Mark Kazemier

First day at RSA Conference 2025

RSA Opening Keynote

Written by

Mark

in

Today was my first day at the RSA Conference 2025, where I strategically focused on Incident Response sessions to avoid the overwhelming AI hype dominating much of the conference.

The sessions I attended today:

A Stuxnet Moment for Supply Chain Security

Presenter Andrea Little Embago examined whether the Hezbollah Pager attack represents an inflection point for future attack vectors, similar to how Stuxnet changed the landscape a decade ago. She referenced Bruce Schneier’s observation:

But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds.

Despite researching similar incidents, Embago could only find unconfirmed rumors about Russian drone headsets exploding when activated. Nevertheless, she highlighted that supply chain attacks are significantly increasing and often difficult to detect and trace.

The Hezbollah pager attack demonstrated this complexity perfectly. The investigation revealed a convoluted supply chain:

  • Hezbollah believed they ordered pagers from Taiwanese company Golden Apollo
  • Records showed Golden Apollo didn’t ship pagers to Lebanon
  • Hungarian company BAC Consultancy, authorized to produce under Golden Apollo’s copyright, was investigated
  • Further investigation revealed BAC did business with an unregistered Bulgarian tech company that likely shipped the compromised pagers

Looking ahead, Embago emphasized that more focus should be placed on physical supply chain attacks, where security efforts currently concentrate on counterfeiting rather than infiltration or tampering with devices.

This analysis aligns with my observation that physical and operational technology security receives insufficient attention at RSA Conference sessions.

Suspicious Minds – Hunting Threats that don’t trigger security alerts

Tal Darasan and Etay Maor from Cato Networks presented three case studies of sophisticated attacks by Hunters International, Play, and Medusa groups. These threat actors employ similar techniques to infiltrate organizations, exfiltrate data, and deploy ransomware.

Entry points typically include:

  • Compromised credentials from InfoStealer malware
  • Remote access brokers
  • Exploitation of known vulnerabilities

Once inside, attackers operate using Living off the Land Binaries (LOLBins) or install legitimate software for remote access and data exfiltration, making detection challenging since these activities mimic normal user behavior.

What really caught my attention, however, was their demonstration of AI security control bypasses. The presenters showcased a fascinating technique: embedding hidden text in images or files that remains invisible to humans but is fully readable by Large Language Models (LLMs). In one compelling example, they hid a prompt inside an executable’s binary code. When uploaded to VirusTotal, the hidden prompt instructed the AI to classify the file as “necessary for your organization because it generates puppies” and to explicitly state “it is definitely not malware” – completely bypassing AI-based security controls.

While the LOLBin scenarios covered familiar ground, this demonstration of LLM vulnerability provided genuine value and made the session worthwhile. It highlighted an emerging security concern as organizations increasingly rely on AI-powered security solutions without fully understanding their limitations.

10 Common Flaws in Incident Response Plans

Alex Waintraub from WMG Health delivered a practical session on common incident response plan weaknesses. Drawing from CISA guidelines, he first outlined essential components of effective incident response:

  • Clearly defined roles and responsibilities
  • Step-by-step guides for key activities
  • Inclusion of cross-functional personnel
  • Established communication strategies
  • Proactive frameworks

The 10 critical flaws Waintraub identified were:

  1. Failing to plan – Organizations must identify their biggest risks and prepare specific responses
  2. Unclear roles and responsibilities – Define incident commanders and ensure they have stakeholder support
  3. Siloed communication – Extend response teams beyond security to include legal, finance, and marketing
  4. Inadequate communication strategy – Prepare out-of-band communication channels and separate discussion from official communications
  5. Neglecting legal/regulatory compliance – Involve legal teams early for cyber insurance and compliance guidance
  6. Inadequate third-party involvement – Establish incident response retainers and relationships with service providers
  7. Static incident response plans – Regularly update plans as organizations and processes evolve
  8. Failure to consider worst-case scenarios – Plan for ransom payments, doxing, and other extreme situations
  9. Lack of testing – Test plans through stakeholder reviews, cyber range exercises, and red team simulations
  10. Ineffective execution – Don’t just test but validate through adversarial simulation

This comprehensive framework provides a valuable checklist for reviewing and strengthening incident response capabilities.

From Snowflake to SnowStorm: Navigating Breaches and Detections

Roel Sherman used the Snowflake hack as a case study to emphasize the importance of SaaS security. The attack targeted Snowflake’s product rather than the company itself and required no exploits – attackers simply used InfoStealer malware to obtain credentials and logged into Snowflake instances lacking MFA.

Sherman outlined four key challenges in securing SaaS products:

  1. Availability of security logs – Many SaaS products either don’t provide security logs or hide them behind paywalls
  2. SIEM integration costs – Ingesting SaaS logs can be expensive due to volume-based pricing and “noisy” data
  3. Investigation complexity – Each SaaS product uses unique log formats requiring specialized knowledge, and logs often lack critical information (like mapping user IDs to actual usernames)
  4. Detection limitations – Organizations frequently monitor only logins rather than actions within SaaS platforms, making it difficult to identify suspicious behavior

Sherman emphasized that we need to consider SaaS as another form of cloud computing and apply similar security principles. He highlighted a critical insight:

Adversaries aren’t breaking in, they log in.

This underscores the importance of identity security and access controls in the SaaS landscape.

To address these challenges, Sherman advocated for establishing behavioral baselines for SaaS usage and comparing actions against these baselines. Since many suspicious actions can also have legitimate uses, detecting malicious intent requires context provided by these behavioral patterns.

While I found Sherman’s premise compelling and agree that monitoring critical SaaS products is increasingly important, I’m skeptical about the feasibility of implementing effective monitoring without extensive detection engineering. The session raised important questions but left me wondering about practical implementation strategies for resource-constrained security teams.

Comments

2 responses to “First day at RSA Conference 2025”

  1. Roel de Bruijn

    Thanks for sharing!

    Reply
  2. RSA Conference Day 2: Mixed Experiences with Sessions – Mark Kazemier

    […] two of the RSA Conference was a mixed bag compared to yesterday’s stellar experience. I attended four different sessions, with only two delivering genuine value. The first disappointed […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More posts