
Uncovering the hidden risks in encrypted data

(Image credit: Shutterstock/SkillUp)

The rapid growth in encrypted traffic is changing the security landscape. As more organisations become aware of the need to protect their data, a greater number of services and applications are using encryption as a primary method of securing information. However, encryption is also becoming a big problem. As more companies adopt better encryption practices, cyber criminals are using the benefits of encryption to evade detection and hide their malicious activities. Ironically, they are using cryptographic protocols (such as SSL/TLS) to deliver malicious attacks.

A study conducted by the Ponemon Institute revealed that malware in nearly half of the cyberattacks in the past 12 months used encrypted traffic as cover for entry, and this trend is expected to grow in correlation with the increase in the legitimate use of encryption.

Encrypted traffic will represent 80 per cent of all traffic in 2019 and, according to Zscaler, about 60 per cent of malicious payloads using SSL/TLS for command and control (C&C) activity come from banking Trojan families such as Zbot, Vawtrak and Trickbot. Another 12 per cent are infostealer Trojan families such as Fareit and Papra. A quarter of payloads come from ransomware families.

SSL attacks also put significant computing stress on the network and application infrastructures they target. Decrypting and re-encrypting SSL traffic increases traffic processing requirements - in many cases beyond the functional performance of applications used for attack mitigation. Most devices are inline, stateful and unable to handle SSL encrypted attacks, making them vulnerable to SSL floods.

Visibility into encrypted traffic is not the only challenge related to SSL/TLS. In a recent survey of industry practitioners, most were unconvinced about the ability of current solutions to decrypt, inspect and then re-encrypt traffic. This is a serious problem because SSL-based attacks take many forms, including encrypted SSL floods, SSL renegotiation, HTTPS floods and encrypted web application attacks.

The problem with encryption

According to a survey by Venafi, 87 per cent of CIOs believe their security defences are less effective since they cannot inspect encrypted network traffic for attacks, and 90 per cent of CIOs have or expect to suffer from a breach in which encrypted traffic is used to hide the attack.

According to Gartner, there are solutions for the SSL problem, but these are not without their own drawbacks. Gartner says that any organisation launching a web traffic decryption project will face many challenges that will impact speed to adoption. These include:

Organisational: Decrypting HTTPS creates privacy challenges for monitored employees. Local regulations or enterprise culture might hinder the decryption project or create internal tensions.

Technical: The use of decryption architecture might degrade the user experience, introducing poor performance and unexpected blocking of legitimate business applications.

Budgetary: The average cost per user of network security controls will increase dramatically because of the decryption costs, but the overall organisational perception of value might be low.

Additionally, those solutions that can carry out some level of decryption tend to rely on rate-limiting requests, which also drops legitimate traffic and is far from ideal. Many solutions also require the customer to share actual server certificates. This requirement complicates implementation and certificate management and forces customers to share private keys for protection in the cloud.

A new approach is needed

The good news is that a new wave of solutions is now emerging, helping to solve the SSL detection problem with a different, more effective approach. These analyse metadata using machine learning and behavioural analytics to detect attacks hidden in encrypted traffic in real time without the need for decryption.

It has been found that every attack has its own SSL metadata signature in the exchange between the user and the server. By collecting the right data and performing data transformation and feature calculations, these unique signatures and abnormalities can be detected with very high accuracy. This approach is innovative and unique and is opening a new era of SSL threat detection.

Using a technique known as Encrypted Cognitive Analytics, attacks can be detected more accurately on both normal and encrypted traffic by using metadata analytics and interflow metadata to collect, analyse and store the IN and OUT packets within a flow.

Encrypted Cognitive Analytics enables the creation of new types of data elements, or telemetry, that are independent of protocol details, such as the lengths and arrival times of packets within a flow. Importantly, these data elements apply equally well to both encrypted and unencrypted flows, meaning all traffic types can be included and monitored.

Metadata Traffic Analytics: a new approach for encrypted traffic analytics

The key element of this new way of securing encrypted and unencrypted data is Metadata Traffic Analytics, which enables encrypted data to be analysed without the need for decryption.

In essence, Metadata Traffic Analytics uses a cognitive platform to provide encrypted traffic visibility that accurately detects cyber threats in real time without the need for decryption. It does this by analysing network and SSL metadata using artificial intelligence to spot anomalies within encrypted (and unencrypted) communications with a high accuracy rate in real time.

It involves collecting the IN and OUT metadata, packets and information from inbound and outbound traffic, reconstructing the packet message sequence between IP addresses in real time, calculating new features as packets are received, and sending the whole message to the cognitive platform.

The analytics platform uses a combination of machine learning and behavioural analytics (in real time) on the packet message sequence as collected by the pre-processing engine. Each sequence is scored and categorised to ascertain if it is normal or abnormal activity, or an early sign of known malware.
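As an added illustration (not code from the article or from Barac), the sketch below shows the shape of the pipeline just described: packets are grouped into flows, ordered by arrival time, turned into protocol-independent features (direction, sizes, inter-arrival times) and each flow is scored against known-normal flows without touching any payload. The packet records, the feature set and the z-score rule are constructed assumptions standing in for a real collector and model.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records (flow_id, direction, length_bytes, time_s). "OUT" is
# client -> server, "IN" is server -> client. Only sizes, timing and direction are
# used; payloads are never read, so the same code applies to encrypted flows.
PACKETS = [
    ("A", "OUT", 517, 0.00), ("A", "IN", 1460, 0.02), ("A", "IN", 1200, 0.03),  # A: page load
    ("A", "OUT", 126, 0.04), ("A", "OUT", 300, 0.05), ("A", "IN", 1460, 0.07),
    ("A", "IN", 900, 0.08),
    ("B", "OUT", 517, 0.00), ("B", "IN", 1460, 0.03), ("B", "IN", 1100, 0.04),  # B: page load
    ("B", "OUT", 126, 0.05), ("B", "OUT", 280, 0.06), ("B", "IN", 1460, 0.09),
    ("B", "IN", 700, 0.10),
    ("C", "OUT", 517, 0.00), ("C", "IN", 1460, 0.02), ("C", "OUT", 126, 0.04),  # C: periodic,
    ("C", "OUT", 96, 5.04), ("C", "IN", 64, 5.06), ("C", "OUT", 96, 10.04),     # fixed-size
    ("C", "IN", 64, 10.06), ("C", "OUT", 96, 15.04), ("C", "IN", 64, 15.06),    # beacons
]

def flow_features(packets):
    """Reconstruct each flow's packet sequence and derive protocol-independent features."""
    flows = defaultdict(list)
    for fid, direction, length, t in packets:
        flows[fid].append((direction, length, t))
    feats = {}
    for fid, pkts in flows.items():
        pkts.sort(key=lambda p: p[2])                      # order by arrival time
        out_len = [l for d, l, _ in pkts if d == "OUT"]
        in_len = [l for d, l, _ in pkts if d == "IN"]
        times = [t for _, _, t in pkts]
        iats = [b - a for a, b in zip(times, times[1:])]   # inter-arrival times
        feats[fid] = {
            "out_pkts": len(out_len), "in_pkts": len(in_len),
            "out_bytes": sum(out_len), "in_bytes": sum(in_len),
            "out_in_ratio": sum(out_len) / max(sum(in_len), 1),
            "mean_iat": mean(iats) if iats else 0.0,
        }
    return feats

def score_flows(feats, baseline_ids, threshold=3.0):
    """Score = largest |z| of any feature against the baseline (known-normal) flows."""
    stats = {}
    for k in feats[baseline_ids[0]]:
        vals = [feats[f][k] for f in baseline_ids]
        m = mean(vals)
        stats[k] = (m, max(pstdev(vals), 0.05 * abs(m), 1e-9))  # floor the spread
    verdicts = {}
    for fid, fv in feats.items():
        z = max(abs(fv[k] - m) / s for k, (m, s) in stats.items())
        verdicts[fid] = (round(z, 1), "abnormal" if z > threshold else "normal")
    return verdicts
```

Flows A and B serve as the baseline, so they score as normal, while flow C's small, evenly spaced, fixed-size exchanges stand out on the ratio and timing features alone.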

Using these techniques, there is no need to decrypt the traffic; instead, artificial intelligence is used to pinpoint malicious patterns in encrypted traffic, helping to identify threats and improve incident response. The benefits include the ability to detect attacks in real time, visibility into encrypted traffic, high accuracy with reduced false positives, and the ability to collect and analyse more than 100 million events per second.

Omar Yaacoubi, founder, Barac

Omar Yaacoubi is the founder of Barac, which he set up in 2016 to detect malware hidden within encrypted traffic. Previously, he designed cybersecurity and anti-fraud solutions for global enterprises.