Outlining the threat landscape for encrypted connections
- Encrypted network traffic provides security to data transfers on the internet, enabling the exchange of personal and confidential data.
- As encryption techniques evolve, hackers have also improved their methods, encrypting threats to avoid detection.
Encryption is the process of converting plaintext to ciphertext so that only the intended recipients can access the actual data. An algorithm is used to encode the data, and the same algorithm is used at the receiving end to decode the data. Encryption is classified into two types: symmetric key and public key.
The threat landscape
Malicious actors have been observed using encryption to cover their command-and-control (C2) activities, which gives them more time to inflict damage on infected systems. A rising number of threat incidents are observed to be masked in encrypted traffic.
- Ransomware is delivered through encrypted communication, such as email and social networking sites. It communicates with its C2 server over an encrypted network and renders files on the infected system inaccessible by encrypting them. Notorious examples include Ryuk and WannaCry ransomware.
- Hackers are using encrypted websites to host malicious threats.
- Banking trojans monitor web traffic using a proxy or using their C2 server. These trojans use encryption to prevent the detection of this traffic.
- RATs and botnets have also been observed to use encryption to hide their communications with C2 servers.
- Cryptocurrency miners must maintain a TCP connection between the computers and their server to operate. Because of the length of these connections and the risk of detection, bad actors encrypt the connections.
Detecting malicious encrypted traffic
With attackers also encrypting their traffic, it is important for organizations to deploy tools and techniques to spot malicious encrypted traffic.
- Network anomaly detection tools help monitor the traffic for suspicious activities.
- Traffic fingerprinting is a technique that looks for activity matching patterns associated with malicious actors. However, the success rate of this technique may not be very high, as hackers may add a random data package to deviate from the expected fingerprint.
- DNS protection technologies can also help by blocking connections with malicious domains.
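The fingerprinting caveat above, seen from the defender's side, as an added example that is not from the original article: an exact-hash fingerprint stops matching after one extra value, while a tolerant comparison still flags the client. It assumes the JA3 convention for fingerprinting a TLS ClientHello (the article names no specific method); the field values, the similarity score and the 0.85 threshold are constructed for illustration.

```python
import hashlib

# Constructed ClientHello values (decimal), not taken from real malware.
KNOWN_BAD = {"version": 771, "ciphers": [49195, 49199, 52393, 156],
             "extensions": [0, 10, 11, 13, 23], "curves": [29, 23, 24],
             "point_formats": [0]}
# Same client with one extra, arbitrary extension value appended.
PADDED = dict(KNOWN_BAD, extensions=[0, 10, 11, 13, 23, 65000])
# Unrelated client with a different cipher and extension profile.
BENIGN = {"version": 771, "ciphers": [4865, 4866, 4867, 49195],
          "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13, 43, 45, 51],
          "curves": [29, 23, 24, 25], "point_formats": [0]}
FIELDS = ("ciphers", "extensions", "curves", "point_formats")

def ja3_string(hello):
    """JA3 layout: version,ciphers,extensions,curves,point_formats."""
    parts = [str(hello["version"])]
    parts += ["-".join(str(v) for v in hello[f]) for f in FIELDS]
    return ",".join(parts)

def ja3_hash(hello):
    """MD5 of the JA3 string; any added value yields a different hash."""
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def similarity(a, b):
    """Mean Jaccard similarity of per-field value sets, ignoring order."""
    if a["version"] != b["version"]:
        return 0.0
    scores = []
    for f in FIELDS:
        sa, sb = set(a[f]), set(b[f])
        scores.append(len(sa & sb) / len(sa | sb) if sa | sb else 1.0)
    return sum(scores) / len(scores)

def classify(hello, blocklist, reference=KNOWN_BAD, threshold=0.85):
    """Exact hash lookup first, then a tolerant comparison (assumed policy)."""
    if ja3_hash(hello) in blocklist:
        return "exact-match"
    if similarity(hello, reference) >= threshold:
        return "near-match"
    return "no-match"

BLOCKLIST = {ja3_hash(KNOWN_BAD)}

if __name__ == "__main__":
    for name, hello in [("known", KNOWN_BAD), ("padded", PADDED), ("benign", BENIGN)]:
        print(name, ja3_hash(hello), classify(hello, BLOCKLIST))
```

A near match is a lead for triage rather than a verdict, since benign clients built on the same TLS library can score high against a malicious reference.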