Skip to main content
banner image
venafi logo

Education Center - Dealing with Keys after a breach

What to do with keys and certs when you have a breach

Once discovered, over 65% of Global 2000 organizations take one or more days to respond to a trust-based attack that has infiltrated the enterprise network. When it comes to remediation of any attack on the enterprise, the longer it takes to remediate the breach, the more damage that is caused—cybercriminals have longer to implement backdoors and are able to steal more data.



There is a 3-step cycle that should be followed after a breach until full remediation has been achieved:
  1. Reducing the time required to identify all systems impacted by a breach is paramount
  2. Rapid remediation of a breach requires swift action
  3. Remediation includes validation that the adversary does not still have access to the network

Even when detected, it is often very difficult to remove an adversary’s access from the network. They prey on the knowledge that most Global 2000 organizations do not have a clear grasp of security related to keys and certificates. Heartbleed is a good example of this. Months after the vulnerability was discovered, the majority of Global 2000 organizations still had only partially remediated Heartbleed because they did not comprehend the gravity of failing to replace all keys and certificates, as recommended by industry experts. And there were catastrophic consequences. Organizations need to be able to quickly and completely respond to all breaches that impact keys and certificates to keep their business secure.

The Solution

Swift action is required when remediating any attack. Trust-based attacks are among the worst because the adversary has trusted status on the network and can implement backdoors for consistent access. Next Generation Trust Protection aids organizations in addressing trust-based attacks more swiftly than other techniques, thereby reducing the overall impact to the organization.

Identify the Impact

When remediating a breach it is vital to understand which systems are impacted by the breach. For example, if the breach is confirmed to be exploiting SSH, any system that is accessible via SSH and all SSH keys need to be accounted for in the network. By establishing a comprehensible understanding of SSH usage in the enterprise, the process of identifying the impact is dramatically enhanced. This is true for all types of key and certificate compromises, including those used for SSL, SSH, mobile, and authentication.

Take Swift Action

Once a breach is confirmed, the clock starts ticking. Adversaries work under the assumption that they will be discovered and continuously take countermeasures to avoid denial of access to the environment once they are discovered. With a trust-based attack, this would involve insertion of rogue keys and certificates that would allow future access. As with user password rotation, so too should keys and certificates be replaced and rogue ones deleted in an expedited manner—and this must be done faster than an adversary can add new ones.

Validate Remediation

Once remediation of a breach has been completed and credentials like keys and certificates have been replaced, it is critical to validate that the remediation process was completed successfully. One compromised credential may result in a continued breach as the adversary still has access. By cross referencing the breach report with the remediation report, organizations can be confident that their remediation process was successful.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more