The recent and unprecedented SolarWinds breach, and subsequent breaches of  Microsoft, Cisco, VMWare, Intel, NVIDIA and others, has exposed a much deeper and insidious challenge associated with the already troubling supply-chain attack.  

What we know:

1. The malicious code from the SolarWinds breach initially landed into environments wrapped in a legitimate code update.
2. That code update used a private connection from the customer’s systems and network, across the internet to the SolarWinds server, using TLS authentication and encryption.
3. SolarWinds implemented TLS Certificate pinning in that connection to eliminate the security risks of man-in-the-middle attacks (e.g., via intercept and certificate resigning).
   
   

Lessons from the SolarWinds Breach: Using pinned connections to enable speedy software and firmware updates to on-premises systems is a typical architecture for nearly all vendors.  It was exactly this efficient and effective distribution that made the SolarWinds breach so terrible.

What is Certificate Pinning: The process in which an application validates that the TLS certificates presented by the application's backend TLS web servers match a known set of certificates pinned or hard coded in the application. The core security intention of TLS certificate pinning eliminates man-in-the-middle attacks via intercept techniques and certificate resigning and the ability to use a forward-proxy to inspect traffic to and from the internet for malware and other threats.

With the use of certificate pinning, traditional security systems are unable to inspect this traffic, creating the need for trust as the strategy. The use of forward proxy/Man-in-the-middle technique to inspect traffic is null. These systems had no opportunity to inspect, detect, or even run the update in a sandbox. The certificate pinning required by SolarWinds for updates forced organizations into a vulnerable position for anything coming in through that vector.

The Pinned Certificate Exception Is Killing You

The lesson here is not to beat up on SolarWinds. Big vendors are the biggest targets. Supply chain attacks like this are notoriously difficult to pull off. Nation-states are likely involved. Yet, with 2020 hindsight, we know they happen. Trust no one, no matter who it is from and no matter how big or important they are.

With pinned cert implementation, firewalls, IPS, IDS, APTs, and other inspection and detection systems must create bypass exceptions to allow pinned connections through. Even with the latest updates from Palo Alto, Checkpoint, or <insert your firewall and perimeter security solution>, the system still wouldn't catch it. With the use of pinned certs, the administrator says, “don’t block or inspect traffic with pinned certs from here”, the traffic is bypassed and there’s no other alternative than catching something only after a breach. Not a great bet.

Trusting the supply chain leads to break-ins. If your system cannot catch a threat on entry, then organizations are relying on catching the traffic upon malicious or suspicious execution once inside. This requires significant infrastructure, person power and leads to massively increased dwell times. Sleep timers like those in the SolarWinds malware further complicate efficacy and cost of “wait till it explodes inside” approaches to security.

The Solution: Monitor and Inspect Pinned Traffic

Previously there were no other alternatives. Until now. The ability to employ top security practices (i.e., the use of Pinned Certs and top security protocol) is important but visibility is possible for monitoring and inspection as well, bypassing the traffic isn’t the only option.

Nubeva offers a solution for network security and application monitoring solutions. With a full TLS visibility solution, provide the ability to inspect all traffic, including that “hard to see” pinned traffic. Your firewall and perimeter security systems need to do what they were designed to do: inspect everything coming across the wire.

Nubeva SKI (Session Key Intercept) is simple, yet powerful. Discover and deliver the final symmetric session encryption keys from TLS endpoint memory in enterprise hosts without altering the application or modifying protocols, production traffic, code, or libraries. With session secrets in-hand, high-performance, non-disruptive decryption is simple.  The solution works for all security and monitoring solutions, without the need for server certs or private keys, without inserting performance bottlenecks or traffic modification - even when the trusted connections require certificate pinning.

You can accept AND inspect the pinned connections rather than being forced to choose between the two. So, learn the lesson from the SolarWinds breach and restore complete functionality, visibility, and security to your systems.

The goal here is not to be another ambulance chaser, but to get the word out that you can, and should, in fact, offer a worthy solution to monitoring pinned traffic.

Security Challenge with Pinned Certificates & Trusted Architectures