Fighting blind: The convergence of modern applications, SSL and advanced threats

Modern attackers have, by necessity, become highly adaptable, customising their tools to evade traditional security controls and producing threats that are more sophisticated than ever.

An online culture of 'share everything' compounds the issue: social media gives attackers many opportunities to exploit unsuspecting users with a wealth of misleading links, scripts, ads and images.

In response to these risks, the most popular online applications adopted SSL to encrypt their traffic and protect the user. What this move fails to acknowledge is that it also makes that traffic invisible to the enterprise's own security controls.

A port-based firewall lets SSL traffic through on its permitted ports without being able to inspect the payload, so any malicious traffic routed through these applications risks being given a free ride. The challenge for the security practitioner, therefore, is to fight an enemy that they cannot see.

The indiscernible threat

Recent analysis of live enterprise networks shows the reach of SSL exploding: a growing share of total enterprise bandwidth is consumed by applications that can run over SSL or hop ports. SSL use is only expected to increase, as popular social media applications such as Twitter and Facebook have adopted HTTPS by default to improve privacy for their users' communications. On a wider scale, however, it makes it easier for malware to hide and spread.

Ubiquitous use of SSL makes it easy for an attacker's traffic to blend in with normal user traffic and traverse the network without suspicion. This is true for outbound as well as inbound traffic: a variety of bots and malware are known to use such channels for command and control of a botnet or an ongoing intrusion.

While SSL provides a moderate privacy improvement for users by default, it also leaves the enterprise far more vulnerable to organised attacks, lost data and compromised systems, posing some major challenges for enterprise security.

The issue is not restricted to HTTPS either. Any application can wrap its traffic in SSL on any port, and so can an attacker. The places for hackers to hide therefore appear almost infinite.

A block on performance

Palo Alto Networks' 2013 Application Usage and Threat Report, which tracks the prevalence of applications of all types, including those with the potential to circumvent security, found that 26 per cent of enterprise applications use SSL in some way, shape or form, and that 85 of them did not use the standard SSL ports.

In a six-month study of more than 3,000 enterprise networks worldwide, SSL represented five per cent of all bandwidth and generated the sixth highest volume of malware logs among known applications.

In addition to being a significant source of malware logs, SSL obscures traffic from network security solutions such as intrusion prevention systems (IPS) and anti-malware products.

The ramifications for enterprise security are clear: if you cannot control traffic that is SSL-encrypted, you are leaving a clear path open for malware to get into and out of your network. I have singled out social media applications here because they remain a common point of infection between enterprise networks and targeted botnets through enticement: a video or a picture is used to encourage the 'click here'. Organisations lacking the ability to enforce security on SSL-encrypted communications are effectively blind to this potentially malicious traffic.

Defending the unknown

The broadened use of SSL has, ironically, taken a bad security situation and made it worse by encrypting the very channels hackers use to attack the network. Attackers can simply ride within the SSL connection between the application and the user. This provides a near-perfect platform for an attacker: a wealth of targets, a full complement of attack vectors, and built-in cloaking from security solutions.

To defend the unknown, enterprise security teams must find ways to selectively identify, decrypt and inspect high-risk SSL traffic without hampering network performance. Enterprises need to control SSL traffic through policies that specify which traffic is decrypted and inspected; again, the main culprits include social networking, web-based email, micro-blogging and instant messaging sites.

Decrypting outbound SSL also enables other key features that remain incomplete without it: control of circumventors, application function control, scanning of allowed applications, and control of applications sharing the same connection.

IT teams should also carefully examine recognition and decryption of SSL on any port, policy control over what is decrypted, and the hardware and software needed to perform SSL decryption across tens of thousands of simultaneous connections.
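Recognising SSL on any port and applying a decryption policy to it, as an added example that is not Palo Alto Networks code and is not taken from the report: the parser identifies a TLS ClientHello by its content rather than by the destination port, pulls out the SNI hostname, and a hypothetical policy decides whether the flow is decrypted, bypassed or merely logged. The hostnames, the category map, the policy sets and the ClientHello bytes are all constructed for the example.

```python
import struct

# TLS constants (RFC 5246 record/handshake framing, RFC 6066 server_name extension)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Hypothetical policy: SNI categories that are decrypted, and categories bypassed
# because inspecting them would be a privacy or regulatory problem.
DECRYPT_CATEGORIES = {"social-networking", "web-mail", "micro-blogging", "instant-messaging"}
BYPASS_CATEGORIES = {"financial", "health"}

# Constructed stand-in for a URL categorisation feed; real products ship their own.
CATEGORY_MAP = {
    "www.facebook.com": "social-networking",
    "twitter.com": "micro-blogging",
    "mail.example.net": "web-mail",
    "bank.example.com": "financial",
}


def build_client_hello(sni, version=(3, 3)):
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension.

    Not a real capture: it has just the structure the parser must walk
    (random, session id, cipher suites, compression, two extensions)."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension after SNI, so the parser has to skip correctly.
    ext += struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x17"  # supported_groups
    body = (
        bytes(version) + b"\x11" * 32                            # version + fixed random
        + b"\x00"                                                # empty session id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"             # two cipher suites
        + b"\x01\x00"                                            # null compression only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'version': (maj, min), 'sni': str or None} if data begins with a
    TLS ClientHello, else None. The decision rests on payload content only, so
    it behaves the same for traffic on 443, 8443 or any other port."""
    if len(data) < 9 or data[0] != TLS_HANDSHAKE or data[1] != 3 or data[5] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    p = data[9:9 + hs_len]
    if len(p) < hs_len:                      # truncated record: refuse to guess
        return None
    try:
        version = (p[0], p[1])
        off = 2 + 32                         # skip client_random
        off += 1 + p[off]                    # session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
        off += 1 + p[off]                    # compression_methods
        sni = None
        if off + 2 <= len(p):                # extensions block is optional
            end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
            off += 2
            while off + 4 <= end:
                etype, elen = struct.unpack("!HH", p[off:off + 4])
                edata = p[off + 4:off + 4 + elen]
                off += 4 + elen
                if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                    nlen = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + nlen].decode("ascii", "replace")
        return {"version": version, "sni": sni}
    except (IndexError, struct.error):       # malformed hello: treat as not TLS
        return None


def classify_flow(payload, dst_port):
    """Decide what a decrypting gateway does with the first client packet of a flow.
    dst_port is kept for the log but deliberately plays no part in the decision."""
    hello = parse_client_hello(payload)
    if hello is None:
        return {"port": dst_port, "action": "inspect-plaintext", "sni": None}
    category = CATEGORY_MAP.get(hello["sni"], "unknown")
    if category in BYPASS_CATEGORIES:
        action = "bypass"                    # privacy/regulatory exclusion
    elif category in DECRYPT_CATEGORIES or hello["sni"] is None:
        action = "decrypt"                   # high-risk, or nothing to categorise at all
    else:
        action = "log-only"                  # known lower-risk site: save decrypt capacity
    return {"port": dst_port, "action": action, "sni": hello["sni"], "category": category}


if __name__ == "__main__":
    samples = [
        (build_client_hello("www.facebook.com"), 443),
        (build_client_hello("twitter.com"), 8443),              # SSL on a non-standard port
        (build_client_hello("bank.example.com"), 443),
        (b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", 443),  # plaintext on 443
    ]
    for payload, port in samples:
        print(classify_flow(payload, port))
```

The point of the port argument being ignored is that a flow to TCP 8443 carrying a ClientHello for a micro-blogging site gets the same "decrypt" verdict as one to 443, while plaintext HTTP sent to 443 is simply inspected as-is. In a real deployment the gateway additionally has to present a certificate issued by an enterprise CA that the endpoints trust, and the bypass list exists because decrypting banking or healthcare sessions is commonly a privacy or regulatory problem rather than a technical one.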

Needless to say, SSL is critical for enterprises as well as for potential attackers. Ultimately, defending the unknown relies on enterprises exerting control over the applications that represent the highest risk and identifying any gaps in their IT that hackers could exploit.

Alex Raistrick is director for Western Europe at Palo Alto Networks