Is Your Encryption Being Used Against You? Why you shouldn’t blindly trust encrypted tunnels

White Paper
Overview

Encrypted tunnels are critical to our global digital economy—they make it possible to secure website transactions, mobile devices and a wide variety of system-to-system transactions. Organizations rely heavily on encrypted tunnels to protect data, and, usually, these encrypted tunnels are effective at keeping the data that flows through them secure and private. However, encrypted tunnels are not immune to cyber attacks; in fact, over 70 percent of network attacks target SSL/TLS tunnels.¹

To authenticate the machines that communicate through encrypted tunnels, organizations use a combination of cryptographic keys and digital certificates. These critical security assets create identities for machines that are the equivalent of human usernames and passwords. Once a machine identity is authorized and a secure tunnel is created, the sophisticated security controls employed by organizations to protect them against cyber attacks assume that the encrypted data that flows through the tunnel is secure and private.

However, cyber criminals routinely steal machine identities in order to use encryption to hide malicious activity. And as the use of encryption has expanded, this problem has grown exponentially. Organizations that realize the risks connected with machine identity theft believe the only way to protect themselves is to decrypt and inspect network traffic. While this strategy does reveal malicious activity, it is extremely resource intensive and seriously degrades network performance so most organizations are forced to use it very selectively.

This white paper explores how the most common types of tunnels can be misused by cyber criminals. It also outlines strategies for protecting tunnels that do not require decryption and inspection of all encrypted traffic.

Encrypted Tunnels at Risk

Although encrypted tunnels are meant to secure communications, attackers routinely use forged or compromised keys and certificates to create malicious tunnels or hijack legitimate tunnels to get malware in and sensitive data out. Once attackers have access to a trusted machine identity, they can encrypt malicious activities within tunnels and remain undetected.

Unfortunately, over half of organizations are unable to track all of the active keys and certificates that make up machine identities.² Because of this lack of visibility, rogue and compromised keys or certificates are extremely difficult to identify. This problem is compounded by the rapid growth in keys and certificates. DevOps projects, IoT and mobile devices are driving enormous growth in the number of machines on enterprise networks. As a result, key and certificate relationships are becoming much more complex.

Many organizations use manual tracking methods or basic databases to manage keys and certificates, but these solutions do not provide centralized oversight or the detailed information that is necessary to quickly identify a rogue or compromised machine identity.

The expanding number of machines is further complicated by the pressure to encrypt more data. As encryption is used more widely, more tunnels are created and more data flows through each tunnel. The only way to be certain that every tunnel on enterprise networks should be trusted is to have real-time intelligence on the identities of the machines connected to those tunnels. Also required is clear identification of where those tunnels are and, most importantly, the ability to confirm that a trusted source is using them.

How Encrypted Tunnels Are Used in a Cyber Attack

Typically, cyber criminals start with user credentials they gather via a phishing attack or purchase on the dark web. The attacker then uses these credentials to begin reconnaissance with the goal of identifying systems or applications that can be used as a beachhead for an attack. After a target is identified, the attacker uses stolen credentials or an unpatched vulnerability to gain entry through an email account, network or file.

Cyber criminals can hijack a machine identity to create or take over an existing encrypted tunnel in order to bypass layered security controls and deliver a malware payload. Because tunnel traffic is trusted, malware passes through undetected. And once deployed, it can establish additional tunnels to ensure a cyber attack will continue, even if access to the original tunnel is lost.

Once bad actors have established reliable network access, they can systematically gather high-value data, such as customer names, passwords and credit card numbers. Data is often collected on a staging server, so it can be exfiltrated via an encrypted VPN tunnel that is controlled by the threat actor. To cover their tracks, hackers remove evidence of their attack, but they often retain access to the encrypted tunnel. With this access, they can return at any time to continue gathering and exfiltrating data on the compromised network.


Tunnel Vulnerabilities

Any type of encrypted tunnel can be misused in a cyber attack. Virtual Private Networks (VPNs) are the most recognizable example of encrypted tunnels and are understood to be vulnerable, but many organizations do not realize that SSL/TLS and SSH tunnels are also susceptible. As a result, most organizations don’t provide adequate oversight for the full range of tunnels that travel into and out of their networks.

The relative vulnerability of encrypted tunnels depends on a variety of factors, such as the security of their protocols, their attributes and an organization’s overall awareness of how tunnels are being used. The following list examines the different types of encrypted tunnels used in most organizations and how cyber criminals typically misuse each of them.

IPsec Tunnels

Organizations use Internet Protocol Security (IPsec) to create a VPN that secures internet communication across an IP network. Frequently used to set up a tunnel from a remote site into a central site, IPsec verifies each session and individually encrypts data packets throughout the connection. A benefit of using an IPsec VPN tunnel is that it also can be used as a supplement to other security protocols, such as Layer 2 Tunneling Protocol (L2TP), providing a stronger security system. An L2TP VPN forms a tunnel between two L2TP connection points and another VPN, such as IPsec, to further secure communication between the tunnels.

Attacker Play: An IPsec/L2TP tunnel is most often used during the discovery and incursion attack phases. The tunnel is used to gain initial access to an organization, perform reconnaissance and establish a beachhead. This type of attack generally compromises only established VPN endpoints, because creating a new tunnel would require the attacker to penetrate perimeter layer defenses to gain access to the VPN administrative console—a much more technically complex task.

Site-to-Site VPN Tunnels

Large organizations use a site-to-site VPN to connect their main location networks to multiple offices and business partners. When tunnels connect two or more sites to form a VPN using the same ISP, they generally use Multi-Protocol Label Switching (MPLS). Because they are the most flexible and adaptable option, and because they speed up the distribution of network packets over multiple protocols, MPLS VPNs are preferred for site-to-site VPNs.

Protection of SSH keys is not a one-time task, but an ongoing security strategy that ensures your SSH environment remains secure.

Attacker Play: Attackers use site-to-site tunnels after they have compromised the initial internal system as part of a pivot portion of an attack. These tunnels are ideal for the reconnaissance phase of the attack—when attackers are trying to gain access to other network segments or devices. Because of the impact to performance, site-to-site VPN tunnels are rarely inspected, which allows attackers to go undetected while using them.

SSH Tunnels

The SSH, or Secure Shell, protocol is the most convenient way to administer remote servers and applications. Using several encryption technologies, SSH provides a mechanism for establishing a cryptographically secure connection between two systems or machines. By authenticating each machine via stored server and client keys, SSH allows them to securely connect to each other, bypassing the need for manually typed authentication credentials.

Attacker Play: SSH tunnels are an easy way for attackers to pivot across network segments and devices and are ideal for moving malicious payloads undetected between file servers and applications. Attackers can transfer concealed malware by using a compromised SSH tunnel, and, through phishing attacks, they are able to gain access to an administrator’s credentials or a system where their SSH keys are stored. SSH keys are increasingly sought after by attackers because they grant administrators privileged access to applications and systems.

Malicious insiders can also misuse the privileged access granted by SSH tunnels. Often, SSH tunnels are used to exfiltrate data from a file server because copying files is a routine, automated task used to transfer data between machines, and, since the data is encrypted, it’s thought to be safe.

SSL and TLS Tunnels

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common forms of tunnels. SSL/TLS tunnels provide a secure session from any PC browser to an application server and are used to secure web-based transactions, such as banking or payments. They are designed to restrict user access to a specific application instead of an entire network.

Attacker Play: The goals of attackers are to create false identities and steal data from their victims. They can do this via man-in-the-middle attacks where they take advantage of cipher and protocol vulnerabilities to eavesdrop on encrypted traffic. Or, they can use stolen keys to decrypt a session to steal data from victims.


Another very common attack is to set up phishing websites, either on the internet or on organizations’ intranets. Attackers use stolen or compromised certificates to establish an identity that the victims’ browsers will trust. The victims connect to the malicious site, establish encrypted sessions and, because they believe they are connected to a trusted machine, begin to send sensitive data to the attackers. Since HTTPS sessions are trusted and are rarely inspected by layered security technologies, these attacks often go undetected.

Using Machine Identity Protection to Secure Encrypted Tunnels

If you can maintain complete visibility over all the keys and certificates that govern machine identity, then you’ll have the intelligence you need to know whether a machine identity is valid or suspicious. You will also know whether the encrypted tunnels connected to that machine should be trusted. Controlling the machine identities that act as gates to your tunnels makes it possible for you to determine the legitimacy and integrity of the data that is flowing through them.

Here are six steps that will help you achieve high levels of visibility and control over your machine identities.

1. Discover all machine identities. The first step to better tunnel security is to perform continuous, automated discovery on internal systems that are capable of establishing encrypted tunnels, including at the file and keystore level. This will facilitate the discovery of rogue or compromised keys. Once you have an accurate inventory, you’ll have a resource that will help you verify whether a tunnel should be trusted.

2. Secure the lifecycle of keys and certificates. Securing your keys and certificates will help prevent them from being misused to create malicious tunnels. Automated machine identity protection will help you track all keys and certificates, enforce security best practices and promptly rotate, replace or remove outdated, rogue or compromised keys and certificates.

3. Continually monitor the health of your PKI. If not handled properly, even the process of collecting and distributing keys can introduce new security and compliance risks. Automating that process will help you eliminate human error and lower your risk of intrusion. Continuous monitoring of your key and certificate inventories will help you identify weak ciphers, vulnerabilities and anomalies.


4. Lock down privileged access. SSH tunnels are difficult to detect because most organizations don’t enforce security policies for SSH keys. It is important that you limit access control lists on SSH-enabled machines to only those that require connectivity to perform business functions. Enforce policies on transaction servers to lock down keystores and prevent creation of unauthorized keys.

5. Maximize decryption investments. To detect anomalous traffic in encrypted tunnels, many security solutions perform high-speed SSL/TLS decryption. But these systems cannot decrypt traffic if they don’t have access to an accurate, real-time, detailed inventory of all your keys and certificates. You need an automated PKI management solution that makes keys and certificates readily available to SSL/TLS inspection solutions.

6. Automate remediation for real-time response. In the event that you detect suspicious tunnels in your network, you’ll need to act quickly to shut them down. If you have an automated machine identity solution, you’ll be able to quickly isolate, revoke, replace and validate compromised certificates to block malicious access to legitimate tunnels.
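As an added illustration of what steps 1, 3 and 4 look like at the keystore level on a single host (example code written for this page, not Venafi's product or the white paper's own material): a small audit of an SSH `authorized_keys` file that parses each public key blob, computes its OpenSSH-style fingerprint, checks it against an approved inventory and flags undersized RSA keys. The inventory, the 2048-bit threshold and every key in the sample file are constructed assumptions; the RSA blobs use placeholder moduli and are not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
MIN_RSA_BITS = 2048  # assumed policy threshold; RSA keys below it are flagged as weak

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_rsa_blob(bits: int, e: int = 65537) -> bytes:
    # Constructed ssh-rsa wire blob with a placeholder modulus; not a real key.
    # mpint rule: a leading zero byte is prepended because the modulus' top bit is set.
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return _ssh_string(b"ssh-rsa") + _ssh_string(e.to_bytes(3, "big")) + _ssh_string(b"\x00" + n)

def fingerprint(blob: bytes) -> str:
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_bits(blob: bytes):
    # Returns (key type, bit length); only RSA needs its modulus parsed
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return ktype.decode(), 256 if ktype == b"ssh-ed25519" else None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return "ssh-rsa", int.from_bytes(n, "big").bit_length()

def audit_authorized_keys(text: str, approved: set) -> list:
    # One finding per key line; 'issues' is empty when the key passes both checks
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)  # skip options such as from=
        blob = base64.b64decode(tokens[idx + 1])
        ktype, bits = key_bits(blob)
        fp = fingerprint(blob)
        issues = [] if fp in approved else ["not in inventory"]
        if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            issues.append(f"weak RSA ({bits} bits)")
        findings.append({"comment": " ".join(tokens[idx + 2:]), "type": ktype,
                         "bits": bits, "fp": fp, "issues": issues})
    return findings

# Constructed sample: two inventoried keys and one legacy RSA-1024 key nobody recorded
BLOB_A, BLOB_B = make_rsa_blob(2048), make_rsa_blob(1024)
BLOB_C = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))  # placeholder key bytes
APPROVED = {fingerprint(BLOB_A), fingerprint(BLOB_C)}
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_AUTHORIZED_KEYS = (f"ssh-rsa {_b64(BLOB_A)} deploy@build01\n# legacy entry, owner unknown\n"
                          f'from="10.0.0.0/8" ssh-rsa {_b64(BLOB_B)} backup-svc\nssh-ed25519 {_b64(BLOB_C)} ops@bastion')
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)` reports the `backup-svc` key as both absent from the inventory and below the RSA size policy, which is exactly the rogue-or-outdated case the six steps are meant to surface; quoted option strings containing spaces are not handled by the simple tokenizer.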

In Summary

Many organizations feel that the only way to eliminate the blind trust of tunnels is to decrypt and inspect all encrypted tunnel traffic. However, this is rarely feasible because it can’t be scaled to cover all encrypted traffic. Additionally, decrypting all network traffic for inspection is not only resource intensive, but it can seriously degrade network performance—impacts that many organizations are not willing to accept. Moreover, organizations are also exposed to escalating security risks created by network attacks that use encryption.

There is another way to solve this problem: improving the oversight and management of the identities of machines used to gain access to tunnels. This gives organizations real-time visibility into any rogue or malicious tunnels. Tight control over keys and certificates makes it possible to quickly find and remove compromised machine identities and shut down tunnels being used for malicious purposes. This approach is more cost-effective and less resource intensive than attempting to expand decryption and inspection across all encrypted traffic, and it allows for automated remediation that quickly reduces exposure if an attacker does gain access to an encrypted tunnel.

©2017 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc.

Does Your Organization Blindly Trust Encrypted Tunnels?

Venafi helps organizations protect all types of machine identities by securing cryptographic keys and digital certificates for SSL/TLS, SSH, IoT, mobile and code-signing. We provide global visibility of all machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. We put this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities, which can be used to attack encrypted tunnels. This safeguards the flow of information to trusted machines and prevents communication with machines that are not trusted.

Trusted by the top: 5 of 5 Top U.S. Health Insurers, 5 of 5 Top U.S. Airlines, 4 of 5 Top U.S. Retailers, 4 of 5 Top U.S. Banks, 4 of 5 Top U.K. Banks, 4 of 5 Top S. African Banks, 4 of 5 Top AU Banks

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access. To learn more, visit www.venafi.com

References

1. Symantec. Internet Security Threat Report. Volume 21. April 2016.

2. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.