Cyberthreats are constantly evolving and, as technology advances, so do the tactics used by cybercriminals. As cybercriminals target browsers, protocols, and applications, it is crucial for businesses to have proper encryption. And as websites and apps more widely adopt Transport Layer Security (TLS) to secure their traffic, cybercriminals are now making it a priority to leverage TLS to obfuscate the contents of malicious communication.
Encryption provides privacy, not security
TLS is the encryption standard used on the internet today. It is designed to provide confidentiality and authenticity by encrypting the communication between two parties and verifying that the server is who it claims to be, based on its certificate and who issued it.
However, while TLS provides privacy, it does not provide any security or assurance of the content. Businesses can have a perfectly valid encrypted and ‘secure’ connection to a site that actually hosts malicious content. That is why it is critical to inspect encrypted traffic.
Encryption is one of the strongest weapons that malware authors can leverage. As mentioned, cybercriminals can take advantage of encryption to obfuscate their code. They can also leverage it to prevent users (in the case of ransomware) from being able to access their files, and to secure their malicious network communication. In fact, encrypted traffic is a huge security risk because it renders firewalls blind to what is flowing through the network, preventing them from identifying and blocking malicious content.
Out of all the malware that has made some kind of network connection, our research found that nearly a quarter (23 per cent) of malware families use encrypted communication. Unfortunately, most organisations have firewalls that lack scalable decryption capabilities, and are unable to inspect encrypted traffic without causing applications to break or degrade network performance. These threats are also overlooked by security teams due to the performance and complexity concerns.
Fighting chaos in encrypted data
It might seem to be a given that all businesses would inspect encrypted traffic. However, it is reported that while 82 per cent of global companies surveyed agree that decryption inspection is necessary, only 3.5 per cent of them are decrypting their traffic to properly inspect it. Businesses are not decrypting their network traffic for several reasons, including concerns about firewall performance, lack of proper policy controls, and poor user experience.
The reality is that most organisations need to carefully balance performance, privacy, and security. It remains a necessity for companies to employ network security systems that can provide critical visibility to this blind spot while eliminating frustrating latency and compatibility issues.
Moreover, TLS is a complex protocol with different certificates needing to be exchanged. There are several TLS versions and many applications and web services that do things differently. This presents enormous challenges for any security solution that attempts to inject itself into this process for the purpose of inspecting and securing the content that is exchanged.
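To make the inspection problem concrete: the one part of a TLS connection that a network security product can read without decrypting anything is the ClientHello, which carries the requested server name (SNI) and the TLS versions the client offers. The following is an added example, not code from the original article or from Sophos. It builds a constructed ClientHello record and then parses it the way an inspection device must before it can decide which connections to decrypt or block; the parser rejects truncated records rather than guessing, which is the kind of robustness any component sitting in the TLS path needs.

```python
import struct

SNI_EXT = 0x0000              # server_name extension type (RFC 6066)
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions extension type (RFC 8446)


def build_client_hello(hostname, versions=(0x0304, 0x0303), cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal TLS ClientHello record (test input, not a real capture)."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_body = bytes([len(vers)]) + vers
    ext_sv = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv_body)) + sv_body
    exts = ext_sni + ext_sv
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32           # legacy_version + random
            + b"\x00"                                          # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data):
    """Return the first host_name entry from a server_name extension body."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= 2 + list_len:
        name_type = data[pos]
        nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if name_type == 0:
            return name.decode("ascii", errors="replace")
    return None


def parse_client_hello(record):
    """Extract SNI, offered versions and cipher suites from a raw TLS record.

    Raises ValueError on anything that is not a complete ClientHello, so a
    caller never acts on a half-read handshake.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip random
    pos += 1 + body[pos]                            # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    result = {"legacy_version": legacy_version, "cipher_suites": suites,
              "sni": None, "supported_versions": []}
    if pos + 2 > len(body):
        return result                               # no extensions at all (old clients)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == SNI_EXT:
            result["sni"] = _parse_sni(data)
        elif etype == SUPPORTED_VERSIONS_EXT:
            n = data[0]
            result["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                            for i in range(1, 1 + n, 2)]
    return result


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(parse_client_hello(hello))
```

The SNI is what lets an inspection policy say "decrypt traffic to unknown names, but leave banking and healthcare sites alone" without touching the encrypted payload; the version and cipher lists are what tell the device whether its own TLS stack can even complete the handshake on the client's behalf, which is where many of the compatibility breakages the article mentions come from.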
TLS is here to stay
As cyberthreats continue to evolve, no industry is safe from cyberattacks, and the volume of attacks continues to grow year after year. Most recently, the FBI revealed that criminals have netted US$3.5 billion from cybercrimes based on reports they received in 2019.
As we approach 100 per cent network traffic encryption, we are expecting the cost of cybercrime to only increase in the future. At the same time, hackers will continue to exploit encryption in their cyberattacks.
To minimise the security risk from encrypted network traffic, you should:
- Inspect network traffic and check the TLS certificate details of https communications;
- Pay significant attention to unusual or unexpected volumes of https traffic to unknown domains, or traffic using invalid or forged TLS certificates – this is crucial especially during financial transactions or when personal or sensitive information is being entered into browsers;
- Invest in a network security product that can perform the different kinds of TLS communication inspections and can communicate and coordinate with your anti-virus product, VPN, firewalls, and/or your IDS/IPS to halt suspicious or known malicious network communications.
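The first two recommendations above can be turned into a small piece of detection logic. What follows is an added example written for this page, not code from the article or from Sophos. It runs over a constructed log of outbound HTTPS connections (timestamp, source host, destination name taken from the SNI, the result of the certificate check, the certificate issuer, bytes transferred) and raises a finding for any certificate that did not validate, and for unknown domains that receive either a large volume of data or repeated connections. The allowlist, thresholds and the log format are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log, one outbound HTTPS connection per line (not real traffic).
# Fields: timestamp  source_host  destination(SNI)  cert_status  cert_issuer  bytes
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-17 updates.example.com ok Example-Root-CA 4096
2024-05-01T10:00:03Z ws-17 mail.example.com ok Example-Root-CA 18322
2024-05-01T10:00:09Z ws-22 cdn.example.net ok Public-CA-1 250000
2024-05-01T10:01:15Z ws-22 7f3a1c.example-dynamic.test self_signed 7f3a1c.example-dynamic.test 120
2024-05-01T10:01:16Z ws-22 7f3a1c.example-dynamic.test self_signed 7f3a1c.example-dynamic.test 131
2024-05-01T10:01:17Z ws-22 7f3a1c.example-dynamic.test self_signed 7f3a1c.example-dynamic.test 128
2024-05-01T10:02:40Z ws-09 files.example-share.test ok Public-CA-1 900000000
2024-05-01T10:03:01Z ws-09 bank.example.com hostname_mismatch Public-CA-1 2048
"""

# Assumed allowlist of registrable domains the organisation expects to talk to.
KNOWN_DOMAINS = {"example.com", "example.net"}
VOLUME_THRESHOLD = 100_000_000   # bytes to a single unknown destination before we flag it
CONNECTION_THRESHOLD = 3         # repeated connections to one unknown destination


def parse_line(line):
    """Split one log line into a record; reject malformed lines instead of guessing."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    ts, src, dst, cert_status, issuer, nbytes = parts
    return {"ts": ts, "src": src, "dst": dst, "cert_status": cert_status,
            "issuer": issuer, "bytes": int(nbytes)}


def registrable_domain(host):
    """Crude last-two-labels heuristic; a real deployment would use a public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyse(log_text, known=KNOWN_DOMAINS, volume_threshold=VOLUME_THRESHOLD,
            connection_threshold=CONNECTION_THRESHOLD):
    """Aggregate per (source, destination) and emit findings for the checks above."""
    per_pair = defaultdict(lambda: {"connections": 0, "bytes": 0, "bad_cert": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        agg = per_pair[(rec["src"], rec["dst"])]
        agg["connections"] += 1
        agg["bytes"] += rec["bytes"]
        if rec["cert_status"] != "ok":
            agg["bad_cert"].add(rec["cert_status"])

    findings = []
    for (src, dst), agg in per_pair.items():
        # Any failed certificate check is reported regardless of destination: a
        # mismatched or self-signed certificate on a banking site is the case the
        # article singles out.
        if agg["bad_cert"]:
            findings.append({"src": src, "dst": dst, "reason": "invalid_certificate",
                             "detail": ",".join(sorted(agg["bad_cert"]))})
        if registrable_domain(dst) not in known:
            if agg["bytes"] >= volume_threshold:
                findings.append({"src": src, "dst": dst, "reason": "unknown_domain_volume",
                                 "detail": f"{agg['bytes']} bytes"})
            if agg["connections"] >= connection_threshold:
                findings.append({"src": src, "dst": dst, "reason": "unknown_domain_repeated",
                                 "detail": f"{agg['connections']} connections"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['reason']} ({f['detail']})")
```

On the sample log this produces four findings: the self-signed certificate and the repeated connections from ws-22 to the unknown dynamic host, the 900 MB transfer from ws-09 to an unknown file-sharing domain, and the hostname mismatch on ws-09's connection to the bank. The certificate status column is the output of whatever product performs the TLS inspection; the point of the script is that once that visibility exists, the remaining checks are ordinary log analytics.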
Sophos: Nearly a quarter of malware now communicates using TLS