According to Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, in many of the largest incidents in 2019, the cryptographic keys and digital certificates that serve as machine identities played a primary role in the breaches.
“Cybercriminals understand the power of machine identities and know they are poorly protected, so they target them for exploitation,” said Bocek.
“In 2019, organisations spent over $10 billion protecting human identities, but most are just beginning to safeguard their machine identities.
“This continues to be true even though the number of humans on enterprise networks remains relatively flat while the number of machines that need identities – including virtual machines, applications, algorithms, APIs and containers – is projected to grow exponentially in 2020.
“It’s inevitable that machine identity attacks will intensify in the coming year.”
Bocek predicts cybercriminals will pursue machine identities in three distinct ways in 2020 and says:
Compromise automatic software updates
Last year, the ASUS Live Update Utility service was successfully attacked by cybercriminals, which allowed them to load malicious code on over one million machines using the pre-installed automatic software update function. Attacks like these are likely to escalate in 2020 because many devices have a built-in automatic software update service, and when an update is signed with a legitimate code-signing certificate, these updates are automatically trusted. Unfortunately, because most organisations don’t tightly control code-signing keys and certificates, it’s easier for attackers to gain access and insert malware into the automatic software update process.
Ransomware Targets the Internet of Things (IoT)
Researchers have been detailing security flaws in IoT devices for years. In 2019, there were multiple product recalls on smart home devices due to critical security issues. While there hasn’t been a major security incident involving enterprise IoT, 2020 could be the year the pendulum swings the other way. Last year, ransomware attacks targeted individual machines in hospitals and local governments, which led to whole cities being taken offline. If these tactics expand beyond targeting specific machines to hold data for ransom, it’s reasonable to assume that attackers will expand the ransomware model to target larger groups of IoT devices, such as medical devices – including pacemakers and insulin pumps – or focus on other systems like traffic control. Compromised machine identities make it entirely possible to use code signing certificates to ‘kidnap’ IoT devices using malware or use TLS certificates to create zombies. It seems quite possible that we’ll see an entire IoT network held for ransom in 2020.
Seize on artificial intelligence (AI)
In 2020, algorithmic decision-making AI will become more mainstream. This will bring both opportunities and challenges, particularly around the transparency of AI algorithms. If organisations do not understand how some AI models work to reach specific decisions, it’s possible that bad actors will use this confusion to manipulate AI outcomes. Many AI models rely on blindly trusted machine identities. If machine identities are compromised, attackers can send malicious data streams that feed AI models. These types of attacks could have a wide-reaching impact on everything from predictive policing to financial forecasting.
“Machine identities are a relatively new, and very effective, point of attack because there is a huge gap between the security controls applied to human identities and those applied to machine identities,” says Bocek.
“In 2020, everyone – from CISOs to security architects and security practitioners – will need to prioritise the protection of machine identities in their organisations in order to reduce these very real security risks.”