SSL Based Cyber-attacks Increase by 400% Over the Last Year

A new report found that last year there had been a 400% increase in SSL-based phishing threats, criminals are increasingly using encryption as part of their toolkit to evade detection and launch malware. When data is encrypted, it cannot be accessed and exploited by unauthorised users. If you are sending sensitive information over the internet or using portable devices to store sensitive information it is essential to encrypt the data. Using this formula criminals are using encryption protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to disguise malware, conceal malicious traffic and carry out phishing scams because these encryption protocols secure all application data, whether it is legitimate or malicious. This allows threats to blend in with legitimate traffic, essentially using a defenders security tactics against them.

Criminals use the SSL/TLS protocols as a tool to obfuscate their attack payload. A security device like a SIEM or multi-layered anomaly detection tool may be able to identify a cross-site scripting or SQL injection attack in plaintext, but if the same attack is encrypted using SSL/TLS, the attack will go through unless it has been decrypted first for inspection. In addition, holes and vulnerabilities have been found within the SSL/TLS protocol itself. As an internet protocol, SSL/TLS is vulnerable to bugs and exploits, such as renegotiation flaws, the POODLE vulnerability, Beast, Crime and Heartbleed.

The way to detect and mitigate against this type of attack is not to suspend the encryption of data in motion, as this protects a company’s data and provides a level of protection and obscurity to malicious content entering the network. What is needed is a tool set that can provide SSL/TLS inspection capabilities, giving defenders the ability to examine potentially malicious content before it causes harm in the network. This is especially important as internet traffic is moving toward encrypted channels, which highlights how agile cybercrime truly is; the rate at which criminals adapt and take advantage of vulnerabilities is impressively scary.

This type of threat will mean different things to different types of organisations, security vendors like Telesoft scan for this type of threat at carrier scale for mobile operators, Internet Service Providers and large enterprise, meaning Terabytes of encrypted data has to be examined in order to detect potential incoming threats. These attacks are persistent, so the ability to able to do this in real-time is also critical in order to provide 360⁰ network protection. The way in which Telesoft provides this functionality is via the FlowProbe, this NetFlow Probe (IPFIX, SFlow & JFlow) uses flow data for network flow monitoring. The Probe extracts fields from the certificate which is reported in the SSL/TLS flow records for behaviour analysis, anomaly detection and alerting using Telesoft’s TDAC analysis suite. Using tools like the FlowProbe and TDAC gives defenders in security operations teams (SecOps) the ability to put in place a strong encryption inspection strategy providing accurate network security monitoring and visibility.