Attackers Are Misusing Machine Identities to Hide in Plain Sight

The senior executives I speak with often ask me, “If machine identity attacks are so dangerous, why don’t we hear more about them?” My answer is that just because machine identity compromises are not well publicized doesn’t mean that they aren’t happening in your network. And the fact that no one is talking about them makes them even more pernicious.

Don’t’ get me wrong. Encryption is a wonderful thing. But once a person with evil intentions gets inside of your encryption, they are extremely hard to detect. It’s a little bit like guerrilla warfare vs full frontal attack. With full frontal attack you know where it’s coming from. You can see it, you can take aim, you can do something about it. The cyber equivalent of that would be a brute force attack. But we’re not seeing a lot of those types of attacks anymore. We’re seeing more sophisticated guerilla-type attacks where cyber criminals steal a certificate, get the key, see where it can take them.

Now, I realize that cyber criminals hiding in plain sight may seem a bit unlikely. To help you understand why it’s not only possible but quite likely, let me share a parallel in the physical world that everyone understands: the security in my home.

I have a home with an electronic gate with lots of deadlocks everywhere and I have three sets of keys which all have an automatic remote for the gate in front of the house. One set is for me, one set is for my husband, and the extra set is for visitors or house sitters which is kept separately.

The reality is that I don’t keep tabs on the third set of keys on a daily basis. So, if they become lost, I probably wouldn’t notice until I need them again. In the meantime, anyone who finds them could just walk along my street and keep pressing the remote until a gate opens. At that point, they don’t have to do anything. They can just quietly close the gate and walk away with the knowledge that they now have a house that they can enter whenever they decide they want to come in.

At an appropriate time, perhaps in the middle of the night, they can open the gate and front door and they’ve got free reign of my house. My husband and I could be sleeping upstairs and wouldn’t know that anything untoward was happening. Our dog is trained to detect unauthorized intruders, but allows people in who have a key, assuming that they are authorized to enter.

On the first visit, the intruders may take something. Or they may just have a look around, take an inventory of available assets, walk out and wait for later. All the while, I’m blissfully unaware that my keys are missing or that somebody’s just had a good look around my home.

If the intruders come back when I’m on holiday, they can empty my house. Or they can take just one specific thing. Let’s say that I was lucky enough to own a Renoir and they take that. Because the Renoir is small, and it sits on a wall that I don’t pass very often, I may not notice for a while. But one day I realize that it’s missing. There’s no sign of forced entry. There’s no physical evidence and no auditable trail of anything happening. And now I’m trying to explain to my insurance company why my Renoir isn’t there anymore.

When I share this analogy with senior executives, I see them make the connection between this entirely plausible story and the reality that this is exactly what they are doing with their digital environments. They have digital keys that they don’t necessarily check on every day, or maybe they have so many sets of keys they don’t even know what they have. So, they don’t know if any of these keys have been lost or stolen. And, to make matters worse, they won’t know if an attacker has just used any of them enter their network and quietly left with or without something valuable.

In this new digital economy, people don’t break into an office any more. I mean, what can they steal? A few laptops or monitors worth maybe $20,000. And they face a 40-50% chance of getting caught. Yet, with one successful digital penetration attackers can make many times that much. And the chances of getting caught online are less than 10%. This makes cyber crime very attractive with a very good ROI.

If cyber criminals have the keys to your network, would you know? Are you sure?

Related blogs

• The 5 Worst Things Attackers Can Do in Your Encrypted Tunnels
• Shadow Brokers and Beyond: What Insider Threats Are Hiding on Your Network?
• Threats Are Hiding in Encrypted Traffic on Your Network