Attackers stealing machine identities: how can we protect ourselves?
June 14, 2018
How is securing your encrypted traffic like protecting your house? Terrie Anderson, APAC regional director at Venafi shows us how.
Sometimes the noisiest cyber attacks aren’t the most dangerous. For example, a DDoS attack can take down a website for an entire day. And while this is bad, it’s nothing compared to the Sony and Yahoo! data breaches where attackers moved around undetected inside computer systems for years.
In cases like these, attackers pose as legitimate actors on the network, giving them time to find every scrap of information they want. In addition, they can deal maximum damage to companies once news of the breach hits the headlines.
How did the Sony and Yahoo! attackers achieve this? They did not impersonate human employees, they stole machine identities.
Just like people, every machine – be it a server, a device, an app or an algorithm – needs an identity with the ability to authenticate and communicate in a private, encrypted and secure way. These identities are powerful because they allow access to huge swaths of a firm’s network.
Because cyber attackers are aware of this, they’re stealing these identities to impersonate valid machine-to-machine communications at an increasing rate. This allows them to move around completely undetected by the companies they’re attacking, spying and exfiltrating data as they go.
It’s useful to illustrate the situation by comparing how companies protect their machine identities to how you protect your home. Let’s say you have a big house with expensive locks and alarms to keep the bad guys out. To get in, your family uses keys to operate the gates and to make sure the alarm doesn’t go off. In other words, security gates authenticate individuals by recognizing trusted keys.
This is similar to how machine identity protection works. Both methods involve keys, although with machine identities, keys tend to be digital rather than physical. They also establish who is trustworthy. Defenses like anti-virus or firewalls operate just like security gates, except they use machine identities to know which traffic needs to be blocked as malicious, as well as which can be trusted.
If a machine or attacker has hold of a machine identity, that means they also have the right key and will be granted access to the system. In both instances, defenses base their decision on the key, not who is holding it.
Don’t leave your spare key under the mat – anyone can find it!
If you use your keys every day, you are likely to know when they are missing; for instance, you come home and can’t open the front door. But imagine that you have a rarely used spare key for guests. If that key somehow is stolen, it could be weeks – or even months – before you notice. All the while, whoever stole the key has the power to come and go as they please. They could spy on you and search your private documents. They could also take something small, but extremely valuable – say a pair of diamond earrings only worn on special occasions – or make copies of the documents in your office.
How long would it take before you notice something has gone missing? And what would you do? You could tell the police, but there would be no sign of forced entry or physical evidence, and you wouldn’t even know when these things went missing.
It’s the same for businesses, except most organizations have thousands of machine identities to track rather than a couple of spares. Remember that every single machine an organization uses is another identity that has to be tracked and managed. Research has shown that the average enterprise has over 16,500 undiscovered machine identities lying around unprotected, and IT professionals expect the number of identities to increase exponentially each year.
If we lose a set of keys in the real world, we waste no time getting the locks replaced. However, when it comes to the digital world, this is much more complicated. While it’s a herculean task to keep track of each machine identity – how it’s being used, where and by whom – some businesses are still running the risk of a cyber attack by trying to track all of their keys manually on Excel sheets.
Trying to manage so many identities manually is a recipe for disaster, as there is far more scope for error – from recording incomplete data to failing to assign responsibility for remediation and replacement. If a key goes missing, these gaps make the loss harder to spot, and it could take years before the theft comes to light.
The solution to this problem is for organizations to take the same care of their machine identities as their physical security. The scale of this is too huge to handle manually, so businesses need to adopt automated platform solutions that can identify when a key is created and manage it throughout its life cycle.
Just as you might install a closed-circuit television (CCTV) to make sure nobody is creeping around your house unannounced, organizations need to confirm they are watching their encrypted network traffic to ensure there isn’t anyone hiding or lurking within. To do this, they need to provide security tools with access to the keys of private corridors in the enterprise. Such systems can react and replace any compromised certificates that might be used by attackers, helping boot out the burglars before they have a chance to do any damage.
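The two controls described above, lifecycle tracking of every machine identity and reconciling what is actually seen on the wire against that inventory, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Venafi's product code and not code from the article. The inventory records, the observed TLS connections, the fingerprints, hostnames, key identifiers and owner names are all constructed sample data, and the thresholds (30 days to expiry, 90 days idle) are assumptions chosen for illustration. It goes slightly beyond the text by also flagging a private key shared across several certificates, since one stolen key then opens several doors.

```python
"""Machine-identity hygiene: lifecycle findings over an inventory, and
reconciliation of observed TLS connections against that inventory.

Added example for this article, not Venafi's or the article's own code.
Every record below is constructed sample data; the thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MachineIdentity:
    fingerprint: str            # certificate fingerprint (constructed placeholder)
    subject: str                # host name the certificate asserts
    key_id: str                 # identifier of the private key behind the cert
    not_after: datetime         # certificate expiry
    owner: Optional[str]        # team responsible for rotation, None if nobody
    last_used: Optional[datetime]  # last time it authenticated a connection


@dataclass(frozen=True)
class Observation:
    seen_at: datetime           # when the connection was observed
    server_name: str            # host that presented the certificate
    fingerprint: str            # fingerprint of the presented certificate


NOW = datetime(2018, 6, 14, tzinfo=timezone.utc)   # constructed "today"
DAY = timedelta(days=1)

# Constructed inventory: one clean identity, one expiring, one ownerless and
# idle (the "spare key"), one sharing a private key with the first, one expired.
INVENTORY = [
    MachineIdentity("sha256:aaaa", "api.example.internal", "key-01", NOW + 200 * DAY, "platform-team", NOW - 1 * DAY),
    MachineIdentity("sha256:bbbb", "billing.example.internal", "key-02", NOW + 10 * DAY, "finance-it", NOW - 2 * DAY),
    MachineIdentity("sha256:cccc", "legacy-backup.example.internal", "key-03", NOW + 400 * DAY, None, NOW - 200 * DAY),
    MachineIdentity("sha256:dddd", "test.example.internal", "key-01", NOW + 200 * DAY, "platform-team", NOW - 3 * DAY),
    MachineIdentity("sha256:eeee", "old-portal.example.internal", "key-05", NOW - 5 * DAY, "web-team", NOW - 10 * DAY),
]

# Constructed connection observations, as a traffic monitor might report them.
OBSERVED = [
    Observation(NOW - timedelta(hours=1), "api.example.internal", "sha256:aaaa"),
    Observation(NOW - timedelta(hours=2), "staging.example.internal", "sha256:aaaa"),
    Observation(NOW - timedelta(minutes=30), "old-portal.example.internal", "sha256:eeee"),
    Observation(NOW - timedelta(minutes=5), "vpn.example.internal", "sha256:ffff"),
]


def lifecycle_findings(inventory: List[MachineIdentity], now: datetime = NOW,
                       expiry_window_days: int = 30, idle_days: int = 90) -> List[Tuple[str, str]]:
    """Return (fingerprint, finding) pairs for identities needing attention."""
    findings = []
    by_key = defaultdict(list)
    for ident in inventory:
        by_key[ident.key_id].append(ident.fingerprint)
        if ident.not_after <= now:
            findings.append((ident.fingerprint, "EXPIRED"))
        elif ident.not_after - now <= expiry_window_days * DAY:
            findings.append((ident.fingerprint, "EXPIRING_SOON"))
        if ident.owner is None:
            findings.append((ident.fingerprint, "NO_OWNER"))
        # The rarely used spare key: nobody would notice if it went missing.
        if ident.last_used is None or now - ident.last_used > idle_days * DAY:
            findings.append((ident.fingerprint, "IDLE"))
    # One private key behind several certificates: one theft, several doors.
    for fingerprints in by_key.values():
        if len(fingerprints) > 1:
            findings.extend((fp, "SHARED_KEY") for fp in fingerprints)
    return findings


def reconcile_traffic(inventory: List[MachineIdentity],
                      observations: List[Observation]) -> List[Tuple[str, str, str]]:
    """Compare observed certificates with the inventory; return alerts as
    (fingerprint, server_name, alert)."""
    known = {ident.fingerprint: ident for ident in inventory}
    alerts = []
    for obs in observations:
        ident = known.get(obs.fingerprint)
        if ident is None:
            alerts.append((obs.fingerprint, obs.server_name, "UNKNOWN_IDENTITY"))
            continue
        if ident.not_after <= obs.seen_at:
            alerts.append((obs.fingerprint, obs.server_name, "EXPIRED_IN_USE"))
        if obs.server_name != ident.subject:
            # A known certificate presented by a host it was not issued for.
            alerts.append((obs.fingerprint, obs.server_name, "SUBJECT_MISMATCH"))
    return alerts


if __name__ == "__main__":
    for fp, finding in lifecycle_findings(INVENTORY):
        print(f"inventory  {fp}  {finding}")
    for fp, host, alert in reconcile_traffic(INVENTORY, OBSERVED):
        print(f"traffic    {fp}  {host}  {alert}")
```

The inventory pass answers the "which keys are we not watching" question from the text: an identity with no owner and no recent use is exactly the spare key nobody would miss. The traffic pass is the CCTV: a fingerprint that is not in the inventory at all, an expired certificate still authenticating connections, or a known certificate turning up on a host it was not issued for are the events that should trigger revocation and replacement rather than sit in a spreadsheet.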
As digital transformation advances, the number of machines that enterprises have to manage will continue to skyrocket, making each one a potential point of infiltration for hackers. In order to effectively protect the enterprise, businesses have to think like homeowners and ensure that all of their keys are properly monitored and secured.