Physical access matters in keeping people and buildings safe. Points to consider when establishing a physical security protocol are ways to lock down an area to keep people safe, approaches to communicate clear safety directions, and access control.

As organizations around the world fortify their systems against the threat of cyberattacks, it’s imperative businesses and cities don't neglect the potential harm from a physical threat. Recent attacks in Sacramento and Brooklyn are horrific examples of the threats that can impact cities without warning.

Attacks that occur in broad daylight and outdoors are difficult to protect against, especially in the immediate surrounding areas. How and when should nearby buildings lock themselves down and maintain access control? What protocols should businesses have in place for when sudden violence arises?

While every building and business will vary in its risk tolerance and security needs, there are several best practices that all should consider when establishing a physical security protocol.

**Understand the Immediate Priorities During Attack**

In a situation of sudden violence, the first priority of any building or business in the surrounding area must be to lockdown its premises to keep employees, guests, and customers safe. In any zones in which the threat is unknown or unidentified, locking down is the safest immediate response. Secondly, communicate clear directions to those in your building or campus, especially if it is sprawling. For example, hospitals and college campuses are large areas where it can be difficult to communicate to everyone at once – having an emergency communications mechanism in place such as mass texts or mobile alerts systems alleviate any confusion.

The third and final priority is access control. Credentialed access in secure areas is critical in times of unexpected violence, when tensions run high and focus is diffused, creating extra security vulnerabilities. Local safety/lockout capabilities can be implemented in many forms, from PIN codes that initiate certain levels of threat protection to duress buttons and duress digits allowing for more specific annunciation of problems, communication, protection, and ultimately escape to safety, which are the goals of a threat-protected environment. At their core, each tactic must be part of a plan for easing the minds of your stakeholders and maintaining secure protocol.

**Recognize Your Business's Specific Threat Levels**

No building or business is built the same. Federal buildings, for example, are more likely to fortify using armed security guards, bulletproof glass, and duress buttons (or panic buttons), while commercial buildings are more likely to invest in high-tech systems such as video analytics and to regularly update access-control protocols.

Threat levels and their applicable security response are solely at the discretion of the businesses developing them; what might be mundane for one business, such as a crowd forming outside a building, might spike a security response for another if it is in a higher-risk industry or area. Organizations _must_ understand what constitutes a deployment action at each threat level and assess a risk as accurately as possible. Gradually ramp up threat levels as a situation develops to maintain order and peace of mind for stakeholders.

**Familiarize Yourself With the Tech Options at Hand**

An ideal security system has integrated access control, video intelligence, and audio interaction — the analytics these technologies provide can help inform your access-control response to understand real, verified threats.

A threat should be able to be identified visually and audibly, making audio information available to tell people in the locked-down locations what is happening and what they should do. Areas remote from the threat should be identified and those people in the safe zone told how and where it is safe for them to evacuate to, avoiding the danger zone. With video intelligence well-integrated with access-control measures, areas can be locked and unlocked as the threat moves, protecting people at risk while identifying the suspect, and allowing escape for every person who's not in the danger area. Ideally an active, intelligent, access-control system can even help with the apprehension of violent actors by locking them into an empty zone, if the opportunity presents itself.

**Key Takeaways**

To prepare for future instances of unexpected violence, business leaders should work with their CSOs, IT managers, and facilities managers to assess vulnerabilities in access control and brainstorm the best way to make sure only the most essential people are entering (or leaving) your premises.

Decentralize your access control and use a combination of physical and digital methods. Do not allow for one point of access that could be easily compromised (such as a central server), instead consider cloud-based options that provide backups from anywhere, and make sure your access-control system can be locked and unlocked remotely and in zones.

Physically, you should be establishing individual tokens and identities for your employees to ensure that the person gaining access to your building is really them. A card reader is great, but anyone who has that card can enter the building unless they are verified against an established identity. 

It's time to move from a reactive physical security stance to one that looks at existing operations and incorporates newer digital methods of monitoring and managing physical security threats.

How Do We Secure Our Cities From Attack?

