Removing the blindfold to inspect encrypted communications
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Sep 28, 2015
Given the growing number of system and application vulnerabilities, zero-day attacks, and high-profile hacks and data breaches, the need to inspect and monitor communications in and out of enterprise networks might seem obvious.
Unfortunately, many organizations have visibility into only a portion of that suspicious or malicious traffic. Their security tools and analysts are essentially blind to encrypted communications, which makes them unable to identify and defend against malicious activity, data exfiltration and other threats such as viruses, worms or other malware.
If you are responsible for information security, it is crucial that you take steps to remove the blindfold. By understanding the challenges with cryptographic protocols, organizations can embrace encrypted communications while ensuring that they have the necessary visibility to inspect and protect corporate systems and data.
The Secure Sockets Layer protocol released in 1995 provides communication security between two hosts within a network or across the Internet. It was initially used to secure e-commerce and online banking over public networks. Now SSL and its successor, Transport Layer Security, are increasingly being adopted because of their simplicity and flexibility. SSL/TLS is used to secure most cloud-based applications, web-based email and many other online services.
Although these cryptographic protocols protect end-user data and solve many security problems related to data integrity and confidentiality, they also create blind spots within the network that are only getting larger.
In 2016, more than two-thirds of North America's Internet traffic will be encrypted, according to Sandvine, a Canadian networking equipment company. Although encryption was previously cost-prohibitive or added enough overhead to limit its value where its use was not critical, that is no longer the case, and companies are now designing their websites to use encryption by default.
In June, the Office of Management and Budget issued a memorandum that requires secure connections across all federal websites and web services. Further, the Let's Encrypt service from the Internet Security Research Group will likely accelerate adoption of encryption on commercial and personal sites with the goal of delivering SSL/TLS everywhere by providing a free, automated and open-source certificate authority.
With the continued expansion of encrypted Internet communications, it's important to understand the challenges, impacts and risks they can create. Blind spots could be ignored if they are known to be of no value, but that is not the case with encrypted communications. In fact, Gartner says that by 2017 more than half the network attacks targeting enterprises will use encrypted traffic to bypass controls, and most advanced persistent threats already use SSL/TLS encryption.
Specifically, adversaries can use encryption to deliver malicious software if security controls can only scan decrypted traffic. They can also use encrypted communications to exploit vulnerable end-user applications such as web browsers, PDF viewers, Microsoft Office products, Flash or Java.
After a successful infection, SSL and TLS can mask the command and control functions that adversaries use to maintain communications with compromised systems within the target network. The exfiltration of credentials or other sensitive information can be hidden within the same SSL/TLS-encrypted sessions. If those communications are not decrypted for inspection, systems and employees responsible for monitoring and defending against that type of event cannot effectively spot compromises.
To optimize and standardize the security of external Internet connections to federal agencies, OMB established the Trusted Internet Connections initiative in 2007. The associated TIC Reference Architecture identifies mandatory critical and recommended capabilities based on evolving technologies and threats, including a specific requirement for encrypted traffic inspection. That requirement, which can be seen in the TIC Reference Architecture v2.0, states that any TIC access provider (TICAP) must have "a documented procedure or plan that explains how it inspects and analyzes encrypted traffic" and must include "defensive measures taken to protect TICAP clients from malicious content or unauthorized data exfiltration when traffic is encrypted."
As a critical and mandatory requirement, no federal agency should be without such procedures and plans for inspecting encrypted traffic.
To effectively identify and implement procedures for inspecting encrypted communications in and out of a corporate network, it is important that the process is appropriately planned, communicated and coordinated with stakeholders. Here are six key recommendations for providing the necessary visibility into encrypted communications.
1. Identify encrypted traffic flow
Before attempting to choose or implement a solution, identify where and how encrypted traffic flows in and out of the network. The location and amount of encrypted communications and the types of encryption protocols used must be understood to ensure appropriate visibility and correctly develop a solution that minimizes degradation of performance.
Although web and email communications are primary threat vectors, do not forget about file transfers and other communications with external trusted and untrusted partners.
2. Existing technologies can help but might not be enough
Existing technologies such as web and email gateways, proxy devices and application load balancers might have the ability to decrypt encrypted communications. However, those tools are often designed to monitor and analyze specific traffic and could degrade network performance when attempting to also handle decryption of large amounts of data.
More important, those technologies are usually not optimized to support a visibility architecture in which decrypted communications can also be made available to other network- and endpoint-monitoring tools, such as intrusion detection and prevention system sensors, data loss-prevention systems and advanced forensics.
3. Obtain top-level support and work closely with legal counsel
Although warning banners should already include appropriate language informing users that their rights to privacy are limited when using agency systems and networks, inspection of encrypted communications can often be a sensitive subject. Thus, it is imperative that policies be backed by organizational leaders and legal counsel to ensure support and compliance with corporate and government regulations.
4. Prepare for exceptions
Although the goal is to have the ability to decrypt and inspect all encrypted communications, there will be exceptions, and it is critical that processes and procedures are established to support those exceptions. For example, some proprietary encrypted voice and video communications might not function properly if interrupted by a decryption and inspection process between the client and server. Similarly, client-side certificates often create complications that many SSL/TLS decryption technologies cannot handle.
Additionally, exceptions might be required for particularly sensitive data, such as health care, banking/financial or law enforcement/legal information. Even if such data is inspected with system tools, it might not be appropriate for the IT staff to be able to read it or store and maintain it.
5. Confirm and convey certificate validity
A critical component of establishing encrypted communication is confirming the validity of the external system by exchanging and validating certificates. It is important that SSL/TLS decryption technologies do not put clients at increased risk by requiring them to validate the legitimacy of the site to which they are connecting. The inspection capability should perform the validation of external certificates and convey the results of the validation to the client.
6. Decryption is not enough
Remember that decrypted data is only valuable if it is made available to appropriate inspection technologies and is properly analyzed to identify threats. Therefore, officials must ensure that appropriate staff and technologies have access to the decrypted data required to defend the enterprise.
As noted by FBI Director James Comey, "The development and robust adoption of strong encryption is a key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cybersecurity," but it also creates a problem that law enforcement calls "going dark." Therefore, it is critical that encryption technologies be maintained while ensuring the necessary visibility and inspection to defend the enterprise.
As attacks that use encrypted traffic to bypass controls continue to increase, agencies should remove any blindfold that limits network visibility.