Analysis of encrypted traffic will soon be mandatory
Most Internet traffic today is encrypted, and attackers benefit from that encryption just as legitimate users do: a TLS tunnel hides a command-and-control channel as effectively as it hides a banking session. The need to examine encrypted traffic is therefore obvious; how to do it is less so. Full decryption (TLS interception) introduces performance bottlenecks and raises privacy and compliance problems, because the decrypted payloads must themselves be protected. Finding a way to keep performance and compliance intact while still examining the traffic properly is essential.
Encrypted traffic should be examined for the control channels of botnets and malware, which are often hidden inside "secure" tunnels. Examining encrypted traffic also helps when investigating other issues. Take a workstation that suddenly starts negotiating an outdated protocol version or cipher suite: that is a strong indicator of compromise, or at least of unauthorized software. Or consider users communicating with servers that present untrusted certificates. The ability to analyze encrypted communications in this way is becoming more critical every day for effective enforcement of security policies.
While only about half of Internet traffic was encrypted in 2017, the share now exceeds 80%. The era of a fully encrypted Internet is already knocking on the door, and professionals in charge of security and risk management are naturally paying more attention to it. Encryption complicates the use of traditional payload-inspecting security technologies such as firewalls and intrusion detection systems, and often renders their signature matching useless. If you don't know what is hiding in the packets, you cannot fully protect the corporate network or individual workstations from malware.
Today, the analysis of encrypted communications should be part of the network monitoring and security portfolio of every business. Some security solutions add this capability by analyzing the metadata of encrypted connections without opening the payload. With it, businesses can see important details of encrypted communication, including indicators of hidden malware. The encrypted content itself still cannot be viewed without decryption, so it is important to extract as much information as possible from the part of the connection that is still in the clear: the handshake, during which the parties negotiate the protocol version and cipher suite, exchange key material and present certificates.
An example of this connection setup is the SSL/TLS handshake, which must precede every encrypted session and during which various parameters are visible on the wire: the TLS version offered by the client and chosen by the server, the cipher suite, the Server Name Indication (SNI), the certificate issuer, public key and validity period, the JA3 fingerprint derived from the ClientHello, and so on. One caveat: TLS 1.3 encrypts the server certificate and most ServerHello extensions, so on TLS 1.3 connections a passive observer sees essentially the ClientHello fields (SNI, offered cipher suites and extensions, hence JA3) and the negotiated cipher suite, and where Encrypted Client Hello is deployed even the SNI disappears.
The handshake data can then be analyzed or used in various ways to manage the security of the organization. Based on it, we can receive notifications of changes and events, or use it for automatic alerts linked to other actions (sending an e-mail, running a user script, sending a syslog message or an asynchronous notification in the form of an SNMP trap, etc.).
JA3 helps in malware detection
One of the easiest ways to detect malware and to build indicators of compromise (IoCs) is to look at JA3 fingerprints. The JA3 method produces an SSL/TLS client fingerprint on any platform from fields of the ClientHello alone: protocol version, offered cipher suites, extensions, supported groups and EC point formats, concatenated and hashed with MD5. Matching JA3 fingerprints is far more robust than matching IP addresses or domains as IoCs: it does not matter whether the malware uses a domain generation algorithm (DGA), rotates the IP addresses of its command-and-control (C2) hosts, or even uses a public service such as Twitter for control. Because JA3 characterizes the client implementation itself, it detects malware by how it communicates rather than by whom it talks to. On this basis, tools such as those from Flowmon, in combination with a publicly available JA3 fingerprint database, can flag potential threats from specific JA3 fingerprints in encrypted communication. The usual caveat applies: a JA3 hash identifies a TLS stack and configuration, not a program, so every application linked against the same library with the same settings produces the same fingerprint. A match is an indicator to correlate with destination, timing and other data, not proof on its own.
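To make the method concrete, the following added example (not code from the page or from Flowmon) computes a JA3 fingerprint from a raw TLS ClientHello record using only the Python standard library. The ClientHello is constructed inline with a small builder so the script runs offline; the hostname, cipher suites and extension values are arbitrary choices for illustration, and the GREASE values it contains show why JA3 filters them out.

```python
"""JA3 fingerprinting of a TLS ClientHello (added example, stdlib only)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Browsers insert them at
# random, so JA3 drops them; otherwise the same client would hash differently each run.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_hash) for a raw TLS record carrying a ClientHello.

    JA3 = client_version,ciphers,extensions,supported_groups,ec_point_formats,
    each list dash-joined in decimal, then MD5 of that string.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                              # handshake type (1) + length (3)
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                        # client_version, then 32-byte random
    pos += 1 + hs[pos]                   # session_id length + session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + hs[pos]                   # compression_methods length + list

    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(hs):               # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:              # supported_groups: u16 length + u16 list
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if g not in GREASE]
            elif etype == 11:            # ec_point_formats: u8 length + u8 list
                formats = list(data[1:1 + data[0]])

    ja3 = ",".join([str(version), _dash(ciphers), _dash(ext_types), _dash(groups), _dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# --- constructed sample input (not a capture) ---------------------------------
def build_client_hello(version, ciphers, extensions, random_bytes=b"\x11" * 32):
    """Assemble a minimal TLS record containing a ClientHello."""
    cipher_block = b"".join(struct.pack("!H", c) for c in ciphers)
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        struct.pack("!H", version)
        + random_bytes
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", len(cipher_block)) + cipher_block
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(ext_block)) + ext_block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ext_sni(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    return 0, struct.pack("!H", len(entry)) + entry


def ext_supported_groups(groups):
    data = b"".join(struct.pack("!H", g) for g in groups)
    return 10, struct.pack("!H", len(data)) + data


def ext_ec_point_formats(formats):
    return 11, bytes([len(formats)]) + bytes(formats)


SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,                                              # TLS 1.2 -> "771"
    [0x0A0A, 0x1301, 0xC02B, 0x002F],                    # GREASE, then three real suites
    [
        (0x1A1A, b""),                                   # GREASE extension, dropped
        ext_sni("example.test"),                         # hostname is an assumption
        ext_supported_groups([0x2A2A, 0x001D, 0x0017]),  # GREASE, x25519, secp256r1
        ext_ec_point_formats([0]),                       # uncompressed
        (16, b"\x00\x03\x02h2"),                         # ALPN: h2
        (13, b"\x00\x02\x04\x03"),                       # signature_algorithms
    ],
)

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print("JA3 string:", ja3_string)
    print("JA3 hash:  ", ja3_hash)
```

The hash is what you look up in a fingerprint database or match against a blocklist; the string is what you keep for investigation, because it tells you which cipher suites and extensions produced the match. On real traffic the record comes from the first client-to-server segment of a TCP stream on the TLS port, and a ClientHello larger than one TLS record (common with post-quantum key shares) needs the record layer reassembled first.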
How to audit security policies
Many businesses rely on HTTPS and on certificates issued by a certification authority with a limited validity period to secure their internal communication or web presence. It is important to monitor the validity of each issued certificate to avoid a situation where a service is left unprotected, or simply unreachable, for some time. This can be resolved elegantly by analyzing the encrypted traffic, which among other things yields the expiration date of every certificate seen on the wire. That makes it possible to catch certificates before they expire instead of discovering the problem from user complaints. One can just as easily detect deprecated protocol versions such as TLS 1.0 and 1.1, or weak cipher suites, with enough lead time to take corrective action.
Some security solutions provide two-tier encrypted traffic analysis. The first tier is a cryptographic assessment: it examines SSL/TLS protocol versions, cipher suites (encryption algorithms, key lengths) and certificates. The second tier focuses on threat detection: it offers JA3 fingerprints for identifying malware or infected hosts, ALPN for identifying the application protocol carried inside the tunnel, and examines SNI and many other parameters.
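The first tier, the cryptographic assessment, is essentially a set of policy rules evaluated over handshake metadata. The following added example (not code from the page or from any vendor) runs such rules over a few constructed connection records of the kind a flow collector might export; the field names `version`, `cipher_suite`, `cert_not_after` and `cert_self_signed` are assumptions, as are the hosts, dates and the fixed reference time used so the output is reproducible offline.

```python
"""Policy audit over TLS handshake metadata (added example, stdlib only)."""
from datetime import datetime, timedelta, timezone

# Oldest version allowed by policy and the ordering used to compare versions.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_VERSION = "TLSv1.2"
# Substrings of IANA cipher suite names that indicate a suite policy rejects.
WEAK_SUITE_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "DES_", "MD5", "anon")


def audit(record, now, expiry_warning_days=14):
    """Return a list of 'tag: detail' findings for one connection record."""
    findings = []
    version = record["version"]
    if VERSION_ORDER.index(version) < VERSION_ORDER.index(MIN_VERSION):
        findings.append(f"deprecated-protocol: {version} negotiated with {record['server']}")
    suite = record["cipher_suite"]
    if any(marker in suite for marker in WEAK_SUITE_MARKERS):
        findings.append(f"weak-cipher-suite: {suite}")
    not_after = record.get("cert_not_after")
    if not_after is not None:
        remaining = not_after - now
        if remaining <= timedelta(0):
            findings.append(f"certificate-expired: expired {-remaining.days} days ago")
        elif remaining <= timedelta(days=expiry_warning_days):
            findings.append(f"certificate-expiring: {remaining.days} days left")
    if record.get("cert_self_signed"):
        findings.append("untrusted-certificate: self-signed")
    return findings


def audit_all(records, now):
    """Map server -> findings, keeping only servers that violate policy."""
    result = {}
    for rec in records:
        found = audit(rec, now)
        if found:
            result[rec["server"]] = found
    return result


# Fixed reference time so the sample below evaluates the same way every run.
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample records (hosts, dates and suites are illustrative).
SAMPLE_RECORDS = [
    {"server": "intranet.example.test", "version": "TLSv1.2",
     "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "cert_not_after": datetime(2024, 9, 1, tzinfo=timezone.utc), "cert_self_signed": False},
    {"server": "legacy-erp.example.test", "version": "TLSv1",
     "cipher_suite": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
     "cert_not_after": datetime(2024, 3, 10, tzinfo=timezone.utc), "cert_self_signed": False},
    {"server": "dev-box.example.test", "version": "TLSv1.3",
     "cipher_suite": "TLS_AES_256_GCM_SHA384",
     "cert_not_after": datetime(2024, 2, 20, tzinfo=timezone.utc), "cert_self_signed": True},
]

if __name__ == "__main__":
    for server, findings in audit_all(SAMPLE_RECORDS, REFERENCE_NOW).items():
        print(server)
        for f in findings:
            print("  -", f)
```

In production the records come from the collector's TLS metadata export and `now` is the wall clock; the rules stay the same. Remember that on TLS 1.3 connections the certificate fields will usually be empty for a passive sensor, so certificate checks for those servers need another source, such as an active scan of your own endpoints.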
Businesses need to prepare for strategic change
For reliable protection against threats, companies will eventually need to integrate security tools based on behavioral analysis, machine learning and analysis of encrypted communications. These tools promise to detect malware in encrypted traffic in near real time without affecting network throughput or degrading application performance. Existing security policies will also have to change so that man-in-the-middle attacks and attempted exfiltration of corporate data can be stopped quickly.
New security technologies such as these will be essential not only for protection but also for auditing. They will help detect communications that use expired or otherwise non-compliant certificates, monitor the strength of the negotiated encryption, and reveal weak TLS configurations. Most organizations today can obtain such a detailed overview only through laborious and time-consuming manual methods.
In a way, Socrates' saying that the unexamined life is not worth living applies to network security as well. Unexamined traffic undermines every other security control, offering attackers a way to reach resources right under the nose of the security team inside encrypted tunnels. Such traffic deserves careful examination, and that examination can be done largely without performance penalties or compliance exposure.