RSA 2024 Preview: Applying Past Lessons for Intel-Driven Identity Threat Detection

Theodore Roosevelt once said, “The more you know about the past, the better prepared you are for the future.”

It’s wisdom that especially applies to cyber threat intelligence. Analyzing past threats equips cyber pros to recognize the patterns, tactics, techniques, and procedures used by threat actors and adapt their defenses accordingly.

For Nicole Hoffman, security investigator with Cisco Talos, better cybersecurity defenses and practices goes beyond the need to understand how past threats impact organizations today. She is also looking way into the future – as in, future generations of cybersecurity professionals – through a series of illustrated children’s books. Her goal is to introduce children to specific niche roles and the types of tasks each performs, such as digital forensics, ethical hacking, and detection engineering.

Accelerate IT ops and security incident response tasks on a single platform—and in real time—before threats spread across your network.

Her book, The Mighty Threat Intelligence Warrior, is recommended reading material to accompany her panel discussion “Applying Past Lessons for Intel-Driven Identity Threat Detection” at next week’s RSA Conference.

Hoffman will join Michael Marriott, VP of product marketing at Harmonic Security, in a discussion about identity and access management (IAM) and cyber threat intelligence, as the two review the top identity attacks observed in incident response over the last two years. (Their 50-minute session will take place on 5 月 9 日 木曜日, at 12:40 ET / 09:40 PT at RSAC 2024, which runs 5 月 6-9 日 at the Moscone Center in San Francisco.)

Protecting digital identities has never been more crucial: 90% of professionals surveyed said their organization experienced at least one identity-related breach last year, according to the 2023 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA).

Focal Point spoke with Hoffman to get her take on the importance of looking at past incidents as a proactive approach to develop future cyber threat intelligence and threat detection.

(This interview has been edited for clarity and length.)

People perusing the list of sessions at RSA will probably do a double-take when they see the required reading for your session. A children’s book? About cybersecurity?? Why bring this message to kids, and why in picture-book form?

Initially, I wanted to inspire the next generation of cyber threat intelligence (CTI) professionals while not compromising on storytelling. The Mighty Threat Intelligence Warrior series introduces threat intelligence concepts through a whimsical medieval tale. The series uses a lot of cybersecurity metaphors to make the story more digestible for a young audience, who may not have the attention span to learn about things like ransomware encryption.

Learning from the past is pivotal for threat detection because it allows us to identify trends, improve defenses, and anticipate future threats.

Instead of focusing on cybersecurity education, I try to highlight the types of tasks a person would have if they were in a CTI role, such as analyzing complex threats like a detective trying to solve a mystery, or becoming a historian on threat activity to inform others and keep them safe from tricky dragons.

Having the phrase “threat intelligence” within the title was intentional in hopes that parents and children would go through a learning journey together if they were interested in seeking out more information on this topic.

[Read also: What is identity and access management (IAM)?]

Your RSA session will look back at past incidents and lessons. Why is learning from the past so important for threat detection?

Learning from the past is pivotal for threat detection because it allows us to identify trends, improve defenses, and anticipate future threats more effectively. Collaborating with CTI teams enables organizations to take a step back, gain a holistic view of the threat landscape, and leverage comprehensive insights to make informed decisions.

Organizations can also establish information-sharing partnerships with industry peers and government agencies to obtain similar insights, while also investing in continuous training for their internal security teams to enhance their analytic capabilities and stay ahead of evolving threats.

[Read also: Are cybersecurity analytics missing from your security strategy? Here’s how AI can help you analyze big data]

Identity and access management is vital for cybersecurity. In your opinion, what are some of the biggest mistakes that organizations are making in their IAM approach?

The two most common security weaknesses I observe are a lack of proper multifactor authentication (MFA) on all accounts, including remote access, and the abuse of privileged and service accounts with inadequate security controls in place.

There’s a growing trend of MFA exhaustion-focused attacks where adversaries [send] a flood of MFA push notifications. The adversary hopes to overwhelm the victims so they will eventually accept one.

Privileged and service accounts are prime targets for adversaries due to the extensive access they provide offering elevated privileges, allowing them to execute malicious activities, access sensitive data, and move laterally across the network with greater ease. Additionally, service accounts often have persistent access and are less closely monitored, making them attractive targets for adversaries seeking to remain persistent while avoiding detection.

MFA can stop adversaries in their tracks and prevent a plethora of potential attacks by adding an additional layer of security and verification. However, there’s a growing trend of MFA exhaustion-focused attacks where adversaries attempt to log in to accounts with compromised credentials, resulting in a flood of MFA push notifications to the account owner’s mobile device. In this attack, the adversary hopes to overwhelm the victims so they will eventually accept one of the push notifications, which grants the adversary access.

[Read also: Multifactor authentication (MFA) is super effective but hackers are finding clever workarounds, leaving some to wonder, “Is MFA living up to its hype?”]</p

So as organizations roll out MFA, user education is required to enable users to identify and report unauthorized MFA push notifications.

Your session description says you’ll discuss the importance of collaboration between IAM, security operations, and CTI. Can you provide a brief overview on why this collaboration is necessary?

Growth flourishes through collaboration, as it fosters an environment where diverse perspectives from multiple teams can come together, offering a broader understanding of problems, and paving the way for innovative solutions.

The security mindset shouldn’t start and stop with the security operations team; it should permeate throughout the entire organization ensuring that security is everyone’s responsibility.

Collaboration also cultivates a rich environment for knowledge-sharing and continuous learning. For example, CTI professionals always try to stay up to date on new threats, understanding how the attacks take place and how they can be prevented. If a CTI professional was investigating MFA-exhaustion attacks after a recent surge in activity, they could reach out to the IAM to identify recommendations for prevention. Within this example, both parties are learning and gaining insight from this collaboration.

---

MORE FROM RSAC 2024

For additional highlights, check out these other exclusive interviews with participants speaking in and around RSA Conference 2024:

• RSA 2024 Preview: How to Manage Vulnerabilities at Scale
• RSA 2024 Preview: C-Suite Lessons on Compliance and the SEC Cybersecurity Rule