Cyber criminals hide malware in encrypted traffic to do their dirty deeds
Businesses need to analyze HTTPS traffic on their networks to search for and destroy not-so-obvious threats
By Byron Acohido, ThirdCertainty
When you bank or shop online, a robust form of encryption protects your data from being spied on or altered by an interloper sitting at a keyboard.
It is called HTTPS, for Hypertext Transfer Protocol with an ‘S’ added to indicate security. HTTPS has been around since 1994, used primarily to protect transactions on banking and shopping sites. But it has only been in the past few years that HTTPS has suddenly caught on as the go-to means for encrypting our social media banter as well as our visits to government, health care and media websites.
Related podcast: Machine learning keeps malware from seeping in
Today, roughly 42 percent of web visits are to pages that use HTTPS, according to Mozilla. That’s largely made up of visits to Google, Facebook, Twitter and other such properties. Even so, a recent Google report shows roughly 80 percent of non-Google pages still do not deploy HTTPS by default, and the consensus in the security community is that even wider use of HTTPS would be very good for security.
Except for one wrinkle. An ironic testament to the efficacy of HTTPS is coming from none other than … cyber criminals.
Hackers have discovered that HTTPS is tailor-made for cloaking their cyber attacks. A report from A10 Networks and the Ponemon Institute shows perhaps as much as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.
ThirdCertainty recently sat down with Corey Nachreiner, chief technology officer at WatchGuard Technologies, to discuss this twisted development. Text edited for clarity and length.
ThirdCertainty: How have the bad guys moved to take advantage of the encryption trend?
Nachreiner: Simply put, they’ve always loved to be able to find tricky ways to get malware into our networks. In the past, we’ve had many security appliances and technologies that allow us to scan traffic for any sort of network attacks. But the problem is, as we’re making it easier for anyone to use HTTPS, the bad guys see it as a hidden spot in the network, and a great malware delivery mechanism.
3C: So what types of malware are they pushing through?
Nachreiner: It would be a simple Trojan, like for instance, ransomware. It could be CryptoWall. It could be the latest botnet Trojan, the latest variant of Citadel. They’re now starting to push that malware over an encrypted version of the web communication. That means all the mechanisms you’ve had in place to catch that malware as it was going over the network are no longer effective.
Related video: Ransomware is big business
3C: Is the security community responding?
Nachreiner: The good news is that there are modern network security solutions, what we call HTTPS deep-packet inspection. But this is a relatively new technology. It has been out for about four or five years, but to many of the organizations out there that don’t have this HTTPS inspection capability, they’re missing around half the attacks out there.
3C: How does this affect me, if I’m a community bank, or a regional business?
Nachreiner: First you should support encrypted traffic in your network infrastructure. It does take more resources, but we’re easily at the point where most network gear can now do that. The second thing you need to do is inspect HTTPS traffic on a network level. Otherwise, you may miss the latest CryptoWall ransomware variant if it comes in an encrypted communication.
More stories related to ransomware and security:
Admitting there are security problems with encryption is the first step toward a solution
Ransomware rampage takes aim at business targets
Let’s Encrypt’ seeks to foster trust in web traffic