Most industry analyst firms conclude that between 80 and 90 percent of network traffic is encrypted today. Jeff Costlow, CISO at ExtraHop, explains why this might not be a good thing.
Strong encryption is critical to protecting sensitive business and personal data. Google estimates that 95 percent of its internet traffic uses the encrypted HTTPS protocol, and most industry analyst firms conclude that between 80 and 90 percent of network traffic is encrypted today. This is a significant step forward for data integrity and consumer privacy.
However, organizations with a commitment to data privacy aren’t the only ones who see value in obscuring their digital footprint in encrypted traffic. Cybercriminals have been quick to weaponize encryption as a means to hide their malicious activity in otherwise benign traffic.
Gartner shared that 70 percent of malware campaigns in 2020 used some type of encryption. And Zscaler is blocking 733 million encrypted attacks per month this year, an increase of 260 percent over 2019.
According to a Joint Cybersecurity Advisory issued by the FBI, CISA, the U.K. National Cyber Security Centre and the Australian Cyber Security Centre, encrypted protocols are used to mask lateral movement and other advanced tactics in 60 percent of attacks using the 30 most exploited network vulnerabilities. Put another way, organizations are blind to 60 percent of CISA’s most exploited vulnerabilities.
Security researchers have also uncovered sophisticated emerging attack techniques by using line-rate decryption of the most commonly abused Microsoft protocols, such as SMBv3, Active Directory Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP and WinRM, in addition to TLS 1.3.
All of this has catalyzed the need for a new approach when it comes to detecting threats within encrypted traffic: namely, decryption. Decryption can detect post-compromise activity that encrypted traffic analysis (ETA) misses, including ransomware campaigns that exploit the PrintNightmare vulnerability.
Today, it’s nearly impossible to tell the good from the bad without the ability to decrypt traffic securely. The ability to remain invisible has given cyberattackers the upper hand. Encrypted traffic has been exploited in some of the biggest cyberattacks and exploit techniques of the past year, from Sunburst and Kaseya to PrintNightmare and ProxyLogon. Attack techniques such as living-off-the-land and Active Directory Golden Ticket are only successful because attackers can exploit organizations’ encrypted traffic. Ransomware is also top of mind for enterprises right now, yet many are crippled by the fact that they cannot see what is happening laterally within the east-west traffic corridor.
Organizations have been wary of embracing decryption due to concerns around compliance, privacy and security, as well as performance impacts and high compute costs. But there are ways to decrypt traffic without compromising compliance, security, privacy or performance. Let’s debunk some of the common myths and misconceptions.
Truth: There are two main kinds of decryption: out-of-band and inline. Out-of-band decryption sends de-identified and tokenized data to the cloud for machine learning. This means it never sends any cleartext data across the network, so there are no additional security concerns.
Inline decryption, also known as SSL interception or man-in-the-middle (MitM) decryption, is an older approach that can leave organizations with additional certificate-management complications, and it exposes them to downgrade attacks in which messages are re-encrypted using weaker cipher suites.
Truth: Decryption of enterprise network traffic does not violate privacy regulations or laws. However, some decryption capabilities cannot be configured on sensitive subnets, to avoid violating compliance frameworks such as GDPR, PCI DSS and HIPAA. Organizations must proactively avoid recording data relevant to compliance frameworks, and must have user access controls to ensure that only authorized users have access to packet-level data.
Truth: Deprecated encryption protocols such as SSL, TLS 1.0 and TLS 1.1 may leave traffic vulnerable to sniffing and decryption by sophisticated attackers.
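One defensive check that follows from this point needs no decryption at all: the protocol version and cipher suite a session settled on are visible in the cleartext ServerHello, so a passive sensor can flag sessions still negotiating SSL 3.0, TLS 1.0 or TLS 1.1. The parser below is an added example, not ExtraHop's or Threatpost's code; the two sample records are constructed fixtures rather than real captures, and the hex cipher-suite values are the IANA assignments.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED_VERSIONS = {0x0300, 0x0301, 0x0302}   # SSL 3.0, TLS 1.0, TLS 1.1

def parse_server_hello(record: bytes) -> dict:
    """Read the negotiated protocol version and cipher suite out of a TLS
    ServerHello record. Only handshake metadata is inspected; nothing is decrypted."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]        # legacy_version field
    pos = 2 + 32                                        # skip server random
    pos += 1 + hello[pos]                               # skip session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                            # cipher suite + compression method
    if pos + 2 <= len(hello):                           # optional extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:           # supported_versions: TLS 1.3 signals itself here
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suite": f"0x{cipher:04x}",
            "deprecated": version in DEPRECATED_VERSIONS}

def build_server_hello(legacy_version: int, cipher: int, selected_version=None) -> bytes:
    """Constructed fixture (not a real capture): a minimal ServerHello record."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session_id
    hello += struct.pack("!HB", cipher, 0)                             # cipher suite, null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", 0x002B, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake

# Constructed samples: a TLS 1.0 session using TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), and a
# TLS 1.3 session (legacy_version 1.2 plus supported_versions 1.3) using TLS_AES_128_GCM_SHA256 (0x1301).
LEGACY_HELLO = build_server_hello(0x0301, 0x002F)
MODERN_HELLO = build_server_hello(0x0303, 0x1301, selected_version=0x0304)
```

Pointed at a packet capture, the same parser applied to each server-side handshake record gives an inventory of sessions that still fall back to deprecated versions, which is the exposure the passage describes.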
Truth: While most companies use encryption to ensure the privacy of their data, cybercriminals have also become adept at using the same technology to cover up their tracks.
The benefits of decrypting network traffic are many. First, decryption enables the detection of attacks earlier in an attack campaign because malicious payloads are no longer hidden. Second, decryption improves mean time to response because it provides valuable context to ensure rapid detection, scoping, investigation and remediation of threats. And finally, decryption allows a full forensic record for post-compromise investigations.
Jeff Costlow is the CISO at ExtraHop