DeepSurface's Tim Morgan joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how to fortify vulnerability management.

DeepSurface's co-founder and CTO Tim Morgan talks about how context awareness and risk-based prioritization can fortify the processes and activity associated with vulnerability management. Morgan also encourages security pros to look beyond CVSS scores to consider other data types when performing risk assessments, and he’s got some tips for better communicating risks to boards of directors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DeepSurface Security: Risk-Based Prioritization Adds New Depth to Vulnerability Management

Compromised routers, VPNs, and NAS devices from Cisco, Citrix, Pulse, Zyxel, and others are all being used as part of an extensive cyber espionage campaign.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres.

According to a joint alert from Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, the attackers are targeting major telecom companies and network service providers with a set of exploits for known vulnerabilities in a variety of routers, VPNs, and other networking gear, as well as network-attached storage (NAS) devices.

The network devices are then being used as additional access points to route command-and-control (C2) traffic and act as midpoints to carry out network intrusions on other entities, according to the alert — all bent on stealing sensitive information.

The cyberattackers "typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based IP addresses resolving to different Chinese ISPs," the Feds noted. "The cyber-actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber-actors \[also\] use these hop points as an obfuscation technique when interacting with victim networks."

On the obfuscation front, CISA said it has observed the groups monitoring network defenders' accounts and actions, modifying their ongoing campaign as needed to remain undetected.

The groups also "often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network."

    

Commonly exploited bugs used by China-linked threat actors. (Source: NSA/CISA/FBI)

To avoid compromise, users should apply available patches, disable unnecessary ports and protocols, and replace end-of-life infrastructure, the agencies noted.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

China-Sponsored Cyberattackers Target Networking Gear to Build Widespread Attack Infrastructure

Concentric AI's Karthik Krishnan joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how artificial intelligence has transformed the security landscape.

Concentric AI's Karthik Krishnan joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how artificial intelligence has transformed the security landscape.

Dark Reading's Terry Sweeney in conversation with Karthik Krishnan, CEO and founder of Concentric AI

Informa Tech

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI. Krishnan also discusses where AI is best implemented and how the technology is helping to reduce data volumes that inundate most active security operations centers (SOCs).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Concentric: How To Maximize Your AI Returns, In and Out of the SOC

It only takes one successful attack to spell disaster for a company. Learn how to protect your company with this email security best practice guide.

The number of emails sent _each day_ is expected to top 330 billion this year.

Cybercriminals know this, with phishing and other email-targeting tactics the top attack vectors ― because they work so well. And as we discussed in the first article of this two-part series, "For MSPs, Next-Gen Email Security Is a Must," advances in automation have made it easy to run these attacks at scale, with no organization too small to target anymore.

It only takes one successful attack to spell disaster. What can you do to protect your company? Although proper email security is never a walk in the park, we have prepared a checklist of email security best practices for small and midsize businesses (SMBs), divided into three categories: organizational culture, security posture management, and technology stack.

**Organizational Culture**

A security-first organizational culture bolsters email safety by prioritizing the following:

1.  **Clear policies:** Get IT and business leaders to co-formulate clear security policies, including email-specific ones.
2.  **Continuous reinforcement:** Make email security practices part of employee onboarding, ongoing training, and performance reviews.
3.  **Peer buy-in:** Buy-in for the company's security strategy from _non-security_ peers is crucial for good security outcomes for SMBs.
4.  **Learning from incidents:** Leverage email security incidents to address vulnerabilities and finetune policies.

**Security Posture Management**

Here are four best practices for email security posture management that SMBs can adopt:

1.  **Timely incident response:** A _companywide_ incident response plan (that includes notifications, responsibilities, response and mitigation workflows, reporting, etc.) must be regularly tested and updated.
2.  **Data loss prevention (DLP) program:** A DLP program incurs costs, but the ROI is clear when a company can achieve near-zero RPO/RTO outcomes in response to ransomware or other data theft exploits.
3.  **Systematic management of email passwords:** UK survey: 82% of security breaches over the previous year started with weak email passwords. IT should enforce strong, unique passwords that are updated regularly.
4.  **Clear reporting:** Be able to _demonstrate_ diligent tracking of email security metrics and effectively _address_ incidents and vulnerabilities.

