Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/14/2018
10:55 AM
Connect Directly
Twitter
RSS
E-Mail

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.
1 of 8

Image Source: Adobe Stock (tippapatt)

Image Source: Adobe Stock (tippapatt)

1 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/13/2018 | 9:19:19 AM
Re: Encrypt All - See Nothing
This has been on the minds of InfoSec hackers for a few years now. Using packet lengths and times in behavioral analysis and fingerprinting the application with TLS metadata are two methods that can be successful as long as the software doing the traffic monitoring is sophisticated.

In "Identifying Encrypted Malware traffic with Contextual Flow Data" (Blake Anderson, David McGrew) for instance, the authors wrote a custom libcap-based tool to capture data features from live traffic. Some characteristics they identified as being attached to malware within the encrypted traffic included larger numbers of characters in the domain, much larger numbers of IPs per DNS request, and of course each we not found on Alexa top-N lists.

Not all features were as easily defined between traffic containing malware and not, but this paper and others since are a good sign all is not lost through the shift to HTTPs.
vuacauca
50%
50%
vuacauca,
User Rank: Apprentice
7/13/2018 | 5:55:30 AM
Due to comment spam on our site
This site has commenting guidelines and comments are reviewed by moderators before they are fully published to the web site.
hienly2017
50%
50%
hienly2017,
User Rank: Apprentice
2/26/2018 | 1:47:39 PM
Dog vs. Dodge
Should "Dodge" be used instead of "Dog" in the title of this article?
Michael Lines
50%
50%
Michael Lines,
User Rank: Author
2/15/2018 | 2:59:22 PM
Encrypt All - See Nothing
Encryption is both a blessing and a curse for security, and the increase use of encrypted channels by malware highlights the downsides. As more and more of the internal and external IP traffic shifts to encrypted 443, the ability of traditional IDS/IPS and other related tools to see the traffic and spot malicious payloads is erased. With the drive by Google and others to drive all websites to HTTPS by marking HTTP websites as unsafe, before long encrypted traffic will be the expected norm. 

With this evolution, the ability to look at where traffic is going, rather than what it contains will increasiningly be used as a means to spot malicous traffic. Whether it is connections to known C&C systems or outbound connections to foreign countries at 2am when the company has no business connections there, security tools that leverage DNS as part of behavioural traffic analysis are the next wave in the fight against those who want to infiltrate and compromize corporate systems. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19740
PUBLISHED: 2019-12-12
Octeth Oempro 4.7 allows SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
CVE-2019-19746
PUBLISHED: 2019-12-12
make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
CVE-2019-19748
PUBLISHED: 2019-12-12
The Work Time Calendar app before 4.7.1 for Jira allows XSS.
CVE-2017-18640
PUBLISHED: 2019-12-12
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2019-19726
PUBLISHED: 2019-12-12
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from th...