How can you spot malware lurking in encrypted traffic?

Encryption is an important tool in maintaining privacy. It protects our data from prying eyes. It prevents people from stealing our credit card information, app usage habits, or passwords.
According to a recent report, encryption has become so important that half of all internet traffic was encrypted by February 2012. Encryption is now a legal requirement for certain types of traffic.
Gartner predicts that more than 80 percent of enterprise web traffic will be encrypted by 2019. This is a great benefit for privacy-conscious individuals, but IT departments will be confronted with a huge influx of traffic they cannot inspect without decryption technology.
This means encryption can be used by both good guys and bad guys. Encryption can conceal malware as well as your secrets. This opened up a whole new world of worms (and trojans and viruses) for IT managers.
“Gartner predicts that half the malware campaigns in 2019 will use encryption to conceal delivery, command and control activity or data exfiltration,” said TK Keanini, principal engineer at Cisco, who launched a new product this week to combat the threat.
Malware makers are aware of this and are taking advantage of it. Gartner says that initial delivery of malware via encrypted web channels is increasing as HTTPS takes over from HTTP.
“Sites like Facebook, Twitter, LinkedIn, and Google all use SSL, but have in the past fallen prey to threats like likejacking, malware spread, and spam,” says Alan Cain, Security Manager at media company Racing Post. He says that encrypted malware is the industry’s greatest threat because 80 percent of security systems fail to recognize and prevent threats in SSL traffic.
Gartner predicts that more than 60% of organizations will not be able to decrypt HTTPS traffic effectively by 2020, “missing most targeted malware.” Gartner predicts that encrypted traffic will contain more than 70% of web malware by 2020, and that the support for decryption systems will diminish. This is a problem that even the most powerful IT departments cannot ignore.
This problem was previously solved by decrypting the traffic and looking at it with next-generation firewalls. This process is slow and requires additional devices to be added to your network. With the constantly changing threat landscape, it is becoming obvious that security integrated into your network will help you detect all threats, even those hidden in encrypted traffic.
But how do you combat a threat that you can’t see? Cisco experts realized that they needed to search for the shadow of the threat.
Encrypted Traffic Analytics to Detect Threats
Although you can’t look into encrypted traffic, Blake Anderson, a technical leader at Cisco, and David McGrew, a Fellow in the company’s Advanced Security Research Group, found a unique way of looking for clues that might be lurking within.
“Identifying threats within encrypted network traffic poses unique challenges,” Anderson and McGrew admitted in a paper titled ‘Identifying Encrypted Malware Traffic with Contextual Flow Data’ published last October.
They stressed that it is important to monitor traffic for malware and threats, but to do so in a way that preserves the integrity of encryption. The two developed supervised machine-learning models that took advantage of a unique and varied set of network flow data features. These features included TLS handshake metadata, DNS contextual flows linked to the encrypted flows, and the headers of HTTP contextual flows from the same source IP within a five-minute window.
The researchers compared malicious and benign traffic’s use of TLS, DNS and HTTP across millions of unique flows and then identified the most obvious signs of malware.
To ensure that it did not produce false positives, the process was tested against real-world data. The resulting technique, Encrypted Traffic Analytics (ETA), looks for telltale signs in three elements of encrypted data.
The first is the initial data packet of the connection, which may contain valuable information about the rest of the flow. The second is the sequence of packet lengths and times, which provides vital clues to the contents of the traffic even though the flow itself is encrypted.
ETA then checks the distribution of byte values in the payloads of the packets in the flow being analyzed. This network-based detection process is enhanced by machine learning, and its effectiveness improves over time.
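To make the features described above concrete (the initial data packet, the sequence of packet lengths and times, the byte distribution, and the DNS/HTTP context within a five-minute window), here is an added illustrative extractor written for this article; it is not Cisco's ETA code or the paper's implementation, and the flow, payload bytes, IP addresses and context records are constructed, not captured. The Markov transition matrix over binned lengths is one common way to turn a variable-length SPLT into a fixed-size vector, not a claim about what ETA does internally.

```python
import math
from collections import Counter

# Constructed TLS flow (not captured): (direction, length, time_s, payload); +1 = client->server.
FLOW = [
    (+1, 517, 0.000, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(range(40))),
    (-1, 1460, 0.045, b"\x16\x03\x03\x05\xaf\x02\x00\x00\x4d\x03\x03" + bytes(range(40))),
    (+1, 93, 0.047, b"\x16\x03\x03\x00\x58\x10" + bytes(range(40))),
    (-1, 51, 0.090, b"\x17\x03\x03\x00\x2e" + bytes(range(40))),
    (+1, 1200, 0.300, b"\x17\x03\x03\x04\xab" + bytes(range(40))),
]
# Constructed DNS/HTTP records from the same network segment (src, time_s, kind, detail).
CONTEXT = [
    {"src": "10.0.0.5", "time": 1000.0, "kind": "dns", "detail": "example.test"},
    {"src": "10.0.0.5", "time": 700.0, "kind": "http", "detail": "User-Agent: constructed/1.0"},
    {"src": "10.0.0.9", "time": 1001.0, "kind": "dns", "detail": "other.test"},
]

def idp_features(first_payload):
    # Initial Data Packet: TLS record type/version and handshake type are sent in the clear.
    if len(first_payload) < 6 or first_payload[0] != 0x16:
        return {"tls": False}
    version = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2"}.get(
        int.from_bytes(first_payload[1:3], "big"), "unknown")
    return {"tls": True, "record_version": version, "client_hello": first_payload[5] == 0x01}

def splt(flow, n=10):
    # Sequence of Packet Lengths and Times: signed length (sign = direction), inter-arrival ms.
    times = [t for _, _, t, _ in flow[:n]]
    return [(d * l, round((t - times[i - 1]) * 1000, 1) if i else 0.0)
            for i, (d, l, t, _) in enumerate(flow[:n])]

def splt_markov(lengths, bin_size=150, max_len=1500):
    # Markov transition matrix over binned lengths: a fixed-size vector for a variable-length SPLT.
    nbins = max_len // bin_size
    bins = [min(abs(l), max_len - 1) // bin_size for l in lengths]
    m = [[0.0] * nbins for _ in range(nbins)]
    for a, b in zip(bins, bins[1:]):
        m[a][b] += 1
    return [[v / sum(row) for v in row] if sum(row) else row for row in m]

def byte_distribution(payloads):
    # 256-bin normalised byte histogram plus Shannon entropy (bits/byte); ciphertext sits near 8.
    counts = Counter(b for p in payloads for b in p)
    total = sum(counts.values())
    dist = [counts.get(i, 0) / total for i in range(256)]
    return dist, -sum(p * math.log2(p) for p in dist if p)

def context_flows(events, src_ip, flow_start, window_s=300):
    # DNS/HTTP events from the same source IP within the five minutes before the encrypted flow.
    return [e for e in events if e["src"] == src_ip and 0 <= flow_start - e["time"] <= window_s]
```

The feature vectors these functions return (header fields, SPLT, transition matrix, histogram, context records) are what a supervised classifier of the kind the paper describes would be trained on; the classifier itself is out of scope here.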
Cisco will make Encrypted Traffic Analytics available this week by pairing the enhanced NetFlow from Cisco’s new Catalyst® 9000 switches and Cisco 4000 Series Integrated Services Routers with the advanced security analysis of Cisco Stealthwatch.
Prashanth Shenoy is the vice president of Marketing, Enterprise Networks and IoT at Cisco. He says that Cisco continues to improve security in its network devices by leveraging its best-of-breed security portfolio. The result is a comprehensive threat defence architecture that uses the network to detect and respond to all threats.
In a nutshell: all traffic passing through Cisco devices around the world will now be feeding intelligence to a massive threat detection network that can detect and stop any threats, anywhere, anytime.
Shenoy explains, “It’s almost like watching people argue. You may not be hearing what they are saying, but you can see what their gestures and expressions mean.”
Shenoy says Cisco is uniquely positioned to provide ETA for its customers, both current and future. “Our new hardware with our newest chip is the only way to be able to perform the analysis in real time at high speeds without slowing down traffic.”

Author: Victoria