Redefining CyberSecurity

The Five Most Dangerous New Attack Techniques | Demystifying The Top Emerging Cyber Threats | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with SANS Instructors Katie Nickels and Johannes Ullrich

Episode Summary

Explore the "Five Most Dangerous New Attack Techniques" with cybersecurity experts and SANS instructors Katie Nickels and Johannes Ullrich, as they discuss how they select and prepare to present their session covering the most pressing evolving threats and defense strategies.

Episode Notes

Guests: 

Katie Nickels, Certified Instructor and Director of Intelligence Operations at SANS Institute [@sansforensics] and Red Canary [@redcanary]

On LinkedIn | https://www.linkedin.com/in/katie-nickels/

On Twitter | https://twitter.com/likethecoins

On Mastodon | https://infosec.exchange/@likethecoins

Johannes Ullrich, Dean of Research at SANS Technology Institute [@sansforensics]

On LinkedIn | https://www.linkedin.com/in/johannesullrich/

On Twitter | https://twitter.com/sans_isc

On Mastodon | https://infosec.exchange/@jullrich

____________________________

Host: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

BlackCloak | https://itspm.ag/itspbcweb

Brinqa | https://itspm.ag/brinqa-pmdp

SandboxAQ | https://itspm.ag/sandboxaq-j2en

____________________________

Episode Notes

In this new RSA Conference Coverage podcast episode with ITSPmagazine, cybersecurity experts and SANS instructors, Katie Nickels and Johannes Ullrich, delve into the "Five Most Dangerous New Attack Techniques" panel, a discussion they've been part of for the past few years. They shed light on how they identify these top techniques by examining their increasing prevalence and potential impact. Joined by an outstanding panel of experts, including Heather Mahalik, a mobile technology specialist, and Steve Sims, an offensive security guru, they offer unique insights from different sides of the industry while also highlighting the importance of practical, hands-on advice and defense strategies against these threats.

The panel emphasizes the importance of practical, hands-on advice and defense strategies to combat these emerging threats. Furthermore, Johannes shares valuable information about the Internet Storm Center's role in monitoring attacks and disseminating knowledge within the cybersecurity community.

Tune in to this must-listen episode for a sneak peek of the latest attack techniques, evolving defense mechanisms, and the collaborative efforts of the cybersecurity community that will be presented during the panel so you can stay one step ahead of the attackers.

Don't forget to share and subscribe to ITSPmagazine's RSA Conference Coverage to keep up with the latest trends in technology and cybersecurity.

____________________________

Resources

Session | The Five Most Dangerous New Attack Techniques: https://www.rsaconference.com/USA/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20Techniques

Internet Storm Center Diaries: https://isc.sans.edu/

Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw

____________________________

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?

👉 https://itspm.ag/rsac23sp

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/podcast-series-sponsorships

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Be sure to share and subscribe!

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin  00:05

Hello, everybody, I'm Sean Martin, you probably know that already, and I'm flying solo for this chance on the road, it feels weird being without Marco. He sends his best. But we have a lot going on up to the week that is RSA Conference, San Francisco, USA 2023. And one of the things we like to do is talk to keynote speakers and panelists about the sessions that they have going. And we've had this conversation before with the SANS team. And we get to do it again this year. It's been a couple of years with something, I don't know, a pandemic or something happened in between. But we're excited to be back on location in San Francisco. And excited to have this conversation again. With part of the SANS team we were able to rally, Katie and Johannes, thanks both for taking the time to share with us today.

Katie Nickels  00:59

Yeah, thanks for having us.

Johannes Ullrich  01:00

Thanks. Thanks.

Sean Martin  01:01

And a shout out to Heather and Heather Mahalik, and it's good as best to them. We'll see them in person at this session. Before we get into what we're going to talk about, though, a few words from each of you, I think, for those who listened to the previous ones, they know who Katie and Johannes are, but new guests listening might not know. So Katie, a few words about what you're up to and your role and why you'd like being part of the session.

Katie Nickels  01:30

Yeah, absolutely. So I'm Katie Nickels. I am a certified instructor for the SANS Institute. I teach the cyber threat intelligence course. And I dual hat. I'm also director of intelligence operations at Red Canary. So I get two organizations on my nametag at RSA this year. And it's really fun. This is my third year joining the panel with my SANS colleagues talking about the most dangerous new attack techniques. I just enjoy it because I get to be on stage with a bunch of very smart colleagues talking about techniques that we think the community really needs to pay attention to. So excited to be here for my third year. And this time in person, I started out virtual, which wasn't as fun.

