I Hunt Sys Admins’ SSH
Blog Article Published: 03/28/2014
KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
SSH keys again confirmed as a favorite target for advanced attackers - how will IT security fight back?

Newly leaked NSA documents from Edward Snowden, entitled “I Hunt Sys Admins”, show that sophisticated attackers are aiming to breach targets by taking aim at system administrators. Threatpost aptly described this strategy as the “biggest no-brainer.” A core part of this playbook is targeting SSH and the keys used to gain authenticated privileged access. Based on previous attacks, we must assume that adversaries of all types are also targeting system administrators and have the same or even more effective techniques. These sophisticated adversaries include nation states seeking to exploit intellectual property for economic benefit and organized cybercriminals motivated by profit.

The targeting of SSH comes as no surprise given The Mask APT operators’ and others’ hunger for SSH keys to infiltrate networks, gain administrator-level access, and keep it for a very, very long time. Part 4 of the leaked documents - “I hunt admins that use SSH” - demonstrates that attackers understand the opportunity SSH provides and its value for Computer Network Exploitation (CNE) - also known as owning your network, data, and business.

As previous Venafi research identified, an attacker with SSH is able to gain administrator-level access that travels over encrypted sessions and, in most organizations, will never expire. With 1 in 2 organizations never changing SSH keys, attackers fly under the radar and remain in a breached state, forever. And in recent conversations I’ve had with some of the world’s most sophisticated IT security teams, incident response teams indicated they don’t change SSH keys during remediation - perpetuating the insanity!

If organizations take just a few steps, they will have taken giant leaps in defending their enterprises from the assault on SSH and system administrators:
- Place IT security in charge of securing SSH: This has nothing to do with technology. System administrators are not security experts, yet they are self-policing the SSH keys that provide access to critical systems. IT security is best equipped to understand the threats and the security controls necessary to protect systems.
- Survey all keys, map key owners and access, and continuously monitor: No enterprise today knows who is responsible for all of its SSH keys or which servers, VMs, and cloud services those keys provide access to. Searching networks, servers, and endpoints to find all keys and map them to trusted key lists is no longer optional.
- Enforce key rotation policies: Probably the biggest step forward is treating SSH keys the way IT security has secured other critical systems. Replacing SSH keys at regular intervals (e.g. every 30 days, like your Windows password) limits the exposure from a possible breach: attackers must keep stealing keys to maintain access to your network and systems, which increases the likelihood of detection.
- Detect anomalies, respond fast: In addition to stealing keys, attackers are known to insert their own keys as trusted. These anomalies can be detected and instantly remediated if the current trusted state of keys is known and understood. Likewise, incident response teams must replace SSH and SSL keys whenever they perform remediation on systems, even if the compromise of a key is not suspected.
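The survey, rotation and anomaly steps above can be checked mechanically. The script below is an added example, not Venafi's code or tooling: it parses an authorized_keys file (a constructed sample whose key blobs are placeholder bytes, not real keys), computes OpenSSH-style SHA256 fingerprints, and reports keys that are absent from a trusted inventory (a possible inserted key) as well as inventoried keys past the 30-day rotation interval. The inventory layout, owner names and dates are assumptions made for the example.

```python
import base64
import hashlib
from datetime import date

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) for each key line, skipping blanks and comments."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # An options field (from=, command=, no-pty, ...) may precede the key type,
        # so locate the type token instead of assuming it is in column 0.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        yield fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])

def audit(authorized_keys: str, trusted: dict, today: date, max_age_days: int = 30):
    """Flag keys absent from the trusted inventory and trusted keys past rotation age."""
    findings = []
    for fp, comment in parse_authorized_keys(authorized_keys):
        if fp not in trusted:
            findings.append(("UNTRUSTED_KEY", fp, comment))
        elif (today - trusted[fp]["issued"]).days > max_age_days:
            findings.append(("ROTATION_OVERDUE", fp, trusted[fp]["owner"]))
    return findings

def _blob(label: str) -> str:
    # Constructed stand-in for key material (not a real key) so the example runs offline.
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed authorized_keys content
    f"ssh-ed25519 {_blob('alice')} alice@jump",
    "# managed by config management",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_blob("bob")} bob@ops',
    f"ssh-rsa {_blob('unknown')} backup",  # never inventoried: possibly inserted
])
TRUSTED = {  # constructed inventory: fingerprint -> owner and issue date
    fingerprint(_blob("alice")): {"owner": "alice", "issued": date(2014, 3, 20)},
    fingerprint(_blob("bob")): {"owner": "bob", "issued": date(2014, 1, 5)},
}

def run_sample():
    """Audit the constructed file as of the article's date; bob is overdue, 'backup' is unknown."""
    return audit(SAMPLE_AUTHORIZED_KEYS, TRUSTED, today=date(2014, 3, 28))
```

Pointing `audit` at real authorized_keys files and a real inventory turns the per-host check into the continuous monitor the list calls for; a key that shows up with no owner is the anomaly to investigate first.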