SSL visibility: decrypt and conquer

As more internet traffic is encrypted, the need to inspect that traffic grows, because that is where the malware will be, says Ron Symons, adding that the time to invest in such systems is now.

Ron Symons, regional director, A10 Networks

Companies have long had to be on their guard against data breaches, but for consumers the threats have often felt removed – something ‘out there’ rather than close to home.

2015 may have lulled many consumers into a false sense of security, but 2016 is bringing a new wave of hidden threats. Since Edward Snowden's revelations back in 2013, the Secure Sockets Layer (SSL) has become increasingly popular with application owners and hackers alike, offering a high level of security, confidentiality and integrity. Seen as one of the most effective ways to ensure privacy online, SSL is also promoted by initiatives like ‘Let's Encrypt’, the free and automated certificate authority provided by the Internet Security Research Group. In a world where information feels increasingly vulnerable, encryption seems to hold the key to a strong defence.

The unfortunate flip side, however, is that encryption also allows hackers to conceal their exploits from security devices such as firewalls, intrusion prevention systems and data loss prevention platforms. Many of these products suffer a severe performance hit when they decrypt SSL, while others cannot decrypt SSL traffic at all because of where they sit in the network. Ironically, movements like Let's Encrypt make it even easier for hackers to obtain SSL certificates to sign malicious code or to host malicious HTTPS sites.

To counter the threat posed by SSL encryption, organisations actually need to decrypt and inspect inbound and outbound traffic. As part of these efforts, a dedicated SSL inspection platform can enable third-party security devices to eliminate the blind spot in corporate defences.

To get a better idea of what businesses are facing, let's look at three ways malware developers use encryption to escape detection:

1. Zeus Trojan

First identified in 2007, the Zeus Trojan is one of the many types of malware that incorporates encryption. It remains one of the most prevalent and dangerous pieces of financial malware around, responsible for compromising approximately four million PCs in the US alone as of December 2014. The Zeus attack toolkit is widely used by countless criminal groups, enabling them to develop variants that are even more sophisticated. This has led to the formation of the peer-to-peer botnet Gameover Zeus, which leverages encryption for both malware distribution and command and control (C&C) communications.

2. Command and control updates from social media sites

Some new malware strains use social networks, such as Twitter and Facebook, and web-based email for command and control communications. For instance, malware can receive C&C commands from malicious Twitter accounts or from comments on Pinterest, both of which encrypt all communications. To detect these botnet threats, organisations need to decrypt and inspect SSL traffic; otherwise security analysts may dismiss a client machine's connections to social media sites as harmless.

3. Remote access Trojan (RAT)

A German security research team recently discovered a remote access Trojan (RAT) that receives C&C commands through online email accounts, such as Gmail and Yahoo Mail. More surprisingly, consultants at Shape Security discovered at least one Icoscript strain that receives C&C updates from Gmail draft messages. The malware attempts to evade detection by never actually sending the emails. Because both Gmail and Yahoo Mail encrypt their traffic, malware developers rely on that encryption to stay hidden. Organisations must therefore decrypt and inspect traffic to email sites, or malware will pass them by.
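To make the blind spot described in the three cases above concrete, here is an added example (not from the article, and not A10 product code) of what a security device that does not decrypt can actually read from a TLS session: the Server Name Indication in the ClientHello, and nothing more. The ClientHello bytes and the hostname are constructed sample data; the decrypted request to a social media site or a webmail draft folder never becomes visible to such a device.

```python
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample data)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                                # client_version + fixed 'random'
            + b"\x00"                                                 # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS handshake record, or None if absent or malformed.

    This is all a device without the session keys can read; every later record
    (content type 0x17, application data) is opaque to it.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not a handshake record / not a ClientHello
            return None
        pos = 43                                     # 5 record hdr + 4 hs hdr + 2 version + 32 random
        pos += 1 + record[pos]                                      # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]         # cipher suites
        pos += 1 + record[pos]                                      # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]    # end of extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:
                name_len = struct.unpack_from("!H", record, pos + 3)[0]   # skip list len + name type
                name = record[pos + 5:pos + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

if __name__ == "__main__":
    hello = build_client_hello("mail.google.com")                     # constructed sample session
    print("visible without decryption:", extract_sni(hello))          # prints the hostname only
    app_data = b"\x17\x03\x03\x00\x05" + b"\x00" * 5                  # opaque application data record
    print("visible from the payload:", extract_sni(app_data))         # prints None
```

A metadata-only device can log that a client talked to a webmail host, but it cannot tell a user reading mail from a RAT polling a draft folder; that distinction is only available after decryption.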

What now?

At present, encrypted traffic makes up a third of all global internet activity. That share is set to rise sharply in the coming months, however, as internet giants like Netflix move their operations onto SSL. The upshot will be that encryption becomes the default method of distributing malware and carrying out hacks. Whether it is malicious files posted on social media or malware delivered by email, the coming year is going to see a noticeable spike in encrypted attacks.

For businesses, now is the time to invest in inspection solutions which can pick up these threats before they enter the network – or risk falling foul of an invisible enemy.

Contributed by Ron Symons, regional director, A10 Networks