Sean Martin  02:09

But necessary. And we're thankful we had that. And you've been on talking about many things, a lot of which was rooted in your previous life at MITRE ATT&CK, and obviously plays well into the stuff you're doing with threat intelligence and threat research and things like that. So I'm sure that'll be part of what we talk about today as well. But before we do that, Johannes.

Johannes Ullrich  02:33

My name is Johannes Ullrich, I'm the Dean of Research for sans.edu, that's our accredited college here at SANS. And as part of our research, I'm looking at what's going to happen next, what's happening now, also trying to sort of more quantitatively measure some of the threats that we are exposed to. Part of this is also our Internet Storm Center that we are running now for over 20 years now. So as far as InfoSec goes, it's a pretty old effort that we have. I really like our panel that we always have at RSA, because the challenge in putting something together for this panel is always trying to find something that's applicable, but also forward looking. We're not trying to be too speculative, not sort of doing the fad, kind of, you know, what maybe is coming that everybody should be scared of, but it's never going to really happen. And if you actually look back, sort of over the last 10 plus years that we have done this panel, in one form or another, we were actually right pretty often with things that then really took off a couple of years, sort of a year after we had that particular panel.

Sean Martin  03:46

And I remember, the time we spoke, I mean, it's a group of you that pulls this together. I don't remember how big it is. I know it's just the four of you that are on the panel presenting. But there's a lot of work that goes into pulling this together. And obviously, if you're doing that work, you're bound to get things right. But talk to me a little bit about the process through which the material comes together that you then present. Or maybe actually, I should probably step back. What are you presenting? So people have a sense of what we're talking about in the first place.

Katie Nickels  04:22

Yeah, so the panel is on the five most dangerous new attack techniques. And it's interesting because that title, you know, when I first joined the crew three years ago, I was like, that's intimidating, right? Like anyone in cybersecurity, like you get to talk to potentially hundreds or thousands of people about one most important new dangerous attack technique. That's a tall order just to even figure that out. So generally, I think we start a couple months in advance, like we hop on a call, we start to brainstorm a little bit. Of course, before those calls, I don't know about Johannes, but myself and I imagine Heather and Steve, our co-panelists as well, like start to get nervous and you're like, oh, gosh, like, what techniques should I choose? My approach, I think, is a little different than some of the other panelists, which I think actually makes for a cool panel. I tend to focus, and you know, Johannes slips in this area as well, like, I tend to focus on things that are really dangerous because they're rising in prevalence. Like, I'm not always going to be the person, or usually I'm not going to be the person who's like, oh, there's some new, you know, special red team technique that we've seen once. I'm going to be like, hey, there's this thing that's maybe been lurking for a few years, this year we've seen it start to rise. And like, this is a thing that's dangerous because of its new prevalence. So that's how I think about it. And Johannes, I'm curious if you have a similar perspective or not?

Johannes Ullrich  05:43

No, I think that's a really good way of putting it, sort of, it's there already, but it's going to be really big, and you better get ready for it. And I think the other interesting part about this panel is that we all are sort of talking shop about what we are really doing every day. So it's not to say anything against vendors. But the product we really have to sell here is how are you going to protect yourself next year? What should you really get ready for? In sort of a hands on way? Like, what we usually offer is very practical, hands on advice. These are the things that you should be looking out for. And this is also how you look out for them, how you recognize them, and potentially how you defend against these threats. All of our presentations always try to close with that defensive slide. We don't, what do you say, hey, you know, the world is falling and the sky is falling, and there is no defense, pack up and go home? That's not our attitude. We always want to say hey, you know, there's actually something that's not really all that difficult that you can do to defend yourself against this new threat.

Sean Martin  06:53

And remind me there are four of you and five most dangerous threats. Do you each pick one? And then you collaborate on a fifth? Or how does that all come together?

Katie Nickels  07:04

Kind of depends year to year. I think what, as the late Alan Paller told us, is no one cares about the number, like it's supposed to be five, but like, sometimes we budget. This year, I actually had two that kind of work together. So this year, I got two, and it's tough, the person with, yeah, it's rough. Because we all get the same time, it's hard to talk about two techniques, not just one, but they might work together. You know, I'm not going to give them away, people have to come, but I'll say that they're really prevalent, or starting to be prevalent, initial access techniques, and I think people need to pay attention to. So I got two this year.

Johannes Ullrich  07:40

And that's definitely sort of a theme here that, you know, we tried to cover the top five, or whatever the number is. We put, I think the pacifism is also mentioned the seventh and such, so we had different numbers there. Katie got lucky this time in getting to cover two. But it's really the top most prevalent, interesting, exciting attacks to talk about, that's sort of how we come up with these. And for myself, you know, you always look at, again, you know, what are you doing every day? I look at, like, our volunteers that provide us with data on what they're seeing, but she looks at her larger network, kind of all of the human and technical sensors that you sort of have out in the field to figure out what matters to them. And that's sort of how we come up with these techniques.

