Back to Blog
Why the 5G World Needs Real-Time Attack Detection


5G is here. The build-up to the rollout of 5G has been years, but in 2020 the world is slowly but surely beginning to connect to and use 5G. In 2020, 160 million devices are projected to connect to the network, with hundreds of millions more expected to be added in the coming years. As the network of the future is now a reality, so are cyberattacks that target it. 

In the last year alone, three major cyberattacks have targeted organizations that are also making forays into the 5G market. In the span of five months between October 2019 and February 2020, there were three major instances of vulnerabilities found in devices from companies like Cisco, Huawei, and Broadcom.

In October 2019, a bug in the Linux kernel of Realtek Wi-Fi chips, used by several models of Android mobile phones, allowed attackers to execute a simple buffer overflow and gain complete control of the system. 

Just months later in January, another buffer overflow bug was identified in Broadcom-based modems. This bug became known as Cable Haunt and it affected over 200 million devices, including modems from NETGEAR, Cisco, Technicolor, and Arris.

Then in February, the Kr00k cyberattack impacted organizations like Apple, Cisco, Huawei and Aruba. Attackers were able to exploit a vulnerability in Broadcom and Cypress Wi-Fi chips which allowed them to intercept and decrypt Wi-Fi network traffic. 

Attack prevention starts with attack detection 

It is clear that the vulnerabilities and exploits that have plagued in previous network generations are not going away. In fact, 5G is introducing devices using even more software than before. And experts are warning that this massive cybersecurity risk is only going to get worse—if left unaddressed. 

Luckily, there are many attack tools out there today that provide the means to detect cyberattacks. Though there may be countless options from a myriad of cybersecurity providers, they all fall into two general categories of cyberattack detection: signature-based and anomaly-based.

Signature-based detection systems are very well-known: almost everyone has either a McAfee or  Norton antivirus program on their computer. These signature-based systems work by detecting ‘known’ malware based on a preprogrammed list of known Indicators of Compromise (IoCs).  IoCs are forensic evidence of potential attacks. This evidence can range from anything from malicious network behavior, file hashes, known byte sequences, or malicious domains. 

If an IoC is known, a signature-based system will stop it. However, these systems do nothing to detect unknown malware—and we know that new malware is being created all the time. In fact, there are 350,000 new cases of malware every single day. In addition, the more advanced the signature-based system is, the higher the CPU load is on the overall system (at minimum their tax is 15%) and it must run continuously in order to be ready to detect an intrusion.

Luckily, anomaly-based intrusion detection begins to address the problem of detecting unknown malware. Anomaly-based detection looks for and flags system activity that is outside the norm or baseline. Because it looks for unusual activity and not specific attacks, it can actually detect some unknown malware and zero-day attacks.  It is able to achieve this by training the system to identify what normalized, baseline behavior looks like. Once that behavior is learned, it compares system activity against that baseline. Any behavior that does not fall within the parameters of ‘normal’ behavior is flagged as anomalous and an alert is issued.

However, it is extremely difficult for a system to define every single ‘normal’ behavior, and as a result many false positives are issued by these systems. In addition, today’s attackers are smart and can field attacks that mimic normal behavior so an anomaly-based system wouldn’t be able detect it.

Software vulnerabilities are the Achilles' heel of attack detection tools

Software vulnerabilities are not exclusive to the application software that runs on our devices. They exist anywhere complex software is found, including in the attack detection software that is meant to protect your system. In 2019, Trend Micro’s Apex One threat detection software had a path-traversal vulnerability that allowed an attacker to bypass authentication and log onto an affected product’s management console as a root user, without authentication. 

It is clear that current attack detection tools are lacking a proactive way to protect against cyberattacks. Neither signature nor anomaly-detection systems have the ability to detect and prevent attacks in real-time. 

With a proactive approach to cybersecurity, attacks aren’t just detected and prevented in real-time, but processors are immunized against the potential attack before it ever gets the chance to infect a system. Think of it like producing a vaccine for an illness and then distributing across the population, rather than quarantining those that become infected.

