Weaponising encryption


Cyber criminals’ tactics are becoming more sophisticated, and the increase in cyber attacks is having a devastating impact. In the first half of 2021, 93% more attacks were carried out than in the same period last year, says Mike Campfield, head of EMEA operations, ExtraHop.

To protect sensitive business and personal data, many businesses are turning to strong encryption, which transforms plain text into unreadable ‘ciphertext’. Google estimates that 95% of its internet traffic uses the encrypted HTTPS protocol, with most industry analyst firms concluding that between 80% and 90% of external network traffic is encrypted today.

While encryption might protect data, obscuring digital footprints can compromise SecOps visibility, making it difficult to tell good and malicious traffic apart without decryption. Gartner predicted that 70% of malware campaigns in 2020 would use some type of encryption. Once all data is encrypted, organisations are blind to attackers and unable to tell when an attack occurs and what information was stolen. By utilising decryption, organisations gain a greater understanding of what data has been affected and which customers were impacted.

Cyberattackers are using the lack of decryption to their advantage by hiding their activity among otherwise benign traffic. They do this by using both their own encryption and broad encryption to hide within networks.

The misconceptions about encryption and decryption

There are misconceptions around both encryption and decryption that restrict their potential to be used as tools to protect user privacy. One of the most troubling is that decryption violates the data privacy of businesses as well as individuals.

This is not true. New technologies strike a balance, decrypting relevant data to identify hidden threats without compromising sensitive business data. It’s possible to decrypt enterprise network traffic and be compliant with GDPR, the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) by not configuring decryption capabilities on sensitive subnets.

Another misconception is that decryption slows network traffic. Again, this is false. If the decryption is done passively, it has no impact on the network traffic. Perhaps the biggest misconception, and barrier for organisations, is the belief that encryption standards such as Transport Layer Security (TLS) 1.3, and the tools organisations have in place, do not allow decryption at the scale businesses need to properly protect themselves.

Despite this lack of understanding, decryption is becoming a vital tool in detecting advanced threats that use encryption to get malicious payloads past cybersecurity tools.

Decrypting hidden threats

In the evolving threat landscape, it is imperative for businesses to have the ability to securely decrypt traffic so that they have complete visibility into their environment. As the recent Kaseya and SolarWinds attacks have demonstrated, cybercriminals are using a land-and-pivot strategy. This consists of the criminals creating encrypted malicious payloads that check whether a device has endpoint protection. They then move laterally throughout an organisation until they find a device without coverage and deploy the malware.

Organisations should leverage specific Network Detection and Response (NDR) capabilities to decrypt traffic and identify hidden threats safely and securely, without compromising data privacy. Without decryption, organisations are unable to see up to 60% of the Cybersecurity and Infrastructure Security Agency’s (CISA) most exploited vulnerabilities.

Decipher the way forward with decryption

Many legacy security tools such as endpoint detection and response and IDS systems do not have decryption capabilities. However, NDR technology can configure decryption within products and only apply it to traffic that it has keys for, allowing organisations to move against cyberattackers.

Decryption can enable SecOps to detect attack tactics that others cannot, such as ProxyLogon, Kerberos ticket attacks and the recent PrintNightmare vulnerability. It also detects attacks earlier in the campaign to identify malicious payloads and prevent costly breaches.

It can also improve the Mean Time to Respond (MTTR) by uncovering contextual metadata at high fidelity, enabling rapid detection, scoping, investigation and remediation of threats. It provides a full forensic record post-compromise, to ensure lessons are learned against future attack attempts, with the historical application of performance data.

As we enter a more sophisticated era of cybersecurity, there are new approaches for detecting threats. Cyber attackers are upping their game, and without the ability to securely decrypt traffic it will soon be impossible to tell the good from the bad.

The author is Mike Campfield, head of EMEA operations, ExtraHop.


This UrIoTNews article is syndicated from IoT-Now