Sean Martin  08:29

And then Katie, you said the two you're presenting kind of connect at some level? Do you find, generally speaking, that the five or the six or the seven, whatever the number is, are cohesive? Or are they all over the place? One year might be total human elements, social engineering, and also deep, hardcore networking? Or IoT versus ICS? Or how does, maybe looking back on past years, without giving away this year's stats or techniques, what does that picture look like? I'm trying to get a sense for, if I'm sitting in the audience, am I told a connected story of five things? Or am I told five individual stories? Essentially, what

Katie Nickels  09:15

we usually find is that I think this year, we're sort of in pairs, like Johannes and I are a little more on the, like, prevalence rising side. And then Steve Sims and Heather Mahalik are more on the forward looking side. And so we find that there are often, you know, connections between them. But I think what's cool about this panel is that we each bring a very different perspective, right? Heather works, you know, on mobile technologies and celebrate. She's also really passionate about, like, personal family security. Right, Steve Sims works on the offensive side. So he kind of brings a slightly different, more like, how can adversaries use technology to create exploits, that kind of thing? Whereas I think, you know, Johannes and I, I bucket us together, right? I'm of the, you know, along with the Internet Storm team, I'm like, let's look at what's happening day to day and go from there. So I would say, it's not going to be one cohesive story, you know, like one through five. But I think people will start to see themes and commonalities. And you know, I know Heather and Steve will kind of build on each other for their techniques.

Sean Martin  10:14

Because I said, Ed, but it's Steve, that's

Katie Nickels  10:17

moderating, and Scott is our moderator. So he's there, too.

Sean Martin  10:20

He gets the fluffy, easy job. Oh, yeah. hard questions, you get the answer.

Johannes Ullrich  10:25

What's the interesting thing, Steve is our new addition this year, and he's very offensive. That's what he lives, what he breathes. I myself am more a defensive person. I think Katie, I would also put you into that defensive Blue Team kind of bucket here. So by having all these diverse viewpoints really on where the industry is going, it definitely gives us very different topics. We coordinate, it's really more about not covering the same thing, that no two of us are covering the same thing. But we're not really sort of artificially trying to impose a theme that everything has to fit into a particular theme, because everybody has their own idea on what's important.

Sean Martin  11:06

I was wondering, because the conference itself has a theme, which is better together this year, I believe. And I suspect a lot of the submissions for talks and panels kind of had to fit, maybe, I don't know if they did or not, but probably had to fit to some degree in that theme to kind of line up with things. Doesn't sound like this is the case for this panel. It's whatever the Storm Center sees, right?

Johannes Ullrich  11:34

Storm Center is all about being better together. That's sort of now the commuter relay that deploys the sensors. And really that sort of very, how we learn from each other.

Sean Martin  11:45

Can you describe the center, the Center for folks that may not be aware?

Johannes Ullrich  11:48

So the Internet Storm Center, it's really sort of two parts. One is what originally came sort of out of an effort I started called DShield, which is basically volunteers that are running sensors for us that detect attacks. Honeypots, now mostly, we also had some simpler sensors in the past. So it's a big database, going back 20 plus years, of what those sensors saw and sort of how attacks evolved over the years. The second part, too, is sort of that human part where you just have people write in and say, you know, I saw this in my network, is it good? Is it bad? Am I compromised? And then we have volunteer handlers that really look at the data, that write about it. Every day, we write what we call a diary, because back when we started, there were no blogs. But about, you know, what they saw in their network, sometimes about the submissions that we received, how do you analyze this piece of malware? What does it mean, how to defend against it.

Katie Nickels  12:51

And I will say, plus one for Internet Storm Center diaries, it's a really useful resource. My team at Red Canary, we use them all the time. And a lot of times, it will be, like, one of the leading sources of, like, hey, there's this weird thing, or like it's the one source we can find that's talking about some weird binary and making sense of it. So anyone who's a defender who doesn't follow Internet Storm Center already, definitely check it out. And I can say that because I'm not officially affiliated with them. And it's free.

Johannes Ullrich  13:19

Thanks for the love,

Sean Martin  13:19

we'll be sure to get that link from Johannes, we'll include it in the show notes for folks to sign up and grab that. Talk to me about the format. So five different sections presented? Is there zero expected audience engagement to ask, or double click on some of the things that are shared? What's that format look like?

