In its most recent report, “2021 State of Encrypted Attacks,” covering January to September 2021, Zscaler found that SSL/TLS encryption is increasingly being leveraged by cybercriminals. ThreatLabZ, Zscaler’s research team, uncovered uncomfortable encryption trends such as malware hiding inside encrypted traffic, abuse of cloud storage, and a rise in mobile attacks. The report scrutinizes the attack chain and provides an analysis of browser exploits, ransomware and malware. At the end of the report, suggestions for preventing encrypted threats are put forth.
ThreatLabZ collects this data from enterprise traffic and the over 160 billion daily transactions crossing the Zscaler cloud platforms.
What 2021 taught us about encryption threats
Zscaler analyzed encrypted traffic across their cloud environment for the first nine months of 2021 to identify hidden encryption attack trends. Their findings are summarized below:
- 314% increase in SSL-based threats, up from 260% in 2020, driven in part by the growth of collaboration applications under remote working trends.
- Attacks on tech companies increased by 2,344% year-over-year; attacks on retail and wholesale companies increased by 841%.
- While healthcare was the #1 most targeted industry in 2020, threats have fallen off precipitously, along with attacks against government organizations, as a result of increased attention from law enforcement.
- Malware is up 212% and phishing is up 90%, reflecting a broader shift in the attack trends with ransomware gaining popularity.
As the volume of encrypted SSL/TLS attacks keeps climbing, it is virtually impossible to catch all malicious traffic passing over a corporate network without looking inside the encryption. That is why it is important to transition away from traditional perimeter models built on next-generation firewalls alone and adopt a more agile method of decrypting, inspecting and re-encrypting the data that passes over our networks. At this time, many enterprises are not equipped to do so, but there are solutions.
Encryption attack trends
SSL/TLS encryption is used globally to protect most internet traffic. As the rate of encryption for legitimate traffic increases, so does the rate for malicious traffic. Zscaler blocked over 20.7 billion threats over the reported period, an increase of 314% year-over-year.
Encryption offers multiple benefits to attackers: not only is encrypted traffic less likely to be inspected by security teams, but encrypted files are much harder to fingerprint, allowing malware to slip by undetected.
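To make the inspection gap concrete, here is an added example (not from the Zscaler report or the article) showing what a network sensor can recover from TLS traffic without decrypting it: only handshake metadata such as the SNI hostname, the offered cipher suites and the ALPN protocols. Once the handshake completes, application-data records are opaque, so a malicious download or phishing page inside them cannot be fingerprinted unless the traffic is decrypted at an inspection point. The ClientHello below is constructed in code for the demonstration; it is not captured traffic, and the `example.com` name and cipher-suite values are sample choices.

```python
import struct

# ---- builder: constructs a minimal TLS 1.2-style ClientHello record (sample data) ----

def _ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension: type(2) + length(2) + payload."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name: str, alpn: list[str], cipher_suites: list[int]) -> bytes:
    """Return a complete TLS record carrying a ClientHello with SNI and ALPN extensions."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_ext = _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)          # type 0 = server_name
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = _ext(16, struct.pack("!H", len(alpn_list)) + alpn_list)        # type 16 = ALPN
    extensions = sni_ext + alpn_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeros in this constructed sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType 22


# ---- parser: what an inspection point sees before any decryption ----

def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites, SNI and ALPN from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                          # skip client random
    sid_len = body[pos]; pos += 1 + sid_len            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1 + cm_len              # skip compression methods
    info = {"version": version.hex(), "cipher_suites": suites, "sni": None, "alpn": []}
    if pos + 2 > len(body):
        return info                                    # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0 and len(data) >= 5:              # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 16 and len(data) >= 2:           # ALPN: list_len(2) then len(1)+proto entries
            p = 2
            while p < len(data):
                plen = data[p]; p += 1
                info["alpn"].append(data[p:p + plen].decode("ascii", "replace")); p += plen
    return info


def describe_record(record: bytes) -> dict:
    """Classify a TLS record and say whether its payload is readable without decryption."""
    kinds = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
    kind = kinds.get(record[0], "unknown") if record else "empty"
    # Only handshake messages (before encryption starts) expose readable metadata;
    # application-data records carry ciphertext, so the HTTP request/response inside is opaque.
    return {"type": kind, "plaintext_visible": kind == "handshake"}


# Constructed sample traffic: a ClientHello and one encrypted application-data record.
SAMPLE_HELLO = build_client_hello("example.com", ["h2", "http/1.1"], [0x1301, 0x1302, 0xC02F])
SAMPLE_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(16))   # 16 bytes standing in for ciphertext

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
    print(describe_record(SAMPLE_APP_DATA))
```

Handshake metadata like this is what flow-level tools can log; it is enough to spot a connection to an unexpected hostname, but not to know whether the encrypted payload is a document or a malware dropper. That judgement requires the decrypt-inspect-re-encrypt step the report recommends.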
Technology and retail sectors are increasingly targeted
Attacks on technology companies saw a staggering 23x increase and now account for more than half of the attacks being observed. The significant dependency of other industries on technology for just about every business function gives attackers a lot of attack surface to exploit. This has been exacerbated by the sudden need to support remote workers with everything from remote connectivity to teleconferencing, SaaS-based apps and public cloud workloads.
Tech companies are also attractive targets due to their role in the supply chain of other companies. A successful supply-chain attack can give attackers access to hundreds or even thousands of downstream victims, as seen in the cases of Kaseya, SolarWinds, and others.
The retail and wholesale sectors also had an extremely bad year, with more than an 8x increase in attack rates, rising from 3.5% of attacks in 2020 to 11% in 2021.
Malware was the top category of attacks in 2021, accounting for 91% of the cases. Malware is typically downloaded from an infected link, either in an email or on a website. While most organizations have some form of protection against malware, attackers are advancing their techniques, creating new malware variants that can bypass fingerprinting technologies. Organizations that don’t inspect their encrypted traffic won’t have visibility into malware—even well-known variants—until after it has entered their systems.
Phishing continues to be a top tactic, in which users are baited into clicking links in emails that lead to hidden malware. All email and file-sharing services are vulnerable to these attacks, but the popularity of Microsoft 365 made it by far the top target in 2021, with over 15 million attack attempts blocked by the Zscaler platform.
Attackers use encrypted channels not only to infiltrate systems, but also to exfiltrate data. The most commonly exfiltrated data types are Personally Identifiable Information (PII) such as tax identifiers and Social Security Numbers. Credit card and financial information is the next most popular target, followed by intellectual property and medical data.
Attackers are also increasingly using encrypted channels for human-driven attacks against the encrypted applications themselves. ThreatLabZ found that 70% of SSL-enabled applications are targeted by criminals. These web applications face credential attacks, with email apps being popular targets for credential stuffing with stolen logins.
Smartphones and tablets continue to be popular targets for attackers, who exploit them through fake applications. After initial infection, many of the new and prevalent mobile malware variants use SSL network communication for their command-and-control activities, including fetching payloads, receiving commands for malicious actions and exfiltrating data. Malware families like Hydra, Joker, and the newly discovered GriftHorse have been found leveraging SSL for their post-infection activities.
Zero trust can stop encrypted threats
What can be done to stem the tide of rising encrypted attacks? Zero trust strategies and architectures are the most effective means of protecting your organization from rapidly evolving cyberthreats. The Zscaler report offers several helpful suggestions:
- Inspect all encrypted traffic for every user as part of a holistic zero trust security strategy.
- Utilize AI-driven quarantine measures to detain suspicious payloads for analysis. This trumps older firewall-based approaches.
- Create a uniform security control strategy across all locations, users and devices.
- Operate under a zero-trust model to eliminate lateral movement, establish role-based access and limit your attack surface by making apps invisible to attackers.
The Zscaler report suggests a “multi-layered, defense-in-depth strategy that fully supports HTTPS inspection” to fully protect your enterprise from lurking encrypted threats. To achieve this, security controls that perform at scale and automate by default are becoming increasingly necessary to fend off attacks. Blind spots in encrypted traffic, however, undermine the very security controls that businesses depend on to protect themselves.
It is essential for organizations to inspect cloud SSL/TLS traffic to protect against threats utilizing encrypted traffic. But to do this at scale, you’ll need to orchestrate the TLS machine identities to make them readily available to the TLS inspection system for decryption. So, proper machine identity management is a must. Without proper visibility, many security solutions are useless against the increasing number of attacks hiding in encrypted traffic. For maximum protection, you must have full visibility into all of your machine identities and automate as much as possible.