Spotting threats hidden by encryption

By Patrice Puichaud, Senior Director EMEA, SentinelOne.

In an increasingly uncertain world, more organisations and end users alike are turning towards encryption to protect their data online. Indeed, research from non-profit digital rights organisation Electronic Frontier Foundation (EFF) found that more than half of web traffic was encrypted using HTTPS at the start of 2017.

Concern about privacy is an obvious motivation for rising encryption usage, but authentication and integrity are an important focus as well. For example, with the constant threat of deception from cyber criminals, it is essential that users can ascertain that they really are communicating with their bank rather than a spoof. Likewise, the burgeoning era of “fake news” means it is becoming more important to be confident that online information sources are genuine. HTTPS is a crucial part of this: the server's certificate lets the browser verify that it is talking to the legitimate holder of that domain name, and the session cannot be silently altered in transit. It does not, however, vouch for the accuracy of the content itself, and attackers can obtain valid certificates for look-alike domains, so it is a check on identity rather than on truthfulness.

However, as with most tools, encryption is not limited to benign purposes and is increasingly used by threat actors in their attacks. Just as encryption protects ordinary web users’ data from prying eyes, criminals rely on it to hide their malicious activity.

Encrypted channels serve as covert command-and-control (C2) channels through which the attacker controls the compromised system. Over the very same channel, they download and install additional malicious payloads and tools to further the attack, and they exfiltrate valuable data from the victim's environment. In short, whether criminals are infiltrating or exfiltrating, encryption provides an easy way to hide within the noise of legitimate encrypted traffic: a network sensor sees only a TLS session to a remote host, not what travels inside it.

The challenges of monitoring encryption

Attempting to monitor and control encrypted traffic to prevent malicious activity presents a number of major challenges for an organisation. One option is to apply “man-in-the-middle” controls, typically a TLS interception proxy, which effectively breaks the privacy chain by decrypting, inspecting and then re-encrypting data. For this to work, every endpoint must trust the proxy's own certificate authority, so that the certificates the proxy re-signs on the fly are accepted in place of the real ones.

However, this is a fundamental compromise of data privacy, and the interception device itself becomes a high-value target: it holds a signing key that every endpoint trusts and it sees all inspected traffic in plaintext, so an attacker who compromises it gains access to otherwise encrypted information across the whole organisation. Applications that pin their server certificates will also refuse to connect through such a proxy. This approach additionally adds latency to the traffic, especially if the man-in-the-middle device is handling intercepts for large quantities of traffic across many channels at once.

With these issues in mind, some organisations choose to let some or even all encrypted communications pass through unmonitored for the sake of user privacy. Certainly, there are valid concerns around companies examining personal banking traffic and other confidential information, for example. However, this approach still leaves unmanaged risk if such a channel is compromised in some way. Encrypted communications cannot be safely ignored, precisely because threat actors prefer to use those same channels to bypass inspection controls.

Moving detection to the endpoint

One of the most effective solutions to monitoring encrypted traffic without breaking the chain is to examine the traffic at the point of origin before it is encrypted, or on the receiving end after it has been decrypted. Essentially this means visibility on the endpoint itself, whether it is a laptop, desktop, server, or any other kind of device.

This approach maintains end-to-end privacy across the external networks. In addition, the individual processors on the devices effectively share the inspection load that would otherwise be concentrated on a gateway device, and because the traffic is observed where it is already in plaintext there is no need for an additional decrypt-and-re-encrypt step, which significantly reduces the latency that interception adds.

Alongside being able to identify malicious activity hiding in encrypted traffic, it is also important that a firm is able to act swiftly to deal with any threats before they can do significant damage. Automated mitigation plays an important role in keeping the dwell time of an attack at an absolute minimum and closing the attacker's window of opportunity. Visibility on the endpoint supplies the related behaviours, such as which process opened the encrypted connection, what spawned that process and what it wrote to disk, and the resulting indicators that allow for this rapid response.

Response time can also be significantly improved by moving away from simply looking for objects we already know to be malicious, such as file hashes on an indicator list, towards scalable detection methods based on malicious behaviours instead. It is much more difficult for threat actors to create entirely new and unknown behaviours than it is to produce a new object: recompiling or repacking a binary changes its hash, but the sequence of actions it must perform to achieve its goal stays the same.
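To make the contrast between object-based and behaviour-based detection concrete, and to show what the endpoint can see about an encrypted connection that a network sensor cannot, here is an added example in Python. It is not SentinelOne's or the article's code, and the telemetry records, field names, hashes, paths and addresses are all constructed for illustration. It runs a hash-based check and a behaviour rule over the same process-start and network-connect events: the hash check only catches the one sample whose hash is on the (hypothetical) indicator list, while the behaviour rule, which keys on process lineage, binary location and connection metadata rather than on anything inside the TLS stream, catches both the original and a rebuilt variant and ignores the benign browser session.

```python
"""Behaviour-based vs. hash-based detection over endpoint process telemetry.

Added example; the events, hashes, paths and addresses below are constructed
for illustration and are not real indicators.
"""
from dataclasses import dataclass
from typing import Dict, List, Set
import ntpath  # splits Windows-style paths correctly on any host OS

# Hypothetical indicator feed: only the hash of the first sample is known.
KNOWN_BAD_HASHES: Set[str] = {"aa" * 32}

# Processes that routinely hand untrusted content (mail, documents) to a child.
CONTENT_HANDLERS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}
# Path fragments an unprivileged user (or a phishing payload) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass
class Event:
    ts: float          # seconds since boot (constructed)
    kind: str          # "process_start" or "network_connect"
    pid: int
    ppid: int = 0      # parent pid (process_start only)
    image: str = ""    # full path of the executable (process_start only)
    sha256: str = ""   # hash of the executable on disk (process_start only)
    dst: str = ""      # remote address (network_connect only)
    port: int = 0      # remote port (network_connect only)


# Constructed telemetry: a known dropper, a rebuilt copy with a fresh hash,
# and a benign browser session. All three connections are TLS on 443, so a
# network sensor sees three near-identical encrypted sessions.
SAMPLE_EVENTS: List[Event] = [
    Event(0.0, "process_start", pid=10, ppid=1,
          image=r"C:\Program Files\Microsoft Office\outlook.exe", sha256="0f" * 32),
    Event(5.0, "process_start", pid=11, ppid=10,
          image=r"C:\Users\alice\AppData\Local\Temp\invoice.exe", sha256="aa" * 32),
    Event(6.5, "network_connect", pid=11, dst="203.0.113.10", port=443),
    # Same tradecraft, recompiled binary: the hash no longer matches the feed.
    Event(60.0, "process_start", pid=12, ppid=10,
          image=r"C:\Users\alice\AppData\Local\Temp\statement.exe", sha256="bb" * 32),
    Event(61.0, "network_connect", pid=12, dst="203.0.113.20", port=443),
    # Benign: a browser launched from the shell.
    Event(70.0, "process_start", pid=20, ppid=1,
          image=r"C:\Windows\explorer.exe", sha256="cc" * 32),
    Event(71.0, "process_start", pid=21, ppid=20,
          image=r"C:\Program Files\Google\Chrome\chrome.exe", sha256="dd" * 32),
    Event(72.0, "network_connect", pid=21, dst="198.51.100.7", port=443),
]


def hash_detections(events: List[Event]) -> Set[int]:
    """Object-based detection: flag processes whose binary hash is on the list."""
    return {e.pid for e in events
            if e.kind == "process_start" and e.sha256 in KNOWN_BAD_HASHES}


def behaviour_detections(events: List[Event], window: float = 30.0) -> Set[int]:
    """Behaviour-based detection.

    Flag a process that (a) was spawned by a content handler, (b) runs from a
    user-writable location and (c) opens an outbound TLS connection within
    `window` seconds of starting. Nothing here reads the encrypted payload:
    lineage, binary path and connection metadata are all visible on the
    endpoint before the data is encrypted.
    """
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process_start"}
    hits: Set[int] = set()
    for e in events:
        if e.kind != "network_connect" or e.port != 443:
            continue
        proc = procs.get(e.pid)
        parent = procs.get(proc.ppid) if proc else None
        if proc is None or parent is None:
            continue
        from_handler = ntpath.basename(parent.image).lower() in CONTENT_HANDLERS
        writable = any(m in proc.image.lower() for m in USER_WRITABLE_MARKERS)
        fresh = 0.0 <= e.ts - proc.ts <= window
        if from_handler and writable and fresh:
            hits.add(e.pid)
    return hits


if __name__ == "__main__":
    print("hash-based:      ", sorted(hash_detections(SAMPLE_EVENTS)))       # [11]
    print("behaviour-based: ", sorted(behaviour_detections(SAMPLE_EVENTS)))  # [11, 12]
```

The rule is deliberately narrow (a content handler spawning a binary from a temp directory that immediately goes out over TLS) so that it is cheap to evaluate on every endpoint and produces few false positives; a production rule set would add further conditions and tune the window, but the principle is the same: the attacker can change the hash at will, whereas changing the lineage and location of the payload means changing how the attack works.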

By combining these techniques with the ability to inspect traffic before and after it is encrypted on the endpoint, organisations can ensure they are able to catch malicious activity over encrypted channels, without infringing on the privacy of legitimate users.
