Lookout's Jim Dolce joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the advantages of Secure Service Edge.

COVID and the work-from-home push accelerated many organizations' plans for digital transformation, but the rush to push applications and workloads to the cloud inadvertently created gaps. By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings onto a single platform, according to Jim Dolce, CEO and chairman of Lookout.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lookout: Getting It Right at the Secure Service Edge

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSA CONFERENCE 2022 – San Francisco – At the Moscone Center on Monday, RSA Conference program committee chair Hugh Thompson's happiness was palpable. He told a cute story about his kids learning to hack during the COVID-19 lockdown and exulted in holding the Innovation Sandbox competition in person.

"You will not be able to walk out of this place today without being so excited about the kinds of innovation that are happening in security today," Thompson said.

At the in-person 2022 Innovation Sandbox, representatives from 10 cybersecurity startups made their case for having the most innovative technology in the sector. Each finalist had three minutes to pitch their tech to a panel of experienced judges. The judges were Dorit Dor, chief product officer of Check Point Software; Paul Kocher, independent researcher and founder of Cryptography Research (who Thompson called the "Simon Cowell of the judging panel"); Niloo Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft.

Thompson brought Dor and Howe to the stage to discuss the judges' deliberations and announce the winner. He tried to gin up some good-natured drama by asking about altercations and pointing out the judges' lack of obvious injuries.

"There was a big dispute," Dor acknowledged, but Howe assured him, "We're not bloodied or bruised."

Both Howe and Dor had high praise for all 10 companies. "There are many good technologies out there, and it was not an easy selection," Dor said.

Added Howe: "There was conversation about every single company. The top 10 are really fantastic, solving really important problems."

First Thompson announced the top two: Talon Cyber Security and BastionZero. Ofer Ben Noon, co-founder and CEO of Talon, and Shannon Goldberg, CEO of BastionZero, shook hands with everyone. Goldberg even hugged Noon.

Dor called Talon's custom browser portal a "legit alternative that brings simplicity and manageability" for organizations with distributed workforces. Howe praised BastionZero for tackling the "really important problem of management of sessions connecting into the infrastructure."

But in the end, there could be only one winner — and it was Talon.

Here's how the presentations went down.

**The 10 Contestants**

The first contestant was Leonid Belkind, CTO of Torq, which Thompson described as "no-code automation for security teams." Belkind ran through his spiel in exactly three minutes "to the second," Thompson marveled.

The first judge question was from Kocher, who asked, "If someone isn't technical enough to write code, how are they going to understand what they're going to screw up with their automation?" Kramer asked about departments that don't want to collaborate with security teams, while Howe pointed out that in the crowded no-code sector, Torq would need to displace an existing contender.

Next up was Ben Noon, whose company's tagline is "solving security for hybrid work and unmanaged devices." He made a compelling case, saying, "Your browser is your front door," and it's been left open. The company built a secure corporate portal in Chromium with a user experience like Google Chrome and a backend that provides visibility and malware protection.

Then Sevco Security co-founder and CEO J.J. Guy presented for his company, "the starting point for all of your security activities." The company's tech aims to make a complete inventory of all devices connected to an organization to improve asset management.

The fourth contestant was Giora Engel, CEO and founder of Neosec, which is "reinventing API security by bringing XDR techniques and true behavioral analytics." His company addresses what he calls "the API blindspot" — B2B APIs, which are overlooked while people address B2C concerns.

Vladi Sandler represented Lightspin, which sells "graph-based cloud security built by and for cloud engineers." Refreshingly, the CEO mentioned 50% female representation on staff as a differentiating factor. Kocher tried to earn his Simon Cowell rep by saying, "So on Amazon's website I had to turn off One-Click ordering because I kept getting the wrong stuff. You claim on your website that in one click, you can remediate problems. Should I be scared by that?" Sandler rejoined that he trusts his team's skills, and Thompson gently ribbed Kocher about his Amazon problem afterward.

David McCaw co-founded Dasera, which is "helping cloud-first organizations operationalize data governance," according to its tagline. "We think DataGovOps is going to be the next revolution and finally solve the data challenges we've been facing for a long time," he asserted.

