In 2013, less than half of all web traffic was encrypted, according to Google. Today, the network encryption rate is 95%.
On the one hand, it’s good for security. The more things are encrypted, the harder it is for attackers to steal data, eavesdrop on communications, and compromise systems.
On the other hand, the same encryption that can be used to protect people, data and systems is also used by cybercriminals and state actors to protect their people, data and systems.
According to a report published by Zscaler last fall, 80% of attacks now use encrypted channels, up from just 57% the year before.
In fact, criminals are ahead of corporations in their use of encryption.
According to the Ponemon Institute’s 2021 Global Encryption Trends Survey, 50% of organizations have an encryption strategy consistently applied. Another 37% have a limited encryption policy applied to a limited number of applications or data types.
Network encryption and privacy
Encrypted traffic is less likely to be inspected by security teams and makes malicious files harder to detect.
According to a SANS Security Operations Center survey released in October, only 22% of organizations inspect all encrypted traffic, while 45% make no interception and 30% have TLS interception in place but do nothing with the information.
The most common reason for not monitoring traffic? Business concerns about regulations and privacy. However, none of the companies inspecting the encrypted traffic reported any legal issues.
“There is a light side and a dark side in any technology you bring to crack encrypted communications,” said Zach Jones, senior director of detection research at NTT Application Security. “When you open that opening, you might be able to gain visibility, but guess what might be there? PII and sensitive information. You can create more problems for yourself if you mishandle this sensitive data. I saw anecdotes of security teams going wrong if they recorded something they shouldn’t have.”
To defend against encrypted malicious traffic, organizations must implement controls on inbound traffic to prevent malware and attackers from entering, outbound traffic to prevent data exfiltration, and internal traffic to prevent attackers from moving laterally on networks.
Incoming traffic inspection
Legacy systems can easily become bottlenecks, slowing traffic and impacting employees and customers.
Today, enterprises are turning to cloud-native proxies that inspect incoming traffic before it reaches corporate networks, filtering out malicious messages before they can clog channels.
According to a January WatchGuard report, companies that inspected incoming encrypted traffic said 70% of malware arrived over an encrypted connection.
But even though inspection capabilities are built into WatchGuard’s Firebox security product, most customers don’t enable it, the company said. “Having a firewall without configuring it to inspect zero-day malware or configuring it to inspect encrypted connections does not utilize all the benefits a firewall provides and leaves large security holes in your network perimeters that go uncorrected.”
In a similar report released the previous quarter, WatchGuard reported that only 20% of customers scanned encrypted traffic, while 91% of attacks came from this channel.
For example, attackers encrypted traffic to avoid detection of Log4Shell attacks, threat researchers at ExtraHop reported.
Mike Manrod, CISO at Grand Canyon Education, said he was faced with just this problem. The organization provides shared technology services to Grand Canyon University in Phoenix, Arizona, as well as other educational institutions – more than 100,000 users in total.
Managing Log4Shell’s encrypted communications required three layers of defense, Manrod told Data Center Knowledge.
First, there was a cloud-based web application firewall, which stopped 90% of attacks, he said, without creating performance latency issues.
“But not all traffic can go through the WAF cloud,” he added.
Thus, an additional 9% of Log4Shell attacks were stopped by the edge firewall.
That still leaves a small number of attacks that passed through both layers of protection, and here network defenses came into play, Manrod said. The company uses network detection and response tools from Corelight and decryption tools from Gigamon and Citrix Netscaler, among others.
“It’s always unwise for a security official to state with certainty or overconfidence, but we’ve had great success with this multi-layered strategy,” he said.
There are privacy issues when it comes to inspecting traffic, Manrod said, but that’s where organizations need to set policies about what they do and don’t want to see: “There are things you never want to decipher,” he said.
For example, if corporate users are permitted to access personal banking or healthcare sites, or other services of a highly personal nature, on corporate devices, decrypting that traffic may be prohibited by policy.
But many other communications that aren’t typically inspected should be, Manrod said. For example, when attackers compromise enterprise software, the return channels those applications use for their own internal communications or updates can be problematic.
This is what happened with SolarWinds: “There is a tendency to trust updates provided by vendors, and a tendency to allow them too much communication, which attackers have compromised in multiple supply chain attacks.”
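The policy Manrod describes, personal categories exempted from decryption but vendor update and callback channels inspected by default, can be expressed as a small decision function. The example below is added here and is not code from the article or from any vendor named in it; the category feed, the host names and the exemption lists are constructed placeholders standing in for what a URL-filtering product would supply.

```python
from dataclasses import dataclass

# Constructed policy inputs (hypothetical, not from the article).
PERSONAL_CATEGORIES = {"finance", "healthcare"}   # never decrypted: privacy exemption
BYPASS_HOSTS = {"intranet-hr.example.com"}         # explicit per-host exemptions

# Hypothetical destination categorisation, as a URL-filtering feed would supply it.
CATEGORY_DB = {
    "bank.example.com": "finance",
    "portal.clinic.example.org": "healthcare",
    "updates.vendor.example.net": "software-updates",
    "cdn.example.com": "content-delivery",
}


@dataclass(frozen=True)
class Decision:
    host: str
    action: str   # "decrypt" or "bypass"
    reason: str


def categorize(host: str) -> str:
    """Longest-suffix match, so api.bank.example.com inherits bank.example.com's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def decide(host: str) -> Decision:
    """Decide whether a TLS session to `host` is decrypted for inspection or bypassed.

    Precedence: explicit bypass list, then privacy-exempt categories, then the
    default, which is to decrypt. The default deliberately covers vendor update
    and callback channels and hosts the feed has never seen.
    """
    h = host.lower().rstrip(".")
    if h in BYPASS_HOSTS:
        return Decision(h, "bypass", "explicit bypass list")
    cat = categorize(h)
    if cat in PERSONAL_CATEGORIES:
        return Decision(h, "bypass", f"category {cat} is privacy-exempt")
    return Decision(h, "decrypt", f"category {cat}; default policy is to inspect")


def apply_policy(hosts):
    """Evaluate a batch of observed server names and return the decisions."""
    return [decide(h) for h in hosts]


if __name__ == "__main__":
    sample = ["bank.example.com", "api.bank.example.com", "updates.vendor.example.net",
              "unknown-saas.example.io", "INTRANET-HR.example.com"]
    for d in apply_policy(sample):
        print(f"{d.host:32} {d.action:8} {d.reason}")
```

The important design choice is the default: anything the feed does not recognise is decrypted, because an attacker's infrastructure is by definition not in the "trusted" categories. Exemptions are the exception and are recorded with a reason, which is what an auditor asking about the privacy concerns raised earlier in the article will want to see.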
Outbound traffic inspection
If more companies had edge firewall policies that prohibited outbound communications to anywhere but explicit locations, the SolarWinds attack would have been blocked, Manrod said.
And decrypting outgoing communications should be even easier than incoming communications, he added. “You control your endpoints, the certificates deployed on them, and the policies in place.”
According to Zscaler’s report, attackers use encrypted channels to exfiltrate data, such as stolen personal and financial information, and to connect to command and control servers.
“Many IT administrators allow full outbound Internet access from internal machines, which poses a risk to the network,” said Matthew Parsons, director of network and security product management at Sungard Availability Services.
He recommends data center cybersecurity managers lock down all outbound internet traffic so servers can’t send data offsite and use internal servers to push patches and updates.
“For servers that need to initiate outbound access to the Internet, configure them to only access specific IP addresses or patch domains,” Parsons told Data Center Knowledge. “And, as a best practice, use a proxy for improved visibility and control over outbound traffic.”
Watching for lateral movement
East-west (lateral) traffic is a bigger problem than inbound or outbound communications, Grand Canyon’s Manrod said.
“Attackers are good at using cryptography and atypical communication methods,” he said. “Or use expected communication methods and live off the land.”
With internal communications between two pieces of malware, both ends of the communication channel are under the control of the attacker, allowing them to use strong encryption to hide the messages. Of course, the simple fact that suspicious processes are sending secret messages to each other inside your network could be a sign that something fishy is going on.
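Parsons’s outbound advice (servers reach only specific IPs or patch domains, everything else goes through a proxy) and the point just made about encrypted host-to-host conversations inside the network both reduce to checks that can run over flow records even when the payload cannot be read. The example below is added here and is not code from the article or from any vendor it names; the address ranges, the per-server allowlists, the east-west baseline and the flow records are all constructed, and `assess` is a hypothetical helper rather than any product’s API.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network model (hypothetical, not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SERVER_NET = ipaddress.ip_network("10.0.1.0/24")     # server VLAN
PROXY_IP = ipaddress.ip_address("10.0.0.5")          # forward proxy all clients must use

# Per-server egress allowlist: destination CIDRs/IPs or domain suffixes.
EGRESS_ALLOW = {
    "10.0.1.20": ["203.0.113.0/24", "updates.vendor.example.net"],
    "10.0.1.21": [],   # this server gets no direct internet access at all
}

# Baseline of expected east-west conversations: (source net, destination IP, port).
EAST_WEST_BASELINE = {
    ("10.0.2.0/24", "10.0.1.20", 443),   # workstations -> intranet web server
    ("10.0.1.0/24", "10.0.0.10", 53),    # servers -> internal DNS
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: str = ""   # TLS server name if the sensor saw a ClientHello, else ""


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def _dest_allowed(dst: str, sni: str, allow) -> bool:
    """Match the destination against CIDR/IP entries or, for names, the TLS SNI suffix."""
    d = ipaddress.ip_address(dst)
    for entry in allow:
        try:
            if d in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:   # not an IP or CIDR, so treat it as a domain suffix
            if sni and (sni == entry or sni.endswith("." + entry)):
                return True
    return False


def _in_baseline(flow: Flow) -> bool:
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in ipaddress.ip_network(src_net) and d == ipaddress.ip_address(dst_ip)
               and flow.dport == port
               for src_net, dst_ip, port in EAST_WEST_BASELINE)


def assess(flow: Flow) -> list:
    """Return policy findings for one flow; an empty list means the flow is expected."""
    findings = []
    src = ipaddress.ip_address(flow.src)
    if is_internal(flow.src) and not is_internal(flow.dst):
        # Outbound: servers only to their allowlist; every other host must use the proxy.
        if src in SERVER_NET:
            if not _dest_allowed(flow.dst, flow.sni, EGRESS_ALLOW.get(flow.src, [])):
                findings.append("egress-violation: server reached a non-allowlisted destination")
        else:
            findings.append("proxy-bypass: client went direct to the internet")
    elif is_internal(flow.src) and is_internal(flow.dst):
        if ipaddress.ip_address(flow.dst) == PROXY_IP:
            return findings   # reaching the proxy is the expected outbound path
        if not _in_baseline(flow):
            tag = "east-west-unexpected"
            if flow.dport == 443 or flow.sni:
                tag += ": encrypted channel between hosts with no baseline relationship"
            findings.append(tag)
    return findings


def triage(flows):
    """Keep only flows that produced findings, paired with those findings."""
    return [(f, assess(f)) for f in flows if assess(f)]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        Flow("10.0.1.20", "203.0.113.7", 443),                                # allowed CIDR
        Flow("10.0.1.20", "198.51.100.9", 443, "updates.vendor.example.net"),  # allowed patch domain
        Flow("10.0.1.21", "198.51.100.9", 443),                               # server with no egress
        Flow("10.0.2.15", "198.51.100.9", 443),                               # workstation skipping proxy
        Flow("10.0.2.15", "10.0.0.5", 3128),                                  # workstation -> proxy
        Flow("10.0.2.15", "10.0.2.16", 443),                                  # workstation -> workstation TLS
    ]
    for flow, findings in triage(sample):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {'; '.join(findings)}")
```

The point of keeping the two checks in one function is that neither needs decryption: an allowlist violation or a workstation-to-workstation TLS session that has never appeared in the baseline is visible from the connection metadata alone, which is what makes this usable on the east-west segments where full inspection is too expensive.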
Most traffic inspection tools are designed to monitor inbound and outbound traffic, not internal network traffic.
The constant encryption and decryption of traffic at every step can create network bottlenecks and cause performance issues. At the same time, ignoring network encryption creates a significant visibility issue for security teams.
Zero Trust architectures and network segmentation are currently the go-to answers to the lateral movement problem, but some vendors are beginning to offer centralized SSL decryption solutions that reduce processing and management overhead.