Using a custom encryption scheme within music notation, Merryl Goldberg and three other US musicians slipped information to Soviet performers and activists known as the Phantom Orchestra.

In 1985, saxophonist Merryl Goldberg found herself on a plane to Moscow with three fellow musicians from the Boston Klezmer Conservatory Band. She had carefully packed sheet music, reeds, and other woodwind supplies, along with a soprano saxophone, to bring into the USSR. But one of her spiral-bound notebooks, lined with staves for hand-notating music, contained hidden information.

Courtesy of Merryl Goldberg

Courtesy of Merryl Goldberg

Using a code she had developed herself, Goldberg had obscured names, addresses, and other details the group would need for their trip in handwritten compositions that looked, to an untrained eye, like the real melodies she’d written on other pages of the book. Goldberg and her colleagues didn’t want to give Soviet officials details of who they planned to see and what they planned to do on their trip. They were going to meet the Phantom Orchestra.

The group was a dissident ensemble that Goldberg describes as an amalgamation of Jewish refuseniks (Jews who were barred from emigrating out of the USSR), Christian activists, and Helsinki monitors—watchdogs who tracked Soviet compliance with the 1975 Helsinki Accords. The Americans’ trip was funded and coordinated by the nonprofit Action for Soviet Jewry (now Action for Post-Soviet Jewry), which works on humanitarian relief in the former Soviet Union and was focused on helping Soviet Jews emigrate to Israel and the United States. 

The trip was a rare and special opportunity for American and Soviet players to meet in the USSR and make music together. It was also an opportunity for the American musicians to smuggle information about aid efforts and plans to the Phantom Orchestra, and for the ensemble to send updates out, including details about individuals looking to escape the Soviet Union.

Courtesy of Merryl Goldberg

Goldberg and her colleagues, all of whom are Jewish, traveled to Moscow separately in two pairs to make it less likely that they would arouse suspicion as a group. They had received training on how to react to questioning and been told to expect surveillance, even run-ins with Soviet officials, throughout their trip. But first Goldberg needed to get her notebook past border control. 

“When we arrived, we were immediately pulled aside, and they went through everything in our luggage, to the point of unwrapping Tampax. It was crazy,” says Goldberg, who is presenting about the experience and her musical code at the RSA security conference in San Francisco today. “With my music, they opened it up and there were some real tunes in there. If you’re not a musician, you wouldn’t know what’s what. They went page by page through everything—and then they handed it back.”

Goldberg says that while the code worked and Soviet officials didn’t confiscate their music, they did interrogate all four travelers about what they planned to do while in the USSR. “We were brought into a room with a big burly guy who banged on the table and yelled at us,” remembers Goldberg, now a music education professor at California State University, San Marcos.

Musical note names span the letters A to G, so they don’t provide a full alphabet of options on their own. To create the code, Goldberg assigned letters of the alphabet to notes in the chromatic scale, a 12-tone scale that includes semi-tones (sharps and flats) to expand the possibilities. In some examples, Goldberg wrote only in one musical range, known as treble clef. In others, she expanded the register to be able to encode more letters and added a bass clef to extend the range of the musical scale. These details and variations also added verisimilitude to her encoded music. 

For numbers, Goldberg would simply write them between the staves, where sometimes you might see chord symbols. She also added other characteristics of composition, like rhythms (half notes, quarter notes, eighth notes, whole notes), key signatures, tempo markings, and articulation indicators like slurs and ties. Most of these were there to make the music look more legitimate, but some doubled as coded supplements to the letters hidden in the music notes. She even occasionally drew tiny diagrams that could be mistaken for charts to remind herself of where a meeting place was located or how to deliver something. 

While someone could technically have played the code as music, it would have sounded less like a tune and more like a cat walking across piano keys.

“I picked a note to start, and then I created the alphabet from there. Once you know it, it ends up being pretty easy to write things. I taught my friends on the trip the code, too,” Goldberg says. “We used it in order to take in people’s addresses and other information we would need to find them. And we coded things while we were there so we would be able to take out some information about people and their efforts to emigrate, as well as details we hoped could help other people ask to leave.”

