Organizations can no longer afford to overlook encrypted traffic

Whether you’re a small business operating out of a single office or a global enterprise with a huge and distributed corporate network, not inspecting the encrypted traffic entering and leaving can be a costly mistake, as cybercriminals are increasingly using TLS (Transport Layer Security) in their attacks.

Case in point: in Q1 2020, 23 percent of malware detected by Sophos used TLS to disguise malicious communications. Only a year later, that percentage has nearly doubled (45%)!

TLS encryption: For better and for worse

The widespread use of TLS encryption prevents criminals from stealing or tampering with sensitive data and from impersonating legitimate organizations online. Unfortunately, it can also allow malware to fly under the radar, hidden from enterprise IT security teams and the tools they use.

“A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware,” noted Sean Gallagher, Senior Threat Researcher at Sophos.

“It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.”

The company has also witnessed an increase in TLS use in manually deployed ransomware attacks, partly because the attackers use modular offensive tools (e.g., Metasploit, Cobalt Strike) that leverage HTTPS.

In general, though, the majority of the detected malicious encrypted communications came from droppers, loaders and other malware whose function is to download additional malware to the infected system, meaning that decrypting, inspecting and recognizing the nature of that traffic early on is key to keeping corporate systems and networks safe.

But despite obvious benefits, many organizations are reluctant to perform deep-packet inspection of their ingoing and outgoing network traffic. They have privacy concerns, worries that this practice will lead to a degraded user experience, and believe it to be too complex to handle. Mostly, though, they are worried their firewall simply can’t handle it.

For those organizations, Sophos offers a solution that was many years in the making: a new series of firewall appliances that offer TLS inspection capabilities at up to five times the speed of other models currently available on the market. The new appliances accelerate trusted traffic that doesn’t need to be scanned and concentrate their high-speed streaming deep-packet inspection on the rest.


Meeting the need for speed, accuracy, and flexibility

The recently unveiled Sophos XGS Series firewall appliances can inspect TLS traffic across all protocols and ports, since malware is known to use non-standard ports for its communication.

As Gallagher noted, “TLS can be implemented over any assignable IP port, and after the initial handshake it looks like any other TCP application traffic.”
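As an added illustration of why a port-based rule alone cannot find TLS (example code written for this article, not Sophos’s own implementation; the sample ClientHello bytes, host names and port numbers are constructed), the following Python checks whether a TCP payload begins with a TLS ClientHello regardless of the destination port and pulls out the server name (SNI):

```python
import struct
HANDSHAKE, CLIENT_HELLO, SNI_EXT = 0x16, 0x01, 0x0000   # TLS record/handshake/extension ids

def parse_client_hello(payload: bytes):
    """Return {'sni': host or None} if the TCP payload starts with a TLS ClientHello,
    else None. Only the byte layout is examined; the destination port plays no role."""
    try:
        if payload[0] != HANDSHAKE or payload[1] != 0x03:  # record type + major version
            return None
        body = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
        if body[0] != CLIENT_HELLO:
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 35 + hello[34]                                   # skip version, random, session id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hello[pos]                                  # compression methods
        sni = None
        if pos + 2 <= len(hello):                              # extensions are optional
            end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                if etype == SNI_EXT and elen >= 5:             # first host_name entry
                    nlen = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                    sni = hello[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
                pos += elen
        return {"sni": sni}
    except (IndexError, struct.error):
        return None                                            # truncated or not TLS

def build_client_hello(host: str) -> bytes:
    """Constructed TLS 1.2 ClientHello (one cipher suite, SNI only) for the sample."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed flows: (destination port, first TCP payload bytes).
SAMPLE_FLOWS = [(443, build_client_hello("update.example.com")),
                (8443, build_client_hello("files.example.net")),
                (8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]

def tls_on_nonstandard_ports(flows, standard_ports=(443,)):
    """(port, sni) for every flow that carries a ClientHello outside the expected ports."""
    parsed = ((port, parse_client_hello(data)) for port, data in flows)
    return [(p, info["sni"]) for p, info in parsed if info and p not in standard_ports]
```

The classification has to happen on the ClientHello: once the handshake completes, later records carry nothing beyond the five-byte record header that distinguishes them from any other TCP stream.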

The XGS Series also includes native support for TLS 1.3 and new Xstream flow processors for accelerating trusted traffic and improving the overall performance for important business applications. The latter are also software programmable.

“We wanted to make sure that the processing unit is not something that can only be coded once. This means that you can get firmware updates from us that can change the way the chip scans and looks for certain types of packets (and therefore it can accelerate those packets based on the new changes) or, alternatively, you can program certain policies yourself to take advantage of offload,” Daniel Cole, Senior Director of Product Management at Sophos, told Help Net Security.

Another advantage of these new firewall appliances is their modularity – you can mix and match ports and interface count to adapt connectivity preferences through Flexi Port expansion bays.

“You’re a customer and your network is growing. Maybe you had one switch and 20 users, and now you have a hundred users and five switches, and some of those are 10 Gigabit switches with interfaces for your VLAN trunking. Or perhaps you want to do 4G LTE backup. In any case, Flexi Port modules allow you to upgrade your current hardware model so, in effect, they protect your initial investment,” Cole pointed out.


The XGS Series appliances are FIPS compliant, easy to set up and easy to manage through the Sophos Central cloud management platform. They can also be independent of the platform, for example when they are used by institutions that are required to keep their networks air-gapped. Those appliances can be updated with signatures that are regularly downloaded either manually or through a script.

But most Sophos customers prefer to put their firewalls online and hook them into Sophos Central, Cole says, for better visibility, management, and reporting.

Finally – and most importantly – the XGS Series appliances deliver superlative zero-day threat protection, identifying and stopping advanced known and potential threats (including ransomware).

The capability is powered by the device’s Xstream architecture, Sophos’ threat intelligence and ML-based logic (via SophosLabs Intelix), and threat data (via SophosLabs).

“A lot of network security companies don’t have access to the level and breadth of data that Sophos can collect from the endpoints of the world – and we’ve been collecting and analyzing different types of malware, from different landscapes, petabytes and petabytes of data for the last 30 years,” Cole noted.

By pairing that wealth of threat intelligence with quick results provided by Intelix after detonating suspicious files in a sandbox, he’s confident that the XGS Series of appliances is best-in-class when it comes to zero-day protection.