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

RSA CONFERENCE 2022 — Even the most future-facing panels at the 2022 RSA Conference in San Francisco are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said moderator Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where-all we were using \[DES\], and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

**A Brief Explanation of Quantum Computing**

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel. He explained, "For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well. There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve very efficiently."

These problems that quantum computers handle better than conventional computers are called np-hard problems. "A lot of cryptography, specifically in asymmetric cryptography, relies on these np-hard type problems — things like elliptic curve cryptography; the RSA algorithm, famously — and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet. Toohey said, "To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1-10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits. Today, right now, the largest quantum computers are somewhere around 120 physical qubits." He estimated that to even muster the first logical qubit will take three years, and from there, it's got to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another of the technical challenges that needs solving before we get these powerful quantum computers is the cooling systems they require. As Toohey said, "Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures. So because of that, quantum computing architecture is incredibly expensive right now." Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are 8-10 years away. But that doesn't mean we have a decade to address PQC.

**Now Is the Time**

The panel was named for the journalistic model of five questions that start with w, but that didn't come up until late in the audience Q&A portion. Miller said, "Sam was asking the what, the who, the why, the where, and the when. So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: now. Miller said, "You've gotta start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along."

Phillips concurred, saying "There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work there to move it forward because people recognize the benefits that are there, and we are recognizing the risk. We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning your preparations with a crypto inventory — again, _now_. "Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

"What we're trying to do right now is drive ourselves toward a goal: five years" until Wells Fargo is ready to run post-quantum cryptography, Miller said. "The key is: large company, five years, is a very aggressive goal. So, the time to start is now, and that's one of the most important takeaways from this get-together."

**Crypto Agility Gets You to Quantum Resilience**

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next. "The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toomey agreed on the importance of agility. He said, "Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition. We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it. Phillips said, "Don't just focus on the algorithms. Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

**You've Got to Have Standards**

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer is: not yet.

The lack of certainty is no cause for inaction, Miller said. "So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there. Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner without disrupting business or breaking your business processes and be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play. Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing _now_: "That way, when NIST finally finish publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it."

He added, "That's going back to crypto agility, and this mindset that we need to be able to plug and play, we need to be able to pivot as an industry very quickly to new and developing threats."

Now Is the Time to Plan for Post-Quantum Cryptography

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

An Emerging Threat: Attacking 5G Via Network Slices

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

A full 77% of tech executives say they'll increase spending in zero-trust architecture in the coming year.

Executive leaders across organizations are prioritizing zero-trust security strategies in the next year, as organizations hope to build significantly on early baby steps in these initiatives.

According to a new survey out from the Cloud Security Alliance (CSA), 80% of CxO technology leaders report that zero trust is a significant priority for their organizations, with 77% of executives saying that they'll increase spending to support this prioritization.

The added zero-trust funding will be significant at many organizations, with more than two in five executives reporting an increase of 26% or more.

"With the advancement of digital transformation, the shift of the workforce during the pandemic, and the announcement of the US executive order on cybersecurity, zero trust has taken a front seat as a promise for protecting enterprises," says the report, which details results from a survey of more than 800 IT and security professional worldwide, including responses broken out from more than 200 C-level executives.

The study shows that zero-trust strategies are still a relatively a new cybersecurity roadmap for most organizations, with 53% of organizations saying their initial implementations of zero-trust strategies were put underway fewer than two years ago. The standards they're using to guide strategic planning are all over the map, with a fairly even distribution across CISA, Forrester ZTX, IEEE, NIST, and CSA standards. The front-runner by a plurality was the CISA standard, with 33% of organizations reporting they use it to guide their zero-trust strategy.

Zero trust is an evolving model of security developed to tie together many long-running security concepts of least privilege, conditional access based on risk factors, and segmentation — not only at network levels, but also down to the application and workload level. At its heart, the core concept is eliminating the implicit trust on the network that IT has long afforded users and devices once they log in with their password.

The goal is to replace that with a more adaptive and continuously assessed mode of granting access that provides limited access and bases it not just on identity, but also on operational and threat context. Executing on this takes a lot of moving parts, including strong identity and access management (IAM), effective network policy enforcement, strong data security, and effective security analytics. Many of these are areas that organizations have already put significant cybersecurity investment into in the past — it's just a matter of integrating and creating a more effective architecture to utilize these investments.