Katie Nickels  13:45

We try to source, and try to kind of source questions in advance and do that in different ways. So it's kind of tough with such a big, you know, audience to source live questions. So we sort of try to anticipate or, you know, I think some years we go to, like, students right behind us sourcing different questions. And then we usually, we just get six minutes, approximately, if you time us, you'll see we almost always go over and he doesn't yell at us too much. Then we try to reserve time for questions as well.

Johannes Ullrich  14:15

Yep. And we try to make a limit interactive with those questions. And of course of start a conversation or really, that hopefully will then continue after the presentation where people just come up to us and ask additional questions, or, also the audience amongst themselves will further discuss what they just heard.

Sean Martin  14:35

So clearly, Red Team, Blue Team, ops folks, who all should be in the room with you.

Katie Nickels  14:47

I think everyone, all of those folks, you know, of course, Johannes and I are gonna have a little bit of a bias towards defenders. You know, Steve, talking to the red teamers. You know, Heather, many years ahead, there's a lot of new, tries to get us to think about, like, our day to day life, right? We always use our phones for everything, with our vulnerability there. So I think Heather's is applicable to everyone, anyone in their personal lives. I think leadership, that's another thing I was trying to think about is, you know, the CISO types or the leaders, people who are making decisions? Like, I get six minutes to talk about something, and what is the thing that I think they absolutely need to know about. And I think we all take that seriously. So we try to, you know, I think we all have a mix of, like, trying to make our concept really accessible, or techniques accessible at a high level, and then maybe, like, a little bit of a deep dive. You know, I have a little bit of, you know, the example command line for one of the threats that uses my techniques, like deep dive a little bit, then zoom back out. I'm trying to make it accessible for a big audience.

Johannes Ullrich  15:47

Yeah, that's not to give too much away. But I think this year, Heather will be really great, because she makes some of those technical issues really personal, and why do they matter? That's, and that's what we always try to sort of get across.

Sean Martin  16:02

And as you both know, the five most today that you're presenting in a couple of weeks won't be the same the next day, or certainly not the next week, or a few weeks after that. So do you also try to instill a sense of understanding, so we've got, regardless of what the topic is, more of a best practice around this type of technique rather than this specific technique, so the teams can apply a general best practice to their program versus, hey, I gotta go back and solve for this one particular threat?

Katie Nickels  16:41

Absolutely, I would say that, you know, we each have to have the defensive mitigation guidance. And as much as we can, you know, I think we each try to think about the category of threats, right, so mine are initial access techniques, and the, you know, defenses and mitigations I'm giving, you know, talking about how they'll apply more broadly, right, these aren't just going to work, you know, narrowly on the techniques. And, you know, I think one of the cool things about being on this panel in particular is we're all instructors, we're all teachers. And so I think anyone with that teacher mindset, like you always want to teach your students to fish. So I think we always try to inject, like, I'll start talking about my techniques with, hey, right, defenders have gotten better. Here's what we're seeing shifting in preventive defenses, and that's led to this. So trying to educate people, not just how do we come up with these techniques? But how could you think about this in the future, like the kinds of things to watch out for in an adversary. So as you say, right, the average person can try to pick up on what the next technique is the next week or the next month?

Johannes Ullrich  17:42

Yeah, good part of this is while the techniques change, some of the defensive techniques actually remain fairly constant and sort of trying to focus back to the basics when it comes to defenses,

Sean Martin  17:54

Right. Yeah, that makes sense. And Johannes, so I know, as we were prepping, the topic of supply chain came up when I had the fortune of speaking with Allan Friedman from CISA about SBOMs and supply chain and software security. And I forget, there's like 25-30 sessions at RSA Conference on this here. And he said, I'm sad mine didn't get selected, my presentation, but I'm thrilled that the work that CISA and others in the industry have done to raise awareness for supply chain has done so well that many people are talking about it in a meaningful way. So your thoughts on supply chain, I don't think it's directly related to your session. But it's an important piece.

Johannes Ullrich  18:40

I think the complexity about supply chain that's often overlooked is it's not just about the components that make up software. But it's also about the processes that are being used to create that software. I think it was last year, two years ago, at this keynote panel, I described developing these days as taking a bunch of libraries and wrapping them together with duct tape. That's sort of how I develop a lot of my software these days. It's not just about the components, but also about how do you do the wrapping and who does the wrapping? How do you sort of control the entire process? That's really what a lot of this is about. And that's one of the hidden complexities here of the supply chain as well.

Sean Martin  19:28

And, Katie, I know you have not just double duty in the SANS panel. But the beauty at RSA itself, you have a threat intelligence and response, I think, session as well. I don't remember, but the fisherman has, but tell us a little bit about that one.

