Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/14/2018
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.
Previous
1 of 8
Next

Image Source: Adobe Stock (tippapatt)

Image Source: Adobe Stock (tippapatt)

Traditional perimeter defenses are having a hard enough time keeping up with the dynamic nature of cloud and mobile connections with corporate assets. Attackers are further working to diminish the efficacy of defenses like firewalls, IPS devices, and UTM appliances with their own bag of tricks.

One of the top-growing techniques today is the use of SSL encryption to hide malicious traffic in plain sight. SSL attacks aren't new, but according to recent figures they continue on an upward trajectory of prevalence as the bad guys find them extremely useful to get around perimeter protections. 

Here's a look at this trend.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/13/2018 | 9:19:19 AM
Re: Encrypt All - See Nothing
This has been on the minds of InfoSec hackers for a few years now. Using packet lengths and times in behavioral analysis and fingerprinting the application with TLS metadata are two methods that can be successful as long as the software doing the traffic monitoring is sophisticated.

In "Identifying Encrypted Malware traffic with Contextual Flow Data" (Blake Anderson, David McGrew) for instance, the authors wrote a custom libcap-based tool to capture data features from live traffic. Some characteristics they identified as being attached to malware within the encrypted traffic included larger numbers of characters in the domain, much larger numbers of IPs per DNS request, and of course each we not found on Alexa top-N lists.

Not all features were as easily defined between traffic containing malware and not, but this paper and others since are a good sign all is not lost through the shift to HTTPs.
vuacauca
50%
50%
vuacauca,
User Rank: Apprentice
7/13/2018 | 5:55:30 AM
Due to comment spam on our site
This site has commenting guidelines and comments are reviewed by moderators before they are fully published to the web site.
hienly2017
50%
50%
hienly2017,
User Rank: Apprentice
2/26/2018 | 1:47:39 PM
Dog vs. Dodge
Should "Dodge" be used instead of "Dog" in the title of this article?
Michael Lines
50%
50%
Michael Lines,
User Rank: Author
2/15/2018 | 2:59:22 PM
Encrypt All - See Nothing
Encryption is both a blessing and a curse for security, and the increase use of encrypted channels by malware highlights the downsides. As more and more of the internal and external IP traffic shifts to encrypted 443, the ability of traditional IDS/IPS and other related tools to see the traffic and spot malicious payloads is erased. With the drive by Google and others to drive all websites to HTTPS by marking HTTP websites as unsafe, before long encrypted traffic will be the expected norm. 

With this evolution, the ability to look at where traffic is going, rather than what it contains will increasiningly be used as a means to spot malicous traffic. Whether it is connections to known C&C systems or outbound connections to foreign countries at 2am when the company has no business connections there, security tools that leverage DNS as part of behavioural traffic analysis are the next wave in the fight against those who want to infiltrate and compromize corporate systems. 
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.