Given that, it's not a surprise that in spite of many organizations saying it's only been a year or two since they started on their zero-trust journey, respondents to this survey reported that they were slightly to moderately mature in core zero-trust areas like endpoint/device maturity, application security, IAM, data-flow management, network-security management, and user behavior and asset management.

Fundamental policy, architectural, and integration work separates the pretenders from the contenders when it comes to executing a zero-trust strategy. According to Eric Bednash, CEO of RackTop systems and a longtime security and tech practitioner in the defense and financial worlds, organizations have to start their zero-trust journey by understanding how IT and security stacks all tie together.

"It's about starting with a strong view of your overall architecture and business processes, and understanding how it all ties together. It goes beyond any single element. It's important to remember that zero trust is not a thing, it's a prescribed way of being," he says. "It's a guideline for how everything should interoperate. It's not like, 'This is a zero-trust thing and this is not a zero-trust thing.' It's a methodology. There are no shortcuts, which is why it's so hard to implement."

Doing it right requires a lot of executive buy-in, adequate expertise and staffing, and smart change management. According to the CSA survey, 40% of organizations reported a lack of knowledge and expertise, 34% said they didn't have internal alignment or buy-in, and 23% said a resistance to change was blocking the way.

In many ways, getting through these business and process barriers will require both diplomatic and disciplined communication, experts say.

"To effectively manage the change, you need to telegraph your moves and implement small changes gradually. You may know where you want to go, you may even have contracts signed for your cyber solutions, but you can't implement everything at once. It will be too unsettling," says Amit Bareket, CEO and co-founder of Perimeter 81. "The art of change management is knowing how much to implement — so don't change too much at once, yet don't drag out the process indefinitely."

How the C-Suite Puts Shoulders Into Zero Trust in 2022

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

RSA CONFERENCE 2022 – San Francisco – A catastrophic pandemic, an escalating war in Eastern Europe, and the Colonial Pipeline ransomware shutdown are all in their own ways recent seismic disruptions that forced external change on the cybersecurity sector. 

That was the word from RSA CEO Rohit Ghal, who used the opening keynote of this year's RSA Conference to encourage cybersecurity leadership to embrace intentional transformation – with the goal of coming out on the other side of these cascading disruptions stronger and better than ever.  

"Transforming security will require us to reorient our thinking," Ghal said. 

To accomplish that goal, he shared three core ideas he thinks will help set the information-security community on a path that will enable it to use recent events to crystalize and transform into something better. 

**1\. Rethinking Identity **

First, Ghal suggested that a focus on user identities is the future, and figuring out how to center access on identity without traditional access mechanisms (i.e., passwords) is the way forward.

"Identity is the one constant in cybersecurity," he said. "It's time to hold a requiem for passwords." 

Ghal called for the industry to focus on creating a single, decentralized, infrastructure-agnostic platform that puts control back in the hands of users. 

**2\. Truth Matters **

Next, Ghal said that protecting the veracity of information is going to be a key role for cybersecurity in the coming years. Fake news and misinformation have emerged as powerful weapons to bring down institutions and more.

"What matters most is the truth, the veracity of information," he said. "Hacked brains are way more dangerous than hacked systems." 

Ghal added that a disciplined application of technology is the solution to weeding out bad information, and the only real way to verify whether information is true is to authenticate its creator . 

**3\. Convenience Shouldn't Win **

When it comes to the well-worn debate over whether security is too onerous for users to adopt, Ghal called on the industry to ditch its old "dogmas."

"We need to stop sacrificing security at the altar of convenience," he said.

The answer, Ghal said, will lie with innovators, who have the "most important role." 

"Innovation grows the pie and delivers new benefits," he said. 

The sector shouldn't wait for a comparable "cybersecurity pandemic" to force change, Ghal added.   

"Transforming security will require us to reorient our thinking," he said.

RSAC Opens With Message of Transformation

Enterprise cybersecurity awareness training has evolved to include informal lessons for employees' family members, and it has many benefits.

