
Assessing the rising threat of encrypted tunnels

21 Feb 2018

Article written by Venafi senior technical manager Nick Hunter

Encryption is a double-edged sword. It can be a powerful security tool or a weapon, depending on who’s controlling it. Although encryption is a vital security measure for organisations, cyber attackers are becoming increasingly proficient at accessing and hiding in the ‘tunnels’ it creates. Once attackers gain access to these encrypted highways, they are shielded and can move around an organisation undetected.

Unfortunately, many organisations are oblivious to the cyber attackers using these tunnels. According to a recent survey, nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.

From the outside, these tunnels simply appear to contain everyday business information, but they hide something more sinister within. Encryption offers the perfect cover for cybercriminals, and companies are vulnerable unless they take the time to check their encrypted data.

Organisations are aware this is a possibility. Approximately 90% of CIOs say they have already been attacked, or expect to be attacked, by cybercriminals hiding in encrypted traffic. But what does this really mean for organisations? Without proper insight into encrypted tunnels, cyber attackers have the opportunity to use them against a business in five key ways:

1. Accessing endpoints

Organisations create virtual networks using Internet Protocol Security (IPsec) to secure communications over the internet. Because such a network typically creates a tunnel from a remote site into a central site, it is an ideal entry point for cybercriminals, allowing them to explore systems and establish a base.

This type of attack generally compromises only established network endpoints but can be the start of a more sophisticated hack.

2. Undetectable movement across networks

Large organisations use virtual networks to connect multiple offices and business partners, as these are the most flexible and adaptable option. But they are also a convenient way for cybercriminals to move from site to site within a network.

After compromising the initial internal system, cybercriminals can use these tunnels to hide their attempts to access other devices and areas of the network. The tunnels in virtual networks are rarely inspected, allowing attackers to go undetected.

3. Privileged access to payloads

The tunnels created by Secure Shell (SSH) encryption are a goldmine for attackers. SSH keys grant administrators privileged access to applications and systems, bypassing the need for manually typed authentication credentials.

This means compromised SSH tunnels are ideal for moving malicious payloads between file servers and applications undetected.
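The kind of SSH key audit this section implies, written here as an added example rather than code from the article or from Venafi: it reads an OpenSSH authorized_keys file, computes the fingerprint that `ssh-keygen -lf` would show, and flags keys that grant unrestricted access. The sample file, its key blobs (filler bytes in valid wire format, not real keys) and the thresholds used (RSA below 2048 bits, no from= or command= option) are assumptions of the example, not figures from the article.

```python
"""Audit an OpenSSH authorized_keys file for keys that grant unrestricted,
privileged access.  Added example, not code from the article or from Venafi.
Records each key's type, OpenSSH-style SHA256 fingerprint, RSA modulus size
and restricting options (from=, command=), then flags legacy key types, short
RSA moduli and keys with no restrictions.  Standard library only; the sample
file at the bottom is constructed and its key blobs are filler, not real keys.
"""
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire-format field."""
    return len(data).to_bytes(4, "big") + data

def _read_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def _split_unquoted(s: str, sep: str) -> list:
    """Split s on sep, ignoring separators inside double-quoted strings
    (options such as command="..." may contain spaces and commas)."""
    parts, cur, in_quote = [], "", False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def fingerprint(blob: bytes) -> str:
    """Same format as `ssh-keygen -lf`: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str) -> list:
    """Return one dict per key entry with its fingerprint and a list of issues."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t for t in _split_unquoted(line, " ") if t]
        options = "" if tokens[0] in KEY_TYPES else tokens.pop(0)
        names = [o.split("=", 1)[0].lower() for o in _split_unquoted(options, ",") if o]
        entry = {"line": lineno, "options": options, "issues": []}
        results.append(entry)
        if len(tokens) < 2:
            entry["issues"].append("malformed entry")
            continue
        ktype, comment = tokens[0], " ".join(tokens[2:])
        entry.update(type=ktype, comment=comment)
        try:
            blob = base64.b64decode(tokens[1], validate=True)
            fields = _read_strings(blob)
            if not fields or fields[0] != ktype.encode():
                raise ValueError("key type in blob does not match declared type")
        except Exception:
            entry["issues"].append("undecodable key blob or type mismatch")
            continue
        entry["fingerprint"] = fingerprint(blob)
        if ktype == "ssh-dss":
            entry["issues"].append("legacy DSA key")
        if ktype == "ssh-rsa" and len(fields) >= 3:
            # blob = string "ssh-rsa", mpint e, mpint n; key size is the bit length of n
            n = fields[2].lstrip(b"\x00") or b"\x00"
            entry["bits"] = (len(n) - 1) * 8 + n[0].bit_length()
            if entry["bits"] < 2048:
                entry["issues"].append(f"short RSA modulus ({entry['bits']} bits)")
        if "from" not in names:
            entry["issues"].append("no from= source restriction")
        if "command" not in names:
            entry["issues"].append("no command= restriction (interactive shell allowed)")
    return results

# --- constructed sample data: filler blobs in valid wire format, not real keys ---
def _fake_rsa_blob(bits: int) -> bytes:
    e = (65537).to_bytes(3, "big")
    n = b"\x80" + b"\x11" * (bits // 8 - 1)  # top bit set, so exactly `bits` bits
    return _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(b"\x00" + n)

def _fake_ed25519_blob(filler: int) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([filler]) * 32)

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    "ssh-rsa " + _b64(_fake_rsa_blob(1024)) + " legacy-backup@fileserver",
    'from="10.0.5.0/24",command="/usr/bin/rsync --server --sender . /srv/data",no-pty '
    "ssh-ed25519 " + _b64(_fake_ed25519_blob(1)) + " rsync-job",
    "ssh-ed25519 " + _b64(_fake_ed25519_blob(2)) + " admin@laptop",
])

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(e["line"], e.get("type"), e.get("fingerprint"), e["issues"])
```

Run against a real file with `audit_authorized_keys(open(path).read())`; the fingerprints match what `ssh-keygen -lf` prints, so findings can be joined to a central key inventory. The rsync entry shows the shape of a restricted key: a source address and a forced command, which turns a privileged key into a single-purpose one.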

4. Listening in and stealing your data

The most common form of tunnel is created by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These tunnels provide a secure session between a browser and an application server, for example securing web-based transactions such as payments.

Attackers use man-in-the-middle attacks to eavesdrop on encrypted traffic and steal data from their victims. They can also steal data by decrypting information that has been secured with a key they have stolen.

5. Setting up phishing websites

Attackers often use stolen or compromised certificates to establish an identity that the victims’ browsers will trust – setting up a phishing website on the internet or an organisation’s intranet.

Victims access the malicious site and, believing they are connected to a trusted machine, share sensitive data with the attackers. Since HTTPS sessions are trusted and are therefore rarely inspected, these attacks can go undetected.

Avoiding ‘The Great Escape’ in your systems

As key and certificate use grows, so does the number of opportunities for cybercriminals – any type of encrypted tunnel can be misused in a cyber-attack. Typically, organisations manage hundreds of thousands of the keys and certificates that provide them with secure access and communications, with new ones created and revoked every day.

In fact, two-thirds (66%) of the security professionals attending RSA Conference 2017 said their organisation is planning to increase encryption use. This dramatic rise will only make the job of securing these tunnels more difficult. Simply put, organisations must secure their encrypted tunnels or risk leaving themselves at the mercy of cyber attackers.

But all is not lost as there is a way to counter this pressing threat. Organisations now have the capacity to implement centralised intelligence and automated systems, designed to ensure all security tools maintain a continuously updated list of all the relevant keys and certificates they need in order to inspect encrypted traffic.

By automatically discovering every key and certificate generated by your organisation, and integrating this data into security tools, you can finally shine a light into your encrypted tunnels.
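An inventory pass of the kind the closing section describes, as an added example that is not code from the article or from any Venafi product: it discovers PEM-encoded keys and certificates, fingerprints them, and flags private keys stored unencrypted, producing records that can be handed to other security tools as JSON. The paths, file contents and object kinds in SAMPLE_FILES are constructed filler (no real keys or certificates); a real run would call scan_tree on a file system root.

```python
"""Discover key and certificate material on disk and build an inventory that a
security tool can consume.  Added example, not code from the article or Venafi.
For each PEM block it records the object kind, the SHA256 fingerprint of the DER
bytes (for certificates this is the digest `openssl x509 -fingerprint -sha256`
prints) and, for private keys, whether the key is stored unencrypted; both the
legacy PEM Proc-Type header and the OpenSSH private-key container are checked.
Standard library only; SAMPLE_FILES is constructed filler, not real material.
"""
import base64
import hashlib
import json
import os
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PRIVATE_KINDS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
                 "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field of the SSH wire format."""
    return len(data).to_bytes(4, "big") + data

def _openssh_cipher(der: bytes) -> str:
    """OpenSSH container: magic, then string ciphername; 'none' means unencrypted."""
    if not der.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    n = int.from_bytes(der[off:off + 4], "big")
    return der[off + 4:off + 4 + n].decode("ascii", errors="replace")

def inventory_pem(path: str, text: str) -> list:
    """Return one inventory record per PEM block found in text."""
    items = []
    for m in PEM_RE.finditer(text):
        kind, body = m.group(1), m.group(2)
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]          # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        item = {"path": path, "kind": kind, "issues": []}
        items.append(item)
        try:
            der = base64.b64decode(b64, validate=True)
        except Exception:
            item["issues"].append("undecodable PEM body")
            continue
        item["sha256"] = hashlib.sha256(der).hexdigest()
        if kind not in PRIVATE_KINDS:
            continue
        if kind == "ENCRYPTED PRIVATE KEY":                   # PKCS#8 encrypted wrapper
            encrypted = True
        elif kind == "OPENSSH PRIVATE KEY":
            cipher = _openssh_cipher(der)
            if cipher == "unknown":
                item["issues"].append("unrecognised OpenSSH key container")
            encrypted = None if cipher == "unknown" else cipher != "none"
        else:                                                 # legacy PEM: Proc-Type: 4,ENCRYPTED
            encrypted = any("ENCRYPTED" in h for h in headers)
        item["encrypted"] = encrypted
        if encrypted is False:
            item["issues"].append("unencrypted private key on disk")
    return items

def inventory_files(files: dict) -> list:
    """Inventory an in-memory {path: text} mapping (used for the constructed sample)."""
    return [item for path, text in files.items() for item in inventory_pem(path, text)]

def scan_tree(root: str) -> list:
    """Walk a directory tree and inventory every readable file (first 1 MiB)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(1 << 20)
            except OSError:
                continue
            found.extend(inventory_pem(path, data.decode("ascii", errors="ignore")))
    return found

# --- constructed sample files (filler bytes in valid containers, not real keys) ---
def _pem(kind: str, der: bytes, headers: str = "") -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {kind}-----\n{headers}{body}\n-----END {kind}-----\n"

def _openssh_container(cipher: bytes, kdf: bytes) -> bytes:
    return (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + (1).to_bytes(4, "big") + _ssh_string(b"\x00" * 20) + _ssh_string(b"\x00" * 40))

SAMPLE_FILES = {
    "/etc/ssl/certs/web.pem": _pem("CERTIFICATE", b"\x30\x82" + b"\x00" * 30),
    "/home/svc/.ssh/id_ed25519": _pem("OPENSSH PRIVATE KEY", _openssh_container(b"none", b"none")),
    "/home/svc/.ssh/id_backup": _pem("OPENSSH PRIVATE KEY", _openssh_container(b"aes256-ctr", b"bcrypt")),
    "/opt/app/legacy.key": _pem("RSA PRIVATE KEY", b"\x30\x00",
                                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
    "/opt/app/app.key": _pem("PRIVATE KEY", b"\x30\x00"),
}

if __name__ == "__main__":
    records = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else inventory_files(SAMPLE_FILES)
    print(json.dumps(records, indent=2))
```

The fingerprint is the join key: the same SHA256 reported by a certificate manager or by `ssh-keygen` lets the discovered material be matched against what the organisation believes it issued, and anything on disk with no matching record is exactly the unknown key or certificate the article warns about.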
