Decrypt SSL traffic to detect hidden threats

The percentage of encrypted Internet traffic continues to grow, creating a space where not only private information but also criminals can travel about undetected.

In the last five years, the move to SSL by major companies like Google, YouTube, and Twitter has spawned an expansive movement toward encrypting Internet traffic for enterprises as well.

The risk in taking this security measure, though, is that while the exchange of information via the Internet is secured, bad guys can also linger unnoticed. Criminals, of course, know this and use it to their advantage, cloaking their attacks within Transport Layer Security (TLS) or Secure Sockets Layer (SSL) traffic.

Ryan Olson, director of the Unit 42 threat intelligence team at Palo Alto Networks, said the concern for security professionals is that the firewall can’t inspect the traffic. The bad guys know this, which leaves many companies trying to figure out what traffic to decrypt and how to go about decrypting it.

Olson said, “The answer is not that simple. If a company decrypts everything, users are uncomfortable.” In order to secure the environment without compromising privacy, they need another layer, which means deciding from a policy perspective what they are going to decrypt and why.

“In some organizations, emails might be a threat vector, so a company might choose to decrypt that traffic, but the answer is going to differ for each company because they need to consider things from a cultural perspective as well.”

When traffic is encrypted, said Olson, it becomes this opaque glob of data. “Without being able to inspect, a criminal is hidden from those who are surveilling traffic as it would be from anyone else. You’re blind because you have no idea of what is contained inside.”

Because security teams can’t look inside the encrypted traffic, they don’t know whether it is data going out or coming in. In order to mitigate threats, security teams need to be able to see into the encrypted traffic.

Olson said, “An SSL connection occurs from browser to server. A signed certificate says ‘ok’, there’s an exchange of keys, and they encrypt all traffic from one end to the other.” The problem isn’t so much at either end, though, as it is right smack dab in the middle.

“Add a new certificate so that we can decrypt, which is only possible in a corporate environment,” said Olson. “For a security vendor to step into that traffic, they need to terminate traffic at two points. For example, a user browser reaches out to Google, a firewall captures the traffic and terminates the connection. We decrypt, inspect, re-encrypt, and then make a connection up to Google.”

In doing this, the company is still in control of the infrastructure they put in place. Olson said, “You can find a balance. Encrypt the traffic that doesn’t have a large impact on privacy. It’s a hot button topic, especially for enterprises because at the end of the day, it’s their network, their data, their computer. They are in a position to say they are allowed to surveil that data.” 

Finding the balance means gaining some visibility into the network by determining how much traffic is SSL encrypted and therefore cannot be inspected. “Everybody should ask how much traffic they want encrypted about their network. Have a conversation with users and talk about the value of SSL encryption and how they can do it without compromising privacy,” said Olson.

In a recent webinar from A10 and Infonetics Research, “Putting a Stop To Hidden Threats in SSL Traffic,” Kasey Cross, security evangelist at A10 Networks, said, “Your organization could be infected right now and you may not even be aware of it.”

Some security professionals think that they can detect threats by decrypting traffic on their firewall, but Cross said, “You really need to take into account your entire ecosystem and the fact that all of those products need to look at SSL traffic. You need to come up with a way to provide that SSL visibility to all of these products.”

The entire security ecosystem, from DDoS prevention to SIEM or data loss prevention tools, needs to look at traffic, including encrypted traffic, said Cross. The trick is finding a way to provide that visibility efficiently, “because you don’t want to decrypt the traffic at every point or you are going to suffer really bad performance.”

Günter Ollmann, chief security officer at Vectra, said, “The ability to inspect traffic is very helpful in being able to recognize loss and greatly reduce threats at the network level, but the security threats of SSL traffic are no different from any other major threats.”

While encryption does make it more difficult to detect or identify threats, Ollmann said, “If adequate logging is turned on, that logging will provide an evidence trail of the threats and activities that occurred during the attack. The SSL piece is again a metadata artifact, but the post attack investigation would focus on the logs themselves.”

Man-in-the-middle decryption offers an additional level of visibility, but Ollmann said, “Network monitoring and forensics is playing and will continue to play a larger part in identifying and mitigating these threats.”

While security professionals can’t see the communication itself or the data in transit, other attributes they can still observe, such as the timing, frequency, and duration of connections, can be used at the network level to detect threats.
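A defender-side illustration of that metadata approach, added here as an example that is not from the article or from any vendor it quotes: constructed TLS flow records are scored on how regular the connection timing is and how uniform the upload sizes are, the kind of features that expose malware beaconing without decrypting a single payload. The record fields (src, dst, start, duration, bytes_out) are an assumed shape modelled on firewall or NetFlow connection logs.

```python
"""Beaconing detection over encrypted-flow metadata (timing, frequency, duration).

Added example; the flow records below are constructed, not real captures.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts one external server every ~60 s with
# a small, fixed-size upload; 10.0.0.9 browses irregularly with varied sizes.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7:443", "start": 60 * i + (i % 2),
     "duration": 0.4, "bytes_out": 512}
    for i in range(12)
] + [
    {"src": "10.0.0.9", "dst": "198.51.100.2:443", "start": s, "duration": d, "bytes_out": b}
    for s, d, b in [(3, 2.1, 4000), (41, 12.5, 90000), (300, 0.9, 1500),
                    (333, 7.3, 22000), (912, 3.0, 7000), (1500, 1.2, 3000)]
]


def score_pairs(flows, min_flows=6):
    """Per (src, dst) pair: interval regularity, mean duration, upload-size spread."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    results = {}
    for pair, fl in by_pair.items():
        if len(fl) < min_flows:          # too few connections to judge a rhythm
            continue
        fl.sort(key=lambda f: f["start"])
        gaps = [b["start"] - a["start"] for a, b in zip(fl, fl[1:])]
        sizes = [f["bytes_out"] for f in fl]
        results[pair] = {
            "count": len(fl),
            "mean_interval": mean(gaps),
            # coefficient of variation of the gaps: ~0 means a fixed schedule
            "jitter": pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf"),
            "mean_duration": mean(f["duration"] for f in fl),
            "bytes_cv": pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else float("inf"),
        }
    return results


def suspicious_pairs(flows, max_jitter=0.1, max_bytes_cv=0.2):
    """Flag pairs that connect on a near-fixed schedule with near-constant upload size."""
    return sorted(pair for pair, s in score_pairs(flows).items()
                  if s["jitter"] <= max_jitter and s["bytes_cv"] <= max_bytes_cv)


if __name__ == "__main__":
    for pair, s in score_pairs(FLOWS).items():
        print(pair, s)
    print("flagged:", suspicious_pairs(FLOWS))
```

Thresholds are illustrative; in practice they are tuned against a baseline of known-good traffic, and legitimate schedulers (update checks, telemetry) will need an allow list.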

There are virtually no performance hits to encrypting traffic, said Ollmann, but there are many business benefits. 

“I think if I’m the CSO or the head of IT for an organization, I would be working on the assumption that at some point all of my traffic will be encrypted,” Ollmann said. 

Right now enterprises have three options for dealing with hidden threats in SSL, Ollmann continued: block encrypted traffic altogether, terminate SSL with a man-in-the-middle device to inspect the traffic, or install a number of software agents on the computer itself.

Ollmann said, “Those technologies operating on the computer itself are seeing traffic before it’s being encrypted, so that the encryption no longer matters.” The problem with this option is that in a malware attack, the first thing the malware does is turn those agents off.

Placing the emphasis on protecting endpoints in order to mitigate encryption threats is a problem, said Ollmann, “because all of those agents assume processing power and slow down machines. With BYOD there are so many devices and operating systems that the breadth of devices that need to be protected is growing at a faster rate than vendors have the ability to provide software that is capable of protecting them.”

It’s a constant battle with a real live enemy on the other side. In order to build the best defense, Ollmann said, “They should look in their environment and assume they will no longer have visibility into the data layer of their network traffic.”


Stories by Kacy Zurkus
