Machine identity related cyberattacks grew by 433% between 2018 and 2019

The machine identity attack surface is exploding, with a rapid increase in all types of machine identity-related security events in 2018 and 2019, according to Venafi. For example, the number of reported machine identity-related cyberattacks grew by over 400% during this two-year period.

“We have seen machine use skyrocket in organizations over the last five years, but many businesses still focus their security controls primarily on human identity management,” said Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

Digital transformation initiatives are in jeopardy because attackers are able to exploit wide gaps in machine identity management strategies. The COVID-19 pandemic is driving faster adoption of cloud, hybrid and microservices architectures, but protecting machine identities for these projects is often an afterthought.

“The only way to mitigate these risks is to build comprehensive machine identity management programs that are as comprehensive as customer, partner and employee identity and access management strategies.”

Key findings

  • Between 2015 and 2019, the number of reported cyberattacks that used machine identities grew by more than 700%, with this amount increasing by 433% between the years 2018 and 2019 alone.
  • From 2015 to 2019, the number of vulnerabilities involving machine identities grew by 260%, increasing by 125% between 2018 and 2019.
  • The use of commodity malware that abuses machine identities doubled between the years 2018 and 2019 and grew 300% over the five years leading up to 2019.
  • Between 2015 and 2019, the number of reported advanced persistent threats (APTs) that used machine identities grew by 400%. Reports of these attacks increased by 150% between 2018 and 2019.

“As our use of cloud, hybrid, open source and microservices increases, there are many more machine identities on enterprise networks—and this rising number correlates with the accelerated number of threats,” said Yana Blachman, threat intelligence researcher at Venafi.

“As a result, every organization’s machine identity attack surface is getting much bigger. Although many threats or security incidents frequently involve a machine identity component, too often these details do not receive enough attention and aren’t highlighted in public reports.

“This lack of focus on machine identities in cyber security reporting has led to a lack of data and focus on this crucial area of security. As a result, the trends we are seeing in this report are likely just the tip of the iceberg.”

New infosec products of the week: October 9, 2020

Checkmarx provides automated security scans within GitHub repositories

Checkmarx announced a new GitHub Action to bring comprehensive, automated static and open source security testing to developers. It integrates the company’s application security testing (AST) solutions – Checkmarx SAST (CxSAST) and Checkmarx SCA (CxSCA) – directly with GitHub code scanning, giving developers more flexibility and power to work with their preferred tools of choice to secure proprietary and open source code.

Apricorn announces 18TB version of its Aegis Padlock DT FIPS desktop drives

Consistent with the Apricorn line of secure drives, all passwords and commands are entered by way of the device’s onboard keypad. One hundred percent of the authentication and encryption processes take place within the device itself; they never involve software on, or share passwords or encryption keys with, the host computer.

Venafi Zero Touch PKI: Eliminating the effort, expense and risk of traditional PKI

Many internal and legacy PKI solutions require massive consulting investments to implement and maintain. Venafi’s new solution is a simple and fast way to replace these antiquated systems. Venafi Zero Touch PKI creates and integrates root and intermediate certificate authorities (CAs) and maps them to an organization’s needs.

APIsec now provides detailed pen-test reports that can be automated and published automatically

APIsec provides a 100% automated and continuous API security testing platform that eliminates the need for expensive, infrequent, manual pen-testing. With this latest release, APIsec now produces certified and on-demand penetration testing reports required by compliance standards, enabling enterprises to stay compliant at all times at a fraction of the cost.

Raytheon Intelligence & Space provides a virtualized environment to evaluate and reduce cyber threats

DejaVM enables system-level cyber testing without requiring access to the limited number of highly specialized physical hardware assets. The tool creates an emulation environment that virtualizes complex systems to support automated cyber testing. DejaVM focuses on improving software development, testing and security via its advanced analysis features.

Venafi Zero Touch PKI: Eliminating the effort, expense and risk of traditional PKI

Venafi announced the debut of Venafi Zero Touch PKI, a cloud-based, turnkey solution that delivers no-touch, fully automated modern PKI. With Venafi Zero Touch PKI, users can eliminate the effort, expense and risk of traditional PKI, while still providing the speed and control enterprises need to be successful.

“Due to the rise of remote working, digital transformation requires new levels of machine identity speed and agility,” said Jeff Hudson, CEO at Venafi.

“Venafi Zero Touch PKI is a breakthrough for enterprises, which have had limited options from small providers that require expensive consultants to host antiquated CA software. Customers want fast, modern, easy solutions, and now they have one. With Venafi Zero Touch PKI, companies get a next-generation service that delivers immediate value with increased security.”

This solution was designed and delivered by the inventors of machine identity management, with the security and integrity of services in mind. The new solution is also seamlessly integrated with the Venafi Trust Protection Platform.

Key features include:

  • Ready-made certificate issuing profiles: Templates for TLS, mobile device and network device use cases.
  • Hardware-based root and intermediate key storage: Implements a crucial best practice that makes keys less vulnerable to compromise.
  • Auto-enrollment ready: Seamlessly connects with enterprise Microsoft desktop and laptop deployments, providing automated certificate issuance.
  • Real-time certificate revocation: Gives customers the agility to rotate, replace or revoke any group of keys and certificates across issuing CAs, publish CRLs and answer OCSP status requests.
  • Global operations: Delivered from United States and European data centers to meet privacy and compliance requirements.
  • 24×7 security monitoring: Professional 24×7 monitoring to ensure high availability as well as security.

“Security teams are under a lot of pressure right now; they need automation and simplification to get things done safely and efficiently,” said Kevin Bocek, VP of Ecosystem and Threat Intelligence at Venafi.

“With our new service, customers will get immediate access to modern PKI that lets them deliver the scalability, agility and data privacy demands they need. It is the next logical step for customers that are embracing digital transformation or are considering a move to new PKI services from Google and others.”

Reduced lifespan of TLS certificates could cause increase in outages

Beginning September 1st, all publicly trusted TLS certificates must have a lifespan of 398 days or less. According to security experts from Venafi, this latest change is another indication that machine identity lifetimes will continue to shrink.

Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificate lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.

“It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out of control over the next few years.”

Certificate lifespans

The interval between changes in the length of certificate lifespans has been shrinking over the last decade:

  • Pre-2011: Certificate lifespans were 8–10 years (96 months)
  • 2012: Certificate lifespans were shortened to 60 months (five years), a reduction of 37%. This change was preplanned in the CA/Browser Forum Baseline Requirements.
  • 2015: Certificate lifespans were shortened to 39 months (3 years), a reduction of 35%. This change happened three years after the five-year limitation was adopted.
  • 2018: Certificate lifespans were shortened to 27 months (two years), a reduction of 30%. This change happened two years after the three-year limitation was adopted.
  • 2020: Certificate lifespans were shortened to 13 months, a reduction of 51%. This change happened one year after the two-year limitation was adopted.

Bocek continued: “If the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to 6 months by early 2021 and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this. Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”

Digital keys and certificates act as machine identities

They control the flow of sensitive data to trusted machines in a wide range of security and operational systems.

Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. When these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.

Unfortunately, eliminating certificate-related outages within complex, multitiered architectures can be challenging. Ownership and control of these certificates often reside in different parts of the organization, with certificates sometimes shared across multiple layers of infrastructure.

These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.

Malware attacks abusing machine identities grew 8x over the last 10 years

Commodity malware campaigns utilizing machine identities are increasing rapidly, according to threat analysis from Venafi. For example, malware attacks using machine identities doubled from 2018 to 2019, including high-profile campaigns such as TrickBot, Skidmap, Kerberods and CryptoSink.

Researchers gathered data on the misuse of machine identities by analyzing security incidents and third-party reports in the public domain.

Overall, malware attacks utilizing machine identities grew eightfold over the last 10 years and increased more rapidly in the second half of the decade. These findings are part of an ongoing threat research program focused on mapping the security risks connected with unprotected machine identities.

“Unfortunately, machine identities are increasingly being used in off-the-shelf malware,” said Yana Blachman, threat intelligence researcher at Venafi. “In the past, machine identity capabilities were reserved for high-profile and nation-state actors, but today we’re seeing a ‘trickle-down’ effect. Machine identity capabilities have become commoditized and are being added to off-the-shelf malware, making it more sophisticated and harder to detect. For example, massive botnet campaigns abuse machine identities to get an initial foothold into a network and then move laterally to infect further targets. In many recorded cases, bots download crypto-mining malware that hijacks a target’s resources and shuts down services. When successful, these seemingly simple and non-advanced attacks can inflict serious damage on an organization and its reputation.”

This problem is made much more complicated by the explosion of microservices, DevOps projects, cloud workloads and IoT devices on enterprise networks. Today, there are already more than 31 billion IoT devices worldwide and the number of connected mobile devices is expected to grow to 12.3 billion by 2022.

Between 2018 and 2023, 500 million new logical apps will be created, which is equal to the number built over the past 40 years. All of these applications and devices must have machine identities to authenticate themselves to each other so they can communicate securely.

However, machines—whether they are an app in a Kubernetes cluster or a serverless function in the cloud—don’t rely on usernames or passwords to establish trust, privacy and security. Instead, they use cryptographic keys and digital certificates that serve as machine identities. Because most organizations do not have machine identity management programs in place, attacks exploiting machine identities are already causing serious economic damage.

“As we continue to move through digital transformation of nearly every essential service, it’s clear that human-centric security models are no longer effective,” said Kevin Bocek, VP of security strategy and threat intelligence at Venafi. “To protect our global economy, we need to provide machine identity management at machine speed and cloud scale. Every organization needs to ensure they have full visibility and comprehensive intelligence over every authorized machine they are using in order to defend themselves against the rising tide of attacks.”

CIOs are apprehensive about interruptions due to expired machine identities

TLS certificates act as machine identities, safeguarding the flow of sensitive data to trusted machines. With the acceleration of digital transformation, the number of machine identities is skyrocketing.

At the same time, cybercriminals are targeting machine identities, including TLS keys and certificates, and the capabilities they provide, such as encrypted traffic, for use in attacks, according to Venafi.

The study evaluated the opinions of 550 CIOs from the United States, United Kingdom, France, Germany and Australia.

Compromised machine identities can have a major financial impact. A recent AIR Worldwide study estimated that between $51 billion and $72 billion in losses to the global economy could be eliminated through the proper protection of machine identities.

Key findings

  • 75% of global CIOs expressed concern about the security risks connected with the proliferation of TLS machine identities.
  • 56% of CIOs said they worry about outages and business interruptions due to expired certificates.
  • 97% of CIOs estimated that the number of TLS machine identities used by their organization would increase at least 10–20% over the next year.
  • 93% of respondents estimated that their organizations had a minimum of 10,000 active TLS certificates in use; 40% say they have more than 50,000 TLS certificates in use.

“According to a Venafi survey from 2018, once IT professionals deployed a comprehensive machine identity protection solution, they typically found 57,000 TLS machine identities that they did not know they had in their businesses and cloud,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organization. Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound.

“The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short lived certificates that are used in the cloud, virtual and DevOps environments.”

What is driving the machine identity crisis?

Every machine needs a unique identity in order to authenticate itself and communicate securely with other machines. This requirement is radically changing the definition of machines—from traditional physical devices, like laptops and servers, to virtual machines, containers, microservices, IoT devices and AI algorithms.

According to Kevin Bocek, vice president at Venafi, all of these device types have been critical to innovation and digital transformation—yet little is done to safeguard their identities.

“While the number of machines in the cloud, hybrid infrastructure and enterprise networks is exploding, most organizations are still attempting to protect machine identities using human methods like spreadsheets,” said Bocek.

“However, this approach creates its own set of problems—businesses can’t keep up with the changes in volume and are being exposed to unacceptable risks.”

Authentication is essential

Secure, reliable authentication is essential to protect machine-to-machine communication, yet protecting every machine identity across an enterprise can be a challenge. But if machine identities are not adequately protected, the resulting damage can be serious.

According to a report from AIR Worldwide, between $51 billion and $72 billion in losses to the worldwide economy could be eliminated through the proper management and protection of machine identities.

According to Bocek, five major trends are contributing to the complexity and explosive growth of machines, which in turn are creating a Machine Identity Crisis.

DevOps engineering

The business imperatives that drove widespread cloud adoption—speed, agility, efficiency and economies of scale—are also the driving forces behind DevOps. These initiatives build an agile, interdependent relationship between software development and IT operations teams.

However, the containers and microservices used in these projects often need to communicate securely with one another and the network. As a result, organizations need a technical solution designed to help them protect the barrage of new DevOps machine identities. Open APIs add to the complexity of these projects, which underlines the need for each machine to have its own unique identity.

Cloud computing

In the cloud, machines automatically create, configure and destroy other machines in response to business demand. In order to protect the security and privacy of cloud data, businesses must encrypt cloud workload data and adequately secure the machine identities that control communication between machines.

This includes machines in the cloud and across the enterprise. The rapid deployment, change and revocation of identities for cloud-based machines exponentially increases the challenge of keeping communication within the cloud, and between clouds, secure and private.

Automation and AI

One of the major characteristics of digital transformation has been the growth in automation, and in particular, autonomous machines. Automation has delivered efficiency gains across every industry, further augmented by the introduction of Robotic Process Automation (RPA) and Intelligent RPA and underpinned by Artificial Intelligence (AI).

It is essential to the growth of these markets to maintain the integrity and security of the input to these algorithms. Because machines need to communicate securely, it is important that communications cannot be manipulated in any way that could change the outcomes.

The Internet of Things (IoT)

Many businesses rely on IoT devices, so their use within enterprises is exploding. Each of these machines relies on keys and certificates for authentication and security. Unfortunately, many IoT devices focus on functionality over security, so there are numerous challenges and concerns that revolve around the security of IoT and smart devices. For example, a certificate-related outage or cyberattack could result in widespread business disruption.


Organizations face escalating pressure to uniquely identify and authenticate every mobile device so they can authorize secure communication between these devices, enterprise networks and the internet.

Although smart mobile devices on enterprise networks have been a fact of life for over a decade, securing and protecting the sensitive corporate data that flows through these devices is becoming more challenging. Unfortunately, most organizations do not have the tools necessary to accomplish this.

Bocek added: “Organizations can only solve these problems with intelligent automation, and they must have complete visibility into every machine identity in the cloud, microservice, IoT network, mobile device and enterprise network.

“In addition, businesses need to monitor these identities in real time to detect misuse, misconfiguration and errors, as well as automatically remediate vulnerabilities discovered at machine speed and scale. DevOps and cloud engineering teams need to be given the speed of automation, and security teams must focus on safety.”

Only 54% of security pros have a written policy on length and randomness for keys for machine identities

People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines also need to authenticate themselves to each other so they can communicate securely, relying on cryptographic keys and digital certificates, which serve as machine identities.

To better understand the gap between implementation of security controls for human identities and those for machine identities, Venafi evaluated responses from over 1,500 IT security professionals from the U.S., U.K., France, Germany and Australia across a range of company sizes and industries.

Just over half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities.

Additional findings

  • Less than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords.
  • Only 55% have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords.
  • Only 42% of organizations automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.
  • Only 53% audit how often certificates and private keys should be changed, compared with 73% for passwords.
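Two of the gaps this page describes, the 398-day lifetime ceiling from the TLS certificate lifespan section and the unaudited key length and rotation in the findings above, can be checked mechanically from the certificate itself. The following Go program is an added example, not Venafi's code or anything from the surveyed organizations; the 2048-bit RSA floor, the 30-day renewal window and the certificates it generates are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxPublicLifetime is the 398-day ceiling for publicly trusted TLS
// certificates issued from September 1, 2020.
const MaxPublicLifetime = 398 * 24 * time.Hour

// MinRSABits is an assumed internal policy floor for RSA key length.
const MinRSABits = 2048

// Finding summarises one certificate against the policy; nil Problems means it passed.
type Finding struct {
	Subject  string
	Lifetime time.Duration
	DaysLeft int
	Problems []string
}

// AuditCert parses a DER certificate and checks its validity period against the
// 398-day limit, its remaining life against renewWindow, and its RSA key length.
func AuditCert(der []byte, now time.Time, renewWindow time.Duration) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{
		Subject:  cert.Subject.CommonName,
		Lifetime: cert.NotAfter.Sub(cert.NotBefore),
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
	}
	if f.Lifetime > MaxPublicLifetime {
		f.Problems = append(f.Problems, "lifetime exceeds 398 days")
	}
	switch {
	case now.After(cert.NotAfter):
		f.Problems = append(f.Problems, "expired")
	case cert.NotAfter.Sub(now) < renewWindow:
		f.Problems = append(f.Problems, "expires within renewal window")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		f.Problems = append(f.Problems, fmt.Sprintf("RSA key only %d bits", pub.N.BitLen()))
	}
	return f, nil
}

// makeTestCert builds a constructed self-signed certificate so the audit runs
// offline: rsaBits > 0 selects an RSA key, otherwise ECDSA P-256 is used.
func makeTestCert(cn string, notBefore time.Time, lifetime time.Duration, rsaBits int) ([]byte, error) {
	var signer crypto.Signer
	var err error
	if rsaBits > 0 {
		signer, err = rsa.GenerateKey(rand.Reader, rsaBits)
	} else {
		signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
}

func main() {
	day := 24 * time.Hour
	now := time.Date(2020, 10, 9, 0, 0, 0, 0, time.UTC) // constructed "today"
	// Constructed inputs: an 825-day ECDSA certificate (the pre-2020 maximum)
	// and a 1024-bit RSA certificate ten days from expiry.
	long, _ := makeTestCert("long-lived.example.test", now.Add(-100*day), 825*day, 0)
	weak, _ := makeTestCert("legacy-rsa.example.test", now.Add(-80*day), 90*day, 1024)
	for _, der := range [][]byte{long, weak} {
		f, err := AuditCert(der, now, 30*day)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d days left, problems=%v\n", f.Subject, f.DaysLeft, f.Problems)
	}
}
```

Pointing AuditCert at the DER bytes of a real inventory (for example each certificate returned by a TLS handshake) turns the same checks into the continuous audit the findings say most organizations lack.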

Orgs just getting started with machine identity protection

Organizations will spend over $10 billion protecting human identities this year, but they are just getting started with machine identity protection. However, the number of humans on enterprise networks remains relatively flat while the number of machines that need identities – including virtual machines, applications, algorithms, APIs and containers – is growing exponentially. Because cybercriminals understand the power of machine identities and their lack of protection, they target them for exploitation.

“Identities are widely recognized as a key element in the threat landscape,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

“Machine identities are a relatively new, and very effective, point of attack, but there is a huge gap between the security controls applied to human identities and those applied to machine identities. This is a problem because the future of digital business relies heavily on machines.

“Enterprises are seeing dramatic growth in container usage, artificial intelligence, microservices and IoT devices, as well as machines in cloud and virtualized environments. Everyone – from CISOs to security architects and security practitioners – must prioritize the protection of machine identities for their organizations’ digital transformation to be successful.”

Venafi sponsors three new developers from its Machine Identity Protection Development Fund

Venafi, the inventor and leading provider of machine identity protection, announced direct sponsorship of three new developers from its Machine Identity Protection Development Fund.

The funded developers will create integrations that accelerate the delivery of comprehensive protection for machine identities across mobile devices, DevOps and multicloud environments, and Internet of Things (IoT) networks.

“The latest additions to our Development Fund bring exciting new opportunities for effective machine identity protection,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The Venafi vision of the world is a space where all machine identities are protected from cybercriminals, outages, displacement and more. The new developers provide Global 5000 organizations with new ways to scale use of mobile devices, safely deploy enterprise IoT and deliver TLS, SSH and code signing reports to executives and much more.”

The $12 million development fund is a global initiative designed to increase the visibility, intelligence and automation required for machine identity protection across enterprise networks.

The newest developers to join the Machine Identity Protection Development Fund include:

Device Authority, a global leader in identity and access management for the Internet of Things, will use the fund to provide a new turnkey code signing and update delivery extension to KeyScaler. The extension will be powered by Venafi Next-Gen Code Signing to connect security team policy and controls to secure the code signing process.

Device Authority’s KeyScaler platform provides an automated solution to provision unique certificates, signed by a preconfigured Certificate Authority (CA), to IoT devices – without requiring human intervention.

Additionally, Device Authority will create a new Certificate Authority service connector for the Venafi Platform, which will allow KeyScaler customers to use the Venafi platform as a source for certificate issuance. Device Authority is based in the U.K.

The Information Lab, an expert Tableau developer, will use the fund to develop a Tableau Connector for the Venafi Platform. This will provide Tableau users with the ability to retrieve different information sets from the Venafi REST API, which are required to build TLS, SSH and code signing reports.

In addition, security teams can schedule an automated refresh where Tableau Server is deployed. The Information Lab is based in the U.K. and has offices across Europe.

Jamf, an IT leader that brings the Apple experience to businesses, educational institutions and government organizations, will use the fund to integrate Jamf Pro with the Venafi Platform.

This will allow security teams to automate the lifecycle of machine identities across enterprise Apple devices and CAs. Jamf Pro will be able to make requests of the Venafi Platform for machine identity lifecycle operations, which includes certificate issuance, renewal and revocation. Jamf is based in Minnesota.

The Machine Identity Protection Development Fund encourages recipients to build integrations that deliver greater visibility, intelligence and automation across any technology that creates or consumes machine identities, including:

  • Cloud and hybrid cloud infrastructure.
  • DevOps.
  • Containerization.
  • Secure Shell (SSH).
  • Code signing.
  • Robotic Process Automation (RPA).
  • Artificial intelligence, machine learning and big data analytics.
  • IoT.
  • Blockchain-distributed ledger technology.

Most DevOps pros feel proper certificate issuance policies slow them down

75% of DevOps professionals are concerned that policies for issuing certificates slow down development, and over a third (39%) believe developers should be able to circumvent these policies to meet service level agreements, according to a Venafi survey.

In addition, less than half (48%) of those surveyed believe developers in their organization always request certificates through the security team-approved methods and channels.

Cryptographic keys and certificates serve as machine identities and enable authentication and secure communication for applications, service containers and APIs on enterprise networks, the internet and in cloud environments. The use of weak or unauthorized keys and certificates can significantly increase security risks, particularly in cloud environments.

Developers use insecure machine identities, including certificates from unauthorized certificate authorities (CAs) and self-signed or wildcard certificates, because corporate certificate issuance processes are seen as too cumbersome. Unfortunately, this leaves security teams in the dark and increases organizational risk, especially if key and certificate vulnerabilities or errors enter production environments.

“DevOps is all about speed, but this survey illustrates that developers often find security policies slow,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“Unfortunately, security professionals are often unaware of the risks DevOps processes bring to their organizations. Ultimately, security teams need to make it more straightforward for developers to use machine identities—protecting them must be easier and faster than it is to circumvent policy, otherwise these problems will continue to grow exponentially. Organizations that rely on DevOps processes require visibility, intelligence and automation to protect their machine identities.”

Trusted certificates make phishing websites appear valid

There has been a rampant growth of look-alike domains, which are often used to steal sensitive data from online shoppers. Venafi analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted. According to the research, growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four … More