Businesses have been moving their data and computing to the cloud, and the COVID-19 pandemic accelerated that move. Security teams need a complete view of everything on the network to spot attacks and stop them before they become a disaster.
Strong network traffic encryption is critical to protecting sensitive business and personal data. Up to 90 percent of network traffic is encrypted today, and estimates from Google indicate that 95 percent of its internet traffic uses the encrypted HTTPS protocol. These statistics represent a step forward for data integrity and consumer privacy. Businesses and organizations need to obscure their digital footprint using encrypted traffic, and the commitment is not only a responsibility for companies that must ensure data privacy.
On the other hand, cybercriminals have weaponized encryption by hiding malicious activity inside benign-looking traffic. According to a cybersecurity report, 70 percent of malware campaigns in 2020 used some form of encryption. The Joint Cybersecurity Advisory issued by the FBI, CISA, the U.K. National Cyber Security Centre, and the Australian Cyber Security Centre highlighted that encrypted protocols mask lateral movement and other advanced tactics in 60 percent of attacks. Threat actors continue to devise ways to use a victim's systems, or an enterprise's own encryption, as the perfect cover for an attack.
A Case for Network Traffic Decryption
As attackers continue to leverage encrypted channels to access and traverse enterprise networks, secure traffic decryption is critical to assessing potential threats, and the situation calls for a new approach to detecting them. Decryption helps detect post-compromise activity that encrypted traffic analysis alone misses. Most organizations are focused on ransomware, but their main challenge is that they cannot see what is happening laterally. Encrypted channels increase the attack surface, reduce visibility, and add to the challenges facing security teams. In the past year, encrypted traffic has been exploited in significant cyberattacks such as Kaseya and Sunburst, and threat actors have had the upper hand by remaining invisible. Cybercriminals have used techniques such as living-off-the-land and Active Directory Golden Ticket attacks inside the encrypted traffic of organizations.
Without the ability to decrypt traffic correctly, it is nearly impossible to distinguish benign activity from malicious activity. Security analysts already find it challenging to sift through the noise, and encryption makes it harder to determine what poses a threat. Most companies focus on only half of the battle: they ensure pervasive encryption but fall short on decryption and monitoring.
Organizations are wary of embracing decryption, fearing the issues of privacy, compliance, high compute costs, security, and performance impacts. However, there are ways in which businesses can decrypt the traffic without messing with compliance, privacy, performance, and security standards.
It is one of the poorly kept secrets of cyber-security operations that most organizations ignore the majority of their alerts. Many incidents or alerts are not investigated because the traffic is encrypted, or simply because of the sheer effort required to decipher an incident. Another contributing factor is the overwhelming number of alerts. The widespread problem is captured in a Trend Micro survey of 2,303 IT security professionals and decision-makers, in which 51% of respondents indicated that their teams were overwhelmed by the sheer volume of alerts, 55% were not confident in prioritizing and responding to alerts and incidents, and 43% said they dealt with the problem by turning off alerts.
Decryption takes one of two forms – in-line decryption and out-of-band decryption. Out-of-band decryption is used to send de-identified and tokenized data to the cloud for machine learning purposes. No clear-text data is sent across the network with out-of-band decryption, which eliminates additional security concerns. In-line decryption is the older approach to network traffic decryption and brings additional complications associated with certificate management. Threat actors can also perform downgrade attacks when messages are re-encrypted using weaker cipher suites. In-line decryption is also referred to as man-in-the-middle or SSL interception.
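The downgrade risk of in-line decryption is something the inspecting side can check for itself: if the re-encrypted leg negotiates an older protocol or an off-policy cipher suite, that should raise a finding. The following is an added example, not code from the article; it parses a TLS ServerHello record (reading the supported_versions extension so TLS 1.3 is recognized) and applies a version/cipher floor, using constructed ServerHello bytes rather than captured traffic.

```python
import struct

# IANA ids used by the constructed samples (any other suite is treated as off-policy).
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
MIN_VERSION = 0x0303                # policy: nothing older than TLS 1.2 after re-encryption
ALLOWED_CIPHERS = {0xc02f, 0x1301}  # ECDHE-RSA-AES128-GCM-SHA256, TLS_AES_128_GCM_SHA256


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from a TLS record holding a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    pos += 1 + hs[pos]                # skip the length-prefixed session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                          # cipher suite + compression method
    if pos + 2 <= len(hs):            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002b and elen == 2:   # supported_versions carries the real TLS 1.3 version
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher": cipher}


def downgrade_findings(hello: dict) -> list:
    """Policy check: flag a re-encrypted session that fell below the version/cipher floor."""
    findings = []
    if hello["version"] < MIN_VERSION:
        findings.append("protocol downgraded to %s" % VERSION_NAMES.get(hello["version"], hex(hello["version"])))
    if hello["cipher"] not in ALLOWED_CIPHERS:
        findings.append("cipher suite 0x%04x is not on the allow-list" % hello["cipher"])
    return findings


def build_server_hello(version: int, cipher: int, supported_version=None) -> bytes:
    """Constructed sample ServerHello (not captured traffic) for exercising the parser."""
    hs = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    ext = struct.pack("!HHH", 0x002b, 2, supported_version) if supported_version else b""
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body
```

Feeding build_server_hello(0x0301, 0x0005) (TLS 1.0 with RC4) through the two functions yields two findings, while a TLS 1.3 hello advertised via supported_versions yields none.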
Having an efficient decryption system is critical to improving an organization's security. You must have the right people in place, with the proper credentials and access controls, looking at the correct information. Keep in mind that not all data needs to be decrypted. You need to look at the correct information to triage quickly and get a concise understanding of the traffic crossing your network. Going forward, technology such as machine learning will support assisted investigation of alerts and incidents at scale.
Businesses need to engage with these challenges and address them rather than avoid them. Companies must commit to increased traffic inspection to raise the likelihood of catching malicious activity. The decryption of enterprise network traffic must not violate privacy regulations or laws; in some cases, decryption is deliberately not configured on sensitive subnets to avoid breaching compliance frameworks such as GDPR, PCI DSS, and HIPAA.
In conclusion, decryption improves security, especially for enterprise data, irrespective of where it resides. First, decryption allows attacks to be detected earlier in a campaign because malicious payloads are exposed. Second, decryption improves mean time to respond, since security teams have the context needed for rapid detection, scoping, investigation, and remediation of threats. Lastly, decryption provides a complete forensic record that comes in handy in post-compromise investigations.