When I’ve talked to cybersecurity awareness training vendors about changes brought on by the pandemic — and further changes brought on by its reduction and end — I've been surprised by how few changes they've discussed.

One change, though, has been talked about by many of the players in the market, and it's one that I didn't anticipate: There's been a change in who they've been asked to train.

As employees flowed out of offices and into work-from-home (WFH) situations, cybersecurity professionals quickly realized that home networks and everyone who used them were suddenly part of the corporate infrastructure. If little Johnny visits the wrong website or grandma clicks on a phishing email, the ramifications could not only harm the household but also the companies of those WFH users.

Different organizations tried different ways to keep the ongoing WFH security risk from becoming a massive security disaster, and many of those ways involved training the employees' family members to be more responsible, security-aware computer users.

For vendors providing cybersecurity awareness training, this new training tended to require teaching those who might not have had previous awareness training the basics of phishing behaviors, malicious links on websites, ransomware, and even mobile threats like smishing and vishing. Omdia's research on how these efforts have affected enterprise security is ongoing, but we have not seen massive increases in corporate security failures over the last two years, so they certainly couldn't have hurt.

**What Are the Benefits of Cybersecurity Awareness Training?**

Beyond the benign impact, there are important long-term benefits to cybersecurity awareness training that extend to employees' family members. The benefits fall, broadly, into short-term and long-term groups.

In the short term, it's unlikely that businesses are going to go back to the simple "everyone comes to the office everyday" model that existed three years ago. More employees will be doing more work at home, at least some of the time, so the home network must now be considered part of the enterprise infrastructure from a cybersecurity standpoint.

While some organizations are installing company-controlled home routers and firewalls on employee networks, those devices aren't magic bullets; there are plenty of cybersecurity threats they won't stop. The users who share physical (and network) space with the employee can have an impact on enterprise security, so those users should receive at least some cybersecurity awareness training.

Once trained, family members will not only be less likely to fall victim to cyberattacks, but they can also become valuable early warning sensors for malicious campaigns. In addition, family members might well become important behavior-reinforcing agents for good cybersecurity hygiene for the employee. Every parent knows that there's often nothing that a little child treasures more than the opportunity to point out poor behavior on the parent's part.

Over the long term, it is unquestionably true that no organization lives as a cybersecurity island. Each is part of a global community of email, messaging, and Internet users. Making the community safer overall makes the individual organization safer by association. As the cyber hygiene of the total community improves, the risk posture of the individual organization cannot help but improve.

In addition, the family members of today are the potential employees of tomorrow. Imagine how much more effective your cybersecurity awareness training could be if employees came to the table with a better baseline understanding of risks and responses.

It is true that there is no guideline or regulation that states a company's cybersecurity program must include teaching good cyber hygiene to employees' family members. However, in the shifting business understanding of 2022, teaching those family members about cybersecurity could be an investment that pays off for years to come.

Enterprise Security Around the Dinner Table

By using artificial intelligence to predict how an attacker would carry out their attack, we can deploy defenses and preemptively shut down vulnerable entry points.

Security teams can't protect what they don't know about. But it is not enough to just understand what they have within their organizations' environment. Defenders also need to put themselves in an adversary's shoes to understand which systems are likely to be targeted and how the attack would be carried out. Technologies such as attack surface management and attack path modeling make it possible for security teams to gain visibility into which assets adversaries can see and how they might gain access.

With attack surface management, organizations are continuously discovering, classifying, and monitoring the IT infrastructure. Unlike asset management, which looks for everything the organization has, attack surface management looks at the IT infrastructure from outside of the organization to determine what is exposed and accessible. Since new assets are always being created and cloud infrastructure can be spun up dynamically, this inventory needs to be updated continuously or the organization will have gaps in its knowledge of all the potential entry points, says Pieter Jansen, CEO of Cybersprint, which was acquired by Darktrace in February for $52.3 million (€47.5 million).

Cybersprint's attack surface management platform gives customers their own "hacker's lens" that they can use to determine where an attacker could strike next, Jansen says. Attack surface management goes beyond tracking Internet-accessible systems by considering how the assets are configured, what security controls are in place, and how the various tools and devices are connected.

