If you are engaging in e-commerce or sharing sensitive data over the web, you want to know that it is protected. So it is no surprise that encrypted traffic has been steadily on the rise in recent years: industry estimates now indicate that at least half of all web traffic is encrypted, and that share is likely to increase. It would be fair to say we are at a tipping point for encryption on the web.
So what’s driving this trend? Apart from the fact that we’re all getting a bit more security conscious, or at least we like to think we are, the move to put services in ‘the cloud’ is definitely one of the key drivers.
As a business, you would probably feel relieved knowing that a significant amount of your data leaving the organisation is encrypted and therefore protected, and you would be right – to an extent.
Whilst the general trend towards greater use of encryption is a good thing, it also offers cyber criminals a way to stay off your radar. HTTPS is one of the types of traffic most likely to be allowed out through your perimeter, and attackers exploit exactly that: the privacy the encryption offers also masks their malicious behaviour from the controls that would otherwise see it.
HTTPS is HTTP carried over Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL); the two names are often used interchangeably, but it is TLS that provides the cryptography and therefore the privacy. The trend of malware using encryption is concerning because it blunts signature-based techniques such as intrusion prevention systems (IPS), which cannot match patterns in payloads they cannot read.
There are two approaches which can be taken to defend against this. Firstly, it is possible to deploy SSL/TLS inspection, a deliberate 'man-in-the-middle'. A security device with this feature intercepts the connection and establishes two separate TLS sessions, one between itself and the remote server and one between itself and the internal host. Once that path is in place it decrypts what the endpoint sends, inspects it, and re-encrypts it before forwarding it to the remote end, so the IPS can run its signatures against the plaintext and block. In practice this only works because the device's own CA certificate has been installed as trusted on the managed endpoints; applications that pin certificates will fail, inspection adds latency and concentrates trust in a single device that now holds the keys for every session it terminates, and categories such as banking or healthcare are usually exempted for privacy and regulatory reasons.
Secondly, it is possible to take a less intrusive approach by using analytics. Even when the payload is unreadable, the TLS handshake (the client's offered cipher suites and extensions, the server name indication, and in TLS 1.2 the server certificate) and the flow characteristics (packet sizes, timing, bytes in each direction) are visible in the clear, and in most cases malware's use of TLS is distinct from that of benign applications, which makes malicious connections identifiable without decryption. With TLS 1.3 the certificate is encrypted too, so the ClientHello carries more of the weight. NetFlow, used in conjunction with a metadata analysis tool and combined with contextual data such as the host, the user and the destination's reputation, can help provide an overview of what is actually happening on your network.
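As an added illustration of the analytics approach (example code written for this page, not Cisco's or any product's implementation), the following Python parses a TLS ClientHello from the raw record bytes, extracts the handshake metadata that stays in the clear, builds a JA3-style fingerprint string from it, and applies a few illustrative triage heuristics. The two sample hellos are constructed in the block, not captured traffic; the legacy cipher list and the heuristic thresholds are assumptions for demonstration, not a detection rule set.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# GREASE values (RFC 8701) are randomised by browsers and must be ignored when
# fingerprinting, otherwise the same client produces a different hash each time.
def is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

@dataclass
class ClientHello:
    version: int
    ciphers: List[int]
    extensions: List[int]
    sni: Optional[str]
    groups: List[int] = field(default_factory=list)
    point_formats: List[int] = field(default_factory=list)

def parse_client_hello(data: bytes) -> ClientHello:
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    p = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 0
    version = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    off += 32                         # client random
    off += 1 + p[off]                 # session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    ciphers = [struct.unpack("!H", p[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                 # compression methods
    hello = ClientHello(version, ciphers, [], None)
    if off >= len(p):                 # extensions are optional
        return hello
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]; off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
        edata = p[off:off + elen]; off += elen
        hello.extensions.append(etype)
        if etype == 0x0000 and len(edata) >= 5:     # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", edata[3:5])[0]
            hello.sni = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == 0x000A and len(edata) >= 2:   # supported_groups
            n = struct.unpack("!H", edata[:2])[0]
            hello.groups = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 0x000B and len(edata) >= 1:   # ec_point_formats
            hello.point_formats = list(edata[1:1 + edata[0]])
    return hello

def ja3_string(h: ClientHello) -> str:
    # JA3 shape: version,ciphers,extensions,groups,point_formats in decimal, GREASE removed.
    join = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    return ",".join([str(h.version), join(h.ciphers), join(h.extensions),
                     join(h.groups), "-".join(str(x) for x in h.point_formats)])

# Assumed list of legacy RSA/RC4/3DES/CBC-SHA1 suites used only for the illustrative heuristic.
LEGACY_CIPHERS = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}

def observations(h: ClientHello) -> List[str]:
    # Illustrative triage signals with assumed thresholds; not a production detection rule.
    real_ciphers = [c for c in h.ciphers if not is_grease(c)]
    real_exts = [e for e in h.extensions if not is_grease(e)]
    out = []
    if h.sni is None:
        out.append("no SNI")
    if h.version < 0x0303:
        out.append("offers TLS < 1.2")
    if real_ciphers and all(c in LEGACY_CIPHERS for c in real_ciphers):
        out.append("only legacy cipher suites")
    if len(real_exts) < 3:
        out.append("few extensions")
    return out

def build_client_hello(version, ciphers, sni, groups, point_formats, extra_ext=()) -> bytes:
    # Constructs a well-formed ClientHello record for the samples below (not a capture).
    u16 = lambda v: struct.pack("!H", v)
    exts = b""
    if sni is not None:
        name = sni.encode()
        body = u16(len(name) + 3) + b"\x00" + u16(len(name)) + name
        exts += u16(0x0000) + u16(len(body)) + body
    for t in extra_ext:                              # e.g. a GREASE extension with empty body
        exts += u16(t) + u16(0)
    g = b"".join(u16(x) for x in groups)
    exts += u16(0x000A) + u16(len(g) + 2) + u16(len(g)) + g
    pf = bytes(point_formats)
    exts += u16(0x000B) + u16(len(pf) + 1) + bytes([len(pf)]) + pf
    cs = b"".join(u16(c) for c in ciphers)
    hello = (u16(version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
             + u16(len(cs)) + cs + b"\x01\x00"       # cipher suites, one (null) compression method
             + u16(len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + u16(len(hs)) + hs

# Constructed samples: a browser-like hello with GREASE, and a sparse legacy-looking one.
BROWSER_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
                                   "example.com", [0x0A0A, 0x001D, 0x0017], [0], extra_ext=(0x0A0A,))
SUSPECT_HELLO = build_client_hello(0x0301, [0x0004, 0x0005, 0x000A], None, [0x0017], [0])

if __name__ == "__main__":
    for raw in (BROWSER_HELLO, SUSPECT_HELLO):
        h = parse_client_hello(raw)
        print(h.sni, ja3_string(h), observations(h))
```

The fingerprint string is what a tool would hash and compare against known client profiles; the point of the heuristics is that they operate entirely on handshake metadata, so they can run on a passive tap or on exported flow records without ever terminating the session.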
For more details on the specific traits of malware used with TLS, please read the Cisco Blog ‘Hiding in Plain Sight: Malware’s Use of TLS and Encryption’:
Encryption is a must-have tool in your armoury to defend against cyber criminals, but you need to understand the blind spot it introduces and not be complacent, otherwise you may find that attackers have a back door into your network.