Many adversaries to enterprise cybersecurity use sophisticated encryption tactics to bypass defences and infiltrate networks. Enterprises are trying to fight back by employing HTTPS and using SSH, as well as other advanced protocols that can also serve as channels for data exfiltration. SSH, for example, is often used for remote management access because it performs well. But when nearly 70 percent of all enterprise traffic is encrypted, understanding what is hiding inside that traffic is imperative. So, what can you do to inspect that traffic?
The first step is to build an enterprise threat model so that you can easily look at and assess a threat, then outline the techniques your adversaries are going to use. For example, the MITRE Corporation developed one that it calls the ATT&CK matrix; as you go through the matrix, it outlines the techniques used for exfiltration of data and for the command and control that remote adversaries use to direct malware. When you look at this and then look across at your own network, you may see that you have a firewall, an IDS and advanced threat protection, which are all good to have. However, if 60-70% of the traffic you get is encrypted, what use are these security measures at monitoring it? Enterprises need a plan in place to monitor encrypted traffic as well.
The next step involves utilising an advanced data exfiltration protocol, such as SSH. SSH is great and is often used for remote management access because it performs so well. RDP, the Remote Desktop Protocol, is another protocol that many enterprises use to great effect, so in order to figure out what is best for your enterprise it is important to consider the enterprise threat model discussed above. How does your model aim to inspect traffic, and which software are you using? Some products only allow you to focus on one protocol at a time, while others can inspect everything from SSH to RDP to HTTPS. Which software your enterprise is using will affect what steps you need to take to monitor encrypted traffic.
If you have followed everything so far, then you should be using an IPS, IDS and ATP, and using something akin to the MITRE ATT&CK template to evaluate your cybersecurity. That may seem like a lot, but as any cybersecurity expert will tell you: ‘there is no such thing as too much protection.’ So what types of issues might you still need to account for?
Well, let us assume you have a next-generation firewall and you are performing decryption, and then suddenly you hit a performance bottleneck. This bottleneck would likely be caused by advanced threat protection detecting problems that are different from what your next-generation firewall is going to detect, which in turn differ from what your IDS detects, and so on. All these products detecting different problems at the same time will likely incur latency, because each inspection pass happens on the same traffic at once. However, there are single devices that can perform all of these tasks alone, which helps improve performance and reduces the chance of a bottleneck, so that your users are less likely even to be aware that you are performing this inspection.
You may also have the issue of negligence or ignorance among your IT staff. Last year a report from the Ponemon Institute found that 37% of enterprises hand over their encryption duties to their cloud providers, taking an off-hand approach and relying on someone else to do such an important job for them. Separately, a survey by Venafi found that 23 percent of respondents had no idea how much of their encrypted traffic is decrypted and inspected. By passing off responsibility to an outside business and not properly tracking encryption within the business, many enterprises are opening themselves up to outside threats, even if they have the latest technology.
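As an added illustration, not code from the article, the following Python script answers the question the Venafi respondents could not: from a set of connection records it computes what share of traffic is encrypted, how much of that encrypted traffic the inspection path actually decrypted, and where the remaining blind spots are per protocol. The records, the port-to-protocol map and the `inspected` flag (set by whatever TLS proxy or SSH gateway sits in the path) are constructed assumptions.

```python
from collections import Counter

# Constructed sample connection records (hypothetical, not from the article).
# "inspected" means the decryption device saw the cleartext payload of that flow.
SAMPLE_FLOWS = [
    {"dst_port": 443,  "bytes": 100_000, "inspected": True},   # HTTPS via the TLS proxy
    {"dst_port": 443,  "bytes": 50_000,  "inspected": False},  # HTTPS that bypassed it
    {"dst_port": 22,   "bytes": 40_000,  "inspected": False},  # SSH, no gateway in path
    {"dst_port": 3389, "bytes": 20_000,  "inspected": True},   # RDP through the gateway
    {"dst_port": 80,   "bytes": 60_000,  "inspected": False},  # cleartext HTTP
    {"dst_port": 53,   "bytes": 30_000,  "inspected": False},  # cleartext DNS
]

# Encrypted protocols the article names, keyed by their conventional port (assumption:
# port identifies the protocol; a real deployment would use the sensor's protocol field).
ENCRYPTED_PORTS = {443: "HTTPS", 22: "SSH", 3389: "RDP"}


def summarize(flows):
    """Return encrypted share, inspected share of encrypted bytes, and per-protocol blind spots."""
    total = 0
    encrypted = Counter()   # bytes per encrypted protocol
    inspected = Counter()   # bytes per encrypted protocol that were decrypted and inspected
    for flow in flows:
        total += flow["bytes"]
        proto = ENCRYPTED_PORTS.get(flow["dst_port"])
        if proto is None:
            continue              # cleartext: visible to the IDS/ATP without decryption
        encrypted[proto] += flow["bytes"]
        if flow["inspected"]:
            inspected[proto] += flow["bytes"]
    enc_total = sum(encrypted.values())
    return {
        "encrypted_share": enc_total / total if total else 0.0,
        "inspected_share_of_encrypted": sum(inspected.values()) / enc_total if enc_total else 0.0,
        # bytes per protocol that were encrypted but never decrypted: the monitoring gap
        "blind_spots": {p: encrypted[p] - inspected[p] for p in encrypted if encrypted[p] > inspected[p]},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(f"encrypted share of traffic: {report['encrypted_share']:.0%}")
    print(f"encrypted traffic actually inspected: {report['inspected_share_of_encrypted']:.0%}")
    for proto, gap in report["blind_spots"].items():
        print(f"  blind spot: {gap} bytes of {proto} never decrypted")
```

On the constructed records 70% of bytes are encrypted, but only about 57% of those encrypted bytes were inspected, with the uninspected HTTPS and SSH bytes listed as the gaps to close.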
To conclude, with at least 70 percent of all traffic encrypted, it is important that enterprises are aware of everything hiding within this traffic, or they risk cyber threats sneaking through. Achieving this requires a good cyber threat model as well as utilising an advanced data exfiltration protocol, like SSH. Once the model is in place, it is imperative that you have technology that can manage it all without running into a performance bottleneck. Finally, it is key that all of the staff in your IT department are fully aware of exactly what is encrypted and monitor it closely and as frequently as possible. With all of this in place, your enterprise should be fully prepared to keep your business safe from threats hiding within encrypted traffic.