By Greg March | SOC Platform and Security Analyst at Nettitude
Technology is at the forefront of innovation with new hardware, software and AI breakthrough announcements on a daily basis. From the creation of the first computer (ENIAC developed in 1946) to the rise of IOT smart fridges, data remains the key to the interconnected world around us.
Over recent years, the rise in cyber-criminal activity has highlighted the pressures and importance of developing secure technology - whether that is for data in transit or at rest. Transport encryption such as SSL(secure Socket Layer)/TLS(Transport Layer Security) and HTTPS (Hyper Text Transfer Protocol Security) technologies are exactly that, they provide a secure method of transporting encrypted data from one machine to another, preventing unauthorized actors from stealing private information.
Although encryption was first developed with security and privacy in mind, hackers and cyber criminals of even low sophistication levels have incorporated the advantages of encryption in their attack techniques.
If SSL/TLS encrypts data to provide a secure mechanism for transferring data over the internet why is it also a security concern? Deep Packet inspection security methods such as signature-based detection, protocol anomaly and IDS/IPS solutions all utilize packet inspection, where the data being sent between devices is inspected to ensure it is not malicious.
This is where SSL/TLS becomes a security hindrance as the data needs to be inspected however if a device performs packet inspection on encrypted data it will be unable to determine if it is legitimate or not. When combined with techniques such as domain fronting, defenders are confronted with legitimate looking TLS traffic and are unable to see the destination domain.
Addressing SSL/TLS Vulnerabilities
Now we know the importance of encryption and that hackers are also lurking within it too, how can we keep our data secure whilst preventing malicious activity? Implementing SSL/TLS inspection provides visibility of the raw traffic to both human defenders and security tools. This visibility allows for granular URL categorisation and application control so that monitoring and detection can be conducted at scale. Similarly, it enables the automatic submission and analysis of files and binaries that would otherwise not be detected. This is particularly important given the increase in the deployment of ransomware. Identifying and blocking the malicious binary before it can hit an endpoint is preferable to giving it an opportunity to execute.
This can be achieved by a dedicated proxy or by utilising the functionality of existing NG perimeter devices. By introducing a trusted device to sit in between the two communicating devices and handle the encryption on each side, the data can be safely decrypted, inspected, and re-encrypted before being sent on.
SSL/TLS decryption can be challenging to implement. Engineering and tuning require time and effort to get right – achieving the required level of inspection and protection without blocking legitimate business services. However, it is worth the effort and should be included in business IT maturity plans.
Unlike SSL/TLS that was adopted into predefined hacking techniques Ransomware was created from the ground up with encryption at its heart. Ransomware is a malicious piece of software which once executed on a system starts encrypting not only personal files but system files too. Once a number of files have been encrypted the malware then displays a ransom note to the user stating to pay a ransom to re-gain access to them. Single users aren't only at risk either, ransomware campaigns targeting financial, medical and academic institutions are on the rise too.
Using anti-virus with up-to-date virus definitions is solid starting point for preventing end point compromises. Ransomware is like all malware - once introduced or executed on a system it will leave footprints that can be used by antivirus software to identify and then subsequently take the necessary action to either remove or prevent the malware from doing further damage. Anti-Virus isn't without its limitations; basic signature-based detections and low post infection visibility can prove devastating to not just one host but a complete computer network.
Endpoint detection and response (EDR) and Endpoint Protection Platform (EPP) are the next generation security solutions to solve those gaps. They record, monitor, analyse and prevent malicious activity on an endpoint, commonly utilising cloud back-ends for aggregated correlation, cyber threat intelligence and enrichment.
No detection & prevention system can guarantee 100% protection. Application control through whitelisting offers a solid mechanism for controlling what can and can’t operate on a system. This is now a common feature in Microsoft platforms and should be employed. As with TLS decryption, it can be tricky to implement. It is always recommended to run it in monitor mode to establish what is running on a network before defining approved software lists and going to protect/block.
Finally, system Backups should always be in place, comprehensive and regularly tested to ensure that they are fit for purpose. Being able to restore a system to a usable and known safe state quickly will reduce the impact of service downtime, reduce revenue loss and the help minimise any impact to a company’s reputation.
For more info on protecting your organisation against encrypted cyber threats, contact your local Nettitude team.