How do You Spot Malware Lurking in Encrypted Traffic?
Encryption is a valuable ally in maintaining privacy. It keeps our data safe from prying eyes. It stops people stealing our credit card details, our app usage habits, and our passwords.

It has become so vital that by February this year half of all online traffic was encrypted, according to a recent report. For some types of traffic, encryption is now a legal requirement.

By 2019, Gartner believes, more than 80 percent of enterprise web traffic will be encrypted. While this is a boon for those with privacy concerns, IT teams will face a massive influx of traffic that they cannot look inside without decryption technology.

This means encryption is a bit of a double-edged sword: the bad guys can use it too. Encryption can hide malware just as well as it can hide your own secrets, and that opens a whole can of worms (and Trojans, and viruses) for IT bosses.

"Gartner predicts that half of malware campaigns in 2019 will use some type of encryption to conceal delivery, command and control activity, or data exfiltration," says TK Keanini, principal engineer at Cisco, which this week launches a new product to combat the threat.

Malware makers know that, and are making the most of it. "Initial delivery of malware through encrypted web channels is becoming more frequent as HTTPS overtakes HTTP," says Gartner.

"Sites such as Facebook, Twitter, and LinkedIn all use SSL but have in the past fallen victim to threats such as likejacking, malware propagation, data leakage, and spam," comments Alan Cain, security manager at the media company Racing Post. "Because 80 percent of security systems do not recognize or prevent threats within SSL traffic, this makes encrypted malware currently the industry's biggest threat," he says.

As a result, Gartner believes that by 2020 more than 60 percent of organizations will fail to decrypt HTTPS traffic efficiently, "missing most targeted web malware." By that time, Gartner believes encrypted traffic will carry more than 70 percent of web malware, while the means to combat these threats will have suffered as support for decryption systems wanes. But this is not a problem even the largest IT teams can afford to ignore.

Until now, the common way to deal with this problem has been to decrypt the traffic and inspect it with devices such as next-generation firewalls. That process takes time, though, and requires adding more devices to the network. With the threat landscape continuously evolving, it is becoming clear that security integrated into the network itself will help detect all threats, even those hidden in encrypted traffic.

How to combat a threat you cannot see, though? At Cisco, experts figured they had to look for its shadow.

Using Encrypted Traffic Analytics to Detect Threats

Although you cannot look into encrypted traffic, Blake Anderson, a technical leader at Cisco, and David McGrew, a Fellow in the company's Advanced Security Research Group, found a way to watch for hints of what might lurk within.

"Identifying threats contained within encrypted network traffic poses a unique set of challenges," admitted Anderson and McGrew in a paper called 'Identifying Encrypted Malware Traffic with Contextual Flow Data', published last October.

It is important to monitor this traffic for threats and malware, they said, "but do so in a way that maintains the integrity of the encryption." The duo developed supervised machine learning models that take advantage of a unique and diverse set of network flow data features. "These data features include TLS handshake metadata, DNS contextual flows linked to the encrypted flow, and the HTTP headers of HTTP-contextual flows from the same source IP address within a five-minute window," they said.

The researchers studied the differences between malicious and benign traffic's use of TLS, DNS, and HTTP on millions of unique flows, and then picked out the features that were the biggest giveaways of malware.

The process was tested against real-world data to check its false-positive rate on live traffic. The resulting technique, called Encrypted Traffic Analytics (ETA), involves looking for telltale signs in three features of encrypted data.

The first is the initial data packet of the connection. For TLS this is the unencrypted ClientHello, which by itself carries useful information about the rest of the content, such as the cipher suites and extensions the client offers. Then there is the sequence of packet lengths and inter-arrival times, which offers clues to the traffic contents beyond the beginning of the encrypted flow.

Finally, ETA checks the byte distribution across the payloads of the packets within the flow being analyzed. Because the detection models are trained with machine learning, they can be retrained as new samples arrive, so efficacy improves over time.

This week, Cisco is making Encrypted Traffic Analytics functionality available by pairing the enhanced NetFlow from the new Catalyst® 9000 switches and Cisco 4000 Series Integrated Services Routers with the advanced security analytics of Cisco Stealthwatch.

Prashanth Shenoy, Cisco vice president of Marketing, Enterprise Networks, IoT, and Developer Platform, says "Cisco continues to build security into its network devices by leveraging its best of breed security portfolio. The result is a comprehensive threat defense architecture that uses the network as a sensor and enforcer to see and act on all threats."

In a nutshell, the flow telemetry exported by these Cisco devices now feeds a large threat detection system that can detect threats across the network and act on them.

"It's like when you watch people having an argument," Shenoy says. "You may not be able to hear what they are saying but you can tell what's going on from their gestures and expressions."

Cisco is uniquely positioned to provide ETA to its existing and future customers, says Shenoy. "Being able to carry out the analysis in real time at high speeds without slowing the traffic down is only possible with our new hardware using our newest chip sets."

Similarly, the fact that Cisco has a bigger installed base of products than any other networking vendor on the planet means the threat defense system can learn faster than it could with any other vendor.

The Cisco network working with Stealthwatch not only detects malware in encrypted traffic, but also assists with cryptographic compliance, for example by revealing TLS policy violations, uncovering cipher suite vulnerabilities, and continuously monitoring network opacity.

This means the network will be able to detect threats, helping address a key challenge of encrypted traffic on the network. "With our innovation, organizations can better use the network for compelling security applications," Keanini says.

"For the first time, utilizing machine learning to analyze metadata traffic patterns, Cisco can identify and mitigate threats even in encrypted traffic, without decryption," he says. "As a result, the new network is the only system that provides security while maintaining privacy."

Used with the permission of

Jun 2017

By: Kayla Tellers