SSL Encrypted Traffic – A Growing Threat


Security is rapidly changing. Not only are organizations under pressure to deliver outstanding business solutions, but IT admins must also ensure that employees and their data are protected on all fronts. In the era of BYOD, the Internet of Things and application overload, admins are facing security threats that were not an issue 10, five, or even two years ago.

Over the last few years, there has been a lot of talk about using SSL to hide attacks, but only recently have we started seeing these attacks in the wild. Attacks encrypted by SSL pose risks to organizations of all sizes; no one is exempt. According to NSS Labs, about one third of the traffic coming into corporate networks today is SSL encrypted, though in some verticals it can be as high as 70 percent.

As organizations continue to struggle with SSL encrypted traffic and the need to decrypt it, it is essential to consider the following:
SSL in itself is not the only threat
The recent Heartbleed vulnerability identified in the OpenSSL implementation has shaken the confidence of the online world. It is widely believed that this incident will lead to scrutiny of different encryption implementations by the research world, resulting in more secure SSL. A case in point is the set of more recent vulnerabilities identified and patched by the OpenSSL project in June 2014. While we continue to rely on the research community to stabilize the foundation of SSL, the data encrypted using SSL can also pose a threat to organizations of all sizes. Until recently, SSL encrypted attacks were not something that could be detected and blocked within a single appliance – rather, organizations were forced to install a separate box to decrypt SSL, adding cost and complexity. Because of this, SSL traffic is often ignored, allowing attackers to sneak past network defenses without worry.
Cyber criminals use SSL to disguise malware call-backs and downloads
SSL can create blind spots that reduce security because network security products may not be able to monitor encrypted traffic effectively. Attackers are clever and capitalize on real-life events with wide media coverage, like the Boston marathon attack, exploiting what people are eager to read about. For example, spam is sent out with an attachment that contains malware; when the user opens the attachment, the malware is installed on the computer. The malware then uses SSL to disguise its ‘call back’ so it can download additional data to be used in the attack. The initial infection is typically a small program that downloads a larger toolkit, which the malware uses to provide the attacker with access. SSL is used to hide that download.
Advanced malware uses SSL to hide command and control traffic
Since most organizations today do not decrypt and inspect SSL traffic, modern cyber criminals have taken advantage and started using SSL encrypted communications as the perfect vector for sending command and control (CnC) traffic to and from compromised systems. Many forms of advanced malware today use SSL to cover their tracks when exfiltrating information from private networks, making discovery much more difficult for information security teams.
Real world throughput is a combination of SSL encrypted traffic and clear text traffic
Most industry analysts look at SSL traffic and clear-text traffic separately, which doesn’t show the complete picture. In most real-world deployments there will never be a time when traffic is 100 percent SSL encrypted or 100 percent clear text. To get an accurate reading of performance, organizations must first measure the amounts of SSL and clear-text traffic on their network, and then apply that ratio to vendor performance claims.
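The two steps above (measure the SSL share, then apply it to vendor claims) worked through in Python, as an added example that is not part of the original post. It assumes port-based classification of flows as SSL (an approximation) and that an appliance processes each byte at the rate claimed for its traffic class, so the mixed rate is the byte-weighted harmonic mean of the two claims rather than a simple weighted average; the flow records are constructed sample data.

```python
"""Blend vendor clear-text and SSL-inspection throughput claims by the SSL
share actually measured on a network.

Assumption: each byte is processed at the rate of its traffic class, so the
effective mixed throughput is the byte-weighted harmonic mean of the claims.
"""

# Constructed sample flow records: (destination port, bytes). Not real data.
SAMPLE_FLOWS = [
    (443, 900_000), (80, 1_200_000), (443, 300_000), (53, 20_000),
    (443, 600_000), (80, 400_000), (8443, 180_000), (25, 100_000),
]

# Assumption: classify SSL/TLS traffic by well-known destination port.
TLS_PORTS = {443, 8443, 465, 993, 995}


def ssl_share(flows):
    """Fraction of total bytes carried on SSL/TLS ports (0.0 to 1.0)."""
    total = sum(nbytes for _, nbytes in flows)
    if total == 0:
        raise ValueError("no traffic observed")
    encrypted = sum(nbytes for port, nbytes in flows if port in TLS_PORTS)
    return encrypted / total


def blended_throughput_gbps(ssl_fraction, clear_gbps, ssl_gbps):
    """Effective throughput when ssl_fraction of bytes needs SSL inspection.

    Time to move one unit of mixed traffic is
        ssl_fraction / ssl_gbps + (1 - ssl_fraction) / clear_gbps,
    and the effective rate is the reciprocal of that time.
    """
    if not 0.0 <= ssl_fraction <= 1.0:
        raise ValueError("ssl_fraction must be between 0 and 1")
    if clear_gbps <= 0 or ssl_gbps <= 0:
        raise ValueError("throughput claims must be positive")
    unit_time = ssl_fraction / ssl_gbps + (1.0 - ssl_fraction) / clear_gbps
    return 1.0 / unit_time


def naive_linear_estimate(ssl_fraction, clear_gbps, ssl_gbps):
    """The tempting weighted average; it overstates capacity, kept for comparison."""
    return ssl_fraction * ssl_gbps + (1.0 - ssl_fraction) * clear_gbps


if __name__ == "__main__":
    share = ssl_share(SAMPLE_FLOWS)
    # Constructed vendor claims: 10 Gbps clear text, 2 Gbps with SSL inspection.
    for frac in (1 / 3, 0.7, share):
        print(f"SSL share {frac:.0%}: blended {blended_throughput_gbps(frac, 10, 2):.2f} Gbps, "
              f"naive {naive_linear_estimate(frac, 10, 2):.2f} Gbps")
```

At the one-third share the post cites, a 10 Gbps / 2 Gbps appliance delivers about 4.3 Gbps, not the 7.3 Gbps a simple weighted average suggests; at 70 percent SSL it drops to about 2.6 Gbps.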

About chainsoff.

Intelligence Media Service, monitors and analyzes extremists’ activities, including but not limited to: the Muslim Brotherhood, Kurdish terrorism, Syrian politics, Jabhet Al-Nusra, Hezbollah, cyber crime, and Taliban activities in Syria. Well known for her deep knowledge of terrorism. Open Source Exploitation expert in the discovery, collection, and assessment of foreign-based publicly available information, also known as Open Source Intelligence (OSINT), HIMNT