While the use of HTTPS encryption is on the rise, the same is unfortunately true of attackers using it to mask their operations, according to a new report.
In fact, there has been a 30 percent rise in SSL-encrypted advanced threats in just the last six months, according to Zscaler ThreatLabZ's bi-annual Secure Sockets Layer (SSL) trends report.
The company claims that an average of 800,000 SSL-encrypted transactions per day are currently being blocked, compared to 600,000 threats daily in the first half of 2017. HTTPS and SSL encryption have been widely encouraged by big internet players, notably Google (which announced today that it is listing HTTP sites as not secure), as a means to make the internet in general a more secure place. The search giant has for some time given preference in search results to websites that default to SSL, which has also galvanised adoption.
According to Google's Transparency Report, the percentage of pages loaded over HTTPS in Chrome in the US was nearly 80 percent in December, while on 1 December, 2017, Mozilla reported that 66.5 percent of all pages loaded on Firefox were using HTTPS.
“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack. Yet, SSL inspection can cause significant performance degradation on security appliances. A multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure”, noted Deepen Desai, senior director, security research, Zscaler, in a blogpost.
The company also noted a 300 percent increase in phishing attacks delivered over SSL in 2017, which followed two major strategies: either compromising a legitimate SSL-protected domain to host malware, or leveraging a newly registered domain with a similar but incorrect address mimicking a well-known brand such as DocuSign, Microsoft, Apple or Dropbox. The distribution of the types of malicious payloads remained consistent with the first half of 2017: 60 percent were banking Trojan families, including Dridex, Emotet, Trickbot and Zbot; 25 percent were ransomware families; 12 percent were infostealer Trojan families, including Fareit and Papras; and the remaining 3 percent were smaller families.
Mark Kedgley, CTO of NNT, told SC Media UK: “It's a significant jump for encryption exploits and it should make everyone revise their confidence in intelligent perimeter defences; they simply aren't going to be as effective as they may have been in the past. It also shows why layered foundational security controls will always be essential, with change control and system integrity at the core”.
The researchers also dug deeper into the types of SSL certificates involved in malicious activity, and found that while the majority were legitimate domains that had been compromised, there were also cases where free, short-lived certificates were leveraged by bad actors. A sample of more than 2,800 domain validated (DV), organisation validated (OV) and extended validation (EV) certificates issued in November and December showed that DV certificates are the most frequently abused, being used in 74 percent of the cases in which SSL content was blocked.
Of the certificates inspected, 55 percent had a validity period of less than 12 months, with 35 percent of those having a validity period of three months or less.
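The certificate findings above (DV validation, validity periods of three months or less, and newly registered lookalike domains mimicking well-known brands) describe a pattern a defender can score for. The following Python is an added example and is not code from the report, from Zscaler or from SC Media: it takes certificate metadata as an already-parsed dictionary and returns the abuse indicators present. The CA/Browser Forum policy OIDs used to recognise DV/OV/IV/EV are real; the sample certificates and hostnames are constructed, and the homoglyph table, brand list and edit-distance thresholds are heuristic assumptions for illustration.

```python
"""Score TLS certificate metadata for the abuse pattern described in the
report: DV-validated, short-lived certificates on brand-lookalike domains.

Added example. Certificate fields arrive as a plain dict (as a parser would
produce); the samples at the bottom are constructed, not observed data.
"""
from datetime import datetime

# CA/Browser Forum certificate-policy OIDs that identify the validation level.
POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}

# Brands named in the report; an assumption that a deployment would extend.
BRANDS = ("docusign", "microsoft", "apple", "dropbox")

# Heuristic character substitutions common in lookalike labels (assumption).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))

SHORT_LIVED_DAYS = 90  # "three months or less" in the report


def fold_homoglyphs(label):
    """Normalise a DNS label so visually similar spellings compare equal."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance with a single rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(hostname):
    """Return the brand a hostname imitates, or None.

    The registrable label (the one before the TLD) is folded and compared
    with each brand; an exact, unfolded match is the genuine brand and is
    not reported. Brand names embedded in deeper labels are reported too.
    """
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    folded = fold_homoglyphs(registrable)
    for brand in BRANDS:
        if registrable == brand:
            return None  # e.g. the genuine apple.com
        threshold = 1 if len(brand) < 6 else 2  # assumption: tolerate 1-2 edits
        if brand in folded or levenshtein(folded, brand) <= threshold:
            return brand
    for label in labels[:-2]:
        for brand in BRANDS:
            if brand in fold_homoglyphs(label):
                return brand
    return None


def validation_level(policy_oids):
    """Map certificate-policy OIDs to the strongest validation level present."""
    levels = {POLICY_OIDS[o] for o in policy_oids if o in POLICY_OIDS}
    for level in ("EV", "OV", "IV", "DV"):
        if level in levels:
            return level
    return "unknown"


def assess(cert):
    """Return validation level, validity in days and the indicators found."""
    level = validation_level(cert["policy_oids"])
    days = (cert["not_after"] - cert["not_before"]).days
    indicators = []
    if level == "DV":
        indicators.append("dv-validated")
    if days <= SHORT_LIVED_DAYS:
        indicators.append(f"short-lived ({days} days)")
    for name in {cert["subject_cn"], *cert["sans"]}:
        brand = lookalike_brand(name)
        if brand:
            indicators.append(f"lookalike:{brand}:{name}")
    return {"level": level, "validity_days": days, "indicators": sorted(indicators)}


# Constructed samples: one matching the reported abuse pattern, one benign.
SAMPLE_CERTS = [
    {"subject_cn": "secure-rnicrosoft-login.example",
     "sans": ["secure-rnicrosoft-login.example", "www.secure-rnicrosoft-login.example"],
     "policy_oids": ["2.23.140.1.2.1"],
     "not_before": datetime(2017, 11, 1), "not_after": datetime(2018, 1, 30)},
    {"subject_cn": "www.example.org", "sans": ["www.example.org"],
     "policy_oids": ["2.23.140.1.2.2"],
     "not_before": datetime(2017, 1, 1), "not_after": datetime(2019, 1, 1)},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["subject_cn"], assess(cert))
```

None of these indicators is proof of abuse on its own: short-lived DV certificates are exactly what legitimate sites obtain from free CAs, which is the point the report makes. The value is in the combination, which is why `assess` returns the full list for a downstream rule or analyst to weigh rather than a verdict.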
Tim Bandos, Director of Cyber-security at Digital Guardian, told SC Media UK: “SSL encryption is a staple of the internet. The volume of data for malware to hide itself in is increasing, and payoffs are becoming simpler to achieve and more lucrative, so it's not surprising to see this spike in encrypted attacks.
“There has been a significant rise in the offering of free or low-cost SSL certificates to encourage a more widespread adoption of data encryption, which has unfortunately allowed cybercriminals to leverage it for nefarious purposes. The best strategy for defence against such attacks is a multi-layered one. Any solution must sit inline, so it can react automatically and in real-time, must pass decrypted traffic through security tools such as forensics devices and network gateways for immediate inspection and be capable of processing large volumes of traffic quickly. It's important to remember that simply decrypting the traffic may not immediately uncover any malware or sensitive data contained within, and will undoubtedly also require a set of ‘eyes-on-glass’ to analyse and interpret any suspicious or anomalous activity for further verification.”