Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/14/2018
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.
Previous
1 of 8
Next

Image Source: Adobe Stock (tippapatt)

Image Source: Adobe Stock (tippapatt)

Traditional perimeter defenses are having a hard enough time keeping up with the dynamic nature of cloud and mobile connections with corporate assets. Attackers are further working to diminish the efficacy of defenses like firewalls, IPS devices, and UTM appliances with their own bag of tricks.

One of the top-growing techniques today is the use of SSL encryption to hide malicious traffic in plain sight. SSL attacks aren't new, but according to recent figures they continue on an upward trajectory of prevalence as the bad guys find them extremely useful to get around perimeter protections. 

Here's a look at this trend.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/13/2018 | 9:19:19 AM
Re: Encrypt All - See Nothing
This has been on the minds of InfoSec hackers for a few years now. Using packet lengths and times in behavioral analysis and fingerprinting the application with TLS metadata are two methods that can be successful as long as the software doing the traffic monitoring is sophisticated.

In "Identifying Encrypted Malware traffic with Contextual Flow Data" (Blake Anderson, David McGrew) for instance, the authors wrote a custom libcap-based tool to capture data features from live traffic. Some characteristics they identified as being attached to malware within the encrypted traffic included larger numbers of characters in the domain, much larger numbers of IPs per DNS request, and of course each we not found on Alexa top-N lists.

Not all features were as easily defined between traffic containing malware and not, but this paper and others since are a good sign all is not lost through the shift to HTTPs.
vuacauca
50%
50%
vuacauca,
User Rank: Apprentice
7/13/2018 | 5:55:30 AM
Due to comment spam on our site
This site has commenting guidelines and comments are reviewed by moderators before they are fully published to the web site.
hienly2017
50%
50%
hienly2017,
User Rank: Apprentice
2/26/2018 | 1:47:39 PM
Dog vs. Dodge
Should "Dodge" be used instead of "Dog" in the title of this article?
Michael Lines
50%
50%
Michael Lines,
User Rank: Author
2/15/2018 | 2:59:22 PM
Encrypt All - See Nothing
Encryption is both a blessing and a curse for security, and the increase use of encrypted channels by malware highlights the downsides. As more and more of the internal and external IP traffic shifts to encrypted 443, the ability of traditional IDS/IPS and other related tools to see the traffic and spot malicious payloads is erased. With the drive by Google and others to drive all websites to HTTPS by marking HTTP websites as unsafe, before long encrypted traffic will be the expected norm. 

With this evolution, the ability to look at where traffic is going, rather than what it contains will increasiningly be used as a means to spot malicous traffic. Whether it is connections to known C&C systems or outbound connections to foreign countries at 2am when the company has no business connections there, security tools that leverage DNS as part of behavioural traffic analysis are the next wave in the fight against those who want to infiltrate and compromize corporate systems. 
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4031
PUBLISHED: 2019-10-16
IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a vulnerability that could allow a local user to write files as root in the file system, which could allow the attacker to gain root privileges. IBM X-Force ID: 155997.
CVE-2019-17626
PUBLISHED: 2019-10-16
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
CVE-2019-17627
PUBLISHED: 2019-10-16
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This a...
CVE-2019-17625
PUBLISHED: 2019-10-16
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such...
CVE-2019-17624
PUBLISHED: 2019-10-16
In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact.