topic Re: Malware in encrypted traffic in Tech Talk

Malware in encrypted traffic

iluom — Sun, 06 Jan 2019 06:31:05 GMT

Can anyone suggest ...

How to detect or prevent malware in encrypted traffic without depending on a security tool

I am aware that Cisco comes with Encrypted Traffic Analytics (ETA), which monitors network packet metadata to detect malicious traffic even if its encrypted , but i would like to know any other suggestions for detection and prevention control

Thanks

Re: Malware in encrypted traffic

Curiousmind18 — Sun, 06 Jan 2019 13:35:05 GMT

Awesome question! Sadly the answer isn't so simple. Seems to me that you are looking at it from a defend the perimeter view point, which in my experience should be modified more to incident response. The issue is that encrypted traffic or even malformed frames can contain partial malware avoiding the devices, one suggestion would be to put in an ips behind the device the encrypted tunnel ends, so it could scan frames coming in from the unencrypted side, I'll do some due dilligence on this as well don't want to give crappy advice lol

Re: Malware in encrypted traffic

sergeling — Sun, 06 Jan 2019 23:37:32 GMT

You could also choose to decrypt traffic at edge firewall, or at the IPS/web proxy in the middle.

Do take consideration on the additional resource overhead it will put on the device so it wont affect its original function.

Re: Malware in encrypted traffic

denbesten — Mon, 07 Jan 2019 01:42:44 GMT

With the majority of web and Internet traffic encrypted, you are right to be concerned about it being an avenue to malware.

Most web proxy filters (Bluecoat, Zscaler) and firewalls will also filter web pages that are from known bad sites without decryption. Unless you are willing/able to decrypt the communications (e.g using man-in-the-middle techniques) you are pretty much limited to site-level reputation filtering, (e.g. known bad site, young DNS registration, caught hosting malware, etc). With decryption, it becomes possible to delve deeper, such as allowing chat, but to denying file transfer; and also to AV scan individual files. For example, Facebook is "social networking", but with decryption, you get the ability to allow chat while blocking file transfer.

Also useful is to watch for hosts going to known malware"phone home" sites. This gives an indication of which hosts may already be infected and need remediation.

Re: Malware in encrypted traffic

Pista — Mon, 07 Jan 2019 12:25:44 GMT

For now, I have only seen Cisco ETA really working when it comes to encrypted traffic analysis. Although some other vendors claimed the ability to detect 0-day threads (e.g. Darktrace or Greycortex) from our testing the best results came from Cisco Stealthwatch with ETA.

Some other options tough are able to do partial job in malware protection as well. But the majority of the function is based on reputation database for destination IPs/domains... (what is unable to discover malware communicating to twitter or instagram for example).

So aside the Cisco ETA, you basically have another two good options:

1. enhance end-point protection, where the communication is initiated and the payload is processed unencrypted (Cisco AMP for endpoints does great job as it is tracking all operations and communication of the endpoint and the infection can be even discovered afterwards and you posses great data for retrospective analysis).
2. implement decryption at proxy in order to inspect payload.

Re: Malware in encrypted traffic

iluom — Mon, 07 Jan 2019 16:17:57 GMT

solution at the end point / proxy seems a good choice but, decrypting the traffic has a an impact in terms of time, performance and cost and in some areas is simply not possible because the necessary cryptographic keys aren't available.

The aspect of this approach, however, is that it may infringe the privacy policy.

Re: Malware in encrypted traffic

OS22783 — Mon, 07 Jan 2019 17:17:19 GMT

As others here have mentioned decryption at the edge device is a great way to accomplish this. If you go this route keep the following things in mind:

* there is an impact to the througput/speed (although we have found it to be unnoticeable with the properly sized hardware)

* You will want to take into consideration things that you should *not* decrypt (HIPPA, etc)

* Thick client apps that use certificate pinning / hard coded certs will not play nice and will end up requiring exceptions

Re: Malware in encrypted traffic

rslade — Mon, 07 Jan 2019 19:31:52 GMT

> iluom (Newcomer I) posted a new topic in Tech Talk on 01-06-2019 01:31 AM in the

> Can anyone suggest ... How to detect or prevent malware in encrypted traffic

As Cohen pointed out (in 1983), there are really only three ways to detect
malware, and each of them relies on being able to do some examination.

So, basically, unless you can get people to encrypt in a homomorphic manner, the
answer is no.

(I suppose I should qualify that: activity monitoring and change detection could
provide some alerts, but only "after the fact" ...)

> without depending on a security tool

That'd be interesting. You'd have to explain that one to me.

> I am aware that Cisco comes with
> Encrypted Traffic Analytics (ETA), which monitors network packet metadata to
> detect malicious traffic even if its encrypted

You (or Cisco) would have to explain *that* one to me, as well. I suppose it could
rely on blacklisting of sites for source traffic or something ... Then again, I
suppose some kind of signature based IDS might be involved, if you are looking for
"malicious traffic" as opposed to malware ...

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: Malware in encrypted traffic

denbesten — Mon, 07 Jan 2019 20:45:24 GMT

Re: Malware in encrypted traffic

Pista — Mon, 07 Jan 2019 21:40:15 GMT

How ETA works: https://www.networkworld.com/article/3246195/lan-wan/how-cisco-s-newest-security-tool-can-detect-malware-in-encrypted-traffic.html

Obviously not able to inspect actual payload, but uses metadata to do the magic. Don't think about it as a sole protection, rather an enhancement to infrastructure defense.

