Application-Centric Security Research Actions

We provide a discussion on relevant research actions that need to be taken to mitigate the threats, gaps, and challenges previously identified and reported in Appendix A.5 of document D4.3. As cyber-hygiene practices are improving, threat actors rely more and more on two main aspects to successfully carry their attacks: i) human factor [1][2]; ii) supply-chain [3]. These are the two main areas that research should focus on.

• RA5.1 – Zero Trust (ZT) security. It is a paradigm where, in short, everything is considered malicious and untrusted. It moves from implicitly trusting assets because of their location (e.g., intranet) or ownership, towards a dynamic approach where authentication and authorization are explicitly granted [4]. It can be seen as an enhancement of Security by default (C5.1), We note that ZT is a set of guidelines to apply organization-wide, and it is critically important considering the actual trends towards hybrid architectures (i.e., cloud, edge, IoT, BYOD, remote work). The ideas behind ZT seem to be understood and promising, and some production-ready solutions begin to emerge [5], despite ZT being still in an early stage. There are many aspects to investigate, for instance, i) impact evaluation, i.e., how existing practices change in a ZT architecture; ii) effective migration strategies, to name but a few.
  Threats: T5.1.1 – Security misconfiguration, T5.1.2 – Inadequate design, T5.2.1 – Interception of information, T5.2.2 – Sensitive data exposure, T5.3.1 – Broken authentication and access control, T5.3.2 – Denial of service, T5.3.3 – Code execution and injection (unsecured APIs), T5.3.5 – Untrusted composition, T5.3.6 – Supply-chain security, T5.5.1 – Malicious insider
  Gaps: G5.1 – Gaps on microservice-aware security, G5.2 – Gaps on authentication and authorization, G5.3 – Gaps on orchestration and composition, G5.4 – Gaps on safety and security by default, G5.5 – Gaps on the proper management of configurations, G5.6 – Gaps on supply-chain security, G5.7 – Gaps on skills, G5.9 – Gaps on education, G5.10 – Gaps on sophisticated protection
• RA5.2 – AI/ML for Security. It refers to the use of Artificial Intelligence in the context of security. AI is now capable of solving tasks of huge complexity, from image recognition to text generation. It can play a crucial role in improving security, especially addressing those problems for which traditional approaches have well-known limitations, e.g., IDS, traffic analysis. In the application domain, AI can help in many ways, for instance, code analysis (e.g., to recognize malicious apps whose code is obfuscated), continuous authentication, application, and user monitoring, to name but a few. Parallelly, it is fundamental to understand i) the novel challenges AI brings; ii) the limitations of such approaches, for instance, there are already cases when ML-based detection tools are being bypassed [6]; iii) how AI can be used to cause damage, either voluntary or not.
  Threats: T5.2.1 – Interception of information, T5.2.2 – Sensitive data exposure, T5.3.2 – Denial of service, T5.3.6 – Supply-chain security, T5.5.1 – Malicious insider
  Gaps: G5.2 – Gaps on authentication and authorization, G5.6 – Gaps on supply-chain security, G5.10 – Gaps on sophisticated protection
• RA5.3 – Authentication. It refers to novel forms of sophisticated authentication, which, in its basic form is already a countermeasure (C5.2). Today, MFA is strongly recommended to overcome the issues of weak passwords. However, many MFA systems are only a second layer over passwords [7]. Furthermore, MFA systems are typically complex to setup, because they require supporting infrastructure, policies to deal with devices loss, SIM hijacking threats, etc [8][9]. Rather, novel authentication solutions should be “purely passwordless”, i.e., not requiring passwords at all. To this aim, biometric authentication is acknowledged as the most secure way of authentication, followed by token-based approaches (e.g., apps installed on a device). Still, these methods have their challenges. For instance, biometrics i) often relies on specialized hardware; ii) faces harsh criticisms, as, in some cases, it is perceived as a form of mass surveillance. In this sense, research on authentication should focus on the integration and the applicability of passwordless authentication in wider and much complex architectures, while strictly adhering to privacy requirements.
  Threats: T5.1.2 – Inadequate design, T5.2.2 – Sensitive data exposure, T5.3.1 – Broken authentication and access control
  Gaps: G5.1 – Gaps on microservice-aware security, G5.2 – Gaps on authentication and authorization, G5.4 – Gaps on safety and security by default, G5.7 – Gaps on skills, G5.9 – Gaps on education, G5.10 – Gaps on sophisticated protection
• RA5.4 – Supply-Chain. It refers to the security of all the components (e.g., hardware, libraries) of an application or an ICT product. In general, attackers are shifting towards indirect attacks, exploiting the supply chain (and the human factor as well) [10]. In fact, the supply chain was the means of one of the most severe attacks recently happened: SolarWinds [11]. Supply-chain attacks are often distributed through software updates. For this reason, supply-chain research should address also the long-standing issue of patch management, for instance how to effectively update the plethora of devices forming IoT [12][13][14][15], and to avoid the update mechanism being a threat itself [16]. There are projects explicitly aimed at securing updates (e.g., TUF [17]). However, little research has been devoted to properly addressing supply-chain security as a whole in IT, while it has been investigated in other domains. In general, the supply chain is often related to the concept of risk and trust. Hence, some authors are advocating for supply chain management following the Zero Trust principles [18].
  Threats: T5.1.2 – Inadequate design, T5.2.2 – Sensitive data exposure, T5.3.1 – Broken authentication and access control, T5.3.3 – Code execution and injection (unsecured APIs), T5.3.5 – Untrusted composition, T5.3.6 – Supply-chain security, T5.3.7 – Virtualization
  Gaps: G5.3 – Gaps on orchestration and composition, G5.4 – Gaps on safety and security by default, G5.6 – Gaps on supply-chain security

