Overcoming the security threat of end-to-end encryption
Simon Mullis at Venari argues that machine learning is the key to security in an encrypted world
The concept of privacy is universally understood: the right to be left alone, without interference or intrusion, is documented in the United Nations Universal Declaration of Human Rights.
Online, this refers to the personal privacy a user is entitled to when they display, store or share information about themselves on the internet. And amid growing awareness of the extent to which we are constantly tracked, targeted and at times exploited online, whether by big tech firms selling our information to third-party advertisers or by cyber-criminals seeking to defraud us or steal our personal information, there has been growing public demand for better protection.
Privacy has become a major concern for all ages and demographics, with advocates now calling for the ubiquitous use of end-to-end encryption. And it’s fair to say that the market is listening. Google has embarked on a mission to encrypt the web.
Many of us now actively look for the small lock icon in the browser's address bar, which shows that a site is served over HTTPS (browsers flag plain-HTTP pages as "Not secure"), when deciding whether to visit a new website. Unencrypted sites are becoming rarer, with Google stating that around 95% of web traffic is now encrypted.
Data protection regulation is one of the primary drivers of encryption adoption in many enterprises. In the UK GDPR, for instance, encryption is cited as an example of an appropriate technical measure for ensuring that personal data is processed securely, and where unencrypted personal data is lost or destroyed, regulatory action may be pursued against the organisation.
Hidden new threat
However, end-to-end encryption is no silver bullet for data privacy. While it undoubtedly plays an important role in protecting our online privacy, it also introduces new challenges for enterprise security teams that could end up leaving our information exposed.
The same encrypted channels that protect the privacy of data are now also exploited by cyber-criminals to deliver malware into IT environments and exfiltrate data. This malicious activity is hidden within what looks like legitimate encrypted traffic: TLS is commonly used to conceal intrusion, command and control, lateral movement and data egress in target networks.
Indeed, in 2020, Cisco estimated that as much as 70% of all malware campaigns would use some type of encryption to conceal malware delivery.
This presents a significant and very dangerous blind spot for security teams. Encryption renders many established malware detection controls, in particular those that inspect packet payloads for known signatures, ineffective.
The sheer volume of data that organisations hold, and the speed and frequency at which it moves between IT environments, make it all but impossible for teams to rely on decryption (TLS interception) to catch every piece of malicious activity that hides in encrypted traffic across their networks. That is all the more true because more sophisticated cyber-criminals disguise command and control traffic as a legitimate encrypted data flow, such as traffic to Dropbox or another cloud storage service, so that it blends in and flies under the radar.
The Colonial Pipeline ransomware incident of May 2021 brings this threat to life. The pipeline operator, which supplies roughly 45% of the East Coast's fuel, reported that a cyber-attack had forced it to shut down and "temporarily halted all pipeline operations".
DarkSide, the ransomware-as-a-service used in the Colonial Pipeline attack, relies on encryption to avoid detection, allowing the intruders to stay under the radar while they get organised. As a result, the IT operators did not know that anomalous activity was occurring on their networks until it had a real-world effect.
This is not a rare event. Cisco previously estimated that by 2020, 60% of organisations would fail to decrypt HTTPS efficiently and would in turn miss most targeted web malware. And the longer an intruder operates undetected on the network, the more havoc they can wreak.
Measure traffic to secure and safeguard privacy
The worrying fact is that the controls on most enterprise networks are no longer fit for purpose. Most malware detection was simply not designed for today's world of pervasive encryption: any solution that relies on decrypting traffic cannot keep pace with the volume and speed of data in motion across an organisation, and decrypting it in the middle reintroduces the very exposure encryption was meant to remove.
The goal has to be the ability to identify anomalous activity without decryption, and probability, rather than certainty, is the key to this approach. Using machine learning, encrypted traffic analysis (ETA) learns the normal behaviour of traffic across a network from the metadata that remains visible after encryption (connection timing, packet sizes and directions, and TLS handshake fields such as the server name and cipher suites) and produces a risk score for each flow in the moment.
This not only increases the rate at which malicious encrypted traffic is detected, but also the speed of detection. With an alert raised in real time, security teams can react immediately to contain a threat as it is introduced, rather than responding after the fact. Because the score is probabilistic, it should trigger investigation or containment at a threshold tuned to the organisation's tolerance for false positives, not be treated as proof of compromise.
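To make the "measure, don't decrypt" idea concrete, here is an added example that is not Venari's product or code and not from the original article. It scores TLS flows using only features that survive encryption: connection start times, byte counts in each direction, and the cleartext server name (SNI) from the ClientHello. A production system would feed these features to a trained model; the fixed weights and thresholds below are illustrative assumptions standing in for that model, and the flow records are constructed, not captured.

```python
"""Encrypted traffic analysis from flow metadata only: no decryption.

Added example, not Venari's code. Weights and thresholds are assumptions
that stand in for a trained model; the sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # client IP
    dst: str        # server IP
    sni: str        # server_name from the ClientHello ("" if absent)
    start: float    # connection start, seconds since capture start
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


def coeff_var(values: List[float]) -> Optional[float]:
    """Coefficient of variation (stddev / mean); None with too few samples."""
    if len(values) < 3:
        return None
    m = mean(values)
    return pstdev(values) / m if m > 0 else 0.0


def score_pair(flows: List[Flow]) -> Tuple[float, List[str]]:
    """Risk score in [0, 1] plus reasons for all flows between one client/server pair."""
    flows = sorted(flows, key=lambda f: f.start)
    score, reasons = 0.0, []

    # 1. Beaconing: near-constant gaps between successive connections.
    gaps = [b.start - a.start for a, b in zip(flows, flows[1:])]
    gap_cv = coeff_var(gaps)
    if gap_cv is not None and gap_cv < 0.1:
        score += 0.4
        reasons.append(f"periodic connections (gap cv={gap_cv:.3f})")

    # 2. Exfiltration: far more bytes leave the client than come back.
    up = sum(f.bytes_out for f in flows)
    down = sum(f.bytes_in for f in flows)
    if up > 0 and up / max(down, 1) > 5:
        score += 0.3
        reasons.append(f"upload-heavy ({up} out / {down} in)")

    # 3. Missing SNI: browsers and SaaS clients send it; bespoke C2 often does not.
    if any(f.sni == "" for f in flows):
        score += 0.15
        reasons.append("no SNI in ClientHello")

    # 4. Uniform upload sizes: scripted check-ins rather than human activity.
    size_cv = coeff_var([f.bytes_out for f in flows])
    if size_cv is not None and size_cv < 0.05:
        score += 0.15
        reasons.append("uniform upload sizes")

    return round(min(score, 1.0), 2), reasons


def score_flows(flows: List[Flow]) -> Dict[Tuple[str, str], Tuple[float, List[str]]]:
    """Group flows by (client, server) and score each pair."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    return {pair: score_pair(fl) for pair, fl in by_pair.items()}


# Constructed sample flows (not captured data; addresses are documentation ranges).
SAMPLE_FLOWS = [
    # Beacon every ~60 s, same size every time, no SNI.
    *[Flow("10.0.0.5", "203.0.113.7", "", t, 900, 300)
      for t in (0.0, 60.2, 119.9, 180.1, 240.0, 300.3)],
    # Ordinary browsing: bursty timing, download-heavy, SNI present.
    *[Flow("10.0.0.6", "198.51.100.20", "www.example.com", t, o, i)
      for t, o, i in ((0.0, 800, 45000), (3.1, 1200, 120000), (3.4, 500, 8000),
                      (12.0, 3000, 60000), (40.5, 700, 20000), (41.2, 600, 15000))],
    # Bulk upload to a cloud-storage-looking host: plausible SNI, but ~50 MB out.
    *[Flow("10.0.0.7", "192.0.2.44", "storage.example.net", t, o, i)
      for t, o, i in ((5.0, 20_000_000, 4000), (19.5, 15_000_000, 3500),
                      (21.0, 15_000_000, 3800), (100.0, 1500, 2000))],
]

if __name__ == "__main__":
    for (src, dst), (score, why) in score_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {score:.2f} {why}")
```

Run as-is, the beacon pair scores 0.70 (periodic, no SNI, uniform sizes), the browsing session 0.00, and the bulk upload 0.30 (upload-heavy only). Note what the third case shows: a benign-looking server name is not enough to clear a flow, but a single weak signal is also not enough to condemn it, which is why the score feeds a threshold and an analyst rather than an automatic verdict.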
Security fit for an encrypted world
There is no single solution when it comes to protecting the privacy of our data. While encryption will undoubtedly play a critical role in reducing the risk that enterprise data breaches pose to consumers, cyber-criminals are now also reaping its benefits.
We must evolve our security posture to overcome this new risk. Shifting our approach from “detect and decrypt” towards “measure and mitigate” enables security teams to understand what’s happening in the moment, so that effective action can be taken.
Simon Mullis, CTO at Venari Security.