How To Handle a Breached Certificate and Key?

Overview

According to attack statistics for global enterprises, it takes at least a day to detect a breach within an enterprise's environment. The longer a breach takes to find, the greater the chance of further damage, because bad actors continuously monitor the situation and use it to their advantage.

Every organization must have a plan for responding when its environment is under attack. Although different industries have IT processes specific to their scenarios, certain remediation steps should be followed irrespective of industry type:

  1. Inventory the systems impacted by the breach/attack.
  2. Follow the standard, pre-defined approach to the attack.
  3. Validate whether the bad actors have been dealt with.

Identifying and confirming an attack is only half the job. The next challenge is removing the adversary's access to the enterprise's critical digital assets, such as keys and certificates, because most organizations fail to understand the real impact of a certificate or key breach. Past breach incidents, such as those involving stolen digital certificates, show organizations failing to understand the consequences of not replacing the digital certificates immediately. Ideally, organizations should be able to react quickly and respond across all systems impacted by the breach so that their operations keep running securely.

Let's elaborate on the steps to follow in the case of a breach/attack:

Impact Analysis

While remediating a breach, the first step is to inventory the systems impacted in the environment. For example, if a breach related to SSL is discovered, the next step is to map the comprehensive usage of SSL in connections to URLs, web servers, SharePoint portals, etc. With this, the penetration depth of the breach can be ascertained to a great extent. Every use of a compromised SSL/TLS certificate or key can be taken into account to determine the overall impact on the environment.

Follow the Pre-defined Approach

Once the attack is confirmed, the pre-defined approach should kick off, with responsibilities decided in advance as to who will do what. While the security team is acting to contain and remediate the attack, attackers try to plant rogue certificates and keys that can help them access resources in the future. The security team should therefore revalidate the inventory of certificates/keys through the certificate and key lifecycle management tools and discard/deactivate the rogue digital assets.

Validation of Remediation Action

Once the remediation action has been completed for the attack, and the rogue certificates and keys have been replaced successfully, it becomes important to revalidate the remediation report and confirm whether the remediation steps were completed successfully. An adversary's footprint left in the environment can have serious consequences. Organizations can match the breach report against the remediation report to determine the accuracy of the remediation attempt and to gain confidence in their present security strength.
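
The inventory revalidation and the matching of the breach report against the remediation report described above can be expressed in code as follows. This is an added example, not part of the original article or of any certificate lifecycle management tool; the function names, the report layouts, and all fingerprints and host names are assumptions constructed for illustration.

```python
# Added example: reconcile certificate inventories after a breach.
# All fingerprints and host names below are constructed sample data.

def reconcile(baseline, deployed, breached, remediation):
    """Compare the post-incident certificate inventory with the reports.

    baseline    -- set of fingerprints approved before the incident
    deployed    -- list of (fingerprint, host) pairs from a fresh inventory scan
    breached    -- set of fingerprints listed in the breach report
    remediation -- dict from the remediation report: old fingerprint -> replacement
    """
    seen = {fp for fp, _ in deployed}
    # Approved now = untouched baseline certificates plus documented replacements.
    approved = (baseline - breached) | set(remediation.values())
    return {
        # Deployed but never approved: candidates for planted (rogue) certificates.
        "rogue": sorted(seen - approved - breached),
        # Compromised certificates that are still being served somewhere.
        "still_deployed": sorted(p for p in deployed if p[0] in breached),
        # Breach-report entries the remediation report never mentions.
        "not_remediated": sorted(breached - set(remediation)),
        # Replacements claimed in the report but absent from the scan.
        "replacement_missing": sorted(set(remediation.values()) - seen),
    }

def remediation_complete(findings):
    """True only when every reconciliation bucket is empty."""
    return not any(findings.values())

# Constructed sample data (short labels stand in for SHA-256 fingerprints).
BASELINE = {"aa01", "bb02", "cc03"}
BREACHED = {"aa01", "bb02"}
REMEDIATION = {"aa01": "dd04"}          # bb02 has no remediation entry yet
DEPLOYED = [("dd04", "web1"), ("aa01", "web2"), ("bb02", "portal1"),
            ("cc03", "mail1"), ("ee05", "web1")]   # ee05 is in no record

if __name__ == "__main__":
    findings = reconcile(BASELINE, DEPLOYED, BREACHED, REMEDIATION)
    for bucket, items in findings.items():
        print(f"{bucket}: {items}")
    print("remediation complete:", remediation_complete(findings))
```

Any non-empty bucket means the remediation report and the environment disagree, so the incident stays open until a fresh scan reconciles cleanly.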