The US musicians got their bearings in Moscow before heading to Tbilisi, the capital of Georgia. There and on their next stop in Yerevan, the capital of Armenia, they successfully met members of the Phantom Orchestra, many of whom spoke some English, and spent time getting to know each other, playing music together, and even staging small, impromptu concerts.

During eight days of travel, the musicians were tailed constantly by Soviet agents and were repeatedly stopped for questioning. Goldberg says that members of the Phantom Orchestra, all of whom faced similar treatment in their daily lives, gave her and her colleagues advice and encouragement. When the Americans would express concerns that their presence was endangering the activists, Goldberg says the Phantom Orchestra members were resolute about the importance of spending time together. She adds, though, that some of the activists were later arrested and even beaten, because of the interactions.

“On the second night, we were playing together and the KGB came in and everything got shut down. The electricity was turned off; it was a scary situation,” Goldberg says. “And yet, when we’re playing music no one can take away that sense of freedom and empowerment. Playing together and communicating with people through music is like nothing else. I was amazed by the strength it brought the people there. Music can be very comforting, but it also conveys a sense of feeling powerful.”

After their time in Yerevan, the American musicians had planned to go to Riga, the capital of Latvia, and then to Leningrad, now St. Petersburg in Russia. Finally, they were set to stop in Paris before returning to the United States. Instead, they were stopped and questioned again. The musicians were supposed to be placed under house arrest in Yerevan, but Goldberg says that Armenian officials bristled at the KGB intrusion and let them continue their trip. Eventually, though, the musicians were picked up and escorted back to Moscow, where Soviet agents confiscated their passports. Goldberg says the group was driven around Moscow for several hours, perhaps as a scare tactic, before finally being allowed to stay together in a dormitory room guarded by young Soviet men with machine guns.

Courtesy of Merryl Goldberg

“At that point, you’re thinking they’re going to take us to Siberia or something,” she says. “We were super freaked out. So we kept playing music for each other that night. And we played a beloved Russian folk tune, but out of tune, to annoy the young soldier outside our door. It gave us a sense of humor and empowerment.”

Finally, officials said the group would be deported to Sweden. They were heavily guarded and brought to a plane that had come from Sweden and was going to return without passengers. While officials searched their possessions again before letting them on the plane, no one ever flagged the sheet music. Goldberg points out that she even got the film from her camera back, perhaps thanks to a sympathizer.

“They were given no reason for their expulsion, and US officials are still waiting for information from the Soviet Foreign Ministry,” Reuters reported in a wire about the situation on May 31, 1985. “The spokesman said the expulsion appeared to be linked to their meeting with … Georgian dissidents.”

Goldberg says that while she later learned that some of the Soviet activists faced consequences for the visit, some of the people the musicians met on the trip were eventually able to permanently leave the USSR. She notes that while her musical code wouldn’t have been very difficult to crack if someone were focused on it, the obfuscation served its purpose, making it both an elegant and harmonious encryption scheme.

How a Saxophonist Tricked the KGB by Encrypting Secrets in Music

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSA CONFERENCE 2022 – San Francisco – At the Moscone Center on Monday, RSA Conference program committee chair Hugh Thompson's happiness was palpable. He told a cute story about his kids learning to hack during the COVID-19 lockdown and exulted in holding the Innovation Sandbox competition in person.

"You will not be able to walk out of this place today without being so excited about the kinds of innovation that are happening in security today," Thompson said.

At the in-person 2022 Innovation Sandbox, representatives from 10 cybersecurity startups made their case for having the most innovative technology in the sector. Each finalist had three minutes to pitch their tech to a panel of experienced judges. The judges were Dorit Dor, chief product officer of Check Point Software; Paul Kocher, independent researcher and founder of Cryptography Research (who Thompson called the "Simon Cowell of the judging panel"); Niloo Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft.

