
Perimeter

2/14/2018
10:55 AM

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.
2 of 8

SSL-Encrypted Attacks on the Rise
The most recent research that offers a benchmark for the proportion of cybercriminal traffic that's encrypted comes from the Ponemon Institute last year. That study found that about 41% of cyberattacks use SSL encryption to evade detection. More recent statistics elsewhere offer evidence that this proportion is likely growing.

This week, a study from Zscaler showed that SSL-encrypted attacks increased by 30% in the last six months. The firm says that it now blocks an average of 800,000 SSL-encrypted traffic transactions per day containing advanced threats, compared to 600,000 per day in the first half of 2017.

Image Source: Adobe Stock (DOC RABE Media)


Comments
RetiredUser,
User Rank: Ninja
7/13/2018 | 9:19:19 AM
Re: Encrypt All - See Nothing
This has been on the minds of InfoSec hackers for a few years now. Using packet lengths and times in behavioral analysis and fingerprinting the application with TLS metadata are two methods that can be successful as long as the software doing the traffic monitoring is sophisticated.

In "Identifying Encrypted Malware Traffic with Contextual Flow Data" (Blake Anderson, David McGrew) for instance, the authors wrote a custom libpcap-based tool to capture data features from live traffic. Some characteristics they identified as being attached to malware within the encrypted traffic included larger numbers of characters in the domain, much larger numbers of IPs per DNS request, and of course each was not found on Alexa top-N lists.

Not all features were as easily defined between traffic containing malware and not, but this paper and others since are a good sign all is not lost through the shift to HTTPS.
hienly2017,
User Rank: Apprentice
2/26/2018 | 1:47:39 PM
Dog vs. Dodge
Should "Dodge" be used instead of "Dog" in the title of this article?
Michael Lines,
User Rank: Author
2/15/2018 | 2:59:22 PM
Encrypt All - See Nothing
Encryption is both a blessing and a curse for security, and the increased use of encrypted channels by malware highlights the downsides. As more and more of the internal and external IP traffic shifts to encrypted 443, the ability of traditional IDS/IPS and other related tools to see the traffic and spot malicious payloads is erased. With the drive by Google and others to drive all websites to HTTPS by marking HTTP websites as unsafe, before long encrypted traffic will be the expected norm.

With this evolution, the ability to look at where traffic is going, rather than what it contains, will increasingly be used as a means to spot malicious traffic. Whether it is connections to known C&C systems or outbound connections to foreign countries at 2am when the company has no business connections there, security tools that leverage DNS as part of behavioural traffic analysis are the next wave in the fight against those who want to infiltrate and compromise corporate systems.
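A small illustration of the metadata-only triage both comments above describe (packet-size behaviour, TLS SNI and DNS context, known C&C destinations, off-hours connections to countries the business has no dealings with), added here as an example; it is not code from the article or from either commenter. The flow records, the top-N set, the C&C list and the business-country list are all constructed placeholders.

```python
"""Score TLS flows on metadata alone: no payload is decrypted, only sizes,
timing, the SNI hostname and the DNS answer that led to the connection."""
import statistics
from datetime import datetime

# Constructed flow records as a TLS-aware sensor might export them (not real traffic).
FLOWS = [
    {"ts": "2018-02-14T14:02:11", "dst_ip": "198.51.100.7", "dst_cc": "US",
     "sni": "example.com", "dns_answer_ips": 1,
     "pkt_lens": [517, 1460, 1460, 1460, 120, 1460, 1460, 900]},
    {"ts": "2018-02-14T02:07:40", "dst_ip": "203.0.113.9", "dst_cc": "ZZ",
     "sni": "x7g2kq9mvb3p4ls8d0wnrt1cqj.net", "dns_answer_ips": 12,
     "pkt_lens": [517, 200, 64, 64, 64, 64, 64, 64, 64, 64]},
]
ALEXA_TOP_N = {"example.com", "google.com"}   # stand-in for a real top-N list
KNOWN_C2_IPS = {"203.0.113.9"}                 # hypothetical threat-feed entry
BUSINESS_COUNTRIES = {"US", "GB"}              # where the company actually operates
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local time

def registered_domain(sni):
    """Crude eTLD+1: keep the last two labels (sufficient for the sample data)."""
    return ".".join(sni.lower().split(".")[-2:])

def flow_reasons(flow):
    """Return the indicators a flow trips; an empty list means nothing unusual."""
    reasons = []
    domain = registered_domain(flow["sni"])
    if len(domain) > 20:
        reasons.append("long domain name")
    if flow["dns_answer_ips"] >= 8:
        reasons.append("many IPs in DNS answer")
    if domain not in ALEXA_TOP_N:
        reasons.append("domain not in top-N list")
    lens = flow["pkt_lens"]
    # Beaconing tends to be small, uniform packets rather than bulk transfer.
    if statistics.median(lens) < 128 and statistics.pstdev(lens) < 200:
        reasons.append("small, uniform packet sizes")
    if flow["dst_ip"] in KNOWN_C2_IPS:
        reasons.append("destination on known C&C list")
    hour = datetime.fromisoformat(flow["ts"]).hour
    if hour not in BUSINESS_HOURS and flow["dst_cc"] not in BUSINESS_COUNTRIES:
        reasons.append("off-hours connection to non-business country")
    return reasons

def triage(flows):
    """Map destination IP to its indicators, keeping only flagged flows."""
    return {f["dst_ip"]: r for f in flows if (r := flow_reasons(f))}

if __name__ == "__main__":
    for ip, reasons in triage(FLOWS).items():
        print(ip, "->", "; ".join(reasons))
```

Thresholds here are chosen to separate the two sample flows; in practice they would be tuned against a baseline of the organisation's own traffic.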