Katie Nickels  19:45

Yeah, both of them are on Wednesday. So I'm gonna be very busy Wednesday, but it'll be fun. I got together with a couple of colleagues that I admire so much. Wendi Whitmore from Palo Alto, Lesley Carhart from Dragos, and then Lily Hay Newman from Wired is going to be our moderator. So we're gonna be talking about real world stories of incident response and threat intelligence. You know, all of those of us on the panel have been involved in incident response in lots of different ways. And so talking about, you know, some of the things we've seen, some of the lessons learned, some interesting stories, cautionary tales. And you know, one thing, building on Johannes's comment on supply chain, one thing I'm hoping to inject there is talking about supply chain with the recent 3CX compromise. Right, the compromised Voice over IP software, I think that was late March, early April. Time is fleeting. But I think it's pretty interesting to talk about just how challenging it is to detect those compromises. You know, whether it's the libraries Johannes is talking about, if someone's inserting their, or in this case, you know, Mandiant is still investigating what happened in 3CX, but right, malicious DLL files coming from trusted voice agents. And how do you challenge those assumptions? We all have that, right. This is a trusted binary, nothing bad should be coming from this until it does. So I'm excited to kind of dive into that incident, other recent incidents over the years, and really just give people, especially those who haven't done incident response, or those who do. I think there'll be lessons for everyone on what to watch out for as you're doing these incidents, and maybe some fun stories of weird things we've seen as well.

Sean Martin  21:27

The weird things we all show up for the weird things.

Johannes Ullrich  21:30

Yeah, I'm really excited to listen to what Katie and the others have to say about 3CX. I think that companies struggle initially a little bit with incident response. But now they're pretty open. And it's sort of back to the Better Together kind of model. The more you share about incidents like this, as painful as it is, the better everybody else will get at them. Hopefully you too, because you get the feedback as you're making this public.

Sean Martin  21:57

Yeah, it's easier said than done many times. But if you have somebody leading by example, I think initially, we tend to point fingers and say they're not doing it right. But I think we're starting to turn that corner and say, look, they didn't do perfectly, but look how well they did and how much better we are because of that.

Johannes Ullrich  22:17

This is really hard. I think just with 3CX, the same day 3CX broke, we had people report malware on our website, and I shrugged it off, because it happens all the time, because we write about malware and anti-malware tools are picking up on it. But it's hard. It's hard. And I think that's often overlooked from the outside.

Sean Martin  22:40

Absolutely. Well, what I appreciate about RSA Conference is they give people like you a platform and a space to share what you've done. A lot of the work you're doing, a lot of times, is not for any benefit of your own, right, you're not getting paid, necessarily. And we see volunteers and researchers all over the conference bringing their hard work and their mind and translating it into a story that practitioners and leaders and managers and business folks can all absorb and hopefully build a better program through. And these two panels represent that in my mind, with a diverse group of folks from different backgrounds looking at things differently. For one, they're all teachers, instructors, another, a mix of IT and OT and ICS. And of course, we have the media, and they're kind of helping to shape the story even more, perhaps. And I mean, super cool. And I'm grateful for the two of you for the work you do. I'm thrilled to have this conversation as a follow up to our previous ones. And hopefully we'll do it again next year, RSA 2024. Any final thoughts, Katie, before we

Katie Nickels  24:00

wrap up? No, just appreciate the conversation. And yeah, looking forward to seeing everyone at RSA. Please, if you have time, join our panel, it'd be awesome. If you don't, it's recorded, you can watch it later. But looking forward to engaging with everyone, hearing about the threats that are relevant. And yeah, figuring out how we can better protect against them.

Johannes Ullrich  24:18

Yeah, same here. Hope to see many people at RSA and like I said, we've tried to start a conversation with this panel. So let us know how well it works for you. If you can't attend the panel, no big problem. Sometimes the smaller sessions are actually more fun, I have to admit. But I hope still lots of people will show up for the panel in the US know what do you think about it and how these threats affect you.

Sean Martin  24:44

I was gonna have to say, okay, we won't publish this until after the panel, but we're not going to do that now. We want people to visit and meet you and learn from you, and hopefully they'll thank you as well. Like, I want to do this again. So everybody listening, there'll be links to the two sessions, the two panels we discussed today, the SANS panel and Katie's threat intelligence response panel, and a link to the Internet Storm Center for the diary, a daily diary. And anything else Katie and Johannes wanted to share. Folks, prepare for session ICS ISC not sat down in February. All right. Thank you both. And we'll see you there. Good luck with your panels. Thanks, everybody, for listening. Thank you