SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Exclusive: Venafi talks weaponisation of machine identities
Wed, 29th Aug 2018

As companies integrate more digital tools into their business, many remain unaware of the risk that their code-signing certificates expose them to.

Meanwhile, on the dark web, these certificates are being sold for over $1,200 each, making them more valuable than false passports or even handguns.

SecurityBrief spoke to Venafi chief cybersecurity strategist Kevin Bocek about how and why hackers are weaponising machine identity.

How are hackers weaponising machine identity? 

Across industries, hackers are weaponising machine identities in three key ways – they are either stealing them for spoofing purposes, using them to establish themselves as trusted inside a network, or using them to move around without being detected.

The first is the most straightforward.

Last year alone saw over 14,000 fake PayPal sites set up by scammers abusing machine identity to help them trick unsuspecting web users.

Shockingly, this type of attack doesn't even necessarily involve getting hold of an authentic PayPal identity, merely convincing a Certificate Authority (CA) like Let's Encrypt to provide one.

In contrast, the other two attacks do involve using legitimate machine identities, either to cause havoc or to move around unseen.

A classic example of the former would be the 2015 Ukrainian power grid attack when Russia managed to insert a valid SSH key into the grid and used it to shut down power across the country.

Meanwhile, the latter is crucial for hackers who want either to infiltrate an organisation without being noticed and exfiltrate large amounts of data, or to hit targets with malware such as SQL injection attacks or cross-site scripting attacks.
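The first of those three, spoofing with a certificate obtained for a lookalike name, is something a defender can watch for by monitoring certificate transparency logs, since every publicly trusted certificate a CA issues is logged there. The script below is an added example, not code from the article or from Venafi: it folds punycode and homoglyph labels back to the ASCII a person reads them as, then flags names that impersonate a brand. The log entries, the brand name, the legitimate-domain list and the function names are all constructed for the example.

```python
"""Flag certificate-transparency entries whose DNS names impersonate a brand.

Added example, not code from the article or from Venafi. The CT entries,
brand and legitimate-domain list are constructed; a real monitor would feed
entries from a CT log client instead.
"""
import re
import unicodedata

# Characters that read as Latin letters on screen: digits and symbols used in
# typosquats, plus Cyrillic letters that are pixel-identical to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l", "!": "i", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
})


def normalise_label(label: str) -> str:
    """Fold one DNS label to the ASCII string a human would read it as."""
    if label.startswith("xn--"):  # A-label: decode punycode to the Unicode U-label
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)            # split accents off base letters
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.lower().translate(CONFUSABLES)
    return re.sub(r"[-_]", "", label)                        # "pay-pal" -> "paypal"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(host: str, legit_domains) -> bool:
    return host in legit_domains or any(host.endswith("." + d) for d in legit_domains)


def impersonation_reason(name: str, brand: str, legit_domains):
    """Return why `name` looks like it impersonates `brand`, or None."""
    host = name.lower().lstrip("*.")
    if is_legitimate(host, legit_domains):
        return None
    for label in host.split("."):
        if brand in label:
            return "brand-in-label"           # paypal-login-secure.com, paypal.com.evil.net
        folded = normalise_label(label)
        if brand in folded:
            return "homoglyph-or-confusable"  # xn--pypal-4ve.com, paypa1.net
        if abs(len(folded) - len(brand)) <= 1 and levenshtein(folded, brand) == 1:
            return "typosquat"                # paypl.org, paypall.com
    return None


def scan_ct_entries(entries, brand: str, legit_domains):
    """Return one finding per suspicious SAN in the given CT log entries."""
    findings = []
    for entry in entries:
        for name in entry["names"]:
            reason = impersonation_reason(name, brand, legit_domains)
            if reason:
                findings.append({"name": name, "issuer": entry["issuer"], "reason": reason})
    return findings


# Constructed entries in the shape a CT log monitor might hand back.
SAMPLE_ENTRIES = [
    {"issuer": "O=Let's Encrypt, CN=R3", "names": ["paypal-login-secure.com", "www.paypal-login-secure.com"]},
    {"issuer": "O=Let's Encrypt, CN=R3", "names": ["xn--pypal-4ve.com"]},  # Cyrillic a (U+0430) for Latin a
    {"issuer": "O=Let's Encrypt, CN=R3", "names": ["paypa1.net"]},
    {"issuer": "O=Let's Encrypt, CN=R3", "names": ["paypl.org"]},
    {"issuer": "O=Example CA, CN=Example EV CA", "names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "O=Let's Encrypt, CN=R3", "names": ["example.org", "www.example.org"]},
]

if __name__ == "__main__":
    for f in scan_ct_entries(SAMPLE_ENTRIES, "paypal", {"paypal.com"}):
        print(f"{f['reason']:24} {f['name']:32} issued by {f['issuer']}")
```

The legitimate-domain check runs first so the brand's own certificates never trip the rules; everything else is judged label by label, which is what catches the "paypal.com.evil.net" pattern as well as the lookalike registrations. Real input would come from a CT log client rather than the constructed list, and the confusables table would be extended from the Unicode confusables data rather than the handful of Cyrillic letters shown.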

What are some of the figures or major breaches involving this method?

Currently, machine identity attacks are happening on a daily basis and the situation is only going to get worse.

Gartner predicts that by 2020, 70% of attacks will come through encrypted traffic while other research has found a significant rise in the number of code-signing certificates being abused by hackers.

We've seen this to be the case in several major instances including the Sony hack and attacks on the SWIFT banking system.

Each of these attacks shows just how much chaos cyber-criminals can cause with machine identities, whether it be stealing information, stealing money, or actual damage to physical infrastructure.

Why is this a method hackers are increasingly looking at?

Hackers are turning to machine identity attacks because they're the best way to trick the defences that organisations have in place.

For example, researchers have found over 70 different code-signing certificates currently in use, designed to help hackers present their malware programs as coming from a legitimate source.

By signing their malware with these certificates, hackers can immediately bypass crucial lines of defence such as antivirus and firewalls.

It's why when we investigated the trade of code-signing certificates on the Dark Web, we found that some were being sold for over $1,200 each, making them more valuable than false passports or even handguns.

Why is it more difficult to secure machine identities compared to people's identities?

There are several reasons why securing machine identities is more difficult than human identities.

First off, there are so many more of them – every single digital tool from a Docker container to a mobile app requires an identity and we're producing them at a greater scale every day.

The second issue is that they're simply more complex than human identities.

We understand usernames and passwords, we've used them for our entire lives, but when asked about digital certificates, people have far less knowledge.

Answers to seemingly basic questions such as ‘how are they created’ and ‘how do they work in practice’ can quickly get very complex.

What are some of the best practices companies can implement to protect themselves from this threat?

The first step in tackling the machine identity problem is getting a handle on the issue.

Without intelligence that tells you the scale of the problem and the location of every relevant machine identity out there, it's impossible to take any action.

Once you have that intelligence, then you can start to take control by making sure every identity is being monitored and by replacing those that need it.

Finally, companies need to automate the process of securing machine identities because they are being created and used on a scale that only other machines can keep up with.

For any decently-sized enterprise, centralising and automating the discovery, replacement and remediation of all machine identities on a network is the only realistic option.
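The three steps described above (discover, monitor, replace) come down to running a scan of every endpoint, keeping the results in one inventory, and checking each entry against a policy so that the identities needing replacement fall out automatically. The script below is an added example, not code from the article or from Venafi, of that policy step. The inventory records, the approved-issuer list, the 30-day renewal window and the function names are all constructed; a real scan (for instance openssl s_client or Python's ssl.getpeercert() over a host list) would populate the same fields.

```python
"""Triage a discovered inventory of TLS machine identities against a policy.

Added example, not code from the article or from Venafi. The inventory
records, the approved-issuer list and the renewal window are constructed;
a real scan (openssl s_client or ssl.getpeercert() over a host list) would
populate the same fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2018, 8, 29, tzinfo=timezone.utc)
RENEW_WINDOW = timedelta(days=30)
APPROVED_ISSUERS = {"Internal Issuing CA 1", "Public CA G2"}   # assumed policy
MIN_RSA_BITS = 2048

# Constructed inventory; not_after uses the format ssl.getpeercert() emits.
INVENTORY = [
    {"host": "www.example.com", "port": 443, "serial": "01A3", "issuer": "Public CA G2",
     "sans": ["www.example.com", "example.com"], "not_after": "Jun 30 23:59:59 2019 GMT",
     "key": ("RSA", 2048), "sig_alg": "sha256WithRSAEncryption"},
    # the same certificate copied onto a host its names do not cover
    {"host": "api.example.com", "port": 443, "serial": "01A3", "issuer": "Public CA G2",
     "sans": ["www.example.com", "example.com"], "not_after": "Jun 30 23:59:59 2019 GMT",
     "key": ("RSA", 2048), "sig_alg": "sha256WithRSAEncryption"},
    {"host": "legacy.example.com", "port": 8443, "serial": "0007", "issuer": "Internal Issuing CA 1",
     "sans": ["legacy.example.com"], "not_after": "Sep 10 00:00:00 2018 GMT",
     "key": ("RSA", 1024), "sig_alg": "sha1WithRSAEncryption"},
    # self-signed, already expired, never replaced
    {"host": "build.example.com", "port": 443, "serial": "FFEE", "issuer": "build.example.com",
     "sans": ["build.example.com"], "not_after": "Aug 01 00:00:00 2018 GMT",
     "key": ("EC", 256), "sig_alg": "ecdsa-with-SHA256"},
]


def parse_cert_time(s: str) -> datetime:
    """Parse 'Aug 01 00:00:00 2018 GMT' (the ssl module's notAfter format)."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def name_covered(host: str, sans) -> bool:
    """True if host matches a SAN exactly or via a single-label wildcard."""
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") and host.endswith(san[1:]):
            return True
    return False


def assess(rec: dict, now: datetime = NOW):
    """Policy findings for one record as (code, detail) tuples."""
    findings = []
    remaining = parse_cert_time(rec["not_after"]) - now
    if remaining <= timedelta(0):
        findings.append(("expired", f"expired {-remaining.days} days ago"))
    elif remaining <= RENEW_WINDOW:
        findings.append(("expiring", f"expires in {remaining.days} days"))
    algo, bits = rec["key"]
    if algo == "RSA" and bits < MIN_RSA_BITS:
        findings.append(("weak-key", f"RSA-{bits}"))
    if rec["sig_alg"].lower().startswith(("sha1", "md5")):
        findings.append(("weak-signature", rec["sig_alg"]))
    if not name_covered(rec["host"].lower(), rec["sans"]):
        findings.append(("name-mismatch", f"{rec['host']} not in {rec['sans']}"))
    if rec["issuer"] not in APPROVED_ISSUERS:
        findings.append(("unapproved-issuer", rec["issuer"]))
    return findings


def triage(inventory, now: datetime = NOW):
    """Map 'host:port' -> findings, adding a shared-cert finding when one
    certificate (issuer + serial) is found on more than one endpoint."""
    seen = defaultdict(list)
    for rec in inventory:
        seen[(rec["issuer"], rec["serial"])].append(f"{rec['host']}:{rec['port']}")
    report = {}
    for rec in inventory:
        endpoint = f"{rec['host']}:{rec['port']}"
        findings = assess(rec, now)
        others = [e for e in seen[(rec["issuer"], rec["serial"])] if e != endpoint]
        if others:
            findings.append(("shared-cert", f"also served by {', '.join(others)}"))
        report[endpoint] = findings
    return report


if __name__ == "__main__":
    for endpoint, findings in triage(INVENTORY).items():
        status = ", ".join(f"{code} ({detail})" for code, detail in findings) or "ok"
        print(f"{endpoint:28} {status}")
```

The shared-cert check is the one most often missing from home-grown scripts: the same certificate and private key copied across several hosts means one compromise revokes all of them, and it only becomes visible once the inventory is centralised, which is the point made above. The findings are plain codes so that a scheduler can feed "expiring", "weak-key" and "unapproved-issuer" straight into a renewal or replacement job.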