Fighting the Hidden Threat of Encryption
-Warrior Maven Video Report Above - AI-Enhanced Cybersecurity
Barac – Warrior Maven Contributor
By Omar Yaacoubi, CEO and Co-founder, Barac (www.barac.io)
The DoD has been criticized in the past for failing to use widespread data encryption to protect unclassified emails sent to and from military personnel. It wasn’t until last year that it relented and finally adopted encryption as the default for mail.mil emails. Its reluctance was due to the inability of its existing cybersecurity solutions to protect against the growing problem of malware hidden in encrypted traffic.
One of the DoD’s most vocal critics in this area has been Senator Ron Wyden who wrote to the Director of Defence Information Systems Agency back in March 2017 stating: “I write concerning the security of unclassified military email and to urge Defence Information Systems Agency (DISA) to enable STARTTLS, an encryption technology widely used across the federal government and the private sector, to better protect email communications.”
Recognizing the need to act, and partly as a result of Senator Wyden’s efforts, in July last year the DoD’s mail.mil email service did, finally, adopt encryption as a default. The reason for the delay was explained by Major General Sarah Zabel, vice director of DISA, who, in response to Senator Wyden, pointed out that if encryption were enabled many of its detection methods would be rendered ineffective. A significant problem when, as Zabel explained, “DISA currently rejects over 85% of all DoD email traffic coming from the Internet on a daily basis due to malicious behaviour.”
This highlights a strange contradiction. While in many ways the growth of encryption is a good thing for security, it also creates a backdoor for hackers and threat actors to hide from traditional detection tools. As the use of encryption grows, so does the problem of stopping threat actors that are hidden in the encrypted data.
This is a growing problem. Air Force policy, for example, now requires that all email containing sensitive information, including Personally Identifiable Information (PII), must be digitally signed and encrypted. As a result of the rising reported amount of PII breaches, the Air Force has mandated the blocking of all unencrypted messages with PII or PII-like information from transiting Air Force networks via email.
Decryption cannot keep up with the technical challenges
Inspecting encrypted traffic imposes critical performance limitations on nearly all firewall and IPS devices available on the market today. Generally speaking, examining encrypted traffic puts an enormous strain on a security device. Using ciphers to decrypt and inspect SSL/TLS traffic correctly is extremely CPU-intensive.
According to recent test results from NSS Labs, very few security devices can inspect encrypted data without severely impacting network performance. On average, the performance hit for deep packet inspection is 60 percent, connection rates dropped by an average of 92 percent and response time increased by a whopping 672 percent. Even more concerning, not all the products tested were able to support the top 30 cipher suites, meaning that some traffic that appeared to be analysed wasn't being processed by some of the security devices at all. This explains why most security vendors do not publish their SSL/TLS inspection numbers.
This is a widespread and growing problem. There is no sign that traffic volume is going to slow down, nor that the percentage of network traffic being encrypted and needing specialized inspection is going to taper off. As DISA pointed out, uninspected traffic cannot be allowed to flow freely through the network. At the same time, no organization wants to be the victim of its own denial-of-service outage caused by its security tools no longer being able to meet the network’s performance requirements.
Encrypted Cognitive Analytics
While the DoD clearly found its own way to address the problem of checking encrypted emails for malware when it switched to STARTTLS last year, more elegant solutions now exist that make this process easier... Using behavioural analytics and AI, it is possible to scan and stop malware in real time, without the need for decryption.
A new technique known as Encrypted Cognitive Analytics has been developed that analyses metadata, rather than the data itself, to detect attacks hidden in encrypted traffic in real time without the need for decryption. The key to this is the discovery that every attack has its own SSL metadata signature between the user and the server. By inspecting this metadata, rather than the contents, of encrypted traffic, and combining this with machine learning and behavioural analytics, it is possible to detect signs of attacks and malware or abnormality on encrypted traffic, without the need for decryption. By collecting the right data and by doing data transformation and feature calculations, unique signatures and abnormalities can be detected with very high accuracy. The beauty of this approach is that no decryption means the process can be undertaken in real time, with limited impact on network performance.
Furthermore, Encrypted Cognitive Analytics enables malware attacks to be detected more accurately on both normal and encrypted traffic by using metadata analytics and interflow metadata to collect, analyse and store IN and OUT packets inside of a flow. Analysing network and SSL metadata using artificial intelligence, anomalies can be spotted within both encrypted and unencrypted communications with a high accuracy rate in real time.
Encrypted Cognitive Analytics enables the creation of new types of data elements or telemetry that are independent of protocol details, such as the lengths and arrival times of packets within a flow. Importantly, these data elements apply equally well to both encrypted and unencrypted flows meaning all traffic types can be included and monitored.
This is an exciting new way to improve cybersecurity and protect against the rapidly growing threat of malware hidden in encrypted traffic. The tremendous performance improvements that arise because there is no need to decrypt the traffic yield significant benefits. Using artificial intelligence to identify malicious patterns in encrypted traffic sidesteps the decrypt/re-encrypt approach entirely and provides efficient, accurate security without the operational impact of the translations into and back out of cleartext.
More Weapons and Technology -WARRIOR MAVEN (CLICK HERE)--