As many of us look to put the madness of 2020 behind us, one thing is still evidently clear. In 2021, we’re just not going to be getting a break from hackers who are not slowing down their efforts to compromise SSH machine identities. But SSH malware was bad enough already. 2020 brought us new SSH focused malware like Lemon Duck, Fritz Frog, and Doki. Not to mention TrickBot and Emotet, which roared back to life with new variants as well. Even though we are barely into 2021, hackers are already off to a hot start with Kobalos, Hildegard, and Pro-Ocean hitting the scene.
While each malware is slightly different in its approach and end goal, one thing is clear: attackers are clearly setting their sights on cloud and DevOps environments. As such, they are mis-using unmanaged SSH machine identities for persistence and to move laterally throughout their victim’s environments. These types of malware are all becoming more sophisticated as time goes on—making them all the more difficult to detect without having all of your machine identities under management.
Hildegard uses a legitimate Linux process name to disguise its nefarious activities within Kubernetes clusters to mine for crypto currency. But it is still unknown how Kobalos infiltrated its victims as it has many obfuscation tactics built in. And Pro-Ocean will remove monitoring agents to avoid being found on its infected hosts. This begs the question: with unmanaged SSH machine identities, how sure can you be that one of these types of malware isn’t on your network already? And how agile do you have to be to remove compromised SSH keys if they are on your network?
How Venafi can help
The first step to preventing any SSH related attack is having complete visibility of all the SSH machine identities in your organization. One of the main things Venafi’s SSH Protect can give you is an accurate inventory of SSH keys across your environment. Mapping all SSH trust relationships allows you to analyze and monitor key usage, giving you the ability to quickly detect malicious activity and remove compromised keys with the click of a button.
While discovering what is already in the environment is a key to successfully managing SSH machine identities, it is crucial to get SSH keys under management as quickly as possible. With new machines coming on and off-line all the time, having Venafi built into the build process allows for these machine identities to have a secure lifecycle. This allows machine identities to be easily brought into inventory as the machines come online. The immediate onboarding of these SSH keys gives applications teams the access they need to their workloads while adding an extra layer of security against bad actors.
Along with having visibility and control of SSH keys from their creation, clearly defining SSH key management policies is a cornerstone in protecting these machine identities. Once SSH policies are configured, it allows you to quickly detect if there are keys in the environment that do not meet the set policy and quickly remove them.
The final step to preventing an SSH related attack is to automate the management of your SSH keys and enforcement of your SSH policies. For example, if your organization’s policy dictates that keys must be rotated annually, an automated task can be created to ensure that all keys that are a member of the specific keyset are rotated. This gives your organization the peace of mind that your policies around SSH are being enforced in a quickly auditable way. Better yet, it’s all managed for you through Venafi SSH Protect.