Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption

By Simon Mullis
Chief Technology Officer, Venari Security | Aug 22, 2022 05:36 am PST

All global organisations are now responsible for preserving and maintaining the privacy of client, employee and other business-critical data. Governments and regulators are also requiring organisations to implement best-practice encryption, with financial penalties for data leaks. This has driven a massive uptake in end-to-end encryption to ensure compliance and to support customer data privacy both in transit and at rest.

TLS 1.3 – the current standard for strongly encrypted communications – is now widely used, by 62% of the top 1,000 internet websites. Nevertheless, some aspects of applying strong encryption are poorly understood – and this is becoming a growing issue for security teams.

Data is put at risk when organisations configure their encryption protocols inadequately. Yet in many cases, companies in highly regulated industries do not have a full view of what is or isn’t encrypted, or of whether they meet the standards set by regulators and governments. This is sometimes due to legacy infrastructure, but it is often because nobody ‘owns’ encryption within the enterprise, so ultimately no one is accountable for it.

Encrypted communications challenge many organisations, even those implementing strong encryption standards across the board. The sheer volume of encrypted traffic they must contend with makes it impossible for security teams to gain visibility through decryption alone. Instead, we need to find new ways to analyse and understand this traffic, as organisations cannot mitigate the cyber risk in the areas of their network they can’t see.  

Reducing the risk of encrypted traffic 

We are increasingly seeing attackers who breach an organisation’s perimeter hide their activity within legitimate encrypted network traffic, which creates a substantial blind spot for security teams. In the first three quarters of 2021 alone, attacks over encrypted channels increased by 314% on the previous year. These attacks aren’t cutting edge, but the lack of visibility into encrypted traffic gives intruders free licence to operate on private networks. Active decryption and inspection might seem to be the answer. However, decrypting vast traffic volumes brings significant cost and complexity, and modern encryption protocols use Perfect Forward Secrecy, so session keys are ephemeral and an inspection device holding the server’s private key can no longer passively decrypt the traffic between client and server.

Attackers now use encrypted communications to hide, to breach organisations and to move laterally once a beachhead has been established. The challenge is how to spot suspicious encrypted communications within the enterprise.

The only way organisations can hope to reduce this risk is to measure and understand the encrypted communications on their networks without relying on decryption. To achieve this, security teams need to shift their approach towards a deeper analysis of encrypted communications, gaining greater certainty about what is happening within encrypted traffic flows.

Encrypted Traffic Analysis (ETA) is an emerging method of identifying suspicious or anomalous behaviour hidden in encrypted traffic without decrypting it. It uses a combination of artificial intelligence, machine learning and behavioural analytics, working on the observable properties of the traffic rather than its content. It improves visibility of encrypted network traffic with no impact on latency and no infringement of privacy. It also learns the behaviour of traffic across networks and raises alerts in near real time, allowing security teams to react immediately rather than after the fact. This significantly increases the rate at which suspicious activity can be identified in encrypted traffic, thereby reducing business risk.

The network visibility gained by employing an ETA platform can also help organisations ensure that their encrypted estate is as secure as they intend. Many organisations use static analysis of their certificates, but this does not reveal the critical information about what each individual session actually negotiates and uses.
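As an added illustration (not code from the article or from Venari Security), the following Python script shows the kind of per-session information that certificate analysis alone misses: it parses a TLS ServerHello record straight from the handshake bytes, with no decryption and no keys, and reports what the session actually negotiated, namely the protocol version (honouring the TLS 1.3 `supported_versions` extension), the cipher suite, and whether the key exchange provides the forward secrecy discussed above. The cipher-suite and version tables are a small subset of the IANA registries; the `build_server_hello` helper and the records it constructs are hypothetical sample input for the demonstration; and the findings policy (flag pre-TLS 1.2 versions, static RSA key exchange and CBC suites) is an assumed default, not any product’s rules.

```python
import struct

# Assumed lookup tables for the demonstration (subset of the IANA TLS registries).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",             # TLS 1.3 suites always use ephemeral (EC)DHE
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",        # static RSA key exchange: no forward secrecy
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Construct a minimal ServerHello record (hypothetical sample input, not a real capture)."""
    body = struct.pack("!H", legacy_version) + bytes(32)          # legacy_version + 32-byte random
    body += b"\x00"                                                # empty session_id
    body += struct.pack("!HB", cipher_suite, 0)                    # cipher_suite + null compression
    exts = b""
    if selected_version is not None:                               # TLS 1.3 signals its version here
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and cipher suite from a ServerHello record; raise on malformed input."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or len(body) < 38:
        raise ValueError("truncated ServerHello body")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                                   # skip the random
    pos += 1 + body[pos]                                           # skip the session_id
    if pos + 3 > len(body):
        raise ValueError("truncated ServerHello body")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                       # cipher_suite + compression_method
    if pos + 2 <= len(body):                                       # extensions block is optional in TLS 1.2
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if len(data) != ext_data_len:
                raise ValueError("truncated extension")
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data_len == 2:
                version = struct.unpack("!H", data)[0]             # real version overrides legacy_version
    return {"version": version, "cipher_suite": cipher_suite}


def assess_session(record):
    """Summarise what a session negotiated and list findings under the assumed default policy."""
    parsed = parse_server_hello(record)
    suite = CIPHER_SUITES.get(parsed["cipher_suite"], f"unknown(0x{parsed['cipher_suite']:04x})")
    version = TLS_VERSIONS.get(parsed["version"], f"unknown(0x{parsed['version']:04x})")
    # Every TLS 1.3 suite uses ephemeral key exchange; in TLS 1.2 only the (EC)DHE suites do.
    forward_secrecy = parsed["version"] == 0x0304 or "DHE" in suite
    findings = []
    if parsed["version"] < 0x0303:
        findings.append("legacy protocol version")
    if not forward_secrecy:
        findings.append("no forward secrecy (static key exchange)")
    if "CBC" in suite:
        findings.append("CBC mode cipher")
    return {"version": version, "cipher_suite": suite, "forward_secrecy": forward_secrecy, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a TLS 1.3 session and a TLS 1.2 session with static RSA key exchange.
    for rec in (build_server_hello(0x0303, 0x1301, 0x0304), build_server_hello(0x0303, 0x002F)):
        print(assess_session(rec))
```

Run over a feed of ServerHello records (for example from a span port), `assess_session` yields one summary per session, which is exactly the view that a scan of the installed certificates cannot give: a server with a perfectly good certificate may still be negotiating TLS 1.0 or a static RSA suite with some clients.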

Learning to measure and mitigate  

There is no immediate solution that entirely protects the privacy of our data. However, the shift to best practices and strong encryption will most definitely play a crucial role in minimising the risk that enterprise data breaches pose to employees and customers.

Visibility is a virtue in this new encrypted world, so organisations must start to implement a ‘measure and mitigate’ approach rather than one of ‘detect and decrypt’. This will allow enterprises to understand what is happening right now and to better detect activity on their encrypted networks.