The Undercover Attacker: The Threat of Encryption
When we think of the undercover threats to critical infrastructure, our minds probably jump to spies and secret agents. Not necessarily Golden Eye scenes of Bond scaling a dam, but certainly espionage. Yet the more common risk of undercover, malicious activity to critical infrastructure is much more subtle.
Protecting data through encryption
Regulations worldwide are driving massive uptake in end-to-end encryption to ensure compliance and support customer data privacy while in transit and at rest. 62% of the top 1000 global websites now support TLS 1.3, a standard that helps to ensure full end-to-end encryption.
This is essential for critical infrastructure, where encryption plays a particularly critical role in securing the industrial control systems and the communication channels used to send and receive the sensitive data that keeps things functioning. Consider an electricity grid, for example, data flows between distribution providers, operations, service providers, as well from its consumers with the rise in smart meters.
However, whilst encryption helps to ensure privacy and regulatory compliance, attackers still breach an organisation’s perimeter and are increasingly hiding malicious activity within legitimate encrypted network traffic.
Flaws in the secure communications
TLS encryption is often used to hide the intrusion, egress, and lateral movement in target networks. In 2021 Cisco actually estimated that 70% of all malware campaigns would use encryption to conceal malware delivery.
This presents a significant and challenging blind spot for security teams. Encryption renders many of the conventional means of detection ineffective. Indeed, most methods still rely heavily on decryption and relatively rudimentary analysis to detect when traffic might be deviating from expected patterns.
Indeed, the sheer volume of data being created and stored, not to mention the speed and frequency at which it moves between internal and external IT environments, makes relying on decryption as the primary means of detecting encrypted malicious traffic an insurmountable task. Particularly given the sophisticated cybercriminals that typically target critical infrastructure are more than capable of disguising command and control traffic as a legitimate data flow, such as cloud storage traffic.
Encrypted attacks on critical infrastructure
This tactic is one that is actively being used as part of attacks on critical infrastructure. Take the Colonial Pipeline ransomware incident from May 2021, where the pipeline operator reported that a cyberattack had forced the company to close its operations, temporarily halting all pipeline operations. Vast swathes of the US were impacted by the impact on the provider of 45% of the East Coast’s fuel.
Despite the organization protecting its data with strong encryption standards, attackers were able to enter the network through a legitimate, encrypted path and thus rendered many of the countermeasures ineffective. With the operators unaware of any anomalous activity on their networks, the intruders had all the time they needed to assess the system and get organised. This meant the adverse impact of the attack was far greater than in a typical ransomware incident - where the intrusion can be detected within days, and security teams can limit the extent of disruption and damage.
This poses a particularly dangerous proposition for critical infrastructure, as major disruptions to these kinds of systems can have devastating, societal consequences. We’re not just talking about disturbance to business services, resulting in share prices falling and customer trust evaporating. Instead, these attacks have the ability to threaten the health, safety, security and economic well-being of the public – whether that be the loss of power to households, traffic lights not working, people being unable to contact emergency services or preventing access to safe drinking water. It’s therefore imperative that security teams can detect aggressors as quickly as possible.
Detection without decryption
These attacks are no longer cutting edge from the intruder, so the defender needs to be as well equipped. In the first three quarters of 2021 alone, threats over encrypted channels increased by 314% from the previous year. And if organisations continue to use the same failing detection techniques to uncover malicious activity on their network, the rate of attack using encrypted traffic will continue to grow at this rate or higher.
The only way that organisations can hope to keep up in this environment is if they can monitor for malicious activity in their traffic without relying on decryption. To achieve this, security teams need to shift their approach towards behavioural analysis for detection, guaranteeing greater certainty about what is happening within encrypted traffic flows.
A combination of machine learning, artificial intelligence, and behavioural analytics can help to scan and analyse encrypted traffic without needing to decrypt it. By accurately understanding the abnormalities between normal and anomalous behaviour, significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, whilst ensuring data remains private. Security teams can then react immediately to contain threats. Rather than responding after the fact.
This not only keeps the length of a hostile presence to a minimum, but it helps teams to understand a great deal of information about an encrypted session: identifying malware infections, communications instructing the malware on what to do next, and attempts to exfiltrate information. It can also understand when a legitimate user might be engaging in unscrupulous behaviour.
Critical infrastructure security teams need to quickly wake up to the reality that a decryption-led approach is no longer sufficient in protecting against the cyber threat landscape. Whilst encryption is essential in keeping data safe in transit and at rest, they mustn’t leave themselves open to attackers hiding on their networks. Instead, behavioural analytics will need to be widely adopted in order to keep reaping the benefits of increased encryption without losing critical visibility.