Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

Transcription

1 Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

2

3 HLA ID: 90FZSBZFZSB 56BVCXVBVCK 23YSLUSYSLI 01GATCAGATC

4 Cyber space is very similar to organic realm Keys & certificates are like HLA tags But, we don t have an active or adaptive immune system Trust seems blind Did we really solve the first Internet security problem?

5 5 July 1993, New Yorker Magazine

6 6 Foundation of Online Security

7 7 Building Layered Security

8 8 When the Foundation Isn t Protected

9 Weaponization of Keys and Certificates 2010 Stuxnet and Duqu demonstrate powerful weapon Blueprints 2011 Attackers open new front with assault on Certificate Authorities Uping the ante 2012 Can any key or certificate be trusted? Everyday Attack Method 2013 Mainstream usage as an attack vector SSH Key Theft CA Compromise to Enable MITM Attacks Server Key Theft Weak Crypto Exploits Code Signing Certificate Theft 2014 Advanced campaigns Key and Certificate Theft SSL & SSH Vulnerabilities Sold on the Underground Market Own the Network Multi-year Campaigns Broken Trust % Responded to Attacks Certificate Price Increase on Underground Digitally-signed Malware Doubling Every Quarter TLS Used to Hide Activity MITM Attacks Lucky13

10 Vulnerability in OpenSSL Enables extraction of data without a breach Heartbleed SSL/TLS Keys and certificates must be assumed compromised

11 Patch vulnerable OpenSSL systems Assume ALL keys and certificates compromised Must generate new keys and certificates Validate changes to demonstrate remediation

12 Global 2000: Heartbleed Remediation April 2015

13 $

14 Stealing Certificates will be the Next Big Market for Hackers

15 Marketplace for Stolen Certificates Up to $980/ea 400x more valuable than stolen credit card 3x more valuable than bitcoin

16 Underground Certificates-as-a-service (CaaS) Some of the certificates for sales were issued for 1 year, which is enough for targeted APT InfoArmor: GovRAT

17 Underground Certificates-as-a-service (CaaS) ad actors actively gitimate cate authorities o issue digital cates for malware InfoArmor: GovRAT

18

19 misuse of certificates is a danger to global economy

20 trusted: in your computer, browser, smartphone, server

21 Example: MCS Holdings, an intermediate CA for CNNIC issued a fraudulent certificate for Google to perform Man-in-the-Middle Security risks from untrustworthy CAs like CNNIC? 22% Browser action to protect you Untrusted by Google 6% 14% 58% Untrusted by Mozilla Trusted by Apple MITM attacks Replay attacks No risk Don't know Trusted by Microsoft Venafi: Black Hat 2015 survey

22 Tim Cook CEO Apple

23 Tim Cook Letter (Cont d)

24 What action did your organization take after CNNIC was deemed untrusted? 74% 34% 17% 26% remain exposed 23% Wait for Microsoft and Apple to take action Remove CNNIC from all desktops, laptops, and mobile devices No action was taken Don't know Venafi: Black Hat 2015 survey

25 Awareness Visibility Detection Blind Spot in Security Encryption MDM DLP AV VPN Firewall IDS IAM IPS

26 How much network traffic will be encrypted?

27 50% of network attacks will use SSL by 2017

28 Awareness Visibility Detection Undermines Security Encryption MDM DLP AV VPN Firewall IDS IAM IPS

29 Basically, the enterprise is a sitting duck.

30

31 Customer Problems we Find Marketing purchased 50 certificates to improve SEO Cloud We can t decrypt all inbound traffic we don t have the keys Our network is down certificate expired What s on the network??? we just found 50,000 selfsigned certificates Application Owner PKI Owner Business Owner Internal CA External CA #1 External CA #2

32 GLOBAL TELCO millions of certificates

33 Consequences of the Problems we Find We have no visibility in to certificates outside the firewall Cloud We can t securely collect and transfer keys to security systems We re unable to continuously monitor and remediate automatically We can t enforce policy and detect anomalies Application Owner PKI Owner Business Owner Internal CA External CA #1 External CA #2

34 Survey and monitor all certificates Secure keys as a top priority Where to Start? RECOMMENDATIONS Document and enforce policies, like revocation processes Monitor security feeds for compromised CAs and certificates

35 SANS - 20 Critical Security Controls Inventory of Devices Inventory of Software Secure Configurations Continuous Vulnerability Assessment Malware Defense Application Software Security Wireless Access Control Data Recovery Capability Security Skills Assessment And Training Secure Network Device Configs Control of Network Ports, Protocols, Services Controlled Use of Administrative Privileges Boundary Defense Maintain, Monitor, and Analysis Of Audit Logs Controlled Access Account Monitoring And Control Secure Network Engineering Incident Response & Management Data Protection Penetration Tests and Red Team

36 CSC17 Update Know what s out there Secure Configurations Data Recovery Capability Boundary Defense Does it fit with policy Control of Account Inventory Application Network Ports, Monitoring of Software Protocols, And Devices If not, Security fix Security it Maintain, Skills Services Control Continuous Monitor, and Vulnerability Assessment Analysis Assessment And Of Audit Inventory Establish Training Controlled Wireless ownership Logs of Use of Secure Access Software Administrative Network Control Engineering Secure Privileges Malware Automate Network & Repeat Controlled Defense Device Access Configs Incident Response & Management Data Protection Penetration Tests and Red Team

37 Venafi TrustAuthority & Venafi TrustNet: Visibility and Control Internet Establish Understand 1 Inventory, 2 and Fix Gain Visibility Vulnerabilities Establish 3 Norms 4 Assign Roles, Secure Self- Service 5 Monitor & ID Anomalies 1 Internet-wide Discovery 5 Validate Baseline 2 Certificate reputation TrustNet 5 Notify on anomalies Cloud 1 SSH Discovery 1 Network Discovery 2 Reporting/Analysis Self Service Portals / API 4 2 Enroll and Revoke External CA #2 1 External CA #1 CA Import Internal CA 3 Set Policy, Workflow & Notification Application Owner PKI Owner Business Owner For all SSL, SSH, Mobile keys and certificates

38 Internet Venafi TrustForce & Venafi TrustNet: Rapid Response and Remediation 1 Respond Powerful 2 Scale 3 Automation 4 Install, Configure and Validate TrustNet Certificate 1 Blacklisting 4 3 rd Party API Integration Cloud 4 Post Install: App Configuration and Validation 2 Build Associations between Applications and Certificates Monitor Trust Bundles, SSH Keys, and Users Install Certs and Rotate Keys on Demand (Physical, Virtual, Cloud) 3 1 Take Action from Alerts and Notifications For all SSL keys/certificates and SSH keys

39 Lessons from Human Immune System Keys and certificates can t be blindly trusted We have to actively inspect, constantly adapt Find keys certificates, trusted?, fix, securely distribute and scale

40 Find out more at venafi.com