The NSA recently issued an advisory to enterprises that adopt ‘break and inspect’ technologies to gain visibility over encrypted traffic, warning them of the potential risks of such an approach. Decrypting and re-encrypting traffic through a proxy device, a firewall, or an intrusion detection or prevention system (IDS/IPS) that does not properly validate transport layer security (TLS) certificates, for instance, weakens the end-to-end protection that TLS encryption provides to end users, drastically increasing the likelihood that threat actors will target them with man-in-the-middle (MitM) attacks, Bleeping Computer reported.
“This is why companies like Corelight invest into features like SSH Inference to inform defenders while protecting privacy,” explained Richard Bejtlich, principal security strategist at Corelight. “Our new sensor feature profiles Secure Shell traffic to identify account access, file transfers, keystroke typing, and other activities, all while preserving default encryption and without modifying any endpoint software. I believe security teams will have to increasingly incorporate these sorts of solutions, rather than downgrading or breaking encrypted traffic,” he continued.
Corelight, in fact, has just recently unveiled the new capabilities of its network traffic analysis (NTA) solutions for cybersecurity, the Corelight Encrypted Traffic Collection (ETC). ETC will empower threat hunters and security analysts with rich and actionable insights for encrypted traffic, without the need to ‘break and inspect’.
Effectively able to read the network’s ‘body language,’ the tool will single out the behaviour of malicious activity even when decryption is not an option. Rather than simply detecting threats, the data that ETC can provide will allow enterprises to make critical, informed security decisions.
Capabilities
Availing itself of both Corelight’s Research Team packages and the curated packages from the open-source Zeek community, ETC will provide:
● SSH client brute force detection – supports threat hunting for Access techniques by revealing when a client makes excessive authentication attempts.
● SSH authentication bypass detection – reveals when a client and server switch to a non-SSH protocol, a tactic used in Access attempts.
● SSH client keystroke detection – reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of Command and Control activity.
● SSH client file activity detection – reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either Staging or Exfiltration activity.
● SSH scan detection – accelerates threat hunting for Access techniques by inferring scanning activity based on how often a single service is scanned.
● SSL certificate monitoring – extends Zeek’s existing certificate monitoring capabilities to help defenders limit attack surface, find vulnerabilities, and enforce internal policy.
● Encryption detection – accelerates threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom / pre-negotiated sessions.
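As an added illustration that is not Corelight’s or Zeek’s own code, the Python below re-implements two of the heuristics listed above over constructed sample data: the encryption check on commonly encrypted ports (does the first payload look like an SSH identification string or a TLS handshake record?) and the per-client count of SSH authentication attempts. The port sets, the brute-force threshold and the sample records are assumptions; the auth_attempts and id.orig_h field names follow Zeek’s ssh.log.

```python
# Added illustration (not Corelight's or Zeek's own code): two ETC-style
# heuristics run over constructed sample data.
from collections import Counter

SSH_PORTS = {22}
TLS_PORTS = {443, 993, 995}        # assumption: ports treated as "commonly encrypted"

def looks_encrypted(resp_port: int, first_bytes: bytes) -> bool:
    """Does the first client payload on a commonly encrypted port start like the
    expected handshake? SSH opens with an identification string (RFC 4253);
    TLS opens with a handshake record: type 0x16, version 0x03 0x00..0x04."""
    if resp_port in SSH_PORTS:
        return first_bytes.startswith(b"SSH-")
    if resp_port in TLS_PORTS:
        return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
                and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)
    return True                     # port not profiled: no finding

def find_cleartext_on_encrypted_ports(flows):
    """Return uids of flows whose first bytes do not match the expected protocol."""
    return [f["uid"] for f in flows if not looks_encrypted(f["resp_p"], f["payload"])]

def ssh_brute_force_clients(ssh_records, threshold=20):
    """Sum auth_attempts (field name as in Zeek's ssh.log) per client address and
    flag clients at or above the threshold (the threshold value is an assumption)."""
    attempts = Counter()
    for rec in ssh_records:
        attempts[rec["id.orig_h"]] += rec.get("auth_attempts", 0)
    return sorted(host for host, n in attempts.items() if n >= threshold)

# Constructed sample data: first client payload of four flows.
FLOWS = [
    {"uid": "C1", "resp_p": 22,  "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"uid": "C2", "resp_p": 443, "payload": bytes.fromhex("16030100f401")},
    {"uid": "C3", "resp_p": 443, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"uid": "C4", "resp_p": 22,  "payload": b"HELO mail.example.test\r\n"},
]
# Constructed ssh.log-style records: one client spreads 24 attempts over three sessions.
SSH_LOG = [
    {"uid": "S1", "id.orig_h": "10.0.0.5", "auth_attempts": 2, "auth_success": True},
    {"uid": "S2", "id.orig_h": "10.0.0.9", "auth_attempts": 8, "auth_success": False},
    {"uid": "S3", "id.orig_h": "10.0.0.9", "auth_attempts": 9, "auth_success": False},
    {"uid": "S4", "id.orig_h": "10.0.0.9", "auth_attempts": 7, "auth_success": False},
]

if __name__ == "__main__":
    print("cleartext on encrypted ports:", find_cleartext_on_encrypted_ports(FLOWS))
    print("possible SSH brute force from:", ssh_brute_force_clients(SSH_LOG))
```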
For more technical information, you can read Corelight’s blog detailing the new capabilities.