
Malware: Identifying the Code is Only Half the Battle

The first step in defending against malicious code infections is ensuring that a strong trust infrastructure is in place and well secured.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has become the go-to source for enterprises looking for sage advice on the intricacies of network security. In August, NIST added a new document to its library of expert advice focused on how to deal with malware: NIST Special Publication 800-83 Revision 1 (PDF).

In short, the NIST bulletin provides direction on how to identify, contain and eliminate malware from enterprise systems. Information presented includes best practices, policy design and incident response ideologies in a concise manner that would benefit any network security manager or administrator. Outside of the advice provided by the paper, organizations in need of an effective malware defense strategy should also ensure they are securing their trust infrastructures, which are comprised of thousands of digital certificates and cryptographic keys. As history has shown, in most cases broken trust has been the gateway that allows malware to slip silently into networks.

In a majority of cases, attacks that inject computers with dynamic malware conducting cyberespionage, data theft and even physical damage take advantage of broken trust caused by unsecured and exposed certificates and keys. Despite this fact, malware-defense advice often fails to connect all of the links in the attack chain. Just look at the cyber-attack record, which clearly shows that no conversation or conclusion on malware defense can be had without acknowledging the role that unsecured keys and certificates have played. Stuxnet, Shamoon, Flame and Duqu, among the most notorious and effective malware campaigns to date, all relied on compromised certificates to authenticate to systems and deliver their payloads.

In addition, it’s important to acknowledge what Mandiant stated in its APT1 Report. Nation-state backed, China-based hackers used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years. Symantec also recently explained how attackers hijack legitimate certificates to execute their attacks. “If a computer is infected by a back door Trojan, the attacker may gain full access to the compromised computer and will be able to control it. The attacker will therefore be able to steal any information found on the computer,” it said in a blog from earlier in the year. “An attacker can also steal both the private key and the digital certificate if he or she is interested in them.”

Many companies put major security resources into malware detection and remediation, but then ignore the more dangerous and broader threat presented by weak and exposed certificates. While it is critical to address malware and to concentrate on detection, it is equally essential to identify how attackers are exploiting broken trust in order to exfiltrate data and penetrate systems—systems ripe with IP, corporate data, customer information, patient records and advanced defense designs.

Certificate-based malware attacks come in many shapes and sizes. One of the most notable concerns is a compromised certificate authority (CA), such as what happened to the Dutch CA DigiNotar in 2011. That compromise allowed hackers to issue malicious certificates that appeared to be signed and legitimized by DigiNotar. A number of additional public CA compromises followed. The net result was that hackers used falsified certificates to execute man-in-the-middle attacks, fooling people into believing that a false website was in fact real. Not only were user credentials siphoned off, but users were also diverted to malicious sites. This is still a common practice today; malicious actors even go as far as to use SSL to disguise their activities over the network.

These examples are only a few in a string of many. Frequently, attackers take advantage of unprotected and weak certificates to authenticate and infect systems with malware, as was the case in attacks on Adobe, Bit9, GitHub and FreeBSD. In these instances, the cybercrime world learned that broken trust could be used not only to inflict damage on industrial systems, but also to take over what analyst and author Richard Stiennon refers to as the Holy Grail—the Microsoft Windows update system. In the case of Flame, by taking advantage of vulnerable certificates signed with a weak and outdated hashing algorithm, actors were able to fool thousands of computers running Windows and plant malware that stole information for an extended period.

The Bigger Picture

Why doesn’t the NIST report dive deeper into the role that certificates play in malware infections? It is likely because certificate and key protection is overshadowed by the focus placed on the malware itself. Moreover, many organizations and even researchers haven’t yet realized the role that broken trust plays in the malware attack chain. As a result, rather than looking at how they can reduce risk through better certificate protection practices, organizations continue to focus on the malicious code itself as opposed to the factors that erode trust.

Having helped hundreds of Global 2000 organizations secure trust by protecting the technologies that form the foundation of trust—keys and certificates—I have seen too many instances where both companies and governments place themselves at massive risk of attack because improperly secured certificates have opened doors to malware. I recently came across a retailer that estimated it had 5,000 active certificates within its organization. After using our technology to assess their network, we were able to demonstrate that they had more than 20,000 deployed. Lack of visibility into basic components of their trust infrastructure meant that 15,000 of their primary security technologies were vulnerable to hackers, cybercriminals and nation states intent on getting at their information.
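As an added illustration, not part of this column or of any Venafi product, the Go program below audits parsed certificates for the weaknesses the column keeps returning to: a signature made with an outdated hash (the Flame case), a self-issued certificate that no authority vouched for (the APT1 case), and an expired or soon-expiring lifetime, so that an inventory like the retailer's can be checked rather than estimated. The SampleCert generator and the subject names it is given are constructed test data, not certificates from any real environment.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditCert returns trust findings for one certificate: weak signature hash, self-issuance, lifetime.
func AuditCert(c *x509.Certificate, now time.Time) []string {
	var findings []string
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak-signature-hash")
	}
	if bytes.Equal(c.RawSubject, c.RawIssuer) { // issuer equals subject: nobody vouched for this key
		findings = append(findings, "self-signed")
	}
	if now.After(c.NotAfter) {
		findings = append(findings, "expired")
	} else if c.NotAfter.Sub(now) < 30*24*time.Hour {
		findings = append(findings, "expiring-soon")
	}
	return findings
}

// SampleCert builds a constructed self-signed test certificate (demo data, not a real inventory item).
func SampleCert(cn string, alg x509.SignatureAlgorithm, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(ttl),
		SignatureAlgorithm: alg, // the hash family is chosen here, as a legacy signer would
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip through DER, exactly as a scanner would see it
}
```

On a real estate the input would be the DER blobs pulled from key stores, servers and scans, fed to AuditCert one by one; a certificate tagged "weak-signature-hash" or "self-signed" is the kind of entry that inflates a 5,000-certificate estimate to 20,000 in practice.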

NIST should be commended for its efforts to educate security professionals. However, the latest reports prove to be only a starting point, as issues such as protecting encryption keys and digital certificates need to be addressed; otherwise the entire foundation of trust will remain compromised and unable to defend against any type of attack.

Jeff Hudson serves as CEO of Venafi. A key executive in four successful, high-technology start-ups that have gone public, Hudson brings over 25 years of experience in IT and security management. Prior to joining Venafi, Hudson was the CEO of Vhayu Technologies which was acquired by ThomsonReuters. Prior to Vhayu, Hudson held numerous executive leadership posts, including CEO and cofounder of MS2, SVP of Corporate Development at Informix Software, CEO of Visioneer, and numerous senior executive posts at NetFRAME Systems and WYSE Technology. He started his career with IBM. Mr. Hudson earned a B.A. in communications at the University of California, Davis.