When it comes to IT security, many Australian organisations understand the role played by encryption. By encrypting data, both at rest and in transit, it’s possible to protect sensitive materials from prying eyes.
The significant benefits offered by encryption are resulting in it gaining broad adoption. According to the Google Transparency Report[1], 95% of internet traffic is Hypertext Transfer Protocol Secure (HTTPS) which involves the use of an encapsulating encryption protocol – typically Transport Layer Security (TLS).
SSL/TLS encryption
TLS is an encryption technology that establishes a trusted connection between a web server and a client, and can be thought of as a tunnel with traffic flowing through it. Only the server and client can see the traffic inside the tunnel because those devices have what’s known as a shared session key.
An adversary who tries to intercept HTTPS traffic will be unable to view the content of that traffic because they don’t have the session key. In this way, strong security is maintained.
TLS can encrypt a wide range of protocols and is used for traffic that traverses both the public internet and enterprise networks. One example is lightweight directory access protocol, or LDAP, which is an authentication protocol that shuttles user credentials between a Windows domain controller and network devices. Some organisations even implement LDAPS, which is LDAP traffic secured within a TLS connection.
AD and Kerberos encryption
In Microsoft Active Directory (AD) environments, Kerberos and NTLM are protocols that provide user validation and authentication mechanisms. Kerberos implements its own encryption mechanism, and both NTLM and Kerberos can be configured to leverage TLS as a means of ensuring the security of data as it traverses the network.
Without these protocols, user credentials and authentication tickets sent across the network are vulnerable to attack. AD services rely on these protocols to authenticate and authorise users, which means that most connections between AD-joined clients and servers should be encrypted.
The role of decryption in security
While encryption is clearly important when it comes to improving network security, decryption also has a role to play.
This becomes clear when you consider things from the perspective of a potential adversary, whose goals are to compromise targets and move laterally across a network while avoiding detection.
By encrypting their connections to victims, they can hide their malicious activity from a variety of technologies such as firewalls, intrusion detection systems (IDS), and proxy devices. Furthermore, adversaries often work with applications and tools already available on their victims’ machines, using established encryption technologies.
Due to the use of encryption in this way, a target organisation can find itself blind to a range of attacks, including:
- Vulnerability exploits: These include attacks such as SQLi, XSS, and CVE. These types of attacks often rely on malicious HTTP payloads or headers, which can be concealed within an encrypted connection.
- Command-and-control traffic: A compromised device could communicate with an external attacker-controlled server through an encrypted connection. This type of malicious traffic may contain exfiltrated data, malware, or malicious commands.
- Database attacks: Cybercriminals who launch attacks on databases can hide their malicious database queries within encrypted communications.
- Stolen or forged Kerberos tickets: Adversaries who have obtained stolen administrative credentials can forge Kerberos tickets which serve as authorisation mechanisms within the AD environment.
- Living-off-the-land attacks: Once inside an organisation’s IT infrastructure, an adversary can use the same tools that Windows administrators use to make changes to devices.
For these reasons, effective analysis of network traffic requires the ability to decrypt it. Decryption also allows security teams to collect forensic evidence that can help with investigations.
The best way to achieve this is by deploying a Network Detection and Response (NDR) platform. NDR provides visibility into database traffic and the encrypted portion of Kerberos, MS-RPC, and other Microsoft protocols.
Without the decryption capabilities that an NDR platform provides, adversaries have a significant advantage over IT security teams. Putting such a platform in place does much to level the playing field.
[1] https://transparencyreport.google.com/https/overview?hl=en
