According to research by Zscaler, malicious SSL attacks increased by 260% in 2020, including a rise in encrypted attacks. Among those encrypted attacks, a 500% increase in ransomware attacks was recorded. On the brighter side, the use of SSL and TLS to launch attacks is an acknowledgment that legitimate website and system traffic is encrypted.
The Secure Socket Layer (SSL) protocol has been around for more than 20 years. With the World Wide Web's widespread adoption came the need to enable and protect deeper online interactions, so the development of a standard for securing communications was necessary and timely. Today, attackers are leveraging SSL to deploy hidden attacks. Encryption now poses a significant threat to businesses, as criminals use industry-standard encryption to bypass detection and carry out attacks. As with any popular trend or widely used technology, criminal elements will always try to exploit it, and the SSL protocol has not been spared, hence the large number of vulnerabilities and attacks against it. Some of these attacks have been highly publicized, whereas others have happened under the radar.
Because of the increasing exploitation of these vulnerabilities, users have been forced to update or move to newer, secure versions of the protocol. In other cases, users have been forced to migrate to Transport Layer Security (TLS), the replacement protocol.
Malicious actors are finding novel ways to benefit from the widespread adoption of SSL. A new wave of cyber threats uses SSL to hide attack traffic and further complicate its detection at the application level and within networks.
According to Deepen Desai, the CISO and vice-president of security research at Zscaler, cybercriminals leverage encrypted channels across the full attack cycle. At the initial delivery stage, there are compromised sites, emails with links, and malicious websites using SSL/TLS. At the other end, payload delivery relies on payloads hosted in cloud storage services such as AWS, Dropbox, and Google Drive. The ability to hide malicious traffic within legitimate traffic means that attackers can progress through an attack's initial stages without detection. Differentiating between legitimate and malicious access becomes even harder when the attacker's toolkit leverages existing system services. Some attackers use encryption modules supplied by the operating system and popular cloud storage systems such as GitHub, Pastebin, or S3 buckets, making detection hard. In other instances, attackers have used SSL encryption over port 443 to exfiltrate data from specific targets.
Businesses should install and use inspection certificates on all endpoints so that SSL inspection can be carried out. However, organizations should understand that decrypting and reading outbound traffic is just one step in protecting against these attacks.
Inspection of encrypted traffic is a critical component of any defense strategy. However, conventional security tools such as next-generation firewalls fail to provide the capacity and performance needed to decrypt, inspect, and re-encrypt traffic effectively. Since inspecting all SSL traffic can severely affect performance and productivity, most organizations allow encrypted traffic through without inspection, especially from trusted cloud service providers. Failing to inspect all encrypted traffic leaves the organization vulnerable to hidden phishing attacks and malware, with devastating results. Inspecting all encrypted traffic may be too big a task for your business, and there are hurdles to in-depth examination of TLS/SSL traffic that must be surmounted, including legal and data privacy requirements.
An excellent place to start is for businesses to use their internal DNS systems to implement network policy. DNS can help segment the network by usage profile and access privilege. For example, segments dedicated to cloud-based storage can be limited to only those machines with a legitimate requirement to access cloud storage. Businesses should focus on detection on the network, which is both a layer of protection and an opportunity to prevent infection and detect abnormal user behavior.
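The DNS-based segmentation described above also produces a detection signal: a resolver log shows which hosts ask for cloud-storage names, so a host outside the permitted segment resolving those names is a policy violation worth investigating. The following is an added example, not code from the article or from Zscaler. The log format, the domain list, and the 10.20.0.0/24 "storage-access" segment are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed policy for this example (not from the article): only hosts in the
# cloud-storage segment may resolve cloud-storage domains. The domain list and the
# 10.20.0.0/24 "storage-access" segment are assumptions.
STORAGE_DOMAINS = ("dropbox.com", "dropboxusercontent.com", "drive.google.com", "s3.amazonaws.com")
ALLOWED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed DNS resolver log lines: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-01-01T09:00:01Z 10.20.0.15 www.dropbox.com A
2024-01-01T09:00:02Z 10.30.0.7 intranet.example.local A
2024-01-01T09:00:03Z 10.30.0.7 dl.dropboxusercontent.com A
2024-01-01T09:00:04Z 10.30.0.9 bucket-x.s3.amazonaws.com A
2024-01-01T09:00:05Z 10.20.0.15 drive.google.com A
2024-01-01T09:00:06Z 10.30.0.7 api.dropbox.com AAAA
"""


def parse_dns_line(line):
    """Split one log line into (timestamp, client IP object, normalized qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return ts, ipaddress.ip_address(client), qname.lower().rstrip("."), qtype


def is_storage_domain(qname):
    """True if qname is one of the policy domains or a subdomain of one.

    The label-boundary check ("." + d) keeps look-alike names such as
    evil-dropbox.com from matching dropbox.com.
    """
    return any(qname == d or qname.endswith("." + d) for d in STORAGE_DOMAINS)


def in_allowed_segment(ip):
    """True if the client address lies in a segment permitted to reach cloud storage."""
    return any(ip in net for net in ALLOWED_SEGMENTS)


def find_policy_violations(log_text):
    """Map each out-of-segment client IP to the storage domains it tried to resolve."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, _ = parse_dns_line(line)
        if is_storage_domain(qname) and not in_allowed_segment(client):
            violations[str(client)].append(qname)
    return dict(violations)


if __name__ == "__main__":
    for client, names in find_policy_violations(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

Because the check runs on DNS queries rather than on the encrypted session itself, it works regardless of whether the later HTTPS traffic is inspected, which is what makes the DNS layer useful when full SSL inspection is impractical.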
SSL attacks are becoming popular because only a small number of packets is needed to complete a denial-of-service attack against a large business. Attackers choose SSL because a single SSL session handshake uses 15 times more resources on the server side. The effect is that the attack grows exponentially in size without the attacker having to add extra bots or bandwidth. This amplification lets small attacks cause crippling damage.
Other SSL-based threats may include:
- Encrypted SYN floods: These attacks are similar to non-encrypted SYN flood attacks in that they consume and exhaust resources by completing the SYN-ACK handshake. What distinguishes them is that the traffic is encrypted and forces the server to spend SSL handshake resources, which compounds the challenge faced by IT security teams.
- SSL Renegotiation: The attack initiates a regular SSL handshake and then immediately and repeatedly renegotiates the encryption key to exhaust server resources.
- HTTPS Floods: Usually part of a multi-vector attack campaign that generates large volumes of encrypted HTTP traffic. The encryption makes the attack significantly harder to resolve.
- Encrypted Web Application Attacks: Another trend in multi-vector attack campaigns has been the switch to web application logic attacks. When encrypted, these non-DoS attacks go undetected, hence causing wanton damage.
The real challenge with the rising malicious use of SSL encryption is that many of the available DDoS protection measures are insufficient. Most DDoS protection is specific to one type of attack. Effective solutions must provide full attack-vector coverage and be highly scalable to meet ever-expanding demands. SSL and TLS protection must be supported by identifying and isolating suspicious encrypted traffic without affecting legitimate users.
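The handshake asymmetry and the renegotiation attack described above share one observable: a single client triggering far more handshake-cost events per unit time than any legitimate client would. The following added example (not from the article or from Zscaler) shows the kind of per-client rate check that lets a defender isolate the offending source without touching legitimate users. The log format, the field names HANDSHAKE and RENEG, the sample addresses, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed server-side TLS event log (format is an assumption for this example):
# "<iso-timestamp> <client-ip> <event>", where event is HANDSHAKE for a new session
# or RENEG for a client-initiated renegotiation. One client renegotiates every second
# for 12 seconds; another opens three ordinary sessions over about a minute.
_ABUSIVE = "203.0.113.10"
_NORMAL = "198.51.100.7"
SAMPLE_TLS_LOG = "\n".join(
    [f"2024-01-01T10:00:00Z {_ABUSIVE} HANDSHAKE"]
    + [f"2024-01-01T10:00:{s:02d}Z {_ABUSIVE} RENEG" for s in range(1, 13)]
    + [
        f"2024-01-01T10:00:00Z {_NORMAL} HANDSHAKE",
        f"2024-01-01T10:00:30Z {_NORMAL} HANDSHAKE",
        f"2024-01-01T10:01:05Z {_NORMAL} HANDSHAKE",
    ]
)

# Events that cost the server a full key exchange; both are counted the same way
# because a renegotiation re-runs the expensive part of the handshake.
COSTLY_EVENTS = ("HANDSHAKE", "RENEG")


def parse_tls_events(log_text):
    """Return a list of (datetime, client_ip, event) sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, event))
    events.sort(key=lambda e: e[0])
    return events


def peak_handshake_rate(events, window_seconds=10):
    """For each client, the largest number of costly events seen in any sliding window."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peak = defaultdict(int)
    for ts, client, event in events:
        if event not in COSTLY_EVENTS:
            continue
        q = recent[client]
        q.append(ts)
        # Drop timestamps older than the window before measuring its size.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)


def flag_abusive_clients(log_text, window_seconds=10, max_events=10):
    """Clients whose peak rate exceeds the threshold, mapped to their peak count."""
    peaks = peak_handshake_rate(parse_tls_events(log_text), window_seconds)
    return {client: n for client, n in peaks.items() if n > max_events}


if __name__ == "__main__":
    for client, n in flag_abusive_clients(SAMPLE_TLS_LOG).items():
        print(f"{client}: {n} handshake/renegotiation events within a 10s window")
```

Counting events per client rather than in aggregate is what keeps the response targeted: the abusive source can be rate-limited or blocked while the client with three sessions a minute is never touched. As a complement, most modern TLS stacks let the server refuse client-initiated renegotiation outright, which removes the renegotiation vector before any rate logic is needed.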