Thompson brought Dor and Howe to the stage to discuss the judges' deliberations and announce the winner. He tried to gin up some good-natured drama by asking about altercations and pointing out the judges' lack of obvious injuries.

"There was a big dispute," Dor acknowledged, but Howe assured him, "We're not bloodied or bruised."

Both Howe and Dor had high praise for all 10 companies. "There are many good technologies out there, and it was not an easy selection," Dor said.

Added Howe: "There was conversation about every single company. The top 10 are really fantastic, solving really important problems."

First Thompson announced the top two: Talon Cyber Security and BastionZero. Ofer Ben Noon, co-founder and CEO of Talon, and Shannon Goldberg, CEO of BastionZero, shook hands with everyone. Goldberg even hugged Noon.

Dor called Talon's custom browser portal a "legit alternative that brings simplicity and manageability" for organizations with distributed workforces. Howe praised BastionZero for tackling the "really important problem of management of sessions connecting into the infrastructure."

But in the end, there could be only one winner — and it was Talon.

Here's how the presentations went down.

**The 10 Contestants**

The first contestant was Leonid Belkind, CTO of Torq, which Thompson described as "no-code automation for security teams." Belkind ran through his spiel in exactly three minutes "to the second," Thompson marveled.

The first judge question was from Kocher, who asked, "If someone isn't technical enough to write code, how are they going to understand what they're going to screw up with their automation?" Kramer asked about departments that don't want to collaborate with security teams, while Howe pointed out that in the crowded no-code sector, Torq would need to displace an existing contender.

Next up was Ben Noon, whose company's tagline is "solving security for hybrid work and unmanaged devices." He made a compelling case, saying, "Your browser is your front door," and it's been left open. The company built a secure corporate portal in Chromium with a user experience like Google Chrome and a backend that provides visibility and malware protection.

Then Sevco Security co-founder and CEO J.J. Guy presented for his company, "the starting point for all of your security activities." The company's tech aims to make a complete inventory of all devices connected to an organization to improve asset management.

The fourth contestant was Giora Engel, CEO and founder of Neosec, which is "reinventing API security by bringing XDR techniques and true behavioral analytics." His company addresses what he calls "the API blindspot" — B2B APIs, which are overlooked while people address B2C concerns.

Vladi Sandler represented Lightspin, which sells "graph-based cloud security built by and for cloud engineers." Refreshingly, the CEO mentioned 50% female representation on staff as a differentiating factor. Kocher tried to earn his Simon Cowell rep by saying, "So on Amazon's website I had to turn off One-Click ordering because I kept getting the wrong stuff. You claim on your website that in one click, you can remediate problems. Should I be scared by that?" Sandler rejoined that he trusts his team's skills, and Thompson gently ribbed Kocher about his Amazon problem afterward.

David McCaw co-founded Dasera, which is "helping cloud-first organizations operationalize data governance," according to its tagline. "We think DataGovOps is going to be the next revolution and finally solve the data challenges we've been facing for a long time," he asserted.

Cycode, which provides "complete software supply chain security," was represented by CEO and co-founder Lior Levy. Dor dropped a judge's question that brought laughs to the room: "How do you convince developers to fix their code?" Levy responded that his company helps developers implement bug fixes within their existing workflows and adds in automation "so they don't get frustrated."

"Bringing incident response into the cloud era" is Cado Security. CEO and co-founder James Campbell compared the manual process of investigating and responding to cloud incidents to the tedious procedure for creating a mix tape (Gen X represent).

"Is data collection happening before an attack or after an attack?" Kramer asked. "Is it part of the investigation, or is it part of the ongoing process?" The answer was that it depends on which services a customer uses.

Goldberg showed up to talk about her company BastionZero, which says it is "redefining zero trust for access to cloud infrastructure." Thompson asked Kocher, who co-created the SSL protocol, to ask a question. He obliged by asking whether organizations should use BastionZero or the strong encryption of a YubiKey to replace passwords.

