The U.S. Computer Emergency Readiness Team (US-Cert) issued a warning last week stating HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL sessions to perform deep-packet inspection (DPI).
Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI.
The primary reason why information security teams want to intercept and decrypt traffic protected by secure-socket layer (SSL) or transport layer security (TLS) encryption is to perform DPI to identify threats or malware.
However, when they do there is a security impact if SSL encryption is not performed at least as well as the browsers do. The quality of SSL encryption is inconsistent among vendors and runs the risk of creating a huge vulnerability in your secure architecture.
Even worse, users may not be aware of this interception, creating a false sense of security on their side. The client browser can only verify secure communications with the next computer with which it communicates.
Most devices think the next computer is the final destination, but it could just be a network device inspecting SSL traffic. The browser only confirms it is communicating with a system providing a certificate, not what that system is.
The way a computer validates whether it is communicating with the intended recipient is to look at the provided certificate and the system that issued it. This is hard for most users to be able to manage or understand, especially when an attacker can forge a certificate or use a stolen certificate.
Some browsers, such as Microsoft Internet Explorer, don't even allow viewing a certificate until after you have accepted it, which can make it tricky for even a security professional to determine if the connection is legitimate.
On top of potential security holes, SSL intercept and inspection has significant performance impacts on the devices using it, as tested by NSS Labs. On average, the seven next-generation firewalls tested by NSS Labs experienced a performance degradation of ~74% with 512-bit and 1,024-bit ciphers and ~81% loss with 2,048-bit ciphers. As the encryption gets better, the performance degradation gets bigger.
The whole notion of SSL intercept and inspection is to allow old-school security products to still work in a modern world where traffic is increasingly encrypted for privacy and protection. A modern approach to security doesn’t have to decrypt SSL traffic to identify threats or attacks.
The old-school method of DPI works by opening the network payloads to identify a certain type of content, such as specific data for DLP or bad payloads like malware. This occurs at the perimeter of the network where traffic flows in and out between users and Internet destinations.
The modern approach is to monitor network traffic for the unique actions and behaviors of cyber attackers instead of inspecting traffic for malicious payloads.
Vectra identifies in-progress cyber attacks without decrypting SSL/TLS traffic. Artificial intelligence – machine learning algorithms – monitors large volumes of network traffic to detect and analyze miniscule fluctuations in protocols like HTTPS, HTTP and DNS, and reveals when additional layers of command-and-control communication are hidden within them.
This detection works for all stages of the attack lifecycle including reconnaissance, lateral movement and exfiltration. With only three exceptions, all of these modern machine learning algorithms work equally well with encrypted traffic.
This modern approach to detecting cyberattacks not only provides insight to attacker behavior in encrypted traffic, it also provides security teams with a higher probability of detection across the entire attack lifecycle.
Perimeter detection security models are limited to identifying the initial intrusion and any possible outbound command-and-control communication. However, most cyber attacks occur in the network, inside the perimeter. By monitoring attacker behaviors on all hosts in the network, Vectra can see the progression of an attack.
With the old-school DPI approach at the perimeter, attackers only need to succeed once while defenders must succeed every time. With the modern use of artificial intelligence to detect attacker behaviors, even in encrypted traffic, attackers must remain perfectly hidden through all phases of the attack, but defenders only need to see part of the attack.
Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs with nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles.