WavebreakmediaMicro - Fotolia
Malware in nearly half of cyber attacks in the past 12 months has been sneaked into organisations under the cover of encryption, a study has revealed.
The demand for data privacy in the post-Snowden era is driving the use of encryption, but that has security and other implications for business.
Just as organisations are increasingly using encryption to keep their network data confidential, so cyber criminals are using the technology to mask their activities.
The hidden threat in encrypted traffic exists because SSL (secure socket layer) encryption hides everything, including malware, from most security tools, according to the study by A10 Networks and the Ponemon Institute.
This means the encryption technology that is crucial to protecting sensitive data in transit, such as web transactions, emails and mobile apps, can also allow malware hiding inside that encrypted traffic to pass uninspected through an organisation’s security framework.
Encryption is also being used by cyber attackers to send information out of targeted organisations, largely undetected.
“The Hidden Threats in Encrypted Traffic study sheds light on important facts about the malicious threats lurking in today’s corporate networks,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
“Our goal is to help organisations better understand the risks to help them better address vulnerabilities in their networks,” he said.
The report is based on a survey of more than 1,000 IT and IT security practitioners in the US, Canada, Europe, Middle East and Africa who are involved in preventing or detecting web-based attacks.
Evasion via encryption
While 80% of respondents said their organisations had been hit by a cyber attack in the past year, nearly half said their attackers had used encryption to evade detection.
The trend is expected to grow in parallel with the greater legitimate use of encryption. Inbound encrypted traffic is expected to rise from 39% to 45% next year, and outbound encrypted traffic from 33% to 41%.
When asked about malware hiding outbound data within encrypted traffic, 74% said this was highly likely but only 16% thought their organisation could identify and mitigate SSL-encrypted malware attack before data exfiltration.
When asked if traffic from an SSL-secured malware server could be spotted by their intrusion prevention system (IPS), 79% of respondents said it is highly likely this could occur in their organisation; only 17% thought their organisation has the ability to mitigate such an attack.
When asked if an attacker could mask outbound communications or stolen data from a command and control server, two-thirds said it is highly possible. Only 26% thought their organisation could spot such behaviour and prevent data loss.
Read more about encryption
- Seven more security suppliers join Blue Coat encrypted traffic management programme amid fresh warnings of attackers using encryption to hide malicious activity.
- The Wikimedia Foundation calls on all sites to join its move to encrypt all connections by default.
- Encryption provides an additional layer of protection to hide cyber attackers’ traffic, resulting in a preference for https.
- A US government https-only standard directive requires all federal websites accessible to the public to encrypt all data exchanges.
Strategic way forward
“IT decision-makers need to think more strategically,” said Chase Cunningham, director of cyber operations at A10 Networks. “Instead of focusing on doing everything right 100%, IT leaders can be more effective by doing a few things very strategically with the best technology available.”
Some 75% of respondents said their networks are at risk from malware hidden inside encrypted traffic, and roughly two-thirds admitted that their company is unprepared to detect malicious SSL traffic, leaving them vulnerable to costly data breaches and the loss of intellectual property.
The main reasons cited for not inspecting decrypted web traffic were a lack of enabling security tools (47%), insufficient skills and resources (45%), and degradation of network performance (45%).
To address the problem, A10 Networks has developed an SSL inspection tool (Thunder SSLi) designed to have minimal impact on network performance.
“It is also designed to complement and work with common existing tools to enable them to inspect traffic in the clear,” said Duncan Hughes, systems engineering director EMEA for A10 Networks.
“While there is always going to be some performance impact, SSLi minimises that impact significantly to make it practical to deploy and easy to manage,” he told Computer Weekly.