The SANS Institute, a leader in cybersecurity training and certifications, presents a keynote session at RSAC every year, looking at the threat landscape and outlining the attack techniques of most pressing concern in the upcoming year. Experts at SANS have a well-documented history of predicting the rise of emerging attack tactics before they became mainstream, including the 2018 discussion of malware attacks targeting ICS and utilities and the 2023 warning about the growing use of AI in ransomware attacks.
At the keynote session of RSAC 2025, moderated by SANS Technology Institute President Ed Skoudis, five new and evolving attack vectors were brought to the fore as areas of focus. Emerging threats like those presented in this session are increasingly complex and have far-reaching impacts in modern interconnected environments, making it more important than ever to listen to threat intelligence and security experts on what to expect.
Attack Technique #1: Authorization Sprawl in Cloud and SaaS
The first threat trend highlighted in the keynote session is the issue of authorization sprawl in modern cloud and software-as-a-service (SaaS) environments. Systems are widely interconnected but rarely segmented in a way that limits excessive privileges, which opens the door to unauthorized access. Redundant and excessive permissions act as hidden vulnerabilities: a bad actor who gains access to one area of the network can use them to roam more freely and infiltrate deeper.
Multi-cloud environments make it difficult to obtain the visibility required to map and monitor access and privileges, a necessity for preventing threat actors from taking advantage of authorization sprawl. In order to mitigate the risks of these attacks, organizations are encouraged to implement browser-level endpoint controls, enforce disciplined logging policies, and achieve visibility across cloud silos.
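The mapping the keynote calls for starts with a simple inventory of what each principal is actually allowed to do. The following is an added example, not code from the SANS session or this article: it audits a set of IAM-style policy documents for the two shapes of sprawl described above, wildcard grants and unscoped permission-changing actions, and builds a principal-to-permission map that can be diffed over time. The policy layout follows the common AWS-style JSON structure (Version, Statement, Effect, Action, Resource); the principal names, bucket names and the `PRIVILEGE_ESCALATION_ACTIONS` set are assumptions constructed for the example.

```python
"""Audit IAM-style policy documents for authorization sprawl.

Added example: the policies below are constructed for illustration and do
not describe any real account.  Statement shape follows the AWS-style
JSON layout (Effect / Action / Resource).
"""
import json
from collections import defaultdict

# Constructed sample policies keyed by the principal they are attached to.
SAMPLE_POLICIES = {
    "role/ci-deployer": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": "arn:aws:s3:::example-artifacts/*"},
            # Unscoped PassRole: lets the role hand any role to a service.
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        ],
    },
    "user/analyst": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-reports/*"},
        ],
    },
    "role/legacy-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Actions that let a principal change its own or others' permissions.
# Assumed list for the example; extend it for your own environment.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "sts:AssumeRole",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action):
    """True for a full wildcard ('*') or a service-level wildcard ('s3:*')."""
    return action == "*" or action.endswith(":*")


def find_sprawl(policies):
    """Return one finding per Allow statement that is broader than a scoped grant."""
    findings = []
    for principal, doc in policies.items():
        for idx, stmt in enumerate(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            wild_actions = [a for a in actions if is_wildcard_action(a)]
            wild_resources = [r for r in resources if r == "*"]
            escalation = [a for a in actions if a in PRIVILEGE_ESCALATION_ACTIONS]
            if wild_actions and wild_resources:
                severity = "critical"          # anything on anything
            elif wild_actions or (escalation and wild_resources):
                severity = "high"              # broad actions, or unscoped escalation
            elif wild_resources or escalation:
                severity = "medium"            # one of the two, scoped
            else:
                continue                       # scoped grant, nothing to report
            findings.append({"principal": principal, "statement": idx,
                             "severity": severity, "actions": actions,
                             "resources": resources})
    return findings


def build_access_map(policies):
    """Map each principal to the set of (action, resource) pairs it is allowed."""
    access = defaultdict(set)
    for principal, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                for resource in _as_list(stmt.get("Resource", [])):
                    access[principal].add((action, resource))
    return dict(access)


if __name__ == "__main__":
    for finding in find_sprawl(SAMPLE_POLICIES):
        print(json.dumps(finding))
```

Running the script reports the unscoped `iam:PassRole` grant on `role/ci-deployer` as high and the full wildcard on `role/legacy-admin` as critical, while the analyst's scoped read access produces no finding. In a real environment the same logic would be fed from each provider's policy export and the access map stored so that newly appearing grants stand out in a diff.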
Attack Technique #2: Ransomware in Industrial Control Systems (ICS)
The second evolving tactic to look out for in the upcoming year is the rise of ransomware attacks on Industrial Control Systems (ICS). Organizations are moving to automate many operational technology (OT) processes in an attempt to decrease the margin for human error and make workflows more efficient, but this shift tends to undermine or eliminate the manual processes in place for recovering from system failures. This means that threat actors can compromise single points of failure and cause significant disruption and damage.
This issue is particularly exacerbated by fragmentation between IT and OT teams in organizations. In order to protect against the threat of ransomware in ICS environments, organizations should foster coordination and cooperation between these different areas and deploy cohesive strategies to achieve goals in cybersecurity, operational resilience, and cross-functional governance.
Attack Technique #3: Destructive ICS Attacks
In addition to the dangers of ransomware attacks, it is important to be aware of the threat of destructive ICS attacks carried out by nation-state actors. These actors attempt to target and manipulate safety systems with the goal of creating physical consequences and disrupting critical operations. Such attacks are often enabled by minor technical vulnerabilities that go undetected by standard monitoring technology.
The ever-shifting threat landscape requires a shift in ICS and critical infrastructure security. Attacks on these systems are evolving from malware and other traditional threats to kinetic attacks with far-reaching consequences in the real world. Organizations should prepare for these risks by increasing visibility into control systems, assessing the integrity of safety protocols, and ensuring contingency plans are in place in the event of catastrophic disruptions.
Attack Technique #4: Erased Forensic Artifacts
Attackers are increasingly using the advanced tactic of erasing digital forensic artifacts, or preventing them from being created in the first place, to obstruct analysis after a data breach. Forensic data is what enables incident response teams to investigate security events, and when bad actors eliminate it the investigation is delayed or led astray.
Organizations must adapt their security strategies to defend against the risks of incidents where threat actors take steps to avoid or erase digital evidence. It is urgently necessary to advance incident response maturity. This includes configuring systems to capture high-fidelity data, implementing advanced digital forensics and incident response (DFIR) tools and policies, and ensuring that incident response teams are trained and equipped to fulfill their functions in environments where forensic data may be restricted.
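One concrete form of "capturing high-fidelity data" that survives an attacker's clean-up is making the log itself tamper-evident. The following is an added example, not code from the SANS session or this article: each record carries the SHA-256 of the previous record's hash together with its own content, so removing or editing a record in the middle of the stored log breaks every later link and the break is reported at the exact position. The caveat a practitioner needs is also shown: chopping records off the end is invisible to the chain alone, and is only detectable when the latest head hash was anchored somewhere the attacker cannot reach (for example, shipped to a separate collector), which `verify_chain` accepts as an optional argument. The sample events, hostnames and addresses are constructed for the example.

```python
"""Tamper-evident log chain for detecting erased or altered records.

Added example.  Sample events are constructed and do not come from a
real system.
"""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the very first record


def _digest(prev_hash, seq, event):
    """Hash the link: previous hash, sequence number and the event itself."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(chain, event):
    """Append an event (a JSON-serialisable dict) and return the new record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = chain[-1]["seq"] + 1 if chain else 0
    record = {"seq": seq, "event": event, "prev": prev_hash,
              "hash": _digest(prev_hash, seq, event)}
    chain.append(record)
    return record


def verify_chain(chain, anchored_head=None):
    """Walk the chain and return (ok, explanation).

    Detects a missing or edited record anywhere in the middle.  Tail
    truncation is only caught when anchored_head (the last hash as stored
    off-host) is supplied and compared against the local head.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash:
            return False, f"link broken before seq {rec['seq']} (record {i})"
        if rec["hash"] != _digest(prev_hash, rec["seq"], rec["event"]):
            return False, f"record {i} content does not match its hash"
        prev_hash = rec["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, "head does not match anchored head (possible truncation)"
    return True, "chain intact"


def build_sample_chain():
    """Constructed sample events for a single workstation (not real data)."""
    chain = []
    for event in [
        {"ts": "2025-05-01T10:00:00Z", "host": "ws-17", "msg": "user login", "user": "alice"},
        {"ts": "2025-05-01T10:02:11Z", "host": "ws-17", "msg": "new service installed"},
        {"ts": "2025-05-01T10:05:43Z", "host": "ws-17", "msg": "outbound connection", "dst": "203.0.113.9:443"},
        {"ts": "2025-05-01T10:06:00Z", "host": "ws-17", "msg": "audit log cleared"},
    ]:
        append_record(chain, event)
    return chain


def without_record(chain, seq):
    """Return a copy of the stored log with one record missing (test condition)."""
    return [r for r in chain if r["seq"] != seq]


if __name__ == "__main__":
    log = build_sample_chain()
    head = log[-1]["hash"]                      # imagine this was shipped off-host
    print(verify_chain(log, anchored_head=head))
    print(verify_chain(without_record(log, 1)))           # gap in the middle
    print(verify_chain(log[:2]))                          # truncation, no anchor
    print(verify_chain(log[:2], anchored_head=head))      # truncation, anchored
```

The last two calls make the point that matters for incident response planning: without the off-host anchor the truncated log verifies as intact, so the chain must be paired with a collector that records the current head, not used on its own.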
Attack Technique #5: AI Regulatory Threats
Most organizations are likely aware that the era of AI will bring new and evolving risks along with the advanced functions and processes that it can enable. The final threat explored in the keynote session is the legal and regulatory risks that will arise from security practices empowered by AI. Security teams may be able to increase the efficiency and efficacy of their operations with the help of AI, but the regulatory landscape is fraught and may limit organizations’ use of AI.
The conflict between privacy regulations and defensive monitoring may present problems for organizations hoping to protect against AI-enhanced attacks. Organizations must take a proactive approach to issues of AI governance and legal compliance in order to maintain effective security measures while staying in line with privacy regulations.
Conclusion: Cybersecurity as a Leadership Issue
The SANS keynote session at RSAC 2025 underlined a number of trends that are likely to become significant issues for organizations in the coming year and beyond. “It’s on enterprises to develop the defenses and hire the people they need to keep their data, employees, and customers secure,” says Rob T. Lee, Chief of Research and Head of Faculty at SANS Institute. To this end, organizations should begin with “assigning an HR business partner to cybersecurity to ensure they’re hiring people with the right skillsets the team needs,” followed by “investing in consistent training and upskilling to stay educated on protecting all aspects of their organization from these new defensive techniques is imperative.”
The convergence of risks related to cloud environments, operational processes, and regulatory issues has created a landscape that organizations must keep an eye on and respond to. Cyberthreats are no longer necessarily focused on digital assets or networks, but now impact entire business ecosystems, including physical components. It is vital for organizations to foster cross-functional, executive-level engagement with threat intelligence in order to maintain comprehensive security strategies against new and evolving attack techniques.