**Staying on Top of Technology**

Cyber threats are constantly evolving, increasing the pressure on businesses to optimize and modernize their protection. Ensure that your current email security stack is best of breed and up to date:

1.  **Proactive refreshing of email security stack:** SMBs with a process in place to proactively refresh their security technology stack achieve superior security outcomes.
2.  **SaaS:** A SaaS email security solution ensures continuous improvement while eliminating infrastructure overhead.
3.  **Two-factor authentication (2FA):** An additional authentication step considerably hardens email security. There are plenty of freeware and commercial 2FA solutions out there.
4.  **Multiple, overlapping layers of defense:** Sophisticated exploits require a multilayer defense based on email security gateways; anti-phishing or anti-malware tools; and threat intelligence solutions.

**Using an MSP**

MSPs have the resources and experience to deploy a well-integrated, end-to-end solution that protects their customers' email flows. The benefits of using an MSP include:

*   24/7/365 threat detection and response

*   Scalability

*   Easy integration with existing email infrastructure

*   Flexibility and configurability

It's a win-win solution: The MSP works against the weaponization of email while the SMB can focus its resources on core business activities.

**Acronis and Email Security**

Whether a business manages email security itself or turns to an MSP, having an integrated data protection and cybersecurity solution that secures an organization's online assets — including email — is critical. Learn how Acronis can help with its cyber protection solutions, featuring ML-based anti-malware, antivirus, and anti-ransomware protection, fail-proof patching, continuous backups, safe and rapid recovery, global threat monitoring, smart alerts, and more.

**About the Author**

    

Candid Wüest is the VP of Cyber Protection Research at Acronis, where he researches new threat trends and comprehensive protection methods. Previously, he worked for more than 16 years as the tech lead for Symantec's global security response team. Wüest is a frequent speaker at security-related conferences, including RSAC and AREA41, and is an adviser for the Swiss federal government on cyber-risks. He holds a master's in computer science from ETH Zurich and various certifications and patents.

Cracking the Email Security Code: 12 Best Practices for Small and Midsize Businesses

Lookout's Jim Dolce joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the advantages of Secure Service Edge.

COVID and the work-from-home push accelerated many organizations' plans for digital transformation, but the rush to push applications and workloads to the cloud inadvertently created gaps. By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings onto a single platform, according to Jim Dolce, CEO and chairman of Lookout.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lookout: Getting It Right at the Secure Service Edge

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSA CONFERENCE 2022 – San Francisco – At the Moscone Center on Monday, RSA Conference program committee chair Hugh Thompson's happiness was palpable. He told a cute story about his kids learning to hack during the COVID-19 lockdown and exulted in holding the Innovation Sandbox competition in person.

"You will not be able to walk out of this place today without being so excited about the kinds of innovation that are happening in security today," Thompson said.

At the in-person 2022 Innovation Sandbox, representatives from 10 cybersecurity startups made their case for having the most innovative technology in the sector. Each finalist had three minutes to pitch their tech to a panel of experienced judges. The judges were Dorit Dor, chief product officer of Check Point Software; Paul Kocher, independent researcher and founder of Cryptography Research (who Thompson called the "Simon Cowell of the judging panel"); Niloo Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft.

Thompson brought Dor and Howe to the stage to discuss the judges' deliberations and announce the winner. He tried to gin up some good-natured drama by asking about altercations and pointing out the judges' lack of obvious injuries.

"There was a big dispute," Dor acknowledged, but Howe assured him, "We're not bloodied or bruised."

Both Howe and Dor had high praise for all 10 companies. "There are many good technologies out there, and it was not an easy selection," Dor said.

Added Howe: "There was conversation about every single company. The top 10 are really fantastic, solving really important problems."

First Thompson announced the top two: Talon Cyber Security and BastionZero. Ofer Ben Noon, co-founder and CEO of Talon, and Shannon Goldberg, CEO of BastionZero, shook hands with everyone. Goldberg even hugged Noon.

Dor called Talon's custom browser portal a "legit alternative that brings simplicity and manageability" for organizations with distributed workforces. Howe praised BastionZero for tackling the "really important problem of management of sessions connecting into the infrastructure."

But in the end, there could be only one winner — and it was Talon.

Here's how the presentations went down.

**The 10 Contestants**

The first contestant was Leonid Belkind, CTO of Torq, which Thompson described as "no-code automation for security teams." Belkind ran through his spiel in exactly three minutes "to the second," Thompson marveled.

