This week is the 1-year anniversary of when the government revealed in June 2015 that the Chinese had attacked the U.S. Office of Personnel Management (OPM). Attackers stole over 20 million records of government employees, contractors, and others. This included 5.6 million fingerprint records and millions of highly sensitive background checks. All of this data could be used to support the nefarious activities of other nation states. After visiting my old home of Washington, DC, I thought I’d put together a few thoughts on how this attack might have been prevented, or at least quickly identified and stopped, minimizing exposure and damages.
How the OPM was attacked
First, the bad guys used digital certificates to make malicious websites appear trusted. Digital certificates are used to enable secure Internet connections using HTTPS. Sites with HTTPS display a secure padlock icon in the address bar. When HTTPs is used on malicious sites, it creates a false sense of security.
The bad guys established fake sites pretending to be OPM-related services. Fake sites like opmsecurity.org operated undetected for at least 5 months.
In addition, the bad guys used digital certificates to sign malware. Digital certificates are used to verify the source and integrity of software. Using stolen certificates allowed the malware to appear legitimate and evade detection by traditional security controls. The bad guys used legitimate certificates stolen from Korean companies. (These same certificates and malware were also used in the Anthem breach.)
Why the attack worked
Using certificates allowed the bad guys to hide behind the HTTPS protocol. With the browser padlock displayed in the address bar, the fake sites appeared to be secure. Users are trained to identify the padlock with safety and security.
Unfortunately, the OPM security team did not detect the weaponized certificates (the certificates misused in the attack) as an early warning sign of the attack. If they had, the resulting breach of millions of sensitive personnel records by Chinese agents could have been prevented.
Left alone, the problem will only get worse
In the US federal government, these problems are only going to escalate (although these trends apply to all organizations):
- Using malicious certificates in attacks will be the default.
There is a new U.S. federal agency mandate for 100% encryption on public-facing websites. This will force bad guys to use certificates to fit with the norm. Knowing the reputation of a certificate—whether it should be trusted or is likely being misused as part of an attack—will become much more important in any environment that is 100% HTTPS.
- Encryption certificates will be used to bypass security controls, creating security blind spots.
As encrypted traffic grows, almost all inbound attacks will be hidden within encrypted channels. Organizations will need to be able to inspect all encrypted traffic to determine if it should be trusted.
Security systems, like IPS/IDS, Next Gen Firewalls, Sandboxes, and/or dedicated SSL Visibility appliances, need to have ready access to all current and active encryption keys. This access is required to decrypt and inspect encrypted traffic in real time.
Without this visibility into malicious activity hidden within encrypted traffic, organizations will be increasingly blind and vulnerable to attacks. This is why integrating key and certificate security with Blue Coat, Palo Alto Networks, and other security controls is so important.
Preventing this type of attack
This anniversary reminds us of the importance of key and certificate security. Given the proper security, attacks against the OPM could have been prevented or at least stopped much earlier. Currently, Venafi is the only solution that provides the required visibility into certificates being weaponized in attacks, whether on a customer’s network or across the Internet. All of this is why organizations must make full use of Venafi to protect all of their keys and certificates.
How Venafi helps
Venafi helps prevent these attacks:
- Detects the misuse of certificates across the Internet.
With continuous monitoring, security teams can identify certificates that are likely being used in attacks much earlier. They can then use this information to minimize the impact of the attacks by rapidly putting a stop to or preventing a breach.
- Identifies a baseline and uses it to detect the misuse of certificates on internal networks.
With Venafi TLS Protect, organizations can establish a baseline of what should be trusted. They do this by discovering and validating their keys and certificates. Organizations can then quickly identify anomalous certificate usage, whether on their network or across the Internet.
It’s not a new problem
The malicious use of certificates was first well documented in the Mandiant APT1 report. It shows how certificates have been misused to hide malicious activities within encrypted traffic and trick users into believing sites are real or not a threat.
The APT1 Appendix in this report lists dozens of certificates, purporting to be from IBM, AOL, and others, that went undetected but were clearly malicious and anomalous. And a growing number of bad guys are obtaining completely valid and trusted certificates from the likes of Let’s Encrypt, which provides encryption certificates for free.
Government agencies need to stop these breaches by strengthening key and certificate security. They need to know where their keys and certificates live, who owns them, and which ones are trusted (and which ones aren’t).
The good news is Venafi can help. We already protect the keys and certificates of over 260 of the Global 5000. Even as government agencies work to scope and secure budget for major security updates, Venafi can help them manage machine identities to protect the foundation of their cybersecurity.