Keyfactor 2021 Predictions: What's Old Is New Again - Cryptographic Innovation Set to Dominate 2021 IT Security

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

What's Old Is New Again - Cryptographic Innovation Set to Dominate 2021 IT Security

By Chris Hickman, chief security officer at Keyfactor

Cryptography is one of our oldest security practices. It has existed for centuries, its application morphing over time. Cryptography has changed the way we secure daily activities and do business. The pace of digitization and distributed IT means that, when it comes to security, everything considered secure by yesterday's standards will become insecure in the future.

Businesses are addressing and adopting crypto management, but many have yet to fully embrace crypto-agile best practices. As 2020 wound down, security and IT leaders were taking stock of lessons learned from an already chaotic year - and then along came news of the SolarWinds breach. The attack, now known as SUNBURST, was first uncovered by FireEye with the theft of its Red Team tools, but deepened as investigators realized the full extent of the breach and identified the tools used by the attackers. As it turns out, misused X.509 certificates and keys were one tool the attackers used to infiltrate and spread laterally without detection.

Behind the Attack: X.509 Certificates

An article released by the Microsoft Security Response Center last month summarizes the technical details that facilitated the supply chain attack:

  • Infiltration: A trail of breadcrumbs leads us back to SolarWinds, where attackers modified source code to include a malicious backdoor, which was then compiled, signed and delivered unknowingly by SolarWinds to nearly 18,000 customers via their software update and code-signing systems. The initial breach was not the result of a stolen code-signing certificate, but the tampered library was signed by a valid (albeit compromised) certificate. This raises concerns about the weaponization of trust. Similar supply chain attacks involved the theft of code-signing certificates or compromised signing systems, including the attack on ASUS last year.
  • Proliferation: According to Microsoft, "once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization's global administrator account and/or trusted SAML token signing certificate." In this case, attackers forged SAML tokens and signed them with legitimate, compromised certificates to impersonate trusted users and accounts, allowing the attacker to move laterally.
  • Persistence: In some cases, attackers made modifications to Azure Active Directory settings to gain long-term access, including "adding credentials (X.509 keys or password credentials) to one or more legitimate OAuth Applications..." Once they have gained a foothold, the next priority for attackers is often finding ways to stay inside. Here they leveraged X.509 certificates to create legitimate OAuth access to the network.

Beyond SolarWinds

The key lesson here comes back to the need to effectively track and monitor the use of certificates across applications, cloud services and network infrastructure.

Here are five best practices teams can use to mitigate misuse of keys and certificates in their own environments:

  1. Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
  2. Segregate duties between who is authorized to sign code, who can approve the request and who can monitor and enforce compliance with signing policies.
  3. Maintain an active inventory of all certificates, where they are installed, who they were issued from and who owns them (and your domains).
  4. Control certificate issuance and approval workflows to ensure that every certificate is trusted, complies with policy, and up to date.
  5. Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.
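The practices above only help if they are checked continuously against a real inventory. The following is an added example, not code from the article or from Keyfactor, of a policy audit run over a constructed certificate inventory: the record fields, approved CA names, revocation list and serial numbers are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory record; field names are assumptions for this example.
@dataclass
class CertRecord:
    serial: str
    subject: str
    issuer: str
    usage: str          # "code-signing", "tls", "saml-signing", ...
    key_store: str      # "hsm", "file", "workstation", ...
    location: str       # host or service where the cert/key is installed
    owner: str          # accountable team or person ("" if unknown)
    not_after: datetime

# Constructed policy, one check per practice listed above.
APPROVED_ISSUERS = {"CN=Corp Issuing CA 1", "CN=Corp Issuing CA 2"}
REVOKED_SERIALS = {"0x1f3a"}          # constructed revocation list
EXPIRY_WARNING = timedelta(days=30)

def audit(records, now, approved=APPROVED_ISSUERS, revoked=REVOKED_SERIALS):
    """Return (serial, finding) tuples for every policy violation found."""
    findings = []
    for r in records:
        if r.usage == "code-signing" and r.key_store != "hsm":   # practice 1
            findings.append((r.serial, f"code-signing key held in {r.key_store} on {r.location}"))
        if not r.owner:                                          # practice 3
            findings.append((r.serial, "no accountable owner recorded"))
        if r.issuer not in approved:                             # practice 4
            findings.append((r.serial, f"issued by unapproved CA {r.issuer}"))
        if r.serial in revoked:                                  # practice 5
            findings.append((r.serial, f"revoked certificate still installed on {r.location}"))
        if r.not_after <= now:                                   # practice 4 (up to date)
            findings.append((r.serial, "expired"))
        elif r.not_after - now <= EXPIRY_WARNING:
            findings.append((r.serial, f"expires in {(r.not_after - now).days} days"))
    return findings

# Constructed sample inventory: one compliant entry and three with problems.
NOW = datetime(2021, 1, 27, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("0x0a01", "CN=Build Signing", "CN=Corp Issuing CA 1", "code-signing", "hsm", "signing-svc", "release-eng", NOW + timedelta(days=400)),
    CertRecord("0x0a02", "CN=Build Signing (old)", "CN=Corp Issuing CA 1", "code-signing", "file", "build-01", "", NOW + timedelta(days=10)),
    CertRecord("0x1f3a", "CN=ADFS Token Signing", "CN=Corp Issuing CA 2", "saml-signing", "hsm", "adfs-01", "iam", NOW + timedelta(days=200)),
    CertRecord("0x0b10", "CN=api.example.test", "CN=Some Public CA", "tls", "file", "web-03", "platform", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for serial, finding in audit(INVENTORY, NOW):
        print(serial, finding)
```

In practice the records would be pulled from the certificate management system and the revocation list from the CA, and the findings routed to the owners recorded in the inventory.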

The truth is that there is no silver bullet when it comes to preventing sophisticated attacks, but the lessons we learn from these breach events go a long way in strengthening our defenses and potentially catching similar threats before they can exfiltrate data or do damage within our networks.


About the Author

Chris Hickman 

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor's leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor's platform and capability set. For more information visit: or follow @Keyfactor on Twitter and LinkedIn.

Published Wednesday, January 27, 2021 7:45 AM by David Marshall