deobfuscate: 5G

Networks of the Future, Today

If you’ve been working in network security operations for big-name providers of mobile/wireless technology, then you’ve probably run into this term. 5G, pronounced Five-G, is the fifth generation of mobile network technologies and the successor to 4G technologies like LTE. While it tends to be a buzzword, I’ve been working with a few high-level organizations that are already prepping the technology for widespread adoption, now that the foundations of 5G have been laid out around the world.

As a note for readers, I intend this topic to be SOC-centric, so I’m going to introduce a general overview of the topic before relaying what’s important for SOCs to understand about this technology. If you’re looking for more information on 5G in general, here’s the Wikipedia page.

This Isn’t Your Dad’s Mobile Network

When we hear about technologies like 3G, 4G, and 5G, we tend to immediately think of our cellphone providers. Verizon, T-Mobile, AT&T, etc. have all implemented standards of 5G tech, but that is merely a narrow view of what the technology has the capability to do. Expand your ideas beyond the cellphone in your pocket to the concept of the Internet of Things (IoT).

IoT is the concept of (mostly) embedded systems and sensors that transmit data for consumption and use. IoT devices are things like our smart thermostats, Chromecasts, and Wi-Fi-enabled garage doors and door locks. However, smart homes aren’t the only users of IoT. Commercial implementation of IoT has been the major driver in the development of these technologies for decades, bridging the gap between Industrial Control Systems (ICS) and our cyber world, and it’s only been in the last ten years that we introduced Google, Alexa, and Siri into our homes to automate the really easy tasks of lights, locks, and cameras. Healthcare also plays a massive role in the development of these technologies, implementing them for automated care of patients not just inside the hospital but also in the home (think insulin pumps, heart monitors, blood pressure machines, body scales, and other devices doctors can remotely monitor for patient data when developing a treatment plan).

With this in mind, our networks, especially our wireless ones, are in need of an overhaul if they are to accommodate massive numbers of users and devices, all needing to send time-sensitive data. That’s where this next generational leap comes into play.

Latency and Security Came First

5G was introduced in July of 2016 by the 3rd Generation Partnership Project (3GPP), which is a consortium of standards organizations that create the mobile network protocols, such as 4G LTE. One of the primary discussion points in building this technology standard was ensuring that latency and security (what 5G refers to as Trustworthiness) were built into the platform from the ground up. There are five pillars that make up 5G Trustworthiness, according to an Ericsson whitepaper:

  • Security Assurance - Ensuring that the hardware utilized meets or exceeds security requirements and is implemented following a secure systems/software development lifecycle (SDLC).

  • Resilience - Ensuring that 5G systems appropriately implement Defense-in-Depth principles to be resistant to malicious and benign incidents that can impact availability.

  • Privacy - Protecting the information of the subscribers to the system and the subsequent network.

  • Communication Security - The ability for the system to secure all communications for both itself and devices on the network.

  • Identity Management - Ensuring that only authenticated and authorized subscribers have access to the network.

What these five pillars bring is something that a lot of SOCs are already familiar with, which is important as we try to translate what these technologies mean for us.

On the topic of latency, we must discuss Edge Computing. Mobile Edge Computing (MEC) is important for many organizations, especially those specifically interfacing with things like ICS, but also consider things like smart cars and augmented reality. MEC places the wireless infrastructure and the data repositories close together to keep latency as low as possible. This is essentially cloud computing teetering on the edge of being in the ‘cloud’: there’s little overhead needed to get to the resources, and many of these are built upon 5G infrastructure to handle the input. In some instances they call these ‘cloudlets’ or ‘fog’ to emphasize that they are ‘lower to the ground’, or closer to the end user who is utilizing the data.

Convergence of Wi-Fi and 5G

As we slowly pivot back into the discussion of how this technology pertains to the SOC, we must cover that 5G isn’t just for the telecom providers. 5G is converging Wi-Fi (specifically Wi-Fi 6E) and mobile telecommunications. The reason for this is to reduce the cost, complexity, and consumption of our networking infrastructure, and it’s been happening since 4G LTE. Many of 5G’s radio bands are short-wavelength, meaning their penetration capabilities and overall range are terrible for your cellphone provider, but absolutely amazing on college or hospital campuses, industrial areas, etc. This means that devices can choose to be Wi-Fi enabled, 5G enabled, or both (just like our cell phones), and that matters to us immensely as our I.T. departments begin choosing how we implement technology standards in our own environments.

Why the SOC Should Care

Our networks getting more complex gives us nightmares in the SOC. There’s a lot to juggle already without the idea of needing some complex technology that merges cloud computing, AI/ML, mobile networks, and Wi-Fi networks in a single generation, but here we are.

First and foremost: if your security team hears about 5G being implemented in your organization and you aren’t involved, everyone is wrong, from top to bottom. This is a hand-in-hand implementation, and everyone from your CIO and CISO to your analysts and engineers needs to be involved and prepared in these conversations about the use of the technology and how to properly secure it.

In addition, the organization must be prepared for securing IoT in the environment (assuming that’s what the vast majority of the 5G implementation is for). Detailed asset tracking, a decision on whether the 5G network is going to be private, hybrid, or public, and detailed use cases are the best places to start. I.T. should also be working to allocate resources for your 5G systems, like any IPs, certificates, domains, etc., which will be important to track and monitor appropriately. We should also define which services and which users need accounts, and how we merge those principles into a secure practice like Zero Trust. From there, we need to add them to any needed user tracking lists specifically for 5G or tag them for 5G.

Finally, as you offload logs to your SIEM or plug logs into something like an XDR for analytics, you should be prepared to understand what normal is and what isn’t. A baseline is a good place to start, but if you can work in a lab environment with the I.T. group and understand what ‘normal’ looks like before you even roll out to prod, you can better trend out the good and benign to find the bad stuff rather easily, especially if the rollout is slow, as many organizations tend to (and should) do.
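To make the asset-tracking and lab-baseline advice above concrete, here is an added example that is not from the original post or from any vendor product. It assumes a hypothetical asset inventory (device IDs, which network they ride on, and an owning team), a constructed log format of `<timestamp> <device> <dst_ip> <dst_port> <bytes>`, and two constructed log sets: one captured in the lab to learn what ‘normal’ looks like per device, and one from production to compare against it. Every device name, address and byte count is made up for the illustration.

```python
"""Learn a per-device baseline from lab logs, then flag production deviations.

Constructed example: the inventory, log format and all values are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical asset inventory: device id -> how it connects and who owns it.
# The owner is what lets the SOC route a non-actionable alert to the right engineer.
ASSET_INVENTORY = {
    "pump-0017":     {"network": "5g-private", "owner": "biomed-engineering"},
    "thermostat-03": {"network": "wifi",       "owner": "facilities"},
    "agv-102":       {"network": "5g-private", "owner": "logistics"},
}

# Constructed lab ("known good") traffic: ts device dst_ip dst_port bytes
LAB_LOGS = """\
2024-03-01T08:02:11Z pump-0017 10.20.0.5 8883 1200
2024-03-01T08:17:40Z pump-0017 10.20.0.5 8883 1180
2024-03-01T09:05:03Z thermostat-03 10.20.0.9 443 640
2024-03-01T10:15:22Z agv-102 10.20.1.4 5671 9000
2024-03-01T14:30:00Z agv-102 10.20.1.4 5671 9100
"""

# Constructed production traffic to compare against the baseline.
PROD_LOGS = """\
2024-03-08T08:04:13Z pump-0017 10.20.0.5 8883 1210
2024-03-08T02:13:55Z pump-0017 203.0.113.7 443 52000
2024-03-08T11:40:02Z camera-77 10.20.0.9 443 700
2024-03-08T12:01:30Z agv-102 10.20.1.4 5671 9050
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line into a dict; raises ValueError on a malformed line."""
    ts, device, dst_ip, dst_port, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FORMAT),
        "device": device,
        "dst": f"{dst_ip}:{dst_port}",
        "bytes": int(nbytes),
    }


def build_baseline(log_text):
    """Record, per device, the destinations, active hours and peak volume seen in the lab."""
    baseline = defaultdict(lambda: {"dsts": set(), "hours": set(), "max_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        profile = baseline[event["device"]]
        profile["dsts"].add(event["dst"])
        profile["hours"].add(event["ts"].hour)
        profile["max_bytes"] = max(profile["max_bytes"], event["bytes"])
    return dict(baseline)


def detect_deviations(log_text, baseline, inventory, volume_factor=4.0):
    """Compare production lines to the baseline and return a list of finding dicts.

    Each finding carries the owning team from the inventory so it can be handed
    to a network or cloud engineer when the analyst cannot act on it directly.
    """
    findings = []

    def flag(device, reason, detail):
        owner = inventory.get(device, {}).get("owner", "unassigned")
        findings.append({"device": device, "reason": reason,
                         "detail": detail, "route_to": owner})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        device = event["device"]
        if device not in inventory:
            # Anything talking on the network that the inventory does not know about.
            flag(device, "unknown-asset", "device not in inventory")
            continue
        profile = baseline.get(device)
        if profile is None:
            flag(device, "no-baseline", "asset is inventoried but was never seen in the lab")
            continue
        if event["dst"] not in profile["dsts"]:
            flag(device, "new-destination", event["dst"])
        if event["ts"].hour not in profile["hours"]:
            flag(device, "off-hours", f"hour={event['ts'].hour:02d}")
        if event["bytes"] > volume_factor * profile["max_bytes"]:
            flag(device, "volume-spike",
                 f"{event['bytes']}B vs lab peak {profile['max_bytes']}B")
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(PROD_LOGS, build_baseline(LAB_LOGS), ASSET_INVENTORY):
        print(finding)
```

Run as-is, the script flags the inventoried pump for a new external destination, an off-hours connection and a volume spike in one line, the unknown camera as an un-inventoried asset, and the AGV only for activity in an hour the lab never exercised. That last finding is the caveat: a baseline is only as good as the lab run that produced it, so the lab capture needs to cover a full operating cycle (shifts, maintenance windows, firmware update schedules) before its hour and destination sets are trusted in production.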

There are third-party vendors that work in the space to secure IoT, 5G, secure access service edge (SASE), edge and cloud computing, etc. that can work with your organization to process the onboarding of 5G, and provide specific and detailed alerting that can be fed to your SOC for consumption and remediation as well. Most (not all) tend to work more as supplemental I.T. monitoring rather than as a tool in a security stack (and yet another thing we have to pivot off to). However, right now beggars can’t be choosers as vendors work to secure the space and help develop SOC utilities for us to leverage in the event these networks begin being attacked.

It should be a priority to get these technologies added to the portfolio, however, as the ability to monitor and detect is the core function of the SOC. Even if these alerts aren’t immediately actionable by an analyst and must be passed to a network or cloud engineer, they still need to be remediated. Remember, a security policy violation is still a security incident and should be treated just the same.


Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr