Decrypt SSL traffic to detect hidden threats

The percentage of encrypted Internet traffic continues to grow creating a space where not only private information but also criminals can travel about undetected.

flashlight barn farmer
Credit: Don O'Brien

The percentage of encrypted Internet traffic continues to grow creating a space where not only private information but also criminals can travel about undetected. In the last five years, the advent of SSL traffic from major companies like Google, YouTube, and Twitter has spawned an expansive movement toward encrypting Internet traffic for enterprises as well. 

The risk in taking this security measure, though, is that while the exchange of information via the Internet is secured, bad guys can also linger unnoticed. Criminals, of course, know this and use it to their advantage, cloaking their attacks within Transport Layer Security (TLS) or Secure Sockets Layer (SSL) traffic.

Ryan Olson, director of threat intelligence unit 42, Palo Alto Networks said the concern for security professionals is that the security firewall can’t inspect the traffic. The bad guys know this, which leaves many companies trying to figure out what traffic to decrypt and how to go about decrypting.

Olson said, “The answer is not that simple. If a company decrypts everything, users are uncomfortable.” In order to secure the environment without compromising privacy, they need another layer, which means deciding from a policy perspective what they are going to encrypt and why.

“In some organizations, emails might be a threat vector, so a company might choose to decrypt that traffic, but the answer is going to differ for each company because they need to consider things from a cultural perspective as well.”

When traffic is encrypted, said Olson, it becomes this opaque glob of data. “Without being able to inspect, a criminal is hidden from those who are surveilling traffic as it would be from anyone else. You’re blind because you have no idea of what is contained inside.”

Because security teams can’t look inside the encrypted traffic, they don’t know whether it is data going out or coming in. In order to mitigate threats, security teams need to be able to see into the encrypted traffic.

Olson said, “An SSL connection occurs from browser to server. A signed certificate says ‘ok’, there’s an exchange of keys, and they encrypt all traffic from one end to the other.” The problem isn’t so much at either end, though, as it is right smack dab in the middle.

“Add a new certificate so that we can decrypt, which is only possible in a corporate environment,” said Olson. “For a security vendor to step into that traffic, they need to terminate traffic at two points. For example, a user browser reaches out to Google, a firewall captures the traffic and terminates the connection. We decrypt, inspect, re-encrypt, and then make a connection up to Google.”

In doing this, the company is still in control of the infrastructure they put in place. Olson said, “You can find a balance. Encrypt the traffic that doesn’t have a large impact on privacy. It’s a hot button topic, especially for enterprises because at the end of the day, it’s their network, their data, their computer. They are in a position to say they are allowed to surveil that data.” 

Finding the balance means gaining some visibility into their network by determining how much traffic is SSL encrypted and not able to be inspected. “Everybody should ask how much traffic they want encrypted about their network. Have a conversation with users and talk about the value of SSL encryption and how they can do it without compromising privacy," said Olson.

In a recent webinar from A10 & Infonetics Research: Putting a Stop To Hidden Threats in SSL Traffic, Kasey Cross, security evangelist, A10 Networks said, “Your organization could be infected right now and you may not even be aware of it.”

Some security professionals think that they can detect threats by decrypting traffic on their firewall, but Cross said, “You really need to take into account your entire ecosystem and the fact that all of those products need to look at SSL traffic. You need to come up with a way to provide that SSL visibility to all of these product.”

The entire security ecosystem from DDoS prevention to SIEM or data loss prevention tools needs to look at traffic, including that encrypted traffic, said Cross. The trick is finding the way to provide that visibility efficiently, said Cross, “Because you don’t want to decrypt the traffic at every point or you are going to suffer really bad performance.” 

Günter Ollmann, chief security officer, Vectra said, “The ability to inspect traffic is very helpful in being able to recognize loss and greatly reduce threats at the network level, but the security threats of SSL traffic are no different from any other major threats.”

While encryption does make it more difficult to detect or identify threats, Ollmann said, “If adequate logging is turned on, that logging will provide an evidence trail of the threats and activities that occurred during the attack. The SSL piece is again a metadata artifact, but the post attack investigation would focus on the logs themselves.”

Man-in-the-middle decryption offers an additional level of visibility, but Ollmann said, “Network monitoring and forensics is playing and will continue to play a larger part in identifying and mitigating these threats.”

While they can’t see the communication and they can’t see the data inside the transit, the other attributes about source information that security professionals can obtain, such as timing, frequency, and duration, can be used at a network level to detect threats. 

There are virtually no performance hits to encrypting traffic, said Ollmann, but there are many business benefits. 

“I think if I’m the CSO or the head of IT for an organization, I would be working on the assumption that at some point all of my traffic will be encrypted,” Ollmann said. 

Right now enterprises have three options for dealing with their hidden threats in SSL.  Block encrypted traffic all together, SSL termination using man-in-the-middle to inspect traffic, or the third, Ollman continued, is for the enterprise to install a number of software agents on the computer itself. 

Ollmann said, "Those technologies operating on the computer itself are seeing traffic before its being encrypted so that the encryption no longer matters.” The problem with this option is that in a malware attack, the first thing it does is turn those things off.

Placing emphasis on protecting end points in order to mitigate encryption threats is a problem, said Ollmann said, “Because all of those agents assume processing power and slow down machines. With BYOD there are so many devices and operating systems that the breadth of devices that need to be protected is growing at a faster rate than vendors have the ability to provide software that are capable of protecting.”

It’s a constant battle with a real live enemy on the other side. In order to build the best defense, Ollmann said, “They should look in their environment and assume they will no longer have visibility into the data layer of their network traffic.”

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.