Encryption has become a staple on how we keep ourselves secure and privately online, especially with our financial transactions today. What is not given much coverage is the fact that the same technology that safeguards our data and keeps ourselves private is accessible as well by the cybercriminals beyond ransomware. The media hyped the spread of ransomware since 2017, where user data were locked by encryption and the decryption key must be purchased by the victim from the ransomware’s authors (the ransom payment). What was not reported is the use of cybercriminals of the same encryption technology for the purpose of evading detection.
“Back in the days, users were trained to look for the green padlock sign in the web browser, as a symbol of privacy, trust and security. However, that is no longer a reliable strategy. Users need to be trained to look for additional indicators, like whether the organization’s name is appearing next to the green padlock sign. The URL itself before they choose to enter their credentials. The users need to be more aware of the page that they are visiting,” explained Deepen Desai, Zscaler’s Head of Security Research.
The malware trend of using encrypted communication to and from its command and control servers use TLS 1.2, no different from a bank website communicating with its clients through a secure webpage. According to SonicWall, a network solutions vendor, a typical firm receives 1,276 yearly attacks on the average without realizing it. These covert attacks came from a TLS encrypted attacker, which bypasses traditional network monitoring tools.
“Because there are so many [ports] to monitor, traditional proxy-based firewalls can’t mitigate attacks over non-standard ports (for both encrypted and unencrypted traffic). Ports 80 and 443 are standard ports for web traffic, so they are where most firewalls focus their protection,” said SonicWall security engineer.
Many organizations deploy domain-based filtering solutions for their networks, usually means no one can download an executable or any type of file regardless of thisparticulardomain.com. However, malware authors are already aware of this filtering technique, hence many of them now use mainstream file storage and transfer service to host their malware payload, like Google Drive, Mega, Dropbox, Box etc. These domains cannot be blocked by domain-based filtering, as they are usually considered as whitelists sites for many organizations.
“My general recommendation is for every modern enterprise to have a balanced SSL inspection policy, as part of their overall security strategy. You don’t need to open up all TLS connections. You could exclude destinations going to healthcare, or finance, or government websites, but everything else you should inspect,” added Desai.
Prevention is the ultimate defence strategy against outside interventions, be it malicious hackers or phishers that set their site to the corporate information and customers data that employees hold. The best way for doing this is to set aside money to fund the cybersecurity awareness of the employees, as they are the primary frontliners with the security for any firm. Automation and high-level monitoring of systems can supplement it, including the capability to probe encrypted traffic internally.
Related Resources :