A recent Zscaler study found that in 2022, more than 85% of attacks now use encrypted channels across various stages of the kill chain, up 20% from the previous year. By using forged or compromised keys and certificates, attackers can create malicious tunnels into your network where they hide while they conduct surveillance, install malware and ultimately exfiltrate valuable data. The same Zscaler study also found that nearly 90% of all cyberthreats that affect users and organizations come from malware that downloads a malicious payload via a link shared in an email or infected websites.
This type of attack is particularly nefarious because the tunnels that attackers use appear to contain everyday business communications unless they are inspected. In the Equifax breach, an expired certificate disabled TLS inspection devices and left the door open to encrypted tunnels created by attackers over several months. But let’s face it, even with fully functional security systems, how many organizations inspect 100% of their network traffic?
What are encrypted tunnels?
Tunneling is a method of transporting arbitrary networking data over an encrypted connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs and access intranet services across firewalls.
For example, when you connect to the internet with a VPN, it creates a connection between you and the internet that surrounds your internet data like a tunnel, encrypting the data packets your device sends. However, the tunnel can’t be considered private unless it’s accompanied with encryption strong enough to prevent attackers.
Another example is an SSH tunnel. SSH is used for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. This capability makes SSH a particularly desirable target for cybercriminals.
How are encrypted tunnels used
The relative vulnerability of encrypted tunnels depends on a variety of factors, such as the security of their protocols, their attributes and an organization’s overall awareness of how tunnels are being used. Below, I’ve outlined the types of encrypted tunnels that cybercriminals most often employ and how they may contribute to an attack.
1. Use IPsec Tunnels to Gain Initial Access
Organizations use Internet Protocol Security (IPsec) to create a VPN that secures internet communication across an IP network. Because IPsec tunnels are frequently used to set up a tunnel from a remote site into a central site, they are an ideal infiltration tool for cyber criminals. An IPsec/L2TP tunnel is most often used during the discovery and incursion attack phases. The tunnel is used to gain initial access to an organization, perform reconnaissance and establish a beachhead. This type of attack generally compromises only established VPN endpoints, because creating a new tunnel would require the attacker to penetrate perimeter layer defenses to gain access to the VPN administrative console—a much more technically complex task.
2. Pivot within Site-to-Site VPN Tunnels
Large organizations use a site-to-site VPN to connect their main location networks to multiple offices and business partners. Because they are the most flexible and adaptable option, they are a perfect tool for moving quickly from site to site within an extended network. Attackers use site-to-site tunnels after they have compromised the initial internal system as part of a pivot portion of an attack. These tunnels are ideal for the reconnaissance phase of the attack—when attackers are trying to gain access to other network segments or devices. Because of the impact to performance, site-to-site VPN tunnels are rarely inspected, which allows attackers to go undetected while using them.
3. Move Payloads through SSH Tunnels
The SSH, or Secure Shell, protocol is the most convenient way to administer remote servers and applications. SSH keys are increasingly sought after by attackers because they grant administrators privileged access to applications and systems. By authenticating each machine via stored servers and client keys, SSH allows them to securely connect to each other, bypassing the need for manually typed authentication credentials. That’s why SSH tunnels are an easy way for attackers to pivot across network segments and devices. They are also ideal for moving malicious payloads undetected between file servers and applications because attackers can transfer concealed malware in compromised SSH tunnels. Often, SSH tunnels are used to exfiltrate data from a file server because copying files is a routine, automated task used to transfer data between machines, and, since the data is encrypted, it’s thought to be safe.
4. Falsify Machine Identities in SSL and TLS Tunnels
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common forms of tunnels. SSL/TLS tunnels provide a secure session from any PC browser to an application server and are used to secure web-based transactions, such as banking or payments. Attackers create false identities and steal data from their victims, so they can use man-in-the-middle attacks to eavesdrop on encrypted traffic. Or they can use stolen keys to decrypt a session to steal data from victims.
5. Create Phishing Sites Using SSL and TLS Tunnels
Another very common attack is to set up phishing websites, either on the internet or on organizations’ intranets. Attackers use stolen or compromised certificates to establish an identity that the victims’ browsers will trust. The victims connect to the malicious site, establish encrypted sessions and, because they believe they are connected to a trusted machine, begin to send sensitive data to the attackers. Since HTTPS sessions are trusted and are rarely inspected by layered security technologies, these attacks often go undetected.
“Encryption offers the perfect cover for cyber criminals. Without the proper visibility, many security solutions are useless against the increasing number of attacks hiding in encrypted traffic,” notes Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The problem is that attackers lurking in encrypted traffic make quick responses even more difficult. This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs. This overconfidence makes it very clear that most security professionals don’t have the strategies necessary to protect against malicious encrypted traffic.”
How to protect encrypted tunnels
The most effective way to prevent attacks on encrypted tunnels is to orchestrate TLS/SSL inspection, which provides critical visibility into TLS data streams. To do this, you must have access to the private keys for the thousands of systems on which you are monitoring traffic. Supporting TLS inspection at this scale requires the ability to automatically and securely transfer and install private keys on TLS inspection devices. In addition to TLS inspection, you should consider monitoring the entitlements and usage of your SSH keys.
Any type of encrypted tunnel can be misused in a cyber attack. Virtual Private Networks (VPNs) are the most recognizable example of encrypted tunnels and are understood to be vulnerable, but many organizations do not realize that SSL/TLS and SSH tunnels are also susceptible. As a result, most organizations don’t provide adequate oversight for the full range of tunnels that travel into and out of their networks. Does yours?
(This post has been updated. It was originally published by Nick Hunter on August 15, 2017.)