It’s been a mainstay of internet security for more than 25 years, but experts are warning that Secure Sockets Layer encryption is not providing the levels of security that many people assume.
First introduced by Netscape back in 1994, Secure Sockets Layer (SSL), and later its successor TLS, was developed to ensure privacy and security on the internet by encrypting data in transit. The protocol authenticates the server to the client (and, optionally, the client to the server) and protects the data exchanged from eavesdropping and tampering along the way.
Unfortunately, SSL/TLS has given many people a false sense of security. They believe that, as long as a website URL begins with ‘https’, online safety is assured. It is not: HTTPS guarantees only that the connection to a site is private and that the site holds a certificate for its name. It says nothing about whether what the site delivers is benign.
The problem stems from the fact that SSL/TLS is also being used by cybercriminals to hide threats inside encrypted traffic, where security tools that do not decrypt that traffic cannot see them. Worryingly, between January and September, the Zscaler security cloud blocked some 6.6 billion security threats that were hidden inside encrypted traffic. This represents an increase of nearly 260% over 2019.
The inspection challenge
For this reason, it’s important that inspection of encrypted traffic is made a key component of every organisation’s security infrastructure. The problem, however, is that traditional on-premises security tools struggle to deliver the processing power and capacity needed to decrypt, inspect, and re-encrypt traffic in a timely manner.
On such appliances, attempting to inspect all SSL/TLS traffic can degrade network performance severely. For this reason, many organisations allow at least some of their encrypted traffic to pass uninspected. Yet every flow that is not inspected is a flow in which hidden phishing pages, malware downloads and other potentially costly threats go undetected.
The threats posed by criminal use of SSL/TLS come into sharp focus when you consider how widely the technology is used. According to industry research, encrypted traffic currently accounts for between 75% and 80% of all internet traffic.
Attacks are evolving
As well as an increase in the volume of encrypted cyberattacks, the way in which attackers are mounting them is evolving.
One example can be seen in the way cloud storage services have become a popular means of attack. Services such as Google Drive, Microsoft OneDrive and Dropbox are great for securely sharing files over SSL/TLS on the web.
However, since cybercriminals know that most organisations are unable to inspect SSL/TLS traffic at scale, and that these cloud services are generally treated as “trusted” (and often exempted from inspection for that reason), they launch attacks that appear to originate from these services.
Cybercriminals upload their malware payload to one or more of these cloud services and then distribute the download URLs as part of an email spam campaign. Because the link points to a well-known, reputable domain, end users are more likely to click it and URL-reputation filters are less likely to block it.
Meanwhile, smartphones have also become popular targets for cybercriminals. In the same way that attackers spoof web pages, they can also create fake apps that appear legitimate.
For example, an Android banking trojan called Cerberus uses an application name and icon that mimic the legitimate Google Play application. After an unsuspecting user opens the fake app, it prompts the user to grant it Android’s ‘accessibility service’ permission.
The attacker assumes that many users will tap ‘Allow’ on such a prompt without reading it carefully. Once granted, that permission lets the app read the content of other apps displayed on the phone’s screen and perform actions on the user’s behalf, such as tapping buttons and granting itself further permissions, without the user’s knowledge.
Preventing encrypted attacks
As can be seen from these examples, SSL/TLS encrypted traffic is not necessarily secure traffic. Just as the use of encryption has increased, so has its use among cybercriminals to hide their attacks.
As a result, the need to inspect encrypted traffic is now greater than ever. Although many organisations follow security best practice and encrypt their internet traffic, legacy tools such as on-premises next-generation firewalls often lack the performance and capacity to decrypt and inspect that traffic at scale. All too often, IT security teams therefore allow most encrypted traffic to pass uninspected.
In addition, regulations strictly govern how an organisation may handle data containing personal information about its customers, so some categories of traffic must be exempted from decryption. Writing separate policies that define which categories of traffic are inspected and which are bypassed, and then replicating those policies at every location, is a tedious task, so organisations tend to skip the process altogether.
There are some key steps an organisation can take to protect itself from encrypted cyberattacks. These can be undertaken without slowing or disrupting network traffic, which would have negative knock-on effects for users. The steps are:
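The inspect-or-bypass decision described above, and the cost of leaving encrypted flows uninspected, can be made concrete with a small worked example. The code below is an added illustration and is not Zscaler’s code or taken from this article: it parses the unencrypted TLS ClientHello that opens every connection, extracts the Server Name Indication (SNI) and offered cipher suites, and applies a hypothetical per-category bypass list (the `BYPASS_SUFFIXES` table and the domain names in it are invented for the demo). The ClientHello bytes are constructed inline by `build_client_hello` rather than captured from a real client. The policy fails closed: a handshake that cannot be parsed is blocked, and a connection that carries no SNI cannot match any exemption and so is inspected.

```python
import struct

# TLS record and handshake constants (RFC 5246 / RFC 8446).
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Hypothetical exemption list: hostname suffixes whose traffic an organisation
# has decided not to decrypt (e.g. for privacy regulation). Constructed for the demo.
BYPASS_SUFFIXES = {
    "bank.example": "finance",
    "health.example": "healthcare",
}


def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02B)):
    """Construct a minimal TLS 1.2-style ClientHello record (sample input for the demo).
    server_name=None produces a hello with no extensions and therefore no SNI."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                     # client_version: TLS 1.2
        + bytes(32)                                     # random (zeroed for the demo)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", len(suites)) + suites       # cipher_suites
        + b"\x01\x00"                                   # compression_methods: null only
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is conventionally 3.1 for the first flight.
    return bytes([CONTENT_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str or None, 'cipher_suites': [int]} from a ClientHello record.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                    # skip client_version and random
        pos += 1 + body[pos]                            # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                            # skip compression_methods
        sni = None
        if pos + 2 <= len(body):                        # extensions block is optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                data = body[pos:pos + elen]
                pos += elen
                # ServerNameList: 2-byte list length, then entries of type(1) + length(2) + name.
                if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                    name_len = struct.unpack("!H", data[3:5])[0]
                    sni = data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return {"sni": sni, "cipher_suites": suites}


def inspection_decision(record):
    """Decide whether a new TLS connection is decrypted and scanned ('inspect'),
    passed through untouched ('bypass'), or dropped ('block')."""
    try:
        info = parse_client_hello(record)
    except ValueError as exc:
        return {"action": "block", "reason": "fail closed, %s" % exc}    # not a valid hello
    sni = info["sni"]
    if sni is None:
        # No hostname means no exemption can apply; the safe default is to inspect.
        return {"action": "inspect", "reason": "no SNI, exemption cannot be applied"}
    sni = sni.lower()
    for suffix, category in BYPASS_SUFFIXES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return {"action": "bypass", "reason": "%s exemption for %s" % (category, sni)}
    return {"action": "inspect", "reason": "default policy, decrypt and scan %s" % sni}


if __name__ == "__main__":
    for name in ("login.bank.example", "files.example.net", None):
        print(name, inspection_decision(build_client_hello(name)))
```

Two caveats a practitioner would add: a hostname bypass is only as good as the SNI, which a client controls and which TLS 1.3 Encrypted Client Hello can hide entirely, so an inline proxy should also verify that the certificate it sees on the server side actually matches the exempted name; and each “bypass” entry is precisely the kind of uninspected flow the article warns about, so the list should be short and reviewed.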
- Use the cloud: Decrypt, detect, and prevent threats in all SSL traffic by using a cloud-native, proxy-based architecture that can inspect all traffic for every user without affecting network performance
- Quarantine: Make use of an AI-driven tool to quarantine unknown attacks and stop ‘patient-zero’ infections, where the first recipient of a never-before-seen sample is compromised before any signature exists. Suspicious content is automatically held for analysis, unlike firewall-based pass-through approaches that deliver the file while analysis is still running
- Deliver consistent security: Empower your IT team to deliver the same security measures for all users in all locations. This ensures everyone has the same level of protection at all times, whether they are working from home, in the office, or on the road.
- Reduce the attack surface: Beginning from a position of zero trust, where lateral movement is not possible by default, take steps to reduce your overall attack surface. With this approach, applications become invisible to attackers, while authorised users directly access the specific resources they require rather than the entire network.
While it’s clear that SSL/TLS will remain an important component of IT security infrastructures for some time to come, it’s also important to recognise the blind spot it creates. With cybercriminals taking advantage of the same technology to hide their attacks, additional steps are required to ensure your organisation does not fall victim to their efforts.
By understanding why attackers are using SSL/TLS and the common techniques they are adopting to mount attacks, you can be much better prepared to counter their threats. Take the time now to evaluate your traffic inspection techniques and ensure they are up to the task.
Steve Singer is the regional vice president and country manager, Australia and New Zealand at cloud-based information security company, Zscaler.