I’ve been attending RSA for many years now, each year it seems to get bigger and better. This year a record breaking 28,500 attendees were in San Francisco to learn how to stop cyber-criminals in their ever increasing malicious campaigns against organizations.
At RSA 2013, Microsoft declared “PKI is under attack”, and Intel Security-McAfee outright questioned the validity of digital certificates as a trust mechanism. In an ironic twist of fate, the Mask “Careto” malware was discovered days before RSA 2014. Dubbed one of the most advanced threats to date, the Mask malware payload included the theft of SSL, VPN, and SSH cryptographic keys and digital certificates.
At Venafi, each year we conduct a survey of RSA attendees to get a better understanding how well organizations are doing at protecting themselves against compromise, and responding when compromised. Our focus is specifically on how malicious actors abuse the blind trust that every organization has in keys and certificates—trust-based attacks.
Responding to an Attack
In the last 24 months, the significant increase in trust-based attacks has caught the media’s attention. It would seem with all the publicity, that organizations should be more aware and better prepared to detect and remediate trust-based attacks. But it’s quite the contrary; last year 43% of organizations took less than 24 hours to correct certificate trust on all devices for trust-based malware—malware that uses keys and certificates. This year only 35% of organizations could do the same—the time to respond actually increased, resulting in enterprise networks being compromised for longer periods of time.
The time to respond to any attack determines the amount of damage incurred to any organization. The challenge, you first need to be able to detect that your organization has been compromised and understand the attack vector. When it comes to keys and certificates as an attack vector, most organizations don’t know how to detect malicious activity. 58% of survey respondents stated that their organizations either don’t know how they would detect stolen or compromised keys and certificates used to attack their network, or simply could not detect this attack vector at all.
According to Intel Security-McAfee, in the last 24 months mobile malware has risen by 1600%. In an effort to mitigate this new threat, many organizations deploy MDM solutions and remote-wipe devices that are lost or potentially compromised. Regardless how many time a device is remote-wiped; if the certificates associated with the user (VPN, S/MIME) of the device are not revoked, and a malicious actor already has a copy, they still have access to your network. Our survey shows that almost 20% of organizations do not revoke certificates when remote-wiping a device, the result is that anyone with the certificate will have access to the network.
Worse yet, 60% of organizations would take more than 24 hours to identify and replace rogue SSH keys used in an attack on the network.
Rise of a New Attack Vector
Gartner predicts that by 2017, over 50% of all network attacks will use encryption. We asked RSA 2014 attendees what their thoughts were on this. The results were in line with Gartner predictions, 62% of respondents believe there will be an increase in the use of SSL in cyber-attacks.
I’m not surprised by the response that cyber-attacks will use more SSL over the next 3 years. The demand for “always on SSL” is only fueling the use of SSL in cyber-attacks. Cyber-criminals need to be able to disguise malicious traffic, and what better way to do so when less than 20% of SSL traffic is inspected by organizations.
Every organization needs to take a step back and reevaluate their security strategy. Cyber-criminals are taking advantage of the trust established by keys and certificates. So much so that Forrester Research has concluded “advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”
As any good security practitioner would recommend, when malware known to steal credentials—including keys and certificates, and SSH keys—like Mask malware, is discovered on the network; the recommended practice is to remove the malware, change passwords, replace keys and certificates, and patch for any zero-day exploits. Sadly, 67% of RSA 2014 survey respondents work at organizations that are in a state of continuous vulnerability to cybercriminals. Only 33% of them replace user password and keys & certs when credential stealing malware is discovered on the network. Are you one them?