Strong encryption is critical to protecting sensitive business and personal data. Google estimates that 95% of its internet traffic uses the encrypted HTTPS protocol, and most industry analyst firms conclude that between 80 to 90% of network traffic is encrypted today.
The bottom line is that failing to encrypt traffic can lead to incidents as we saw when a Singapore clinic suffered a leak that compromised the personal data of over 70,000 patients and clinic information and interrupted business operations.
However, organisations committed to data privacy are not the only ones who see value in obscuring their digital footprint in encrypted traffic. Cybercriminals have been quick to weaponize encryption as a means to hide their malicious activity in otherwise benign traffic.
In recent years, security researchers have seen an increase in sophisticated attack techniques leveraging encrypted channels. This often leverages commonly abused Microsoft protocols, such as SMBv3, Active Directory, Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP, WINRM, in addition to TLS 1.3.
All of this has catalysed the need for a new approach when it comes to detecting threats within encrypted traffic: namely, decryption. Decryption can detect post-compromise activity that encrypted traffic analysis (ETA) misses, including ransomware campaigns that exploit the PrintNightmare vulnerability.
Today, it’s nearly impossible to tell the good from the bad without the ability to decrypt traffic securely. The ability to remain invisible has given cyberattackers the upper hand. Encrypted traffic has been exploited in some of the most significant cyberattacks and exploits techniques of the past year, from Sunburst and Kaseya to PrintNightmare, ProxyLogon, and the recent high-profile Log4J attacks.
Attack techniques such as living-off-the-land and Golden Ticket attacks are only successful because attackers can exploit organisations’ encrypted traffic. Ransomware is also top of mind for businesses right now. With only 31% of Singapore businesses stating they can identify and block ransomware, just as many are crippled by the fact that they cannot see what is happening laterally within their network perimeter.
Organisations have been wary to embrace decryption due to concerns around compliance, privacy, and security, as well as performance impacts and high computing costs. But there are ways to decrypt the traffic without compromising compliance, security, privacy, or performance. Let’s debunk some of the common myths and misconceptions.
Myth 1: Decryption weakens security
Truth: There are two main kinds of decryption: Out-of-band and in-line. In-line decryption, also known as SSL interception or man-in-the-middle (MitM), is an older approach that can result in organisations experiencing additional complications and costs by deploying additional in-line interception devices accompanied by cumbersome certificate management.
Out-of-band decryption is an elegant solution with its ability to automatically gather dynamic key details (session secrets) from the encryption termination endpoint (typically the server-side). This alleviates the need to add additional deployment complexities, costs, and risks historically associated with network decryption in the enterprise.
Myth 2: Decryption violates privacy laws & compliance standards
Truth: Decryption of enterprise network traffic does not violate privacy regulations or laws, and helps organisations stay compliant with data privacy legislation. Malaysia's Personal Data Protection Act (PDPA) only goes so far as to state that user data should not be misused and misapplied.
Meanwhile, Singapore's PDPA establishes a baseline to work alongside sector-specific legislative and regulatory frameworks, encompassing the collection, use, disclosure, and care of personal data.
This puts a big responsibility on businesses to secure traffic where forensic auditing is required or to investigate incidents on critical systems — such as customer databases or systems housing valuable intellectual property.
However, this is at risk by encrypted attacks, where advanced attackers use techniques like privilege escalation and exploiting encrypted protocols to slip under the radar. These are viable means for threat actors to rapidly distribute ransomware or other malicious files without detection, as well as exfiltrate data.
This is where decryption systems that do not write decrypted payload data to disk are crucial, as they empower real-time traffic analysis that then discards session keys unless continuous packet capture is deployed. Optionally, for an approach that is safer than sharing the long-term private key with analysts, businesses can also go with solutions that allow configurations that store the session key with packets.
Myth 3: Threat detection doesn’t require decryption
Truth: Encrypted traffic has emerged as a global trend for cyberattackers to evade detection. Among others, encrypted traffic attacks can hide during both the initial intrusion and lateral movement stages and can also cloak post-compromise activity from most security detection and investigation tools.
Decryption becomes essential for organisations with public-facing websites and web services For instance, exploits such as SQL injections, cross-site scripting, and Log4J can only be effectively detected and investigated in real-time and with great detail when the traffic is decrypted, and the payload is analysed.
At the midgame stages of an attack, decryption is necessary to understand lateral movement behaviours leveraging Microsoft protocols as well as communications with critical assets such as backend database communications. The ability to decrypt network communications will bolster visibility that is just not possible without decryption.
Attackers can encrypt their connections to victims to hide their activity from firewalls, intrusion detection systems, and proxies, to laterally move across the network. Additionally, adversaries often use encryption technologies to work with applications and tools that are already on victims' machines, making secure connections from compromised devices to new targets.
Myth 4: Encrypted traffic provides no benefit to attackers
Truth: While most companies use encryption to ensure the privacy of their data, cybercriminals have also become adept at using the same technology to cover up their tracks.
The benefits of decrypting network traffic are many. First, decryption enables the detection of attacks earlier in an attack campaign because malicious payloads are no longer hidden.
Second, decryption reduces the mean-time-to-response because it provides valuable context to ensure rapid detection, scoping, investigation, and remediation of threats. And finally, decryption allows full forensic records necessary for detailed post-compromise investigations.
