The Noise Before Defeat: A Focus On Cybersecurity Tactics

By John Walsh, director of product marketing, SSH Communications Security

While everyone is busy addressing the most recent cybersecurity threat in the news, the fundamental flaw in their company’s cybersecurity strategy is often overlooked.

While it is imperative to stop the type of attacks making headlines today, a determined attacker can and will get inside your network. The goal of the initial breach is to spread the attack, and the best way to do that is to steal credentials such as SSH keys. SSH keys are access credentials for the SSH protocol, similar to passwords, prevalent in most Fortune 500 enterprise computing environments.

SSH keys grant access to critical company infrastructure and proprietary data. Stealing SSH credentials is the way attackers turn a relatively small breach into one of the large multimillion-dollar catastrophes in the news that can cause a company’s stock to the tank and to miss earnings projections.

Focusing simply on the latest type of malware, ransomware or phishing attack in the headlines is a focus on tactics with no overarching strategy. According to Sun Tzu in The Art of War, this is the noise before defeat:
Strategy without tactics is the slowest route to victory. Tactics without strategy are the noise before defeat. – Sun Tzu

There is a common theme with a number of recent attacks. The attackers are after user credentials, like SSH keys, in an effort to spread the initial breach to critical system infrastructure. This allows an attacker to access machines that would have otherwise been immune to the malware, ransomware or phishing attack. There are many examples of this breach strategy being deployed in the news recently.

SSH Keys in the News
On July 6, 2017, WikiLeaks published documents purportedly from the CIA Vault 7 breach. These documents contain user manuals for tools capable of stealing credentials and metadata from active SSH sessions. These tools can extract SSH keys and their passwords from memory while the SSH session is active. A common defense against SSH key misuse is to password-protect your keys, but an attack like this renders that technique useless. The threat of phishing tools, built by anyone or any government, that can steal credentials such as SSH keys is real. The protocol itself is still safe, but credential theft through human error, phishing or hacking is a growing issue.

The biggest cyber attack in the world to date is the WannaCry ransomware attack. This attack impacted hundreds of thousands of computers in as many as 150 different countries and a range of business segments including healthcare, retail, government, and finance. It is also now coming to light that the ransom demand was a distraction for a much more sinister and invasive attack to steal employee’s credentials. This explains why the attack seemed so sloppy in achieving its perceived goal of collecting ransom; so far only about $129,000 has been collected by WannaCry.

Stealing employee credentials is not a new strategy. There are other examples of this, such as the devastating Sony Pictures attack where credentials were again stolen to spread the initial attack.

Why Steal SSH Keys?
An attacker doesn’t need to be sophisticated or well funded to breach and steal credentials. The Iranian cyber espionage group known as the CopyKittens has shown far less sophistication when compared to other top hacking groups. They do not use the latest exploits and hacks such as 0-days, and their tools are considered inferior. Yet they have still managed to exfiltrate large volumes of data from government organizations, academic institutions, and IT companies across the world. They have done this by using malware that steals credentials and then uses those credentials to steal more credentials to move across the compromised network.

Advanced malware and hackers have been collecting SSH keys for years because:
• SSH keys provide a long-term backdoor, and they can be used to spread the attack from one server to another, across nearly all servers in an enterprise, including disaster recovery data centers and backup data centers.
• The keys often grant access to credit card payment environments and financial data environments in public companies.
• The keys commonly provide root or administrator access, thus allowing installation of malware, compromising of software or even outright destruction.

The Danger of Poor Management
Most large organizations have far more SSH keys than they have servers or user accounts. For example, in one typical financial institution, 3 million SSH keys were found granting access to 15,000 servers. That is an average of 200 keys per server. Most organizations have SSH keys granting access that is no longer necessary, not compliant, or redundant. No wonder SSH keys are an attractive target for both insider and external attackers.

Once an attacker breaks into one server, it is highly likely that the attacker will find one or more private keys from that initial server. The attacker can then use these discovered private keys to log in to other servers—typically more than one—and again find private keys from these servers. Repeating this quickly spreads the breach and exposes more and more of the target network.

What’s Your Strategy?
Your strategy should be to mitigate the damage a sustained attack can cause after the initial breach by protecting the credentials used to spread the attack across your network. This strategy protects your network against both external and insider threats. It makes no sense to prioritize security against ever-changing threats, such as the latest hacking exploit or malware while leaving what the attackers are really after, credentials like SSH keys, unguarded.

To effectively address SSH key management issues in your environment, you need to understand, first and foremost, who has access to your most critical infrastructure. It’s important to get control of which SSH key-based access may have root access in your environment and, more importantly, how deep the transitive trust of this access extends. The question to be answered here is, “If I breach one root key, how deeply can I penetrate into the environment?”

You also need to understand which SSH key-based trusts are for interactive usage, and which are related to service accounts. Each key-based trust, regardless of its usage, should be assigned back to an individual owner in the environment to establish accountability.
Where SSH user key-based trusts are in use, it is critical to ensure the clear separation of duties. This means having a clear understanding of what key-based connections may be running across development to production environments and re-establishing clear IP source and command restriction accountability of all key-based access within the production environment.

Playing it Safe
Leveraging unmanaged SSH keys allows the attacker to establish and expand a foothold in the target networks, and an attack like this may quickly spread through your entire environment. To avoid becoming the next victim, design a robust SSH key management strategy using the principles outlined above.

About the Author
John Walsh serves as director of product marketing at SSH Communications Security, where he is focused on raising industry awareness of risk and compliance issues of unmanaged credentials. John has more than 15 years of experience in the IT security industry, having held product management, product marketing, and software engineering positions at IBM and SSH Communications Security. Prior to joining the company, he worked at IBM, where he obtained a patent, contributed to solutions guides and designed a number of key software features for security products such as SSH, LDAP, Firewall and Java Cryptography. John holds a BS in Computer Science from Binghamton University as well as an MS in Management Information Systems from Marist College. For more information please visit the SSH company website at www.ssh.com