Assessing the rising threat of encrypted tunnels
Article written by Venafi senior technical manager Nick Hunter
Encryption is a double-edged sword. It can be a powerful security tool or a weapon, depending on who’s controlling it. Although encryption is a vital security measure for organisations, cyber attackers are becoming increasingly proficient at accessing and hiding in the ‘tunnels’ it creates. Once attackers gain access to these encrypted highways, they are shielded and can move around an organisation undetected.
Unfortunately, many organisations are oblivious to the cyber attackers using these tunnels. According to a recent survey, nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.
From the outside, these tunnels simply appear to contain everyday business information, but they hide something more sinister within. Encryption offers the perfect cover for cybercriminals, and companies are vulnerable unless they take the time to check their encrypted data.
Organisations are aware this is a possibility. Approximately 90% of CIOs say they have already been attacked, or expect to be attacked, by cybercriminals hiding in encrypted traffic. But what does this really mean for organisations? Without proper insight into encrypted tunnels, cyber attackers have the opportunity to use them against a business in five key ways:
1. Accessing endpoints
Organisations build virtual private networks (VPNs) with Internet Protocol Security (IPsec) to secure traffic that crosses the internet. Because such a VPN typically tunnels from a remote site straight into the central network, a compromised remote site gives cybercriminals an ideal entry point from which to explore internal systems and establish a base.
On its own this compromises only the endpoints already joined to the VPN, but it is frequently the first step of a more sophisticated intrusion.
2. Undetectable movement across networks
Large organisations link multiple offices and business partners with VPNs because they are the most flexible and adaptable option. The same tunnels are an equally convenient way for cybercriminals to move from site to site within the network.
After compromising an initial internal system, cybercriminals can use these tunnels to hide their attempts to reach other devices and segments of the network. Traffic inside site-to-site tunnels is rarely inspected, so the attackers go undetected.
3. Privileged access to payloads
The tunnels created by Secure Shell (SSH) are a goldmine for attackers. SSH keys grant administrators privileged access to applications and systems without any manually typed authentication credentials, and unlike certificates a plain SSH key never expires: a stolen key stays valid until it is removed from every authorized_keys file that trusts it.
An attacker who obtains such a key inherits that access and can move tools and malicious payloads between file servers and applications inside an SSH session that is encrypted and, in most organisations, unmonitored.
4. Listening in and stealing your data
The most common tunnels are SSL/TLS sessions [Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS)]. They provide a secure session between a browser and an application server, for example to protect web-based transactions such as payments.
Attackers who obtain a server's private key and certificate can mount man-in-the-middle attacks, presenting the stolen certificate so that victims' browsers trust them while they eavesdrop on the traffic and steal data. A stolen key can also be used to decrypt previously captured traffic, provided the sessions did not use a forward-secret key exchange; with (EC)DHE the recorded sessions stay unreadable even after the key is stolen.
5. Setting up phishing websites
Attackers often use stolen or compromised certificates to establish an identity that victims' browsers will trust, and then set up a phishing website on the internet or on an organisation's intranet.
Victims visit the malicious site and, believing they are connected to a trusted machine, hand sensitive data to the attackers. Because HTTPS sessions are trusted and therefore rarely inspected, these attacks can go undetected.
Avoiding ‘The Great Escape’ in your systems
As key and certificate use grows, so does the number of opportunities for cybercriminals – any type of encrypted tunnel can be misused in a cyber-attack. Typically, organisations manage hundreds of thousands of the keys and certificates that provide them with secure access and communications, with new ones created and revoked every day.
In fact, two-thirds (66%) of the security professionals attending RSA Conference 2017 said their organisation is planning to increase encryption use. This dramatic rise will only make the job of securing these tunnels more difficult. Simply put, organisations must secure their encrypted tunnels or risk leaving themselves at the mercy of cyber attackers.
But all is not lost, because there is a way to counter this pressing threat. Organisations can now deploy centralised intelligence and automation that keeps every security tool supplied with a continuously updated list of the keys and certificates it needs in order to inspect encrypted traffic.
By automatically discovering every key and certificate your organisation generates, and feeding that inventory into your security tools, you can finally shine a light into your encrypted tunnels.
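As an added worked example, not taken from the original article or from Venafi's tooling, the following Python script performs the kind of key discovery described above on the SSH trust relationships discussed in section 3. It parses authorized_keys entries (including the options field, whose quoted values may contain commas), computes the OpenSSH SHA256 fingerprint of each public key, and flags two things a practitioner wants to know: keys trusted on more than one host or account (a lateral-movement path if that private key is stolen) and keys that carry no from=, command= or restrict option. The hostnames, account names and key blobs are constructed sample data; the blobs follow the real ssh-ed25519 wire format but contain no real key material.

```python
# Added example: inventory SSH authorized_keys entries and flag risky trust.
# All hosts, accounts and key blobs below are constructed sample data.
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# Options that confine what a key may do; a key without any of them is unrestricted.
RESTRICTING = {"from", "command", "restrict"}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_blob(keytype: str, key_material: bytes) -> str:
    """Base64 public-key blob in OpenSSH wire format (used here only to build sample data)."""
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(key_material)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(opts: str) -> list:
    """Split the options field on commas, but not on commas inside double quotes."""
    out, cur, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.startswith(KEY_TYPES):
        # The options field runs up to the first whitespace outside double quotes.
        i, in_quotes = 0, False
        while i < len(line):
            if line[i] == '"':
                in_quotes = not in_quotes
            elif line[i].isspace() and not in_quotes:
                break
            i += 1
        options = split_options(line[:i])
        line = line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry: " + line)
    keytype, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # The blob embeds its own type string; a mismatch means a tampered or corrupt entry.
    raw = base64.b64decode(blob)
    declared_len = int.from_bytes(raw[:4], "big")
    if raw[4:4 + declared_len].decode(errors="replace") != keytype:
        raise ValueError("declared key type does not match blob: " + keytype)
    return options, keytype, blob, comment


def inventory(files: dict) -> dict:
    """files maps 'host:account' to authorized_keys contents collected from that account.

    Returns every key by fingerprint with the locations that trust it, the keys trusted
    in more than one place, and the (location, fingerprint) pairs with no restricting option.
    """
    by_fp = defaultdict(list)
    unrestricted = []
    for location, content in files.items():
        for line in content.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue
            options, _keytype, blob, _comment = parsed
            fp = fingerprint(blob)
            by_fp[fp].append(location)
            option_names = {o.split("=", 1)[0] for o in options}
            if not option_names & RESTRICTING:
                unrestricted.append((location, fp))
    shared = {fp: locs for fp, locs in by_fp.items() if len(locs) > 1}
    return {"keys": dict(by_fp), "shared": shared, "unrestricted": unrestricted}


# Constructed sample: one admin key reused on two hosts, one restricted backup key,
# one unrestricted deployment key.
KEY_ADMIN = make_blob("ssh-ed25519", bytes([1]) * 32)
KEY_BACKUP = make_blob("ssh-ed25519", bytes([2]) * 32)
KEY_DEPLOY = make_blob("ssh-ed25519", bytes([3]) * 32)
SAMPLE_FILES = {
    "web01:root": f"ssh-ed25519 {KEY_ADMIN} ops@jump\n",
    "db01:root": (f'from="10.0.5.0/24" ssh-ed25519 {KEY_ADMIN} ops@jump\n'
                  f'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {KEY_BACKUP} backup\n'),
    "db01:deploy": f"# rotated 2019\nssh-ed25519 {KEY_DEPLOY} deploy@ci\n",
}

if __name__ == "__main__":
    report = inventory(SAMPLE_FILES)
    for fp, locs in report["shared"].items():
        print("shared key", fp, "trusted by", ", ".join(locs))
    for location, fp in report["unrestricted"]:
        print("unrestricted key", fp, "in", location)
```

Run against the sample, the script reports the admin key as trusted by both web01:root and db01:root, and the web01 root entry and the deploy key as unrestricted; the backup key passes because its command= option pins it to one script. In a real deployment the files dictionary would be populated from authorized_keys files gathered across the estate, and the fingerprints compared against the keys the organisation knows it issued.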