Encryption is a good and necessary tool for private communications these days. Even when we are not using VPN technologies (which you should be ANYTIME you are mobile or away from a trusted network), encryption is kicking in automatically for many of our web-based connections and transactions.
The growth of web security using TLS has increased the number of tough decisions that security practitioners must make when this kind of traffic is flowing into their networks.
Originally the only option was a binary allow-or-deny decision, because the payload of a TLS session cannot be inspected by anyone who does not hold the session keys.
As this traffic grew, tools were developed so that, if the inspection device could hold the ‘keys’ (either the server’s own private key, or a proxy certificate that every client had been configured to trust), the traffic could be diverted, decrypted, analyzed, re-encrypted if clean and passed along. This is computationally expensive at scale, it makes the inspection device a high-value target because it holds keys for every session it terminates, and it assumes the organization has no issue with the privacy concerns. After all…what is the point of encryption if it can’t stay that way end to end?
This also did not address the growing issue of malware using this same encryption to hide itself. The challenge here of course is that you would never have the keys for decrypting this traffic: the malware and its command-and-control server control both ends of the session, and nothing obliges the malware to trust your interception proxy’s certificate. That brings us back to the binary decision of ‘allow or deny’ when it is encountered.
The big question remains: how can we inspect that which we cannot see?
One of our team members helped put this explanation together from the always entertaining Aasif Mandvi.
A couple of Cisco researchers were able to combine their own analytical brains and what I would imagine to be an incredible level of focus to reveal that there were indeed unique patterns. Patterns available from the non-encrypted portions of our communication (the TLS handshake, where the client advertises its offered cipher suites and extensions in cleartext, along with flow-level characteristics such as packet lengths and timing) that could allow one to make confident inferences as to the legitimacy of the traffic.
Lauren and I had a chance to meet both Blake Anderson and Dave McGrew after reading through ‘some’ (it’s deep) of their research published in 2016. I found it easier to digest key points from what Blake revealed in two blogs that emerged from this work.
The first one here sets up the growing challenge of how we make security decisions for traffic that is increasingly ‘hiding in plain sight’ through the use of TLS and encryption. Blake lays out how and where malware flows are increasingly making use of the TLS protocol. He also lays out how differences began to reveal themselves: differences in the unencrypted portion of the packets that could be used to identify a flow as malicious.
This traffic collection and analysis continued for a total of about two years, until he released this June 2017 entry, Detecting Encrypted Malware Traffic (Without Decryption), describing some of the additional patterns discovered. This was all very incredible work and I love when stories like these surface…so many things are developed by smart people in Cisco and I never get to hear or tell that story. To make all this useful and practical for customers, however, meant figuring out how it could all come together in a more turnkey fashion.
Two things had to happen. First, Cisco needed to enhance the data generated by typical NetFlow exporting devices with TLS metadata that is more capable of identifying malicious, encrypted traffic. This became additional elements within a NetFlow record. Second, they developed a set of rules and machine learning classifiers that operate on these enhanced NetFlow records and can differentiate malicious from benign activity without decryption or deep packet inspection.
Encrypted Traffic Analytics (ETA) delivers cryptographic compliance checks and malicious traffic detection in encrypted sessions without decryption. The analysis is done as part of Cisco’s Stealthwatch Enterprise. This was our preferred security analysis tool already and it made for a natural home for ETA.
The data sources were first rolled out with the new Catalyst 9000 series of switches…Cisco’s biggest new family of switches ever launched. Subsequent updates and improvements continue to roll out, and ETA is also supported on ASR 1000 Series Aggregation Services Routers, 4000 Series Integrated Services Routers (ISR 4K) and Cloud Services Router (CSR) 1000V Series.
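To make concrete what ‘metadata from the unencrypted portion of the session’ means, here is an added example (written for this page, not Cisco’s code and not the ETA feature set) that builds a TLS 1.2 ClientHello from constructed inputs, parses it the way a flow exporter could without holding any key, and applies one illustrative compliance rule. The cipher-suite code points are IANA assignments; the choice of which suites count as ‘weak’, the field names in the returned dictionary and the feature list are assumptions made for the example:

```python
"""Extract cleartext TLS ClientHello metadata the way a keyless flow exporter could."""
import struct

# IANA cipher suite code points (subset chosen for this example).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Assumed compliance policy: flag RSA key transport (no forward secrecy), RC4 and 3DES.
WEAK_SUITES = {0x002F, 0x0004, 0x000A}


def build_client_hello(cipher_suites, sni, extra_extensions=()):
    """Construct a TLS 1.2 ClientHello wrapped in a TLS record (test input, not captured traffic)."""
    client_random = bytes(range(32))  # fixed value so the example is deterministic
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    host = sni.encode("ascii")
    # server_name extension: list_len(2) + name_type(1)=0 + host_len(2) + host
    sni_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    exts = sni_ext + b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extra_extensions)
    body = (
        b"\x03\x03" + client_random          # client_version, random
        + b"\x00"                            # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Return the fields that are readable in cleartext; no key material is needed."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                       # skip client random
    pos += 1 + body[pos]                # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # skip compression_methods
    ext_types, sni = [], None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}


def flow_metadata(record):
    """Enrich parsed fields with an assumed compliance verdict and classifier-style features."""
    info = parse_client_hello(record)
    weak = [s for s in info["cipher_suites"] if s in WEAK_SUITES]
    info["weak_suites"] = [SUITE_NAMES.get(s, hex(s)) for s in weak]
    info["compliant"] = not weak
    # Example features a rule or classifier could consume; not Cisco's feature set.
    info["features"] = {
        "n_suites": len(info["cipher_suites"]),
        "n_extensions": len(info["extensions"]),
        "has_sni": info["sni"] is not None,
    }
    return info


if __name__ == "__main__":
    hello = build_client_hello([0x1301, 0xC02F, 0x002F], "example.com", [(0x000A, b"\x00\x02\x00\x1d")])
    print(flow_metadata(hello))
```

Every field returned here sits in the ClientHello, which is sent in cleartext in both TLS 1.2 and TLS 1.3; the record can be read off the wire with no decryption and no proxy in the path. The caveat a practitioner should keep in mind is that TLS 1.3 encrypts the server certificate and most of the later handshake, so fewer cleartext fields remain than in TLS 1.2 and flow-level features (packet lengths, timing) carry more of the weight.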
Please enjoy our episode featuring Encrypted Traffic Analytics, in which we hosted the talented TK Keanini, who now leads much of our analytic work…and you will know why when you hear him. Lauren welcomes Sandeep Agrawal into the lab to see exactly how this all comes together visually as he demonstrates what this could look like for you.
Thank you for reading and watching.
Follow the show @techwisetv