Recently the Department of Homeland Security and FBI released a joint analysis report (JAR) detailing the methodologies used to compromise and exfiltrate sensitive data related to the U.S. election, as well as from a range of U.S. Government, political, and private sector entities. That this attack could succeed in a nation where critical infrastructure standards are so well defined highlights the need for increased scrutiny, in this case of encryption assets such as digital keys and cryptographic certificates.
The techniques the adversaries used to infiltrate the victims' infrastructure in these election attacks are not unique, and they are certainly not revolutionary. Attacks of this kind will continue to go undetected anywhere encrypted traffic is trusted by default and minimally inspected. The problem is compounded when the associated private keys are neither scrutinized nor protected.
How can we prevent an attack of this severity from happening again? We can learn from physical attacks of a similar nature. Take a bank robbery in which no one saw the robber. How was the bank robbed? The criminals may have dug a tunnel underground and come up through the floor of the vault. Lately there has been a lot of talk about building walls to protect borders, but a wall cannot protect against a tunnel that runs from a church in Mexico to a warehouse in California. Defenders facing attacks that hijack encryption have essentially the same problem.
On the internet, tunneling is done over SSL/TLS and SSH. These tunnels are trusted by default because each endpoint's "identity" is tied to a known credential: an X.509 certificate for TLS, a host or user key for SSH. When we trust a tunnel by default, we assume the certificate or key presented belongs to the trusted actor, and therefore we trust whatever that actor does inside the tunnel. In the case referenced in the diagram below, the espionage adversaries did not need to steal any "trusted" keys or certificates. They generated their own private keys and used them to establish an encrypted session, or "tunnel", and because nothing on the victim's network checked whether those keys were known and approved, the session looked like any other trusted one. Once the tunnel was up they could carry out their attack and remain undetected.
Had these unique rogue keys been discovered, their presence alone would have indicated a possible attack. But that discovery requires complete visibility: an inventory that can identify keys that are not trusted, or that are installed in a location (or locations) where they should not be. Because the organizations that were attacked lacked this intelligence, they could not locate the illegitimate tunnel, and the malicious actor remained free to carry out the attack and steal data through it.
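The check described above, flagging keys that are not in an approved inventory or that turn up on a host they were never issued for, can be reduced to a small audit over observed TLS certificates and SSH authorized keys. The following is an added example, not code from the original post or from the JAR; the host names, fingerprints, inventory and key blobs are all constructed for illustration, and the stand-in certificate fingerprints would be SHA-256 digests of the DER certificate in practice.

```python
"""Added example: audit observed TLS certificates and SSH authorized keys
against an approved inventory and flag rogue or out-of-place keys.

All hosts, fingerprints, key blobs and inventory entries are constructed
for illustration (assumptions, not data from the DHS/FBI report)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class TlsObservation:
    """One certificate seen on a listener, e.g. from a scan or passive TLS metadata."""
    host: str
    port: int
    issuer: str       # issuer DN as carried in the certificate
    subject: str      # subject DN; equal to issuer for a self-signed cert
    fingerprint: str  # stand-in for the SHA-256 of the DER certificate


def ssh_fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64>' fingerprint of the key blob in a line.

    Skips a leading options field such as from="..." (options containing
    spaces inside quotes are not handled, which is enough for this example).
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key material in line")


def _blob(label: str) -> str:
    """Constructed stand-in for a base64 key blob (real blobs are wire-format keys)."""
    return base64.b64encode(label.encode()).decode()


# --- Inventory the organization is assumed to maintain ---------------------
# Certificate fingerprint -> listeners the PKI team approved it for.
APPROVED_CERTS = {
    "fp-web01-2016": {("web01.example.test", 443)},
    "fp-vpn01-2016": {("vpn01.example.test", 443)},
}
ADMIN_KEY_LINE = f"ssh-ed25519 {_blob('constructed admin key')} admin@corp"
ROGUE_KEY_LINE = f'from="203.0.113.9" ssh-rsa {_blob("constructed rogue key")} svc'
# SSH key fingerprint -> hosts on which that key is approved to log in.
APPROVED_SSH_KEYS = {ssh_fingerprint(ADMIN_KEY_LINE): {"bastion01.example.test"}}


def audit(tls_obs: Iterable[TlsObservation],
          ssh_lines: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding, where, fingerprint) for every key that is unknown or out of place."""
    findings = []
    for o in tls_obs:
        if o.fingerprint not in APPROVED_CERTS:
            # A cert nobody issued; attacker-generated ones are usually self-signed.
            kind = "self-signed-unknown" if o.issuer == o.subject else "unknown-cert"
            findings.append((kind, f"{o.host}:{o.port}", o.fingerprint))
        elif (o.host, o.port) not in APPROVED_CERTS[o.fingerprint]:
            # Legitimate cert (and therefore its private key) copied somewhere else.
            findings.append(("cert-out-of-place", f"{o.host}:{o.port}", o.fingerprint))
    for host, line in ssh_lines:
        fp = ssh_fingerprint(line)
        allowed = APPROVED_SSH_KEYS.get(fp)
        if allowed is None:
            findings.append(("unknown-ssh-key", host, fp))
        elif host not in allowed:
            findings.append(("ssh-key-out-of-place", host, fp))
    return findings


# --- Constructed observations -----------------------------------------------
SAMPLE_TLS = [
    TlsObservation("web01.example.test", 443, "CN=Corp Issuing CA",
                   "CN=web01.example.test", "fp-web01-2016"),       # as approved
    TlsObservation("db02.example.test", 443, "CN=Corp Issuing CA",
                   "CN=web01.example.test", "fp-web01-2016"),       # key copied to db02
    TlsObservation("jump01.example.test", 8443, "CN=update-srv",
                   "CN=update-srv", "fp-unknown-7c2e"),             # self-signed, unknown
]
SAMPLE_SSH = [
    ("bastion01.example.test", ADMIN_KEY_LINE),  # approved
    ("db02.example.test", ADMIN_KEY_LINE),       # admin key where it was never approved
    ("jump01.example.test", ROGUE_KEY_LINE),     # key nobody issued
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_TLS, SAMPLE_SSH):
        print(*finding)
```

The two "out-of-place" findings are the ones a certificate-expiry scanner never produces: the credential itself is legitimate, and only an inventory that records where each key is allowed to live can tell that it has been copied to a host where it does not belong.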
As encryption becomes more widely used and more tunnels exist, every organization will need complete control and visibility over all the keys and certificates that enable them. The only way to verify that our tunnels are legitimate is to have real-time intelligence that tells us which tunnels can truly be trusted, where they are trusted to exist, and, most importantly, exactly who is using them.