CoreGuard can detect attacks in real-time

Dover’s CoreGuard solution provides the real-time attack detection 5G demands by immunizing processors against entire classes of software vulnerabilities and detecting cyberattacks in real-time at the byte level.

CoreGuard accomplishes this by monitoring every instruction executed by the host processor in real-time ensuring it only does what it is meant to do, not what an attacker wants it to do. 

CoreGuard is a hybrid, hardware/software approach. CoreGuard’s Policy Enforcer hardware monitors and protects the host processor. It is implemented as part of the processor’s silicon design, and enables CoreGuard to check every instruction for compliance against a set of micropolicies. Micropolicies are security, safety, and privacy rules. Micropolicies in combination with metadata, information relevant entities in memory, gives CoreGuard the knowledge it needs to make informed decisions about the safety of each instruction. If an instruction violates a micropolicy, like trying to write to a portion of memory that is marked read-only, the Policy Enforcer hardware stops it from executing and sends a violation back to the host.

What all this means is that CoreGuard is a proactive, immunization approach. In fact, CoreGuard immunizes systems against 95% of the over 84,000 known software vulnerabilities in MITRE’s CVE and CWE databases. CoreGuard is able to do this because of the way CoreGuard micropolicies are written. They are designed to stop entire classes of vulnerabilities, including known and unknown ones. 

For example, instead of protecting against a specific, known vulnerability, like Cable Haunt or Kr00k (mentioned above), CoreGuard’s memory safety micropolicies together can stop all buffer overflow vulnerabilities … ever. That means today or ten years from now—with CoreGuard, an attacker will never be able to accomplish a buffer overflow again. That’s huge because there are 12,000 known buffer overflow vulnerabilities and CoreGuard immunizes against all of them, as well as any future cohorts. 

Please note, we are not saying that CoreGuard fixes these bugs in the software itself. What CoreGuard does is make sure that those bugs cannot be exploited to take over the system and wreak havoc.

CoreGuard does all of this in real-time—detecting and stopping any violations at the byte-level, before any damage can be done. 

Responding to a cyberattack in real-time

It’s not enough to just detect or prevent attacks, systems need to be able to take action and respond to attacks in real-time, when they are actually happening. 

When a CoreGuard micropolicy violation happens, a packet of attack information is produced and made available via SNMP to network operations management systems. Simultaneously, the application is notified that an attack is occurring and is able to take action via a preprogrammed response. That response could be anything from a segmentation fault which terminates the application, to logging the error but continuing to execute, to asking for user input or activating Address Space Layout Randomization (ASLR).

Of course, the response can be customized to the system that CoreGuard is protecting. If we’re talking about an autonomous vehicle that might get attacked while in use, you probably don’t want that car to stop in the middle of a highway. 

What is most often considered to be the safest option is to have an alternate, safe application that the system can revert to, and this application would take over in the event of an attack. Take for example, a package delivery drone. Someone has figured out how to take control of this drone and wants to redirect its packages to a different location. But if the drone was protected by CoreGuard, it would detect this attack, stop it from executing, and switch to an alternate “safe” application. This application would go into an encrypted store and get the GPS location for home and without listening to the network fly there safely. So all that toilet paper and hand sanitizer being delivered, wouldn’t end up in the wrong hands. 

Next level protection is required for the future of 5G

5G will enable so many new technologies, including advancements in AI and machine learning. However, it will also usher in a whole new set of vulnerabilities and security concerns. That is why 5G, being the next generation of network, also needs the next generation of protection—CoreGuard is that solution.  

To learn more about CoreGuard, check out a recording of Dover’s latest webinar; Real-time Cyberattack Detection, Prevention & Response.

Share This Post

More from Dover

PublishedApril 02, 2021

Months after being discovered, the world is still abuzz with talk of the SolarWinds attack. In all likelihood, we’ll still be talking about it for years to come. SolarWinds was unprecedented in its target and scope. It also highlights a new and...

Safety Defense-in-Depth