iluom
Contributor II

Malware in encrypted traffic

 

Can anyone suggest ...

How to detect or prevent malware in encrypted traffic without depending on a security tool 

 

I am aware that Cisco comes with Encrypted Traffic Analytics (ETA), which monitors network packet metadata to detect malicious traffic even if it's encrypted, but I would like to know of any other suggestions for detection and prevention controls.

 

Thanks

Chandra Mouli, CISSP, CCSP, CSSLP
18 Replies
Curiousmind18
Newcomer II

Awesome question! Sadly the answer isn't so simple. It seems to me that you are looking at it from a defend-the-perimeter viewpoint, which in my experience should be modified more toward incident response. The issue is that encrypted traffic, or even malformed frames, can contain partial malware that evades the devices. One suggestion would be to put an IPS behind the device where the encrypted tunnel ends, so it could scan frames coming in from the unencrypted side. I'll do some due diligence on this as well; I don't want to give crappy advice lol
sergeling
Contributor I

You could also choose to decrypt traffic at the edge firewall, or at the IPS/web proxy in the middle.

 

Do take into consideration the additional resource overhead it will put on the device, so it won't affect its original function.

denbesten
Community Champion

With the majority of web and Internet traffic encrypted, you are right to be concerned about it being an avenue to malware.

 

Most web proxy filters (Bluecoat, Zscaler) and firewalls will also filter web pages that are from known bad sites without decryption.  Unless you are willing/able to decrypt the communications (e.g. using man-in-the-middle techniques) you are pretty much limited to site-level reputation filtering (e.g. known bad site, young DNS registration, caught hosting malware, etc.).  With decryption, it becomes possible to delve deeper, such as allowing chat but denying file transfer, and also to AV-scan individual files.  For example, Facebook is "social networking", but with decryption you get the ability to allow chat while blocking file transfer.

 

Also useful is to watch for hosts going to known malware "phone home" sites.  This gives an indication of which hosts may already be infected and need remediation.

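The reputation-based checks denbesten describes (known bad destination, young DNS registration) and the "phone home" watch can be run over connection metadata alone, without decrypting anything. The following is an added example, not code from the original thread or from any vendor; the log lines, the blocklist, the registration dates and the jitter threshold are all constructed placeholders.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed threat intel (placeholders, not real indicators).
KNOWN_BAD = {"phonehome.example.net", "203.0.113.45"}
REGISTRATION_DATE = {"phonehome.example.net": date(2015, 6, 1),
                     "fresh-drop.example.org": date(2018, 12, 30)}
TODAY = date(2019, 1, 6)
YOUNG_DOMAIN_DAYS = 30   # registrations younger than this are suspicious
MIN_BEACONS = 4          # sessions needed before judging regularity
MAX_JITTER = 0.2         # stdev/mean of connection gaps below this = beaconing

# Constructed proxy log lines: "<epoch> <src_host> <destination> <bytes>".
LOG_LINES = """\
1546732800 ws-17 cdn.example.com 48211
1546732860 ws-17 phonehome.example.net 312
1546732900 ws-42 fresh-drop.example.org 1200
1546733460 ws-17 phonehome.example.net 298
1546734060 ws-17 phonehome.example.net 305
1546734660 ws-17 phonehome.example.net 311
1546735260 ws-17 phonehome.example.net 300
""".splitlines()

def domain_age_days(dst, today=TODAY):
    # Days since registration, or None for IPs and domains not in the intel set.
    registered = REGISTRATION_DATE.get(dst)
    return (today - registered).days if registered else None

def is_beaconing(timestamps):
    """True when the gaps between connections are nearly constant ('phone home')."""
    if len(timestamps) < MIN_BEACONS:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_JITTER

def analyse(lines):
    """Return {(src, dst): set(reasons)} for sessions that deserve a look."""
    reasons, times = defaultdict(set), defaultdict(list)
    for line in lines:
        ts, src, dst, _bytes = line.split()
        times[(src, dst)].append(int(ts))
        if dst in KNOWN_BAD:
            reasons[(src, dst)].add("known-bad destination")
        age = domain_age_days(dst)
        if age is not None and age < YOUNG_DOMAIN_DAYS:
            reasons[(src, dst)].add("young domain registration")
    for key, stamps in times.items():
        if is_beaconing(sorted(stamps)):
            reasons[key].add("regular beaconing")
    return dict(reasons)
```

The beaconing check is what turns "known phone-home site" into a lead even when the destination is not yet on any list: a workstation that contacts the same host every ten minutes with near-identical sizes is worth a look regardless of reputation.
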
Pista
Newcomer I

For now, I have only seen Cisco ETA really working when it comes to encrypted traffic analysis. Although some other vendors claim the ability to detect 0-day threats (e.g. Darktrace or Greycortex), from our testing the best results came from Cisco Stealthwatch with ETA.

Some other options, though, are able to do a partial job in malware protection as well. But the majority of the function is based on a reputation database for destination IPs/domains... (which is unable to discover malware communicating with Twitter or Instagram, for example).

So aside from Cisco ETA, you basically have another two good options:

1. Enhance endpoint protection, where the communication is initiated and the payload is processed unencrypted (Cisco AMP for Endpoints does a great job, as it tracks all operations and communication of the endpoint; the infection can even be discovered afterwards, and you possess great data for retrospective analysis).
2. Implement decryption at the proxy in order to inspect the payload.

iluom
Contributor II

A solution at the endpoint/proxy seems a good choice, but decrypting the traffic has an impact in terms of time, performance and cost, and in some areas is simply not possible because the necessary cryptographic keys aren't available.

Another aspect of this approach, however, is that it may infringe the privacy policy.

Chandra Mouli, CISSP, CCSP, CSSLP
OS22783
Newcomer II

As others here have mentioned, decryption at the edge device is a great way to accomplish this. If you go this route, keep the following things in mind:

 

* There is an impact to the throughput/speed (although we have found it to be unnoticeable with properly sized hardware)

* You will want to take into consideration things that you should *not* decrypt (HIPAA, etc.)

* Thick-client apps that use certificate pinning / hard-coded certs will not play nice and will end up requiring exceptions


___________________________
CISSP, OSCP
rslade
Influencer II

> iluom (Newcomer I) posted a new topic in Tech Talk on 01-06-2019 01:31 AM in the

>   Can anyone suggest ... How to detect or prevent malware in encrypted traffic

As Cohen pointed out (in 1983), there are really only three ways to detect
malware, and each of them relies on being able to do some examination.

So, basically, unless you can get people to encrypt in a homomorphic manner, the
answer is no.

(I suppose I should qualify that: activity monitoring and change detection could
provide some alerts, but only "after the fact" ...)

> without depending on a security tool

That'd be interesting. You'd have to explain that one to me.

>    I am aware that Cisco comes with
> Encrypted Traffic Analytics (ETA), which monitors network packet metadata to
> detect malicious traffic even if its encrypted

You (or Cisco) would have to explain *that* one to me, as well. I suppose it could
rely on blacklisting of sites for source traffic or something ... Then again, I
suppose some kind of signature-based IDS might be involved, if you are looking for
"malicious traffic" as opposed to malware ...

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
denbesten
Community Champion

 
Pista
Newcomer I

How ETA works: https://www.networkworld.com/article/3246195/lan-wan/how-cisco-s-newest-security-tool-can-detect-mal...

Obviously not able to inspect actual payload, but uses metadata to do the magic. Don't think about it as a sole protection, rather an enhancement to infrastructure defense.