Thursday, 2 May 2024

The Hidden Danger of Encrypted Traffic

One method to protect data is to encrypt it. However, 93% of malware hides behind encryption. So how should organisations deal with the threat from encryption?

With companies storing an increasing amount of sensitive information, it's crucial that we take proactive measures to protect that data. One method to protect data is to encrypt it, so that it is undecipherable to anyone who does not have the encryption key.


Tech Target explains, “Encryption is the process of applying complex algorithms to data and then converting that data into streams of seemingly random alphanumeric characters.” In this way, encryption keeps your data safe, whether in storage or in transit. As such, data encryption has become a cornerstone of cyber security. 


How much data is encrypted?

The introduction of encryption has been hailed as cyber security success. Initially, it was only credit card transactions and password authentication data that were encrypted. Today, half of all websites use HTTPS. And, according to Cisco, 82 percent of all data traffic is now encrypted.

The logic is that, if this encrypted data was intercepted, it would be indecipherable without the encryption key. However, recent studies have revealed that data encryption has some drawbacks. 

A 2023 WatchGuard Threat Lab report found that 93 percent of malware hides behind encryption. Because this malware is hidden behind encryption, it makes it harder for IT and cyber-security professionals to prevent its dissemination. In solving one problem, it seems, encryption has created another.


The scale of the data encryption problem

There are a number of ways that malicious actors use encryption. This ranges from command and control communications through to the exfiltration of data. 

For example:

•   Common botnets such as Sality, Necurs, and Gamarue use encryption in command and control communications for malicious activities, such as spreading malware, sending spam, and performing denial of service attacks.

•    Common RATs, such as Orcus RAT and RevengeRAT, use encryption to mask the communications which allow them to control and monitor the compromised system remotely.

•    Malicious crypto-mining activities which compromise computers to use their compute power encrypt their communications between the compromised machine and the miners’ server.

•    Banking trojans are another type of malware which is known to use encryption. This way, they can exfiltrate data with less risk of discovery.

Dark Reading found that the countries most targeted by encrypted attacks are the US, India, South Africa, the UK and Australia. From a sectorial perspective, manufacturing and healthcare are most likely to be victim of phishing via encrypted channels.


Can you inspect encrypted data to identify and block malware?

Some organisations suggest that the best way to deal with the increasing threat of encryption hiding malicious activity is to unencrypt the data for inspection, before allowing it to transit your network.

However, given the increasing volumes of encrypted data flowing through your network, this is unlikely to be a satisfactory solution. It will slow down traffic and require a great deal of compute resources to do this. 

What’s more, by inspecting all encrypted traffic, you risk creating data privacy issues. Data Center Knowledge warns, “You gain additional visibility, but guess what could be in there? PII and sensitive information. You can create more problems for yourself if you mishandle that sensitive data. I’ve seen anecdotes of security teams going wrong if they were logging something they shouldn’t have been.”


How should organisations deal with the threat from encryption?

We obviously don’t want to stop encrypting data in transit or at rest for data governance and GDPR compliance reasons. So how do we protect ourselves from malware hiding behind encryption?

Instead of attempting to de-encrypt and inspect everything, a multi-layer cyber-security approach based on zero-trust principles will give you enhanced protection without creating data governance or network performance problems.

Dark Reading suggests that in today's landscape most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale, while legacy firewalls resource limitations make them poorly suited to this task. This creates a critical need for organisations to implement cloud-native architectures that support full inspection of encrypted traffic in alignment with zero-trust principles.

These cyber-security layers should include:

•    A cloud-based web application firewall

•    Edge firewalls, especially around key systems

•    Network detection and response tools

•    Scanning encrypted traffic for known “fingerprints” of encrypted traffic which contains malware (and sandboxing anything suspicious)

•    Endpoint protection and management tools

•    Policies and procedures, e.g. which prevent unnecessary outbound traffic 

•    A zero-trust approach in policy and architecture.


What now?

If you would like advice about any of the issues or solutions discussed in this article, please reach out to the Grant McGregor team. 

Call us: 0808 164 4142

Message us:

Further reading

You can find additional information about cyber security on our blog:

•    How long would it take your organisation to detect a data breach?

•    Server 2012 is end of life: Act now!

•    Do your backups include this important information?

•    How secure are your network peripherals?

•    What is a watering hole attack? And how can you protect against it?

•    Is your organisation doing enough on supply chain security?

•    How to minimise the risk from phishing

•    AI’s new role in cyber security

•    DrayTeks end of life! And why you need Next Gen Firewalls