RSA Conference 2025 day 3: key insights

Today was a productive day at the RSA Conference 2025. The sessions offered valuable insights, and I managed to explore the Expo floor, connecting with several innovative companies specializing in Security Awareness training solutions.

Sessions I attended

Expose and Disrupt: Build your Attack Paths & Turn the tables on Attackers

Lindbergh Caldeira and Ben Cooper from SA Power Networks shared their journey of transforming their Security Operations Center (SOC) from a traditional approach to one leveraging attack paths.

When they joined the organization in 2019, its security maturity was at level 1 of the Security Operations Maturity Model (SOMM). Over time they brought it up to level 3. A red team exercise then showed that the red team could still obtain domain admin access, which made clear that the SOC still thought mostly like a defender and too little like an attacker.

Security Operations Maturity Model (SOMM)

This realization led them to implement attack paths.

SA Power Networks wrote a Python script that pulls data from several security tools, including CrowdStrike (vulnerability management and identity protection), Microsoft Entra, and Proofpoint (email security), and combines it into visual attack paths running from entry points to critical assets.

Example attack path

They demonstrated several attack path visualizations produced by this script, which now help them address security risks more effectively and improve the SOC’s understanding of the network. Benefits of this approach include:

  1. SOC defenders adopting more of an attacker’s mindset
  2. Easier identification of vulnerable endpoints
  3. Higher-impact risk remediation with lower effort
  4. Better understanding of technical and non-technical constraints
  5. Improved insights into the organization’s security landscape through environment graphing
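As an added example (mine, not the SA Power Networks script), the block below shows how a graph of this kind can be assembled from a few feeds and how it supports the "higher impact, lower effort" point: once every path from the entry points to a critical asset is enumerated, the node that sits on the most paths is the fix that removes the most risk. The feed contents, node names and edge semantics are constructed assumptions: a phished user yields their credentials, an exposed vulnerability yields code execution on the host, a logon session lets an attacker with admin rights on that host dump the account's credentials, and admin rights let an account move to the host.

```python
"""Attack-path graph from several security feeds.

Added example, not the SA Power Networks script. The feeds below are
constructed stand-ins for what a vulnerability scanner, an identity-
protection product and an email-security product would export; the node
names and the meaning of each edge type are assumptions.
"""
from collections import Counter

# --- constructed sample feeds (not real data) -------------------------------
# Vulnerability management: hosts with an exploitable, internet-exposed finding.
EXPOSED_VULNERABLE_HOSTS = {"web01"}
# Email security: users who fell for a phish; their credentials count as lost.
PHISHED_USERS = {"alice"}
# Identity protection: hosts on which each account currently has a logon
# session (admin on the host -> that account's credentials can be dumped).
SESSIONS = {"svc-backup": {"web01", "ws-alice"}, "bob": {"ws-bob"}}
# Directory / identity protection: hosts on which each account is local admin.
ADMIN_TO = {"alice": {"ws-alice"}, "svc-backup": {"fileserv", "dc01"}, "bob": {"dc01"}}
CRITICAL_ASSETS = {"dc01"}
ENTRY = "entry"  # synthetic node: the attacker, outside the network


def build_graph(exposed, phished, sessions, admin_to):
    """Directed graph as {node: {nodes reachable in one attacker step}}."""
    g = {}

    def edge(a, b):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set())

    for host in exposed:
        edge(ENTRY, host)       # exploit the exposed vulnerability -> code exec on host
    for user in phished:
        edge(ENTRY, user)       # phish -> attacker holds this user's credentials
    for user, hosts in admin_to.items():
        for host in hosts:
            edge(user, host)    # user's credentials -> admin on host
    for user, hosts in sessions.items():
        for host in hosts:
            edge(host, user)    # admin on host -> dump the account's session creds
    return g


def find_paths(g, start, targets):
    """All simple paths from start to any target node (depth-first search)."""
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in sorted(g.get(node, ())):
            if nxt not in path:          # simple paths only: no revisits
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return paths


def choke_points(paths):
    """Intermediate nodes ranked by the number of attack paths through them."""
    counts = Counter()
    for path in paths:
        counts.update(path[1:-1])       # exclude the entry node and the target
    return counts.most_common()


def paths_after_removal(g, node, start, targets):
    """Paths that survive if `node` is remediated, i.e. cut out of the graph."""
    pruned = {n: {m for m in nbrs if m != node}
              for n, nbrs in g.items() if n != node}
    return len(find_paths(pruned, start, targets))


if __name__ == "__main__":
    g = build_graph(EXPOSED_VULNERABLE_HOSTS, PHISHED_USERS, SESSIONS, ADMIN_TO)
    paths = find_paths(g, ENTRY, CRITICAL_ASSETS)
    for path in paths:
        print(" -> ".join(path))
    for node, count in choke_points(paths):
        remaining = paths_after_removal(g, node, ENTRY, CRITICAL_ASSETS)
        print(f"remediate {node}: on {count} path(s), {remaining} path(s) remain")
```

On this constructed data there are two paths to dc01, one starting from the phished user and one from the exposed web server, and both run through the svc-backup service account. Fixing that one account (removing its standing sessions on workstations and web servers, or its admin rights on the domain controller) cuts both paths, whereas patching web01 alone leaves the phishing route intact.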

I found this approach particularly effective for vulnerability management and prioritizing remediation efforts. I recently presented a similar concept to the Dutch CISO Community (detailed write-up coming soon). However, I wish security vendors would integrate this approach into their tools rather than requiring custom Python scripts. If you know of vendors offering comparable capabilities, please share in the comments!

Why is Ransomware Still a Thing in 2025?

Christiaan Beek from Rapid7 explored the persistent threat of ransomware and its future evolution.

Ransomware targeting strategies have shifted over time. Initially, attackers focused on large organizations with substantial financial resources. Now, as these larger targets enhance their defenses, ransomware groups are increasingly targeting smaller organizations and any entity they can successfully extort.

The Economics of ransomware

Beek presented the annual ransom payment totals, noting these figures likely represent the lower end as many payments go unreported:

Year   Ransom paid
2019   1.1 billion USD
2020   999 million USD
2021   20 billion USD
2022   567 million USD
2023   1.25 billion USD
2024   813 million USD

Notable drops in 2022 and 2024 coincided with law enforcement actions against specific ransomware groups. However, the overall payment amounts remain staggering.

Ransomware profits fuel further criminal innovation, as groups reinvest in more sophisticated tooling. Zero-day vulnerabilities sold on the dark web are particularly popular with these groups: with millions in annual revenue they can easily spend hundreds of thousands on a zero-day to extend their attack capabilities, which is one more reason not to pay ransoms.

Ransomware Innovation Trends

Ransomware groups continue to innovate in several ways:

  • Switching programming languages to evade detection
  • Expanding beyond Windows and ESXi to target different platforms
  • Experimenting with new encryption schemes, or abandoning encryption altogether in favour of extortion based on stolen data alone
  • Leveraging LLMs to build malware, craft phishing emails, and deploy chatbots
  • Shifting focus from endpoints to edge devices

Edge devices present unique security challenges, as they typically lack self-protection capabilities: it is generally not possible to install an EDR agent on a firewall or VPN concentrator, so a compromise there shows up, if at all, only in the device’s own logs or in network telemetry.

Despite their innovations, ransomware operators often take shortcuts, sharing source code among groups and reusing published code.

Future Developments

Ransomware groups collect extensive data during attacks but currently use it primarily as ransom leverage. By applying AI to analyze this data they could extract valuable information such as credentials, API keys, intellectual property and other sensitive content, enabling more sophisticated follow-on attacks or justifying higher ransom demands.
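To make concrete what "extracting credentials and API keys" from a data haul involves, here is an added example (mine, not anything from Beek’s talk) of credential triage over a constructed dump: fixed-format secrets are found by their prefix, and generic name=value assignments are kept when the value looks random enough to be a real secret. No AI is needed for this step. The patterns, the entropy threshold and the sample content are assumptions; the AWS values are the placeholder keys from AWS’s own documentation, not live credentials. Run over your own file shares, the same scan shows what an intruder would harvest from them.

```python
"""Credential triage over a constructed data dump.

Added example, not part of the talk. Shows that pulling credentials and
API keys out of stolen data needs nothing more than pattern matching plus
an entropy filter; patterns and the 3.5-bit threshold are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample "exfiltrated" content. The AWS values are the
# documentation placeholders AWS publishes, not live credentials.
DUMP = """\
# backup.sh
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password=changeme
api_token="Zq8vT3pLx91KcWn4RbYs7HdF"
-----BEGIN RSA PRIVATE KEY-----
(key body omitted in this constructed sample)
"""

# Fixed-format secrets: the prefix alone identifies them.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Generic "name = value" assignments whose name suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)\b([\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*)"
    r"\s*[=:]\s*[\"']?([^\s\"'#]+)"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune on real data


def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text):
    """Return (line_no, kind, name, value) for each candidate secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in FIXED_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # A default or dictionary word such as "changeme" is still worth
            # reporting, but separately from values that look like real keys.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                kind = "high_entropy_secret"
            else:
                kind = "low_entropy_value"
            findings.append((line_no, kind, name, value))
    return findings


if __name__ == "__main__":
    for line_no, kind, name, value in scan(DUMP):
        print(f"line {line_no}: {kind:<20} {name} = {value[:8]}...")
```

The entropy filter is what keeps the generic rule usable: it separates `api_token="Zq8v..."` from `db_password=changeme` without a dictionary, and the same threshold applied to a large share will surface the handful of values worth rotating first.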

Additionally, recent years have revealed more vulnerabilities at the firmware and CPU levels. Ransomware groups are experimenting with these to plant malware in the CPU itself, below the operating system, where EDR tools cannot see it and a reinstall does not remove it. Criminal groups have not fully realized this capability yet; nation-states likely already possess it.

CPU-level attacks are a particularly concerning threat, as current defense tools offer little protection once malware sits below the operating system. The best current strategy is defense-in-depth: combining email security, identity protection, EDR, and NDR to detect and stop an intrusion before the attacker gains the privileges needed to tamper with firmware or the CPU.

The Five Most Dangerous Attack Techniques… And What to Do for Each

The day concluded with the annual SANS Institute keynote featuring four analysts presenting their findings from the past year:

Joshua Wright

Wright discussed how adversaries exploit privileged accounts in unexpected ways. He highlighted both the advantages and the significant risks of centralized account management: single-pane-of-glass administration is convenient, but it creates a high-value target, because an attacker who compromises an SSO account gets everything that identity is entitled to.

Tim Conway (ICS and OT specialist)

Conway identified two critical trends:

  1. The rise of ransomware specifically targeting ICS and OT systems. While equipment manufacturers are improving security, organizations often disable these protections, or attackers find ways around them.
  2. Nation-states targeting critical infrastructure not for ransom but to gather intelligence and potentially cause physical destruction.

Heather Barnhart

Barnhart addressed insufficient logging practices, where organizations become their own worst enemies. Without proper logs, there’s no data for incident responders to investigate, essentially working blind. Her message was clear: prioritize comprehensive logging.

Rob T. Lee

Lee began by discussing attackers’ use of AI, claiming it is already 93% accurate and faster than traditional methods when conducting attacks.

He then went full-on American and started ranting about regulation and how it hampers defenders. His proposed solution was exemptions in regulation that would allow security personnel to bypass it. When asked, he specifically wanted to bypass the GDPR. It quickly became apparent in the discussion that his understanding of the GDPR and European regulation was extremely limited.

Personally I’m happy that regulation exists and restricts us around privacy. I wouldn’t want to live in an Orwellian state where big brother is watching us.

Comments

2 responses to “RSA Conference 2025 day 3: key insights”

  1. roel de bruijn

    thanks for sharing again, and looking forward to your attack paths through vulnerability management insights next week in Eindhoven !

  2. Thomas Zaatman

    Great post, Mark.

    It’s impressive to see how SA shifted their SOC mindset and used attack path visualizations to drive smarter remediation.

    At Tanium we’ve seen similar value through our Impact module, which helps organizations visualize potential lateral movement paths at enterprise scale without needing to build custom scripts. Tanium Impact analyzes relationships between users, groups, and endpoints, and includes session data to surface risks like credential reuse or dumpers. It also assigns impact ratings to highlight which assets pose the greatest risk if compromised, so teams can focus remediation efforts where it matters most.

    For those exploring native solutions that support this kind of attack path thinking, more details on Tanium Impact are available here:
    https://www.tanium.com/blog/guard-against-lateral-movements-in-cyberattacks/
