Community Champion

Re: Malware in encrypted traffic

> Pista (Newcomer I) posted a new reply in Tech Talk on 01-07-2019 04:40 PM in the

> How ETA works:
> https://www.networkworld.com/article/3246195/lan-wan/how-cisco-s-newest-security-tool-can-detect-malware-in-encrypted-traffic.html

OK, yeah, basically stateful inspection on packet headers only.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Be a scribe! Your body will be sleek, your hand will be soft. You
are one who sits grandly in your house; your servants answer
speedily; beer is poured copiously; all who see you rejoice in
good cheer. Happy is the heart of him who writes; he is young
each day. - Ptahhotep, Vizier to Isesi, 5th Dynasty, 2300 BC
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: Malware in encrypted traffic

ETA solutions look for patterns in the traffic, read un-encrypted metadata, flag suspicious packets, and so on --- but if the traffic isn't actually decrypted for full inspection, there's no guarantee that it's devoid of malware.

@iluom, if implementing decryption at an intermediate device --- such as a proxy --- raises privacy concerns, you could attempt to tailor it. For example, I've added an exception to our privacy policy for the inspection of data coming into our organization's network. (I confess, I work in KSA where employee privacy isn't of so much concern.)

At the end of the day, preventing such attacks --- or at least reducing their impact --- calls for an approach with defense-in-depth. You should have preventive and detective measures implemented at the perimeter, the end-points, and the entire network, with the solutions integrated with one another.

If a perimeter device using ETA doesn't detect malware, and it gets decrypted on a user's system, an end-point security system there can quarantine the malware and isolate the system, as well as relay information to integrated systems to take actions at the network level.

With a layered approach, you have some assurance that should malware get past one layer, it still has to get through others.

We can't always depend on employee awareness here --- someone who sees his system acting strangely may just lean back and start using his smart phone rather than call Support --- so the solution should also be properly configured to alert the IT Security team.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
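To make concrete what "stateful inspection on packet headers only" and "read un-encrypted metadata" amount to in the two replies above, here is an added example (not code from the thread, Cisco, or any ETA product) that parses the one part of a TLS session an inspection device can read without any key: the ClientHello. It pulls out the SNI, cipher suites, extensions, groups and point formats, builds a JA3 string and MD5 fingerprint from them, and applies two constructed rules. The blocklisted SNI, the "known-bad" JA3 set (derived from a constructed sample rather than a real threat-intel feed) and the sample hellos are all made up for the demonstration.

```python
"""Fingerprint TLS ClientHellos from unencrypted handshake metadata (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them.
GREASE = {v for v in range(0x0a0a, 0x10000, 0x1010)}


def build_client_hello(sni, ciphers, groups, point_formats=(0,)):
    """Constructed sample traffic: one TLS record carrying a ClientHello."""
    ext = b""
    if sni is not None:                                    # server_name, type 0
        host = sni.encode()
        entry = b"\x00" + struct.pack(">H", len(host)) + host
        ext += struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry
    g = b"".join(struct.pack(">H", x) for x in groups)     # supported_groups, type 10
    ext += struct.pack(">HHH", 10, len(g) + 2, len(g)) + g
    pf = bytes(point_formats)                              # ec_point_formats, type 11
    ext += struct.pack(">HH", 11, len(pf) + 1) + bytes([len(pf)]) + pf
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body = b"\x03\x03" + bytes(32) + b"\x00"               # version, random, no session id
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"  # cipher suites, null compression
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def _u16(buf, off):
    return struct.unpack(">H", buf[off:off + 2])[0]


def parse_client_hello(record):
    """Extract the fields an inspection device can read without any key material."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs, p = record[5:], 4                                  # skip type + 24-bit length
    version = _u16(hs, p); p += 2 + 32                     # version, then skip random
    p += 1 + hs[p]                                         # session id
    cs_len = _u16(hs, p); p += 2
    ciphers = [_u16(hs, i) for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                         # compression methods
    end = p + 2 + _u16(hs, p); p += 2                      # extensions block
    exts, sni, groups, pformats = [], None, [], []
    while p < end:
        etype, elen = _u16(hs, p), _u16(hs, p + 2); p += 4
        data = hs[p:p + elen]; p += elen
        exts.append(etype)
        if etype == 0:                                     # server_name: first host_name entry
            sni = data[5:5 + _u16(data, 3)].decode()
        elif etype == 10:                                  # supported_groups
            groups = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
        elif etype == 11:                                  # ec_point_formats
            pformats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "point_formats": pformats, "sni": sni}


def ja3(info):
    """JA3 string and MD5 digest, in the field order the reference implementation uses."""
    join = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), join(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed stand-ins for threat-intel feeds (hypothetical, not real indicators).
BLOCKED_SNI = {"c2.example.net"}
_BAD_SAMPLE = build_client_hello("anything.example", [0x002f, 0x0035, 0x000a], [0x0017])
KNOWN_BAD_JA3 = {ja3(parse_client_hello(_BAD_SAMPLE))[1]}


def assess(record):
    """Metadata-only verdict: nothing here ever sees the session's application data."""
    info = parse_client_hello(record)
    _, digest = ja3(info)
    reasons = []
    if info["sni"] is None:
        reasons.append("no SNI: destination cannot be policy-checked")
    elif info["sni"] in BLOCKED_SNI:
        reasons.append("SNI on blocklist")
    if digest in KNOWN_BAD_JA3:
        reasons.append("JA3 matches known-bad client fingerprint")
    return {"sni": info["sni"], "ja3": digest, "reasons": reasons,
            "verdict": "flag" if reasons else "allow"}


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com", [0x1301, 0xc02b, 0x002f], [0x001d, 0x0017]),
                  build_client_hello("c2.example.net", [0x1301, 0xc02b, 0x002f], [0x001d, 0x0017]),
                  build_client_hello("cdn.example.org", [0x002f, 0x0035, 0x000a], [0x0017]),
                  build_client_hello(None, [0x1301], [0x001d])):
        print(assess(hello))
```

The third sample is flagged although its SNI is harmless, because JA3 keys on how the client is built rather than where it is going; that is the kind of signal a metadata-only approach gives you. What it cannot give you is any view of the payload: a session to an unlisted host from a fingerprint you have not seen before passes, whatever it carries, which is exactly the gap the replies above describe.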
Community Champion

Re: Malware in encrypted traffic

Interesting that most have concentrated on a single vendor, Cisco. If you look carefully within Government circles, within their policies and controls, they often mandate TLS decryption for web traffic and also Identity and Access Portals. So to give you some examples: Identity Security Access Manager (ISAM) for Business has a web proxy called WebSEAL, which has proxies for both mobile and web services, with an inbuilt layer 4 to layer 7 WAF which, by using the server digital certificate, can decrypt and check the incoming and outgoing traffic before it is allowed into the organisation's web servers/farm etc.

Other vendors use F5 with its Advanced Security Module, which has good layer 4 to layer 7 TLS inspection capabilities in virtual or physical formats.

However, from experience, you need plenty of testing, non-production environments and Proofs of Concept, because often the claims of manufacturers have to be verified and tested carefully; sometimes their claims do not add up in reality.


Regards

Caute_cautim

Newcomer I

Re: Malware in encrypted traffic

Surely there are many vendors offering "man in the middle" decryption and inspection, but the original question was about the ability to detect malware within encrypted traffic...

Community Champion

Re: Malware in encrypted traffic

In that case you will always need the ability to decrypt the incoming transmission, and you may have to re-encrypt it again by policy before it is forwarded on to the final destination. Normally one would have an assured solution, as it normally has to hold a copy of the private key for decryption purposes. Normally the solution has a proxy or an SSL/TLS forwarding capability with layer 4 to layer 7 inspection capabilities.

Regards


Caute_cautim