Byron V. Acohido
It was just a few short years ago that the tech sector, led by Google, Mozilla and Microsoft, commenced a big push to increase the use of HTTPS – and its underlying TLS authentication and encryption protocol.
Related: Why Google’s HTTPS push is a good thing
At the time, just 50 % of Internet traffic used encryption. Today the volume of encrypted network traffic is well over 80% , trending strongly toward 100%, according to Google.
There is no question that TLS is essential, going forward. TLS is the glue that holds together not just routine website data exchanges, but also each of the billions of machine-to-machine handshakes occurring daily to enable DevOps, cloud computing and IoT systems. Without TLS, digital transformation would come apart at the seams.
However, the sudden, super-saturation of TLS, especially over the past two years, has had an unintended security consequence. Threat actors are manipulating TLS to obscure their attack footprints from enterprise network defenses. The bad guys know full well that legacy security systems were designed mainly to filter unencrypted traffic. So cyber criminals, too, have begun regularly using TLS to encrypt their attacks.
TLS functions as the confidentiality and authenticity cornerstone of digital commerce. It authenticates connections that take place between a smartphone and a mobile app, for instance, as well as between an IoT device and a control server, and even between a microservice and a software container. It does this by verifying that the server involved is who it claims to be, based on the digital certificate issued to the server. It then also encrypts the data transferred between the two digital assets.
At this moment, threat actors are taking full advantage of a TLS encryption gap. The level of sophistication and scope of harm in play is vividly illustrated by criminal activity at the leading edge. For instance, the Russian Turla hacking ring was recently spotted spreading an innovative Trojan, called Reductor, designed to alter the way Chrome and Firefox browsers handle HTTPS connections. The Turla ring has been able to compromise TLS handshakes so as to give themselves the ability to identify, intercept, and decrypt TLS traffic from any computer they infect.
But it’s not just the elite hackers causing concern. The TLS gap is so wide open that threat actors of average skill are also having a field day; they are using tried-and-true tools and techniques to steal, spoof and otherwise abuse digital certificates.
“Criminals have been known to simply hack into a website that is already configured to use TLS and simply piggyback on their infrastructure,” says Chester Wisniewski, principal research scientist at Sophos, a longstanding supplier of network security systems, based in Oxford, England. “Certificates are now being made freely available from Let’s Encrypt, so there is less reason than in the past for threat actors to buy or steal certificates. Still, sometimes impersonating a legitimate, known certificate can assist with blending into the environment the threat actor wants to hide in.”
Surge of encrypted attacks
The good news is that the cybersecurity community has begun to respond. Sophos moved into the advance guard today by launching a new version of its XG Firewall with “Xstream” architecture that is specifically designed to efficiently reduce a company’s exposure to malicious encrypted network traffic. The new firewall is capable of inspecting encrypted traffic and detecting encrypted attacks, on the fly, without onerous performance penalties, Sophos says.
We’re at an early stage of mitigating TLS-facilitated attacks. History tells us that the TLS gap will eventually narrow. But that’s obviously going to take some time. This is a vast new tier of exposures, and legacy systems never get changed overnight. Sophos’ new XG Firewall is a good start to the improved technologies that are needed. But it’s going to take more than tech advances. Shifts in processes and security culture must be brought to bear, as well. In the meantime, we very well may be in for a long run of major network breaches aided and abetted, if not directly carried out, by encrypted attacks.
I had a terrific discussion about this with Sophos’ Wisniewski. Here are a few excerpts of that interview, edited for clarity and length:
LW: For context, can you outline the major moves and counter moves made by threat actors vs. companies over the past, say, 15 years?
Wisniewski: Early on, companies had basic perimeter firewalls blocking traffic from known bad IP addresses. To subvert those early firewalls, threat actors began distributing malware that caused an infected computer to ‘call home’ to centralized command and control infrastructure. Then came next-gen firewalls, which were designed to inspect the content of traffic; the bad guys countered by employing high degrees of polymorphism. Then came real time sandbox inspection to detonate potential threats, which was countered by elaborate schemes to test and confirm that the delivered malware landed on a real computer, not a test bed.
LW: What were the key drivers behind the sharp overall rise in encrypted traffic in the past few years?
Wisniewski: I believe it was mostly driven by Edward Snowden’s disclosures about the secret NSA PRISM project designed to spy on Internet communications, at scale. This drove privacy-concerned companies to take encryption more seriously, and it drove Google and others to more aggressively use their muscle to force the world to come along with what they wanted to do.
LW: To what extent do legacy TLS inspection tools fall short?
Wisniewski: Simply having a capability is very different from being able to effectively deploy it. Most solutions today are too slow and complicated for enterprises to seriously consider enabling. Quality solutions need to have as little impact as possible, as well as the flexibility to only inspect what is necessary.
LW: What’s going to happen over the next couple of years?
Wisniewski: Clearly criminals will continue to use and abuse encryption to attempt to cover their tracks, conceal their thefts and hold our data hostage. While many companies have the technology to inspect TLS traffic, they often don’t bother, as most products are complicated to deploy, seamlessly, in complex environments. With certificates being available at little to no cost, I imagine we will see a steady increase in TLS adoption by criminals, similar to what we saw for legitimate purposes in the years following Snowden’s leaks.
Q: Assuming it remains true that there is no silver bullet, what does the way forward look like?
Wisniewski: As attacks continue to increase in sophistication, it is critical to have layers of defense and to compartmentalize information. This requires combining prevention with an eagle eye for detecting anything you might have missed. The ability to respond quickly and decisively is crucial. As always, this balancing act is forever changing, so having simple, reliable tools allows for the flexibility necessary to stay on top of the latest threats.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)