Lessons from the Human Immune System
Gavin Hill, Director Threat Intelligence

HLA ID: 90FZSBZFZSB56BVCXVBVCK23YSLUSYSLI01GATCAGATC
• Cyber space is very similar to the organic realm
• Keys & certificates are like HLA tags
• But we don't have an active or adaptive immune system
• Trust seems "blind"
• Did we really solve the first Internet security problem? (5 July 1993, New Yorker Magazine)

Foundation of Online Security

Building Layered Security

When the Foundation Isn't Protected

Weaponization of Keys and Broken Trust

Timeline slide, 2010 to 2015; the year-by-year layout is not recoverable from the extracted text. Labels on the slide:
• Attackers open new front with assault on Certificate Authorities
• Key and Certificate Theft Doubling Every Quarter
• Mainstream usage as an attack vector
• Advanced campaigns
• Everyday Attack Method
• Upping the ante
• SSL & SSH Vulnerabilities
• CA Compromise to Enable "MITM" Attacks
• Server Key Theft
• Weak Crypto Exploits
• Code Signing Certificate Theft
• Digitally-signed Duqu demonstrates a powerful weapon
• SSH Key Theft
• Sold on the Underground Market
• Own the Network
• Multi-year Campaigns
• MITM Attacks Blueprints
• Certificate Price Increase on Underground
• TLS Used to Hide Activity
• 100% Responded to Attacks
• Can any key or certificate be trusted?

Global 2000: Heartbleed Remediation

Lucky13
• Vulnerability in OpenSSL
• Enables extraction of data without a breach
• SSL/TLS keys and certificates must be assumed compromised

• Patch vulnerable OpenSSL systems
• Assume ALL keys and certificates compromised
• Must generate new keys and certificates
• Validate changes to demonstrate remediation

Marketplace for Stolen Certificates

April 2015: "Stealing Certificates will be the Next Big Market for "

Underground Certificates-as-a-service (CaaS)
• Up to $980/ea
• 400x more valuable than a stolen credit card
• 3x more valuable than bitcoin

Some of the certificates for sale were issued for 1 year, which is enough for targeted APT

InfoArmor: GovRAT

Underground Certificates-as-a-service (CaaS)

The bad actors actively use legitimate certificate authorities (CA) to issue digital certificates for malware

InfoArmor: GovRAT

Misuse of certificates is a danger to the global economy
Trusted: in your computer, browser, smartphone, server
Example: MCS Holdings, an intermediate CA for CNNIC, issued a fraudulent certificate for Google to perform Man-in-the-Middle

Pie charts from the Venafi Black Hat 2015 survey; the percentages cannot be matched to their labels from the extracted text.

Chart: "Security risks from untrustworthy CAs like CNNIC?" Responses: MITM attacks; Replay attacks; No risk; Don't know. Percentages shown on the slide: 58%, 22%, 14%, 6%.
Chart: "Browser action to protect you". Labels: Untrusted by Google; Untrusted by Mozilla; Trusted by Apple; Trusted by Microsoft.
Venafi: Black Hat 2015 survey

Tim Cook – CEO Apple: Tim Cook Letter (Cont'd)

Chart: "What action did your organization take after CNNIC was deemed untrusted?" Responses: Wait for Microsoft and Apple to take action; Remove CNNIC from all desktops, laptops, and mobile devices; No action was taken; Don't know. Percentages shown on the slide: 17%, 34%, 23%, 26%, 74%, with the callout "remain exposed".
Venafi: Black Hat 2015 survey

Security Blind Spot in Awareness, Visibility, Detection
Diagram of security controls: MDM, Encryption, DLP, IAM, AV, Firewall, IDS, IPS, VPN
How much network traffic will be encrypted? "50% of network attacks will use SSL by 2017"

Security Undermines
Same diagram: MDM, Encryption, DLP, IAM, AV, Firewall, IDS, IPS, VPN
"Basically, the enterprise is a sitting duck."

Customer Problems we Find

Callouts on the slide:
• "Our network is down – certificate expired"
• "Marketing purchased 50 certificates to improve SEO"
• "We can't decrypt all inbound traffic – we don't have the keys"
• "What's on the network???"
• "We just found 50,000 self-signed certificates"
Diagram: Application Owner, PKI Owner, Business Owner; Internal CA, External CA #1, External CA #2; Cloud; GLOBAL TELCO – millions of certificates

Consequences of the Problems we Find
• We're unable to continuously monitor and remediate
• We have no visibility into certificates outside the firewall
• We can't automatically and securely collect and transfer keys to security systems
• We can't enforce policy and detect anomalies
Diagram: Application Owner, PKI Owner, Business Owner; Internal CA, External CA #1, External CA #2; Cloud

• Survey and monitor all certificates
• Secure keys as a 'top priority'

Where to Start? RECOMMENDATIONS
• Document and enforce policies, like revocation processes
• Monitor security feeds for compromised CAs and certificates
• SANS - 20 Critical Security Controls

Diagram: the SANS 20 Critical Security Controls, shown as a wheel (the same wheel appears on two slides, the second with the CSC17 overlay below): Inventory of Devices; Inventory of Software; Secure Configurations; Continuous Vulnerability Assessment; Malware Defense; Application Software Security; Wireless Access Control; Data Recovery Capability; Security Skills Assessment and Training; Secure Network Device Configs; Control of Network Ports, Protocols, and Services; Controlled Use of Administrative Privileges; Boundary Defense; Maintain, Monitor, and Analysis of Audit Logs; Controlled Access; Account Monitoring and Control; Data Protection; Incident Response & Management; Secure Network Engineering; Penetration Tests and Red Team

CSC17 Update
• Know what's out there
• Does it fit with policy
• If not, fix it
• Establish ownership
• Automate & Repeat

Venafi TrustAuthority & Venafi TrustNet: Visibility and Control

Steps:
1 Establish Inventory, Gain Visibility
2 Understand and Fix Vulnerabilities
3 Establish Norms
4 Assign Roles, Secure Self-Service
5 Monitor & ID Anomalies

Diagram labels (numbers refer to the steps above): Internet-wide Discovery (1); SSH Discovery (1); Network Discovery (1); CA Import (1); Certificate reputation (2); Reporting/Analysis (2); Enroll and Revoke (2); Self Service Portals / API (3); Set Policy, Workflow & Notification (4); Validate Baseline (5); Notify on anomalies (5); TrustNet; Internet; Cloud; Application Owner, PKI Owner, Business Owner; Internal CA, External CA #1, External CA #2. For all SSL, SSH, Mobile keys and certificates.

Venafi TrustForce & Venafi TrustNet: Rapid Response and Remediation

Steps:
1 Respond
2 Scale
3 Powerful Automation
4 Install, Configure and Validate

Diagram labels (numbers refer to the steps above): Take Action from Alerts and Notifications (1); Certificate Blacklisting (1); Build Associations between Applications and Certificates (2); Monitor Trust Bundles, SSH Keys, and Users; Install Certs and Rotate Keys on Demand (Physical, Virtual, Cloud) (3); Post Install: App Configuration and TrustNet Validation (4); 3rd Party API Integration (4); TrustNet; Internet; Cloud. For all SSL keys/certificates and SSH keys.

Lessons from the Human Immune System
• Keys and certificates can't be blindly trusted
• We have to actively inspect, constantly adapt
• Find keys and certificates, ask whether they are trusted, fix, securely distribute and scale

Find out more at venafi.com