The first judge question was from Kocher, who asked, "If someone isn't technical enough to write code, how are they going to understand what they're going to screw up with their automation?" Kramer asked about departments that don't want to collaborate with security teams, while Howe pointed out that in the crowded no-code sector, Torq would need to displace an existing contender.

Next up was Ben Noon, whose company's tagline is "solving security for hybrid work and unmanaged devices." He made a compelling case, saying, "Your browser is your front door," and it's been left open. The company built a secure corporate portal in Chromium with a user experience like Google Chrome and a backend that provides visibility and malware protection.

Then Sevco Security co-founder and CEO J.J. Guy presented for his company, "the starting point for all of your security activities." The company's tech aims to make a complete inventory of all devices connected to an organization to improve asset management.

The fourth contestant was Giora Engel, CEO and founder of Neosec, which is "reinventing API security by bringing XDR techniques and true behavioral analytics." His company addresses what he calls "the API blindspot" — B2B APIs, which are overlooked while people address B2C concerns.

Vladi Sandler represented Lightspin, which sells "graph-based cloud security built by and for cloud engineers." Refreshingly, the CEO mentioned 50% female representation on staff as a differentiating factor. Kocher tried to earn his Simon Cowell rep by saying, "So on Amazon's website I had to turn off One-Click ordering because I kept getting the wrong stuff. You claim on your website that in one click, you can remediate problems. Should I be scared by that?" Sandler rejoined that he trusts his team's skills, and Thompson gently ribbed Kocher about his Amazon problem afterward.

David McCaw co-founded Dasera, which is "helping cloud-first organizations operationalize data governance," according to its tagline. "We think DataGovOps is going to be the next revolution and finally solve the data challenges we've been facing for a long time," he asserted.

Cycode, which provides "complete software supply chain security," was represented by CEO and co-founder Lior Levy. Dor dropped a judge's question that brought laughs to the room: "How do you convince developers to fix their code?" Levy responded that his company helps developers implement bug fixes within their existing workflows and adds in automation "so they don't get frustrated."

"Bringing incident response into the cloud era" is Cado Security. CEO and co-founder James Campbell compared the manual process of investigating and responding to cloud incidents to the tedious procedure for creating a mix tape (Gen X represent).

"Is data collection happening before an attack or after an attack?" Kramer asked. "Is it part of the investigation, or is it part of the ongoing process?" The answer was that it depends on which services a customer uses.

Goldberg showed up to talk about her company BastionZero, which says it is "redefining zero trust for access to cloud infrastructure." Thompson asked Kocher, who co-created the SSL protocol, to ask a question. He obliged by asking whether organizations should use BastionZero or the strong encryption of a YubiKey to replace passwords.

Goldberg answered, "You should use us, for sure, absolutely," which again brought laughs, but she continued by saying that the separate authentication path could include things like YubiKeys.

Araali Networks, whose tagline was "surviving intrusions in cloud-native environments," closed out the contest with co-founder and CEO Abhishek Singh. The judges asked several technical questions about how the system handles various situations and configurations, which Singh handled ably.

"It works out of the box for Google, Amazon, and Azure," he assured Microsoft's Young. "Any system that works with Linux ... is ready to work with us."

**In-Person Do-Over for Apiiro**

    

Source: Screen-grab from RSA Conference

One of the most poignant moments came at the beginning of the show: Thompson brought up the winner of the 2021 Innovation Sandbox, which was held virtually, so that he could have his in-person moment of glory. Idan Plotnik, co-founder of Apiiro, shook Thompson's hand and told him his company had increased its revenue by 398% in the past year.

"Everything changed," Plotnik said.  

The 10 finalists, in alphabetical order, were:

1.  Araali Networks
2.  BastionZero
3.  Cado Security
4.  Cycode
5.  Dasera
6.  Lightspin
7.  Neosec
8.  Sevco Security
9.  Talon Cyber Security
10.  Torq

For more about each of these companies, read our contest preview.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

The new ransomware strain Black Basta is now actively targeting VMware ESXi servers in an ongoing campaign, encrypting files inside a targeted volumes folder.

The Black Basta ransomware emerged last month to target Windows-based systems only, but now the latest ransomware binary is going after VMware virtual machines (VMs). 

