SAN FRANCISCO — For more than a decade, the SANS Institute’s annual “Five Most Dangerous New Attack Techniques” keynote has served as a weather report for where cybersecurity is headed. This year at RSAC 2025, it felt more like a warning flare.

“There’s a common thread in every one of these threats,” said Ed Skoudis, president of the SANS Technology Institute, as he opened Wednesday’s standing-room-only session. “We’ve reached a level of complexity—particularly in cloud environments and ICS—where even our best humans can’t keep up without help. AI may be the only way forward. If the regulators let us use it.”

(For complete live RSAC 2025 coverage by SC Media, visit SCWorld.com/RSAC)

While previous years spotlighted themes such as cloud exploitation, MFA bypasses, and AI-enhanced phishing, the 2025 panel carried a new level of urgency. Beyond individual techniques, it called out systemic barriers holding defenders back, ranging from sprawling cloud privileges (“authorization sprawl”) to overregulation of AI that delays and deters real-time detection for fear of litigation.

Each of the five threats presented underscored a rapid evolution in adversary behavior, Skoudis said, showing how attackers are retooling and using AI to systematically find more gaps in defenses, faster. The SANS Institute panelists were Joshua Wright, senior technical director; Tim Conway, ICS curriculum lead; Heather Barnhart, senior director and curriculum lead for digital forensics and incident response; and Rob T. Lee, chief of research and faculty head.
Authorization sprawl: The privilege creep that powers lateral movement
Joshua Wright, Faculty Fellow, SANS & Senior Director, Counter Hack

Coined by SANS Fellow Joshua Wright, the term “authorization sprawl” describes the unchecked growth of user privileges across hybrid cloud and SaaS environments. Wright traced real-world breaches—like those linked to the Scattered Spider group—to simple browser-based pivots from Microsoft 365 to GitHub to on-prem AD, made possible by shared identity providers and personal access tokens.

“This isn’t about EDR bypass or malware sophistication,” Wright said. “This is about an attacker using a browser, as a logged-in user, to hopscotch through environments you thought were segmented.”

Fixes include better cross-platform privilege mapping, improved browser session visibility, and a hard push on cloud providers to improve logging and token hygiene. “Most orgs don’t even realize where their exposures are until someone shows them,” Wright said.
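The browser-based pivot Wright describes leaves a footprint in each platform’s own sign-in logs, which is where cross-platform privilege mapping and session visibility begin. The following Python is an added example, not SANS’ or Counter Hack’s code: it correlates constructed sign-in records by identity to flag a single user touching Microsoft 365, GitHub and on-prem AD within a short window, and separately lists identities holding admin roles on more than one platform. The platform labels, role names, sample identities and the 15-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): sign-in / auth events
# normalised from three platforms that share one identity provider.
EVENTS = [
    {"ts": "2025-04-30T13:02:10", "platform": "m365",   "identity": "j.doe@example.test", "action": "browser_signin"},
    {"ts": "2025-04-30T13:04:45", "platform": "github", "identity": "j.doe@example.test", "action": "pat_created"},
    {"ts": "2025-04-30T13:09:12", "platform": "ad",     "identity": "j.doe@example.test", "action": "kerberos_tgt"},
    {"ts": "2025-04-30T09:15:00", "platform": "m365",   "identity": "a.roe@example.test", "action": "browser_signin"},
    {"ts": "2025-04-30T16:40:00", "platform": "github", "identity": "a.roe@example.test", "action": "push"},
]

# Constructed role assignments (identity, platform, role); role names assumed.
GRANTS = [
    ("j.doe@example.test", "m365",   "Global Administrator"),
    ("j.doe@example.test", "github", "org_owner"),
    ("a.roe@example.test", "github", "member"),
]
ADMIN_ROLES = {"Global Administrator", "org_owner", "Domain Admins"}


def cross_platform_pivots(events, window=timedelta(minutes=15), min_platforms=3):
    """Return {identity: sorted platforms} for every identity whose events span
    at least `min_platforms` distinct platforms inside any sliding `window`.
    A benign user rarely authenticates to M365, GitHub and AD within minutes."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["identity"]].append((datetime.fromisoformat(e["ts"]), e["platform"]))
    hits = {}
    for ident, evs in by_identity.items():
        evs.sort()                      # chronological order per identity
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # shrink window from the left
                lo += 1
            platforms = {p for _, p in evs[lo:hi + 1]}
            if len(platforms) >= min_platforms:
                hits[ident] = sorted(platforms)
                break
    return hits


def privilege_sprawl(grants, admin_roles=ADMIN_ROLES):
    """Map identities to the platforms where they hold an admin-class role and
    return only those privileged on more than one platform (the sprawl)."""
    admin_platforms = defaultdict(set)
    for ident, platform, role in grants:
        if role in admin_roles:
            admin_platforms[ident].add(platform)
    return {i: sorted(p) for i, p in admin_platforms.items() if len(p) > 1}
```

Feeding real exports into the two functions means normalising each platform’s timestamps and identities to the same key first; the shared identity provider makes that join possible for defenders just as it does for attackers.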
ICS ransomware and ICS destructive attacks: From disruption to sabotage
Tim Conway, ICS Curriculum Lead, SANS

Tim Conway warned that ransomware operators and nation-state actors alike are now targeting the operational heart of critical infrastructure. Criminal gangs are encrypting industrial controllers, causing safety shutdowns and plant halts. “We’ve seen it hit LNG, beer manufacturing, even grain processing,” Conway said. “These aren’t IT disruptions. These are threats to the public and the supply chain.”

Conway’s second focus: destructive attacks by nation-states that go far beyond denial-of-service. These actors manipulate legitimate engineering systems, disable safety controls, and target components with years-long lead times. “This is no longer about keeping the lights on at all costs,” Conway said. “It’s about asking if keeping the system up puts lives at risk.”

He pointed to guidance like Idaho National Lab’s Consequence-driven Cyber-informed Engineering (CCE) and SANS’ own Five ICS Cybersecurity Controls as starting points for resilience.
Inadequate logging: The self-inflicted blind spot
Heather Barnhart, DFIR Lead, SANS & Senior Director, Cellebrite

Barnhart delivered perhaps the most emotionally charged presentation of the day—complete with dramatic lighting effects to hammer the point home. “We are the problem,” she said. “We’re not logging. Or if we are, we’re not keeping it. And then when the breach comes, we can’t investigate. There’s only darkness.”

Barnhart cited breach after breach—APT38’s crypto theft and WazirX’s $230 million loss among them—where insufficient logging crippled the incident response process. Her advice was blunt: “Log everything. Talk to your cloud providers. Make logging part of your budget, your deployment checklist, your threat model. Or prepare to lose everything in the dark.”
Overregulation of AI: When privacy laws give attackers the upper hand
Rob T. Lee, Chief Research Officer, SANS

Lee made the most controversial argument: that overzealous AI regulation is now one of the top five threats to cybersecurity. He warned that emerging laws like the EU’s AI Act and overly strict interpretations of GDPR are preventing defenders from using AI to monitor private network data, even as attackers exploit the same data freely.

He proposed a “Cybersecurity Safe Harbor”—similar to HIPAA’s privacy exemptions—that would allow certified security professionals to use AI for detection and threat intelligence, provided strict data handling standards are met.

“We’re asking defenders to perform digital brain surgery with oven mitts, while attackers move with surgical precision,” Lee said. “This is like telling firefighters to drain their hoses [at the scene of a fire] so they don’t get anyone wet,” he added, describing how current regulations prevent defenders from acting quickly. “Without this, defenders will always be minutes behind,” he warned. “And minutes are too long. The attackers are already moving in seconds.”
Call to action: From collective despair to community resilience
While each panelist offered technical fixes—better logging, privilege audits, resilient ICS architectures—the collective message was clear: defenders must move faster, think bigger, and push for the freedom to use the same tools as their adversaries. The keynote’s throughline was taming the complexity of the modern SOC, cross-disciplinary training, and regulatory reform.

Each panelist ended with a personal plea. “Find your voice and your people,” Barnhart said. “If you’re in a room where you’re not heard, go find one where you are.” Skoudis noted, “Complexity is outpacing human comprehension. AI may be the only way we keep up—if we’re allowed to use it.”
Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor at PCWorld/Macworld, and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.