Encryption has become key to many cyber defense strategies, with organizations looking to more securely protect their data and privacy, as well as meet stricter compliance regulations including Europe’s GDPR and the California Consumer Privacy Act. Its use is unsurprisingly on the rise, with Gartner estimating that over 80% of enterprise web traffic was encrypted in 2019 and Google currently offering the HTTPS protocol as standard to 94% of its customers, putting the company well on its way to its goal of 100% encryption this year.
From WhatsApp’s end-to-end encrypted messages to secure online banking, encryption is everywhere. Cryptographic protocols Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), ensure organizations protect the important data on their networks while remaining compliant. Though some authorities believe they should have backdoor access to this content, tech giants and whistleblowers alike have condemned the idea, with Facebook stating it would “undermine the privacy and security of people everywhere,” and Edward Snowden claiming it would be “the largest […] violation of privacy in history.”
However, for all its privacy and data protection benefits, encryption has unintentionally created a new threat: encrypted malware. Cybercriminals are using the very aspects that make encryption so appealing for their own means and increasingly leveraging cryptographic protocols to provide cover for their attacks. As more companies adopt encryption, hackers will have even more places to hide.
2019: The Year of Encrypted Malware
Many organizations have had firsthand experience of encrypted malware attacks. Here are just some of 2019’s higher-profile attacks that hid among encrypted traffic flows between compromised network servers and command and control centers, as a way to avoid being detected by IDS and other anti-malware solutions:
- Emotet – This attack saw the deadly botnet resurface in September 2019 after a four-month dormant period, disguising itself as Edward Snowden’s recently released book, “Permanent Record,” to launch spear-phishing email campaigns.
- TrickBot – This infamous banking trojan reappeared in 2019 with a new trick up its sleeve: disabling Windows Defender. After infecting nearly 250 million Gmail accounts with new cookie-stealing abilities, its next step in stealing banking credentials was to disable the Windows anti-virus software.
- Ryuk – Along with Sodinokibi, Ryuk was one of last year’s most prolific and profitable ransomware campaigns. At the end of 2019, having moved into enterprise extortion, payments for the ransomware reached an all-time high of $780,000, according to Coveware.
- Sodinokibi – The successor of GandCrab, this ransomware-as-a-service was the most prevalent type of ransomware in 2019, targeting managed service providers through software vulnerabilities. In May, it exploited the Oracle zero-day flaw and demanded a ransom of over $2,000 to decrypt the files it had encrypted. Highly evasive, Sodinokibi uses Tor or HTTPS to hide its activity.
Emotet, TrickBot and Ryuk have also been dubbed a “triple-threat,” with Emotet and TrickBot trojans being used to deliver Ryuk ransomware, causing even more damage to the affected organizations.
The biggest issue with encrypted malware attacks—and the primary reason the above examples were so “successful”—is that they are nearly impossible to detect, with many commonly deployed solutions offering woefully inadequate protection.
Decryption Can’t Handle It
The challenge for organizations looking to spot and stop encrypted malware attacks is being able to see inside their encrypted data flows. To achieve this, many organizations decrypt the traffic entering and leaving their networks, before scanning it for threats and then re-encrypting it. While in principle this technique should work, the decryption approach comes with a whole host of issues.
First, it raises concerns around compliance. Since all encrypted traffic has to be decrypted to be inspected, there is a very real risk that some sensitive information will, for a brief time at least, be visible in plaintext. Secondly, there are the huge financial costs and latency issues to consider: costs grow and network performance is severely impacted by the volume of data that has to be processed, a problem that will only get worse as the share of encrypted traffic increases.
A more recent—and potentially bigger—problem is that decryption will no longer be possible thanks to the introduction of TLS 1.3. This cryptographic protocol, ratified by the IETF in 2018, includes stronger encryption and streamlined authentication processes, but also flags any decryption attempt as a man-in-the-middle attack, immediately terminating the session and preventing malicious traffic from being detected. Even the NSA has warned of the problems associated with TLS Inspection, issuing a cyber advisory on the subject.
This inability to see inside encrypted traffic traversing an organization’s network is worrying, to say the least, with 87% of CIOs believing their security defenses are less effective because they cannot inspect encrypted network traffic for attacks, according to Venafi. As a new decade begins, organizations need to be wary of relying on traditional methods of detecting this new attack vector and not depend on decryption alone to solve the problem. If 2019 is any indication, then hidden malware isn’t going anywhere.
A New Approach to Encryption
Gartner predicts that over 70% of malware campaigns in 2020 will use some type of encryption. Whether this includes new strains of Emotet or Ryuk, or completely new threats, organizations need to be prepared.
In particular, they must look at alternative methods of protecting their networks and consider more modern solutions. Rather than rely on anti-malware scanners that are unable to see inside encrypted traffic or count on decryption to sort the bad data from the good, organizations should look at AI and machine learning techniques that analyze encrypted traffic at a metadata level. These methods don’t require decryption, so as well as avoiding compliance issues by avoiding looking at traffic content, there are also no problems with latency or with navigating TLS 1.3.
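One concrete form of metadata-level analysis is looking for command-and-control beaconing in connection records alone, without touching the encrypted payload. The script below is an added example, not the article's own method or any vendor's product: it parses a constructed flow log with an assumed layout (timestamp, source, destination:port, bytes sent) and flags source/destination pairs whose connection timing and size are unusually regular.

```python
"""Beaconing detection from connection metadata only (no decryption).

Added example, not code from the article. The flow records below are
constructed, and the record layout (ts, src, dst:port, bytes_out) is assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: timestamp (seconds), source, destination:port, bytes sent.
# The 203.0.113.9 connections check in about every 60 s with near-constant size;
# the 198.51.100.4 connections look like ordinary interactive browsing.
FLOWS = """\
1000 10.0.0.5 203.0.113.9:443 1420
1002 10.0.0.5 198.51.100.4:443 9830
1060 10.0.0.5 203.0.113.9:443 1418
1121 10.0.0.5 203.0.113.9:443 1422
1179 10.0.0.5 203.0.113.9:443 1419
1240 10.0.0.5 203.0.113.9:443 1421
1300 10.0.0.5 203.0.113.9:443 1420
1305 10.0.0.5 198.51.100.4:443 120
1990 10.0.0.5 198.51.100.4:443 33000
2400 10.0.0.5 198.51.100.4:443 700
"""

def parse_flows(text):
    """Group (timestamp, bytes) tuples by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows

def beacon_score(records):
    """Return (interval_cv, size_cv) for a list of (ts, bytes), or None if too few.
    A low coefficient of variation means regular timing and constant size,
    which is what a periodic C2 check-in looks like in metadata."""
    records = sorted(records)
    if len(records) < 4:
        return None
    gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
    sizes = [r[1] for r in records]
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(text, max_interval_cv=0.2, max_size_cv=0.1):
    """Return the (src, dst) pairs whose timing and size regularity exceed the thresholds."""
    hits = []
    for pair, records in parse_flows(text).items():
        score = beacon_score(records)
        if score and score[0] <= max_interval_cv and score[1] <= max_size_cv:
            hits.append(pair)
    return hits

if __name__ == "__main__":
    for src, dst in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}")
```

The thresholds are assumptions to tune against your own baseline; legitimate periodic traffic (update checks, monitoring agents) will also score as regular, so the output is a triage list, not a verdict.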
This proactive and neater approach to malware detection will be an essential tool as encrypted malware becomes an even greater threat.