Decipher, decrypt, detect? The four biggest myths of encryption

[Image: a padlock icon next to a woman working on a laptop. Image credit: Shutterstock]

The uncomfortable truth is that cyberattacks are now a permanent feature of modern business, and they are increasingly sophisticated. Consequently, businesses of all sizes now believe it is essential to encrypt their data in transit, regardless of whether that data can be considered sensitive or not.

Encryption secures streams of data by translating plain text into cipher text, thus preventing it from being read. As a result, businesses create, by design, a level of opacity.

About the author

Philippe Gillet is the CTO and co-founder of Gatewatcher.

This creates two problems. Firstly, the business quickly hits a point where security restricts operations and the ability to react quickly. Secondly, it has opened up a possibility for criminals to use encrypted traffic to slip under the radar and infiltrate the network.

TLS 1.3, the latest version of the TLS encryption protocol, has turned this issue into a pressing problem, as it is becoming more and more complicated to decrypt network traffic. A solution has become a problem.

Security leaders therefore face the question of whether it is necessary to decipher all network flows in order to detect new threats. There are four main considerations to take into account when answering this question.

Factor 1: The difference between private and professional encryption

The need for, and nature of, encryption within the professional sector is different from that of private individuals. Encryption in the private sphere typically centers on guaranteeing the confidentiality of an individual's activities on the Web. The objective is typically to maintain the privacy of their browsing, or the security of their data during a purchase on the Internet.

Conversely, a company has different needs, and encryption is not always the answer. To maintain good technological health, a company must instead focus on keeping control over all activities within its network. This does not necessitate encryption.

A business can therefore run different protocols from those of the private sphere: DNS over HTTPS (DoH) is prohibited and DNS requests are monitored, so that the business controls and retains its own history. Given the demands of compliance, it is more important to control network activity than to simply entrust security to encryption.

Factor 2: Attacks that pass through encrypted channels

IT security professionals must always assume the worst-case scenario. In this case, that means an adversary smart enough to ‘fully encrypt the attack’. But this assumption can prevent a proper understanding. If we look at attacks as a whole, in reality few flows are encrypted. Based on the modus operandi of actual attacks, we can see at which moment the flows become (potentially) encrypted.

Whether in the context of a phishing attempt, the exploitation of a vulnerability, or even lateral movement, most attacks start with flows that are rarely, if ever, encrypted. During phishing attacks, the malicious binary will usually be exposed, especially through the DNS requests necessary to download it.

The truth is that attacks are rarely made stealthy ‘going forward’. It is only once attackers have fully taken control of the infrastructure that they can become stealthy and cover their tracks.

Factor 3: Decryption tools see everything

There are a large number of technologies involved in decryption, such as the Network Packet Broker (NPB), firewall, SSL TAP, proxy, agent/EDR, WAF, load balancers and more.

However, each of these technologies has its own characteristics, and its effectiveness varies with the environment in which it operates. They are not omniscient. They cannot decipher everything in every situation.

A lot of this misconception is the result of vendor hype claiming to offer a panacea. Yet, even here, container and content are often confused in the decryption process. Today, companies often make the mistake of focusing, in the majority of cases, on decrypting the container, especially HTTPS.

But criminals understand and exploit this preference. They now encrypt only the content of the data (the payload), making it inaccessible and unusable, since no technology at the container layer is capable of decrypting that content.

Factor 4: Metadata is not enough to detect threats

Metadata is the vanguard of detecting encrypted, malicious streams. Given the richness of information on offer, metadata is a potential gold mine for organizations wishing to analyze the flow that crosses their network.

By studying the statistics and frequency of occurrence of patterns, communication peaks, and other features, machine learning algorithms are able to provide extremely relevant information and generate alerts through metadata analysis. For example, a criminal investigation service can recover essential information about the encrypted exchanges of cybercriminals.

Whilst no security professional will entrust their operations to just one approach, metadata is perfectly sufficient to investigate and analyze the network flow, because encryption is then no longer an obstacle to identifying a potential threat. Criminals cannot encrypt their behavior, and this behavior itself leaves tracks.
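As an added illustration of the point above (example code, not from the article or from Gatewatcher), the following script looks only at flow metadata, never at payloads, and flags a host whose connections recur at machine-like intervals with near-constant sizes. The flow records, host addresses and thresholds are constructed for the example.

```python
"""Beaconing detection on flow metadata alone, with no payload decryption.
Each record is (timestamp_seconds, src, dst, dst_port, bytes_out)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow metadata (not real traffic): irregular browsing
# from 10.0.0.5, plus one host calling a single address every ~60 s
# with an almost constant size, the kind of track behaviour leaves.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 5120),
    (17, "10.0.0.5", "203.0.113.10", 443, 9800),
    (21, "10.0.0.5", "203.0.113.10", 443, 300),
    (95, "10.0.0.5", "203.0.113.10", 443, 12000),
    (140, "10.0.0.5", "203.0.113.10", 443, 700),
] + [
    (t, "10.0.0.9", "198.51.100.7", 443, size)
    for t, size in [(5, 401), (64, 398), (126, 404), (185, 399), (246, 402), (305, 400)]
]

def group_flows(flows):
    """Bucket timestamps and sizes per (src, dst, port) tuple."""
    groups = defaultdict(lambda: {"times": [], "sizes": []})
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)]["times"].append(ts)
        groups[(src, dst, port)]["sizes"].append(size)
    return groups

def beacon_score(times, sizes):
    """Coefficient of variation of inter-arrival intervals and of sizes;
    values near zero mean the regularity of a scheduled callback."""
    times = sorted(times)
    intervals = [b - a for a, b in zip(times, times[1:])]
    return pstdev(intervals) / mean(intervals), pstdev(sizes) / mean(sizes)

def find_beacons(flows, min_flows=5, max_interval_cv=0.15, max_size_cv=0.05):
    """Return (tuple, interval_cv, size_cv) for tuples with enough flows
    whose timing and size regularity both fall below the thresholds."""
    hits = []
    for key, g in group_flows(flows).items():
        if len(g["times"]) < min_flows:
            continue
        interval_cv, size_cv = beacon_score(g["times"], g["sizes"])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append((key, round(interval_cv, 3), round(size_cv, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon (metadata only):", hit)
```

The thresholds are deliberately simple; in practice they would be tuned per environment and combined with other metadata features before raising an alert.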

To establish an effective cybersecurity strategy, it is important to recognize the factors that can blind decision-making. Just as encryption is not a silver bullet, the malicious use of encryption does not prevent the detection of a potential cyber threat.

Of course, when dealing with the latter, it is necessary to know how to implement decryption tools and in which environment to integrate them. But first, it is important to address the misunderstandings around the technology, removing the myths around encryption, be it malicious or otherwise.


Philippe Gillet is the CTO and co-founder of Gatewatcher, a cybersecurity software provider specializing in advanced intrusion detection.