Cloud-based email management company Mimecast recently disclosed that a threat actor obtained one of its digital certificates and used it to gain access to some of its clients’ Microsoft 365 accounts.
<p><span lang=\"EN-CA\">These attacks are not about FireEye, SolarWinds or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual. The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials. They are leveraging cryptographic assets to gain network access and evade security controls.</span></p> <p> </p> <p><span lang=\"EN-CA\">The current trendline indicates that parts of the industry are still treating certificates as ‘just certificates’ rather than cryptographic assets that play a more important role in hardening network security. Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order defend themselves against the evolving thread landscape. Companies need to take a hard look at how they manage and secure digital certificates and cryptographic keys in order to better protect themselves and their customers.</span></p> <p> </p> <p>Here are some best practices to mitigate misuse of keys and certificates:</p> <ul> <li>Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM</li> <li>Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.</li> <li>Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).</li> <li>Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.</li> <li>Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.</li> </ul>
<p><span lang=\"EN-CA\">These attacks are not about FireEye, SolarWinds or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual. The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials. They are leveraging cryptographic assets to gain network access and evade security controls.</span></p> <p> </p> <p><span lang=\"EN-CA\">The current trendline indicates that parts of the industry are still treating certificates as ‘just certificates’ rather than cryptographic assets that play a more important role in hardening network security. Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order defend themselves against the evolving thread landscape. Companies need to take a hard look at how they manage and secure digital certificates and cryptographic keys in order to better protect themselves and their customers.</span></p> <p> </p> <p>Here are some best practices to mitigate misuse of keys and certificates:</p> <ul> <li>Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM</li> <li>Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.</li> <li>Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).</li> <li>Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.</li> <li>Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.</li> </ul>