Cycode, which provides "complete software supply chain security," was represented by CEO and co-founder Lior Levy. Dor dropped a judge's question that brought laughs to the room: "How do you convince developers to fix their code?" Levy responded that his company helps developers implement bug fixes within their existing workflows and adds in automation "so they don't get frustrated."

"Bringing incident response into the cloud era" is Cado Security. CEO and co-founder James Campbell compared the manual process of investigating and responding to cloud incidents to the tedious procedure for creating a mix tape (Gen X represent).

"Is data collection happening before an attack or after an attack?" Kramer asked. "Is it part of the investigation, or is it part of the ongoing process?" The answer was that it depends on which services a customer uses.

Goldberg showed up to talk about her company BastionZero, which says it is "redefining zero trust for access to cloud infrastructure." Thompson asked Kocher, who co-created the SSL protocol, to ask a question. He obliged by asking whether organizations should use BastionZero or the strong encryption of a YubiKey to replace passwords.

Goldberg answered, "You should use us, for sure, absolutely," which again brought laughs, but she continued by saying that the separate authentication path could include things like YubiKeys.

Araali Networks, whose tagline was "surviving intrusions in cloud-native environments," closed out the contest with co-founder and CEO Abhishek Singh. The judges asked several technical questions about how the system handles various situations and configurations, which Singh handled ably.

"It works out of the box for Google, Amazon, and Azure," he assured Microsoft's Young. "Any system that works with Linux ... is ready to work with us."

**In-Person Do-Over for Apiiro**

    

Source: Screen-grab from RSA Conference

One of the most poignant moments came at the beginning of the show: Thompson brought up the winner of the 2021 Innovation Sandbox, which was held virtually, so that he could have his in-person moment of glory. Idan Plotnik, co-founder of Apiiro, shook Thompson's hand and told him his company had increased its revenue by 398% in the past year.

"Everything changed," Plotnik said.  

The 10 finalists, in alphabetical order, were:

1.  Araali Networks
2.  BastionZero
3.  Cado Security
4.  Cycode
5.  Dasera
6.  Lightspin
7.  Neosec
8.  Sevco Security
9.  Talon Cyber Security
10.  Torq

For more about each of these companies, read our contest preview.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

The new ransomware strain Black Basta is now actively targeting VMware ESXi servers in an ongoing campaign, encrypting files inside a targeted volumes folder.

The Black Basta ransomware emerged last month to target Windows-based systems only, but now the latest ransomware binary is going after VMware virtual machines (VMs). 

The latest variant looks to encrypt VMs present inside the volumes folder (/vmfs/volumes) on ESXi-based systems and servers, according to research shared with Dark Reading by Uptycs. It uses the ChaCha20 algorithm to encrypt the files, researchers say, and also multithreading for encryption to utilize multiple processors and make itself faster and harder to detect.

“Provided that the resources on the servers are much more than on a normal system, using these kinds of mechanisms makes the ransomware work much faster for encrypting files,” explains Uptycs security researcher Siddharth Sharma.

He tells Dark Reading that the attackers are constantly making advancements in the malware attack chain to target more and more victims – just like in this case, which the team could see by the addition of the "\*nix" component inside the binary.

“Most of the organizations that have private clouds based on VMware ESXi hosts, or organizations that use ESXi hosts to store data and other operational work, it becomes important to keep a close eye and monitoring mechanisms on sensitive folders \[and data\] present inside the systems and servers,” he said.

During Uptycs’ investigation and analysis of the ransomware binary, it found evidence indicating that the actors behind this campaign are the same ones behind early Black Basta campaigns.

“We found the onion link for the attacker's chat panel was the same as previous versions of the Black Basta ransomware binaries, which targeted Windows systems,” Sharma said.

Along with that, the extension used by the ransomware binary on encrypted files was the same as previous versions (.basta).

The Uptycs finding follows research by the NCC Group, which Tuesday uncovered a new partnership between Black Basta and the Qbot (aka Qakbot) malware family, which steals bank credentials, Windows domain credentials, and delivers malware onto infected systems.

During a recent incident response, the Black Basta gang was observed using Qbot to spread laterally throughout the network.

“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network," the report stated.

Other hallmarks of the campaign included:  

*   Gathering internal IP addresses of all hosts on the network.
*   Disabling Windows Defender.
*   Deleting Veeam backups from Hyper-V servers.
*   Use of WMI to push out the ransomware.