Goldberg answered, "You should use us, for sure, absolutely," which again brought laughs, but she continued by saying that the separate authentication path could include things like YubiKeys.

Araali Networks, whose tagline was "surviving intrusions in cloud-native environments," closed out the contest with co-founder and CEO Abhishek Singh. The judges asked several technical questions about how the system handles various situations and configurations, which Singh handled ably.

"It works out of the box for Google, Amazon, and Azure," he assured Microsoft's Young. "Any system that works with Linux ... is ready to work with us."

**In-Person Do-Over for Apiiro**

    

Source: Screen-grab from RSA Conference

One of the most poignant moments came at the beginning of the show: Thompson brought up the winner of the 2021 Innovation Sandbox, which was held virtually, so that he could have his in-person moment of glory. Idan Plotnik, co-founder of Apiiro, shook Thompson's hand and told him his company had increased its revenue by 398% in the past year.

"Everything changed," Plotnik said.  

The 10 finalists, in alphabetical order, were:

1.  Araali Networks
2.  BastionZero
3.  Cado Security
4.  Cycode
5.  Dasera
6.  Lightspin
7.  Neosec
8.  Sevco Security
9.  Talon Cyber Security
10.  Torq

For more about each of these companies, read our contest preview.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

RSA CONFERENCE 2022 — Even the most future-facing panels at the 2022 RSA Conference in San Francisco are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said moderator Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where-all we were using \[DES\], and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

**A Brief Explanation of Quantum Computing**

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel. He explained, "For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well. There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve very efficiently."

These problems that quantum computers handle better than conventional computers are called np-hard problems. "A lot of cryptography, specifically in asymmetric cryptography, relies on these np-hard type problems — things like elliptic curve cryptography; the RSA algorithm, famously — and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet. Toohey said, "To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1-10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits. Today, right now, the largest quantum computers are somewhere around 120 physical qubits." He estimated that to even muster the first logical qubit will take three years, and from there, it's got to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another of the technical challenges that needs solving before we get these powerful quantum computers is the cooling systems they require. As Toohey said, "Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures. So because of that, quantum computing architecture is incredibly expensive right now." Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are 8-10 years away. But that doesn't mean we have a decade to address PQC.

**Now Is the Time**

The panel was named for the journalistic model of five questions that start with w, but that didn't come up until late in the audience Q&A portion. Miller said, "Sam was asking the what, the who, the why, the where, and the when. So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: now. Miller said, "You've gotta start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along."

Phillips concurred, saying "There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work there to move it forward because people recognize the benefits that are there, and we are recognizing the risk. We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning your preparations with a crypto inventory — again, _now_. "Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

"What we're trying to do right now is drive ourselves toward a goal: five years" until Wells Fargo is ready to run post-quantum cryptography, Miller said. "The key is: large company, five years, is a very aggressive goal. So, the time to start is now, and that's one of the most important takeaways from this get-together."

**Crypto Agility Gets You to Quantum Resilience**

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next. "The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toomey agreed on the importance of agility. He said, "Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition. We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it. Phillips said, "Don't just focus on the algorithms. Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

**You've Got to Have Standards**

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer is: not yet.

The lack of certainty is no cause for inaction, Miller said. "So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there. Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner without disrupting business or breaking your business processes and be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play. Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing _now_: "That way, when NIST finally finish publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it."

He added, "That's going back to crypto agility, and this mindset that we need to be able to plug and play, we need to be able to pivot as an industry very quickly to new and developing threats."

Now Is the Time to Plan for Post-Quantum Cryptography

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

An Emerging Threat: Attacking 5G Via Network Slices

By Owais Sultan
Let’s talk about how AI in cybersecurity protects the corporate networks of companies. Technological progress has not only…
This is a post from HackRead.com Read the original post: How to use AI in cybersecurity?

****Let’s talk about how AI in cybersecurity protects the corporate networks of companies.****

Technological progress has not only pleasing but also bad consequences. Together with the accelerated pace of corporate security systems development, new and more sophisticated types of cyber-attacks are emerging.

