How attackers can take advantage of encrypted tunnels
Many organizations are not actively examining the encrypted traffic in their network. According to a Venafi survey, roughly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.
“As organizations encrypt more traffic and machine identity usage skyrockets, so do the number of opportunities for cyber criminals,” said Nick Hunter, senior technical manager for Venafi. “Any type of encrypted tunnel can be exploited in a cyber attack, and most organizations manage hundreds of thousands of keys and certificates each day. This use will only grow, and the dramatic increase of keys and certificates will only make the job of securing encrypted tunnels more difficult. Ultimately, organizations must secure their encrypted tunnels or risk being at the mercy of cyber attackers.”
Venafi security experts point out that without proper insight into encrypted tunnels, cyber attackers can use them against businesses in the following five ways:
Undetected movement across networks
Most large organizations use virtual networks to connect multiple offices and business partners. However, the encrypted tunnels in these virtual networks are rarely inspected, allowing attackers to go undetected. Cyber criminals can use these tunnels to move from site to site.
Eavesdropping on confidential traffic to steal data
The most common tunnels are those built by transport-layer security protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These tunnels provide a secure session between a browser and an application server. However, attackers may mount man-in-the-middle attacks to eavesdrop on encrypted traffic and steal data from their victims.
Access to endpoints
To secure internet communication, organizations create virtual networks using Internet Protocol Security (IPsec). This often means a tunnel from a remote site into a central site, which gives cyber criminals an ideal entry point. This type of attack typically compromises only established network endpoints, but it can be the start of a more sophisticated attack.
Setting up phishing websites
Attackers often use stolen or compromised certificates to establish a phishing website that a victim’s browser will trust. Users may then unwittingly share sensitive data with cyber attackers. Since HTTPS sessions are trusted – and rarely inspected – these attacks typically go unnoticed.
Privileged access to payloads
The tunnels created by Secure Shell (SSH) encryption are lucrative targets for attackers. SSH keys grant administrators privileged access to applications and systems, bypassing the need for manually typed authentication credentials. Unfortunately, this also means compromised SSH tunnels can create an ideal environment for moving malicious payloads between file servers and applications.
“On a positive note, there are ways organizations can confront this threat,” concluded Hunter. “Businesses must establish a baseline of machine identities that are trusted, regularly scan for untrusted identities and take a proactive approach to securing all machine identities. To do this, organizations need to centralize and review gathered intelligence and use automation to frequently rotate keys and certificates as often as they require a username and password to be changed. This can ensure all security tools organizations rely on maintain a continuously updated list of the relevant keys and certificates they need to inspect in their encrypted traffic. By protecting these machine identities and by integrating this data into security tools, security professionals can finally begin to shine a light into encrypted tunnels.”
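A concrete defender-side check that follows from the SSH key risk described under "Privileged access to payloads" and from the closing advice to baseline trusted machine identities and scan for untrusted ones: the added Python example below parses an OpenSSH authorized_keys file, computes each key's SHA256 fingerprint the way OpenSSH prints it, compares it against a baseline of approved fingerprints, and also flags keys that carry no restricting options. This is illustrative code written for this article, not Venafi's tooling; the authorized_keys contents and key blobs are constructed (they are syntactically valid but not real keys), and the function and constant names are assumptions.

```python
"""Audit an OpenSSH authorized_keys file against a baseline of trusted keys.

Added example for this article (not Venafi's code). All names are illustrative.
"""
import base64
import hashlib
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Key-type prefixes that may open an authorized_keys entry when no options precede it.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed key blobs: the real ssh-ed25519 wire prefix followed by filler bytes.
# They decode as valid base64 but are not genuine keys.
_ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"
ALICE_BLOB = _ED25519_PREFIX + "A" * 43
BACKUP_BLOB = _ED25519_PREFIX + "B" * 43
UNKNOWN_BLOB = _ED25519_PREFIX + "C" * 43

# Constructed sample authorized_keys contents.
SAMPLE_AUTHORIZED_KEYS = f"""\
# admin workstation key, part of the approved baseline
ssh-ed25519 {ALICE_BLOB} alice@workstation
command="/usr/bin/backup.sh",no-pty ssh-ed25519 {BACKUP_BLOB} backup@nas
ssh-ed25519 {UNKNOWN_BLOB} unknown@laptop
"""


def fingerprint_of(blob_b64: str) -> str:
    """Return the OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class AuthorizedKey:
    key_type: str
    blob_b64: str
    comment: str
    options: str  # raw option string with shell quoting removed; "" when absent
    fingerprint: str = field(init=False)

    def __post_init__(self) -> None:
        self.fingerprint = fingerprint_of(self.blob_b64)

    def is_restricted(self) -> bool:
        """True when the entry limits what the key can do (forced command or source host)."""
        opts = self.options.lower()
        return "command=" in opts or "from=" in opts


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys lines: [options] key-type base64-blob [comment]."""
    keys: List[AuthorizedKey] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps quoted option values (e.g. command="a b") together as one token.
        tokens = shlex.split(line)
        options = ""
        if not tokens[0].startswith(KEY_TYPE_PREFIXES):
            options, tokens = tokens[0], tokens[1:]
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: malformed authorized_keys entry")
        key_type, blob = tokens[0], tokens[1]
        comment = " ".join(tokens[2:])
        keys.append(AuthorizedKey(key_type, blob, comment, options))
    return keys


def audit(keys: List[AuthorizedKey], trusted: Set[str]) -> Dict[str, List[AuthorizedKey]]:
    """Split keys into trusted / untrusted by fingerprint and list unrestricted entries."""
    report: Dict[str, List[AuthorizedKey]] = {"trusted": [], "untrusted": [], "unrestricted": []}
    for key in keys:
        report["trusted" if key.fingerprint in trusted else "untrusted"].append(key)
        if not key.is_restricted():
            report["unrestricted"].append(key)
    return report


# Baseline of approved fingerprints; in practice this comes from a central inventory.
TRUSTED_BASELINE = {fingerprint_of(ALICE_BLOB), fingerprint_of(BACKUP_BLOB)}

if __name__ == "__main__":
    result = audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), TRUSTED_BASELINE)
    for key in result["untrusted"]:
        print(f"UNTRUSTED {key.fingerprint} {key.comment}")
    for key in result["unrestricted"]:
        print(f"UNRESTRICTED {key.fingerprint} {key.comment}")
```

Run against a real file with `parse_authorized_keys(open(path).read())` and a baseline exported from whatever inventory the organization keeps; anything in the "untrusted" list is an identity that was never approved, and the "unrestricted" list shows keys that can run arbitrary commands from anywhere, which is where a forced command or `from=` restriction would narrow the blast radius of a stolen key.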