Using TLS to Avoid Detection is On the Rise


Leave it to industrious cybercriminals to find new ways to exploit old tools. The latest nefarious strategy is using TLS (Transport Layer Security) to avoid detection.

New research from Sophos finds 46% of malware communicating with a remote system over the Internet is utilizing TLS encryption to conceal communications and evade detection. That is more than a 100% increase in TLS-based malware communications compared to 23% in 2020, according to Sophos telemetry analysis.

TLS (the encryption layer that HTTPS runs over) is a form of network traffic encryption whose use has grown in recent years, according to Dan Schiappa, Sophos Chief Product Officer. TLS has historically served as the underpinning for VPN technology. Because of its popularity and the privacy it provides, HTTPS now accounts for an estimated 98% of web page visits. Unsurprisingly, cyber criminals understand this and use it to their advantage, hiding in plain sight and evading detection while they drop malware and steal data.

“Now that TLS comprises so much of the Internet’s traffic, most companies don’t inspect it,” said Schiappa. “In the old days, if they were to use an encrypted tunnel, that would have been flagged. Now that it’s pretty much ubiquitous – it’s like looking for a needle in a pile of needles.”

This makes detecting malware attacks using this strategy just that much harder – and cyber criminals recognize that.

“Once a hacker gains access to a network they want to be as stealthy as possible,” said Schiappa. “Once they find a way in, they need to communicate with command and control. The gaping hole for businesses is when they don’t have network security capabilities to inspect that traffic and they are opening up a fast path for attackers to communicate.”

While a typical firewall has visibility into traffic, most companies lack the ability to inspect TLS traffic without hindering firewall performance, said Schiappa. Consequently, most organizations simply turn inspection off, leaving themselves wide open to problems and breaches.

Sophos Firewall and its XGS Series appliances can help provide visibility into TLS traffic and address inspection issues without impacting firewall performance.

“With XGS we have introduced an Xstream processor,” said Schiappa. “You get the capabilities of inspecting that traffic without impacting the firewall.”

Sophos Firewall includes native support for TLS 1.3 and provides a user interface that shows whether traffic has caused issues and how many users were affected. Admins can exclude problematic sites and applications without lowering the level of protection. With faster decrypt-and-inspect and fast-pass capabilities, the firewall lets admins identify the network flows that are critical to inspect versus those that can be skipped.
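Deciding which TLS flows to decrypt and which to fast-pass needs a first signal that is available before any decryption. The following is an added example, not Sophos code or anything from the article: it parses a constructed TLS ClientHello record, pulls out the SNI and advertised protocol versions, and flags the flows a defender would route to full inspection. The builder, the field choices and the flag names are assumptions made for illustration.

```python
import struct

def build_client_hello(sni=None, versions=(0x0304, 0x0303), legacy=0x0303):
    """Constructed sample traffic: a minimal TLS ClientHello record so the parser can run offline."""
    exts = b""
    if sni is not None:                                             # server_name extension (type 0)
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    if versions:                                                    # supported_versions extension (type 43)
        vs = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 0x002B, len(vs) + 1) + bytes([len(vs)]) + vs
    hello = struct.pack("!H", legacy) + b"\x11" * 32 + b"\x00"      # legacy_version, random, empty session_id
    hello += b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
    hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 0x16 = handshake

def parse_client_hello(record):
    """Read legacy_version, SNI and supported_versions from a ClientHello; nothing is decrypted."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    h = record[9:9 + int.from_bytes(record[6:9], "big")]
    info = {"legacy_version": struct.unpack("!H", h[0:2])[0], "sni": None, "supported_versions": []}
    pos = 2 + 32                                        # skip legacy_version and random
    pos += 1 + h[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", h[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + h[pos]                                   # compression_methods
    if pos + 2 > len(h):
        return info                                     # no extensions block at all
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0]
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", h[pos:pos + 4])
        data, pos = h[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:     # host_name entry of server_name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        elif etype == 0x002B and data:
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return info

def triage(info):  # metadata-only reasons to route a flow to full decrypt-and-inspect rather than fast-pass
    flags = []
    if info["sni"] is None:
        flags.append("no SNI")
    elif info["sni"].replace(".", "").isdigit():
        flags.append("IP-literal SNI")
    if not info["supported_versions"] and info["legacy_version"] < 0x0303:
        flags.append("pre-TLS1.2 client")
    return flags
```

A flow that returns no flags is not proven benign; it is simply one an admin may choose to fast-pass when decryption capacity is the constraint, while flagged flows are the ones worth the inspection cost.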

Copyright © 2021 IDG Communications, Inc.