In January 2015 it was predicted that the year would bring more attacks on trust involving digital certificates and cryptographic keys, the foundation on which cyber-security's trust is built. Those predictions proved correct: attacks involving misused keys and certificates recurred throughout the year. Gogo's man-in-the-middle (MITM) interception of in-flight traffic using forged certificates, Logjam, Superfish's shared root certificate, continued Heartbleed fallout and, most recently, Netcraft's analysis of certificates issued to fraudulent sites are all examples of the trust placed in keys and certificates being undermined.
According to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the past four years. The likelihood that these enterprises and public-sector organisations will again fall victim to an attack on trust is very high. This raises a number of worrying conclusions as we consider the threat landscape for the coming year.
To start with, the Certificate Authority (CA) model is broken and the value of a certificate is being chipped away, eroding trust. Recently we have seen newer business models with the launch of free certificate-issuing services through programmes such as Let's Encrypt and Amazon's new Certificate Manager. This ultimately means more certificates will be in use, giving cyber-criminals more opportunities: cheap, valid certificates for their own sites, more encrypted traffic to hide in, and more scope for MITM attacks.
Internet of Things (IoT) ransomware is also a growing concern. IoT devices all rely on keys and certificates for authentication and privacy, and those keys and certificates can be compromised by cyber-criminals. This risk was made explicit when security researchers demonstrated during Black Hat 2015 that GM's OnStar system could be hijacked. Looking ahead, cyber-criminals will take full advantage of the connected IoT world and demand ransom while threatening to take down entire networks. Using a MITM attack, cyber-criminals can intercept traffic between an IoT device and its 'mothership' and instruct the device to perform a malicious action, such as applying the brakes on a connected car, changing a plane's altitude, or administering too much morphine to a patient. A device that accepts any certificate its cloud endpoint presents, rather than validating it, makes that interception trivial.
It would come as no surprise, then, to see large security vendors lose customers, revenue and credibility because they cannot see attackers lurking in encrypted traffic. More encryption will create challenges for security vendors that cannot decrypt traffic, inbound and outbound, in real time. This is where cyber-criminals will have the upper hand: by hiding in encrypted traffic they evade detection of APT-style activity, and vendors wrongly assume the threat has been remediated. More encryption will once again grow the attack surface and leave criminals with more opportunities to attack.
Interestingly, this might lead the user community, and even the major browsers, to begin ranking CAs, as has already happened with CNNIC. Google and Mozilla no longer recognise CNNIC as a trusted root in their browsers, yet Apple and Microsoft still do. In a survey conducted at Black Hat USA 2015, 24 percent of respondents said they had removed CNNIC from their browsers' trusted roots, showing that user communities are starting to rank CAs themselves. To make matters worse, Netcraft research revealed that certificates had been issued to phishing and fraud sites through Comodo, Symantec, GoDaddy and Cloudflare (which is not a CA itself but provisions CA-issued certificates for its customers). Based on this, and on user behaviour towards CNNIC, it is fair to expect more ranking of CAs by user communities and even by the browsers themselves.
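The two defensive points made above, that a device must actually validate the certificate of its 'mothership' rather than accept anything, and that users are imposing their own policy on which CAs they trust, can be implemented at the TLS client. The following Python example is added here and is not code from the original article or from Venafi. It shows the insecure configuration that makes an IoT client trivially interceptable next to a hardened one, and then applies a local policy after the handshake: hostname matching with RFC 6125-style wildcard rules, an issuer deny-list (the constructed `DISTRUSTED_ISSUER_ORGS` stands in for whatever a given organisation decides to distrust), and an optional pin on the server certificate's SHA-256 fingerprint. All function names and the sample certificate data in the comments are assumptions for illustration.

```python
"""Added example: TLS client policy on top of platform chain validation.
Illustrative code, not from the article or any vendor; names are assumptions."""
import hashlib
import socket
import ssl

# Issuer organisations this client refuses regardless of what the OS trusts.
# Constructed policy for the example; tune it to your own risk assessment.
DISTRUSTED_ISSUER_ORGS = {"CNNIC", "China Internet Network Information Center"}


def _dn_to_dict(rdns):
    """Flatten the nested RDN tuples that SSLSocket.getpeercert() returns."""
    return {attr: value for rdn in rdns for (attr, value) in rdn}


def _hostname_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label: '*.example.com'
    matches 'api.example.com' but not 'a.b.example.com' or 'example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_fingerprint(der):
    """SHA-256 hex digest of a DER-encoded certificate (what you would pin)."""
    return hashlib.sha256(der).hexdigest()


def check_peer_cert(cert, hostname, der=None, pinned_sha256=None):
    """Return (ok, reason). `cert` is the dict from SSLSocket.getpeercert();
    `der` is getpeercert(binary_form=True) and is needed only when pinning."""
    if not cert:  # empty dict means verification was off: never accept that
        return False, "no verified certificate available (CERT_NONE?)"
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates without SAN: fall back to the CN
        cn = _dn_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    if not any(_hostname_matches(n, hostname) for n in names):
        return False, f"hostname {hostname!r} not in {names}"
    issuer_org = _dn_to_dict(cert.get("issuer", ())).get("organizationName", "")
    if issuer_org in DISTRUSTED_ISSUER_ORGS:
        return False, f"issuer {issuer_org!r} is locally distrusted"
    if pinned_sha256 is not None:
        if der is None:
            return False, "pin configured but no DER certificate supplied"
        fp = cert_fingerprint(der)
        if fp != pinned_sha256.lower():
            return False, f"fingerprint {fp} does not match pin"
    return True, "ok"


def insecure_context():
    """What a MITM-able IoT client looks like: any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Chain validation against the trust store plus a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_checked(hostname, port=443, pinned_sha256=None):
    """Handshake with the hardened context, then apply the local policy.
    Returns (tls_version, reason) or raises ssl.SSLError on policy failure."""
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=hostname) as tls:
            ok, why = check_peer_cert(tls.getpeercert(), hostname,
                                      tls.getpeercert(binary_form=True),
                                      pinned_sha256)
            if not ok:
                raise ssl.SSLError(f"policy rejected {hostname}: {why}")
            return tls.version(), why
```

`check_peer_cert` runs after the library has already validated the chain, so it only narrows what is accepted; it cannot rescue a client that was built with `insecure_context()`, which is why that function returns an empty `getpeercert()` and the policy rejects it outright. Pinning by certificate fingerprint is deliberately strict: rotate the pin before the certificate is renewed or the device will lock itself out.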
Lastly, the coming months will also see code-signing services for malicious code become the norm, as increased use of encryption creates more blind spots for organisations. Netcraft researchers recently discovered a malware code-signing service on the underground. It is one of the first services of its kind for malware signing and lets an attacker choose which CA's certificate to sign with, which will further drive CA rankings. We expect to see more services like this, given that signed malware is growing by 50 percent per quarter.
Within the space of just a few years, the security conversation appears to have moved on significantly. After a 2015 full of headline-grabbing data breaches, the industry as a whole seems to be developing a greater understanding of the evolving methods cyber-criminals favour. Yet the real danger will come down to whether the response is simply a greater focus on encryption, which on its own gives cyber-criminals a place to hide.
Contributed by Kevin Bocek, VP of security strategy & threat intelligence, Venafi