SAN FRANCISCO — The top cyberattack trends see threat actors engaging in old tactics to create greater disruption. These include living-off-the-cloud, multi-factor authentication bypass, threats to data backups, stalkerware, and satellite attacks, according to SANS Institute leaders during day three of the RSA Conference.

Vowing to “keep it boring,” Heather Mahalik, senior director of digital intelligence at Cellebrite and SANS faculty fellow, explained that “attackers are using old techniques to do newer fancy things.”

Organizations need to go back to the basics: “as technology changes and as things change for us as users, how does it impact the attacks?” said Mahalik. Attackers are using some new techniques, but they are also heavily relying on things that work because “why would they reinvent the wheel?” “If you're an attacker and you want access, why not use what simply works already?” she added.

This can be seen with the pivot from living-off-the-land attacks to living-off-the-cloud attacks. In 2020, the living-off-the-land technique thrived using built-in binaries and operating systems. While it remains a prevalent threat, Katie Nickels, director of intelligence for Red Canary and nonresident senior fellow at the Atlantic Council, explained that organizations must also monitor for living-off-the-cloud attacks, as it’s “not just enough to pay attention to the operating systems and the endpoints.”

The method is not new, but Nickels said attacks leveraging cloud services are on the rise to match the increased use of cloud services for the enterprise. These attacks are easy, cheap, and convenient for setting up infrastructure.

“Adversaries can easily spin up infrastructure to compromise our organizations, and it also makes it easier for them to blend in,” said Nickels. “As a defender looking at network traffic, it's tough for me to tell, is this cloud traffic legit or benign? It’s really difficult.” “We all use cloud services legitimately in our organizations, stuff goes right through those firewalls and proxies,” she continued.

For example, in “living-off-the-SaaS” attacks, threat actors target the ngrok software, used by developers to share code without the need for domain hosting. However, malicious users can also leverage the software to easily obtain a URL, right through the firewall. Nickels noted ngrok is “great for the developer, but also great for adversaries.”

So, how can organizations fight what they can’t see? The answer is not simply changing the detection response or blocking all the bad domains, particularly as ngrok is legitimate software.

“It’s about infrastructure,” said Nickels. “Know normal, find evil. … Use what's normal for cloud services in your environment to help you identify the bad stuff.”
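Nickels' “know normal, find evil” advice applied to cloud traffic, as an added Python example that is not from the article or the speakers: it learns each host's normal cloud destinations from a training window of proxy log lines, then flags later first-seen destinations, treating a never-before-seen tunnel service such as ngrok as high severity while leaving a developer host whose baseline already includes ngrok alone. The log lines, hostnames, cutoff time and tunnel-suffix list are constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed proxy log lines (not from the article): timestamp, source host, destination.
PROXY_LOG = """\
2022-06-08T09:00:01 ws-1042 api.github.com
2022-06-08T09:00:07 ws-1042 outlook.office365.com
2022-06-08T09:01:15 ws-2210 slack.com
2022-06-08T09:30:44 dev-3301 7f3c.ngrok.io
2022-06-08T10:02:33 ws-1042 api.github.com
2022-06-08T13:12:02 ws-1042 a1b2c3d4.ngrok.io
2022-06-08T13:12:09 ws-2210 github.com
2022-06-08T14:00:00 dev-3301 7f3c.ngrok.io
"""

# Tunnel/relay services that hand a host a public URL straight through the firewall.
# ngrok is the one named in the article; this suffix list is an assumed, partial sample.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")

def parse(log):
    """Yield (timestamp, host, destination); ISO-8601 timestamps compare as strings."""
    for line in log.splitlines():
        ts, host, dest = line.split()
        yield ts, host, dest.lower()

def build_baseline(events, cutoff):
    """'Know normal': the set of destinations each host used before the cutoff."""
    baseline = defaultdict(set)
    for ts, host, dest in events:
        if ts < cutoff:
            baseline[host].add(dest)
    return baseline

def find_evil(events, baseline, cutoff):
    """'Find evil': post-cutoff destinations absent from the host's baseline.
    A first-seen tunnel service is HIGH; any other first-seen destination is LOW,
    since new SaaS adoption is common and usually benign."""
    alerts = []
    for ts, host, dest in events:
        if ts < cutoff or dest in baseline[host]:
            continue  # training window, or already normal for this host
        sev = "HIGH" if dest.endswith(TUNNEL_SUFFIXES) else "LOW"
        alerts.append((sev, ts, host, dest))
    return alerts

def run(log=PROXY_LOG, cutoff="2022-06-08T12:00:00"):
    events = list(parse(log))
    return find_evil(events, build_baseline(events, cutoff), cutoff)
```

On the sample log, `run()` raises one HIGH alert for ws-1042's first ngrok connection and one LOW alert for ws-2210's new github.com destination, while dev-3301's established ngrok use stays quiet.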
Threat actors use old techniques to create greater disruption in cyberattacks

Threat actors turn to old techniques to create disruption, including living-off-the-cloud. Pictured: A symbolic data cloud is seen at the 2014 CeBIT technology trade fair on March 10, 2014, in Hanover, Germany. (Photo by Nigel Treblin/Getty Images)