Hiding malware in encrypted network traffic is a tactic increasingly employed by bad actors to conceal attacks. By one estimate, 60% of cyberattacks carried out in 2019 would leverage encryption, and that was predicted to increase another 10% in 2020. Having an understanding of how your security solutions can recognize or prevent threats within SSL traffic is therefore extremely important, particularly since many such tools don’t provide that ability. In this blog, we’ll outline the ways in which security solutions can work with encrypted network traffic.
Security Challenges of Encrypted Network Traffic
We all understand one of the goals of encrypting network traffic: to protect the confidentiality and privacy of sensitive data in motion. However, encryption also poses a challenge to most network security products —if these products cannot inspect the payload of connections, they lose their ability to detect and respond to threats.
The Rise of Encrypted Data
The use of encryption on the Internet has risen dramatically, which on the whole is a good thing. For example, the Google Transparency Report shows that the percentage of encrypted web traffic on the Internet has steadily increased, from around 50% in 2014 to between 80% and 90% today, with 96% of the world’s top 100 sites defaulting to HTTPS.
Although the percentage of encrypted traffic on “the inside” — within the networks and data centers of organizations — is lower, initiatives such as zero-trust network architectures will likely increase the number of organizations embracing encryption to secure internal data. Thus, it is important to understand how network security products can deliver visibility and protection in the presence of nearly ubiquitous encrypted traffic.
Encrypting traffic prevents network security products from inspecting payloads. This means that they can neither leverage signatures to detect known threats nor extract objects (like files or documents) before submitting them to an artifact analysis product for deeper analysis. While this changes the effectiveness of network-based products, it does not mean that network security is obsolete. Users still need the complete coverage, the context, and the certainty that only the network can provide. However, users need another solution to obtain this critical perspective on network traffic.
Overcoming the Challenges of Encrypted Network Traffic
NSX Network Detection and Response detects and contains sophisticated threats. It does so by applying unsupervised Machine Learning (ML) to network traffic in order to detect anomalies; by using supervised ML to create classifiers of malicious network activity; and by leveraging the threat intelligence of the VMware Threat Analysis Unit to scan traffic for known malware payloads.
NSX Network Detection and Response employs two methodologies to deal successfully with encrypted communication: decrypting network traffic and analyzing encrypted traffic.
Analyzing Encrypted Traffic
Even when there is no access to decrypted traffic and payloads, NSX Network Detection and Response provides significant protection against malicious activity. To achieve this, it inspects and uses traffic (connection) metadata and leverages the following three detection techniques: anomaly detection, threat intelligence and indicators of compromise, and encrypted traffic analysis. There are many indications of anomalous or malicious activity attackers cannot hide inside an encrypted flow, and NSX Network Detection and Response has the ability to detect them.
Decrypting Network Traffic
Organizations have many reasons to inspect network traffic content, ranging from compliance to policy enforcement and security. For example, organizations may monitor outgoing data to detect the presence of sensitive information, ensure that employees only visit acceptable websites from their work computers, and understand if a compromised host connects to command and control (C&C) sites. To meet these objectives, many organizations have deployed instrumentation points that break open encrypted connections and allow security products to analyze payloads. NSX Network Detection and Response supports these instrumentation points.
Additional Details
As we move towards a more encrypted world, both inside and outside our networks, making sure your security products are able to continue to detect and respond to threats is essential. Learn more about NSX Network Detection and Response and how it can help stop both encrypted and unencrypted threats.
