Five threats hiding in SSL traffic

Ever since Edward Snowden’s revelations in 2013, SSL encryption has become all the rage with application owners. Disclosures in 2014 that governments were injecting surveillance software into web traffic further heightened security measures within organisations. This in turn has led to the rise of attacks hiding in SSL traffic.

Encryption today accounts for roughly one third of all Internet traffic. It’s expected to reach two thirds of all traffic this year when Internet powerhouses like Netflix transition to SSL.

While sixty-seven per cent of internet traffic will be encrypted in 2016, encryption has other, more serious, ramifications. It makes network security tools blind to application traffic. Solutions like next-generation firewalls, intrusion prevention, and advanced threat protection platforms cannot inspect packets and mitigate threats when traffic is encrypted. By 2017, it is estimated that half of all attacks will use encryption to bypass controls.

Encrypted traffic has become the 'go-to' way of distributing malware and executing cyberattacks. To detect malicious activity, organisations should decrypt and inspect SSL traffic. Otherwise, malware could be passing them by. But first, let’s look at the common threats lurking on an encrypted network.

Malware sent as attachments in email and instant messaging apps

Web and mobile applications such as Skype, WhatsApp, and Snapchat encrypt all incoming and outgoing messages by default. Similarly, most web-based email programmes like Gmail and Yahoo Mail automatically encrypt traffic with the intention of protecting user privacy and data transfer between servers. However, this inevitably creates a blind spot in corporate defences when security applications fail to detect malware disguised as secured packets.

Malware distributed via social media

Facebook, Twitter, and LinkedIn all use SSL but have lately fallen victim to emerging threats such as likejacking, malware propagation, data leakage, and spam. Koobface is one example of a Facebook-based malware campaign. The network worm was notorious for the speed at which it was able to spread malware amongst multiple users by using social engineering techniques in Facebook messages.

Web application and DDoS attacks

Since the majority of websites support encryption for compliance purposes, attackers can now use SSL to bypass controls and infiltrate the corporate network. Increasingly, DDoS attacks exploit SSL itself, using HTTPS floods or SSL renegotiation attacks to overwhelm and take down web servers.

Insider abuse for data exfiltration hidden in SSL

Web-based email and file sharing services encrypt by default, which means that insiders can discreetly send sensitive data and files outside of the organisation without being detected by data loss prevention products. Ironically, while employees are the greatest asset in any organisation, they can also be the biggest threat.

C&C communications and malware-based data theft

Malware-infected machines communicate with command & control servers via SSL. Recent examples include China’s APT1, Zeus, Shylock, KINS and CryptoWall, which all use SSL traffic to spread malware. As malware becomes more advanced, hackers can now use social media, file sharing and email websites to exfiltrate data. By the time organisations detect a data leak, the damage is already done.

How can you eliminate the blind spot?

To counter the threat posed by SSL encryption, organisations need to decrypt and inspect inbound and outbound traffic with a dedicated SSL inspection platform that enables third-party security devices to eliminate the blind spot in corporate defences.

Visibility is the first step. Organisations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organisations own the endpoints but not the SSL certificates and keys, so an SSL inspection platform can only decrypt that traffic when configured as a transparent forward proxy or an explicit proxy.

Decrypting inbound traffic destined for internal application servers is different to decrypting outbound traffic because organisations own the SSL keys. There are two main ways to decrypt inbound SSL traffic sent to internal servers:

  • Reverse proxy mode: SSL traffic is terminated on the SSL inspection devices and sent in clear text to inline or non-inline security devices. This mode is also referred to as 'SSL offload'.
  • Passive non-inline or inline mode: SSL traffic is decrypted using a copy of the server SSL keys. SSL traffic is not modified by the SSL inspection platform except (potentially) to block attacks.
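The passive mode above works only for sessions whose key exchange a copy of the server's private key can actually unwrap, which is the case for static RSA cipher suites; sessions negotiated with ephemeral (EC)DHE suites or TLS 1.3 derive per-session keys that the server key cannot recover, so those must be terminated in reverse proxy (SSL offload) mode. The following is an added example, not A10's code, that parses a TLS ServerHello record, reads the negotiated cipher suite and reports which inbound mode can decrypt the session; the sample ServerHello bytes are constructed inline, and the cipher suite table is a small subset of the IANA registry.

```python
import struct

# Well-known cipher suite IDs from the IANA TLS registry (a small subset).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: always ephemeral key exchange
    0x1302: "TLS_AES_256_GCM_SHA384",  # TLS 1.3
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return the negotiated suite."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if body[0] != 0x02 or len(hs) != hs_len:
        raise ValueError("not a complete ServerHello")
    pos = 2 + 32                          # skip server_version and random
    pos += 1 + hs[pos]                    # skip session_id (length-prefixed)
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"suite": suite, "name": CIPHER_SUITES.get(suite, "unknown")}

def inbound_inspection_mode(record: bytes) -> str:
    """Which of the two inbound modes can decrypt this session.
    Passive mode needs only a copy of the server key, which unwraps the
    premaster secret solely for static RSA key exchange; (EC)DHE suites and
    TLS 1.3 derive per-session keys the server key cannot recover, so the
    inspection device must terminate TLS itself (reverse proxy / SSL offload)."""
    name = parse_server_hello(record)["name"]
    return "passive" if name.startswith("TLS_RSA_WITH_") else "reverse proxy"

def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello (not a real capture) for exercising the parser."""
    hs = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body

if __name__ == "__main__":
    for suite in (0x009C, 0xC02F, 0x1301):
        rec = build_server_hello(suite)
        print(parse_server_hello(rec)["name"], "->", inbound_inspection_mode(rec))
```

Unknown or unlisted suites are reported as needing reverse proxy mode, which is the conservative choice for visibility.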

Whether sharing a malicious file on a social networking site or attaching malware to an email or instant message, many attacks will be cloaked in SSL. It’s time for organisations to invest heavily in data protection, and not to forget to decrypt and inspect all SSL traffic.

Duncan Hughes, A10 Networks