Encrypted Traffic Is a Backdoor for Malware — Defend Your Networks Now

essidsolutions

In today’s high-risk environment, organizations turn to encryption to keep endpoint and data center traffic safe. At the same time, encryption has become a double-edged sword, with attackers hiding malware inside legitimate-looking encrypted traffic. Corelight’s CEO Brian Dye explains how cybersecurity teams can avoid blind spots in SSL/TLS traffic and identify attacks that hide in plain sight without running afoul of privacy regulations.

More than ever, organizations are discovering the many benefits of encryption – whether deployed for the endpoint or for data center traffic – to improve data integrity and data privacy. Especially in the post-pandemic era, employers are finding that it greatly helps safeguard an increasingly remote workplace. 

The numbers back this up: research from Cisco indicates that at least 80% of web (HTTP/HTTPS) traffic is now encrypted. In addition, key network services such as DNS are increasingly encrypted, over either HTTPS (DoH) or TLS (DoT). Firefox enables DoH by default for users in some regions, and other browsers such as Chrome support the feature. But attackers in turn exploit the inherent trust placed in encrypted traffic within corporate networks, hiding their activity in plain sight. Nearly one-third of malware and unwanted applications, in fact, enter networks inside Transport Layer Security (TLS) sessions, according to research from Sophos.

Regardless of the form, cybersecurity teams need to know where these encryption types exist in their IT environments and whether to permit them. Once they do, they have to establish visibility of them in order to obtain valuable data for incident response and threat hunting. Otherwise, this traffic will remain hidden and, thus, unchecked.

In other words, cybersecurity teams must identify attacks that are hiding in plain sight within legitimate encrypted traffic – without jeopardizing protection efforts or violating privacy regulations. By taking advantage of the abundance of resources and insights made available from vendors and open source communities, they can implement policies, procedures and practices that support the effective execution of incident response, threat hunting and forensics, allowing them to uncover, track and mitigate encrypted threats.


Cybersecurity teams should pursue three key steps to uncover, analyze and mitigate encrypted threats:

  • Understand your network. Give defenders the time and tools to research their network: which services and protocols are in use, what “normal” looks like, and which assets and segments are high priority. This is often accomplished through threat hunting, either as a formal role or as a time allocation within incident response teams.
  • Derive as much insight as you can. Even without decryption, TLS sessions leave observable artifacts: the server certificate (in TLS 1.2 and earlier; TLS 1.3 encrypts it), the server name indication (SNI), the negotiated version and cipher, and flow metadata such as byte counts, packet sizes and timing. Monitor for all of it. In addition, vendor solutions can infer specific activity inside encrypted sessions, such as keystrokes, file transfers and brute-force authentication attempts, from packet sizes and timing alone. The more telemetry you gather, the more actionable your analysis becomes.
  • Leverage open-source techniques and toolkits. As indicated, the vendor and open source communities offer a rich repository of resources and insights. A hallmark example is the JA3 fingerprinting method developed by the Salesforce security engineering team: it hashes the parameters a client offers in its TLS ClientHello (protocol version, cipher suites, extensions, elliptic curves and point formats) into a fingerprint of the client software, which often identifies an attacker’s toolkit. This leads to better outcomes for defenders than more brittle indicators such as IP addresses, because a fingerprinted toolkit forces adversaries to go back to the drawing board and modify or replace their tooling. That is more time-consuming and costly for them and, therefore, more beneficial for cybersecurity teams.
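The JA3 computation itself is short enough to show in full. The following is an added example, not code from the article or from Corelight or Salesforce: it parses a raw TLS ClientHello record, builds the JA3 string in the published field order (version, ciphers, extensions, elliptic curves, point formats, with GREASE values removed) and MD5-hashes it. The two ClientHello records it fingerprints are constructed inline; `build_client_hello` is a helper written only to produce them. The second record changes the destination hostname and drops the GREASE padding, which shows why JA3 tracks the tool rather than the target: both records produce the same fingerprint.

```python
"""JA3 fingerprinting of a TLS ClientHello (added example, not the article's code)."""
import hashlib
import struct

# GREASE values (RFC 8701); clients randomize them, so JA3 strips them.
GREASE = {v | (v << 8) for v in range(0x0A, 0x100, 0x10)}  # 0x0a0a, 0x1a1a, ..., 0xfafa


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3-relevant fields out of a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]  # skip record header: type(1) version(2) length(2)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4  # handshake type(1) + 24-bit length(3)
    version = _u16(hs, off)
    off += 2
    off += 32  # client random
    off += 1 + hs[off]  # session id
    cs_len = _u16(hs, off)
    off += 2
    ciphers = [_u16(hs, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + hs[off]  # compression methods
    extensions, curves, point_formats = [], [], []
    if off < len(hs):
        end = off + 2 + _u16(hs, off)
        off += 2
        while off + 4 <= end:
            etype, elen = _u16(hs, off), _u16(hs, off + 2)
            off += 4
            body = hs[off:off + elen]
            off += elen
            extensions.append(etype)
            if etype == 0x000A:  # supported_groups (elliptic curves)
                curves = [_u16(body, 2 + i) for i in range(0, _u16(body, 0), 2)]
            elif etype == 0x000B:  # ec_point_formats
                point_formats = list(body[1:1 + body[0]])
    return dict(version=version, ciphers=ciphers, extensions=extensions,
                curves=curves, point_formats=point_formats)


def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    h = parse_client_hello(record)
    strip = lambda xs: [x for x in xs if x not in GREASE]
    fields = [str(h["version"]),
              "-".join(map(str, strip(h["ciphers"]))),
              "-".join(map(str, strip(h["extensions"]))),
              "-".join(map(str, strip(h["curves"]))),
              "-".join(map(str, h["point_formats"]))]
    s = ",".join(fields)
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Helper (for this example only) that assembles a minimal ClientHello record."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _sni(name: bytes) -> bytes:
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name


_ALPN = struct.pack("!H", 12) + b"\x02h2\x08http/1.1"

# Constructed sample A: TLS 1.2 version field, GREASE in ciphers, extensions and curves.
SAMPLE_A = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B], [
    (0x0A0A, b""),
    (0x0000, _sni(b"evil.example")),
    (0x000A, struct.pack("!HHHH", 6, 0x2A2A, 0x001D, 0x0017)),
    (0x000B, b"\x01\x00"),
    (0x0010, _ALPN),
])

# Constructed sample B: same client parameters, different hostname, no GREASE.
SAMPLE_B = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [
    (0x0000, _sni(b"login.example")),
    (0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017)),
    (0x000B, b"\x01\x00"),
    (0x0010, _ALPN),
])

if __name__ == "__main__":
    for label, rec in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, *ja3(rec))
```

Sample A yields the JA3 string `771,4865-4866-49195,0-10-11-16,29-23,0`, and sample B yields the same string and hash despite the different SNI and the absent GREASE values. In practice you would compare the hash against a curated list of known tooling rather than against a single value; note that JA3 changes whenever the client's TLS library changes, so treat it as a lead, not proof.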


How to Protect Against Encrypted Traffic Risks 

Of course, adversaries will seek to counter each generation of detection technology we come up with, which brings up the closing point: while attackers’ use of encrypted traffic appears “new,” it actually isn’t. It is just another round of the cat-and-mouse game that has defined cybersecurity for decades. We put up defenses, they attempt to go around them, and then we put up countermeasures.

The difference in that classic game for the network is that more of the technology is now open source. The open-source community brings security professionals together to connect the dots on the problems they are seeing and to work on responses jointly, a pattern we have seen across frameworks (MITRE ATT&CK), analytics (Sigma rules) and detection packages for vulnerabilities such as Ripple20 and CallStranger. By participating, you benefit from direct cooperation with highly capable defenders on trends, techniques and tactics.

As you do so, examine your defense portfolio and determine whether your approaches and tools establish a high enough level of encrypted traffic analysis to acquire “light in the darkness.” In absence of this light, you’ll likely find yourself losing the game – perhaps for good.