According to the World Economic Forum, the protection measures taken by enterprises become outdated instantly. Over the previous year, the number of attacks increased by 30%, and this alarming trend continues.

The market is short of about 2.72 million cybersecurity professionals to deal with the growing number of threats. This is where artificial intelligence can help businesses. Let’s talk about six AI use cases in cybersecurity.

**Statistics on AI use in cybersecurity**

Researchers contributing to the 2022 Cybersecurity Almanac predict that spending on fighting cybercrimes will rise to $10.5 trillion. This is three times more than in 2015 ($3 trillion). Given the fact that the amount of global data is growing, it becomes more difficult to track and prevent vulnerabilities.

For example, 80% of telecommunications organizations are confident that they will not be able to respond to cyber-attacks without AI. The professional sector is a target for cyber villains (934 incidents were recorded in 2020). The public sector, manufacturing, and healthcare suffer from cyberattacks.

In 2020, AI in cybersecurity was worth more than $10 billion, and by 2027, the price will increase by almost 4.5 times. IBM estimates that companies that lack AI spend three times as much to mitigate cyberattacks as companies with deployed automated tracking systems.

Nearly half of the managers surveyed by Capgemini say they use a smart algorithm to detect cyber threats. With its help, 34% of these professionals predict attacks and 18% respond to incidents.

Based on the above trends, Meticulous Research says that AI in cybersecurity will grow by 24% per year to reach $46 billion by 2027.

**Six main AI use cases in cybersecurity**

Imagine a campus that consists of several buildings. Getting inside is not difficult, because it is impossible to put a guard at each door. This is where AI helps: cameras read the faces of visitors and find those who “sit on someone’s tail” following employees with passes to enter buildings. This may be a worker who was too lazy to show a pass or a scammer.

The larger the office, the higher the risk of intrusion, and the more useful AI systems for face recognition are. In a video, an algorithm singles out people who violate the security policy. An image of a person’s face is compared with the database of staff members’ photographs; thus, the system defines if it is an employee or a stranger who decided to illegally enter the office.

If we consider the use of AI in a corporate network or on the Internet, we can talk about six main options for using a smart algorithm.

*   **Detection of malicious code and malicious activity in corporate networks**

AI automatically classifies domains by analyzing DNS traffic to identify C&C, malicious, spam, phishing and clone domains, and so on. Previously, to manage this environment, it was enough to have good blacklists. They coped with their task albeit with regular updates and with large volumes.

Today, domains are created in 1-2 minutes, used no more than 2-3 times within half an hour, and then criminals switch to other domains. To track them, blacklisting is not enough: you need to use AI technology. A smart algorithm learns to detect such domains and block them immediately.

*   **Encrypted traffic analysis**

According to Cisco, more than 80% of Internet traffic is encrypted. It needs to be analyzed. You can apply the “government man in the middle” scheme or use AI technology, which, without encryption and decryption, allows you to identify the following issues by metadata and network packets and without analyzing the payload:

*   Malicious code; 
*   Malware family;
*   Applications that are used;
*   Devices that work within the framework of an encrypted TLS session or SSL of one version or another.

These are technologies that work in practice and allow you to understand what is happening inside the encrypted traffic the volume of which is growing. And you needn’t invest much in it.  

*   **Detection of fake photos and substituted pictures.**

An algorithm recognizes whether the face of a person in the photo has been replaced with someone else’s picture. This feature is particularly useful for remote biometric authentication in financial services. It prevents scammers from creating fake photos or videos and presenting themselves as legal citizens who could be granted a loan. Thus, they won’t steal the money of others. 

*   **Recognition of voice, language, and speech.**

This AI feature is used to detect information leaks and read unstructured information in non-machine readable formats. This information enriches the data from firewalls, gateways, proxy systems, and other technical solutions that provide structured data.

Thus, you will know who and when accessed the Internet and whether they used corporate or departmental networks. AI helps enrich this information with data from news, company newsletters, and so on.

