Root Causes 464: Defending Against Harvest and Decrypt
Harvest and decrypt is a well-known attack vector against traditional cryptography prior to PQC. In this episode, we discuss what enterprises should be doing today to defend themselves against harvest and decrypt.
- Original Broadcast Date: February 5, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Jason, we're here in Toronto for Toronto session Season Two. We've had a great session. We talked a lot in the past and today about post-quantum cryptography. One of the things that we've defined very well for our listeners, going back a number of years, is the concept of a harvest and decrypt attack.
Where bad guys come in and they grab your blobs, they store them, and they wait until they are then able to decrypt them. And we understand that the ultimate solution for this is to put post-quantum cryptography in place and that will solve it. However, we also understand there's a gap between the identification of the potential for the attack, which is now. It's a very doable attack, so we need to assume that it's happening.
The implementation of PQC really in any kind of scale at all to prevent that attack. So here's the question, and if the answer is a big shrug and a nothing, this will be a very short podcast.
If I am a CISO, and I'm 100% cognizant of this problem, and I don't have PQC systems today, what am I doing NOW to defend myself against this attack. Not prepping, not inventorying my crypto, not all the stuff we always say. What am I doing so that TODAY, this attack doesn't happen or is less likely to happen.
Short episode. I'm just in trouble. So it's just good old-fashioned security. It's got to keep the bad guys out, because once they're in, it's a done deal.
-
Jason Soroko
Hose village. 100%. I have to go back to preparation. It's all there is. It's the one thing that I don't hear people saying enough of is, do you truly understand your crown jewels? What if it were to be harvest and decrypted? What are you transmitting in transit right now?
-
Tim Callan
So, how’s this? Prioritization of defenses. Look at my targets. Stack them. By how damaging it is to me. Then take the top of the stack. Make sure you're doing everything you can correctly in that circumstance. We do prioritization of red teaming. Hey, red team. I know your normal job is find any way through the fence, and that's fine. But I'm going to give you a set of hot targets, and I want you to really show me how you're going to get to those.
-
Jason Soroko
We talked earlier. I was painting this incredibly bleak picture of the vision of post-quantum where we have, inevitably, systems that are insecure. Operational and yet insecure systems. 2030, with the NIST deprecation time. So to me, understanding right now exactly where your crown jewels are being transmitted with cryptographic algorithms, if you can do that, if you can articulate that right now, you're the one that said it, Tim. You can Zero Trust yourself up. You can identity first yourself all up.
-
Tim Callan
So it's not new things, per se, but it's doing the things that are well understood with rigor. And completeness and full alacrity, and again, probably smart to do it in a prioritized way. I think that's important. Now let me ask you about this. What about data exfiltration solutions? Stuff that's supposed to watch for stuff going out. I know it's already ex-filtered, I guess. But can I use that to at least understand if I've been had.
-
Jason Soroko
Look, I think DLP, is absolutely one of those layers that's just, if you've got the money, you probably should consider it. Just realize that there are so many bypasses and they’re clever. But at least you did something. So if you've got crown jewels in a specific system, you might, I'm not saying go off and buy DLP for, like, enterprise license, it's like, maybe DLP very well implemented, very well, system is crafted extremely targeted DLP against a specific zone where it's like, anything out of here context is everything, Tim. In other words, shouldn't be just anything other than, say, a CFO who's logging in, logging out daytime hours. As soon as you can start locking down context – my God, that's sometimes better than the underlying technology. But unless where your crown jewels are, you can't target like that.
-
Tim Callan
So it's targeted. It's real. It's aggressive segmentation. It's aggressive Zero Trust.
-
Jason Soroko
What's the authentication mechanism into those systems? Is it some sort of weak MFA?
-
Tim Callan
Strong authentication. Digital identity up and down the stack. So again, fast is good, and focus on the highest value targets. Yes, we understand you're not going to get your PQC systems yet because they're still being built, but this is actually action people can be taking now. And really should be.
-
Jason Soroko
I'm gonna say go one further, which is, once you've identified your targets and how to, all right, I know what systems my hot secrets are on, start talking to your security vendors right now who are in the post- quantum space, and start saying, help me to think through what kind of innovative post-quantum private Certificate Authority that I can use to encrypt, to authenticate and to protect that data in transit. So encryption just in rest and at transit. Don't do private CAs the way you did it 20 or 30 years ago. I think you're going to find right now that really, really targeted systems, the building blocks, the Lego blocks of building a PQC private CA right now, they are available and we're gonna have some announcements about that next little while. But I will tell you right now that if you're talking to a competent private CA vendor in 2024 and 2025 they will start helping to productize something for you to help to solve your very, very focused problems that you've identified. So it's not like there's nothing. Go away. I am fully inviting you to talk to your security vendors right now.
-
Tim Callan
Your security vendors are not necessarily prioritizing this as a today productization exercise, but you as the buyer have the opportunity to change their priorities. This is one of the things I say a lot, because I talk to a lot of buyers. I talk to a lot of IT buyers and I say, if your vendors suddenly start hearing from a whole bunch of their customers that this is a must have, rest assured, it will rock it up to the top of the roadmap.
-
Jason Soroko
Absolutely, Tim and I will tell you, if you're talking to a vendor who has innovation such as multitenant post-quantum HSMs that you don't have to worry about in order to stand up quick private CAs that have everything you need and are far better than anything you set up 20 years ago, that's the world we're living in right now. So don't feel hopeless. Go talk to your vendors right now.