In the most recent Zscaler report, “2020 State of Encrypted Attacks,” covering January to September of last year, it was revealed that SSL/TLS encryption is increasingly being leveraged by cybercriminals. ThreatLabZ, Zscaler’s research team, uncovered uncomfortable trends such as malware hiding in encrypted traffic, abuse of cloud storage, and a rise in mobile attacks. The report scrutinizes the attack chain and provides an analysis of browser exploits, ransomware and malware. At the end of the report, suggestions for preventing encrypted threats are put forth.
ThreatLabZ collects this data from enterprise traffic and the over 120 billion daily transactions crossing the Zscaler cloud platforms.
What last year taught us about encryption threats
Zscaler analyzed encrypted traffic across their cloud environment for the first nine months of 2020 to identify hidden encryption attack trends. Their findings are summarized below:
- 80% of all internet traffic is now encrypted
- 260% increase in SSL-based threats, driven in part by the surge in collaboration applications during Covid-19
- Healthcare is the #1 most targeted industry
- 30% of SSL-based attacks hide in cloud-based file-sharing services (AWS, Google Drive, OneDrive, Dropbox)
- A fivefold increase in encrypted ransomware attacks
Increasingly, a secure SSL/TLS posture is becoming standard practice for cybercriminals, just as it is for legitimate internet users. There are two main advantages for adversaries in using SSL encryption to mask their malicious actions:
- Malware can hide undetected inside an encrypted session or file.
- The malware itself can be encrypted to alter its “fingerprint” and pass by traditional, signature-based security controls undetected.
As the rate of encrypted SSL/TLS attacks rises exponentially, it is virtually impossible to catch all nefarious traffic passing over a corporate network. That is why it is important to transition away from traditional security models such as next-generation firewalls and adopt a more agile method of decrypting, inspecting and re-encrypting the data that passes over our networks. At this time, many enterprises are not equipped to do so, but there are solutions.
Encryption attack trends
- Healthcare sector targeted
SSL/TLS attacks have increased across all industries, but none so much as healthcare. This is due largely to the presence of legacy systems, still in use because of lengthy FDA approval times, which lack centralized visibility, policy enforcement and security controls, leaving them open to attack. Of the more than 1.69 billion encrypted attacks against the healthcare industry analyzed in this report, 84.2% utilized malicious URLs. Following these were IPS blocks (7.6%), botnet attacks (3.8%), phishing schemes (2.8%) and spyware/adware attacks (1.4%).
- More sophisticated threats
One factor contributing to the success of URL attacks is the sophistication cybercriminals employ in disguising their websites to look like real ones. They are increasingly using homograph attacks (replacing an “l” with a “1”, as in “gmai1.com”) and domain squatting, registering one of these fake but similar-looking domains to deliver malware and serve as a vehicle for attack. We also know that the use of SSL/TLS encryption among malicious sites is becoming almost ubiquitous, requiring continuous monitoring and automated security controls to keep up.
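The lookalike-domain patterns described above can be screened for on the defender's side. The following is an added example written for this article, not code from the Zscaler report: it folds visually confusable characters (including decoded punycode labels) into a skeleton, then flags homographs, one-character typosquats, TLD swaps and brand names buried in a subdomain. The confusable map, protected brand list and sample hostnames are constructed for illustration.

```python
# Added example (not the report's or the article's code): flag hostnames that
# imitate protected brands. Confusable map, brands and samples are constructed.
# Characters folded to the letter they imitate; multi-character entries run first.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "1": "l", "|": "l", "0": "o",
               "3": "e", "5": "s", "\u0430": "a", "\u0435": "e", "\u0456": "i",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u04cf": "l"}
PROTECTED = ("gmail.com", "microsoft.com", "apple.com")  # constructed list

def to_unicode(label):  # punycode (xn--) labels are decoded before folding
    try:
        return label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    except UnicodeError:
        return label  # malformed punycode: compare the raw label instead

def skeleton(label):
    s = label.lower()  # collapse a label to the ASCII string it visually resembles
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s

def levenshtein(a, b):  # edit distance; a distance of one is the classic typosquat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    """Return 'kind:brand' for a lookalike, None otherwise (assumes a two-label registrable domain)."""
    labels = [to_unicode(l) for l in hostname.lower().rstrip(".").split(".")]
    if len(labels) < 2 or ".".join(labels[-2:]) in PROTECTED:
        return None  # too short, or the genuine brand domain itself
    sld = labels[-2]
    for brand in PROTECTED:
        brand_sld = brand.split(".")[0]
        if brand_sld in labels[:-2]:
            return f"brand-as-subdomain:{brand}"
        if sld == brand_sld:
            return f"tld-swap:{brand}"
        if skeleton(sld) == skeleton(brand_sld):
            return f"homograph:{brand}"
        if levenshtein(sld, brand_sld) == 1:
            return f"typosquat:{brand}"
    return None

# Constructed hostnames, as a scan of TLS SNI or URL logs might surface them.
SAMPLES = ("gmai1.com", "rnicrosoft.com", "gmail.net", "gmal.com", "login.microsoft.com",
           "gma\u0456l.com".encode("idna").decode("ascii"), "microsoft.com.support-desk.example")
VERDICTS = {h: classify(h) for h in SAMPLES}
```

A real deployment would replace the toy confusable map with the Unicode confusables data and the two-label assumption with a public suffix list.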
- Cloud storage attacks
Attackers are leveraging the fact that enterprises don’t have the bandwidth to scan all encrypted traffic and therefore often “trust” all incoming traffic from major cloud service providers. The prevalence of wildcard certificates makes this all the more possible. One method of attack is to drop a downloader file full of malware into a cloud service and send out the URLs in a spam campaign. Because attackers are entering the trust chain at such a high level, their malicious URLs (“sent” from trusted cloud providers) defeat typical email security measures such as firewalls and anti-spam filters. Last year, 2 billion SSL threats originating from cloud service providers were blocked by Zscaler alone within a 6-month period.
- Mobile attacks
Mobile attacks are on the rise as cybercriminals impersonate apps, or even the app store, to create fake applications people will trust. By simply hitting “Accept” as so many of us carelessly do, users often allow permissions to be given to a sinister program which then can scan legitimate applications for credentials—such as your banking apps, email and two-factor authentication. It then exfiltrates this data and often implants itself further, installing additional malware and making itself difficult—or impossible—to revoke or uninstall.
Analyzing the attack chain
Several of the most prevalent methods of attack were marked and analyzed in Zscaler’s report: phishing, corporate phishing, browser exploits, ransomware and malware.
- Phishing
Over 193 million phishing attempts were caught by Zscaler alone between January and September 2020, with manufacturing being the hardest hit. This is due, in part, to the weakness of having different IT infrastructures at different facilities. Nearly 40% of all phishing attempts during that period were targeted towards manufacturing.
- Corporate phishing
Just as companies “trust” major cloud service providers, consumers trust large name brands, and cybercriminals take advantage of that trust. They will spin up fake websites, direct you to them via email scams and steal your credentials. “Tech support” ploys are popular, and the most phished brand, according to Zscaler, was Microsoft.
- Browser exploits
Attackers manipulate weaknesses in an OS to alter browser settings without the knowledge of the user. Over 658,000 browser attacks were blocked last year, with manufacturing and finance being the top two targets. As stated in the report, “[a]s in other industries, without unified controls and centralized visibility and policy enforcement, security is incomplete and cybercriminals continue to exploit these holes.”
- Ransomware
A new trend has emerged recently among ransomware attacks. Before encrypting the victim’s data, the ransomware now exfiltrates an unencrypted copy of it, holding the data itself hostage. The theory is that even if enterprises have sufficient backups to recover from the attack, a ransom will still be paid to keep the information confidential.
- Malware
Emotet and TrickBot were the two most prevalent malware families flagged by Zscaler last year, with over 2.6 billion malware attacks blocked worldwide. This is by far the most prevalent form of encrypted attack, and it has the added benefit of longevity: installed malware can lie dormant until it receives a command from its command-and-control infrastructure to exfiltrate data or execute further attacks, all while retaining continuous access to the user’s system.
Preventing encrypted threats
What can be done to stem the tide of rising encrypted attacks? The Zscaler report offers several helpful suggestions:
- Inspect all encrypted traffic for every user, as encrypted threats can lie undetected and pass through overwhelmed and incomplete security controls.
- Utilize AI-driven quarantine measures to detain suspicious payloads for analysis. This trumps older firewall-based approaches.
- Create a uniform security control strategy across all locations, users and devices.
- Operate under a zero-trust model to eliminate lateral movement, establish role-based access and limit your attack surface by making apps invisible to attackers.
In addition, security control measures that can perform at-scale and employ default automation are becoming increasingly necessary to fend off attack. Cybercriminals are taking advantage of every available threat vector and exploiting the weaknesses of legacy strategies that rely on manual processes, outdated firewalls and non-cloud native security solutions.
The Zscaler report suggests a “multilayered, defense-in-depth strategy that fully supports SSL inspection” to fully protect your enterprise from lurking encrypted threats. However, blind spots in encrypted traffic impact the security controls that businesses depend on to protect themselves.
It is essential for organizations to inspect cloud SSL/TLS traffic to protect against threats that utilize encrypted traffic. But to do this at scale, you’ll need to orchestrate the TLS machine identities so that they are readily available to the TLS inspection system for decryption. So, proper machine identity management is a must. Without proper visibility, many security solutions are useless against the increasing number of attacks hiding in encrypted traffic. For maximum protection, you must have full visibility into all of your machine identities and automate as much as possible.