*   **Providing recommendations**

Based on statistics, AI makes recommendations on what protection tools to use or what settings need to be changed to automatically increase the security of a corporate network. For example, the Massachusetts Institute of Technology has created AI2, a system that detects unknown threats with a probability of up to 85%.

The more analyses the system performs, the more accurately it gives the next estimate due to the feedback mechanism. Moreover, a smart algorithm does this on such a scale and at such a speed that human defenders would not be able to handle.

*   **Automation of software vulnerability search**

A vulnerability is a bug in a program that allows someone to benefit from it (for example, extract data for sale, transfer money, steal private data from a phone, and so on). Thanks to AI, it has become possible to search for such errors automatically.

AI looks for vulnerabilities in a program and examines the application interface. If it finds ransomware on a computer, it immediately disconnects its user from the network, thereby saving the rest of the company from dangerous infection.

**Conclusion**

AI in cybersecurity has great prospects. But it must be handled reasonably, like any other technology. It is not a silver bullet and having even the most advanced technology does not mean 100% protection. AI will not save you from serious attacks caused by neglecting basic cybersecurity rules. A smart algorithm should be implemented if a clear ecosystem that can adapt to a changing corporate network has been built.

AI will be genuinely effective if it is developed, corrected, and tuned. This is time-consuming and difficult work, which will benefit if the technology is used carefully and not for the sake of being trendy.

**More AI Topics**

1.  Fields of application of artificial intelligence
2.  How Artificial intelligence (AI) Stops Cybercriminals
3.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
4.  Ways to Take Advantage of Artificial Intelligence in Technology
5.  Website uses Artificial Intelligence to create utterly realistic human faces

How to use AI in cybersecurity?

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

RSA CONFERENCE 2022 – San Francisco – A catastrophic pandemic, an escalating war in Eastern Europe, and the Colonial Pipeline ransomware shutdown are all in their own ways recent seismic disruptions that forced external change on the cybersecurity sector. 

That was the word from RSA CEO Rohit Ghal, who used the opening keynote of this year's RSA Conference to encourage cybersecurity leadership to embrace intentional transformation – with the goal of coming out on the other side of these cascading disruptions stronger and better than ever.  

"Transforming security will require us to reorient our thinking," Ghal said. 

To accomplish that goal, he shared three core ideas he thinks will help set the information-security community on a path that will enable it to use recent events to crystalize and transform into something better. 

**1\. Rethinking Identity **

First, Ghal suggested that a focus on user identities is the future, and figuring out how to center access on identity without traditional access mechanisms (i.e., passwords) is the way forward.

"Identity is the one constant in cybersecurity," he said. "It's time to hold a requiem for passwords." 

Ghal called for the industry to focus on creating a single, decentralized, infrastructure-agnostic platform that puts control back in the hands of users. 

**2\. Truth Matters **

Next, Ghal said that protecting the veracity of information is going to be a key role for cybersecurity in the coming years. Fake news and misinformation have emerged as powerful weapons to bring down institutions and more.

"What matters most is the truth, the veracity of information," he said. "Hacked brains are way more dangerous than hacked systems." 

Ghal added that a disciplined application of technology is the solution to weeding out bad information, and the only real way to verify whether information is true is to authenticate its creator . 

**3\. Convenience Shouldn't Win **

When it comes to the well-worn debate over whether security is too onerous for users to adopt, Ghal called on the industry to ditch its old "dogmas."

"We need to stop sacrificing security at the altar of convenience," he said.

The answer, Ghal said, will lie with innovators, who have the "most important role." 

"Innovation grows the pie and delivers new benefits," he said. 

The sector shouldn't wait for a comparable "cybersecurity pandemic" to force change, Ghal added.   

"Transforming security will require us to reorient our thinking," he said.

