The abuse of machine identities is increasing. In a guest article, Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, describes the dangers and ways to defend against them.
There is currently an increase in the abuse of machine identities to launch serious attacks on companies. Recent security incidents involving SolarWinds and Kaseya, among others, have used the software supply chain as an attack vector. This is due to poor management of machine identities and code signing.
The Equifax data breach of 2018 exposed the personal information of millions of US consumers, dealing a serious blow to the company’s reputation and leading to US regulators imposing a $575 million fine. This was caused by an expired certificate: an easy-to-overlook detail that had devastating consequences.
The COVID-19 pandemic has added complexity to using and managing machine identities. The shift to the cloud, widespread adoption of remote working, and increasing reliance on IoT devices and mobility have changed the business landscape—perhaps permanently.
Unfortunately, as rapid technological innovation became vital to the survival of many businesses during the pandemic, security often took a back seat. Robust machine identity management is now a critical tool for organizations to catch up and protect their customers and assets.
The importance of machine identities
Machines control everything from connectivity to data flow. PCs, IoT and mobile devices, apps, office equipment such as printers and fax machines, containers and microservices all play a role in modern enterprise environments.
Each machine requires a unique identity to manage and secure machine-to-machine connections and communications across a network. These devices are given a digital “ID” via SSL, TLS, and code-signing security certificates, authentication tokens, and SSH keys acting as their machine identity.
They are needed to power the billions of transactions around the world every day – from routing to processing of financial transactions. So it’s no wonder cyber attackers are constantly trying to compromise them.
Machine identities: Opportunities for attacks
Even a single mismanaged or unprotected machine identity can cause a security incident. Once an identity has been stolen or compromised, attackers can disguise malicious activity, steal data, conduct surveillance, deploy ransomware, etc.
This is a significant risk factor that many companies have not fully understood. However, the number of incidents related to machine identities is increasing every year. There was a 700% increase in reported incidents between 2015 and 2019 and a 400% increase between 2018 and 2019 alone.
A study conducted by Venafi and AIR Worldwide estimates that the global economy suffers between US$51 billion and US$72 billion in losses annually due to inadequate protection of machine identities. The largest companies with more than $2 billion in annual revenue are the hardest hit, accounting for 14% to 25% of the total loss.
Ways to exploit
Cybercriminals look for vulnerabilities in corporate networks and the underlying machine identity protocols. As attack techniques continue to evolve, the most popular observable attack vectors are as follows:
SSL/TLS security certificate compromise
Stolen or fake certificates can make websites or activities appear legitimate. Expired certificates can also be exploited to eavesdrop on communications or intervene in transactions.
Exploiting Inadequate Protections for Code Signing Certificates
Although they are crucial for verifying the authenticity and integrity of software, code signing certificates can also be exploited to sign malware.
An example of this is the SolarWinds vulnerability in 2019. Attackers penetrated the software vendor’s network and exploited missing code signing and verification policies to install a malicious Orion update containing the Sunburst backdoor. The malware was distributed to around 18,000 customers, some of whom were targeted for further attacks.
Misuse of SSH keys
SSH keys are used to access encrypted and secure channels and establish trust. However, company assets and accounts can be hijacked if these keys are compromised, forgotten, not verified, or acquired through trading on the dark web.
Many malware strains are now able to abuse SSH keys. Enforcing weak credentials on public servers and adding keys to authorized key protocols can allow credential theft, lateral movement, and persistence on infected systems. Trickbot, CryptoSink and Skipmap are variants that have these abilities.
In the five years leading up to 2019, the development of off-the-shelf malware with capabilities to abuse machine identities increased by 300%.
How can machine identities be protected?
Managing machine identities can be a time-consuming and difficult endeavour. Most companies don’t know how many certificates and keys they have. With a larger attack surface caused by the rapid shift to hybrid working and the high number of devices in corporate networks, companies must prioritize protecting machine identities to secure their networks.
Enterprises should now adopt machine identity management solutions to protect devices and give IT teams better visibility into their protected systems without placing additional burdens on them. Automation can streamline this process and reduce the risk of human error leading to a data breach.
However, that alone is not enough: security must be implemented at every stage of the software development cycle to reduce the risk of machine identity, certificates and keys being compromised.
Overall, organizations need to adopt a security-centric mindset, from senior management to IT professionals on the front line of defence.