The latest variant looks to encrypt VMs present inside the volumes folder (/vmfs/volumes) on ESXi-based systems and servers, according to research shared with Dark Reading by Uptycs. It uses the ChaCha20 algorithm to encrypt the files, researchers say, and also multithreading for encryption to utilize multiple processors and make itself faster and harder to detect.

“Provided that the resources on the servers are much more than on a normal system, using these kinds of mechanisms makes the ransomware work much faster for encrypting files,” explains Uptycs security researcher Siddharth Sharma.

He tells Dark Reading that the attackers are constantly making advancements in the malware attack chain to target more and more victims – just like in this case, which the team could see by the addition of the "\*nix" component inside the binary.

“Most of the organizations that have private clouds based on VMware ESXi hosts, or organizations that use ESXi hosts to store data and other operational work, it becomes important to keep a close eye and monitoring mechanisms on sensitive folders \[and data\] present inside the systems and servers,” he said.

During Uptycs’ investigation and analysis of the ransomware binary, it found evidence indicating that the actors behind this campaign are the same ones behind early Black Basta campaigns.

“We found the onion link for the attacker's chat panel was the same as previous versions of the Black Basta ransomware binaries, which targeted Windows systems,” Sharma said.

Along with that, the extension used by the ransomware binary on encrypted files was the same as previous versions (.basta).

The Uptycs finding follows research by the NCC Group, which Tuesday uncovered a new partnership between Black Basta and the Qbot (aka Qakbot) malware family, which steals bank credentials, Windows domain credentials, and delivers malware onto infected systems.

During a recent incident response, the Black Basta gang was observed using Qbot to spread laterally throughout the network.

“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network," the report stated.

Other hallmarks of the campaign included:  

*   Gathering internal IP addresses of all hosts on the network.
*   Disabling Windows Defender.
*   Deleting Veeam backups from Hyper-V servers.
*   Use of WMI to push out the ransomware.

YouAttest CEO Garret Grajek tells Dark Reading that the key takeaway from this advisory is the collaboration and integration of hacking components and groups.

“One group discovers the vulnerability, another creates the exploit, and yet another mans the C2 \[command and control\] center to receive the communication from the infected host,” Grajek says. “The seriousness and efficiency of the collaboration cannot be underestimated.”

He advises enterprises to implement concepts like zero trust and stringent identity governance to know what permissions they have granted to all accounts -- and to watch for any changes.

Black Basta Ransomware Targets ESXi Servers in Active Campaign

Physical access matters in keeping people and buildings safe. Points to consider when establishing a physical security protocol are ways to lock down an area to keep people safe, approaches to communicate clear safety directions, and access control.

As organizations around the world fortify their systems against the threat of cyberattacks, it’s imperative businesses and cities don't neglect the potential harm from a physical threat. Recent attacks in Sacramento and Brooklyn are horrific examples of the threats that can impact cities without warning.

Attacks that occur in broad daylight and outdoors are difficult to protect against, especially in the immediate surrounding areas. How and when should nearby buildings lock themselves down and maintain access control? What protocols should businesses have in place for when sudden violence arises?

While every building and business will vary in its risk tolerance and security needs, there are several best practices that all should consider when establishing a physical security protocol.

**Understand the Immediate Priorities During Attack**

In a situation of sudden violence, the first priority of any building or business in the surrounding area must be to lockdown its premises to keep employees, guests, and customers safe. In any zones in which the threat is unknown or unidentified, locking down is the safest immediate response. Secondly, communicate clear directions to those in your building or campus, especially if it is sprawling. For example, hospitals and college campuses are large areas where it can be difficult to communicate to everyone at once – having an emergency communications mechanism in place such as mass texts or mobile alerts systems alleviate any confusion.

The third and final priority is access control. Credentialed access in secure areas is critical in times of unexpected violence, when tensions run high and focus is diffused, creating extra security vulnerabilities. Local safety/lockout capabilities can be implemented in many forms, from PIN codes that initiate certain levels of threat protection to duress buttons and duress digits allowing for more specific annunciation of problems, communication, protection, and ultimately escape to safety, which are the goals of a threat-protected environment. At their core, each tactic must be part of a plan for easing the minds of your stakeholders and maintaining secure protocol.

**Recognize Your Business's Specific Threat Levels**

No building or business is built the same. Federal buildings, for example, are more likely to fortify using armed security guards, bulletproof glass, and duress buttons (or panic buttons), while commercial buildings are more likely to invest in high-tech systems such as video analytics and to regularly update access-control protocols.

