Gigamon VP on How to Eliminate TLS Blind Spots: Considerations for a Decryption Strategy
Bassam Khan, VP of Product and Technical Marketing Engineering, Gigamon
Many people who work in IT still have the mentality that encrypted traffic is safe traffic. This is a dangerous generalization. Encrypted traffic means private traffic, and private communication is not the same thing as secure communication.
The use of encryption for legitimate privacy and security purposes continues to grow, and unfortunately so does its use for worse purposes. While most network-based analytics tools benefit from inspecting decrypted traffic, the risk grows with each tool that receives clear-text traffic, because the tool itself can be compromised. Decryption is not a binary decision; there are several options for how to decrypt.
To deal with a blind spot as significant as Transport Layer Security (TLS), security teams should settle on a decryption approach. The most important step your organization can take is to document and communicate that approach and the reasoning that guided the decision.
Encryption and decryption
The good
Encrypting network traffic is important to protect data from unauthorized access and theft. By encrypting your network traffic, you prevent others from seeing or stealing data that passes through your network. In addition, the growing adoption of TLS helps protect against “man-in-the-middle” attacks and other malicious activity.
The bad
As adoption increases, threat actors are also turning to encryption as their default way of operating without being detected. From command and control, to malware delivery, to data exfiltration, encryption allows adversaries to work without fear of being caught. It also lets them dwell longer, plant ransomware on as many hosts as possible before demanding payment, and double-extort by stealing sensitive data and intellectual property. Most current tools, including Suricata and Snort rules, are useless against encrypted payloads.
The ugly
There are several key challenges to consider when decrypting network traffic. First, decrypting data raises privacy concerns. In addition, decrypting traffic may violate consent requirements or even require redesigning network and datacenter infrastructure. Finally, decryption is central processing unit (CPU) intensive and puts significant strain on the throughput of the equipment used to decrypt.
By understanding these challenges, companies can better plan and mitigate them.
Monitoring TLS traffic with Network Detection and Response (NDR) solutions
Modern Network Detection and Response (NDR) solutions can work on encrypted traffic using only Secure Sockets Layer (SSL)/TLS traffic metadata, such as:
- Server Name Indication (SNI) and certificate attributes: help identify suspicious features such as when the domain was registered, who owns it, randomness in the name, typosquatting, and unusual top-level domains.
- Cipher suite, JA3/JA3S: helps find suspicious encrypted sessions from their “Hello” messages. Detection that relies solely on IP addresses and known bad domains is often ineffective; both can change at any time, and malware may constantly rotate its command-and-control infrastructure. JA3 and JA3S, hashes of how the encrypted connection was established, are less likely to change, so frequent JA3 changes and unknown JA3s are suspicious.
- User-agent identification: helps identify user agents (e.g., browsers). This data can be effective in distinguishing automated systems used for web advertising and marketing purposes from those used for worse purposes.
- Certificate information: consider when the certificate was issued. A certificate issued only a few days ago is as much of a warning sign as one with an expiration date 10 years out.
While it is possible to detect threats from encrypted traffic metadata, these strategies have their limitations. For the level of threat you want to detect, NDRs need to work with both the traffic metadata and the entire contents of the packet, which provides access to the Uniform Resource Identifier (URI), parameters, response code, user agent, request and response body, files, and much more. With this rich data set, analysis of intrusions over Hypertext Transfer Protocol (HTTP) becomes much easier. The combination of encrypted traffic metadata and decrypted payload analysis therefore provides the maximum number of data points for threat detection.
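As an added example (not code from the article or from Gigamon's products), the following Python computes a JA3 fingerprint from ClientHello fields and applies the metadata checks above to constructed session records: unknown JA3s, JA3 churn per source host, and certificate issuance and validity length. The record schema, the allow-list, and the 7-day and 398-day thresholds are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# GREASE values (RFC 8701) are randomised per connection, so JA3 leaves them out.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3(version, ciphers, extensions, curves, point_formats):
    """JA3 string (decimal values joined by '-', sections by ',') and its MD5 hash."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(version), field(ciphers), field(extensions),
                  field(curves), field(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def review_session(rec, known_ja3, now):
    """Findings for one session-metadata record (constructed schema, not a product API)."""
    findings = []
    if rec["ja3"] not in known_ja3:
        findings.append("unknown JA3")
    issued, expires = rec["not_before"], rec["not_after"]
    if now - issued < timedelta(days=7):  # assumed threshold for "issued a few days ago"
        findings.append("certificate issued within the last 7 days")
    if expires - issued > timedelta(days=398):  # 398 days is the public-CA maximum
        findings.append("certificate validity longer than 398 days")
    return findings

def ja3_churn(records, max_distinct):
    """Source hosts that presented more distinct JA3 hashes than max_distinct."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["src"]].add(rec["ja3"])
    return sorted(src for src, hashes in seen.items() if len(hashes) > max_distinct)

# Constructed sample: a browser-like ClientHello (with GREASE values) forms the baseline;
# three stripped-down, shifting ClientHellos come from one host, with a fresh 10-year cert.
BROWSER = ja3(771, [0x1A1A, 4865, 4866, 49195, 49199], [0, 23, 65281, 10, 11, 16, 5, 13],
              [0x1A1A, 29, 23, 24], [0])[1]
KNOWN_JA3 = {BROWSER}
NOW = datetime(2022, 3, 1)
RECORDS = [{"src": "10.0.0.5", "ja3": BROWSER,
            "not_before": NOW - timedelta(days=200), "not_after": NOW + timedelta(days=100)}]
for ciphers in ([49199], [49199, 4865], [4865, 49199]):
    RECORDS.append({"src": "10.0.0.9", "ja3": ja3(771, ciphers, [0, 10, 11], [23], [0])[1],
                    "not_before": NOW - timedelta(days=2), "not_after": NOW + timedelta(days=3650)})

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["src"], review_session(rec, KNOWN_JA3, NOW))
    print("JA3 churn:", ja3_churn(RECORDS, 2))
```

Note that cipher order is part of the JA3 string, so the same cipher set in a different order yields a different hash, which is why a client that keeps reshuffling its ClientHello shows up as churn.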
Decryption options
Do nothing
While it may be easy to say “don’t do this”, for some companies decrypting traffic is simply not an option. This could be due to compliance requirements, corporate policy, tool overload, current datacenter architecture, cost or other reasons.
If this is your path, your most important step is to communicate the reasons for, and the risks of, this approach.
Decryption by each tool
This is the easiest method because most tools have a built-in decryption feature. You just turn it on and the tool does the work for you. There are three things to consider when using this method.
- If a tool is placed inline, it becomes a single point of failure. If the tool goes down, the whole flow will break.
- This method will not work with TLS 1.3 unless the tool is deployed inline as a “man-in-the-middle”.
- This is the most expensive method. Decryption is a resource-intensive function that can dramatically reduce tool performance and throughput.
Dedicated decryption appliance
Another option is a standalone device that decrypts the traffic and forwards it to all other tools. A decade ago this was more common, but people stopped using it because decrypting traffic is not the ultimate goal. The ultimate goal is to securely monitor network traffic.
Centralized decryption and smart traffic brokering
A visibility fabric (also known as a packet broker) provides the security, flexibility and cost-effectiveness needed to decrypt traffic by:
- Allowing a centralized “decrypt once, feed many tools” deployment model
- Adhering to any policy regarding plain-text access
- Offering personally identifiable information (PII) masking
- Maintaining IP and URL “blacklists” so that sensitive traffic to trusted sites, such as employee personal banking and healthcare websites, stays encrypted
- Eliminating the need for physical wiring changes when decryption policies change
- Supporting TLS 1.3 via an inline deployment, feeding both inline tools and out-of-band tools
Finally, it is a good idea to review the National Security Agency (NSA) TLS decryption advisory, which advocates a centralized decryption model.
Wrapping it all together through increased visibility
On a larger scale, network visibility is important, among its other security uses, for eliminating the blind spots that come with TLS. Visibility can make tasks such as decryption selective, based on the type of traffic, the destination tool, and industry-specific requirements. Such capabilities give teams the flexibility to configure data flows any way they need and to change the configuration quickly if policies change.
No matter which decryption method you choose, it is important to communicate the reasons and trade-offs to top management. The key security decision makers in your organization need to understand the impact of decrypting network traffic and feel invested in your team’s approach. Otherwise, you may not have their support when the day comes.
About the author
Bassam Khan is the Vice President of Product and Technical Marketing Engineering at Gigamon. He brings 20 years of product management experience at security, cloud and collaboration technology companies. Prior to Gigamon, he held executive positions at ControlUp, AppSense, PostPath, Cloudmark and Portal Software. Bassam can be found on LinkedIn, Twitter and on the company’s blog at https://blog.gigamon.com/author/bassam-khan/.