Cyber criminals hide malware in encrypted traffic to do their dirty deeds

Businesses need to analyze HTTPS traffic on their networks to search for and destroy not-so-obvious threats


When you bank or shop online, a robust form of encryption protects your data from being read or altered by an interloper sitting between you and the site.

It is called HTTPS, for Hypertext Transfer Protocol with an 'S' added to indicate security: ordinary HTTP carried inside an encrypted TLS (originally SSL) connection. HTTPS has been around since 1994, used primarily to protect transactions on banking and shopping sites. But it has only been in the past few years that HTTPS has suddenly caught on as the go-to means for encrypting our social media banter as well as our visits to government, health care and media websites.


Today, roughly 42 percent of web visits are to pages that use HTTPS, according to Mozilla. That's largely made up of visits to Google, Facebook, Twitter and other such properties. Even so, a recent Google report shows roughly 80 percent of non-Google pages still do not deploy HTTPS by default, and the consensus in the security community is that even wider use of HTTPS would be very good for security.

Except for one wrinkle. An ironic testament to the efficacy of HTTPS is coming from none other than … cyber criminals.

Hackers have discovered that HTTPS is tailor-made for cloaking their cyber attacks. A report from A10 Networks and the Ponemon Institute shows perhaps as much as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.

ThirdCertainty recently sat down with Corey Nachreiner, chief technology officer at WatchGuard Technologies, to discuss this twisted development. Text edited for clarity and length.

ThirdCertainty: How have the bad guys moved to take advantage of the encryption trend?

Corey Nachreiner, WatchGuard Technologies chief technology officer

Nachreiner: Simply put, they've always loved to be able to find tricky ways to get malware into our networks. In the past, we've had many security appliances and technologies that allow us to scan traffic for any sort of network attacks. But the problem is, as we're making it easier for anyone to use HTTPS, the bad guys see it as a hidden spot in the network, and a great malware delivery mechanism.

3C: So what types of malware are they pushing through?

Nachreiner: It would be a simple Trojan, like for instance, ransomware. It could be CryptoWall. It could be the latest botnet Trojan, the latest variant of Citadel. They're now starting to push that malware over an encrypted version of the web communication. That means all the mechanisms you've had in place to catch that malware as it was going over the network are no longer effective.


3C: Is the security community responding?

Nachreiner: The good news is that there are modern network security solutions, what we call HTTPS deep-packet inspection. But this is a relatively new technology. It has been out for about four or five years, but to many of the organizations out there that don't have this HTTPS inspection capability, they're missing around half the attacks out there.

3C: How does this affect me, if I'm a community bank, or a regional business?

Nachreiner: First you should support encrypted traffic in your network infrastructure. It does take more resources, but we're easily at the point where most network gear can now do that. The second thing you need to do is inspect HTTPS traffic on a network level. Otherwise, you may miss the latest CryptoWall ransomware variant if it comes in an encrypted communication.
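To make the "HTTPS inspection on a network level" discussed above concrete, here is an added example in Go; it is not WatchGuard's code or anything from the interview, and it stands in for a real appliance in the smallest possible form. It mints a private inspection CA and a leaf certificate for the address the client connects to, terminates the client's TLS with that leaf, re-fetches the same resource from the real site over its own, separately verified TLS session, and scans the decrypted body before relaying or blocking it. The upstream site, its two URLs and the one-entry signature set (the harmless EICAR test string) are constructed for the demonstration; a real appliance would mint the leaf per site from the SNI in each ClientHello and hand the plaintext to a full malware engine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// EICAR is the harmless industry-standard antivirus test string; it stands in for a real
// malware signature here (a constructed one-entry signature set, not any vendor's).
const EICAR = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

// mintCert signs tmpl with parent (self-signed when parent is nil) and returns the parsed
// certificate with the fresh private key it was issued for. Use random serials in production.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo puts an inspecting proxy between a client and a constructed upstream that serves a
// benign page and an EICAR "download", and returns the status codes the client saw for each.
func Demo() (download, page int, err error) {
	pages := map[string]string{"/update.exe": EICAR, "/index.html": "<html>benign page</html>"} // constructed site content
	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, pages[r.URL.Path])
	}))
	defer upstream.Close()
	// The inspection CA is what an appliance installs in every managed client's trust store.
	ca, caKey, err := mintCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Example HTTPS Inspection CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return 0, 0, err
	}
	// The leaf the client sees is minted by that CA for the address it connected to, not the real site's.
	leaf, leafKey, err := mintCert(&x509.Certificate{Subject: pkix.Name{CommonName: "127.0.0.1"}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return 0, 0, err
	}
	// Data path: terminate the client's TLS, re-fetch the resource from the real site over a
	// separately verified TLS session, then scan the plaintext and relay or block it.
	proxy := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		resp, err := upstream.Client().Get(upstream.URL + r.URL.RequestURI())
		if err != nil {
			http.Error(w, "upstream error", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 16<<20)) // bound memory per response
		if bytes.Contains(body, []byte(EICAR)) {                 // the check that needs decryption
			http.Error(w, "blocked by HTTPS inspection", http.StatusForbidden)
			return
		}
		w.WriteHeader(resp.StatusCode)
		w.Write(body)
	}))
	proxy.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	proxy.StartTLS()
	defer proxy.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the managed endpoint trusts the inspection CA, so the minted leaf verifies
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	var codes [2]int
	for i, path := range []string{"/update.exe", "/index.html"} {
		resp, e := client.Get(proxy.URL + path)
		if e != nil {
			return 0, 0, e
		}
		resp.Body.Close()
		codes[i] = resp.StatusCode
	}
	return codes[0], codes[1], nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints the download's status (403, blocked) and the page's status (200, relayed). Two points in the code are the ones a practitioner should weigh before deploying inspection: the client accepts the minted certificate only because the inspection CA sits in its trust store, so that CA's private key becomes a high-value target that has to be protected like any other signing key; and once clients can no longer see the real site's certificate, the inspector itself must verify it (here through upstream.Client()), or inspection quietly weakens the protection HTTPS was providing.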
