Perimeter

2/14/2018
10:55 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.
Previous
1 of 8
Next

Image Source: Adobe Stock (tippapatt)

Image Source: Adobe Stock (tippapatt)

Traditional perimeter defenses are having a hard enough time keeping up with the dynamic nature of cloud and mobile connections with corporate assets. Attackers are further working to diminish the efficacy of defenses like firewalls, IPS devices, and UTM appliances with their own bag of tricks.

One of the top-growing techniques today is the use of SSL encryption to hide malicious traffic in plain sight. SSL attacks aren't new, but according to recent figures they continue on an upward trajectory of prevalence as the bad guys find them extremely useful to get around perimeter protections. 

Here's a look at this trend.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/13/2018 | 9:19:19 AM
Re: Encrypt All - See Nothing
This has been on the minds of InfoSec hackers for a few years now. Using packet lengths and times in behavioral analysis and fingerprinting the application with TLS metadata are two methods that can be successful as long as the software doing the traffic monitoring is sophisticated.

In "Identifying Encrypted Malware traffic with Contextual Flow Data" (Blake Anderson, David McGrew) for instance, the authors wrote a custom libcap-based tool to capture data features from live traffic. Some characteristics they identified as being attached to malware within the encrypted traffic included larger numbers of characters in the domain, much larger numbers of IPs per DNS request, and of course each we not found on Alexa top-N lists.

Not all features were as easily defined between traffic containing malware and not, but this paper and others since are a good sign all is not lost through the shift to HTTPs.
vuacauca
50%
50%
vuacauca,
User Rank: Apprentice
7/13/2018 | 5:55:30 AM
Due to comment spam on our site
This site has commenting guidelines and comments are reviewed by moderators before they are fully published to the web site.
hienly2017
50%
50%
hienly2017,
User Rank: Apprentice
2/26/2018 | 1:47:39 PM
Dog vs. Dodge
Should "Dodge" be used instead of "Dog" in the title of this article?
Michael Lines
50%
50%
Michael Lines,
User Rank: Author
2/15/2018 | 2:59:22 PM
Encrypt All - See Nothing
Encryption is both a blessing and a curse for security, and the increase use of encrypted channels by malware highlights the downsides. As more and more of the internal and external IP traffic shifts to encrypted 443, the ability of traditional IDS/IPS and other related tools to see the traffic and spot malicious payloads is erased. With the drive by Google and others to drive all websites to HTTPS by marking HTTP websites as unsafe, before long encrypted traffic will be the expected norm. 

With this evolution, the ability to look at where traffic is going, rather than what it contains will increasiningly be used as a means to spot malicous traffic. Whether it is connections to known C&C systems or outbound connections to foreign countries at 2am when the company has no business connections there, security tools that leverage DNS as part of behavioural traffic analysis are the next wave in the fight against those who want to infiltrate and compromize corporate systems. 
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.