
BSidesATL 2020 - Detect: Crypto-Agility: Responding Quickly to Cybersecurity Events

BSides Atlanta · 30:21 · 24 views · Published 2020-04
About this talk
Today, organizations rely heavily on TLS and other encryption protocols to protect data inside and outside their network boundaries. However, most enterprises are at risk because they are not maintaining crypto-agility, which is the ability to quickly replace encryption certificates and keys in response to security events, including a certificate authority (CA) compromise, a vulnerable algorithm, or a cryptographic library bug. To achieve crypto-agility, organizations must not only be able to quickly respond to mass certificate replacement events but must also be able to demonstrate policy compliance of all certificates and identify any anomalies. To ensure the security of their encryption is maintained, businesses must know where all their encryption certificates and keys are and be able to quickly and securely replace them. Yet most organizations don’t even have a central inventory of these critical security assets. Digital transformation and the expanding definition of machine are exacerbating this challenge with overwhelming growth in the number and complexity of machines—requiring the use of certificates and keys with cloud instances and containers, industry-specific and IoT devices, and other modern applications for authentication and secure machine communications. With this lack of visibility and extreme growth, organizations are not prepared for bulk replacement of keys and certificates in response to a security event. This session starts with an overview of the threats and risks that make crypto-agility a requirement for all organizations. The session will also highlight where organizations have had advance notice of impending large-scale crypto incidents, but most were not, and are not, ready to respond.
The session will help attendees evaluate the current certificate management maturity and crypto-agility of their organizations, followed by a vendor-neutral, actionable plan for achieving crypto-agility to successfully respond to certificate security events.
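An added example, not material from the talk or from any vendor: a small sketch of the central inventory and policy-compliance check the abstract describes, which also lists what must be replaced, per owner, when an issuing CA is distrusted. The field names, policy thresholds, issuer names and inventory rows are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy thresholds for illustration; take real ones from your standard.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "banned_sig_hashes": {"md5", "sha1"},
    "max_lifetime_days": 398,
    "renew_window_days": 30,
}


@dataclass(frozen=True)
class CertRecord:
    """One inventory row: a certificate as installed on one asset."""
    asset: str
    owner: str
    subject: str
    issuer: str
    key_alg: str
    key_bits: int
    sig_hash: str
    not_before: date
    not_after: date


def violations(rec, today, policy=POLICY):
    """Return the list of policy findings for one inventory row."""
    out = []
    floor = policy["min_key_bits"].get(rec.key_alg)
    if floor is None:
        out.append(f"unapproved key algorithm {rec.key_alg}")
    elif rec.key_bits < floor:
        out.append(f"{rec.key_alg} key {rec.key_bits} < {floor} bits")
    if rec.sig_hash.lower() in policy["banned_sig_hashes"]:
        out.append(f"banned signature hash {rec.sig_hash}")
    if (rec.not_after - rec.not_before).days > policy["max_lifetime_days"]:
        out.append("lifetime exceeds policy")
    if rec.not_after < today:
        out.append("expired")
    elif rec.not_after - today <= timedelta(days=policy["renew_window_days"]):
        out.append("expires within renewal window")
    return out


def replacement_plan(inventory, today, distrusted_issuers=frozenset()):
    """Group every row needing action by owner: policy findings plus any
    certificate chained to an issuer that can no longer be trusted."""
    plan = defaultdict(list)
    for rec in inventory:
        reasons = violations(rec, today)
        if rec.issuer in distrusted_issuers:
            reasons.insert(0, f"issuer distrusted: {rec.issuer}")
        if reasons:
            plan[rec.owner].append((rec.asset, rec.subject, reasons))
    return dict(plan)


# Constructed sample inventory. The same certificate appears on two assets,
# so a single replacement event touches more than one place.
TODAY = date(2020, 4, 1)
CA1, CA2 = "Example Issuing CA 1", "Example Issuing CA 2"
INVENTORY = [
    CertRecord("lb-01", "web-team", "www.example.test", CA1, "RSA", 2048,
               "sha256", date(2019, 10, 1), date(2020, 10, 1)),
    CertRecord("lb-02", "web-team", "www.example.test", CA1, "RSA", 2048,
               "sha256", date(2019, 10, 1), date(2020, 10, 1)),
    CertRecord("vpn-gw", "network", "vpn.example.test", CA2, "RSA", 1024,
               "sha1", date(2018, 1, 1), date(2021, 1, 1)),
    CertRecord("build-7", "platform", "ci.example.test", CA2, "EC", 256,
               "sha256", date(2019, 4, 20), date(2020, 4, 20)),
    CertRecord("iot-hub", "ops", "hub.example.test", CA2, "EC", 256,
               "sha256", date(2020, 1, 1), date(2020, 12, 31)),
]

if __name__ == "__main__":
    for owner, items in replacement_plan(INVENTORY, TODAY, {CA1}).items():
        for asset, subject, reasons in items:
            print(f"{owner:9} {asset:8} {subject:18} {'; '.join(reasons)}")
```

Passing a set of distrusted issuers turns the same inventory into the worklist for a CA-compromise event; with an empty set it is a routine compliance report.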
Transcript [en]

You know, once again, we would not be where we are today without the involvement and sponsorship dollars that came in from these fine organizations, and so we want to thank them again. And so for those of you who have been in this track all day, sorry, you're going to continue to see this, but it's important for us to acknowledge the sponsors who really did stick with us today as we transitioned from a physical to a virtual event. So starting again at the top: the diamond level, WarnerMedia; at the gold level, my bosses at Kennesaw State University, the Michael J. Coles College of Business, my home department, the KSU Department of

Information Systems; Bishop Fire... Bishop Fox, trying to merge two names there, sorry, Bishop Fox and Coalfire; also Genuine Parts Company and NCR. At the crystal level, Critical Path and Synopsys. At the silver level, Aaron's, Binary Defense, Black Hills Information Security, Corelight and GuidePoint Security. Coming in at the bronze level this year was NCC Group. And I want to give a shout-out to our in-kind sponsors at EC-Council for the training, the paid training opportunities that they offered yesterday, and I also want to acknowledge Secure Code Warrior for coming in and offering to run an online CTF birthday, which is actually ongoing in its own track. Additionally, we would like to

thank the following individuals and organizations for making contributions to our raffle prize effort: Mike Kosta and Crosshair Information Technology, Joe Gray and Offensive Security, and PentesterLab. And so with that I will stop yapping, and I will now introduce our next speaker from this piece of paper. Coming up next is Bart Lenaerts, and he's going to talk with us about crypto-agility and how to respond quickly to cybersecurity events. So give me a minute here to stop sharing my screen, and Bart, the floor is yours.

Awesome, excellent, thank you so much, Andy. Awesome job on the BSides team for organizing; the way it is organized, it's an incredible job.

Well, thank

you very much. These last two weeks have been the longest year of my life, but we're glad to have been able to pull it off, and we can't thank our sponsors enough and we can't thank our speakers enough. So yeah, we appreciate the kind words, thank you.

Okay, thanks again. I think it's an example for many, many other organizations. All right, so I'm going to take about 25 minutes to talk about crypto-agility, and it's actually very interesting the way this presentation gets into the sequence, because we just talked about detecting, and the great demo that was shown around detecting and investigating, but what do you do next?

Let's say you find something: how do you react, how are you going to track, and how quickly can you react? And so crypto-agility is really about that: quickly responding to cybersecurity events, but a specific type of cybersecurity events, and that's what we're going to talk about. So we're going to talk about those crypto events, actually, that could happen in your environment. Good morning everyone again, my name is Bart Lenaerts, I'm a product marketing manager at Venafi. I've been active in the security industry for the last, I would say, 15 years, mostly on the tech side, and more recently on the access and encryption side. All right, so before we're going to jump into the

deep technical stuff, I want to introduce a friend, or actually a foe, it's not a friend on earth, but someone that most of us know in the name of Cerberus. Cerberus, also called Kerberos in Greek mythology, was actually the hound of Hades, and what was special about him is that this guy was actually watching the underground, or the underworld, to prevent the dead from leaving. And actually Kerberos as we know it, the authentication, is sort of a mechanism to keep everyone inside, and that was actually what this guy was doing: he was keeping the dead inside, keeping them inside the underworld. But the reason we're going to talk about him now is about something else, and that

is that this guy was not a normal guy: this guy had three heads, right, and all of those heads could attack, and potentially at the same moment. And that's what we see often in an incident, in a security incident: it's not just one thing, but often it's a combination of things. It's a combination of a human error or an exposure or a vulnerability, so it's a combination of multiple things. And so when we talk now about crypto, crypto can be attacked by Cerberus in many, many ways, and that's what we're going to talk about, because, let me now introduce how we get into cryptography and encryption, is that the world as we know it today is a

hyper-connected world, right. It's like millions, trillions maybe, of devices that have been interconnected, and, well, have we done reasonably well? We introduced, well, recently, I would say 10 or 15 years ago, all these connections; they enable everything from financial institutions to critical infrastructure to manufacturers around the world to IT services, whatever. And because it's all originally, well, sort of mostly unencrypted, we added encryption to this so that the communication is secure, cannot be looked at; it's protected, the information is protected. Actually, also, the protocol that has been used for this that we know most is of course SSL/TLS, an encryption protocol that is using public/private key encryption technology: basically the originator of the data

holds a private key and then sends only a certain part out, the public part, that then has been used for decrypting the entire channel, right. So again, when we talk about encryption we talk about those keys, public/private keys, but let's go back to our friend, or fiend, Cerberus, because what can happen now is that one of those heads is actually sometimes human error. Because what can happen sometimes is that the certificates, let's say the source of a key, right, a certificate is nothing else than someone saying that you are who you are, and here is an attestation of it, and here is a certificate. I mean, that certificate is a key that you can use

for setting up your public/private one, or actually your private one, and then other than to extract your public one. That key has a lifetime, that certificate has a lifetime, and it varies somewhere between 30 days to maybe a year, depending where you use it, on the type of certificate you're using, and which specific environment you're going to use it in. But what can happen is that the certificate can expire, and when it expires, what is going to happen now is that one of those services is no longer able to encrypt the data, and so now that service may shut down. And so now what is happening is that we set up all these different services, these

connections, the encryption and decryption is no longer working, and suddenly we get a huge outage that can take very big implications, very big proportions. And so one of them was actually, I think a year and a half ago, which was the O2 outage, which was a service provider, a telco in the UK, and when the O2 mobile net failure, or the O2 network, went down, it was because of an expired software certificate, and it impacted not just an individual service anymore but impacted a total of 30 million people, which was quite a lot actually. And that's one of the biggest instances that I have seen, that I have witnessed over the last couple of years. There was one more recently, maybe

you remember, Microsoft Teams that went out, I think in February, I think it was the beginning of February; Microsoft Teams went down. Why? Because a certificate went down, and now there was a certain stream of connections that was no longer able to be built. All right, so that's one risk, that's one of those heads that can come to you and attack the cryptographic world. Another threat is now especially around the libraries, but even more about what I would call the specific libraries that could be impacted. Each library, each software library, has vulnerabilities, right, and there may be bugs inside there, and those bugs could be exploited, and once it's exploited and someone finds a way to get in, now what can happen is

that someone could create a certificate, or not just a certificate, could create a message actually, and start exploiting this. And an example that we have seen there, which is somewhat related, is the Equifax issue. What happened with Equifax is that, just as any other software, a specific software instance at Equifax had a vulnerability, so an attacker was scanning the map; they found the Equifax server, there was a specific server which was about dispute resolution, a specific server, and attackers were able to exploit the Apache over there, they were able to go deeper, go to the database, and started extracting the data. And how did they extract it? Well, they extracted it over

an SSL/TLS, over an encrypted channel actually. And so although the problem was initially there, right, because that got exploited, they went on for 76 days, because the IT team, the security team, in that moment was not able to detect it, because the extraction was happening over an encrypted channel. And the reason behind it actually was that one of those certificates expired: the certificate required to inspect the traffic expired or wasn't refreshed, and there was no way to inspect the traffic. So you can see the gun is now almost turned against you: so yes, there's a vulnerability, but then using the encryption against you as a weapon now to go undetected is sort of the third,

the second head that that animal that I was just showing, Cerberus, can point at you. And then there's a third one, which is of course about the algorithms; we talked a little bit about that and how each algorithm can have vulnerabilities, but what if those algorithms, encryption algorithms, are also being exposed and being compromised, now, I would say, at the CA level? So what is a CA, does anyone know? Usually I ask questions; this time it's going to be a little bit harder. But CAs are certificate authorities; those are the instances that will give you a certificate for a certain amount of time. Well, those entities are also not without

any risk and also have been compromised, and we'll give a couple of examples later on. And I think it was recently where Let's Encrypt actually was issuing a statement that there was a certain amount of certificates that were not issued in the right way, or have a certain vulnerability, or need to be reissued again. It's okay for me, where I'm only managing one or two websites and I can reissue it again, but if you have a couple of hundreds, maybe a couple of thousands, of areas where you need to reissue those certificates again, it can take quite a lot of time, and you need something bigger for this. Bottom line here is, this is of

course what is happening. Bottom line, this was my intro, now ten minutes into the presentation, but my intro was that I'm showing examples of how cryptography can be used against you, and how Cerberus, the guy, the hound actually of the afterworld, almost, can look at you and start throwing things at you. One of them is outages through human error, or human error related to outages; it can be cryptographic bugs, and we'll talk about it later on; and it can be a CA compromise, or a certificate authority that you're using actually for the encryption, and it's somehow compromised, and now you need to react to this. And so what is

crypto-agility? Now, crypto-agility is being able to handle those things. All right, so what I've done now is simply explain: cryptography is great, crypto is awesome, we need it, but there are some gotchas with it that you have to prepare for. So here's a couple of things I'm going to talk about. This presentation is usually an hour, and I'm skimming it down to 25 minutes. We can again talk a little bit more about crypto-agility, what others are saying about it, and a couple of examples; we're going to talk about specific risk mitigations that you have to take, what is the mitigation, how can you mitigate those risks; and then I'm going to point out a couple of resources that

you can download and start using. So bottom line, I used the example of Cerberus, but actually what is crypto-agility? Crypto-agility describes actually a way to implement encryption to ensure that the algorithm can be replaced quickly without changing the function of the application. All right, that is a description that comes directly out of a Gartner document. So it's basically about: are you able to handle those without changing your application, and doing it very, very quickly actually. And a prediction that Gartner has said is that next year organizations who have this will suffer sixty percent fewer related security breaches than those without the plan, and I'm going to give

a link later on where you can download this document and read more about this. But now let's give a couple of very, very specific examples, recent examples, of how crypto-agility came to the surface, and how important it is and how deep it can go sometimes. So, another example of a specific type of attack that needed crypto-agility: the Flame malware. Maybe you've heard about this; Flame malware, also known as Flamer or Skywiper, is actually a modular malware. It was, I think, discovered already in twenty fourteen or fifteen, but it was a very large program, it was a scripting language actually, and what it would do is it would inject code into various processes, very stealthy, and what it

would do is it would actually try to compromise, it would start breaking different algorithms inside the compute engine, and then it increased the computing capabilities and it would start breaking SHA actually, which is one of those encryption signing capabilities that is used. Now, a very specific example of how it was misused; so this is just showing the malware breaking in, or breaking one actually, but what really was happening was the following, and it's a true example that happened. Everyone knows about Windows and how Microsoft sends out Windows Update packages, right. What they do is they create a package, they sign it, they sign it by using their own root

CA and intermediate CA signing certificate, and so they sign it through a chain of trust, a hierarchy of trust actually, and then they send it out to individual devices, right, and then you download it and you install it. Now guess what, what's happening is that there are multiple of these chains, and one of those chains was the Terminal Services CA, which is especially around the terminal services from Microsoft, and attackers were able to go in, and that was still using MD5 actually, and create a fake or a wrong certificate, and then they were signing some software with the trust of Windows Update actually, and sending this out. So they were sort of pivoting off that

top hierarchy and then using one of the keys, one of the certificates actually, to sign malware, and that's how this signed malware got out and was able to reach out to, I think, thirty thousand devices in total. So bottom line here is that the Flame malware actually exploited this, was able to pivot off, take one of those compromised certificates and then sign malware with this and distribute it out. So again, a weapon being used against you, against us. Okay, another example that I have is specific cryptographic bugs that you may have heard about; it really got in the news, I would say, five years ago: Heartbleed, Infineon, Debian was one of them, all

examples where there are bugs in cryptographic libraries and they allow the attacker to get access to the keys, to get access to them, break them, and that happened and more than likely is going to happen again. Now a third example, actually I'm going a little bit quicker now, a third example is all about CAs being compromised, right, or certificates from a CA being compromised. One that was very recent was NordVPN, a VPN provider, and that happened recently, last year, where again one of those certificates got compromised; I think it was a private key that got compromised, or the wrong one was issued to them, and of course now they use a certificate for encrypting some of the VPN network

connections, and that led to, of course, less secure connectivity. So bottom line here is, what are these different cyber incidents, cyber encryption events, that could happen? It is about abusing the trust, right; it's malicious activity that violates the trust between you as a consumer and the CA that is issuing this, and that is a big one: when that chain of trust is compromised, all bets are off. It's also about hackers trying to use those for specific purposes; it could also be about business partners, right, who have maybe used the wrong certificates in connecting to you, and maybe the data is going through the wrong area; it could be

technology malfunction; the human errors that we talked about, both on the expiration of the certificates as well as the implementation, where you do this; and a little lack of internal controls actually, in how you're going to do it. Bottom line, I'm showing here a set of examples around how encryption can be used against you and the need to be able to react to this, and that's what, in the last five minutes, I'm going to talk about: what can you do now. I'm not going to talk about specific products; I'm going to say what are the standards, what are the best practices, what you can do to get prepared for this. And it's actually relatively simple; it's actually three things. The first

thing you need is establishing a very comprehensive inventory, right: making sure that you have somewhere a database, that you set up somewhere a certificate inventory database, you discover your network, and you start storing all those certificates in that database. The second thing that you have to do is now being able to set that database between the individual systems and the different CAs where you're getting them from, so sort of a step in the middle actually. And basically what you can do is, when you discover this, and you can do that agent-based or agentless, now you get a clear view, you can start building a clear view for an individual;

it can be the PKI team, but it also could be your InfoSec team, who's really in charge of all the individuals and protecting the different businesses and the information inside the business. But that individual, whether it's the PKI team or the InfoSec team, is now able to get the global overview about where actually the pivot is, where they are coming from, what are the individual devices, assets, that I have that need this, and what are now the specific certificates that I have in my environment. And so this gives you a better overview also around the timing, and this inventory can now give you a little bit of better views. So it

can give you an overview about the key lengths: is the right key length in place? Is the right key algorithm in place? Are there old algorithms, are they no longer being used, right, can I replace those? The signing algorithms, the locations, the owners, the expiration time, any specific regulation; so if you are under specific regulations, you have specific guidance around which type of keys need to be used, maybe the reissuing and the rotation frequency. And then last but not least, make sure that you have an overview about which assets, and which certificates on those assets, are being linked to which CAs, which are the issuing certificate authorities that are

providing this, so that when something happens at that CA level you can act on this. But the first step is: make sure you have a comprehensive inventory, and it's not a one-to-one, it's really a one-to-many, it can be one-to-many. What I mean with this is, it's an asset, it's a certificate, and then it's all those different attributes that you have to make sure you have a view on. All right, the second thing that you have to do is establish policies, create clear policies, and that can really depend on the environment that you have; maybe you need multiple types of policies. Do you have to create them by yourself? No, you don't have to; there is something called

NIST 1800-16B, which describes this in very, very good detail, so if you have time I really suggest to take a look at this. It describes how to establish SSL certificate policies, which are the ones; it talks about inventory; it will talk also about the service, what is sort of the service that you have to deploy, that you have to get installed so people can work with it, and what are now the specific requirements, key length, all those things, and it's very well described. So my suggestion is take a look at this. Also, this section, this regulation from NIST, will really talk about crypto-agility, and it will describe the capability on how you need to replace that; it will indicate that you really need that capability to replace large numbers of certificates and private keys, to resist things like quantum computing and other things. And I think the current recommendation is being able to replace all your keys within two days; that's sort of the high level. Now, do you want to tell your manager, "Well, give me two days to replace those critical services"? No, you don't want to tell that, so if you can do it quicker, it's definitely a bonus on this. All right, merit was one of those, and I'm going a little bit quicker here, where they were not able to do that quickly. And the last

thing that I want to talk about, because my time is almost up here, is: so there are three things: inventory, policies, right, and apply those policies now against the inventory so you can get the intelligence, and the third thing is now be able to automate the management and replacement. So basically when you have, let's say, a self-service where the individual lines of business could request certificates and you hand those out, you can then not just hand those out but you can also orchestrate the deployment of those certificates immediately, whether it is provisioning services or an API that you're using. SSH is another good example, where you want SSH, especially today when more and more IT admins are remote; you want

SSH, but there's a key part to this again, so how are you going to manage that key, and how are you going to manage that key deployment? Are you going to make sure that the right private keys are in the right place and that nothing is orphaned, that none of the private keys are gone and left the building or somewhere else? Anyway, so that is now the third part to protect from this specific type of cyber incidents: that you can, if necessary, rotate, remove the certificates, the keys, wherever, or issue and rotate them, if necessary, at high speed. All right, I went a little bit faster. Here's something that I want to highlight: if

you... so I'm working for a company called Venafi, but we offer access to a research document that talks about this, and you can find the link here. It's again about crypto-agility, and we promote it; it's not necessarily written about Venafi, it's by Gartner, and it describes the need for this and how to do this and what the specific benefits are. My suggestion is take a look at this and download it, and you're going to learn a lot more on the specific capability. There's also a link to our website where you can find more information if necessary. All right, I have about two minutes left for questions, and I'm going to open, I can

maybe open it now.

Yes, absolutely; if you've got questions, post them in the Slack channel for Bart.

Let's see if I can open my Slack channel. I don't see any questions coming up; maybe I'm not looking at the right... yeah, I see... okay, hello, Wes Lambert typing. So yeah, some nice compliments and some "thank you guys, nice job", so thank you so much for this, cool, and thank you so much, Andy, as well.
