Over the past few years, the threatscape has changed more than some realize. Cyberattackers want trusted status and they are misusing the very technologies that create trust for their nefarious purposes.
So, you may ask, what exactly creates trust? Every mobile app, every cloud platform, every website—virtually anything that’s software, hardware, or Internet-enabled—relies upon digital certificates and cryptographic keys to create trust and define whether a source is good (trusted) or bad (untrusted). And the bad guys are going for these “keys to the kingdom” like never before!
Unfortunately, 2014 saw a significant rise in attacks that misused the keys and certificates that create trust in our digital kingdoms (businesses and governments). Let’s look at a few important examples:
In January, Kaspersky Labs revealed details on The Mask, an APT operator that had been misusing keys and certificates for years. As reported by Kaspersky, The Mask’s Windows malware was digitally signed with a valid certificate.
In April, a major vulnerability in OpenSSL called Heartbleed was widely reported and companies all over the world were warned to take action to protect their networks, including replacing and revoking compromised certificates and keys. Experts from Bruce Schneier to Gartner stated clearly that SSL/TLS keys and certificates must be replaced. Several months later, not surprisingly, a key and certificate that were not replaced were compromised to breach Community Health Systems, a Fortune 500 company.
In July, IoActive researchers released a report on vulnerability in the U.S. Emergency Alert System, where a publicly available SSH key made it possible to hijack the nation’s warning system.
In September, news of Shellshock, a flaw in the Bash shell, was reported that showed hackers could create long-term backdoors by inserting SSH keys and running critical shell commands on affected machines.
In November, DarkHotel was reported, showing that a very effective APT campaign that tricked traveling executives using hotel WiFi networks was enabled by dozens of misused digital certificates.
And finally, this December, Sony’s SSH keys and code-signing certificates were leaked as part of a massive breach, allowing the attackers to gain authorized access into Sony’s network and causing even more damage.
So while 2014 saw more attacks misusing SSL/TLS keys and certificates, along with SSH keys, these aren’t exactly new threats; in fact, they go back to Flame and Stuxnet years ago. These actually created blueprints and sophisticated designs of attacks that can now arm nation-state attackers, APT operators, and common industry criminals with tools on how to use weaponized malware. The problem is that good guys have not been paying attention to the impact of misused certificatess and keys until just recently.
In fact, in its latest threat report, McAfee Labs referred to 2014 as “The Year of Shaken Trust.” The report discussed attempts to exploit the Internet trust model, dramatic rise in misuse of digital certificates, growth in underground marketplaces selling compromised certificates, and the impact of SSL vulnerabilities such as Heartbleed and BERserk. Cisco also released its mid-year security report that said “compromised, secure encrypted connections” (aka SSL/TLS) are a major threat to enterprises. And recent University of Maryland research published in November 2014 validated findings by Venafi about non-remediation of Heartbleed, whereby 97 percent of Global 2000 SSL certificates were still vulnerable to Heartbleed several months after it was initially reported.
Organizations need to be prepared for rampant rise in attacks on trust. We predict the following major developments in 2015:
SSL will be used and abused a lot more. With the bad guys attacking and stealing data, there will be a need to use more SSL/TLS. We’ve seen CloudFlare and the “Let’s Encrypt” teams now giving away free SSL certificates, and this is a great thing—more SSL/TLS protects data and privacy. But more certificates, and especially those that might not protect and continuously monitor, will create more criminal interest and activity. In fact, we’ve already seen the first free certificates misused by bad guys.
Certificate expiration and outages will be recognized as a major security issues. It’s a fact: digital certificates expire, costing millions of dollars every year. But that’s not just a major operations issue; it’s a huge security issue—because it’s clear that if a certificate expires and users ignore this, the organization is being blindly trusted. At that point, what’s the difference between an organization’s expired certificates and those that are out-of-policy, misconfigured, or even malicious? But expirations also bring down services. We’ve already seen some recognize certificate expirations and outages as a major security issue following a major payments terminal outage.
Our security controls will be useless against half of the network attacks. Gartner predicts that 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. By the end of the year, we’ll likely already be there. Bad guys understand that most security systems either trust SSL/TLS or lack the keys to decrypt traffic and find their hidden threats. This undermines a whole slew of critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.
Incident response teams will leave the door open for bad guys, resulting in more attacks. We also predict that incident response (IR) and forensics analysis teams will increasingly be called in to determine the root cause of breaches—i.e., to understand the forensics of the malware, where it is, what data was stolen and what parts of the network were infected with it. They will be able to bring these breached networks back to a good, trusted state, but breaches will still recur. Why? Because IR teams will forget to revoke and replace the certificates.
Our hearts will continue to bleed. The Community Health Systems breach was likely just a proof-of-concept, and a sign of more exploits to come. Because of the lack of remediation—replacing keys and certificates—the impact of Heartbleed isn’t going away anytime soon.
Kinetic attack will go through misused certificates and keys. Stuxnet is the first known kinetic attack that leveraged misused keys and certificates, but it won’t be the last. All sorts of interconnected networks and physical devices and systems—also known as the Internet of Things—are authenticated using SSL/TLS keys and certificates. Bad guys seeking to compromise these devices or misuse them in their attacks will look to keys and certificates as a means to an end.
Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. This past year, the SANS 20 critical security controls added multiple control checks on how to protect SSL/TLS keys and certificates and they are now including this in SANS trainings. This is a good step in the right direction. We expect to see more compliance and security frameworks do the same in 2015, especially now that the PCI Security Standard Council considered key and certificate security for a Special Interest Group (SIG).
Given all that, it looks like 2015 will also be the year when we look to not just manage keys and certificates, but also protect them and the trust they establish. I like to call it Next Generation Trust Protection. It requires constant surveillance, immediate detection of misuse (whether a policy violation or possibly malicious), and fully automated remediation to replace old or bad keys and certificates with new ones and get trusted keys and certificates out to more security systems like SSL decryption, sandbox threat protection, NGFW, IDS/IPS, DLP, and other security systems.
This year one of Forrester’s top data protection predictions for 2015 pointed out that “Attackers who compromise trust end up with the keys to the kingdom.” We need to update our playbook when it comes to SSL/TLS keys and certificates, SSH keys, and keys and certificates used for VPN, WiFi, MDM, and more. The bad guys are attacking trust. It’s time for the good guys to defend it.