Encryption is integral to securing online communications. That’s why it’s becoming more widely used by websites and online services. But encryption is a bit of a double-edged sword. Just ask anyone who’s had their computer or mobile phone locked by ransomware. Being unable to decrypt information, especially when you should rightfully have access to it, puts you at a serious disadvantage.
F-Secure Researcher Artturi Lehtiö delved into this topic recently at Virus Bulletin’s VB2015 conference. Lehtiö gave a presentation (you can see his accompanying report here) on how attackers are using third-party services as command and control infrastructure for attacks. Many popular third-party services (Twitter, for example) use SSL encryption to protect the traffic running through their network, which is what any responsible service provider does.
Lehtiö’s research highlights an unfortunate side effect this security measure has for companies. It essentially prevents many security tools (such as firewalls) from inspecting or filtering potentially malicious or unwanted traffic. Basically, attackers are using this layer of SSL encryption to hide their attacks.
“If I had to put it in a nutshell, I’d say that attackers are using certain third party services to help them fly under the radar of corporate security,” said Lehtiö in a written statement. “Many online services use encryption to prevent data from being intercepted and stolen while in transit, but the downside of this is that security measures like firewalls aren’t able to identify malicious traffic. It’s a real challenge for companies, and my research has shown how attackers like The Dukes capitalize on this advantage in their attacks.”
Lehtiö’s paper documents instances where The Dukes were able to use Twitter to coordinate the spread of malware, and Microsoft OneDrive to exfiltrate data stolen from their targets. Instances like these demonstrate how effectively SSL encryption can be turned from a security benefit into a threat.
So how can companies go about inspecting SSL traffic to prevent attackers from using these third-party services as resources for attacks? F-Secure Senior Researcher Jarno Niemelä has a few pieces of advice on the matter.
“Organizations that use outbound traffic decryption need to be very careful in selecting the solution that they use for decryption,” said Niemelä. “In order to be able to decrypt outbound traffic, the decryption solution needs to implement an SSL man-in-the-middle. Basically this means that all endpoints need to have a CA certificate which can be used to generate a man-in-the-middle certificate for any service.”
The simplest way to do this is for a particular vendor to generate one master CA certificate for all the devices or software they sell. Unfortunately, this is also the most dangerous option for companies, as it essentially means that anyone able to reverse engineer the device/software will obtain the key and be able to intercept traffic from any customer using the same device/software. So Niemelä says this option should be out of the question for any organization.
Niemelä says a better way of going about this is to generate a unique certificate per organization. This would mean that an attacker would have to target the organization specifically in order to break its encryption (as opposed to a particular vendor’s devices/software), meaning the organization could exert greater influence over its security. “This is a better approach, but those decryption keys need to be guarded like Fort Knox, and this may cause more problems than it solves,” said Niemelä.
However, as with many other cybersecurity challenges, the most effective solution remains concentrating on endpoints. Generating a unique certificate for each device that needs one would protect an organization from exposing its entire network in the event a particular device is compromised. “This approach ensures the only way to abuse the decryption privileges granted by the certificate requires a total compromise of the device in question, in which case the traffic decryption is a moot point,” said Niemelä.
Furthermore, prioritizing endpoint protection can eliminate the need to decrypt outbound SSL traffic entirely, as reliable endpoint protection will detect the malware attackers are trying to control by running malicious traffic through SSL-encrypted third-party services. And visibility over both endpoints and networks will often give informed IT administrators the resources they need to disrupt attacks.
“It’s often enough to know that clients are behaving oddly, like by uploading massive amounts of documents to third party services that aren’t being used for company backups,” said Niemelä. “You don’t need to decrypt anything to see this as you can tell just from the amount of traffic generated by a certain client, so it’s a good option for companies that don’t want to risk messing around with encryption.”
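Niemelä’s volume-based approach, as an added example that is not from the blog post or from any F-Secure product: it sums each client’s outbound bytes to third-party hosts from connection metadata alone (no decryption) and flags clients far above the median. The flow records, the allow-list of sanctioned backup hosts, and the threshold values are constructed assumptions.

```python
"""Flag clients uploading unusually large volumes to third-party services,
using only connection metadata (destination host and byte counts), so no
TLS interception is needed. Added example; records below are constructed."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (client_ip, destination_host, bytes_sent_by_client).
# A proxy log or NetFlow export would supply these; the TLS SNI or the
# destination IP is enough to name the service without decrypting anything.
FLOWS = [
    ("10.0.0.5", "onedrive.live.com", 1_200_000),
    ("10.0.0.5", "twitter.com", 40_000),
    ("10.0.0.6", "onedrive.live.com", 900_000),
    ("10.0.0.6", "backup.example-corp.com", 50_000_000),  # sanctioned backup
    ("10.0.0.7", "onedrive.live.com", 2_400_000_000),     # anomalous upload
    ("10.0.0.7", "twitter.com", 35_000),
    ("10.0.0.8", "twitter.com", 30_000),
]

# Constructed: destinations where bulk uploads are expected (company backups).
SANCTIONED_DESTINATIONS = {"backup.example-corp.com"}


def upload_bytes_per_client(flows, sanctioned=SANCTIONED_DESTINATIONS):
    """Sum the bytes each client sent to destinations that are not sanctioned."""
    totals = defaultdict(int)
    for client, host, sent in flows:
        if host not in sanctioned:
            totals[client] += sent
    return dict(totals)


def flag_outliers(totals, factor=10, floor=10_000_000):
    """Return clients whose unsanctioned upload volume exceeds both an absolute
    floor and `factor` times the median across all clients.  The floor stops
    a quiet network (tiny median) from producing alerts on ordinary traffic."""
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(c for c, b in totals.items() if b > floor and b > factor * baseline)


if __name__ == "__main__":
    per_client = upload_bytes_per_client(FLOWS)
    for client in flag_outliers(per_client):
        print(f"{client}: {per_client[client]:,} bytes to unsanctioned services")
```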