YouAttest CEO Garret Grajek tells Dark Reading that the key takeaway from this advisory is the collaboration and integration of hacking components and groups.

“One group discovers the vulnerability, another creates the exploit, and yet another mans the C2 \[command and control\] center to receive the communication from the infected host,” Grajek says. “The seriousness and efficiency of the collaboration cannot be underestimated.”

He advises enterprises to implement concepts like zero trust and stringent identity governance to know what permissions they have granted to all accounts -- and to watch for any changes.

Black Basta Ransomware Targets ESXi Servers in Active Campaign

Physical access matters in keeping people and buildings safe. Points to consider when establishing a physical security protocol are ways to lock down an area to keep people safe, approaches to communicate clear safety directions, and access control.

As organizations around the world fortify their systems against the threat of cyberattacks, it’s imperative businesses and cities don't neglect the potential harm from a physical threat. Recent attacks in Sacramento and Brooklyn are horrific examples of the threats that can impact cities without warning.

Attacks that occur in broad daylight and outdoors are difficult to protect against, especially in the immediate surrounding areas. How and when should nearby buildings lock themselves down and maintain access control? What protocols should businesses have in place for when sudden violence arises?

While every building and business will vary in its risk tolerance and security needs, there are several best practices that all should consider when establishing a physical security protocol.

**Understand the Immediate Priorities During Attack**

In a situation of sudden violence, the first priority of any building or business in the surrounding area must be to lockdown its premises to keep employees, guests, and customers safe. In any zones in which the threat is unknown or unidentified, locking down is the safest immediate response. Secondly, communicate clear directions to those in your building or campus, especially if it is sprawling. For example, hospitals and college campuses are large areas where it can be difficult to communicate to everyone at once – having an emergency communications mechanism in place such as mass texts or mobile alerts systems alleviate any confusion.

The third and final priority is access control. Credentialed access in secure areas is critical in times of unexpected violence, when tensions run high and focus is diffused, creating extra security vulnerabilities. Local safety/lockout capabilities can be implemented in many forms, from PIN codes that initiate certain levels of threat protection to duress buttons and duress digits allowing for more specific annunciation of problems, communication, protection, and ultimately escape to safety, which are the goals of a threat-protected environment. At their core, each tactic must be part of a plan for easing the minds of your stakeholders and maintaining secure protocol.

**Recognize Your Business's Specific Threat Levels**

No building or business is built the same. Federal buildings, for example, are more likely to fortify using armed security guards, bulletproof glass, and duress buttons (or panic buttons), while commercial buildings are more likely to invest in high-tech systems such as video analytics and to regularly update access-control protocols.

Threat levels and their applicable security response are solely at the discretion of the businesses developing them; what might be mundane for one business, such as a crowd forming outside a building, might spike a security response for another if it is in a higher-risk industry or area. Organizations _must_ understand what constitutes a deployment action at each threat level and assess a risk as accurately as possible. Gradually ramp up threat levels as a situation develops to maintain order and peace of mind for stakeholders.

**Familiarize Yourself With the Tech Options at Hand**

An ideal security system has integrated access control, video intelligence, and audio interaction — the analytics these technologies provide can help inform your access-control response to understand real, verified threats.

A threat should be able to be identified visually and audibly, making audio information available to tell people in the locked-down locations what is happening and what they should do. Areas remote from the threat should be identified and those people in the safe zone told how and where it is safe for them to evacuate to, avoiding the danger zone. With video intelligence well-integrated with access-control measures, areas can be locked and unlocked as the threat moves, protecting people at risk while identifying the suspect, and allowing escape for every person who's not in the danger area. Ideally an active, intelligent, access-control system can even help with the apprehension of violent actors by locking them into an empty zone, if the opportunity presents itself.

**Key Takeaways**

To prepare for future instances of unexpected violence, business leaders should work with their CSOs, IT managers, and facilities managers to assess vulnerabilities in access control and brainstorm the best way to make sure only the most essential people are entering (or leaving) your premises.

Decentralize your access control and use a combination of physical and digital methods. Do not allow for one point of access that could be easily compromised (such as a central server), instead consider cloud-based options that provide backups from anywhere, and make sure your access-control system can be locked and unlocked remotely and in zones.

