Again and again the news breaks: bad actors have succeeded in infiltrating an organization and stealing data. How did they get in, and how did they evade detection for long periods? Increasingly often, they are using crimeware designed to steal keys and certificates.
Keys and certificates should form the foundation of every enterprise’s security. But organizations—blindly trusting in the security of keys and certificates that they do not inventory and track, let alone regulate with assigned custodians and access policies—have left the door open to bad actors, all too ready to steal a key or certificate. Stolen security assets then become weapons in the hackers’ hands. The bad actors can sign malware so that it appears legitimate, crack into cloud systems managed by SSH keys—the possibilities spin out from there. With the recent leak of the source code of the Carberp Trojan, one example of crimeware that steals keys and certificates, similar attacks will only proliferate.
To protect your organization, you need to understand bad actors’ tactics. Let’s examine a common targeted attack for infiltrating an organization. This attack is based on a spear-phishing campaign, in which a victim inadvertently installs a remote access Trojan (RAT). The hacker then ramps up the damage using the RAT to obtain more keys and greater access, burrowing past the original victim further and further into the organization’s data.
Phase 1: The bad actor first obtains or builds the RAT and any other crimeware to be used during the attack. From this very first phase, hijacked encryption assets play a role. Typically, the bad actor digitally signs the malicious code with a fake or stolen digital key, helping the crimeware evade security solutions.
Phase 2 & 3: The hacker selects and investigates potential victims. Using information that is freely available on the Internet, the hacker designs a spear-phishing campaign with personal details to lure victims into clicking a URL or opening an attachment. Either action delivers the malicious payload, which is installed on the victim’s machine.
Phase 4: During this phase the malicious payload establishes an outbound connection back to the bad actor. In most cases, this connection is encrypted with SSL, helping attackers to evade network-based threat detection and interfering with security vendors attempting to analyze their traffic.
Phase 5: Having infiltrated the network, the bad actors expand the scope of the attack. They strengthen their foothold in the network by stealing user credentials; in particular, they seek elevated credentials like SSH keys, which can offer root access to valuable systems. Also during this phase, bad actors add further outbound connections for redundancy, as well as for providing more immediate access to systems and data flagged as high value.
Phase 6: The final phase consists of slowly extracting the data from the victim. Bad actors know to encrypt their traffic and to keep it slow, avoiding unusual behavior that might trip an event trigger.
Recommendations:
Gain visibility: The first step in mitigating these trust-based attacks—attacks that use your trusted keys and certificates against you—is to understand your key and certificate inventory. Without clear visibility into the cryptographic credential inventory, strong control over the number and types of keys and certificates, and clear policies assigning owners to particular cryptographic credentials, an organization can do little to defend itself against these attacks.
Monitor for anomalies: Network monitoring tools can help you detect the use of suspicious SSL certificates or SSH sessions in your network. By cross-referencing a suspicious SSL certificate with the known certificate inventory—once you have gained that visibility—you can quickly determine whether the SSL traffic is legitimate or possibly part of a targeted attack. Similarly, you can detect suspicious SSH sessions that might indicate a hacker quietly expanding into your critical systems.
Respond quickly: In the event that you detect an anomaly and prove it to be malicious, you must respond quickly, limiting the scope of the damage by removing compromised credentials and replacing them with new, valid keys and certificates. Because improper removal of a certificate may impact applications’ trust chains and cause an outage, you must carefully plan and monitor the rotation of any key material. Automated deployment and verification tools not only speed the response but prevent unexpected downtime due to human errors.
The Venafi Platform provides Enterprise Key and Certificate Management enabling organizations to gain insight and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning across the widest range of certificate authorities (CA). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory to quickly identify security risks associated with trust exploits, operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and in to the cloud. As a result, organizations can successfully prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.