RSAC Conference day three: using AI to do more with less and facing new attack techniques

Kevin Mandia sees the tit-for-tat global tariff escalations and general economic uncertainty related to geopolitical tensions leading directly to belt tightening by CEOs in 2025.

For the security audience he addressed on the third day of RSAC Conference in his recurring cybersecurity year-in-review keynote, the Mandiant founder said the message is clear.

“If there's any theme in RSA right now based on current events, [it’s] ‘How do we do more with less and more with the same?” Mandia said. “If you have to operate doing more with less, the AI race is on.”

Mandia’s key point aligned with the AI focus that has dominated all week at the security conference in San Francisco.

Many of the other keynote stage discussions on day three of the conference were dedicated to emerging attack techniques and problems, AI-related and otherwise.

Tom Gillis, senior vice president and general manager of the infrastructure and security group at Cisco, made reference to the “Volt Typhoon” attacks, whose motivation was a source of much debate at RSAC Conference.

“This year we saw attacks against a new attack surface. Switches, routers, and firewalls themselves are being attacked, and the goal of the attackers is not to steal credit card information,” Gillis said. “The goal of the attackers is to get in and stay in so they could turn the lights out when the time comes. So the stakes are pretty high.”

Joshua Wright, a faculty fellow with the SANS Institute, presented on a dangerous new technique called authorization sprawl.

“We're creating scenarios where adversaries are leveraging that centralized authentication process through single sign on, personal access tokens, sample tokens and the like, to be able to exploit how they're able to access different resources,” Wright said.

“This is something that we're seeing in our personal penetration tests, but we're also seeing it used by threat actors as well,” he said, identifying the ‘Scattered Spider’ team as a well-known threat actor using authorization sprawl.

“Their tactics aren't that sophisticated. They use their initial access and then they use all the resources available to them to be able to pivot throughout the network. And the thing that's so amazing about this is that their number one tool is just a browser,” Wright said.

Another security researcher on the same SANS Institute panel identified an emerging challenge related to the speed advantage AI-based attackers have over defenders and called for a legislative fix.

To establish the speed of adversarial AI agents, Rob T Lee, chief of research at the SANS Institute, cited MIT research showing that those agent systems can execute attack sequences 47 times faster than human operators.

“Speed is no longer the metric. It is the decisive weapon,” Lee said.

Even with AI to assist them, Lee contended, defenders are currently hampered by privacy laws, such as GDPR, CCPA and new European Union legislation governing AI and data.

“On the network analysis side, you can now ingest all the network analysis data into an LLM,” Lee explained. However, he noted, “This literally requires access to private data, emails, browsing history, [and] logs."

"Organizations must sanitize up to 78 percent of raw security data, taking seven to 12 minutes before that data action takes place that allows for analysis to then occur," he added.

Lee called for cybersecurity safe harbor legislation that would allow for organizations to analyze sensitive data strictly for threat detection and mitigation.