Network encryption is a game changer for security teams as it makes it more difficult to identify malicious traffic. It may even paralyze some people and cause others to dismiss network security monitoring altogether.
But does it have to be this way? During a recent SANS webcast entitled Alternative Network Visibility Strategies for an Encrypted World hosting Zeek/ Bro experts, Matt Bromiley said, “(Encryption) just means I have to change my analysis techniques and change the way I approach these particular datasets as well.”
You see, across the world security analysts* are struggling with their lost of plaintext application data they grew accustomed to. When answers were laid before an analyst’s feet it was easier to say, “Yep, this is compromised.” Teams find it especially difficult when the organization has limited or no access to the device itself or its logs, which is often the case when an organization has guests, decentralized or shadow IT, appliances, or IoT on the network.
A traditional investigative approach will usually fail in the face of hidden data. Because this is such a significant problem, I previously wrote another post about network security and encryption.
Matt Bromiley is right, encryption changes how we monitor the network and approach investigations.
Parallels with US legal investigations
Being a fan of shows like Forensic Files, I notice parallels to how law enforcement and security analysts approach reports of something bad. Let me suggest a few similarities between how security teams can generally investigate encrypted network traffic and how US law enforcement investigates a crime.
Rarely do officers watch a crime take place but usually arrive after the fact. It’s up to detectives to piece together what happened with limited evidence. Sometimes culprits leave the direct evidence at the scene, but other times they hid it. Officers must first find probable cause (usually presented before a judge) before they can legally intrude on a person’s rights such as when making an arrest or searching private property they believe contains evidence of a crime.
Similarly, security analysts should adjust to this process of investigation. Analysts usually arrive on the scene after an alert or when threat hunting, sometimes finding concrete evidence but because of encryption often they don’t. They need to gather evidence to prove probable compromise. When they find probable compromise, they can then change the direction of the investigation to get the direct evidence they need, perhaps by contacting a system owner or instituting containment and forensics procedures. I often find when I approach people with evidence of probable compromise, they are much more receptive to my recommended course of action.
Cybersecurity units also have the advantage of a risk assessment to determine whether to pursue an investigation further or not. Your confidence of probable compromise might be high for someone’s IoT thermometer, but low for your domain controller.
How does one find evidence to prove probable compromise? There are many good educational resources for finding bad behavior in encrypted traffic including the SANS webinar mentioned above, the Pluralsight course Security Event Triage: Detecting Network Anomalies with Behavioral Analysis by Aaron Rosenmund, and whatever tool-specific training available to you. Some specific suggestions include looking at context details–IP addresses, domains, SSL certificates, traffic behavior, anomalies, etc. Cross-check the information you gather with intelligence sources such as threat intel, open-source intelligence (OSINT), your organization’s inventory, and your log history.
I believe analysts can use this investigation approach to find not just compromises, but also vulnerabilities, misconfigurations, poor practices, anything that increases the risk of an organization or violates policy.
Probable compromise and decryption
I can’t talk about encryption without mentioning decryption. Decrypting network traffic of corporate assets is becoming more common, which of course provides easier access to application data. However, security personnel will still run into encrypted traffic such as when the organization does not own or control the asset.
To find malicious activity in encrypted traffic, security analysts must adjust their investigation approach to first finding probable compromise using contextual information before proceeding to a process to discover direct evidence. As the trend towards encrypted traffic and limited endpoint visibility continues, cybersecurity teams must pivot to if they want to stay defensible against the latest attack techniques.
*Although I specifically mention security analysts, it applies to other security team members as they often have to put on the analyst hat.