Cryptography is a tool like any other. It can be used to help, and it can be used to harm. My kitchen knives can be used to cut food or as weapons. A campfire can burn a house down, but it can also protect outdoor adventurers from hypothermia. It’s all about how you use it.
Absolutely all of your data in transit should be encrypted, whether on the internet or within your internal networks. That’s fortunately accepted wisdom in the cybersecurity industry now. When properly implemented and managed, TLS can be one of the best ways to encrypt your data in transit. Even the most recent version, TLS 1.3, is well supported in web browsers and other types of client software these days. Unfortunately, cyber attackers know that too.
The malware of today
Malware is rapidly evolving and the threats that exist now are often quite different from ten years ago. Fileless malware, which only runs in the memory of its target, is on the rise. It takes more than just antivirus signatures to detect malware now. Network anomaly detection is frequently needed in order to detect malware. And more and more malware now is modular. The first few pieces of malicious code may simply forge a connection between the target and the cyber attackers’ command and control servers. Then the command and control servers can send modules to the target that can act as spyware, illicitly mine cryptocurrency, become ransomware, or do many other awful things. I first saw modular malware on Android devices, but now all major platforms are affected, including Windows, macOS and iOS.
With all of those different malware components being sent between command and control servers and infected machines, more and more data is sent through networks. That means more and more data that IDS, IPS, and antivirus software can examine in order to detect anomalies. So cyber attackers are getting smarter. They’re encrypting their data in transit in order to evade detection. According to findings from Sophos Labs, over the past six months 23% of the malware they’ve examined that makes network connections now uses TLS to encrypt its traffic.
From Sophos’ blog:
“To see what the current state of the art (of malware) is, we reviewed a representative sampling of malware analyses we’ve made over the past six months. The analyses included details about whether the malware connected to one or more machines on the internet. For simplicity’s sake, we consider that sample to be a “TLS user” for the purposes of this research when the sample communicated over port 443/TCP (the standard port used for TLS-encrypted HTTPS communications) during the analysis.
Out of all the malware that made some kind of network connection during their infection process, about 23% communicated over HTTPS, either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components.”
That’s alarming news. A lot of the network security systems that entities ranging from small businesses to large enterprises use will miss malware that uses TLS encryption.
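The Sophos methodology above counts a sample as a "TLS user" by destination port alone. As an added illustration (not code from this post or from Sophos), the script below builds a constructed TLS ClientHello, parses one back out to recover the SNI, and compares the port-443 heuristic with actually observing a handshake over a few constructed connection records; every hostname and sample id in it is made up.

```python
import struct

def build_client_hello(sni: str, legacy_version: int = 0x0303) -> bytes:
    """Minimal TLS ClientHello record with one cipher suite and an SNI extension (constructed data)."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type 0 = host_name
    body = struct.pack("!H", len(entry)) + entry                   # server_name_list
    ext = struct.pack("!HH", 0, len(body)) + body                  # extension type 0 = server_name
    hello = (struct.pack("!H", legacy_version) + bytes(32)         # legacy_version + 32-byte random
             + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"        # empty session_id, TLS_AES_128_GCM_SHA256
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)    # null compression, extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake (22)
def parse_client_hello(data: bytes):
    """Return {'legacy_version', 'sni'} if data starts with a TLS ClientHello record, else None."""
    try:
        rec_len, hs_len = struct.unpack("!H", data[3:5])[0], int.from_bytes(data[6:9], "big")
        if data[0] != 0x16 or data[5] != 0x01 or 5 + rec_len > len(data) or hs_len + 4 > rec_len:
            return None                                            # not a handshake record, or truncated
        version = struct.unpack("!H", data[9:11])[0]; p = 43       # skip legacy_version + random
        p += 1 + data[p]                                           # session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]             # cipher_suites
        p += 1 + data[p]                                           # compression_methods
        sni = None
        if p + 2 <= 9 + hs_len:                                    # extensions block is optional
            ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
            while p + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
                if etype == 0 and elen >= 5:                       # server_name: list_len, type, name_len, name
                    name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                    sni = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
                p += elen
        return {"legacy_version": version, "sni": sni}
    except (IndexError, struct.error):
        return None
def tls_users(flows):
    """Per sample: any flow on 443/TCP (the study's heuristic) vs. a TLS handshake actually observed."""
    out = {}
    for sample, port, payload in flows:
        s = out.setdefault(sample, {"port443": False, "handshake": False})
        s["port443"] |= port == 443
        s["handshake"] |= parse_client_hello(payload) is not None
    return out
HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FLOWS = [                                                   # constructed sandbox-style connection records
    ("sample-A", 443, build_client_hello("update.example.test")), # TLS on 443: both views agree
    ("sample-B", 8443, build_client_hello("cdn.example.test")),   # TLS off-port: port heuristic misses it
    ("sample-C", 443, HTTP),                                       # plaintext on 443: port heuristic overcounts
]
```

Running `tls_users(SAMPLE_FLOWS)` shows the two views disagreeing on sample-B and sample-C, which is why a sensor that keys on the handshake bytes (and, with TLSI, on the decrypted payload) catches more than one that keys on the port.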
What about TLSI?
What can organizations do to deal with this new danger? One useful measure could be implementing TLS inspection (TLSI) functionality. I explained how TLSI works here a few months ago:
“Typically, TLSI is conducted with proxy nodes. Forward proxies inspect TLS packets being sent from internal networks to external networks, usually the Internet. Internal proxies can inspect traffic within an internal network, such as a WAN or LAN. A proxy has its own machine identities and it can use them to decrypt TLS packets so that firewalls, intrusion detection systems, and intrusion prevention systems have cleartext they can examine. Proxies can then re-encrypt packets with the use of new certificates as needed in the flow of network traffic. When a TLS session has TLSI at some point, it becomes a ‘TLS chain’ of two independently negotiated TLS connections.”
It can be feasible for enterprise networks to implement TLSI, whether your networks are on premises, in the cloud, or both. In fact, enterprises can scale these efforts and radically increase the efficiency of TLSI by orchestrating the availability of TLS machine identities to inspection systems. But I don’t think it’s feasible for consumer LANs to implement TLSI themselves. Perhaps ISPs could help to provide TLSI to protect their customers from TLS-using malware while they’re accessing the internet from home.
TLS is an absolutely necessary tool to help protect your data from man-in-the-middle attacks, and to help protect your network traffic from being intercepted by cyber attackers. Unfortunately, TLS can also be a tool for the bad guys. We must be on our toes and keep two steps ahead of them.