This week’s report covers encrypted malware evading security controls through uninspected HTTPS. With enterprises grappling with an increasingly remote workforce and how to secure those employees properly, there is a greater focus on making sure basic security measures are taken.
This is dangerous advice. Security teams tend (ironically) to be the worst at protecting data, and as a result PITM’ing HTTPS (person-in-the-middle interception: terminating and re-encrypting employees’ TLS sessions at a proxy so the plaintext can be inspected) will invariably cause a breach, and already has in many orgs, just not publicly.
Orgs have also shown that they are terrible at managing certificates, and the god-like certs that have to be installed to enable PITM of HTTPS (a private CA root trusted by every endpoint, whose signing key can mint a browser-valid certificate for any site on the internet) will also invariably be protected poorly.
Infosec teams are also notoriously bad at practicing what they preach when it comes to RBAC. PITM’ing HTTPS puts employees’ decrypted traffic in front of whoever can reach the proxy or its logs, which leaves employees open to abuse and stalking.
Finally, it’s not really needed. Higher-fidelity detection of malicious activity on endpoints produces far greater results, much faster, than PITM HTTPS. Spending money and time on DNS-based detections (which implies you’ve blocked DNS-over-TLS, which uses its own port, TCP/853; disabled browser-based DNS-over-HTTPS through enterprise policy; and have machine-learning-based detections for the DoH use that remains, which can be done with medium fidelity) and on all connections coming _from_ your network (attempts or successes) will bear far greater results than the expense, complexity, and risk of PITM HTTPS.
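To make the DNS-and-egress approach concrete, here is an added example (not code from the original post or from any vendor it discusses) that runs four detections over a handful of constructed log records: DoT by its dedicated port, plain DNS to a resolver that is not the corporate one, DoH recognised by the TLS server name, and the medium-fidelity catch-all of a TLS connection to a public address that the corporate resolver never handed to that host. The log format, the resolver address 10.0.0.53, the internal address ranges and the short list of DoH hostnames are all assumptions made for the example.

```python
"""Added example: DNS-centric egress detections over constructed log lines.

Not from the original post. The two-record log format, the sanctioned resolver
address, the internal ranges and the DoH host list are assumptions for this demo.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DOT_PORT = 853   # DNS-over-TLS has its own port, so it is easy to block and easy to spot
DNS_PORT = 53
# Assumption: 10.0.0.53 is the only sanctioned corporate resolver.
INTERNAL_RESOLVERS = {"10.0.0.53"}
# Assumption: a short illustrative list of public DoH endpoints; a real
# deployment would keep a fuller, regularly refreshed list.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumption: these ranges are "inside"; everything else is treated as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    rule: str     # which detection fired
    src: str      # internal host that originated the traffic
    detail: str   # destination / resolver / name that triggered it


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Run the detections, in order, over records of two constructed shapes:

    dns  <src> <resolver_ip> <qname> <answer_ip>
    conn <src> <dst_ip> <dst_port> sni=<server name, or - if none>

    Returns the Findings in the order they fired.
    """
    resolved: dict[str, set[str]] = {}   # src -> IPs a sanctioned resolver returned to it
    findings: list[Finding] = []
    for raw in lines:
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kind = parts[0]
        if kind == "dns":
            src, resolver, qname, answer = parts[1:5]
            if resolver in INTERNAL_RESOLVERS:
                resolved.setdefault(src, set()).add(answer)
            else:
                # Plain DNS that bypassed the corporate resolver; answers from it never whitelist egress.
                findings.append(Finding("external_resolver", src, f"{resolver} for {qname}"))
        elif kind == "conn":
            src, dst, port_s, sni_kv = parts[1:5]
            port = int(port_s)
            sni = sni_kv.partition("=")[2]
            if is_internal(dst):
                continue  # east-west traffic is out of scope for egress rules
            if port == DOT_PORT:
                findings.append(Finding("dot", src, dst))                 # high fidelity
            elif port == DNS_PORT:
                findings.append(Finding("external_resolver", src, dst))   # raw DNS leaving the network
            elif sni in KNOWN_DOH_HOSTS:
                findings.append(Finding("doh_known_resolver", src, sni))  # high fidelity via SNI
            elif dst not in resolved.get(src, set()):
                # Medium fidelity: TLS to a public IP the corporate resolver never returned to this
                # host. Causes include DoH via an unlisted resolver, hard-coded C2 addresses, or a
                # gap in DNS logging; it is a triage signal, not a verdict.
                findings.append(Finding("unresolved_egress", src, f"{dst}:{port} sni={sni}"))
    return findings


# Constructed sample records (not real traffic); 93.184.216.34 stands in for a
# normally resolved site, the TEST-NET addresses for unexplained destinations.
SAMPLE_LOG = """\
# constructed sample, not real traffic
dns  10.1.2.3 10.0.0.53 www.example.com 93.184.216.34
conn 10.1.2.3 93.184.216.34 443 sni=www.example.com
conn 10.1.2.4 1.1.1.1 853 sni=-
conn 10.1.2.5 8.8.8.8 443 sni=dns.google
conn 10.1.2.5 198.51.100.7 443 sni=-
dns  10.1.2.6 9.9.9.9 evil.example 203.0.113.9
conn 10.1.2.6 203.0.113.9 443 sni=evil.example
conn 10.1.2.7 10.0.0.20 443 sni=intranet
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:<20} {f.src:<10} {f.detail}")
```

The ordering of the rules matters: the port- and SNI-based rules are cheap and high fidelity, so they fire first, and only connections they cannot explain fall through to the unresolved-egress heuristic. Note how the host that used 9.9.9.9 directly is flagged twice, once for the resolver bypass and again because the answer it got never came from the sanctioned resolver, which is exactly the pair of signals that makes DoH-style evasion stand out without decrypting anything.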
It’s no surprise that malware and other threats are being delivered via seemingly secure connections, hiding under the false security of HTTPS to evade traditional AV measures. When enterprises don’t perform adequate SSL inspection, they are vulnerable to malicious attacks and susceptible to malware deliveries such as the ones described in this research.
Hackers can simply host phishing links or drive-by downloads on SSL when there’s no inspection. Despite the vast majority of user-initiated web visits currently being served over HTTPS, web proxies or firewalls can be oblivious to incoming threats unless enterprises turn on SSL inspection.
Moving a workforce almost entirely remote only compounds the issue. As a result, VPN and SSL infrastructure is overwhelmed, hackers are using old tricks to send malicious files and phishing links over SSL, and enterprises are being blindsided.
Inspecting SSL traffic is one of the most important measures a company must put in place. Without it, attackers are able to bypass all the security measures and use the most widely used application of any user: the browser. Remote working has exacerbated this issue, since people are not working from the safety of a secure enterprise network, so cloud security solutions have become critical to enable companies to implement scalable SSL inspection no matter where users are working from.