GOINGUNDETECTED:

HOWCYBERCRIMINALS,HACKTIVISTS,AND

NATIONSTATESMISUSEDIGITALCERTIFICATES

KevinBocek

The Future: Machines

The future is machinesAdversaries exploiting machine identitiesGood news: guidance exists• Reduce risk• Build in agility • Respond faster

WhatAreMachines?

Device Code ServiceAlgorithm

v=argmaxb�{Yes,No}Pr(b)Qi Pr(ai |b)

0.0

10.0

20.0

30.0

40.0

50.0

2005 2010 2015 2020 20250.0

50.0

100.0

150.0

200.0

250.0

300.0

2005 2010 2015 2020 2025

SOFTWARE AND DEVICES EXPLODING(EST. IN BILLIONS)

DEVICES

PEOPLE

SOFTWARE

An entity without an identity cannot exist because it would be nothing

AristotleLaw of IdentityMetaphysics, Book IV, Part 4

Machine Identities

HUMANSUser name, Password, Biometric

MACHINES

1 0 1 00 1 0 10 1 0 1

WhatareMachineIdentities?

SSL/TLSCertificates

CodeSigningCertificates

SSHKeys APIKeys

TwL2iGABf9DHoTf09kqeF8tAmbihY

EncryptedTunnel

Authentication Execution

Role&LifecycleLeavesIdentitiesVulnerable

Inception Manufacture Distribution Activation Update Recycle

SSHkeyforcloud-to-cloud DevOpsorchestration

CodesigningcertificatetoauthenticatecoderunningonIoT device

TLScertificatetoauthenticatecloudapptoIoT devices

MisuseofMachineIdentities

TAKEONTRUSTEDIDENTITY

PhishingeffectivenessMaliciouscodeexecution

ESTABLISHTRUSTEDIDENTITY

CreatebackdoorsBuildprivilege

RUNWITHOUTIDENTITY

Hide,stealth,cloak

Problem: Machine Identities?

Would your organization tolerate

with no awareness, policies, or control?

Would your organization tolerate

with no awareness, policies, or control?keys & certificates

Heartbleed:T+1Year

RED=%NOTHEARTBLEEDREMEDIATED

Take On Trusted Identity

Rise of Fast & Free25M certificates

“Stealing Certificates will be the Next Big Market for Hackers”

Up to $980/ea400x more valuable than stolen credit card or identity #

Establishing a trusted identity

Misuse Goes Kinetic

Every business and government has the same lack of awareness and control over SSH keys

Run Without An Identity

SSL/TLSEncryptedTunnel

“70% OF MALWARE ATTACKS WILL USE SSL BY 2020”

LESS THAN 20%Of Organizations

with a FW, IPS/IDS, or UTM decrypt

SSL/TLS traffic

BLINDTOATTACKOneUnknownCertificate

=Encryptedtunnel

=Can’tseewhat’scoming

44©2016 Venafi. Confidential – do not distribute.

Weaponizing Machine Identities

• SSH & server key theft

• Code-signing certificate theft

• MITM by CA compromise

• Targeted key & certificate theft

• Sold on Underground

• Multi-year campaigns

• SSL & SSH vulnerabilities

• Price increases on underground

• Digitally-signed malware doubles quarterly

• SSL/TLS used to hide activity

• MitM attacks

• SSH pivoting

• SSL/TLS used to bypass security

• Encrypt Everywhere grows attack surface

• SHA-1 deprecation• SHA-1 collision

succesful

ThreatscapeExpands

• 2010: Blueprint -Stuxnet and Duqu

• 2011: CAs Attacked

• 2012: Online Trust Questioned by Experts

2010-2012 Attacks Become Mainstream

2013 Advanced Campaigns

Launch

2014 Online Trust Crumbles

2015

2016-2017

Attacks Begin

Preparing Your Plans

Crypto-Agility

Crypto-agility

CA Recovery Plan

Find What’s Out There

Automate Response

Set, Enforce a Policy

Good News: this can be business as usual process

Venafi Maturity Roadmap for TLS/SSLRoadmap: Control of Machine Identities

Level0:

ChaosHaveunquantifiedsecurityrisk,outages,expensiveand

manualprocesses,andcompliancechallenges

Level1:

ControlBuildasecurity

foundationwithfocusonknownandtrustedkeysandcertificates

Level2:CriticalSystems

Secureandprotectallkeysandcertificateson

business-criticalinfrastructure

Level3:EnterpriseProtection

Protectandautomateallkeysandcertificates

enterprise-wideandfurtherreducecostsandextractmorebusinessvalue

Level4:MachineIdentity

ProtectionRapidlyrespondtointernalandexternalthreatsandsecurity

incidentsrelatedtokeysandcertificates

Endpoint/MobileServersVirtual MachinesCloud

StartChange

GOINGUNDETECTED:

HOWCYBERCRIMINALS,HACKTIVISTS,ANDNATIONSTATES

MISUSEDIGITALCERTIFICATES

KevinBocek

Threats of the Future

Taking Action

57©2016Venafi.Confidential– donotdistribute.

• SSL/TLSEncryption

• WiFi &VPNAccess

• Cloud

• DevOps

• Mobility

• InternetofThings

• SSHPrivilegedAccess

KeysandCertificatesAretheFoundationof

YourSecurityInfrastructure