RSAC Opens With Message of Transformation

A coalition of over 25 industry leaders, led by NightDragon and non-profit NextGen Cyber Talent, partner to raise $1 million for collegiate cybersecurity education

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- NightDragon, an investment and advisory firm focused on the cybersecurity, safety, security, and privacy industries, and NextGen Cyber Talent, a nonprofit organization dedicated to increasing diversity and inclusion in the cybersecurity industry through education and career opportunities for underserved and underrepresented students, today announced the launch of the Coalition to Close the Cybersecurity Talent Gap ("Coalition"), a campaign to raise $1 million to help fund one year of community college courses for Bay Area students pursuing careers in cybersecurity.

The Coalition is composed of more than 25 industry-leading cybersecurity and technology leaders that are passionate about cultivating the next generation of cybersecurity talent and committed to closing the cybersecurity skills gap. Driven to make a difference in the lives of students and their local communities, at launch, the Coalition has raised more than $300,000 of the $1 million needed to fund the cybersecurity education initiative for Bay Area students.

Through leveraging its vast network, NightDragon led the formation of the coalition including NightDragon portfolio companies, go-to-market and investment partners. Founding members for the initial cohort include: AllegisCyber Capital, Carahsoft, Claroty, Coalfire, Cyderes, Deloitte, Exclusive Networks, ForgeRock, HUMAN Security, iboss, Immuta, Ingram Micro, Interos, Knight Group, Macnica, Marsh, Merlin, Mezmo, NightDragon, Onapsis, Optiv, Palo Alto Networks, Prosek, Team8, Ten Eleven Ventures, ThriveDX, SafeGuard Cyber, Snowflake, and vArmour.

"There are an estimated 2.7 million unfilled cybersecurity positions. These vacancies create a significant challenge as security teams everywhere struggle to hire talent to monitor and remediate cyberattacks, as well as develop new technology to combat today's latest threats," said Krishnan Chellakarai, Founder and Co-Chairman of NextGen Cyber Talent and CISO of Gilead Sciences. "Solving the cybersecurity talent shortage will take a collective industry-wide effort. We are calling on the industry during the RSA Conference to contribute to the campaign and look forward to the impact we can make together to close the cybersecurity talent gap."

"The cybersecurity talent shortage is an issue that impacts all of us and is one of the biggest challenges facing our industry and national security. Let's demonstrate that as an industry we can come together to help solve for the talent shortage and foster the next generation in cyber talent that will help us combat today's threats," said Dave DeWalt, Founder, and Managing Director, NightDragon, and Board Member, NextGen Cyber Talent.

"The partners who have pulled together on this important mission are an impactful group of leaders from across the industry, which speaks to the universal nature of this mission to close the cybersecurity talent gap. By reaching out to the broader industry at the RSA Conference, we hope to show the power and compassion of our industry to help the underserved and enrich the cybersecurity workforce with more diversity," said Amy De Salvatore, VP Business Development and Strategic Alliances, NightDragon, who initiated the campaign and led the formation of the Coalition.

NextGen Cyber Talent partners with Bay Area community colleges to offer several cohorts of training programs, continuous career development and mentoring, and grants to hundreds of students pursuing cybersecurity education. The funds will be distributed by NextGen Cyber Talent to students at participating Bay Area community colleges who have applied and met the qualifying grade criteria of a B- or better. In addition to capital, founding coalition partners have also contributed additional in-kind donations, including lectures, curriculum materials, and internships for students.

"As we continue to focus on the essential mission of making each day safer than the one before, we have a responsibility as an industry to encourage and educate the next generation of cyber leaders," said BJ Jenkins, President at Palo Alto Networks and NightDragon Board member. "We thank NightDragon and NextGen Cyber Talent for bringing us together on this shared vision. We look forward to helping students recognize all of the cybersecurity career possibilities."

Donations of any size can be made through the Coalition to Close the Cybersecurity Talent Gap campaign donations page.

**About NextGen Cyber Talent**

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry. It brings together cybersecurity experts, solution providers and enterprises to make a difference in the underserved and underprivileged community and address a mounting cyber skills shortage and talent gap. To learn more, visit www.NextGencybertalent.com.

