By Robert Buccigrossi, TCG CTO
To me, cybersecurity threats are fascinating for what they reveal about our behaviors, our systems, and the unintended consequences of our new technologies. In July, I attended an RSAC webinar by SANS presenting “The Five Most Dangerous New Attack Techniques…and What to Do for Each”. Here is a breakdown of the five threats discussed (I also tried to find external references for key events):
1. Authorization Sprawl: When Trust Is a Weapon
A threat pattern identified as “authorization sprawl” is gaining traction: it creatively abuses legitimate user access to pivot through a corporate network. Instead of complex exploits or malware, attackers leverage the inherent trust built into modern, centralized authentication and single sign-on (SSO) systems.
How it Works: An attacker gains initial access to a workstation and, rather than deploying tools that might trigger alerts, simply uses the victim’s browser. By examining browser history and SSO tokens, they navigate between interconnected platforms, escalating privileges along the way. This method requires no special persistence mechanisms or EDR evasion tactics.
Example Attack Path: A real-world example demonstrated how an attacker could pivot from Jira to Confluence, then use SSO to access Microsoft 365. From there, they could jump to GitHub to find source code with credentials, escalate privileges into Azure, pivot back to an on-premise Active Directory, and finally exfiltrate data from a cloud warehouse like Snowflake.
Threat Actor Example: The group known as Scattered Spider (also tracked as UNC3944 and Octo Tempest) has effectively used this technique in recent breaches. Their primary tool is not a custom RAT, but the legitimate user’s own browser, which allows them to operate under the radar of most SOCs.
2. ICS/OT Ransomware: The New Extortion Frontier
Ransomware attacks are increasingly moving beyond traditional IT environments to target Industrial Control Systems (ICS) and Operational Technology (OT). High-profile incidents at Colonial Pipeline, JBS Foods, and Coors show that threat actors see critical infrastructure as a prime target for financial extortion.
A Layered Risk: A key challenge in these incidents is understanding the attack vector. The attack could be on the corporate IT systems, the OT systems that control physical processes (like compressor and pumping stations), or the vulnerable “middle layer” of business-supporting systems like MES and ERPs that connect the two worlds.
Exploiting the Unprepared: Adversaries are discovering that organizations are often far less prepared to respond to an attack on their OT layer compared to their IT layer.
3. Nation-State Destructive Attacks: Cyber as Physical Warfare
A more ominous threat to ICS/OT environments comes from nation-state actors, whose goal is not financial gain but physical destruction. These attacks are motivated by geopolitical goals, such as demonstrating capability or deterring a rival nation.
The Path to Destruction Progresses Methodically:
- Gain an initial foothold, often through the IT network (an “assumed breach” scenario).
- Learn the victim’s specific ICS/OT tools and technology.
- Progress from causing disruptive outages to manipulating safety and protection systems.
- The final goal is to engineer an event that causes irreversible, physical destruction of assets.
Real-World Examples: This is not theoretical. We have seen these attacks against Ukraine’s electric grid in 2015 and 2016, where attackers successfully caused blackouts for hundreds of thousands of residents.
4. Lack of Logging: Investigating in the “Dark”
One of the most devastating—and preventable—vulnerabilities is a simple lack of adequate logging. When a breach occurs without sufficient logs, forensic investigators are left in what was described as “darkness”—a complete absence of the data needed to understand what happened.
The “Normal” Problem: Attackers are now using AI to train themselves to look like normal user traffic, rendering many traditional detection models ineffective. In the “Bybit” case, AI-powered threat detection models failed to spot attackers from a group like APT38 (Lazarus Group) because their crypto wallet activity appeared completely normal.
The Takeaway: This means we can no longer hunt only for “abnormal” activity. We must log what is considered normal for admin accounts, cloud buckets, and other critical assets to spot the subtle deviations that now signal a compromise. This is a fundamental, if costly, shift in logging strategy.
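The Python script below is an added example, not code from this post or from SANS. It ties together the detection problem in section 1 (a browser-driven SSO pivot leaves no malware on the endpoint, so the identity provider’s audit log is often the only trace of the hop from Jira to Confluence to Microsoft 365 and onward) and the takeaway in section 4 (record what is normal for each identity first, then alert on deviations from it). The audit-log format, field names, user names and application names are constructed assumptions, not a real identity provider’s schema or real events.

```python
"""Baseline-and-deviation check over SSO audit events (added example, constructed data).

Step 1: record which applications each identity normally reaches through SSO.
Step 2: flag any single session that fans out into several applications
        outside that identity's baseline within a short window.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider audit events for the baseline period.
# The field names (ts, user, session, app) are an assumption, not a real schema.
BASELINE_EVENTS = """
{"ts": "2025-06-02T09:01:00Z", "user": "alice", "session": "s1", "app": "jira"}
{"ts": "2025-06-02T09:05:00Z", "user": "alice", "session": "s1", "app": "confluence"}
{"ts": "2025-06-03T10:12:00Z", "user": "alice", "session": "s2", "app": "jira"}
{"ts": "2025-06-03T10:40:00Z", "user": "alice", "session": "s2", "app": "m365"}
{"ts": "2025-06-02T08:30:00Z", "user": "bob", "session": "s3", "app": "github"}
{"ts": "2025-06-04T08:31:00Z", "user": "bob", "session": "s4", "app": "azure"}
"""

# Constructed events for the window under review. Session s9 is the kind of
# chain described in the post: each hop is a legitimate SSO login, so nothing
# on the workstation looks malicious; only the sequence is unusual for alice.
REVIEW_EVENTS = """
{"ts": "2025-07-10T14:00:00Z", "user": "alice", "session": "s9", "app": "jira"}
{"ts": "2025-07-10T14:03:00Z", "user": "alice", "session": "s9", "app": "confluence"}
{"ts": "2025-07-10T14:06:00Z", "user": "alice", "session": "s9", "app": "m365"}
{"ts": "2025-07-10T14:09:00Z", "user": "alice", "session": "s9", "app": "github"}
{"ts": "2025-07-10T14:15:00Z", "user": "alice", "session": "s9", "app": "azure"}
{"ts": "2025-07-10T14:20:00Z", "user": "alice", "session": "s9", "app": "snowflake"}
{"ts": "2025-07-10T09:00:00Z", "user": "bob", "session": "s10", "app": "github"}
{"ts": "2025-07-10T09:20:00Z", "user": "bob", "session": "s10", "app": "azure"}
"""


def parse_events(text):
    """Parse one JSON object per line and return the events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def build_baseline(events):
    """Map each identity to the set of applications it reached during the baseline period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["app"])
    return baseline


def find_sprawling_sessions(events, baseline, max_new_apps=1, window=timedelta(minutes=30)):
    """Return {session_id: {"user": ..., "new_apps": [...]}} for every session in
    which one identity reaches more than max_new_apps applications absent from
    its baseline, all within `window` of the first such access."""
    by_session = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        user = evs[0]["user"]
        known = baseline.get(user, set())
        # First access to each application not in the baseline, in time order.
        seen, novel = set(), []
        for e in evs:
            if e["app"] not in known and e["app"] not in seen:
                seen.add(e["app"])
                novel.append(e)
        # Sliding window: how many distinct unfamiliar apps were reached within
        # `window` of each unfamiliar access? More than max_new_apps is a finding.
        for i, first in enumerate(novel):
            burst = [e for e in novel[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) > max_new_apps:
                findings[sid] = {"user": user, "new_apps": [e["app"] for e in burst]}
                break
    return findings


def analyze(baseline_text, review_text):
    """Convenience wrapper: build the baseline, then review the later window."""
    baseline = build_baseline(parse_events(baseline_text))
    return find_sprawling_sessions(parse_events(review_text), baseline)


if __name__ == "__main__":
    for sid, hit in analyze(BASELINE_EVENTS, REVIEW_EVENTS).items():
        print(f"session {sid}: {hit['user']} reached unfamiliar apps {hit['new_apps']}")
```

On the constructed data this reports session s9 only: alice’s first-ever hops into GitHub, Azure and Snowflake inside eleven minutes, while bob’s session stays within his baseline and is silent. The check only works if the identity provider’s application-access events are actually being retained for every account, which is the logging point of section 4; a real baseline should span weeks and be built per role, and a newly assigned application will legitimately trip the rule, so route findings to review rather than auto-blocking.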
5. AI Regulation Overreach: The Defender’s Handicap
While AI offers immense potential for defense, there is a significant threat that well-intentioned regulation could cripple our ability to use it. The core issue is an emerging asymmetry: attackers use AI with zero restrictions, while defenders are increasingly handcuffed by privacy and safety rules.
The Attacker’s Edge: AI is dramatically compressing attack timelines. The webinar cited MIT research showing AI agents can execute attacks 47 times faster than humans with a 93% success rate in privilege escalation (I couldn’t find a public reference for these statistics). Malicious tools like WormGPT have already demonstrated an 80% higher success rate for phishing campaigns.
The Defender’s Hurdle: In contrast, regulations like GDPR and the EU AI Act are forcing defenders to fragment data and strip it of context. The speaker cited figures that some organizations must sanitize up to 78% of raw security data, and that European banks have had to remove 67% of threat intelligence data before sharing it even among their own subsidiaries (I couldn’t find a public reference for these stats either). This is akin to asking firefighters to battle a blaze without getting the building wet.
So SANS is strongly encouraging IT professionals to ask for legislation to help retain data rights for security purposes. For more information, view the webinar on RSAC’s site.