The latest set of statistics from the Let's Encrypt project reveals that during January the number of HTTPS sites requested by Firefox users tipped over 50 percent for the first time.
The knee-jerk reaction is to applaud this achievement as showing that the security message is increasingly understood. That green padlock, or whatever variation your browser client of choice uses, indicates that the page you are accessing has been delivered via HTTPS. Nothing less and certainly nothing more; it's not a guarantee that the content is safe or the page is no threat to your security.
Things are never that clear cut in the world of cyber-crime and, as last year's Hidden Threats in Encrypted Traffic report revealed, almost half of cyber attackers used encrypted traffic to evade detection.
So, are the kinds of encrypted tunnels created using HTTPS helping the bad guys, and how can enterprises best secure data from attackers hiding in encrypted traffic? SC Media has been investigating.
We started by looking at how threat actors typically use something like HTTPS as part of an attack scenario.
"HTTPS creates encrypted tunnels that go in and out of our organisations. Security controls can't look inside unless they are enabled to do so," Kevin Bocek, VP of security strategy at Venafi, reminds us, continuing: "Cybercriminals exploit the inability to look inside of encrypted HTTPS tunnels to launch their attacks…"
Martin Ellis, security consultant at SureCloud, pointed out, “HTTPS is also commonly used for data exfiltration, both by attackers who have gained access to data on your network and malicious users inside your network.”
Then there are the watering hole attacks, warns William Culbert, director of solutions engineering at Bomgar, “giving the impression of navigating a secure site over HTTPS but unknowingly the user clicks on a link or views flash content that downloads and executes malware.”
Thinking a little more laterally, those who would deny you service are targeting the SSL handshake mechanism by sending garbage data to the SSL server or abusing functions related to the SSL encryption key negotiation process. "SSL attacks are popular because they are asymmetric," Pascal Geenens, Radware's EMEA security evangelist, explains. "Each SSL session handshake consumes 15 times more resources from the server than it does from the client."
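The asymmetry Geenens describes is what a defender can watch for: a client that keeps opening handshakes it never completes costs the server far more than it costs the client. The following is an added example (not code from the article or from any vendor quoted in it) that scans a constructed, hypothetically formatted TLS front-end log and flags clients whose handshake rate within a sliding window exceeds a threshold, together with the share of their handshakes that were aborted:

```python
"""Flag clients opening an abnormal number of TLS handshakes in a short window.

Added example; the log format ("<ISO timestamp> <client_ip> handshake <ok|aborted>")
is hypothetical and the sample lines are constructed.  Lines are assumed to be
in chronological order, as a front-end log normally is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) handshake (?P<outcome>ok|aborted)$"
)

# Constructed sample log: 203.0.113.7 starts six handshakes in two seconds and
# abandons each one, which is the asymmetric-cost pattern described above;
# the other two clients behave normally.
SAMPLE_LOG = """\
2024-01-15T10:00:00 198.51.100.9 handshake ok
2024-01-15T10:00:00 203.0.113.7 handshake aborted
2024-01-15T10:00:00 203.0.113.7 handshake aborted
2024-01-15T10:00:01 203.0.113.7 handshake aborted
2024-01-15T10:00:01 192.0.2.44 handshake ok
2024-01-15T10:00:01 203.0.113.7 handshake aborted
2024-01-15T10:00:02 203.0.113.7 handshake aborted
2024-01-15T10:00:02 203.0.113.7 handshake aborted
2024-01-15T10:00:03 198.51.100.9 handshake ok
2024-01-15T10:00:20 203.0.113.7 handshake ok
"""


def parse(lines):
    """Yield (timestamp, client_ip, outcome) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["client"], m["outcome"]


def handshake_floods(lines, window=timedelta(seconds=5), threshold=5):
    """Return {client: {"peak": n, "abort_ratio": r}} for every client whose
    handshake count inside any `window`-long interval exceeded `threshold`.

    `peak` is the highest number of handshakes seen in one window and
    `abort_ratio` the fraction of that client's handshakes that were aborted.
    """
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    peak = defaultdict(int)
    total = defaultdict(int)
    aborted = defaultdict(int)

    for ts, client, outcome in parse(lines):
        q = recent[client]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        peak[client] = max(peak[client], len(q))
        total[client] += 1
        if outcome == "aborted":
            aborted[client] += 1

    return {
        c: {"peak": peak[c], "abort_ratio": aborted[c] / total[c]}
        for c in peak
        if peak[c] > threshold
    }


if __name__ == "__main__":
    for client, stats in handshake_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: peak {stats['peak']} handshakes per window, "
              f"{stats['abort_ratio']:.0%} aborted")
```

The window and threshold are deliberately parameters: the right values depend on what a legitimate burst looks like for the service in question, and the abort ratio is what separates a busy but honest client from one that only pays for ClientHellos.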
And we had better not forget the threat du jour this last year, ransomware. "HTTPS is well suited to masking ransomware," says Andrew Avanessian, vice president at Avecto, "as attackers can use encrypted tunnels to transport payloads to disks, as well as call back to command and control centres, meaning that both parts of the attack are obscured."
So, to sum up the attack process, we leave it to Tom Roberts, senior consultant at Pen Test Partners, who insisted: "If the recognised steps of hacking are Reconnaissance, Scanning, Gaining Access, Maintaining Access and Covering Tracks, then encryption is a tool that can cover the last three."
So, how can enterprises best secure themselves against attackers hiding in encrypted traffic? Kevin Bocek cut straight to the chase and told SC Media: "From today to the future, enterprises must be able to both inspect all of their incoming and outgoing encrypted traffic, and know which digital certificates can be trusted."
Corey Nachreiner, chief technology officer at WatchGuard Technologies, doesn't think that is too difficult at the network level. "You need security appliances that can do HTTPS deep inspection," Nachreiner said, adding: "Many gateway security appliances can decrypt and re-encrypt SSL traffic as it passes through the perimeter."
Chris Hodson, EMEA CISO at Zscaler, plays devil's advocate and points out that "decrypting traffic has a significant time, performance and cost impact and in some areas is simply not possible because the necessary cryptographic keys aren't available". And Amichai Shulman, CTO and co-founder of Imperva, reminds us that "as BYOD takes a bigger chunk of enterprise devices, this (web gateway appliances) is less likely to work."
Then of course there are certificates and ciphers to consider. "Enterprises should check their certificates and ensure they are using the most up to date ciphers," insists Adam Brown, manager of security solutions at Synopsys. He added: "SSL is no longer considered secure and organisations should use TLS 1.2."
Not everyone agrees. Craig Young, security researcher at Tripwire, points to a recent paper published by a team of researchers and industry experts which estimated that only five to 10 percent of HTTPS internet connections worldwide are likely being intercepted for security inspection. If that wasn't bad enough, Young warns, "this study also found that most of the TLS interception products they evaluated have a terrible effect on security by removing safeguards such as strong encryption and certificate validation while also introducing vulnerabilities due to poorly designed custom TLS stacks."
It's not all bad news though, as enterprises still can see what domains and IP addresses the traffic is going to and from.
"That is one of the reasons it is so valuable to log DNS and web proxy traffic," Tim Helming, director of product management at DomainTools, said. "By enriching data about domains and IPs, security teams can build maps of threat infrastructure."
And blocking traffic to a malicious IP or domain is effective whether or not the traffic is encrypted.
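The two points above, that DNS and proxy logs remain visible even when the payload is encrypted, and that enriching them lets a team map shared infrastructure, can be put together in a few dozen lines. The following is an added example (not code from the article or from DomainTools) that matches constructed DNS-resolver and proxy CONNECT log lines against a blocklist of domains and IP ranges, then pivots on resolved IPs so that any further name sharing an address with a blocked domain is surfaced. The log formats, the blocklist entries and every name and address are constructed for the example.

```python
"""Match DNS and proxy logs against a blocklist and pivot on shared IPs.

Added example.  Log formats and all names/addresses are constructed:
  DNS lines:   "<ts> dns <client_ip> <queried_name> -> <answer_ip>"
  Proxy lines: "<ts> proxy <client_ip> CONNECT <host>:<port> <dest_ip>"
"""
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log: two names under a blocked zone share an address
# with an unrelated-looking third name.
DNS_LOG = """\
2024-01-15T10:00:00 dns 10.0.0.5 updates.example.com -> 93.184.216.34
2024-01-15T10:00:02 dns 10.0.0.5 cdn-sync.bad-example.net -> 198.51.100.23
2024-01-15T10:00:05 dns 10.0.0.9 portal.bad-example.net -> 198.51.100.23
2024-01-15T10:00:07 dns 10.0.0.9 files.third-example.org -> 203.0.113.200
2024-01-15T10:00:09 dns 10.0.0.12 static.other-example.org -> 198.51.100.23
"""

# Constructed proxy log: the HTTPS payload is opaque, but host and IP are not.
PROXY_LOG = """\
2024-01-15T10:00:03 proxy 10.0.0.5 CONNECT cdn-sync.bad-example.net:443 198.51.100.23
2024-01-15T10:00:08 proxy 10.0.0.9 CONNECT files.third-example.org:443 203.0.113.200
2024-01-15T10:00:10 proxy 10.0.0.12 CONNECT static.other-example.org:443 198.51.100.23
"""

# Constructed blocklist: a zone (matches itself and any subdomain) and a CIDR.
BLOCKED_DOMAINS = {"bad-example.net"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<client>\S+) (?P<name>\S+) -> (?P<ip>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) proxy (?P<client>\S+) CONNECT (?P<host>[^:\s]+):\d+ (?P<ip>\S+)$"
)


def domain_blocked(name):
    """True if `name` or any parent zone of it is on the domain blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(ip):
    """True if `ip` falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def parse_events(dns_lines, proxy_lines):
    """Normalise both log sources to (source, ts, client, name, ip) tuples."""
    events = []
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if m:
            events.append(("dns", m["ts"], m["client"], m["name"], m["ip"]))
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if m:
            events.append(("proxy", m["ts"], m["client"], m["host"], m["ip"]))
    return events


def analyse(dns_lines, proxy_lines):
    """Return (hits, pivots).

    hits:   one record per event that matched the blocklist, with the reason.
    pivots: {ip: [names]} for IPs that a blocked domain resolved to, listing
            the other, not-yet-blocked names seen on the same address.
    """
    infra = defaultdict(set)   # ip -> every name observed resolving/connecting to it
    hits = []
    for source, ts, client, name, ip in parse_events(dns_lines, proxy_lines):
        infra[ip].add(name.lower())
        reasons = []
        if domain_blocked(name):
            reasons.append("domain")
        if ip_blocked(ip):
            reasons.append("ip")
        if reasons:
            hits.append({"ts": ts, "source": source, "client": client,
                         "name": name, "ip": ip, "reason": "+".join(reasons)})

    pivots = {}
    for ip, names in infra.items():
        if any(domain_blocked(n) for n in names):
            related = sorted(n for n in names if not domain_blocked(n))
            if related:
                pivots[ip] = related
    return hits, pivots


if __name__ == "__main__":
    hits, pivots = analyse(DNS_LOG.splitlines(), PROXY_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['source']:5} {h['client']:10} -> {h['name']} ({h['ip']}) [{h['reason']}]")
    for ip, names in pivots.items():
        print(f"pivot on {ip}: also seen for {', '.join(names)}")
```

The pivot list is a lead for an analyst rather than a verdict: shared hosting legitimately puts unrelated names on one address, so a name surfaced this way is a candidate for enrichment, not an automatic block.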