Analyzing Encrypted Network Traffic

The use of encryption to protect against cyber threats is growing exponentially. Unfortunately, cybercriminals also leverage encryption to hide malware, ransomware, and other attacks. 

Industry analyst firm Omdia estimates that as much as 70–80% of enterprise inbound network traffic is now encrypted, which is up approximately 20% from three years ago. As decryption is fast becoming a technical challenge, traditional information security tools cannot readily identify threats hiding in encrypted traffic. To effectively detect threats — such as botnets — hiding within encrypted traffic, protection systems that can inspect encrypted data, and recognize traffic patterns are needed.

Eric Parizo, a Senior Analyst at Omdia, said, “Encrypted traffic analysis is a critical capability that the industry needs now more than ever before and deserves consideration as a key component of a contemporary enterprise network and security portfolio.”

Encrypted Threats

There are several categories of threats related to encryption. One group includes risks such as certificate vulnerabilities. When communicating with a site, the browser will indicate if the connection is determined to be insecure or untrusted. This indication may mean the certificate is invalid, or the Certificate Authority is unreachable. 

Another category of encrypted threats includes malware that embeds its communications inside an encrypted tunnel so that it can bypass a network’s security. Examples of applications that intentionally hide their traffic and communications include Psiphon, Tor, and Ultrasurf. These applications are known to be used by bad actors to obfuscate malware. 

Lastly, there are the actual breaches of encrypted traffic. This group includes malware that steals credentials, such as Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), Heartbleed,

Padding Oracle On Downgraded Legacy Encryption (PODDLE), and Factoring RSA Export Keys (FREAK). These are exploits that take advantage of encryption to construct a man-in-the-middle scenario. This malware can intercept emails, credentials, private information, and online transaction data. Once this type of attack compromises a network, it is used to inject a malicious application into a browser connection, embed a threat and exploit it later, or send the victim to a third-party website.

A Solution

Laurence Pitt, Cybersecurity Marketing and Strategy Director at Juniper Networks

Being aware that Juniper Networks is addressing the issue of threats entering under the cloak of encrypted data, Brilliance Security Magazine sat down with Laurence Pitt, Cybersecurity Marketing and Strategy Director at Juniper Networks to see what we could learn about what they are doing in this critical area of security. 

Juniper Networks is one of only a few vendors offering encrypted traffic analysis today and is differentiated because it offers network monitoring to detect malicious encrypted communication without having to decrypt the traffic. This approach provides a more efficient way for organizations to identify threats hiding in encrypted traffic tools and adds an additional layer of protection beyond traditional information security solutions.

Encrypted traffic analysis is the latest feature of Juniper ATP Cloud and SRX Series firewalls. These firewalls are now capable of detecting malicious botnet traffic that is “going dark” via encryption. This capability permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption. For customers running Juniper SRX firewalls, it also does not require additional hardware or network changes to set up and manage.

Laurence explained that for solutions that decrypt data at the firewall, there exists a significant threat of the data being lost or exfiltrated. He asked, “So why do it? Why decrypt the data if you don’t need to? If the data can be inspected for threats without decrypting it, why introduce that additional threat?

“We only need to know whether the data is good or bad. Our system will examine where the data came from and determine if the source has a good reputation and the certificates up to date. It will ask if the handshake is normal and natural. We can examine the data to ensure it is structured as it is expected to be. If you combine all that information, you can see a clear picture of whether that data is good or not.”

Laurence went on to emphasize that because this is a cloud solution, there is no performance hit for the enterprise. 

Juniper announced encrypted traffic analysis for Advanced Threat Prevention Cloud and SRX Series firewalls in late February. They also announced the integration of SecIntel to the Mist platform for wireless access. With these additions to the Juniper Connected Security solution portfolio, Juniper delivers a complete offering to secure all traffic within an organization, whether encrypted or unencrypted, throughout all parts of the network, whether access, campus, WAN or data center.

SecIntel for Mist represents a significant step toward complete integration of wireless access into the Juniper Connected Security strategy. Mist customers can now get threat alerts detected by Juniper SRX Series Firewalls and ATP Cloud. This integration allows administrators to quickly assess security risks when users and devices connect to wireless networks. They can then take appropriate action via the Mist cloud or APIs, such as quarantining or enforcing policies.

This post is not intended to be a thorough examination of the entire family of encrypted threats, nor is it a presentation of Juniper Network’s complete line of solutions. The design of this article was to raise the awareness of this ever-growing threat category and provide at least one suitable solution. 

If you need a layer of protection to examine encrypted data so it can remain encrypted until it reaches its destination, take a look at the Connected Security Portfolio with Encrypted Traffic Analysis for Juniper Advanced Threat Prevention and SecIntel for Mist Wireless.

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.