On the one hand, that's good for security. The more things are encrypted, the harder it is for attackers to steal data, eavesdrop on communications, and compromise systems.
On the other hand, the same encryption that can be used to protect people, data, and systems is also used by cybercriminals and state actors to protect their people, data, and systems.
According to a report released by Zscaler last fall, 80% of attacks now use encrypted channels – up from just 57% the previous year.
In fact, criminals are ahead of enterprises in their use of encryption.
According to the Ponemon Institute's 2021 global encryption trends survey, 50% of organizations have a consistently applied encryption strategy. Another 37% have a limited encryption strategy, applied only to a limited number of applications or data types.
Network encryption and privacy
Encrypted traffic is less likely to be inspected by security teams, and makes malicious files harder to detect.
According to a SANS security operations center survey released in October, only 22% of companies inspect all encrypted traffic, while 45% do no interception at all and 30% have TLS interception implemented but don't do anything with the information.
The most common reason for not monitoring traffic? Corporate concerns about regulations and privacy. However, none of the companies that were inspecting encrypted traffic reported any legal issues.
"There's a light and a dark side to any technology you bring in to crack encrypted communications," said Zach Jones, senior director of detection research at NTT Application Security. "When you crack that open, maybe you can gain additional visibility, but guess what could be in there? PII and sensitive information. You can create more problems for yourself if you mishandle that sensitive data. I've seen anecdotes of security teams going wrong if they were logging something they shouldn’t have been."
Defending against encrypted malicious traffic requires that companies have controls in place on inbound traffic to keep malware and attackers out, on outbound traffic to prevent exfiltration of data, and on internal traffic to prevent attackers from moving laterally through networks.
Inspecting inbound traffic
Legacy systems can easily become bottlenecks, slowing down traffic and impacting employees and customers.
Today, organizations are moving to cloud-native proxies that inspect inbound traffic before it hits corporate networks, filtering out malicious messages before they can clog the pipes.
According to a WatchGuard report released this January, companies that inspected incoming encrypted traffic said that 70% of malware came in over an encrypted connection.
But even though inspection capabilities are built into WatchGuard's Firebox security product, most customers don't turn it on, the company said. "Having a firewall without configuring it to inspect for zero day malware or configuring to inspect encrypted connections doesn’t use the full advantage offered by a firewall and leaves big security holes in your network perimeter if not fixed."
In a similar report released the previous quarter, WatchGuard reported that only 20% of customers were scanning encrypted traffic – while 91% of attacks came in via that channel.
For example, attackers have been encrypting traffic to avoid detection of Log4Shell attacks, reported threat researchers at ExtraHop.
Mike Manrod, CISO at Grand Canyon Education, said that he faced just this issue. The organization provides shared tech services to Grand Canyon University in Phoenix, Arizona, as well as other educational institutions – more than 100,000 users in total.
Dealing with Log4Shell's encrypted communications required three levels of defense, Manrod told Data Center Knowledge.
First, there was a cloud-based web application firewall, which stopped 90% of the attacks, he said, without creating issues with performance latency.
"But not all traffic can go through the cloud WAF," he added.
So another 9% of the Log4Shell attacks were stopped by the edge firewall.
That still leaves a small number of attacks that got through both layers of protection, and here network defenses came into play, Manrod said. The company uses network detection and response tools from Corelight and decryption tools from Gigamon and Citrix NetScaler, among others.
"It's always unwise for any security leader to declare with certainty or overconfidence, but we had a great deal of success with that multi-layer strategy," he said.
There are privacy issues when it comes to inspecting traffic, Manrod said, but this is where organizations need to define policies about what they do and do not want to see: "There are things you never want to decrypt," he said.
For example, if enterprise users are allowed to access personal banking or health care sites on work devices, or other things of a very personal nature, those might be off-limits.
But many other communications that are not typically inspected should be, Manrod said. For example, when attackers compromise enterprise software, the back channels those applications use for their own internal communications or updates can be problematic.
That's what happened with SolarWinds: "There's a tendency to trust vendor-supplied updates, and a tendency to allow them too much communication out, which attackers have compromised in multiple supply chain attacks."
Inspecting outbound traffic
If more enterprises had edge firewall policies that prohibited outbound communications to anywhere except explicitly allowed locations, the SolarWinds attack would have been blocked, Manrod said.
And decrypting outbound communications should be even easier than inbound ones, he added. "You control your endpoints and what certificates are deployed on them and what policies are in place."
According to the Zscaler report, attackers use encrypted channels to exfiltrate data, like stolen personal and financial information, and to connect to command-and-control servers.
"Many IT administrators allow full outbound internet access from internal machines, which is a risk to the network," explained Matthew Parsons, director for network and security product management at Sungard Availability Services.
He recommends that data center cybersecurity managers lock down all outbound internet traffic so servers can't send data offsite, and use internal servers for pushing patches and updates.
"For the servers that do need to initiate outbound access to the Internet, configure them to only be able to access specific patching IPs or domains," Parsons told Data Center Knowledge. "And, as a best practice, utilize a proxy for enhanced visibility and control over outbound traffic."
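The egress policy Parsons describes (no direct internet access except from designated patch servers to their vendors' update hosts, everything else via a proxy) can be audited against flow records. The following is an added example, not code from the article or from any vendor named in it; the addresses, the policy table and the flow lines are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy (constructed): only the proxy and the listed patch servers
# may talk to the internet, and patch servers only to their allow-listed vendors.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PROXY_IP = ipaddress.ip_address("10.0.0.8")
DIRECT_EGRESS = {
    ipaddress.ip_address("10.0.5.20"): {"updates.vendor.example", "203.0.113.10"},
}

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    sni: str  # TLS server name from the ClientHello; "" if none was seen

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse a 'key=value' flow record such as 'src=10.0.7.31 dst=198.51.100.99 dport=443'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]), fields.get("sni", ""))

def check_flow(flow):
    """Return None when the flow complies with the egress policy, else the reason it does not."""
    if is_internal(flow.dst):
        return None  # east-west traffic is governed by segmentation, not by this policy
    if flow.src == PROXY_IP:
        return None  # the proxy is the sanctioned path out, and the place to log and inspect
    allowed = DIRECT_EGRESS.get(flow.src)
    if allowed is None:
        return "direct internet egress from non-exempt host"
    # SNI is client-supplied, so the domain match assumes the firewall or proxy also
    # validates the server certificate; the IP match does not depend on that.
    if str(flow.dst) in allowed or flow.sni in allowed:
        return None
    return "exempt host contacted destination outside its allow-list"

def audit(lines):
    """Return (line, reason) for every flow record that violates the policy."""
    violations = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            violations.append((line, reason))
    return violations

SAMPLE_FLOWS = [  # constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "src=10.0.5.20 dst=203.0.113.10 dport=443 sni=updates.vendor.example",  # patch server, allowed vendor
    "src=10.0.0.8 dst=198.51.100.44 dport=443 sni=www.example.com",         # proxy doing the egress
    "src=10.0.7.31 dst=198.51.100.99 dport=443",                            # app server going out directly
    "src=10.0.5.20 dst=198.51.100.55 dport=443 sni=cdn.other.example",      # patch server, off-list host
    "src=10.0.7.31 dst=10.0.5.20 dport=8530",                               # internal patch pull
]
```

The third and fourth records are the ones a lock-down policy is meant to surface: an encrypted session leaving the network from a host with no business doing so, and an exempt host reaching beyond its allow-list.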
Watching lateral movements
East-west (lateral) traffic is a bigger problem than either inbound or outbound communications, Grand Canyon's Manrod said.
"Attackers are good at using cryptography and atypical communication methods," he said. "Or using expected communication methods and living off the land."
With internal communications between two pieces of malware, both ends of the communication channel are under the attacker's control, so they can use strong encryption to hide messages. Of course, just the fact that suspicious processes are sending secret messages to one another inside your network could be a sign that something fishy is going on.
Most traffic inspection tools are designed to monitor incoming and outgoing traffic – not internal traffic on the network.
Constantly encrypting and decrypting traffic at every step can create network bottlenecks and cause performance problems. At the same time, ignoring network encryption creates a significant visibility issue for security teams.
Zero-trust architectures and network segmentation are currently the go-to answers to the problem of lateral movement, but some vendors are starting to offer centralized SSL decryption solutions that reduce processing and management overhead.