In an age built on trust, SSL/TLS man-in-the-middle attacks have become more rampant. The problem is how to deal with them and, more importantly, how to catch one when it happens. I am the author of SANS SEC555: SIEM with Tactical Analytics. This blog does not uncover any new tools. Instead, it shows a different approach to using them that costs nothing yet may save your bacon. So now on to detecting SSL/TLS man-in-the-middle...
When I say SSL/TLS man-in-the-middle, I mean a true man-in-the-middle rather than tricks like sslstrip, which makes pages appear to be encrypted when they are actually being served over HTTP instead of HTTPS. Nowadays adversaries and malware are finding ways to gain the trust of systems and then exploit it. This can happen in a number of ways, such as:
- Installing an evil root certificate into the Trusted Root Certificate Authority of systems (common)
- Generating certificates using an already trusted certificate authority (such as by compromising a less secure but trusted CA)
Once an adversary has a trusted CA certificate on a box, they can redirect the victim to their own system and the victim's browser will still show the connection as trusted, as in the screenshot below:
In fact, if you access https://www.hasecuritysolutions.com you will not receive the same certificate as the one captured in this picture. This is because of technologies such as SSL Inspection that legitimately man-in-the-middle encrypted connections (typically at a web proxy or edge firewall) to protect end users. My home network utilizes SSL Inspection, so the trusted CA involved when I access https://www.hasecuritysolutions.com will be different from the one you see as you read this blog. The behavior is the same when an adversary or malware is utilizing a trusted CA to man-in-the-middle your traffic.
Knowing this, what can be done? One technique that works well is Certificate Pinning. This involves forcing a site to load only if its certificate chains to a specific root CA, regardless of which installed certificate authorities the system otherwise trusts.
One of the simplest methods for deploying Certificate Pinning for free is to utilize Microsoft EMET. This is a free agent for Windows that can be controlled with Group Policy. EMET is known more for its ability to enforce protections like DEP, ASLR, SEHOP, and other process mitigation techniques, but it also includes support for Certificate Pinning.
To set up Certificate Pinning in EMET, open it up and click on Trust.
Then (optionally) import your trusted CA certificates under the Pinning Rules section. Then click on Add Website and pin a website to whatever set of certificate authorities you want. In this example, I have mapped www.hasecuritysolutions.com to the certificate authority group called HandACA. This includes the proper Go Daddy certificate authorities and my personal CA.
At this point, if I access https://www.hasecuritysolutions.com and the root certificate authority does not match a certificate authority in the protected website/pinning rule, an alert fires such as this:
This means that if someone has installed an unauthorized root CA on my box, I can detect it: when I browse to https://www.hasecuritysolutions.com and the connection does not use one of my pinned certificate authorities, I am alerted. Now, here comes the main point of the blog. Certificate pinning is not new. Multiple devices support it, and I am not the first to talk about it. However, good ideas can be made great when used tactically.
For instance, let's assume that I have set all H and A Security Solutions employee systems so that their browser home page is https://intranet.hasecuritysolutions.com. I then use EMET or another technology to perform certificate pinning on our company intranet page. Because certificate pinning is set up on the first site that loads when employees open their browser, I now have an early detection system for catching SSL/TLS man-in-the-middle attacks. Also, with EMET there is a toast pop-up on the system notifying the end user that something is out of place.
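To make the intranet scenario concrete, here is an added Go example (not code from the post or from EMET) that models the pinning rule with constructed certificates: the machine's trust store holds both the legitimate HandACA root and an attacker-installed root (a constructed "EvilRoot"), but only HandACA is pinned for intranet.hasecuritysolutions.com, so a chain that is fully trusted by the OS still fails the pin when it ends in the wrong root. The makeCert, spkiPin, chainPinned and demo names are this example's own.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert builds constructed test data: a self-signed CA when parent is nil, else a server cert for name issued by parent.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the usual value to pin.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// chainPinned mirrors the EMET rule: the chain must validate against the machine's trust store AND end in a
// root whose pin is in the pinning rule for host. An untrusted chain already triggers the browser's own warning.
func chainPinned(leaf *x509.Certificate, host string, store *x509.CertPool, pins map[[32]byte]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err == nil && pins[spkiPin(chains[0][len(chains[0])-1])]
}
// demo models the post: the store trusts the legitimate CA and an attacker-installed root; only the first is pinned.
func demo(host string) (legitOK, evilOK bool) {
	goodCA, goodKey := makeCert("HandACA", nil, nil)
	evilCA, evilKey := makeCert("EvilRoot", nil, nil)
	store := x509.NewCertPool()
	store.AddCert(goodCA)
	store.AddCert(evilCA)
	pins := map[[32]byte]bool{spkiPin(goodCA): true}
	legit, _ := makeCert(host, goodCA, goodKey)
	evil, _ := makeCert(host, evilCA, evilKey)
	return chainPinned(legit, host, store, pins), chainPinned(evil, host, store, pins)
}
```

Both leaf certificates validate cleanly against the trust store, which is exactly why the browser stays silent; only the pin comparison on the chain's root separates the legitimate intranet page from the man-in-the-middle one.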
Thus the title of this blog, "The Trusted Evil Intranet Page." By deploying Certificate Pinning to the home page of browsers, you can create a strong defense with early detection. I encourage you to always think outside the box about how you can take a good technique and make it better. My SANS course SEC555: SIEM with Tactical Analytics is heavily focused on utilizing techniques like this in conjunction with SIEM technology (open source or commercial) to gain early detection and have fun doing it.