Every time I see a breach such as the recent one at Marriott, I look for details of how encryption was misused to hide or prolong the breach and the resulting exfiltration. (It’s an occupational hazard of working for the leader in machine identity protection). But even though I know that encryption plays a critical role in many of these breaches, details about how keys and certificates were misused in attacks are not often forthcoming.
Earlier this year, we did see an example of how a certificate gone wrong may have prolonged a breach. The U.S. Government Accountability Office (GAO) released a comprehensive report that revealed that an expired certificate on an SSL/TLS inspection system was not replaced for 10 months or so. This may have allowed attackers to exfiltrate data undetected for an extended period of time.
And now Marriott reveals that intruder tactics included encrypting information from the hacked database, a move that is often used to avoid detection when removing the stolen information from a company’s network. This type of blind spot is not as uncommon as we’d like to think. A recent Venafi study revealed that “Nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.”
According to Michael Thelander, Director of Product Marketing at Venafi, “Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”
Even worse, the company cannot confirm that stolen keys are all accounted for. According to Krebs on Security, “customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.”
As Robyn Weisman states in her coverage of the GAO report on the Equifax breach, “what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.” In the case of Marriott, the information includes some combination of name, mailing address, phone number, email address, passport number.
Although Marriot “deeply regrets [what] happened”, the challenge remains to determine what went wrong when acquiring the besieged Starwood, and how baited keys and certificates may still be an issue.
To me, this only underscores why organizations need to have a complete an accurate accounting of all of their machine identities, such as TLS certificates and SSH keys. Continuous monitoring of all keys and certificates is the only way that organizations can detect when any of these machine identities is doing something that may indicate suspicious activity. Any key or certificate that is out of your control is one that is available for use by attackers.
As Thelander sums up, “Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.”