Organizations that have not implemented controls for detecting malware hidden in encrypted network traffic are at risk of having a vast majority of malicious tools being distributed in the wild, hitting their endpoint devices.
A study of threat activity conducted by WatchGuard Technologies using anonymized data gathered from customer networks showed 91.5% of malware detections in the second quarter of 2021 involved malware arriving over HTTPS-encrypted connections. Only 20% of organizations currently have mechanisms for decrypting and scanning HTTPS traffic for malware, meaning the remaining 80% are at risk of missing nine-tenths of the malware hitting their networks daily, WatchGuard said.
Corey Nachreiner, chief security officer at WatchGuard, says one reason why more organizations have not enabled network-based HTTPS decryption controls is because of both the perceived and somewhat real complexity of this setup.
"[For] man-in-the-middle decryption to work without messing up the sanctity of the HTTPS certificates that secure that traffic, you have to set up an intermediate or root CA certificate that is part of the official certificate verification process," he says.
There are multiple ways to do this, some of which are tricky and others not as complicated.
"In short, it does take some work to do this the first time — and create exceptions so it starts working well — which is why some don't make the effort," Nachreiner says. "But we firmly believe it is worth the effort because otherwise your network security will miss a lot."
The data point on encrypted malware is one among several in a report WatchGuard released this week that highlighted troubling trends for organizations on the malware front.
WatchGuard's analysis, for instance, showed the number of script-based, or fileless, attacks in the first six months of this year alone had already reached 80% of the total for all of 2020. Data from last quarter suggested that fileless malware is on track to double in volume this year compared with 2020.
"While it's not always the case, many of these scripts can be designed to launch living-off-the-land attacks, meaning they never drop any malicious files on an endpoint," Nachreiner notes. "Rather, they continue using scripting and privileged access — the victim's or elevated credentials — to carry on with their malicious activities."
Thus, file-focused malware detection tools can miss them, he says.
Zero-Day Malware and Other Trends
Zero-day malware detections declined 9% over the previous quarter but still represented a disturbing 64% of all malware samples in the second quarter. That number is another reason signature-based AV detection tools are not enough.
"Attackers have automated malware repacking, which means the same malware can be made to look different on the surface for every victim," Nachreiner says.
Organizations increasingly need detection technologies, like machine learning models or behavioral analysis, that can proactively detect malware that looks new without having to wait for the AV vendor to publish a signature.
At a macro level, malware detections at the enterprise perimeter declined nearly 4%, even as network attack volumes surged past last quarter's volumes to another three-year high. The total number of network attacks last quarter hit 5.2 million, representing a 22.3% increase over the first quarter. The numbers highlighted a trend other vendors have noted about a change in attacker focus after the COVID-19 pandemic forced a shift to a more distributed work environment.
"We believe this is simply due to the pandemic, which has transitioned most knowledge-based employees to work from home," says Nachreiner. Since malware tends to target users wherever they receive email or browse the Web, he adds, attackers have turned their focus to remote employees.
"Now that they are doing those things from home. They are outside their organization's network perimeter, which is why we're not seeing as much malware at the perimeter," he says. That does not necessarily mean malware volumes overall have declined, he cautions. The data only indicates that endpoint security products — and not perimeter network controls — are now seeing most of the malware, Nachreiner notes.
Network attackers, meanwhile, continued to pound away on servers and services that are still at the office or in the cloud. Several security researchers have noted how many of these servers and services are somewhat less protected than before because more employees — including information security staffers — are working from home.