Someone creating new infrastructure components within the DevOps environment may think they are working within the test environment, but an attacker doesn't care whether it is in testing or production. "It's an ideal way of getting in \[to the organization's environment\] early and to move to production systems," Jansen says.

Darktrace acquired Cybersprint for its external view of the organization's environment, says Jack Stockdale, CTO of Darktrace. Darktrace's artificial intelligence (AI) technology develops a comprehensive view of the organization's infrastructure, but it is an internal view, he says. Darktrace can see what the organization has within the IT environment — the network, email, cloud assets, and endpoints — as well as OT. Bringing Cybersprint's external view into Darktrace's platform makes it possible to find more threats earlier.

"It's essential to put all those different areas into one platform" instead of maintaining individual silos of information, Stockdale says. "Trying to infer what's happening and stop attacks by looking at individual silos — we truly believe that is not the way to go."

**A Shift to Proactive AI**

Up until now, Darktrace's self-learning AI technology has focused on detection and response, which means it is reactive, Stockdale notes. "Essentially, \[the AI\] sits there and waits for a problem," he says. Teaching the AI about the attacker shifts the balance, since the AI now doesn't have to wait for an attack to do something about the organization's security.

This is where attack path modeling comes in.

Security teams are beginning to think about attack path analysis. For the past few years, Verizon's "Data Breach Investigations Report" (DBIR) has devoted a section to analyzing attack paths. Understanding the paths adversaries are likely to take helps security teams identify places they can add more controls or tools to stop the attack.

"Our job as defenders is to lengthen that attack path. Attackers tend to avoid longer attack chains because every additional step is a chance for the defender to prevent, detect, respond to, and recover from the breach," Verizon's researchers wrote.

Attack path modeling uses the existing view of the environment to determine the most likely and most effective paths attackers would take through the organization, Stockdale says. After identifying the key assets and people, as well as the organization's crown jewels, it is possible to use both the internal and external views to identify the likely path the attacker would follow to reach the crown jewels. After analyzing the path, it is possible to run a simulation to see what would happen in the case of an incident.

"What happens if ransomware was detected on a particular laptop or a particular type of compromise started in a particular environment? How will the attacker most likely move through \[the\] organization to cause the damage or to reach the crown jewels or to sell information?" he asks.

Attack path modeling is more than a red team exercise of a penetration test, Jansen notes, because it allows security teams to identify the most likely steps an attacker would take in order to compromise the organization. AI shines here because it is capable of going down every path and seeing every permutation of possible attacker scenarios. Human teams, in contrast, would be able to run only a limited number of exercises.

Once they can see all the potential entry points, security teams can start testing defenses along those particular paths and determine whether additional resources are necessary. Perhaps they discover four or five most likely routes an attacker could take from a compromised email account or system login. At this point, the team can deploy additional controls or defenses to make those paths unfeasible for the attacker.

**Adding 'Prevent' to the Cybersecurity Loop**

Darktrace's Cyber AI Research Centre has been working on ways to apply AI to attack path modeling for almost two years, Stockdale says. The research is now being incorporated into Darktrace's new product family, Darktrace Prevent, which will be generally available by the summer.

"We're now taking \[attack path modeling\] out of the research center and building it into our next set of products that will go to our customers," he says. Several customers in the early adopter program already have the new technology in their production environments.

Darktrace views security as a continuous loop where the AI learns about the organization, identifies potential attack paths, and feeds those outcomes to detect and respond to harden the environment, Stockdale says. Eventually, the plan is for AI to learn to heal from the damage caused by attacks, as well.

"When we talk to our customers, we tend to look at the areas where human beings are doing lots of repetitive work, or challenging work, that we think AI is a perfect fit for," Stockdale says. There are areas where AI can help make these teams more efficient or allow companies that don't have the resources to hire human teams to add security capabilities.

"Our vision moving forward is to be much more proactive," Stockdale says.

Harnessing AI to Proactively Thwart Threats

Brands should be vigilant to ensure sites and listings promoting NFTs for sale are legitimate and not being used as an instrument by fraudsters to swindle customers.

Brands should be vigilant to ensure sites and listings promoting NFTs for sale are legitimate and not being used as an instrument by fraudsters to swindle customers.

