Weave your cybersecurity tactics into a cohesive strategy
- By John Walsh
- Aug 25, 2017
Recent headlines about cybersecurity threats tend to focus on the latest ransomware, implying that the worst threats are generated externally. Yet what typically goes unnoticed is a fundamental shortcoming in most agencies’ cybersecurity strategy.
A determined attacker can and will get inside a network. The goal of the initial breach is to spread the attack, and the best way to do that is to steal credentials such as Secure Shell, or SSH, keys that secure remote login from one computer to another.
Because SSH keys grant access to critical agency infrastructure and proprietary data, stealing them lets attackers turn a relatively small breach into one that can cause an agency to lose credibility and potentially put the personal data of millions of citizens at risk.
SSH keys are attractive to hackers because they:
- Often grant access to financial data environments in public companies and government databases.
- Typically provide root or administrator access, thereby allowing installation of malware, compromising of software or even outright destruction.
- Deliver a long-term backdoor for attacks
- Can be used to spread an attack across nearly all servers in an organization, including disaster recovery systems and backup data centers.
Government agencies must not get so caught up in the tactics of defeating the latest type of malware, ransomware or phishing attack that they forget to create or execute an overarching strategy. According to Sun Tzu in The Art of War, "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat."
Just recently, the importance and implications of SSH keys were thrust into the spotlight.
WikiLeaks published documents purportedly from the CIA Vault 7 breach that contain user manuals for tools that can extract SSH keys and their passwords from memory while a session is active. A common defense against SSH key misuse is to password-protect keys, but this exploit renders that technique useless.
The protocol itself is still safe, but credential theft through human error, phishing or hacking is a growing issue.
In fact, the WannaCry attack -- the biggest ransomware attack in the world to date -- was not what it seems. The attach that impacted hundreds of thousands of computers in as many as 150 different countries and a range of business segments including healthcare, retail, government and finance was actually a distraction for a much more sinister and invasive scheme to steal employee credentials. This explains why the attack seemed so inefficient in achieving its perceived goal of collecting ransom; so far only about $129,000 has been collected.
Cybercriminals don’t need to be sophisticated or well funded to steal credentials. The Iranian cyber espionage group known as the CopyKittens has shown far less sophistication compared to other top hacking groups, yet they have still managed to exfiltrate large volumes of data from government organizations, academic institutions and IT companies across the world. Attackers used stolen credentials to login to other servers where they found and stole private keys. Repeating this process quickly spreads the breach and exposes more and more of the target network.
Government and other enterprise organizations usually have many more SSH keys than they have servers or user accounts. For example, in one typical financial institution, 3 million SSH keys were found granting access to 15,000 servers. That is an average of 200 keys per server. Most organizations have SSH keys granting access that is no longer necessary, not compliant, or redundant.
No wonder SSH keys are an attractive target for both insider and external attackers.
Strategy with tactics
How can this situation be avoided? By protecting the credentials used to spread the attack across a network, IT managers can mitigate the damage a sustained attack can cause after the initial breach. This strategy protects the network against both external and insider threats. It makes no sense to shift security to address the latest hacking exploit or malware, while leaving what the attackers are really after -- credentials like SSH keys -- unguarded.
To effectively address SSH key management issues in an agency, IT managers must determine who has access to the most critical infrastructure. It’s important to get control of which SSH key-based access may have root access in the environment and, more importantly, how deep the transitive trust of this access extends. The question to be answered here is, “If I breach one root key, how deeply can I penetrate into the environment?”
It’s also important to grasp which SSH key-based trusts are related to service accounts and which are for interactive use. Each key-based trust, regardless of its usage, should be assigned back to an individual owner in the environment to establish accountability.
Where SSH user key-based trusts are in use, it is critical to ensure the clear separation of duties. This means having a clear understanding of what key-based connections may be running across development to production environments and re-establishing clear IP source and command restriction accountability of all key-based access within the production environment.
Sun Tzu knew a thing or two about warfare. The fact that the battle theater is now digitized changes nothing. Once attackers gets hold of unmanaged SSH keys, they can establish a beachhead and expand the assault across agency networks. Rather than scrambling to implement just-in-time tactics, use the principles above to create a cybersecurity strategy. Rather than making a lot of tactical noise that accomplishes little, agencies will achieve a faster victory as tactics back up their strategy.
John Walsh is the director of product marketing at SSH Communications Security.