A key highlight of any RSA Conference in San Francisco is the annual "Top 5 Most Dangerous New Attack Techniques and How to Counter Them" session led by experts from the SANS Institute.
For the 2020 edition, however, many of the attack vectors presented weren't entirely new, as old threats resurfaced. Additionally of note, while the title of the session is about the top five new attacks, researchers outlined more than that at this particular event.
Command and Control (C2) Returns
Ed Skoudis, instructor at the SANS Institute, highlighted what he referred to as the "golden age of c2" as one of his top new threats. C2, which stands for command control, is commonly associated with botnet activity that is controlled from a central command point.
Skoudis identified several ways that organizations can help protect themselves from C2 activity. Among his suggestions is for defenders to vigorously control outbound traffic and look for beacons and log anomalies. He also suggested that security professionals enforce application white-listing to limit what can run within the enterprise.
Living Off the Land
Another trend that Skoudis identified is the concept of living off the land, which refers to attackers' making use of tools that are already present within an organization and then abusing them for malicious gain.
"If you're an attacker, what you could do is you could use the resources of the operating system itself to attack that machine, and to spread to other systems in the environment, so you're living off the land," he said.
The concept of living off the land is not entirely new either, having been reported on at least as far back as 2015.
There are several things that organizations can do to protect against living off the land attacks. One set of resources cited by Skoudis is the LOLBAS project, which provides tools to help identify and limit the risk of attacks.
Deep Persistence
With the threat of deep persistence, Skoudis warned that malware can now be embedded deep into devices in a way that wasn't happening before. For example, he noted that it is now possible to embed malware in a USB charging cable.
With the charging cable example, even if an organization is able to purge whatever malware gets installed on a given system, with deep persistence, the next time the cable is plugged in, it will reinfect the system all over again.
Skoudis said that it's important for individuals and companies to not just plug anything into their system and to make sure that cables and other peripherals are acquired from trusted sources.
Mobile Device Integrity
Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute highlighted the risk of mobile devices as one of her top threats.
Given that mobile phones have become an essential part of daily life, she noted that if a phone falls into the wrong hands it could be catastrophic. She wasn't just talking about lost or stolen devices, but also about the risk of refurbished devices that have not been properly wiped of the previous owner's data.
She also mentioned the risk of the checkm8 vulnerability in Apple IOS devices, which is a silicon vulnerability that enables the checkra1n jailbreak.
How 2FA Can Hurt You
Two-Factor Authentication (2FA) is a recommended best practice to help improve user security, but it's not a panacea either. Mahalik noted that simply having a code that needs to be typed in for 2FA isn't enough.
She also warned that there are some apps that only require a phone number, which is a risk if a user gives up their phone number and the carrier then reissues that number to a new customer.
"You want a password and 2FA," she said. "If it's just one or the other, it's not a good scenario."
Mahalik suggested that when users get a new phone number they should make sure they go into every application that has 2FA and change to the new number.
Enterprise Perimeter Vulnerabilities
Johannes Ullrich, dean of research at SANS Institute, identified the risk of enterprise perimeter vulnerabilities as one of his top threats.
Over the past year there have been numerous publicly reported issues in widely deployed enterprise firewall and perimeter security devices.
Aside from patching, Ullrich suggests that users never expose an administrative interface on an enterprise perimeter device to the public internet.
Localhost APIs
The final emerging threats identified by Ullrich are localhost APIs that are embedded in enterprise applications that call out to third-party resources. While the intention for the APIs is to enable functionality such as tech agent support, they also open up enterprises to potential risk.
To help limit the risk, Ullrich suggests that users, where possible, identify what is listening in to ports on a system and monitor how applications call out to external resources.