---

Highlights on Identified Research Actions

The above research actions point to the definition of sophisticated forms of security, built on a solid ground. This ground consists of ZT enhancing security by default (C5.1), where the physical network perimeter no longer coincides with the logical security perimeter, an approach pioneered by Google, among the others [19]. One of the fundamental pillars of ZT is identity [8], as it is often the only barrier to obtain access to resources. Clearly, it requires strong forms of authentication, possibly token-based or biometric, or, in any case, beyond passwords. We note that, as already mentioned in R5.3, this brings in new layers of complexity that are not easy to cope with, especially for small and medium-sized organizations. Next, AI can improve the state of the art in many sectors where, for instance, classification tasks are required. However, AI by itself is not the cure-all solution, and organizations need to strongly think about the implications of AI and its notorious unpredictable behavior. Finally, as attacks are increasingly indirect, supply-chain security should be properly investigated. In general, securing the software supply chain is not an easy task as it involves a thorough knowledge of the whole chain. 

---

[1] Blackberry 2021 Threat Report.

[2] Accenture. Cyber Threatscape Report. 2019. https://www.accenture.com/_acnmedia/pdf-107/accenture-security-cyber.pdf

[3] Accenture. Cyber Treatscape Report. 2020.

[4] NIST SP 800-207. Zero Trust Architecture. 2020. https://csrc.nist.gov/publications/detail/sp/800-207/final

[5] Istio. Security. https://istio.io/latest/docs/concepts/security/

[6] Sophos 2021 Threat Report. https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

[7] Gartner. Top Security and Risk Management Trends. 2019

[8] Gartner. Top security and risk management trends for 2021

[9] Sophos Threat Report 2020, https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-2020-threat-report.pdf

[10] Accenture. Third Annual State of Cyber Resilience. 2020.  https://www.accenture.com/_acnmedia/PDF-116/Accenture-Cybersecurity-Report-2020.pdf

[11] CSO. SolarWinds attack explained: And why it was so hard to detect. https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html

[12] JSOF. Ripple20. https://www.jsof-tech.com/disclosures/ripple20

[13] Wired. An Operating System Bug Exposes 200 Million Critical Devices. https://www.wired.com/story/vxworks-vulnerabilities-urgent11/

[14] Wired. Decades-Old Code Is Putting Millions of Critical Devices at Risk. https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/

[15] Armis. URGENT/11 Affects non-Vxworks Operating Systems. https://www.armis.com/blog/urgent11-affects-additional-rtoss-highlights-risks-on-medical-devices/

[16] Wired. This Bluetooth Attack Can Steal a Tesla Model X in Minutes. https://www.wired.com/story/tesla-model-x-hack-bluetooth/

[17] TUF – The Update Framework. https://theupdateframework.io

[18] The zero trust supply chain: Managing supply chain risk in the absence of trust. Zachary A. Collier, Joseph Sarkis. International Journal of Production Research. 2021. https://www.tandfonline.com/doi/full/10.1080/00207543.2021.1884311

[19] Rory Ward and Betsy Beyer. BeyondCorp: A New Approach To Enterprise Security. ;login:, vol 39 n 6. 2014. https://www.usenix.org/system/files/login/articles/login_dec14_02_ward.pdf