Source: Cor Laffra via Alamy Stock Photo

Life seems to move exponentially faster with each passing month. And while many recent innovations serve to illustrate that point, few match the nonfungible token (NFT) for the breathtaking speed with which it went mainstream. 

The global market for NFTs has grown to over $40 billion in 2021 and attracted stars like Tom Brady and big brands like Coca-Cola and Nike. Meanwhile, many consumers are still trying to figure out what NFTs are and why they even exist.

Cybersecurity always lags behind the digital innovations it's designed to protect – and therein lies the problem. The faster technology innovation becomes, the bigger the window of opportunity for cybercriminals to swoop in and exploit the vulnerabilities. Brands are destroyed, CEOs fired, customer identities swiped and sold on the Dark Web, bank accounts raided, and credit destroyed. With NFTs, we're in that window now and we're seeing seven primary ways that cybercriminals are exploiting the situation.

1.  **Celebrity/brand impersonation:** A scammer sets up a social media group or website using the name of a brand or celebrity. They then sell fake or nonexistent NFTs to people or use a fake NFT as a lure to swipe someone’s credentials.
2.  **Counterfeit NFTs:** Just like counterfeit currencies, a brand's NFTs can be reproduced without its knowledge or consent and then traded online. In some cases, artists and brands have discovered thousands of fake reproductions of their property in online marketplaces. Some marketplaces have developed tools to spot fakes, but it’s still a tangled mess of copyright issues given all the visuals, music, and logos involved.
3.  **Unprotected marketplaces**: Putting aside the irony of relying on centralized players like marketplaces to execute decentralized transactions, these third parties can also introduce significant risk. In the short span that NFTs have existed, more than 200 marketplaces have sprung up, and many lack the security needed to handle the impressive ingenuity of the attackers. In one scam, attackers targeted NFT marketplace users lacking two-factor authentication and used smart contracts to transfer ownership to their accounts.
4.  **Fake platforms:** There are so many NFT marketplaces that it’s relatively easy for cybercriminals to build new ones, hide in plain sight, and sell fake NFTs. Another tactic in this category is to create identical replicas of existing NFT marketplaces and use social media or email to lure people in.
5.  **Untraceable payments:** Because of the nature of cryptocurrencies, payments are very difficult to follow. The problem with untraceable transactions, in addition to circumventing taxes, is that they can be used for illegal activities – a vulnerability that cybercriminals exploit. By the time a company, artist, or celebrity realizes that something is amiss, the money is safely in the cybercriminal's bank account. It’s nearly impossible to trace and even harder to reverse.
6.  **Cryptocurrency scams:** Cryptocurrency, predominantly Ethereum, is the key payment method used in NFT transactions, and cryptocurrency scams are incredibly common. This is especially the case around highly anticipated NFT releases that generate a lot of buzz. In the inevitable buying frenzy, scammers create scam-minting sites that request users' private wallet keys. When customers, often the most fervently loyal and valuable, fall victim to these scams, they may sour on the brand.
7.  **Text or email scams:** A cybercriminal sends a malicious email notifying a person of "suspicious behavior" on one of their accounts. As that person logs in and enters their credentials, they are asked for their private wallet keys or 12-word security seed phrases. The scammers then use those credentials to hack into the user’s digital wallet and deplete all of the crypto and NFTs stored therein.

**How Should Companies View NFTs Today?**

NFTs represent a great opportunity for brands to build lasting loyalty with their customers. Some experts even predict they will become the central digital touchpoint between brands and their consumers. The possibilities are exciting and perhaps by then, NFTs will be mostly safe. But in this chaotic, early window where vulnerabilities are everywhere, they do pose serious risks.  

Companies, as well as executives, would be wise to allocate resources to monitoring and mitigating these types of threats. Employees that handle digital assets should also be trained on how to avoid phishing attacks that target them specifically.

Someday, it will be safer to play with NFTs, but until then, we're living in the Wild West. Brands should be vigilant to ensure sites and listings promoting NFTs for sale are legitimate and not being used as an instrument by fraudsters to swindle customers out of money.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading