Since Edward Snowden’s revelations of sweeping internet surveillance by the NSA, the push to encrypt the web has been unrelenting.
Bolstered by Google’s various initiatives (e.g., its prioritizing of websites that use encryption in Google Search results, making Chrome mark HTTP sites as “not secure,” and tracking of worldwide HTTPS usage), CloudFlare’s Universal SSL offer and the advent of Let’s Encrypt, nearly seven years later various sources put the percentage of encrypted internet traffic between 80% and 90% across all platforms.
That’s good news for end users who wish their interactions with various websites to be safe from eavesdropping by third parties – whether they be hackers, companies or governments.
But with the sweet comes the sour: criminals are exploiting users’ erroneous belief that a site with HTTPS in its URL can be considered completely safe to trick them into trusting phishing sites.
According to SophosLabs, nearly one-third of malware and unwanted applications enter the enterprise network through TLS-encrypted flows.
Also, nearly a quarter of malware now communicates over HTTPS connections, making it more difficult for businesses to spot active infections within their networks, especially because – a recent survey has revealed – only 3.5% of organizations are actually decrypting their network traffic to properly inspect it.
Why so few? What’s stopping them? The number one reason is that they are concerned about firewall performance, but they also cite privacy concerns, degraded user experience (websites not loading properly) and complexity as important factors for their decision to not do it.
Covert malicious activity
Malware that communicates via TLS-secured connections includes well-known and nasty malware families like TrickBot, IcedID and Dridex.
The use of transport-layer encryption is just one of the methods for keeping the malware’s existence on compromised systems secret, but it helps it covertly download additional modules and configuration files and send the collected data to an outside server.
“We’ve also observed that, increasingly, more malicious functions are being orchestrated from the command and control server, rather than implemented in the malware binary, and the C2s make decisions about what the malware should do next based on the exfiltrated data, which increases the volume of network traffic,” Sophos researcher Luca Nagy pointed out.
“Malware authors also want to empower their binaries with newer features and refresh them more often, which also increases the need for secure network communication, to prevent network-level protection tools from discovering an active infection inside the network every time it downloads an updated version of itself.”
Performance before protection? It doesn’t have to be
Some respondents in the previously mentioned survey were also unaware of the need to decrypt network traffic, even though it’s (or should be) common knowledge that malware often uses encrypted connections for communication.
Connections to “safe” destinations like financial websites may, perhaps, be exempted from inspection, but most other encrypted traffic coming in and going out of the corporate network should be decrypted and analyzed.
The problem with this is that many firewall offerings are not up to the task of inspecting a huge volume of encrypted sessions without causing applications to break or degrade network performance.
Not all, though: Sophos’ XG Firewall, with its new “Xstream” architecture, was architected from the ground up with performance in mind, allowing users to decrypt and see all traffic at a performance level that is just about wire speed.
A new firewall for your traffic decryption needs
“With Sophos XG Firewall, IT managers can immediately deploy TLS inspection without concerns over performance or breaking incompatible devices on the network, and they can turn it on for different parts of the network with flexible policy setting options,” Dan Schiappa, chief product officer at Sophos, told Help Net Security.
“We’ve created the ability to inspect all TLS traffic across all protocols and ports, eliminating enormous security blind spots. Sophos XG Firewall scans all TLS encrypted traffic – not just web traffic. This is important because criminals are constantly trying to avoid attention and use non-standard communication ports to evade detection.”
Other new features include support for TLS 1.3 (which many other solutions don’t have); FastPath policy controls that accelerate performance of SD-WAN applications and traffic, including Voice over IP, SaaS and others, to up to wire speed; and an enhanced Deep Packet Inspection (DPI) engine that dynamically risk-assesses traffic streams and matches them to the appropriate threat scanning level.
Schiappa also said that they’ve wired data science and threat intel much deeper than ever before: AI-enhanced threat intelligence from SophosLabs provides insights needed to understand and adjust defenses to protect against a constantly changing threat landscape.
Finally, user-friendliness should not be discounted: Sophos XG Firewall is simple to use and manage on a single cloud-based platform – Sophos Central – where organizations can easily layer and manage multiple firewalls as well as synchronize their security applications.