AISA - v6 - Damien Manuel

Date post: 22-Jan-2018
Page 1: AISA -  v6 - Damien Manuel

Corporate Partners

Are bad guys hiding in your “Secure” traffic?

• The world has changed

• Threat taxonomy

• Why decrypt SSL traffic?

• What to decrypt

• Where to decrypt it

• Use cases

• Privacy issues

• Recommendations

Page 2

The World has Changed

                    1996                                   2015
Websites            75,000# to 650,000#3                   1 billion (Sep 2014)#
Internet access     28.8 to 33.6 Kbps                      Up to 100 Mbps
Internet users      36 million#4                           3 billion#2
Internet browsers   Netscape Navigator, IE3                Firefox 37.01, Opera, Chrome, Safari, IE11
Search engines      Lycos, LookSmart, Hotbot, Yahoo!,      Google, Bing, Yahoo!, DuckDuckGo, Baidu,
                    Altavista, Infoseek, WebCrawler        Rambler, Naver etc.
Also in 1996: Google.com didn't exist; screen resolution 640 x 480

Source: # Netcraft.com, #2 http://www.internetworldstats.com, #3 http://smithsonian.yahoo.com & #4 IDC

Page 3

Removable Media Density

1996: 720K to 1.4 MB; 100 MB

2015: Up to 1 TB USB 3.0

Page 4

Communication: 1996 vs 2015 (image only, no text recovered)

Page 5

Storage Density

1996: 660 MB

2015: Up to 6 TB

Page 6

Security Changed, Threats Changed

Timeline chart, 1996 to 2015 (year marks: 1996, 1998, 2000, 2003, 2005, 2007, 2010, 2015)

Security controls appearing along the timeline: Stateful Firewalls, SIEM, IDS, IPS, HIPS, WAF, UTM, Data Analytics, DLP, SSL Decryption

Threats appearing along the timeline: PC virus, spam, Internet virus, worms, DDoS, trojans, phishing, spyware, ransomware, malvertising, watering hole, mobile attacks, APT

Page 7

Threat Taxonomy: The who and what!

Page 8

Creative Exploiter

• Curious about systems and how they work

• Likes a challenge or puzzle to unlock

• Not necessarily malicious

Target: Any system, anything

Page 9

John Draper

*Images from http://www.webcrunchers.com

Page 10

Script Kiddie

• Typically using code developed by others

• Often lacks detailed programming skills

• Often students

Motivation: (Peer) recognition / bragging rights

Target: Universities, schools, websites, devices connected to the Internet

Page 11

Corporate & Industrial Espionage

• Sponsored by individuals, organisations and in some cases governments

Motivation: To obtain trade secrets or other information for a competitive advantage

Target: Organisations in the same or similar sectors / market segment. High Tech / R&D

Page 12

The Insider – The bad side

• Disgruntled employee (current or former)

• Typically opportunistic, some are well planned

Motivation: Revenge, getting what they think they deserve, solving a financial problem, the desire to feel important

Target: Any organisation

Page 13

The Insider – The moral dilemma

• Current or former employee

Motivation: Ethical, social, religious or moral obligation to society and the broader community. Correcting a mistake, providing governance where none exists or providing transparency.

Target: Any organisation (typically government)

Page 14

The Insider – The moral dilemma

Whistle-blowers: Mark Felt, Frank Serpico, Edward Snowden, Thomas Drake, Chelsea Manning, Jesselyn Radack

Page 15

Hacktivism

• Data extraction and publication

• Distributed Denial of Service

• Doxing

• Seeks very public recognition to be considered successful

Motivation: Political or social

Target: Any corporation, government or individual

Logo source: Anonymous

Page 16 (image only)

Page 17 (image only)

Page 18

• 1200 emails .sa (Saudi Arabia)

• 251,831 Sydney (3rd highest City)

• 213,847 Melbourne

• 118,857 Brisbane

• 88,754 Perth

• 700 Australian government officials and police

• 15,000 .gov / .mil

Page 19

Cyber Vigilante

• DIY justice

• Companies / individuals “hack back”

Motivation: Political, social justice and compliance with social norms (“the norm police”)

Target: Corporations, governments, individuals, and attackers

Page 20

Nation Sponsored

• The new and, until recently, hidden landscape in warfare

Motivation: Seeks access to sensitive business / diplomatic data to gain a tactical advantage

Target: Any organisation with intellectual property, research and development data & strategic infrastructure.

Page 21

Organised Crime

• Various organisational structures

• Outsources, just like legitimate organisations

• Expanding into new markets (carbon credits)

Motivation: Money, control and power

Target: Financial sector, end users of financial services & home users

Page 22

Terrorist Groups (Cyber Terrorists)

• Aim is to disrupt daily life

• Will go to any means necessary

Motivation: Ideologically driven from a religious, political or cultural perspective

Target: Critical infrastructure, key systems, uniforms & the general population

Page 23

Chart: Impact / Motivation (Annoyance, Hurt, Destroy) plotted against Available Resources (Low, Medium, High)

Actors placed on the chart: Creative Exploiter, Script Kiddie, Cyber Terrorists, Hacktivism, The Insider, Cyber Vigilante, Organised Crime, Nation Sponsored

Page 24

“50% of network attacks will use SSL by 2017 to bypass controls”

Page 25

Internet users encrypting their online communications has doubled in North America, and quadrupled in Latin America and Europe over just the past year.

Sandvine, “Global Internet Phenomena Report,” May 2014.

Page 26

SSL Trends & Statistics

Weekly

Top 50 Most Visited sites - 69% HTTPS

Top 10 Most Visited Sites – 100% HTTPS

Daily

750M Domain / IP rating requests - HTTP

110M Domain / IP rating requests – HTTPS

30K Unique / Unknown Executable Applications - HTTPS

Page 27

SSL Trends & Statistics

Weekly

• 1.1M Sites Classified Potentially Unwanted Software

24% - Enterprise Users 76% - Consumer Users

• +40,000 Requests Newly-Classified Malicious HTTPS Sites

• 100,000 Requests to Command and Control HTTPS Sites

35% from Enterprise Users

Page 28

Let’s look at it another way, from other sources (Source: Alexa.com)

Or: 14 of the top 15 English websites use only HTTPS

Page 29

Encryption masks data exfiltration

Not necessarily malicious...

Page 30

Basics of SSL

1. Request key exchange

2. X.509 Cert containing public key

3. Confirms Cert with Certificate Authority

4. Random symmetric key, encrypted with the server’s public key.
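The four steps on this slide, as an added example that is not part of the deck: a toy model using textbook RSA on tiny primes (no padding, no X.509 encoding, no record layer) so that every value is a plain Python int and the order of the steps and the step 3 check are visible. The primes, the subject name www.example.test and the hash-based "certificate" format are constructed for illustration.

```python
"""Added example (not from the deck): the four-step exchange on the slide,
modelled with textbook RSA on tiny primes so every value fits in a Python int.
No padding, no real certificate format, no TLS record layer: the point is the
order of the steps and what each party can and cannot compute."""
import hashlib
import secrets

# Constructed key material: tiny primes keep the arithmetic inspectable.
# A real deployment uses 2048-bit or larger keys with OAEP/PSS padding.
CA_PRIMES = (101, 113)
SERVER_PRIMES = (61, 53)


def make_rsa_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for two primes; e must be coprime to phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, m):
    """Raw RSA: encrypt/verify with the public key, decrypt/sign with the private one."""
    n, exponent = key
    return pow(m, exponent, n)


def cert_digest(subject, public_key, modulus):
    """Hash of the fields the CA vouches for, reduced so it is signable under `modulus`."""
    n, e = public_key
    data = f"{subject}|{n}|{e}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def issue_certificate(ca_private, subject, server_public):
    """Prerequisite for step 2: the CA signs (subject, server public key)."""
    digest = cert_digest(subject, server_public, ca_private[0])
    return {"subject": subject, "public_key": server_public,
            "signature": rsa_apply(ca_private, digest)}


def verify_certificate(cert, ca_public, expected_subject):
    """Step 3: the client checks the CA signature and that the name matches."""
    if cert["subject"] != expected_subject:
        return False
    digest = cert_digest(cert["subject"], cert["public_key"], ca_public[0])
    return rsa_apply(ca_public, cert["signature"]) == digest


def derive_session_key(premaster):
    """Both sides turn the shared secret into the symmetric key the same way."""
    return hashlib.sha256(premaster.to_bytes(4, "big")).hexdigest()


def run_handshake(cert, ca_public, server_private, expected_subject,
                  randbelow=secrets.randbelow):
    """Steps 1-4 from the client's side, with the server's unwrap computed inline.

    Returns (client_session_key, server_session_key); the two must agree."""
    # Step 1: client asks for a key exchange. Step 2: server replies with `cert`.
    # Step 3: client validates the certificate against the CA it trusts.
    if not verify_certificate(cert, ca_public, expected_subject):
        raise ValueError("certificate rejected: unknown CA or name mismatch")
    # Step 4: client picks a random secret and wraps it with the server's public key.
    n = cert["public_key"][0]
    premaster = 2 + randbelow(n - 3)                # constructed range [2, n-2]
    wrapped = rsa_apply(cert["public_key"], premaster)
    # Only the holder of the matching private key can unwrap it; anything in the
    # path that lacks that key sees `wrapped` and nothing more.
    server_premaster = rsa_apply(server_private, wrapped)
    return derive_session_key(premaster), derive_session_key(server_premaster)


if __name__ == "__main__":
    ca_public, ca_private = make_rsa_keypair(*CA_PRIMES)
    srv_public, srv_private = make_rsa_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_private, "www.example.test", srv_public)
    client_key, server_key = run_handshake(cert, ca_public, srv_private, "www.example.test")
    print("session keys agree:", client_key == server_key)
```

The two rejection paths in verify_certificate are the ones a decryption device has to reproduce on the client's behalf when it terminates the session: a certificate whose name does not match, or one that does not verify under a CA the client trusts, and the wrapped secret in step 4 is why a device that only watches the wire, without the server's private key, cannot recover the session key.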

Page 31

So why don’t people Decrypt?

Perception that volume of encrypted traffic is insignificant

Performance considerations

Workload considerations

Privacy considerations

Page 32

What to Decrypt?

Webmail: Content needs to be inspected to be scanned by the defense in depth security deployment.

Social Media: Common channels of malware infection or sensitive content leakage.

Web Browsing: Search engines and general web application traffic which is SSL enabled by default. To enforce acceptable use policies and protect data.

File Sharing: A popular medium for sensitive files to be leaked or malicious files to be downloaded.

SaaS: Enforce tighter policies; strong likelihood these contain sensitive data (HR, CRM etc.).

“To net it out, if an application has access to protected or critical data you should decrypt and inspect its traffic” Mike Rothman, Analyst and President, Neurosis

Page 33

Where to Decrypt?

• SSL/TLS decryption and re-encryption is processor intensive

• While some security solutions provide SSL decryption and/or encryption as an optional feature, it is rarely enabled

• Typical performance decreases over 50%*

Chart: performance loss with SSL enabled for Intrusion Prevention, Next Gen Firewall and Forensics

*NSS Labs Analyst Brief: Significant SSL Performance Loss Leaves Much Room for Improvement, John W. Pirc

Page 34

Where to Decrypt?

Firewall
• Application classification requires visibility into network packets
• Inline for ingress & egress
• Performance degradation

Secure Web Gateway
• Filtering policy enforcement
• Integration with anti-malware
• Can decrypt SSL
• Performance degradation

DLP
• Detection of sensitive data requires visibility
• No decryption capabilities

IPS
• Signature matching requires visibility into network/app data
• Limited decryption capabilities

Dedicated SSL Decryption Device
• Decrypt & encrypt very fast
• Policy-based actions
• Categorisation support
• High performance
• Able to feed multiple security devices
• Additional infrastructure

Page 35

Use Cases - Enforcing Policy

• Impossible to enforce policies when you can’t see traffic
– Implications for:
  • Firewalls
  • Web security gateways
  • Intrusion detection & prevention (IPS / IDS)
  • Data loss prevention (DLP)
  • Network-based malware sandboxing

• Major considerations
– Throughput & user experience
– Granular implementation of policies (protocol, user/group, application, and web site category)

Page 36

Use Cases - Monitoring and Forensics

• In this case we are not re-encrypting or quickly discarding data
– Goal may be to derive meta data for analysis, or a complete record of data flow

• Decrypted traffic may become data at rest

• Introduces many issues that require consultation from HR, legal groups

• Risk analysis needs to be performed on these policies

Page 37

Issues Under Australian Law

Telecommunications (Interception and Access) Act 1979: Decrypting SSL traffic without users’ or customers’ knowledge is arguably “interception”.

Privacy Act 1988: Contains “Australian Privacy Principles” which govern collection, use and disclosure of private information - implications for decrypting “private” traffic.

In both cases, organisations can ensure compliance with:

• Transparent and clearly communicated policies.

• Effective controls in technology to implement policies.

Source: HopgoodGanim: SSL visibility: A legal analysis, Hayden Delaney

Page 38

Recommendations - Technology

Dedicated devices solve many of the technology issues associated with encrypted traffic management
– Performance is critical!
– Single point of decryption

Policy-based enforcement
– Using host categories, IP addresses, CA status, Subject/Domain Name and more
– Decides to decrypt or not based on category of service being accessed over SSL

More than just HTTPS
– All ports
– Protocols
– Cipher suites
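The policy-based decision described here and on the "What to Decrypt?" and "Enforcing Policy" slides, as an added example that is not part of the deck: it pulls the Subject/Domain Name from the SNI extension of a TLS ClientHello, looks the host up in a category database, and returns decrypt, bypass or block. The hostnames, the category database, the privacy-bypass set (financial and health) and the rule that an untrusted CA is blocked are all constructed assumptions; a real device takes categories from its own feed and the rules from the policy agreed with HR and legal.

```python
"""Added example (not from the deck): a decrypt/bypass/block decision for one
TLS connection from the server name in its ClientHello, a host-category lookup
and the CA status of the server certificate. Hosts, categories and rules are
constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed category database standing in for a URL-categorisation service.
CATEGORY_DB = {
    "mail.example-webmail.test": "webmail",
    "social.example.test": "social media",
    "share.example-files.test": "file sharing",
    "crm.example-saas.test": "saas",
    "bank.example.test": "financial",
    "clinic.example.test": "health",
}
# Categories the deck names as worth inspecting ...
DECRYPT_CATEGORIES = {"webmail", "social media", "web browsing", "file sharing", "saas"}
# ... and privacy-sensitive ones this policy leaves encrypted (assumed policy choice).
PRIVACY_BYPASS = {"financial", "health"}


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # skip client_version + random
        pos += 1 + body[pos]                        # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                           # cipher suites
        pos += 1 + body[pos]                        # compression methods
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                          # extension type 0 = server_name
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if name_type == 0:                  # host_name
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                 # truncated or garbage input


@dataclass
class Decision:
    host: Optional[str]
    category: str
    action: str          # "decrypt", "bypass" or "block"
    reason: str


def decide(client_hello: bytes, ca_trusted: bool) -> Decision:
    """Apply the constructed policy: CA status first, then host category."""
    host = extract_sni(client_hello)
    category = CATEGORY_DB.get(host, "uncategorised") if host else "unknown"
    if not ca_trusted:
        # Assumed rule: a certificate that does not chain to a trusted CA is refused
        # rather than re-signed and handed on to the user.
        return Decision(host, category, "block", "untrusted certificate authority")
    if category in PRIVACY_BYPASS:
        return Decision(host, category, "bypass", "privacy-sensitive category")
    if category in DECRYPT_CATEGORIES or category in ("uncategorised", "unknown"):
        return Decision(host, category, "decrypt", "inspect with the security stack")
    return Decision(host, category, "bypass", "category not selected for inspection")


def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (test input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, fixed random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("share.example-files.test", "bank.example.test", "nothing.example.test"):
        print(decide(build_client_hello(host), ca_trusted=True))
```

Decisions are taken on the SNI, which is sent in the clear, so the device knows whether it will decrypt before any private content is exposed; that is what lets the privacy-bypass categories stay end-to-end encrypted while the uncategorised hosts default to inspection. Malformed or non-TLS input yields no host name and falls into the same default rather than being waved through.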

Page 39

Recommendations - Policy

Consultation! This is not only a security conversation
– Security teams
– Human resources
– Legal
– Executive stakeholders

Transparent communication about the inspection of traffic and the collection and use of data in
– Employment agreements
– Freely available policy documents

Access and process controls
– Access to tools
– Access to data

Consult some more!

Page 40

Additional Resources

Gartner: Security Leaders Must Address Threats From Rising SSL Traffic, Jeremy D'Hoinne, Adam Hils

Neurosis, L.L.C.: Security and Privacy on the Encrypted Network

HopgoodGanim: SSL visibility: A legal analysis, Hayden Delaney

The Visibility Void: Attacks through HTTPS a vulnerability for enterprises

[email protected]

