Overcoming threat detection blindspots


We rely on encryption to protect our data, but it can also be a hideout for malware and a massive blind spot for threat detection. So how can security teams combat these hidden threats, given that half of all web traffic is encrypted and this volume is expected to rise?  

We spoke to Tony Rowan, Chief Security Consultant at SentinelOne, about some of the biggest challenges facing teams detecting threats and how it’s possible to overcome these challenges without the need for decryption. 

Recent reports and research have outlined that there’s been a rise in security blind spots created by encrypted traffic – why is this? 

The move to encryption for web traffic isn’t just about privacy. Much of it is to do with authentication and integrity. For example, it’s vital that you know you really are communicating with your bank rather than some spoofed website. Equally, in the era of “fake news”, you need confidence that your information source is genuine. Because of this, the encrypted volume will rise as more and more sites use HTTPS to ensure their users are confident that they are receiving information from the real “you”.

As more organisations – and the Internet – move towards encrypted traffic, what can we expect to see with this type of attack? 

The encrypted channels will be used for covert command and control channels, allowing the attacker to take over the target system. Through the very same channel, they may download and install additional malicious payloads and tools to further their attack. Encrypted channels are, and will be, used to remove valuable data from victims’ sites. In essence, it allows them to have relatively easy communications hidden within the noise of the other genuine encrypted traffic. 

How can improved network visibility prevent an organisation from becoming the next cybersecurity headline?

Only by establishing effective analysis and monitoring of all encrypted channels can an organisation be confident that they have the visibility they need to differentiate between malicious and genuine traffic. 

It’s all about threat hunting and having that deep visibility into what is on the network. The more traffic we can identify, the better we can classify malicious behaviour and the better our security databases will be.

How can organisations make it so they have visibility into this encrypted traffic?  

Many organisations trying to monitor and control that encrypted traffic are faced with a huge dilemma. They can leave the traffic alone and maintain the privacy of the communication, or they can apply “man-in-the-middle” controls which effectively break that privacy chain. On balance, they cannot afford to ignore the encrypted communications as many threat actors are also using the encrypted channels as an effective method of bypassing inspection controls. In many cases, they select and allow certain communications to go through unmonitored for the sake of user privacy. 

For example, should a company be examining personal banking traffic from its users? However, even this approach could lead to some unmanaged risks where that channel is compromised in some way. On this basis, there is a strong argument to support the idea that you should examine the traffic at the point of origin before it is encrypted or after it has been decrypted. In other words, you need visibility on the endpoint itself be it a laptop, desktop or server. 

How can automation contribute to the successful identification of encrypted malware? 

Automation is a key element in ensuring that a situation, once detected, is dealt with quickly before significant damage is done. It is hugely important that the dwell time of an attack is limited to the absolute minimum, ensuring that their window of opportunity is closed rapidly through automated mitigation. If you have visibility into those encrypted communications, you are able to see the related behaviours and resulting indicators that will allow you to respond rapidly. 

What are the benefits of being able to identify encrypted malware attacks without having to first go through a ‘device in the middle’ decryption process? 

Firstly, a device in the middle breaks the security model, as the communications are encrypted, inspected and then re-encrypted. This is a fundamental compromise of the data privacy and could be a point of attack in itself, as the attackers know that these devices have access to otherwise encrypted information.

Additionally, this adds latency to the traffic, especially if the “man-in-the-middle” device is trying to handle intercepts for large quantities of traffic from multiple channels. If we can see the traffic locally on the device before it is encrypted or after it has been decrypted, then the end-to-end privacy through the external networks is maintained. In addition, the individual processors on the devices are effectively sharing the load that would otherwise be concentrated on a gateway device. Add to this the fact that they are not carrying out any additional encryption or decryption and you get a huge reduction in traffic latency.  

How can organisations get better at protecting against these evolving threats? 

Relying on old methods and old approaches clearly isn’t working. The attackers evolve rapidly, sharing techniques through friendships or salesmanship. We must defend our information assets by adapting as quickly – if not faster than – the attacker.   

One significant evolution is to move away from simply looking for objects that we already know to be malicious and towards scalable detection methods based on behaviours that we know to be malicious. Creating completely new and unknown behaviours is much harder to do than simply creating a new unknown object. Essentially, organisations need to be able to deploy scalable security solutions that are capable of prevention, detection and response. In more detail that is:

  • preventing the things that we know are bad
  • detecting the unknown attacks through behavioural analysis
  • having the means to automatically mitigate the threat to prevent long dwell times
  • investigating through forensics
  • applying further remediation as required based on that forensic information
  • reporting on the activities
  • searching for other indicators of activities that could somehow have been missed

Tony Rowan, Chief Security Consultant for SentinelOne 