Threat levels and their applicable security response are solely at the discretion of the businesses developing them; what might be mundane for one business, such as a crowd forming outside a building, might spike a security response for another if it is in a higher-risk industry or area. Organizations _must_ understand what constitutes a deployment action at each threat level and assess a risk as accurately as possible. Gradually ramp up threat levels as a situation develops to maintain order and peace of mind for stakeholders.

**Familiarize Yourself With the Tech Options at Hand**

An ideal security system has integrated access control, video intelligence, and audio interaction — the analytics these technologies provide can help inform your access-control response to understand real, verified threats.

A threat should be able to be identified visually and audibly, making audio information available to tell people in the locked-down locations what is happening and what they should do. Areas remote from the threat should be identified and those people in the safe zone told how and where it is safe for them to evacuate to, avoiding the danger zone. With video intelligence well-integrated with access-control measures, areas can be locked and unlocked as the threat moves, protecting people at risk while identifying the suspect, and allowing escape for every person who's not in the danger area. Ideally an active, intelligent, access-control system can even help with the apprehension of violent actors by locking them into an empty zone, if the opportunity presents itself.

**Key Takeaways**

To prepare for future instances of unexpected violence, business leaders should work with their CSOs, IT managers, and facilities managers to assess vulnerabilities in access control and brainstorm the best way to make sure only the most essential people are entering (or leaving) your premises.

Decentralize your access control and use a combination of physical and digital methods. Do not allow for one point of access that could be easily compromised (such as a central server), instead consider cloud-based options that provide backups from anywhere, and make sure your access-control system can be locked and unlocked remotely and in zones.

Physically, you should be establishing individual tokens and identities for your employees to ensure that the person gaining access to your building is really them. A card reader is great, but anyone who has that card can enter the building unless they are verified against an established identity. 

It's time to move from a reactive physical security stance to one that looks at existing operations and incorporates newer digital methods of monitoring and managing physical security threats.

How Do We Secure Our Cities From Attack?

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

RSA CONFERENCE 2022 — Even the most future-facing panels at the 2022 RSA Conference in San Francisco are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said moderator Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where-all we were using \[DES\], and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

**A Brief Explanation of Quantum Computing**

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel. He explained, "For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well. There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve very efficiently."

These problems that quantum computers handle better than conventional computers are called np-hard problems. "A lot of cryptography, specifically in asymmetric cryptography, relies on these np-hard type problems — things like elliptic curve cryptography; the RSA algorithm, famously — and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet. Toohey said, "To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1-10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits. Today, right now, the largest quantum computers are somewhere around 120 physical qubits." He estimated that to even muster the first logical qubit will take three years, and from there, it's got to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another of the technical challenges that needs solving before we get these powerful quantum computers is the cooling systems they require. As Toohey said, "Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures. So because of that, quantum computing architecture is incredibly expensive right now." Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are 8-10 years away. But that doesn't mean we have a decade to address PQC.

**Now Is the Time**

The panel was named for the journalistic model of five questions that start with w, but that didn't come up until late in the audience Q&A portion. Miller said, "Sam was asking the what, the who, the why, the where, and the when. So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: now. Miller said, "You've gotta start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along."

Phillips concurred, saying "There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work there to move it forward because people recognize the benefits that are there, and we are recognizing the risk. We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning your preparations with a crypto inventory — again, _now_. "Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

"What we're trying to do right now is drive ourselves toward a goal: five years" until Wells Fargo is ready to run post-quantum cryptography, Miller said. "The key is: large company, five years, is a very aggressive goal. So, the time to start is now, and that's one of the most important takeaways from this get-together."

**Crypto Agility Gets You to Quantum Resilience**

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next. "The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toomey agreed on the importance of agility. He said, "Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition. We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it. Phillips said, "Don't just focus on the algorithms. Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

**You've Got to Have Standards**

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer is: not yet.

The lack of certainty is no cause for inaction, Miller said. "So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there. Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner without disrupting business or breaking your business processes and be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play. Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing _now_: "That way, when NIST finally finish publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it."

He added, "That's going back to crypto agility, and this mindset that we need to be able to plug and play, we need to be able to pivot as an industry very quickly to new and developing threats."

Now Is the Time to Plan for Post-Quantum Cryptography

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

Source

DARKReading