Hackers on the cutting-edge are using HTTPS to dodge detection

Companies must be diligent in defending their digital assets from emerging exposure


Encryption is a two-edged sword. Over the past few years the tech sector—led by Google, Facebook and Twitter—has implemented a form of encryption to help secure virtually all of our online searches, social media banter and mobile apps.

When you search for something or use social media online, a robust form of encryption protects your data from being intercepted. It is called HTTPS, for Hypertext Transfer Protocol with an ‘S’ added to indicate security.

HTTPS has been used since 1994, primarily to protect online financial transactions. But now the tech giants are highly motivated to keep consumers’ trust level high in the murky internet. So they are leading the charge to spread HTTPS usage far and wide. And, generally speaking, that’s a very good thing.

Many government, health care and media websites have now jumped on the HTTPS bandwagon, in no small part due to the post-Edward Snowden-era demand for privacy. There’s still a long way to go. But even wider business use of HTTPS to protect sensitive data is inevitable.

Related: Snowden shares privacy views at Privacy XChange Forum 2016

But here is where the sword cuts the other way: Hackers have discovered that HTTPS is a perfect mechanism for helping them dodge detection.

A recent report from A10 Networks and the Ponemon Institute shows perhaps as much as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.

Backdoor for criminals

Because firewalls, antimalware suites and intrusion detection systems have not been tuned to this trick, the effect is that criminals are using HTTPS to subvert powerful technology that has taken decades for the good guys to disperse widely.

Most advanced sandboxing technologies and behavior analytics tools are not currently configured to detect and neutralize HTTPS-cloaked malicious traffic. Thus technology that companies have spent billions to install is being subverted by cyber criminals’ use of HTTPS.

Kevin Bocek, Venafi vice president of security strategy and threat intelligence

“Sadly, enterprise spending on sexy security systems is completely ineffective to detect this kind of malicious activity,” says Kevin Bocek, security strategist at Venafi, a supplier of encryption-related technologies. “A cyber criminal using encrypted traffic is given a free pass by a wide range of sophisticated, state-of-the-art security controls.”

The A10/Ponemon report outlines how criminals are using HTTPS to go undetected as they carry out phishing and ransomware campaigns, take control of network servers and exfiltrate data. Of the more than 1,000 IT and IT security practitioners surveyed, some 80 percent acknowledged that their organizations had sustained a cyber attack in the past year, and nearly half said their attackers had used encryption to evade detection.

Reading the contents of web traffic

The good news is that there is technology already on the market that can look one level deeper into network traffic to spot malicious, or suspicious, HTTPS content. The technique is called HTTPS deep-packet inspection.

“This is relatively new technology that has been out for about four or five years now,” says Corey Nachreiner, chief technology officer at WatchGuard Technologies. “There are many organizations that don’t have this HTTPS inspection capability yet, so they’re missing around half the attacks out there.”
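An inspection point does not have to decrypt anything to learn where a TLS session is headed: the ClientHello, the first message of every HTTPS connection, carries the requested server name (SNI) and the offered cipher suites in the clear, which is how inspection gear decides which sessions to look at more closely. The Python below is an added example, not code from the article or from any vendor named in it; it builds a constructed ClientHello for the invented host `updates.example.net` and parses those fields back out.

```python
"""Parse the cleartext TLS ClientHello to recover SNI and cipher suites.
Added example (not from the article): a minimal parser for the handshake
metadata an HTTPS inspection point can read before any decryption."""
import struct
from typing import Optional

def build_client_hello(sni: Optional[str], suites=(0x1301, 0xC02F)) -> bytes:
    """Construct a sample ClientHello; the host name and zeroed random are made up."""
    body = b"\x03\x03" + bytes(32)                      # client_version TLS 1.2, 32-byte random
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst     # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake

def parse_client_hello(rec: bytes) -> dict:
    """Return version, offered cipher suites and SNI (None if the extension is absent)."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(rec[6:9], "big")
    p = rec[9:9 + hs_len]
    version = struct.unpack("!H", p[:2])[0]
    i = 2 + 32                                          # skip client_version and random
    i += 1 + p[i]                                       # skip session_id
    n = struct.unpack("!H", p[i:i + 2])[0]; i += 2
    suites = [struct.unpack("!H", p[j:j + 2])[0] for j in range(i, i + n, 2)]; i += n
    i += 1 + p[i]                                       # skip compression_methods
    sni = None
    if i + 2 <= len(p):                                 # extensions block is optional
        ext_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4]); i += 4
            if etype == 0x0000:                         # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", p[i + 3:i + 5])[0]
                sni = p[i + 5:i + 5 + name_len].decode("ascii", "replace")
            i += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("updates.example.net")))
```

A session with no SNI at all, or one naming a host that does not match the certificate later presented, is exactly the kind of metadata mismatch an inspection policy can flag for full decryption and scanning.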

This is just one more example of why businesses of all sizes need to stay abreast of how cyber criminals innovate to stay one step ahead.

Businesses must set up defense

Small and midsize businesses should begin looking into adding HTTPS protection. This can be done directly on premises or via a managed security services provider. For SMBs, there are many credible security vendors out there worthy of review. But you have to commit to doing the due diligence.

Large enterprises face a bigger challenge. HTTPS uses Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to encrypt traffic. This revolves around the issuing and managing of encryption keys and digital certificates at a scale that can stir confusion in big companies.

“The challenge of gaining a comprehensive picture of how encryption is being used across the enterprise and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations,” Venafi’s Bocek says. “Insufficient resources and automated controls are creating a nearly insane situation.”

Again, the good news is that technology to efficiently address this emerging exposure is available. First comes awareness of the problem, followed by continual due diligence by company decision-makers to defend their organization’s digital assets.
