Analysts estimate that over half of all network attacks leverage encryption. By using forged or compromised keys and certificates, attackers create malicious tunnels into your network where they hide while they conduct surveillance, install malware and ultimately exfiltrate valuable data.
This type of attack is particularly nefarious because the tunnels that attackers use appear to contain everyday business communications unless they are inspected. In the Equifax breach, an expired certificate disabled TLS inspection devices and left the door open to encrypted tunnels created by attackers over several months. But let’s face it, even with fully functional security systems, how many organizations inspect 100% of their network traffic?
Tunneling is a method of transporting arbitrary networking data over an encrypted connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs and access intranet services across firewalls.
For example, when you connect to the internet with a VPN, it creates a connection between you and the internet that surrounds your internet data like a tunnel, encrypting the data packets your device sends. However, the tunnel can’t be considered private unless it’s accompanied with encryption strong enough to prevent attackers
Another example is an SSH tunnel. SSH is used for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. This capability makes SSH a particularly desirable target for cybercriminals.
The relative vulnerability of encrypted tunnels depends on a variety of factors, such as the security of their protocols, their attributes and an organization’s overall awareness of how tunnels are being used. Below, I’ve outlined the types of encrypted tunnels that cybercriminals most often employ and how they may contribute to an attack.
“Encryption offers the perfect cover for cyber criminals. Without the proper visibility, many security solutions are useless against the increasing number of attacks hiding in encrypted traffic,” notes Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The problem is that attackers lurking in encrypted traffic make quick responses even more difficult. This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs. This overconfidence makes it very clear that most security professionals don’t have the strategies necessary to protect against malicious encrypted traffic.”
The most effective way to prevent attacks on encrypted tunnels is to orchestrate TLS/SSL inspection, which provides critical visibility into TLS data streams. To do this, you must have access to the private keys for the thousands of systems on which you are monitoring traffic. Supporting TLS inspection at this scale requires the ability to automatically and securely transfer and install private keys on TLS inspection devices. In addition to TLS inspection, you should consider monitoring the entitlements and usage of your SSH keys.
Any type of encrypted tunnel can be misused in a cyber attack. Virtual Private Networks (VPNs) are the most recognizable example of encrypted tunnels and are understood to be vulnerable, but many organizations do not realize that SSL/TLS and SSH tunnels are also susceptible. As a result, most organizations don’t provide adequate oversight for the full range of tunnels that travel into and out of their networks. Does yours?
This blog was originally posted by Nick Hunter on August 15, 2017.