2020 has been an especially challenging year for cybersecurity professionals because the pandemic has forced many organizations to dramatically accelerate digital transformation plans and move even greater portions of their business online. In the interest of speed, however, digital transformation efforts often ignore machine identity management. That is a serious mistake: machine identities, the keys and certificates that let devices, cloud workloads, AI algorithms, containers and APIs authenticate one another, are what every secure connection between those systems depends on.
The scale of the problem is striking: the attack surface connected with machine identities has expanded by more than 400% over the last two years, and pandemic-driven digital acceleration will only add to these machine identity management issues.
We asked three cybersecurity experts at Venafi for their cybersecurity predictions for the next year. They have identified a set of key machine identity management security trends that are likely to increase in 2021.
Lack of automation will fuel a machine identity crisis and increase the attack surface
Kevin Bocek, vice president of security strategy and threat intelligence, notes:
“We are hurtling towards a machine identity crisis. Modern organizations are increasingly structured around speed and focused on digital acceleration and automation. However, the automation used to support digital acceleration is not being applied to the management of machine identities, even though organizations are using twice as many as they used just 24 months ago. This leaves organizations vulnerable to sophisticated cyberattacks that target machine identities. For example, we are seeing some botnet campaigns that have their own development teams in order to accelerate the rate of innovation. We should expect this level of sophistication to increase exponentially over the next year.
“In 2021, cybercriminals will take control of machines that use weak or poorly managed machine identities in order to monetize them. This is a natural evolution of ransomware, which typically takes one machine hostage at a time. In 2021, cybercriminals will begin to take over more virtual machines, containers and eventually, entire clouds—and put them to work. Cybercriminals will do this by stealing or creating fraudulent machine identities using SSH keys, which make them appear trusted, and then monetize them using techniques such as cryptomining.”
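Bocek's scenario turns on SSH keys that nobody inventoried, and the same unmanaged keys are what an "SSH access" trade would sell. The first check a practitioner wants is therefore an audit of which keys each host actually accepts. The following is an added example, not code from Venafi or from the original post: it parses authorized_keys files collected from several hosts, computes OpenSSH-style SHA256 fingerprints, and flags keys absent from a managed inventory, keys with no from= or command= restriction, and any single key accepted on more than one host. The host names, the inventory and the key blobs are constructed for the example (the blobs are well-formed ssh-ed25519 wire format wrapped around hashed bytes, not real keys).

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Matches the key-type / base64-blob / optional-comment tail of an authorized_keys line.
# Whatever precedes the match is the optional options field, e.g. from="..." or command="...".
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text):
    """Return (options, keytype, blob_b64, comment) for every key line in an authorized_keys file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # malformed line; sshd ignores these as well
        options = line[: m.start()].strip()
        entries.append((options, m.group(1), m.group(2), (m.group(3) or "").strip()))
    return entries


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a public-key blob (the form ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_ed25519_blob(seed):
    """Build a syntactically valid ssh-ed25519 public-key blob for the sample data.
    Constructed for this example: the 32 'key' bytes are a hash of the seed, not a real key."""
    fake_pub = hashlib.sha256(seed.encode()).digest()
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_pub
    return base64.b64encode(wire).decode()


def audit(hosts, managed_fingerprints):
    """hosts: {hostname: authorized_keys contents}; managed_fingerprints: inventory of approved keys.
    Returns (host, fingerprint, reason) findings."""
    findings = []
    hosts_by_key = defaultdict(set)
    for host, text in hosts.items():
        for options, keytype, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            hosts_by_key[fp].add(host)
            if fp not in managed_fingerprints:
                findings.append((host, fp, f"key not in inventory ({comment or 'no comment'})"))
            if "from=" not in options and "command=" not in options:
                findings.append((host, fp, "no from= or command= restriction"))
            if keytype == "ssh-dss":
                findings.append((host, fp, "ssh-dss (DSA) key; disabled by default in modern OpenSSH"))
    for fp, hs in hosts_by_key.items():
        if len(hs) > 1:
            findings.append(("*", fp, f"same key accepted on {len(hs)} hosts: {', '.join(sorted(hs))}"))
    return findings


# Constructed sample: three key blobs, two hosts' authorized_keys files and the managed inventory.
DEPLOY = constructed_ed25519_blob("deploy@ci")
BACKUP = constructed_ed25519_blob("backup@bastion")
ROGUE = constructed_ed25519_blob("rogue")

SAMPLE_HOSTS = {
    "web-01": (
        "# managed deploy key, pinned to the CI network\n"
        f'from="10.0.0.0/8",command="/opt/deploy.sh" ssh-ed25519 {DEPLOY} deploy@ci\n'
        f"ssh-ed25519 {ROGUE} root@unknown-laptop\n"
    ),
    "db-01": (
        f'from="10.0.0.0/8",command="/opt/deploy.sh" ssh-ed25519 {DEPLOY} deploy@ci\n'
        f'command="/usr/local/bin/backup" ssh-ed25519 {BACKUP} backup@bastion\n'
    ),
}
MANAGED = {fingerprint(DEPLOY), fingerprint(BACKUP)}

if __name__ == "__main__":
    for host, fp, reason in audit(SAMPLE_HOSTS, MANAGED):
        print(f"{host:8} {fp} {reason}")
```

In practice the input is collected by configuration management from /root/.ssh/authorized_keys and every user's ~/.ssh/authorized_keys, and the inventory comes from whatever system issues keys; the fingerprints compare directly with ssh-keygen -lf output. Whether an unrestricted interactive key counts as a finding is a policy choice, but a key that is not in the inventory at all is exactly the backdoor Bocek describes.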
SSH marketplaces on the dark web and attacks against open-source repositories
Yana Blachman, principal threat intelligence analyst, warns:
“We could see SSH marketplaces on the dark web in 2021. We have already seen RDP marketplaces offering access to compromised machines, so marketplaces where SSH keys are sold to allow backdoor access into specific networks are a logical next step. This is the natural evolution of the broader ‘professionalization of cybercrime’ trend and an expansion of Crime-as-a-Service (CaaS) and Access-as-a-Service (AaaS). In 2020, we saw CaaS grow rapidly, with cybercriminals turning prolific malware like Trickbot and Emotet into commodity modular malware and renting parts of it to competitors without conflicts of interest. These new SSH marketplaces will enable crime gangs and run-of-the-mill cybercriminals to use tools previously limited to large cybercrime organizations and nation-state groups.
“There will also be a sharp rise in attacks against open-source software tools and libraries. By targeting the supply chain of open-source repositories, cybercriminals can potentially hit many more targets and maximize their results with less work. We have already begun to see this happen, with attackers targeting open-source supply chains in various ways: from the repeated typosquatting attacks against popular package managers such as PyPI and RubyGems to new, sophisticated supply chain attacks like Octopus Scanner, which targets open-source software projects on GitHub to serve backdoored code through the NetBeans IDE without the knowledge of the project owners.”
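The typosquatting attacks Blachman mentions work because a dependency name one edit away from a popular package is easy to type and hard to notice in review. A check that catches this before install is simple enough to run in CI. The following is an added example, not code from Venafi, the original post, or any package index's own tooling: it normalizes names the way PyPI does (PEP 503), computes a Damerau-Levenshtein edit distance, and flags requirements that sit within one edit of a popular package or that are a popular name with a "python-" style prefix glued on. The popular-package list and the requirements file are constructed for the example; a real deployment would feed in download statistics for the index in use.

```python
import re

# Constructed list of popular package names that a squatter would imitate.
POPULAR = ["requests", "urllib3", "numpy", "colorama", "python-dateutil",
           "six", "setuptools", "pip", "cryptography", "pyyaml"]

# Constructed requirements file: four of these names differ from a popular name by one edit
# or an added prefix and are exactly the kind of entry a squatter hopes nobody reads twice.
SAMPLE_REQUIREMENTS = """\
requests==2.25.0
reqeusts            # transposed letters
urlib3              # dropped letter
python-dateutil
python-requests     # 'python-' prefix on a real name
colourama>=0.4      # inserted letter
numpy>=1.19
"""


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Damerau-Levenshtein distance (optimal string alignment variant): insertions, deletions,
    substitutions and adjacent transpositions needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_requirements(text):
    """Extract bare project names from requirements.txt lines, dropping specifiers and comments."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, or an option such as -r / --index-url
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def closest_popular(name_norm, popular_norm, max_dist):
    """Return the nearest popular name within max_dist edits, or None."""
    best = None
    for p in popular_norm:
        if abs(len(name_norm) - len(p)) > max_dist:
            continue   # length difference is a cheap lower bound on the edit distance
        d = osa_distance(name_norm, p)
        if d <= max_dist and (best is None or d < best[0]):
            best = (d, p)
    return best[1] if best else None


def suspicious_names(names, popular=POPULAR, max_dist=1):
    """Flag dependency names that are near-misses of, or prefixed versions of, popular names."""
    popular_norm = {normalize(p) for p in popular}
    findings = []
    for name in names:
        n = normalize(name)
        if n in popular_norm:
            continue   # it is the popular package itself
        target = closest_popular(n, popular_norm, max_dist)
        if target:
            findings.append((name, target, f"within {max_dist} edit(s) of a popular package"))
            continue
        for prefix in ("python-", "python3-", "py-"):
            if n.startswith(prefix) and n[len(prefix):] in popular_norm:
                findings.append((name, n[len(prefix):], f"popular name with '{prefix}' prepended"))
                break
    return findings


if __name__ == "__main__":
    for name, target, why in suspicious_names(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name:18} -> {target:16} {why}")
```

A check like this only covers one class of supply-chain attack; it does nothing against a backdoored commit in a legitimate project, which is the Octopus Scanner case. For that, pinning exact versions with hashes and reviewing what actually changed between releases is the relevant control.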
A dramatic increase in attacks on APIs and new RDP brute-force attacks
Pratik Savla, senior security engineer, predicts:
“Attacks on APIs will grow exponentially in 2021. In the past few years, there has been a substantial increase in both the number of APIs and the number of companies using them in external, customer-facing applications. Because APIs connect different systems, a compromise could expose huge amounts of sensitive data. And because APIs use machine identities for authentication, threat actors can steal or otherwise misuse those identities, leading to serious risk.
“For example, the APIs used for open banking initiatives in Europe allow huge amounts of personal and financial data to flow freely between organizations. We have already seen some serious API vulnerabilities, including one that allowed privilege escalation by authenticated, low-permission users, and it’s clear that this trend will continue. To combat this, organizations need to thoroughly audit and pen test APIs to ensure they have a DevSecOps mindset. This should be common sense but doesn’t seem to be implemented in many cases.”
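Savla's call to audit and pen test APIs for privilege escalation can be made concrete with a small authorization-matrix check, the kind of test a reviewer runs against every route with every identity. This is an added example, not Venafi's code and not a real open banking API: a tiny in-memory API authenticates a machine identity (a constructed TLS client-certificate subject) against a server-side registry, one handler forgets to check the caller's role, and authz_matrix exercises every route as every identity and reports where the implementation disagrees with the declared policy. The registry, routes, roles and policy are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed identity registry: the machine identity a client presents (here a TLS client
# certificate subject) is mapped to a role on the server side. Roles never come from the request.
REGISTRY = {"CN=reporting-svc": "reader", "CN=ops-console": "admin"}
ROLE_RANK = {"reader": 1, "admin": 2}


@dataclass(frozen=True)
class Principal:
    subject: str
    role: str


def authenticate(client_cert_subject):
    """Resolve a presented identity to a Principal, or None if it is not in the registry."""
    role = REGISTRY.get(client_cert_subject)
    return Principal(client_cert_subject, role) if role else None


# Handlers receive the authenticated principal and return (status, payload).
def export_accounts_vulnerable(principal):
    # Deliberately broken for the example: authentication succeeded, but the handler never
    # checks *which* role the caller holds, so any registered client can pull the export.
    return 200, ["acct-1", "acct-2"]


def export_accounts_fixed(principal):
    if principal.role != "admin":
        return 403, {"error": "admin role required"}
    return 200, ["acct-1", "acct-2"]


def list_balances(principal):
    return 200, {"acct-1": 100}


class Api:
    """Minimal in-memory API: a route table with the identity check in front of every handler."""

    def __init__(self, routes):
        self.routes = routes

    def call(self, method, path, client_cert_subject):
        principal = authenticate(client_cert_subject)
        if principal is None:
            return 401, {"error": "unknown client identity"}
        handler = self.routes.get((method, path))
        if handler is None:
            return 404, {}
        return handler(principal)


# The access policy the API is supposed to enforce: minimum role per route.
POLICY = {("GET", "/admin/export"): "admin", ("GET", "/balances"): "reader"}
VULNERABLE_API = Api({("GET", "/admin/export"): export_accounts_vulnerable,
                      ("GET", "/balances"): list_balances})
FIXED_API = Api({("GET", "/admin/export"): export_accounts_fixed,
                 ("GET", "/balances"): list_balances})


def authz_matrix(api, policy, subjects):
    """Call every route in the policy as every identity and report where the implementation
    disagrees with the policy: a success below the required role (privilege escalation) or a
    denial for a caller the policy permits (a functional bug, but worth knowing)."""
    findings = []
    for (method, path), required in policy.items():
        for subject in subjects:
            permitted = ROLE_RANK[authenticate(subject).role] >= ROLE_RANK[required]
            status, _ = api.call(method, path, subject)
            if status < 400 and not permitted:
                findings.append((method, path, subject, "privilege escalation: succeeded below required role"))
            elif status >= 400 and permitted:
                findings.append((method, path, subject, f"authorized caller got {status}"))
    return findings


if __name__ == "__main__":
    for label, api in (("vulnerable", VULNERABLE_API), ("fixed", FIXED_API)):
        print(label, authz_matrix(api, POLICY, list(REGISTRY)) or "no findings")
```

The useful property of the matrix is that it is driven by the policy, not by the code: when a new route is added without a policy entry, or a new client identity is registered, the gap shows up as a missing row rather than as a silent pass. Against a real service the same loop is a handful of HTTP calls with each client certificate or token.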
“Due to the large-scale prevalence of remote working, companies are now increasingly leveraging RDP—an application-level protocol that verifies machine identities when providing access to Windows workstations or servers. That has in turn led to RDP brute-force attacks increasing exponentially in 2020, and the volume and intensity of such attacks will only continue to increase further in 2021. These attacks involve threat actors using different tools at their disposal to cycle through multiple user authentication credentials, in an attempt to find the target machine’s correct RDP login credentials.
“Practicing defense-in-depth and applying the least privilege principle can help in reducing the risk of such attacks.”
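Savla's closing advice covers prevention; the detection side of the RDP brute-force trend is a per-source count of failed logons over a short window, with a success from the same source afterwards treated as the alert that matters. The following is an added example, not code from Venafi or the original post: it runs that logic over constructed Windows Security records (event 4625 for a failed logon, 4624 for a success, LogonType 10 for RemoteInteractive) written as simple key=value lines so the example runs offline. The field names match the real events; the source addresses, account names and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10          # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window
RDP_LOGON_TYPE = 10             # RemoteInteractive


def parse_event(line):
    """Parse one constructed 'key=value' record. Real input would be 4625/4624 records exported
    from the Security log (Get-WinEvent or a SIEM) carrying the same field names."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["time"] = datetime.fromisoformat(ev["time"])
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def detect_rdp_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logons per source IP. Returns alerts as
    (ip, kind, failures_in_window, distinct_users); a 4624 from an already-flagged
    source produces a second, higher-priority alert."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    users = defaultdict(set)        # ip -> distinct target accounts tried
    flagged = set()
    alerts = []
    for ev in events:
        # Caveat: with Network Level Authentication enabled, failed RDP attempts are commonly
        # recorded with LogonType 3 rather than 10. Verify on your own hosts before relying on this filter.
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ip = ev["IpAddress"]
        q = recent[ip]
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["EventID"] == 4625:
            q.append(ev["time"])
            users[ip].add(ev["TargetUserName"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                # many distinct accounts with few tries each is spraying; otherwise classic brute force
                kind = "password spray" if len(users[ip]) >= threshold // 2 else "brute force"
                alerts.append((ip, kind, len(q), len(users[ip])))
        elif ev["EventID"] == 4624 and ip in flagged:
            alerts.append((ip, "successful logon after failure burst: " + ev["TargetUserName"],
                           len(q), len(users[ip])))
    return alerts


def constructed_events():
    """Constructed sample log: one source spraying 12 accounts in two minutes and then succeeding,
    one source with two ordinary failures, and one non-RDP failure the filter must ignore."""
    t0 = datetime(2020, 11, 3, 8, 0, 0)
    fmt = "time={t} EventID={e} LogonType={lt} IpAddress={ip} TargetUserName={u}"
    lines = [fmt.format(t=(t0 + timedelta(seconds=10 * i)).isoformat(), e=4625, lt=10,
                        ip="10.0.0.5", u=f"user{i:02d}") for i in range(12)]
    lines.append(fmt.format(t=(t0 + timedelta(seconds=130)).isoformat(), e=4624, lt=10,
                            ip="10.0.0.5", u="svc_backup"))
    lines += [fmt.format(t=(t0 + timedelta(seconds=30 * i)).isoformat(), e=4625, lt=10,
                         ip="10.0.0.9", u="alice") for i in range(2)]
    lines.append(fmt.format(t=t0.isoformat(), e=4625, lt=3, ip="10.0.0.5", u="user99"))
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_events()):
        print(alert)
```

Detection is the fallback. The controls that make the attack uninteresting are the ones Savla points at: keep 3389 off the internet and behind a gateway or VPN with multi-factor authentication, require Network Level Authentication, set an account lockout policy, and give the accounts that can reach RDP at all the least privilege they need, so that a guessed password buys the attacker as little as possible.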
Are you prepared to effectively manage machine identities in 2021?