Decrypt your network traffic, improve your security

Most traffic traversing the internet today is encrypted, to protect any sensitive business or personal information it might be carrying. Google estimates 95 percent of website traffic is encrypted using Hypertext Transfer Protocol Secure (HTTPS), and most industry analysts estimate 80-90 percent of all internet traffic is encrypted.

This very high level of encryption does much to ensure consumer privacy and protect organisations, but it is a two-edged sword. Just as it protects legitimate data from prying eyes, so too it protects malicious data from scrutiny by IT security tools, and cybercriminals have been quick to adopt encryption to hide the data that enables their nefarious activities.

A July 2021 cybersecurity advisory issued jointly by the FBI, the US Government’s Cybersecurity & Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC) found encrypted protocols were used to mask lateral movement and other advanced tactics in 60 percent of attacks against the 30 most exploited network vulnerabilities. In other words, organisations are blind to 60 percent of CISA’s most exploited vulnerabilities.

Security researchers have also found sophisticated emerging attack techniques that rely on the most commonly abused Microsoft protocols, such as SMBv3, Active Directory Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP and WinRM, in addition to TLS 1.3, and that line-rate decryption can reveal.

Encryption has been used in some of the biggest recent cyber attacks, including Sunburst, Kaseya and ProxyLogon. Encrypted ransomware is also wreaking havoc in organisations unable to detect such traffic in their east-west traffic corridor.

The extent to which bad actors are leveraging encryption has precipitated surging demand for new ways to detect threats in encrypted traffic. It is possible to analyse encrypted traffic for malware, but this method is not foolproof. Decryption can be used to detect activity resulting from a compromise, including ransomware campaigns that exploit PrintNightmare, a critical vulnerability in the Windows print spooler.

Organisations have been cautious about embracing decryption, fearing it could compromise data privacy and security, impact performance and incur high compute costs. However, there are ways to decrypt traffic and avoid these consequences. Let’s examine some of the common misconceptions around decryption.

Myth 1: Decryption Weakens Security

Truth: There are two main kinds of decryption: out-of-band and in-line. Out-of-band decryption sends de-identified and tokenised data to the cloud for machine learning. No cleartext data is ever sent across the network, so full security is maintained.

In-line decryption, also known as SSL interception or man-in-the-middle (MitM), is an older approach and can be compromised. Attackers can perform downgrade attacks, re-encrypting messages using weaker cipher suites. And organisations can face complications with certificate management.

Myth 2: Decryption Violates Privacy Laws & Compliance Standards

Truth: Decrypting enterprise network traffic does not violate privacy regulations or laws. However, to avoid violating compliance frameworks such as GDPR, PCI DSS and HIPAA, decryption capabilities cannot be configured on sensitive subnets. Organisations must take care to avoid recording data that is subject to these frameworks and ensure only authorised users have access to packet-level data covered by these frameworks.

Myth 3: Encrypted Traffic Cannot Be Accessed by Attackers

Truth: Deprecated encryption protocols such as SSL and TLS 1.0 and 1.1 may leave traffic vulnerable to sniffing and decryption by sophisticated attackers.

Myth 4: Encrypted Traffic Provides No Benefit to Attackers

Truth: While most companies use encryption to ensure the privacy of their data, cybercriminals have also become adept at using the same technology to cover their tracks. However, their use of encryption can be countered.

Ultimately, decryption enables the early detection of an attack by revealing the malicious payload, and it reduces response times because it provides valuable context that supports rapid detection, scoping, investigation and remediation of threats.

The bottom line is to inspect all your traffic at scale without negatively impacting the performance of your systems or creating a compliance nightmare. You’ll then be able to provide consistent security for all users and locations to ensure everyone has the same level of security all the time, whether they are at home, in the office or on the go.

Rohan Langdon
Rohan Langdon is Vice President, Australia and New Zealand at ExtraHop.