Transport layer encryption can blind security tools when traffic is left undecrypted for inspection, often simply to avoid latency and complexity.
Cyberthreats are constantly evolving, and as technology advances, so do the tactics used by cybercriminals. Proper encryption is used as a form of protection against attacks on browsers, protocols and applications. And as more websites and apps adopt Transport Layer Security (TLS) to tighten online security, cybercriminals are now making it a priority to leverage TLS to obfuscate the contents of malicious communication.
Encryption provides privacy
TLS is the encryption standard used on the internet today. It is designed to provide confidentiality and authenticity by encrypting the communication between two parties and verifying that the server is legitimate, based on its certificate and who issued it.
However, while TLS provides privacy, it does not by itself provide content security or any assurance that the content is not malicious. For example, a business can have a perfectly valid, encrypted and ‘secure’ connection to a site that actually hosts malicious content. That is why it is critical to inspect encrypted traffic.
Ironically, encryption is one of the strongest weapons that malware authors can leverage. As mentioned, cybercriminals can take advantage of encryption to obfuscate their code. They can also leverage it to prevent users (in the case of ransomware) from accessing their files, and to secure their own malicious network communication. In fact, encrypted traffic is a huge security risk because it renders firewalls blind to what is flowing through the network, preventing them from identifying and blocking malicious content.
Out of all the malware that has made some kind of network connection, our research found that nearly a quarter (23%) of malware families use encrypted communication. Unfortunately, most organizations have firewalls that lack scalable decryption capabilities, and are unable to inspect encrypted traffic without causing applications to break or without degrading network performance. These threats are also overlooked by security teams due to performance and complexity concerns.
Fighting chaos in encrypted data
It might seem to be a given that all businesses would inspect encrypted traffic. However, it is reported that while 82% of global companies surveyed agree that decryption inspection is necessary, only 3.5% are decrypting their traffic to properly inspect it. Businesses are not decrypting their network traffic for several reasons, including concerns about firewall performance, lack of proper policy controls, and poor user experience.
The reality is that most organizations need to carefully balance performance, privacy, and security. Nevertheless, it remains a necessity for companies to employ network security systems that can provide critical visibility to this blind spot while eliminating frustrating latency and compatibility issues.
Moreover, TLS is a complex protocol requiring different certificates to be exchanged. There are several TLS versions and many applications and web services that do things differently. This presents enormous challenges for any security solution that attempts to inject itself into this process for the purpose of inspecting and securing the content that is exchanged.
TLS is here to stay
As cyberthreats continue to evolve, no industry is safe from cyberattacks. The volume of attacks will continue to grow year after year. Most recently, the FBI revealed, based on the reports it received, that criminals netted US$3.5bn from cybercrime in 2019.
As we approach 100% network traffic encryption, the cost of cybercrime will only increase in the future. At the same time, hackers will continue to exploit encryption in their cyberattacks.
To minimize the security risk from encrypted network traffic, organizations should:
- Inspect network traffic and check the TLS certificate details of https communications.
- Pay significant attention to unusual or unexpected volumes of https traffic to unknown domains, or traffic using invalid or forged TLS certificates. This is especially crucial during financial transactions or when personal or sensitive information is being entered into browsers.
- Invest in network solutions that can perform the different kinds of TLS communication inspection, and that communicate and coordinate with your anti-virus, VPN, firewalls, and/or IDS/IPS solutions to halt suspicious or known malicious network communications.
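As an added illustration of the second recommendation (not code from the original article or any product), the script below runs two of those checks over constructed, key=value style TLS connection logs: it flags self-signed and expired certificates, and it totals bytes sent from each source to any domain outside an assumed allow-list and alerts once an assumed threshold is crossed. The log format, the allow-list and the threshold are all assumptions for the example.

```python
import shlex
from collections import defaultdict
from datetime import date

# Constructed sample in a key=value style a TLS-inspecting proxy might log (not any real product's format)
SAMPLE_LOG = """\
2019-11-04T09:12:01Z src=10.1.1.20 sni=mail.example.com issuer="Let's Encrypt" self_signed=no not_after=2020-01-15 bytes_out=4200
2019-11-04T09:13:44Z src=10.1.1.31 sni=a1b2c3.xyz issuer="a1b2c3.xyz" self_signed=yes not_after=2029-01-01 bytes_out=950000
2019-11-04T09:14:02Z src=10.1.1.31 sni=a1b2c3.xyz issuer="a1b2c3.xyz" self_signed=yes not_after=2029-01-01 bytes_out=1200000
2019-11-04T09:15:10Z src=10.1.1.40 sni=old.example.org issuer="Example CA" self_signed=no not_after=2019-10-01 bytes_out=300
"""
KNOWN_DOMAINS = {"example.com", "example.org"}  # assumed allow-list of the business's own and partner domains
VOLUME_THRESHOLD = 1_000_000                     # assumed: bytes from one source to one unknown domain before alerting


def parse_record(line):
    """Turn one log line into a dict; shlex keeps the quoted issuer name as a single token."""
    tokens = shlex.split(line)
    rec = {"ts": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["not_after"] = date.fromisoformat(rec["not_after"])
    return rec


def registered_domain(host):
    # Crude 'last two labels' reduction; a real deployment would consult a public-suffix list
    return ".".join(host.split(".")[-2:])


def analyze(log_text):
    """Return sorted (src, domain, reason) findings for certificate problems and volume to unknown domains."""
    findings = set()
    volume = defaultdict(int)
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        domain = registered_domain(rec["sni"])
        # Certificate checks: self-signed chains, and certificates already expired when the connection was made
        if rec["self_signed"] == "yes":
            findings.add((rec["src"], domain, "self-signed certificate"))
        if rec["not_after"] < date.fromisoformat(rec["ts"][:10]):
            findings.add((rec["src"], domain, "expired certificate"))
        # Volume check: only domains outside the allow-list accumulate toward the threshold
        if domain not in KNOWN_DOMAINS:
            volume[(rec["src"], domain)] += rec["bytes_out"]
    for (src, domain), total in volume.items():
        if total >= VOLUME_THRESHOLD:
            findings.add((src, domain, f"{total} bytes sent to unknown domain"))
    return sorted(findings)
```

In the sample, the two connections from 10.1.1.31 to a self-signed, unknown domain add up past the threshold and produce both a certificate and a volume finding, while the expired certificate on a known domain is reported on its own.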