
Encrypted traffic security analysis a top priority for 2016, says Dell Security

Decryption and inspection strategies are necessities, with nearly 65% of all internet traffic encrypted, says the latest threat report from Dell Security

Acquiring the capability to analyse encrypted traffic should be a top priority for businesses in 2016, according to Dell Security.

The company’s latest annual threat report reveals that a continued surge in SSL/TLS encryption is giving cyber criminals more opportunities to conceal malware from firewalls.

The report is based on data collected in 2015 from the Dell SonicWALL Global Response Intelligence Defense (Grid) network and feeds from more than one million firewalls and tens of millions of connected endpoints, Dell SonicWALL network traffic and other industry sources.

Decryption and inspection strategies are a clear necessity, said the report, with nearly 65% of all internet traffic encrypted – leading to under-the-radar hacks affecting hundreds of millions of users in 2015.

The report said skilled attackers can use SSL or TLS encryption to cipher command and control communications and malicious code, evading intrusion prevention systems (IPS) and antimalware inspection systems.

This tactic was used in a crafty malvertising campaign in August 2015 to expose as many as 900 million Yahoo users to malware by redirecting them to a site that was infected by the Angler exploit kit.

“Many organisations are blind to encrypted traffic, and if they are unable to analyse 65% of traffic, that means the risk is effectively 65% greater,” said Florian Malecki, international product marketing director, network security at Dell Security. 

“We are seeing an increase in attacks hidden in encrypted traffic, so it is vital that companies have the capability to look into that traffic at the company gateway,” he told Computer Weekly.


Deep packet inspection

More websites and services are encrypting traffic, which means that, while security is being increased on the one hand, on the other cyber attackers are exploiting the fact that many organisations have firewalls that are blind to encrypted traffic, said Malecki.

According to Dell Security data, there was a sharp rise in the use of encrypted internet traffic throughout 2015, with an average increase of 53% each month over the corresponding month in 2014.

However, according to Dell Security, organisations can enjoy the security benefits of encryption without providing a tunnel for attackers by upgrading a next-generation firewall with integrated SSL deep packet inspection to inspect clear text traffic as well as encrypted traffic.
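The firewall blind spot described above, as an added example that is not from the Dell report or SonicWALL's own code: a small Python parser for a TLS ClientHello showing the metadata (protocol version, server name, offered cipher suites) a gateway can read without decrypting, while everything after the handshake stays opaque unless the gateway performs SSL deep packet inspection. The sample ClientHello is constructed inline; `updates.example.com` is a placeholder name.

```python
import struct

# Added example: the only fields a non-decrypting gateway can read from an
# encrypted session are in the cleartext handshake. Payload after it is opaque.
SERVER_NAME_EXT = 0x0000


def parse_client_hello(rec: bytes) -> dict:
    """Return version, SNI and cipher suites from one TLS record holding a ClientHello."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", rec[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    client_version = struct.unpack("!H", hs[4:6])[0]
    pos = 6 + 32                          # skip the 32-byte client random
    pos += 1 + hs[pos]                    # skip session id (1-byte length + body)
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                    # skip compression methods
    sni = None
    if pos + 2 <= len(hs):                # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SERVER_NAME_EXT:  # list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": client_version, "sni": sni, "cipher_suites": suites}


def build_client_hello(sni: str, suites: list) -> bytes:
    """Constructed sample TLS 1.2 ClientHello carrying an SNI extension."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni_body)) + sni_body
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("updates.example.com", [0xC02F, 0x009C])))
```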

“Taking this approach enables organisations to tap into antivirus, antispyware, intrusion detection and intrusion prevention, and content filtering at the gateway,” said Malecki.

This challenge is likely to increase in the coming year, he said, because the volume of encrypted traffic is ever-increasing, with 99% of traffic likely to be encrypted in the next five years.

“Small, medium and large organisations alike really need to ensure they have the capability to analyse encrypted traffic,” he said.

The rise of Android malware

According to the report, the marked increase in the number of malware attacks, the continued rise of Android malware, and the evolution of exploit kits to stay one step ahead of security systems that were observed in 2015 are also likely to continue in 2016.

Malware attacks nearly doubled to 8.19 billion in 2015, with apps for the Android mobile operating system being a prime target, putting a large proportion of smartphones at risk globally, the report said.

In 2015, Dell SonicWALL saw a range of new offensive and defensive techniques that attempted to increase the strength of attacks against the Android ecosystem.


The popularity of Android-specific ransomware accelerated throughout 2015; a new Android malware emerged that stored its malicious contents in a Unix library file rather than in the classes.dex file that security systems typically scan; and the financial sector continued to be a prime target for Android malware, with a number of malicious threats targeting banking apps on infected devices, the report said.

“Even though the release of the Android 6.0 (Marshmallow) operating system in October 2015 included a slew of new security features, we can expect cyber criminals to continue finding ways to circumvent these defences,” said Patrick Sweeney, vice-president of product management and marketing at Dell Security.

“Android users should exercise caution by only installing applications from trusted app stores like Google Play, keeping their eye on the permissions being requested by apps, and avoid rooting their phones,” he said.

Securing corporate mobile devices

Malecki said the threat of mobile malware is limited to the mobile workforce, with a growing number of office workers using their mobile devices to access corporate IT systems.

“The challenge facing all organisations is how to secure the corporate side of a personal device without compromising the personal side of the device, and at the same time preventing malware from the personal side infecting corporate systems,” he said.


In general, the report said malware attempts continued a strong upsurge throughout 2015, causing damage to government agencies, organisations, companies and even individuals.

Dell SonicWALL noticed a sharp rise in both the number and type of malware attacks, with 64 million unique malware samples, compared with 37 million in 2014, representing an increase of 73%, indicating attackers are putting more effort each year into infiltrating organisational systems with malicious code.

The combination of Dyre Wolf and Parite topped network traffic through 2015, while other long-lasting malware included TongJi, a JavaScript widely used by multiple drive-by campaigns in which malware downloads silently and automatically when a user visits an infected website; Virut, a general cybercrime botnet active since at least 2006; and the resurgence of Conficker, a well-known computer worm targeting the Microsoft Windows operating system since 2008.

“The threat vectors for malware distribution are almost unlimited, ranging from classic tactics like email spam to newer technologies including wearable cameras, electric cars, and internet of things (IoT) devices,” said Sweeney.

“In today’s connected world, it’s vital to maintain 360 degrees of vigilance, from your own software and systems, to your employees’ training and access, to everyone who comes in contact with your network and data,” he said.

Tactics to conceal exploit kits

According to the report, exploit kits evolved with alarming speed, heightened stealth and novel shape-shifting abilities.

In 2015, Dell SonicWALL noted a rise in the use of exploit kits, with the most active ones being Angler, Nuclear, Magnitude and Rig.

The overwhelming number of exploit kit options gave attackers a steady stream of opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight, the report said.

The report shows that cyber criminals used a number of new tactics to better conceal exploit kits from security systems, including the use of anti-forensic mechanisms; URL pattern changes; and steganography to conceal a file, message, image, or video within another file, message, image, or video.

“Exploit kit behavior continued to be dynamic throughout the year,” said Sweeney, with Spartan effectively hiding from security systems by encrypting its initial code and generating its exploitative code in memory rather than writing to disk.

“Exploit kits only have power when companies do not update their software and systems, so the best way to defeat them is to follow security best practices, including keeping up with updates and patches; employing up-to-date, host-based security solutions including next-generation firewalls and intrusion prevention services (IPS),” he said.

The report further predicts that the number of zero-day Adobe Flash viruses will drop gradually because major browser vendors no longer support Adobe Flash, that malicious threats will target Android Pay through the vulnerabilities of Near Field Communication (NFC) using malicious Android apps and point-of-sale (POS) terminals, and that malicious entities will target cars equipped with Android Auto, possibly using ransomware where victims must pay to exit the vehicle, for example.
