Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic

By

Since the shocking announcement of serious Meltdown and Spectre vulnerabilities in early 2018, we have yet to hear of a mega-breach that would signal the start of another vicious hacking year.

Has it been luck? Are our network security defenses stronger? Or are current hacks hiding their efforts? Whatever the situation, the expectations from lessons learned in historical security events are that hacking tools will evolve and new threat vectors will emerge — year after year.

To help organizations gain confidence to make informed decisions and take calculated security actions against the latest cyber attacks, SonicWall shares its threat findings in the recently published 2018 Cyber Threat Report.

The report focuses on the ongoing battle of innovations and advancements between cybercriminals and security industries. The detailed threat information was gathered, recorded, researched and analyzed by the SonicWall Capture Labs research team so you can easily follow what’s happening in the threat landscape.

Today, we’ll underscore our observations on the good and bad of SSL/TLS-encrypted web traffic and respective encrypted threats.

The cyber battle inside encrypted traffic

For five straight years of monitoring and reporting on encrypted traffic trends, SonicWall continues to record strong growth in SSL/TLS-encrypted web connections, with a 24 percent increase over 2016. This increase accounted for 68 percent of overall web connections in 2017.

We believe the rise was attributed to the growing use of secured cloud applications and websites. Again, use of SSL/TLS encryption continues to be trending in the right direction. Companies securing websites and cloud services, to create safer web interactions, is a win for internet users and security teams.

SSL/TLS Use Increased

Despite the security advantages provided by SSL/TLS encryption, SonicWall collected real-world empirical evidence on cyber attacks executed inside of SSL/TLS-encrypted web sessions.

Using full-year data samples from a subset of SonicWall firewalls with active Deep Packet Inspection of SSL (DPI-SSL) service in 2017, we observed that an average of nearly 5 percent of all file-based malware propagation attempts used SSL/TLS encryption to avoid detection.

SonicWall Capture Labs also found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day. Without the ability to inspect encrypted traffic, the typical organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption. Remember, it takes only a single miss to create severe damage to an organization.

How to stop encrypted cyber attacks

Organizations can easily block attacks within SSL/TLS web connections. However, many have not activated existing security features — like DPI-SSL — to do so.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers. Here are some helpful guidelines:

  1. Understand what’s at risk. If you haven’t conducted a security audit recently, complete a comprehensive analysis to identify your risks and needs.
  2. Build a defense. Upgrade to a capable, extensible next-generation firewall (NGFW) with integrated IPS security services and DPI-SSL design that can scale performance to support future growth.
  3. Evaluate and improve. Update your security policies to defend against a broader array of threat vectors and establish multiple security defense methods to respond to both HTTP and HTTPS attacks.
  4. Create awareness. Train your staff continually to be aware of the dangers of social media, social engineering and suspicious websites and downloads, as well as various spam and phishing scams in personal and business email accounts. Start with this Phishing IQ test.
  5. Inspect digital certificates. Inform users never to accept a self-signed, non-valid certificate from unknown applications.
  6. Keep it current. Make sure all your software is up to date. This will help protect your organization from older SSL exploits that have already been neutralized.

The growth of SSL/TLS encryption can and will be a positive security trend for the global community, but it will remain a channel for malicious activity until companies recognize and address the risks.

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of security and performance at the same time.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

SonicWall Staff