FIRST2017 - Bocek - Going Undetected… · ©2016 Venafi. Confidential – do not distribute. 44...

GOING UNDETECTED:

HOW CYBERCRIMINALS, HACKTIVISTS, AND NATION STATES MISUSE DIGITAL CERTIFICATES

Kevin Bocek

The Future: Machines

The future is machines. Adversaries are exploiting machine identities. Good news: guidance exists:

• Reduce risk
• Build in agility
• Respond faster

What Are Machines?

Device, Code, Service, Algorithm

$v = \arg\max_{b \in \{\text{Yes},\text{No}\}} \Pr(b) \prod_i \Pr(a_i \mid b)$

[Chart: Software and Devices Exploding (est. in billions), 2005–2025; series: Devices, People, Software]

“An entity without an identity cannot exist because it would be nothing.”

Aristotle, Law of Identity, Metaphysics, Book IV, Part 4

Machine Identities

HUMANS: User name, Password, Biometric

MACHINES: 1 0 1 0 0 1 0 1 0 1 0 1

What are Machine Identities?

SSL/TLS Certificates

Code Signing Certificates

SSH Keys, API Keys (e.g. TwL2iGABf9DHoTf09kqeF8tAmbihY)

Encrypted Tunnel, Authentication, Execution

Role & Lifecycle Leaves Identities Vulnerable

Inception → Manufacture → Distribution → Activation → Update → Recycle

SSH key for cloud-to-cloud DevOps orchestration

Code signing certificate to authenticate code running on IoT device

TLS certificate to authenticate cloud app to IoT devices

Misuse of Machine Identities

TAKE ON TRUSTED IDENTITY: Phishing effectiveness, Malicious code execution

ESTABLISH TRUSTED IDENTITY: Create backdoors, Build privilege

RUN WITHOUT IDENTITY: Hide, stealth, cloak

Problem: Machine Identities?

Would your organization tolerate keys & certificates with no awareness, policies, or control?

Heartbleed: T+1 Year

[Map: RED = % not Heartbleed remediated]

Take On Trusted Identity

Rise of Fast & Free: 25M certificates

“Stealing Certificates will be the Next Big Market for Hackers”

Up to $980/ea, 400x more valuable than a stolen credit card or identity #

Establishing a trusted identity

Misuse Goes Kinetic

Every business and government has the same lack of awareness and control over SSH keys

Run Without An Identity

SSL/TLS Encrypted Tunnel

“70% OF MALWARE ATTACKS WILL USE SSL BY 2020”

LESS THAN 20% of organizations with a FW, IPS/IDS, or UTM decrypt SSL/TLS traffic

BLIND TO ATTACK: One Unknown Certificate = Encrypted tunnel = Can’t see what’s coming


Weaponizing Machine Identities

• SSH & server key theft

• Code-signing certificate theft

• MITM by CA compromise

• Targeted key & certificate theft

• Sold on Underground

• Multi-year campaigns

• SSL & SSH vulnerabilities

• Price increases on underground

• Digitally-signed malware doubles quarterly

• SSL/TLS used to hide activity

• MitM attacks

• SSH pivoting

• SSL/TLS used to bypass security

• Encrypt Everywhere grows attack surface

• SHA-1 deprecation

• SHA-1 collision successful

Threatscape Expands

• 2010: Blueprint - Stuxnet and Duqu

• 2011: CAs Attacked

• 2012: Online Trust Questioned by Experts

2010-2012: Attacks Become Mainstream

2013: Advanced Campaigns Launch

2014: Online Trust Crumbles

2015

2016-2017

Attacks Begin

Preparing Your Plans

Crypto-Agility

• Crypto-agility

• CA Recovery Plan

• Find What’s Out There

• Automate Response

• Set, Enforce a Policy

Good News: this can be a business-as-usual process

Venafi Maturity Roadmap for TLS/SSL — Roadmap: Control of Machine Identities

Level 0: Chaos — Have unquantified security risk, outages, expensive and manual processes, and compliance challenges

Level 1: Control — Build a security foundation with focus on known and trusted keys and certificates

Level 2: Critical Systems — Secure and protect all keys and certificates on business-critical infrastructure

Level 3: Enterprise Protection — Protect and automate all keys and certificates enterprise-wide and further reduce costs and extract more business value

Level 4: Machine Identity Protection — Rapidly respond to internal and external threats and security incidents related to keys and certificates

[Axes: Endpoint/Mobile, Servers, Virtual Machines, Cloud; Start → Change]


Threats of the Future

Taking Action


• SSL/TLS Encryption

• WiFi & VPN Access

• Cloud

• DevOps

• Mobility

• Internet of Things

• SSH Privileged Access

Keys and Certificates Are the Foundation of Your Security Infrastructure