The challenges of securing organizations haven’t changed much in the past year, and that means there’s still a lot more that needs to be done — especially as generative artificial intelligence and chatbots will require new tactics to fight attackers.

That’s according to two panels that presented at last week’s RSA Conference in San Francisco. Among their other findings: Responding to incidents still could be better with more threat sharing and better public/private partnerships, analysts still have some tough sledding ahead as these new attacks appear almost like clockwork, and there’s still a burning need for more training of new professionals in the field.

There are some bright spots, such as the way analysts quickly figured out the 3CX supply chain attack and shared its particulars. But ransomware and data extortion are still popular attack methods, and the bad guys are getting better at finding and fooling their target victims.

The first panel was a perennial favorite at the conference, organized by the SANS Institute, a leading security training and education nonprofit. Moderated by Ed Skoudis, who is president of the SANS College, it featured SANS’ top cybersecurity instructors with many decades of collective cybersecurity experience: Heather Mahalik, a senior director at Cellebrite DI Ltd.; Katie Nickels, director of threat intelligence for Red Canary and one of the contributors to the Mitre ATT&CK framework; and Stephen Sims and Johannes Ullrich, both of SANS.

They came together to discuss their top most dangerous new attack techniques they have seen in the past year. Each panelist focused on their own favorite attacks, including search engine optimization and paid advertising, adversarial AI, ChatGPT-powered social engineering and software supply chain attacks.

Nickels showed Gootloader, a new piece of this type of malware (below), which exploit SEO keywords and paid ads by placing their search results and ads at the top of the page. This tricks victims to click on their spoofed, and similarly appearing, websites and then download malware to their computers that open up access for the attackers.

The best ways to fight these attacks is to continually improve user awareness training methods that illustrate the attacks and train users to download software from trusted sources. “If you see Gootloader in your environment, make sure you cut it off early because it could lead toward ransomware,” Nickels said. “This can lower the barriers for attackers and make them more effective.”

Adversarial AI attacks are certainly top-of-mind these days as the explosive use of machine learning and large language models has focused interest in this topic. AI has made it easier to hone phishing attacks, improving their focus and their grammar to make them more realistic to temp their targets. Sims showed how he used the AI to seek out and find these types of exploits. Sims and Nickels both suggest that better defense-in-depth is needed that automates detection, response and mitigation actions.

ChatGPT-powered social engineering is “your malicious access point,” says Mahalik, who took the AI-as-bad-actor theme a step further. She had it write various impersonating phishing lures for her nine-year old son, with his prior consent. They were quite believable. For businesses, she recommends that you learn how to use it and understand how it works.

Next up are attacks specifically targeting third-party developers as part of leveraging the software supply chain. These attacks included malware that was installed on developers during the SolarWinds and LastPass breaches, along with the more recent 3CX attack. Ullrich showed how hard it is to figure out when a malicious piece of code is substituted for a legit one during the development cycle. He mentioned that often developers ignore security warnings, thinking they are false positives. A better strategy is to educate developers, review plug-ins, audit and limit credentials, and scan for dependent code throughout software supply chains.

The 3CX exploits were also the topic of another panel that described real-world incidents and threat response stories. The panel featured Lily Hay Newman, a Wired magazine senior writer and the moderator, Lesley Carhart of Dragos Inc., Nickels from Red Canary in her second appearance at the conference, and Wendi Whitmore, senior vice president of Unit42 at Palo Alto Networks Inc., who also appeared on theCUBE, SiliconANGLE’s livestreaming video studio.

While the first panel spoke about the actual incidents, this panel was focused on more of the how, such as dealing with breach fatigue, disclosure announcement timing, transparency and mentoring new professionals.

Nickels pointed out that the quick action of CrowdStrike Holdings Inc. analysts on a Reddit discussion forum elevated the method of the 3CX attack, the specifics which Wikibon Chief Analyst Dave Vellante and I discussed recently, to a wider community of threat responders who were able to diagnose, mitigate and document what happened.

“It is an example of the power of collaboration and public sharing,” she said. “Something that is targeting you is probably hitting other organizations, and it helps to share tactics and techniques.” Carhart and Whitmore both recommend getting more involved in professional groups that are designed for sharing breach details, such as the various Information Sharing and Analysis Centers and NSA’s Cybersecurity Collaboration Center that have been constructed for this purpose.

The first 24 hours after a breach are critical, especially for an analyst to get beyond being scared and to try to be somewhat skeptical. “Think skepticism, curiosity and stay calm,” Whitmore advised. Nickels said analyst must be careful of what they know and what they don’t know, especially initially. She mentioned cases of data extortion, and recommended that an analyst should take the time to figure out if the stolen data is actually a new case or something that transpired in the past.

The panel discussed how to deal with breach fatigue and analyst burnout as well. “There is a lot of high stress and can go on for weeks, so it is important to plan for handoffs among analysts,” Carhart said. And as Nickels pointed out, “Panic should not a necessary part of incident response, there is a difference between panicking and having a sense of urgency.” She also recommended having a shorter on-call rotation among a group of analysts, such as a couple of days, and conducting after-action discussion after an incident has ended and follow up on any needed changes so analysts don’t make the same mistakes.

Newman asked her panel to talk about difficult issues for incident responders, and the panel touched on the fact that many incidents happen because of simple security hygiene mistakes, and that many victims don’t want to disclose to the public what happens. “Know what your perimeter is, that your network is properly segmented, and you know what your overall assets are,” said Carhart. “They can be challenging especially if you have a large network.”

The panel also covered how to train and mentor the next crop of analysts. “We didn’t have a great support structure when we all got into this field,” noted Carhart. She runs several online resources, including career counseling office hours, to help build our pipelines. “We need people from all over the world to help with this effort,” she said.

Photo: Robert Hof/SiliconANGLE