Physically, you should be establishing individual tokens and identities for your employees to ensure that the person gaining access to your building is really them. A card reader is great, but anyone who has that card can enter the building unless they are verified against an established identity. 

It's time to move from a reactive physical security stance to one that looks at existing operations and incorporates newer digital methods of monitoring and managing physical security threats.

How Do We Secure Our Cities From Attack?

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

RSA CONFERENCE 2022 — Even the most future-facing panels at the 2022 RSA Conference in San Francisco are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said moderator Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where-all we were using \[DES\], and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

**A Brief Explanation of Quantum Computing**

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel. He explained, "For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well. There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve very efficiently."

These problems that quantum computers handle better than conventional computers are called np-hard problems. "A lot of cryptography, specifically in asymmetric cryptography, relies on these np-hard type problems — things like elliptic curve cryptography; the RSA algorithm, famously — and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet. Toohey said, "To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1-10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits. Today, right now, the largest quantum computers are somewhere around 120 physical qubits." He estimated that to even muster the first logical qubit will take three years, and from there, it's got to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another of the technical challenges that needs solving before we get these powerful quantum computers is the cooling systems they require. As Toohey said, "Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures. So because of that, quantum computing architecture is incredibly expensive right now." Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are 8-10 years away. But that doesn't mean we have a decade to address PQC.

**Now Is the Time**

The panel was named for the journalistic model of five questions that start with w, but that didn't come up until late in the audience Q&A portion. Miller said, "Sam was asking the what, the who, the why, the where, and the when. So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: now. Miller said, "You've gotta start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along."

Phillips concurred, saying "There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work there to move it forward because people recognize the benefits that are there, and we are recognizing the risk. We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning your preparations with a crypto inventory — again, _now_. "Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

"What we're trying to do right now is drive ourselves toward a goal: five years" until Wells Fargo is ready to run post-quantum cryptography, Miller said. "The key is: large company, five years, is a very aggressive goal. So, the time to start is now, and that's one of the most important takeaways from this get-together."

**Crypto Agility Gets You to Quantum Resilience**

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next. "The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toomey agreed on the importance of agility. He said, "Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition. We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it. Phillips said, "Don't just focus on the algorithms. Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

**You've Got to Have Standards**

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer is: not yet.

The lack of certainty is no cause for inaction, Miller said. "So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there. Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner without disrupting business or breaking your business processes and be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play. Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing _now_: "That way, when NIST finally finish publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it."

He added, "That's going back to crypto agility, and this mindset that we need to be able to plug and play, we need to be able to pivot as an industry very quickly to new and developing threats."

Now Is the Time to Plan for Post-Quantum Cryptography

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

An Emerging Threat: Attacking 5G Via Network Slices

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

A full 77% of tech executives say they'll increase spending in zero-trust architecture in the coming year.

Executive leaders across organizations are prioritizing zero-trust security strategies in the next year, as organizations hope to build significantly on early baby steps in these initiatives.

According to a new survey out from the Cloud Security Alliance (CSA), 80% of CxO technology leaders report that zero trust is a significant priority for their organizations, with 77% of executives saying that they'll increase spending to support this prioritization.

The added zero-trust funding will be significant at many organizations, with more than two in five executives reporting an increase of 26% or more.

"With the advancement of digital transformation, the shift of the workforce during the pandemic, and the announcement of the US executive order on cybersecurity, zero trust has taken a front seat as a promise for protecting enterprises," says the report, which details results from a survey of more than 800 IT and security professional worldwide, including responses broken out from more than 200 C-level executives.

The study shows that zero-trust strategies are still a relatively a new cybersecurity roadmap for most organizations, with 53% of organizations saying their initial implementations of zero-trust strategies were put underway fewer than two years ago. The standards they're using to guide strategic planning are all over the map, with a fairly even distribution across CISA, Forrester ZTX, IEEE, NIST, and CSA standards. The front-runner by a plurality was the CISA standard, with 33% of organizations reporting they use it to guide their zero-trust strategy.

Zero trust is an evolving model of security developed to tie together many long-running security concepts of least privilege, conditional access based on risk factors, and segmentation — not only at network levels, but also down to the application and workload level. At its heart, the core concept is eliminating the implicit trust on the network that IT has long afforded users and devices once they log in with their password.

