Times are extremely restless for security teams as they face highly motivated adversaries, and the onslaught of very active and progressive cyber-attacks. Today’s hacking techniques are stealthy, unpredictable in nature and waged by skillful attackers capable of developing innovative ways of circumventing security defenses. One new and more popular way that is becoming a status quo among malware writers today is the malicious use of encryption. Using encryption methods such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL), attackers now cipher malicious payloads and command and control communication to evade detection. I offer some helpful tips to overcome these threats.
Based on a small sample of threat data recently collected by NSS Labs’ BaitNETTM test environment1, it shows the malicious use of encryption soared nearly 13,000% in 2016 compared to 2014. Moreover, information gathered by Virus Total and SSL BlackList reveals the number of malware families using encryption increased almost 5,700%, and command and control communications involving these malware families leaped 20,000% in Q4 of 20152. Although the sample size may be small considering it came from a single test harness, it does accurately reflects the tens of millions of systems of tens of thousands of organizations making TLS/SSL connections that are subjected to the unseen harm caused by encrypted threats.
Organizations that choose not to (or whose firewall is limited in its ability to) inspect encrypted traffic are missing a lot of the value of their security systems. When there is no visibility, they are unable to view what is inside that traffic, spot malware downloads, identify ransomware and see the unauthorized transmission of privileged information to external systems. With the rise of encrypted attacks threatening mobile devices, endpoint systems and data center applications, it is imperative that organizations quickly establish a security model that can decrypt and inspect encrypted traffic and neutralize the danger of hidden threats. Otherwise, they cannot stop what they cannot see.
To make matters more problematic, the majority of current firewalls are inadequate in their ability to handle encrypted threats because decrypting and inspecting encrypted traffic can create performance problems. The two key areas of TLS/SSL that affect inspection performance are establishing a trusted connection and decryption/re-encryption for secure data exchange. Both are very complex and compute intensive because each TLS/SSL session handshake consumes 15 times more compute resources3 from the firewall side than from the client side. Most firewall designs today do not provide the right combination of inspection technology, hardware processing power and scalability to handle the exponential increase in computing capacity required. Therefore, they often collapse under the heavy load and eventually disrupt business operations. According to NSS Labs, the performance penalty on a firewall when TLS/SSL inspection is enabled can be as high as 74% with 1024b ciphers and 81% with 2048b ciphers4. In other words, your firewall performance degrades to an unusable level.
These important points should spark serious security conversations for security teams, and give them the opportunity to educate their leadership team and/or board about encrypted threats, as well as why inspecting TLS/SSL traffic must be one of the top priority to the breach prevention strategy. To defeat encrypted threats effectively, the security system must be able to perform in a way that does not infringe on privacy and legal matters, while not becoming a choke point on their network that will cause any network and service disruption. The right solution begins with the right inspection architecture as the foundation, because not all firewall inspections perform equally in the real world. Security teams would want to avoid any post-deployment surprises by doing their full due diligence when shortlisting firewall vendors. Slowly and thoroughly, you would want to conduct a proof-of-concept (POC) and validate the right firewall that demonstrates the desire security efficacy and performance without any hidden limitations.
For more detail information, read our Executive Brief titled, “Solution Brief: Best practices for stopping encrypted threats.”