THREATS ARE HIDING IN ENCRYPTED TRAFFIC ON YOUR NETWORK
Manoj Sharma | Technical Director | Symantec Corp
Mark Sanders | Lead Security Architect | Venafi
WHAT YOU WILL LEARN
• Why encryption and digital certificates are helping our adversaries
• How to architect for today and tomorrow’s SSL/TLS threatscape
• What you need to successfully run your operations
• What’s your 45 day action plan
SSL/TLS THREATS UPDATE
PROBLEM: ΣΚΌΤΟΣ = SCOTOMA = BLIND SPOT
50-75% AND CLIMBING
of enterprise network traffic is encrypted with SSL/TLS today
“50% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2017”

“70% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2020”
ENCRYPTED TUNNELS MEAN SECURITY SYSTEMS CAN’T SEE WHAT’S COMING
TRADITIONAL SECURITY SYSTEMS CAN’T KEEP UP WITH PERFORMANCE NEEDED TO DECRYPT AND INSPECT SSL/TLS NETWORK
DIFFERENCES IN ENTERPRISE ENCRYPTION STRATEGIES BY COUNTRY
Source: Ponemon Institute. 2016 Global Encryption Trends Study. 2016
MALWARE AND OUTBOUND SSL

SSL/TLS: HIDDEN DANGERS
Bad Actors are using encryption to:
• Hide Malicious Actions and Messages
• Hide the Initial Infection
• Hide the Command and Control Channel
• Hide Data Exfiltration
2987 blacklisted SSL certificates: https://sslbl.abuse.ch/
• Most (recently) are Dyre C&C, KINS C&C, Vawtrak MITM, Shylock C&C, URLzone C&C, TorrentLocker C&C, CryptoWall C&C, Upatre C&C, Spambot C&C, Retefe C&C, ZeuS MITM, etc.
[Figure: TCP ports used by the Dyre Trojan for hidden command & control (source: Blue Coat Labs)]
BAD GUYS ARE EVADING DEFENSES
[Diagram: threat actors on the left, traditional enterprise defenses in the middle, the threats those defenses do and do not catch on the right]
Threat Actors: Nation States, Cybercrime, Hacktivists, Insider Threats
Traditional Enterprise Defenses: Host AV, NGFW, IDS/IPS, DLP, SIEM, Email Gateway, Web Application Firewall, Traditional Web Gateway
Traditional Threats: Known Threats, Known Malware, Known Files, Known IPs/URLs
Advanced Threats: Novel Malware, Zero-Day Threats, Targeted Attacks
Modern HTTPS
SSL/TLS: HIDDEN DANGERS
Users: Are they SSL aware?
“NEXT BIG HACKER MARKETPLACE WILL BE IN STOLEN CERTIFICATES”
WHAT DO YOU THINK THINGS LOOK LIKE?
[Diagram label: Secure Communications]
THIS IS WHAT IT REALLY LOOKS LIKE
[Diagram labels: Secure Communications; Server Authentication; Client-side Server Authentication; Client-side Authentication; SSL Keys & Certificates; SSL & SSH Keys & Certificates]
MORE KEYS, MORE CERTIFICATES, MORE ENCRYPTION
ARCHITECTING FOR SSL/TLS THREATS
ARCHITECTURE GAP ANALYSIS

Area                                                  | Today                           | Ready for Threats
Role of Decryption                                    | Non-Existent/Tactical           | Strategic
Inspection Points                                     | Few                             |
Performance                                           | Struggling                      | Wirespeed
Outbound Decryption: Internal trusted root CA         |                                 |
Inbound Decryption: all keys & certs available        | Few                             | All available
Inbound Decryption: keys & certs securely distributed | Email, flash drive, file server | Encryption distribution w/o people
BALANCING COMPLIANCE AND DATA PRIVACY
[Diagram: DATA PRIVACY CONCERNS and RISK OF ADVANCED THREATS lead to requirements]
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
INBOUND AND OUTBOUND TRAFFIC
[Diagram]
Inbound SSL Decryption: Internet -> Web, Email & Portal Servers (Web & Email Servers, Customer Web Portals)
  Security Solution fed by the decrypted traffic: IPS & IDS, AV, DLP, APM, SIM & SIEM, Forensics
Outbound SSL Decryption: Clients -> Internet (Encrypted Email, Social Networks, CRM, etc.)
  Security Solution fed by the decrypted traffic: IPS & IDS, AV, DLP, APM, SIM & SIEM, Forensics
PKI ARCHITECTURE FOR INSPECTION
[Diagram]
Inbound: the enterprise’s own server certificates (www…, app.., v125..) are STATIC
Outbound: Enterprise Root -> SSL Decryption Intermediate (STATIC) -> certificates for google.com, outlook.com, dropbox.com GENERATED ON THE FLY
ARCHITECTURE FOR VISIBILITY
[Diagram components: Client, Gateway/Firewall, Corporate Servers, SSL Visibility Appliance, Global Intelligence Network, Internet Server, NG IPS, Sandbox, Security Analytics. Legend: encrypted traffic / decrypted traffic. Steps ❶ to ❹]
SSL BLIND SPOTS IN ACTION: DATA INFILTRATION + EXFILTRATION USING SSL
• Malware Infiltration and Data Exfiltration using Wireshark
• Compare pcaps from identical operations with and without SSL Inspection enabled in the network.
• Download a file (magnetic*) from sourceforge.net (HTTP download)
• Download a known file using HTTPS: Infiltration
• Upload sensitive data using HTTPS: Exfiltration
SSL BLIND SPOTS: DATA EXFILTRATION EXPERIMENT
Symantec DLP Network Prevent details:
• Base OS: MS Windows 2012 R2
• DLP Network Prevent software version: 14
• DLP Network Prevent configured to monitor HTTP and HTTPS ports.
SSL Inspection Device: hardware model SV800 / software version 3.8.2-409
Experiment:
1. Upload sensitive data using HTTP
2. SSL Inspection Disabled: Upload sensitive data using HTTPS
3. SSL Inspection Enabled: Upload sensitive data using HTTPS
NOTE: SYMANTEC DOES NOT CLAIM THEY CAN INSPECT SSL TRAFFIC ON THEIR NETWORK DLP PRODUCTS
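Steps 1 to 3 of the experiment come down to which bytes the DLP sensor is handed. The Python below is an added illustration, not the deck's code and not Symantec DLP's matching engine: a small card-number detector (regex candidate plus Luhn check) is run once over a constructed plaintext HTTP upload, which is what the sensor sees in step 1 and again in step 3 once the inspection device feeds it decrypted traffic, and once over a constructed TLS application-data record standing in for step 2. The hostname, card numbers and payloads are made up, and the TLS bytes are arbitrary filler for ciphertext; nothing is actually encrypted.

```python
"""Same detector, plaintext upload vs. TLS record.

Added example, not the deck's code and not Symantec DLP's engine. The
HTTP upload, hostname and card numbers are constructed; the TLS record
is filler standing in for ciphertext (nothing is really encrypted).
"""
import re

# 13-19 digits with optional single spaces or dashes between them
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card numbers in text, separators stripped."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(payload):
    """What a DLP sensor can match in the bytes it is handed."""
    return find_card_numbers(payload.decode("utf-8", errors="replace"))


# Step 1 (HTTP) and step 3 (HTTPS with inspection enabled): the sensor sees this.
HTTP_UPLOAD = (
    b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"customer export\n"
    b"card: 4111 1111 1111 1111 exp 12/27\n"            # well-known test number, passes Luhn
    b"ref: 4111 1111 1111 1112 (mistyped, fails Luhn)\n"
)

# Step 2 (HTTPS, inspection disabled): the sensor sees only a TLS
# application-data record: type 0x17, version 0x0303, length, opaque bytes.
TLS_RECORD = bytes.fromhex("170303001a") + bytes((0x80 + i) % 256 for i in range(26))

if __name__ == "__main__":
    print("plaintext upload :", inspect(HTTP_UPLOAD))   # one Luhn-valid number
    print("TLS record       :", inspect(TLS_RECORD))    # nothing to match
```

The Luhn step matters in practice: a detector that reports every 16-digit run floods the SOC with order numbers and timestamps, and the false positives get the rule switched off, which is the same blind spot by another route.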
ECONOMICS OF SSL DECRYPTION
• Cost of No-Action = Infection = Intrusion = Breach = $
• Direct
  • Low performance -> higher cost to reach needed throughput
  • Incomplete support for latest ciphers creates unseen blind spots
• Indirect
  • Time and effort to identify, gather, distribute, and update keys & certificates
ONGOING OPERATIONS
MAINTAINING DECRYPTION
• Capture new keys and certificates (including those generated outside of IT security)
• Update renewed and rekeyed keys and certificates throughout the SSL/TLS chain (e.g. firewall, load balancer, WAF, etc.)
WHAT USER BENEFITS DOES TLS 1.3 OFFER
• Higher security than TLS 1.2
  • Only supports handshake mechanisms that provide Perfect Forward Secrecy
    • RSA key exchange not supported
  • Most existing ciphers are no longer supported
    • Only supports AEAD cipher suites: AES-GCM, AES-CCM and ChaCha
  • Most handshake messages are encrypted
• Higher speed
  • Faster session establishment
    • Fewer round trips before passing data: standard is 1 round trip time (RTT) compared with 2 in TLS 1.2
    • Option for 0 RTT, letting the client send early data, though with weaker security until the handshake completes
• Downgrade attack detection
  • Allows the client to detect if the server did support 1.3 but used 1.2 because it was tricked into thinking the client doesn’t support 1.3
MYTHS AND FACTS ABOUT TLS 1.3
• Myth: It prevents MITM devices from being able to look at decrypted data
  Fact: More difficult but not impossible
• Myth: It will require new clients (browsers)
  Fact: Already implemented in browsers
• Myth: There is no possibility to do passive decrypt for TLS 1.3
  Fact: Must be a bump in the wire
• Myth: SSLV does not support TLS 1.3
  Fact: We do already, as you will see
• Myth: You cannot downgrade a session
  Fact: You can if you fully terminate TCP and TLS (i.e. full TLS proxy)
• Myth: It will be years before TLS 1.3 is implemented by major sites
  Fact: Once standard, roll-out will be fast for many large TLS sites on the Internet
    • Google, Facebook, Cloudflare, CDNs all ready to roll
    • Enterprise sites, particularly financial services, are likely to take longer to adopt
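The downgrade-detection benefit listed for TLS 1.3 and the "you cannot downgrade a session" myth both rest on one mechanism, the sentinel defined in RFC 8446 section 4.1.3: a TLS 1.3-capable server that ends up negotiating TLS 1.2 writes 44 4F 57 4E 47 52 44 01 ("DOWNGRD" 01) into the last eight bytes of ServerHello.random, and 44 4F 57 4E 47 52 44 00 when negotiating TLS 1.1 or below; a client that offered 1.3 and sees that sentinel in a non-1.3 ServerHello aborts. The Python below is an added example, not taken from the deck or from Symantec or Venafi: it builds four minimal ServerHello records (constructed test data, not captures, with a fixed random value) and applies the client-side check to each. It also shows why the myth's "fact" holds: a proxy that fully terminates TLS and speaks its own handshake to the client is not a downgrade of one session but two separate sessions, so the sentinel never fires there.

```python
"""TLS 1.3 downgrade protection, as a client checks it.

Added example, not taken from the deck or from Symantec/Venafi. The
sentinel values are from RFC 8446 section 4.1.3. The ServerHello
records are constructed test data, not captured traffic.
"""
import struct

DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")   # "DOWNGRD" 0x01
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")   # "DOWNGRD" 0x00
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CIPHERS = {0x1302: "TLS_AES_256_GCM_SHA384", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
           0x002F: "AES128-SHA"}
RANDOM = bytes(range(32))   # fixed for the example; real servers use fresh random bytes


def build_server_hello(version, cipher, random_bytes, sentinel=None):
    """Build a minimal ServerHello record selecting `version` (test data only).

    A TLS 1.3 ServerHello keeps legacy_version 0x0303 and carries the real
    version in the supported_versions extension (type 0x002b). `sentinel`,
    if given, overwrites the last 8 bytes of random the way a TLS 1.3
    server does when it selects an older version.
    """
    rnd = bytearray(random_bytes)
    if sentinel is not None:
        rnd[24:] = sentinel
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304) if version == 0x0304 else b""
    body = (struct.pack("!H", min(version, 0x0303))     # legacy_version
            + bytes(rnd)
            + b"\x00"                                   # empty legacy_session_id
            + struct.pack("!H", cipher)
            + b"\x00"                                   # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_server_hello(record):
    """Extract negotiated version, cipher suite and random from a ServerHello."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    random_bytes = bytes(body[2:34])
    pos = 35 + body[34]                         # skip legacy_session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                    # cipher suite + compression method
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == 0x002B and elen == 2:       # supported_versions overrides legacy_version
            version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return {"version": VERSIONS.get(version, "0x%04x" % version),
            "cipher": CIPHERS.get(cipher, "0x%04x" % cipher),
            "random": random_bytes}


def check_downgrade(record, client_offered_tls13=True):
    """Verdict a TLS 1.3 client reaches on this ServerHello (RFC 8446 4.1.3)."""
    info = parse_server_hello(record)
    if info["version"] == "TLSv1.3":
        return "ok: TLS 1.3 negotiated with " + info["cipher"]
    if not client_offered_tls13:
        return "ok: client never offered TLS 1.3, sentinel not checked"
    if info["random"][24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return ("abort: server supports TLS 1.3 but negotiated %s "
                "(downgrade sentinel present)" % info["version"])
    return "ok: %s negotiated by a server that does not support TLS 1.3" % info["version"]


SCENARIOS = {
    "tls13": build_server_hello(0x0304, 0x1302, RANDOM),
    "tls12_only_server": build_server_hello(0x0303, 0xC02F, RANDOM),
    "tls13_server_downgraded": build_server_hello(0x0303, 0xC02F, RANDOM, sentinel=DOWNGRADE_TLS12),
    "tls11_downgraded": build_server_hello(0x0302, 0x002F, RANDOM, sentinel=DOWNGRADE_TLS11),
}

if __name__ == "__main__":
    for name, hello in SCENARIOS.items():
        print("%-24s %s" % (name, check_downgrade(hello)))
```

Note what the check does not catch: a server that genuinely only supports TLS 1.2 never writes the sentinel, so the second scenario is accepted; the protection is against a middlebox stripping 1.3 from the ClientHello of a client talking to a 1.3-capable server, which is exactly the case the slide describes.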
45 DAY ACTION PLAN
YOUR 45 DAY ACTION PLAN
• Outbound: HR and Legal must be consulted to ensure user privacy is respected and preserved.
• Inbound: Obtaining keys/certificates, how will you keep them secure, how will you keep them updated
• Map your SSL footprint = Risk Exposure
• Decrypt once, feed many vs. decryption in many places in the network
• Performance impact of decryption on existing network/security devices
• Local regulations and compliance requirements
MAP YOUR INBOUND SSL/TLS FOOTPRINT
Where and how many SSL/TLS-enabled entities? What are all the systems involved in SSL/TLS through the DMZ? (e.g. firewall, load balancer, WAF, etc.)
What are the security controls that need visibility into encrypted traffic?
How will you track keys and certificates? How frequently are they renewed and rekeyed?
Who and how many are responsible for each key and certificate?
How will you get them? How will you transfer keys and certificates?
How will you update keys and certificates?
MAP YOUR OUTBOUND SSL/TLS FOOTPRINT
% of total North-South traffic that is SSL/TLS encrypted
• SSL versions seen on the networks
  • SSL versions have known vulnerabilities.
  • SSL: Bad; TLS: Good
  • BP: Do not allow known bad protocols
• Certificate status
  • Valid certificates vs. invalid certs
  • Should not see any traffic with an invalid certificate.
  • BP: Do not allow “not-valid” cert traffic
• SSL/TLS traffic that isn’t on port 443; non-SSL traffic that is using port 443
• Protocol versions in use
• Ciphers used
  • Strong vs. weak cipher suites
  • Logjam/FREAK/Heartbleed
  • BP: Do not allow connections with weak ciphers
• Top N
  • SSL sites by request
  • Users of SSL/TLS traffic
  • North-South communication
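The checklist above is what a TLS-aware sensor or flow export should be able to answer. The Python below is an added example, not the deck's or either vendor's code: it runs that checklist over a handful of constructed connection records (documentation IP ranges, example hostnames, and field names that are my assumptions rather than any product's schema), reports the share of TLS traffic with the top sites and users, and flags the best-practice violations the slide names: deprecated protocol versions, weak cipher suites, invalid certificates, TLS on a non-standard port and non-TLS traffic on 443. The port-mismatch checks rely on recognising a ClientHello from its first bytes rather than from the port, which is how encrypted traffic that is not on 443 gets found at all.

```python
"""Outbound SSL/TLS footprint inventory.

Added example, not the deck's or either vendor's code. It runs the
slide's checklist over constructed connection records; the field names
are assumptions about what a TLS-aware sensor or flow export provides,
not any product's real schema.
"""
from collections import Counter

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings marking export-grade, broken or unauthenticated suites (3DES included)
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXPORT", "EXP-", "NULL", "MD5", "ANON")

# Constructed first bytes of a TLS ClientHello: record type 0x16 (handshake),
# record version 0x0301, record length, handshake type 0x01, handshake length, version.
HELLO = bytes.fromhex("160301" "00c8" "01" "0000c4" "0303")

# Constructed sample records: source host, destination (SNI or IP), port,
# first payload bytes, negotiated version/cipher and certificate validity.
CONNECTIONS = [
    {"src": "10.1.1.10", "dst": "google.com", "port": 443, "first_bytes": HELLO,
     "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert_valid": True},
    {"src": "10.1.1.10", "dst": "outlook.com", "port": 443, "first_bytes": HELLO,
     "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "cert_valid": True},
    {"src": "10.1.1.11", "dst": "dropbox.com", "port": 443, "first_bytes": HELLO,
     "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "cert_valid": True},
    {"src": "10.1.1.11", "dst": "google.com", "port": 443, "first_bytes": HELLO,
     "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert_valid": True},
    # TLS to a bare IP on 8443 with an old protocol, RC4 and an invalid cert
    {"src": "10.1.1.12", "dst": "203.0.113.7", "port": 8443, "first_bytes": HELLO,
     "version": "TLSv1.0", "cipher": "RC4-SHA", "cert_valid": False},
    # plain HTTP sent to port 443
    {"src": "10.1.1.13", "dst": "198.51.100.20", "port": 443, "first_bytes": b"GET / HTTP/1.1\r\n",
     "version": None, "cipher": None, "cert_valid": None},
    {"src": "10.1.1.14", "dst": "legacy.example.com", "port": 443, "first_bytes": HELLO,
     "version": "SSLv3", "cipher": "DES-CBC3-SHA", "cert_valid": True},
]


def is_tls_client_hello(data):
    """Port-independent test: does this payload start like a TLS ClientHello?"""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def findings_for(conn):
    """Best-practice violations for one connection, in the slide's terms."""
    out = []
    tls = is_tls_client_hello(conn["first_bytes"])
    if conn["port"] == 443 and not tls:
        out.append("non-TLS traffic on port 443")
    if conn["port"] != 443 and tls:
        out.append("TLS traffic on non-standard port %d" % conn["port"])
    if conn["version"] in DEPRECATED_VERSIONS:
        out.append("deprecated protocol %s" % conn["version"])
    cipher = (conn["cipher"] or "").upper()
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        out.append("weak cipher %s" % conn["cipher"])
    if conn["cert_valid"] is False:
        out.append("invalid certificate")
    return out


def footprint(conns, top_n=3):
    """Summarise the outbound footprint: share of TLS, versions, top N, findings."""
    tls = [c for c in conns if is_tls_client_hello(c["first_bytes"])]
    findings = {}
    for idx, conn in enumerate(conns):
        problems = findings_for(conn)
        if problems:
            findings[idx] = problems
    return {
        "total": len(conns),
        "tls": len(tls),
        "pct_tls": round(100.0 * len(tls) / len(conns), 1) if conns else 0.0,
        "versions": Counter(c["version"] for c in tls),
        "top_sites": Counter(c["dst"] for c in tls).most_common(top_n),
        "top_users": Counter(c["src"] for c in tls).most_common(top_n),
        "findings": findings,
    }


if __name__ == "__main__":
    summary = footprint(CONNECTIONS)
    print("%d of %d connections are TLS (%.1f%%)" % (summary["tls"], summary["total"], summary["pct_tls"]))
    print("versions :", dict(summary["versions"]))
    print("top sites:", summary["top_sites"])
    print("top users:", summary["top_users"])
    for idx, problems in summary["findings"].items():
        c = CONNECTIONS[idx]
        print("%s -> %s:%d  %s" % (c["src"], c["dst"], c["port"], "; ".join(problems)))
```

Fed with a real export, the same structure answers the slide's questions directly: the percentage line is the "% of North-South traffic" figure, the version and cipher findings are the candidates for the "do not allow" policies, and the invalid-certificate and non-443 findings are the first connections worth a closer look.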
THANK YOU
Manoj Sharma | Technical Director | Symantec Corp
Mark Sanders | Lead Security Architect | Venafi