The goal is to replace that with a more adaptive and continuously assessed mode of granting access that provides limited access and bases it not just on identity, but also on operational and threat context. Executing on this takes a lot of moving parts, including strong identity and access management (IAM), effective network policy enforcement, strong data security, and effective security analytics. Many of these are areas that organizations have already put significant cybersecurity investment into in the past — it's just a matter of integrating and creating a more effective architecture to utilize these investments.

Given that, it's not a surprise that in spite of many organizations saying it's only been a year or two since they started on their zero-trust journey, respondents to this survey reported that they were slightly to moderately mature in core zero-trust areas like endpoint/device maturity, application security, IAM, data-flow management, network-security management, and user behavior and asset management.

Fundamental policy, architectural, and integration work separates the pretenders from the contenders when it comes to executing a zero-trust strategy. According to Eric Bednash, CEO of RackTop systems and a longtime security and tech practitioner in the defense and financial worlds, organizations have to start their zero-trust journey by understanding how IT and security stacks all tie together.

"It's about starting with a strong view of your overall architecture and business processes, and understanding how it all ties together. It goes beyond any single element. It's important to remember that zero trust is not a thing, it's a prescribed way of being," he says. "It's a guideline for how everything should interoperate. It's not like, 'This is a zero-trust thing and this is not a zero-trust thing.' It's a methodology. There are no shortcuts, which is why it's so hard to implement."

Doing it right requires a lot of executive buy-in, adequate expertise and staffing, and smart change management. According to the CSA survey, 40% of organizations reported a lack of knowledge and expertise, 34% said they didn't have internal alignment or buy-in, and 23% said a resistance to change was blocking the way.

In many ways, getting through these business and process barriers will require both diplomatic and disciplined communication, experts say.

"To effectively manage the change, you need to telegraph your moves and implement small changes gradually. You may know where you want to go, you may even have contracts signed for your cyber solutions, but you can't implement everything at once. It will be too unsettling," says Amit Bareket, CEO and co-founder of Perimeter 81. "The art of change management is knowing how much to implement — so don't change too much at once, yet don't drag out the process indefinitely."

How the C-Suite Puts Shoulders Into Zero Trust in 2022

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

RSA CONFERENCE 2022 – San Francisco – A catastrophic pandemic, an escalating war in Eastern Europe, and the Colonial Pipeline ransomware shutdown are all in their own ways recent seismic disruptions that forced external change on the cybersecurity sector. 

That was the word from RSA CEO Rohit Ghal, who used the opening keynote of this year's RSA Conference to encourage cybersecurity leadership to embrace intentional transformation – with the goal of coming out on the other side of these cascading disruptions stronger and better than ever.  

"Transforming security will require us to reorient our thinking," Ghal said. 

To accomplish that goal, he shared three core ideas he thinks will help set the information-security community on a path that will enable it to use recent events to crystalize and transform into something better. 

**1\. Rethinking Identity **

First, Ghal suggested that a focus on user identities is the future, and figuring out how to center access on identity without traditional access mechanisms (i.e., passwords) is the way forward.

"Identity is the one constant in cybersecurity," he said. "It's time to hold a requiem for passwords." 

Ghal called for the industry to focus on creating a single, decentralized, infrastructure-agnostic platform that puts control back in the hands of users. 

**2\. Truth Matters **

Next, Ghal said that protecting the veracity of information is going to be a key role for cybersecurity in the coming years. Fake news and misinformation have emerged as powerful weapons to bring down institutions and more.

"What matters most is the truth, the veracity of information," he said. "Hacked brains are way more dangerous than hacked systems." 

Ghal added that a disciplined application of technology is the solution to weeding out bad information, and the only real way to verify whether information is true is to authenticate its creator . 

**3\. Convenience Shouldn't Win **

When it comes to the well-worn debate over whether security is too onerous for users to adopt, Ghal called on the industry to ditch its old "dogmas."

"We need to stop sacrificing security at the altar of convenience," he said.

The answer, Ghal said, will lie with innovators, who have the "most important role." 

"Innovation grows the pie and delivers new benefits," he said. 

The sector shouldn't wait for a comparable "cybersecurity pandemic" to force change, Ghal added.   

"Transforming security will require us to reorient our thinking," he said.

Source

DARKReading