
Spike in encrypted malware poses dual challenge for CISOs

Nov 16, 2021

Faced with a surge in malware hidden in encrypted traffic, CISOs are being tasked with managing technical solutions while also adhering to privacy considerations.


Without proper inspection, encrypted data can be a significant security threat as the volume of malware in encrypted traffic grows. Most organizations are unprepared to conduct proper traffic analysis to cope with the issue. That’s the takeaway from two sets of new research into the threat malware hidden in encrypted traffic poses to organizations.

While CISOs might be aware of the risk of malware, most of it, a whopping 91.5%, is arriving over encrypted connections, according to the latest WatchGuard Internet Security Report Q2 2021. What makes this statistic so alarming is that just 20% of organizations are equipped to monitor encrypted traffic—meaning 80% of organizations are potentially missing most malware by not decrypting traffic for security scans.

Specifically, WatchGuard found that just two malware variants, XML.JSLoader and AMSI.Disable.A, accounted for more than 90% of malware detections over secure web connections. Without an efficient method of traffic analysis, and the means to identify even this small number of variants, the threat level is high.

The sheer volume of malware delivered over encrypted traffic has also spiked. As with many problems it has supercharged, the pandemic drove a 314% increase over 2020 levels in malware hidden in encrypted traffic, according to Zscaler’s ThreatLabz: The State of Encrypted Attacks, 2021 report, which analyzed billions of threats delivered over encrypted channels in 2021.

Performance concerns and privacy considerations are the biggest reasons this malware is getting through. “Too frequently, inspection of encrypted traffic is not employed because of the performance hit. This is why so much malware enters organizations over port 443—no one is decrypting the packets to look for malware. We have to modernize our security architectures to address the performance requirements when decryption and deep packet inspection are required,” says Matt Stamper, CISO and executive advisor at EVOTEK, who is also president of the ISACA San Diego Chapter.

Stamper is in favor of conducting threat modeling to review the different inherent risks involving malware in encrypted traffic. He also believes that security architectures must take into account that most traffic can and should be encrypted.

Stamper points to the need to scale the security architecture to match the threat. “For CISOs, it’s incumbent on them to look at risk expansively and to understand where there may be organizational blind spots, areas where our current security architecture and security monitoring practices may leave the organization unwittingly exposed,” he says.

Stamper believes that part of the defensive play is extending zero-trust principles to not trusting encrypted traffic by default. “To provide or enhance assurance, encrypted traffic should be decrypted, inspected, and triaged and done so in a manner that doesn’t undermine system and network performance,” he says. However, legacy security architecture is ill-equipped to do this at scale. It’s why organizations wanting to weed it out are “working quickly to modernize security practices to catch up with adversarial tactics,” he adds.

Start by limiting user access to data

Stephen Green, lead security architect for Unisys’s APAC region, also points to the usefulness of applying zero-trust principles, in this case, to limit users’ access to only what is needed. “Then ensure that state of the art endpoint security is applied,” Green tells CSO.

This threat isn’t new. In fact, it is cheap, easy, and accessible to attackers. What makes this threat more dangerous now is that bad actors can turn to generic cloud-based URLs, such as through Amazon S3, reducing the effectiveness of common go-to security controls like URL filtering. “It’s a significant threat for organizations that don’t have a clear plan in place to deal with this vector at multiple layers,” says Green.

CISOs should also be clear about what needs to be protected before instituting any new technical fixes, according to Green, then adopt defense-in-depth principles to layer security controls around the asset to be protected. Threat modelling can then be applied to both design and test the controls. It’s an approach that moves outward toward the threat source and continues “to layer controls, eventually getting to ‘URL filtering’, ‘SSL/TLS interception and malware scanning’ used where applicable to inspect and screen traffic on the fly,” he says.

“Each control has its weakness. For example, SSL/TLS interception is prone to breaking websites, and sometimes exceptions are put in place. This is why defense in depth via overlapping controls is so important to mitigate risk,” Green adds.

Green’s advice to CISOs looking to reduce the threat level is to consider how vulnerable the organization is to this kind of attack. As a simple equation, “Risk = threat x vulnerability,” he says. To quantify the risk CISOs must also look at the probability of it happening and the impact if it does happen. “To assess impact, ask questions like: ‘How dependent on technology is the business to operate?’ Today, that dependency is typically high. ‘How interdependent are my different technology systems?’ – i.e., will one system being attacked cause a domino effect within the organization?”

Managing the privacy considerations

While technically possible, decrypting traffic opens other considerations, namely privacy. Here, Green says CISOs need to first seek legal advice about what is considered acceptable for decryption and review privacy principles based on the applicable countries of operation. “Implement procedures and standards spanning people and technology that align to the corporate policies, as well as to any legal and security requirements. Then regularly or continuously assure compliance with the relevant privacy laws,” he says.

On the privacy front, EVOTEK’s Stamper agrees that decrypting traffic can surface important privacy considerations. “Sensitive content will be visible as a result of the decryption process. That being said, there’s important context around how this would be handled and, importantly, where this would occur,” he notes.

Stamper suggests an approach that entails the CISO and the organization’s privacy officer reviewing the context and implications where encrypted traffic is indeed decrypted and inspected for security and other purposes (such as data loss prevention).

“Ideally, the triage of this traffic should occur with advanced security applications managed by a small number of well-vetted employees such that there is a ‘machine’ review of the traffic to review for malware and other issues with limited human intervention,” Stamper says.


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