**About NightDragon**

NightDragon is an investment and advisory firm focused on growth and late-stage investments within the cybersecurity, safety, security and privacy industries. Its platform and vast industry network provide unparalleled threat insights, deal flow, market leverage and operating expertise to drive portfolio company growth and increase shareholder value. Founded by Dave DeWalt, the NightDragon team has more than 25 years of operational and market expertise leading technology companies such as Documentum, EMC, Siebel Systems (Oracle), McAfee, Mandiant, Avast and FireEye. Read more about NightDragon at www.nightdragon.com.

Cybersecurity Industry Leaders Launch Campaign to Close the Cybersecurity Talent Gap

Basic Pen Tests support rapid, basic vulnerability discovery, while Standard Pen Tests provide compliance-driven testing to meet requirements for Web apps, APIs, and networks.

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced a significant expansion of its Penetration Testing as a Service (PTaaS) product line to include new offerings—Basic Pen Test and Standard Pen Test—purpose built for today's digital business where continuous testing must keep pace with continuous and agile development. These strategic additions expand the use cases covered by Bugcrowd's PTaaS suite to cover the gamut of customer needs, from basic assurance for simple web apps and networks to continuous, crowd-powered testing of complex apps, cloud services, mobile apps, APIs, and IoT devices for maximum risk reduction.

Most pen test providers today offer cumbersome, ad hoc consulting offerings that do not identify all risks and are hard to execute at scale in a consistent and configurable way for buyers as well as pentesters themselves. PTaaS solutions have emerged to address these issues, but most don't go far enough—only Bugcrowd delivers a modern, platform-powered approach, enabling organizations to keep innovating without compromising security.

With Bugcrowd's expanded PTaaS product line, pen test buyers now have an option for meeting every requirement, and for every asset type:

*   **Basic Pen Tests** for rapid, basic vulnerability discovery and reporting
*   **Standard Pen Tests** for easy-to-launch, compliance-driven testing packaged to meet most customer requirements for common use cases for simple web apps, APIs and networks
*   **Plus Pen Tests** for meeting special needs around targets, testing times, geographic requirements, etc.
*   **Max Pen Tests** for continuous, maximum risk reduction

"We have a diverse set of use cases for pen testing, ranging from basic vulnerability discovery for very simple web apps to intensive and continuous risk reduction for business-critical ones," said Jason Frost, Manager, Security Assessment, Paychex. "These new additions to the Bugcrowd PTaaS product line fulfill all our needs in one platform."

The Bugcrowd Security Knowledge Platform™ enables pen tests to run alongside Bugcrowd's managed bug bounty, vulnerability disclosure programs, and other solutions as a fully integrated and orchestrated experience blending data, technology, and human intelligence, with all findings flowing directly into the software development lifecycle. Bugcrowd's PTaaS suite allows customers to:

*   Activate precisely the right crowd at the right time leveraging the platform's CrowdMatch ML technology, delivering a 2x increase in high-impact findings versus manual matching methods
*   Launch tests in days instead of weeks and continually get fresh eyes-on-target from Bugcrowd's broad and diverse crowd
*   Utilize historical information to create standardized tests that reduce the need for contracted SOW discussions, while getting the intelligence of the aggregated experience of the platform, customer needs, and researchers to conduct the most relevant pen test scope
*   Get high-impact results that go beyond compliance checkboxes
*   See prioritized results and methodology progress in real-time via a rich PTaaS Dashboard experience

"Traditional penetration testing often delivers noisy, low-impact results, often takes weeks or even months to produce results, and offers no visibility into test progress," said Ashish Gupta, CEO, Bugcrowd. "We provide real-time visibility into pen testing results and vulnerabilities being found that allow our customers to continuously reduce risk and secure their environments, helping them stay ahead of a breach with solutions tailored to meet their needs."

Click here to learn more about these additions to Bugcrowd's PTaaS.

Click here to learn more about the Bugcrowd Security Knowledge Platform.

"Bugcrowd", "CrowdMatch", and "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd  
**Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation, and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Tag

#cisco