Times are extremely restless for security teams as they face highly motivated adversaries, and the onslaught of very active and progressive cyber-attacks.  Today’s hacking techniques are stealthy, unpredictable in nature and waged by skillful attackers capable of developing innovative ways of circumventing security defenses. One new and more popular way that is becoming a status quo among malware writers today is the malicious use of encryption. Using encryption methods such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL), attackers now cipher malicious payloads and command and control communication to evade detection. I offer some helpful tips to overcome these threats.

Based on a small sample of threat data recently collected by NSS Labs’ BaitNETTM test environment1, it shows the malicious use of encryption soared nearly 13,000% in 2016 compared to 2014.  Moreover, information gathered by Virus Total and SSL BlackList reveals the number of malware families using encryption increased almost 5,700%, and command and control communications involving these malware families leaped 20,000% in Q4 of 20152.  Although the sample size may be small considering it came from a single test harness, it does accurately reflects the tens of millions of systems of tens of thousands of organizations making TLS/SSL connections that are subjected to the unseen harm caused by encrypted threats.

Organizations that choose not to (or whose firewall is limited in its ability to) inspect encrypted traffic are missing a lot of the value of their security systems.  When there is no visibility, they are unable to view what is inside that traffic, spot malware downloads, identify ransomware and see the unauthorized transmission of privileged information to external systems.  With the rise of encrypted attacks threatening mobile devices, endpoint systems and data center applications, it is imperative that organizations quickly establish a security model that can decrypt and inspect encrypted traffic and neutralize the danger of hidden threats.  Otherwise, they cannot stop what they cannot see.

To make matters more problematic, the majority of current firewalls are inadequate in their ability to handle encrypted threats because decrypting and inspecting encrypted traffic can create performance problems.  The two key areas of TLS/SSL that affect inspection performance are establishing a trusted connection and decryption/re-encryption for secure data exchange.  Both are very complex and compute intensive because each TLS/SSL session handshake consumes 15 times more compute resources3 from the firewall side than from the client side.  Most firewall designs today do not provide the right combination of inspection technology, hardware processing power and scalability to handle the exponential increase in computing capacity required.  Therefore, they often collapse under the heavy load and eventually disrupt business operations.  According to NSS Labs, the performance penalty on a firewall when TLS/SSL inspection is enabled can be as high as 74% with 1024b ciphers and 81% with 2048b ciphers4.   In other words, your firewall performance degrades to an unusable level.

These important points should spark serious security conversations for security teams, and give them the opportunity to educate their leadership team and/or board about encrypted threats, as well as why inspecting TLS/SSL traffic must be one of the top priority to the breach prevention strategy.  To defeat encrypted threats effectively, the security system must be able to perform in a way that does not infringe on privacy and legal matters, while not becoming a choke point on their network that will cause any network and service disruption.  The right solution begins with the right inspection architecture as the foundation, because not all firewall inspections perform equally in the real world.  Security teams would want to avoid any post-deployment surprises by doing their full due diligence when shortlisting firewall vendors.  Slowly and thoroughly, you would want to conduct a proof-of-concept (POC) and validate the right firewall that demonstrates the desire security efficacy and performance without any hidden limitations.

For more detail information, read our Executive Brief titled, “Solution Brief: Best practices for stopping encrypted threats.”

Read Solution Brief

1 https://www.gartner.com/imagesrv/media-products/pdf/radware/Radware-1-2Y7FR0I.pdf
2 https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/

Ken Dang
Product Marketing, Network Security | SonicWall
Ken Dang has well over 12 years of technology product management and product marketing experience creating and directing product development and launch strategies for new product introductions. He is specialized in the network and information security, data management, data protection, disaster recovery and storage industry. Ken is currently the Product Marketing Manager principally responsible for managing and driving the product marketing lifecycle for SonicWall’s enterprise firewall and policy and management product lines.

You might also like

SonicWall and our Channel Partners Team to Deliver New High-Value Security Professional Services to Fight the Bad Guys
Read more
6 Ways Malware Evades Detection – And How to Stop Them
Read more
Innovate More, Fear Less at CETPA 2017 with SonicWall for Your School Network
Read more
RSA Conference 2018: Live on Facebook
Read more
Is Your K-12 Network Ready to Innovate More? Learn How SonicWall Blocks Ransomware and Encrypted Threats at ISTE 2017
Read more


Leave a reply