Re: Malware in encrypted traffic

rslade — Mon, 07 Jan 2019 23:18:52 GMT

> Pista (Newcomer I) posted a new reply in Tech Talk on 01-07-2019 04:40 PM in the

> How ETA works:
> https://www.networkworld.com/article/3246195/lan-wan/how-cisco-s-newest-security
> -tool-can-detect-malware-in-encrypted-traffic.html

OK, yeah, basically stateful inspection on packet headers only.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Be a scribe! Your body will be sleek, your hand will be soft. You
are one who sits grandly in your house; your servants answer
speedily; beer is poured copiously; all who see you rejoice in
good cheer. Happy is the heart of him who writes; he is young
each day. - Ptahhotep, Vizier to Isesi, 5th Dynasty, 2300 BC
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Malware in encrypted traffic

Shannon — Mon, 07 Jan 2019 23:19:09 GMT

ETA solutions look for patterns in the traffic, read un-encrypted metadata, flag suspicious packets, and so on --- but if the traffic isn't actually decrypted for full inspection, there's no guarantee that it's devoid of malware.

@iluom, if implementing decryption at an intermediate device --- such as a proxy --- raises privacy concerns, you could attempt to tailor it. For example, I've added an exception to our privacy policy for the inspection of data coming into our organization's network. (I confess, I work in KSA where employee privacy isn't of so much concern)

At the end of the day, preventing such attacks --- or at least reducing their impact --- calls for an approach with defense-in-depth. You should have preventive and detective measures implemented at the perimeter, the end-points, and the entire networks, with the solutions integrated with one-another.

If a perimeter device using ETA doesn't detect malware, & it gets decrypted on a user's system, an end-point security system there can quarantine the malware &isolate the system, as well as relay information to integrated systems to take actions at the network level.

With a layered approach, you have some assurance that should malware get past one layer, it still has to get through others.

We can't always depend on employee awareness here --- someone who sees his system acting strangely may just lean back and start using his smart phone rather than call Support --- so the solution should also be properly configured to alert the IT Security team.

Re: Malware in encrypted traffic

Caute_cautim — Fri, 11 Jan 2019 03:06:27 GMT

Interesting that most have concentrated on a single vendor Cisco. If you look carefully within Government circles within their policies and controls, often they mandate TLS decryption for web traffic and also Identity and Access Portals. So to give you some examples: Identity Security Access Manager (ISAM) for Business - has a web proxy, called WebSeal, which has proxies for both mobile and web services, which has an inbuilt layer 4 to layer 7 WAF, which by using the server digital certificate, can decrypt and check the incoming and outcoming traffic, before it allowed into the organisations web servers/farm etc.

Other vendors use F5 with its Advanced Security Module, which has good layer 4 to layer 7 TLS inspection capabilities in virtual or physical formats.

However, from experience, you need plenty of testing, non production and Proof of Concepts, going because often the claims of manufacturers, has to be verified and tested carefully - sometimes their claims do not add up in reality.

Regards

Caute_cautim

Re: Malware in encrypted traffic

Pista — Fri, 11 Jan 2019 08:57:45 GMT

surely there are many vendors offering "man in the middle" decryption and inspection. but the original question was about ability to detect malware within encrypted traffic...

Re: Malware in encrypted traffic

Caute_cautim — Sat, 12 Jan 2019 03:42:46 GMT

In that case you will always need the ability to decrypt the incoming transmission, and you may have re-encrypt it again by policy, before it is forwarded on to the final destination. Normally, one would have an assured solution, as it normally has to hold a copy of the private key for decryption purpose. Normally the solution has normally a proxy or an SSL/TLS forwarding capability with layer 4 to layer 7 inspection capabilities.

Regards

Caute_cautim

Re: Malware in encrypted traffic

iluom — Sat, 06 Apr 2019 06:55:49 GMT

WAF (Web Application Firewalls) may help to address this issue

These firewalls are specific enough that they know the way the application should be behaving
and can detect even the smallest unusual activity and bring it to a stop. In addition, WAFs
can also provide protection against such network-based attacks as DoS or DDoS attacks.

Reverse and Forward Proxy would help.

any comments please??

Re: Malware in encrypted traffic

Caute_cautim — Sat, 06 Apr 2019 07:00:50 GMT

Yes, you could do it that way - there also other means, via having a front web application proxy or Mobile aware proxy, with one way key decryption or as you state forward or reverse proxy as well. Also there is appears to be another method - using a cloud based web application API, which some vendors provide as a stop gap, to keep PCI DSS issues arising i.e. TLS V1.0 issues and preventing access and related vulnerabilities.

This is more like a stop gap approach, rather than a permanent, but often see it taken up as a solution, which appears to become the norm,

Regards

Caute_cautim

Re: Malware in encrypted traffic

Shannon — Sat, 06 Apr 2019 10:51:25 GMT

@iluom wrote:

WAF (Web Application Firewalls) may help to address this issue

@iluom, what / whom do you ultimately want to protect from the malware? Whatever solution you employ, it will have to be able to decrypt the traffic --- unless that isn't permitted by your organization's policy.

Keep in mind that a WAF is meant to protect a Web Application itself, and not end-users / end-points.

Re: Malware in encrypted traffic

rslade — Sat, 06 Apr 2019 17:56:04 GMT

> iluom (Contributor I) posted a new reply in Tech Talk on 04-06-2019 02:55 AM

> WAF (Web Application Firewalls) may help to address this issue These
> firewalls are specific enough that they know the way the application should be
> behaving and can detect even the smallest unusual activity and bring it to a
> stop.

Application level firewalls get really complicated really quickly. Some may have a heuristic activity monitoring component, but only something with an added host-based sensor component is actually going to detect resultant unusual activity.