
Assessing the rising threat of encrypted tunnels

21 Feb 2018

Article written by Venafi senior technical manager Nick Hunter

Encryption is a double-edged sword. It can be a powerful security tool or a weapon, depending on who’s controlling it. Although encryption is a vital security measure for organisations, cyber attackers are becoming increasingly proficient at accessing and hiding in the ‘tunnels’ it creates. Once attackers gain access to these encrypted highways, they are shielded and can move around an organisation undetected.

Unfortunately, many organisations are oblivious to the cyber attackers using these tunnels. According to a recent survey, nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.

From the outside, these tunnels simply appear to contain everyday business information, but they hide something more sinister within. Encryption offers the perfect cover for cybercriminals, and companies are vulnerable unless they take the time to check their encrypted data.

Organisations are aware this is a possibility. Approximately 90% of CIOs say they have already been attacked, or expect to be attacked, by cybercriminals hiding in encrypted traffic. But what does this really mean for organisations? Without proper insight into encrypted tunnels, cyber attackers have the opportunity to use them against a business in five key ways:

1. Accessing endpoints

Organisations build virtual private networks with Internet Protocol Security (IPsec) to protect traffic that crosses the internet. Because these tunnels typically run from a remote site straight into the central network, a compromised tunnel endpoint gives an attacker a ready-made entry point from which to explore systems and establish a base.

On its own, this type of attack usually compromises only the tunnel's endpoints, but it is often the first step of a more sophisticated intrusion.

2. Undetectable movement across networks

Large organisations connect multiple offices and business partners over their virtual private networks, which are the most flexible and adaptable option. The same tunnels are also a convenient way for cybercriminals to move from site to site within the network.

After compromising an initial internal system, cybercriminals can use these tunnels to hide their attempts to reach other devices and segments of the network. Traffic inside site-to-site tunnels is rarely inspected, so the attackers go undetected.

3. Privileged access to payloads

The tunnels created by Secure Shell (SSH) are a goldmine for attackers. SSH keys grant administrators privileged access to applications and systems without any manually typed credentials.

An attacker who steals such a key inherits that access, and can use the resulting SSH sessions to move malicious payloads between file servers and applications without being detected.

4. Listening in and stealing your data

The most common tunnels are Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). These provide a secure session between a browser and an application server, for example to protect web-based transactions such as payments.

An attacker who obtains a certificate the victim's browser trusts, or who steals a server's private key, can mount a man-in-the-middle attack, eavesdrop on the encrypted traffic and steal data. A stolen private key also lets the attacker decrypt captured sessions after the fact, unless those sessions used a forward-secret key exchange, in which case only active interception remains possible.

5. Setting up phishing websites

Attackers often use stolen or compromised certificates to establish an identity that the victims’ browsers will trust – setting up a phishing website on the internet or an organisation’s intranet.

Victims access the malicious site and, believing they are connected to a trusted machine, share sensitive data with the attackers. Since HTTPS sessions are trusted and are therefore rarely inspected, these attacks can go undetected.

Avoiding ‘The Great Escape’ in your systems

As key and certificate use grows, so does the number of opportunities for cybercriminals – any type of encrypted tunnel can be misused in a cyber-attack. Typically, organisations manage hundreds of thousands of the keys and certificates that provide them with secure access and communications, with new ones created and revoked every day.

In fact, two-thirds (66%) of the security professionals attending RSA Conference 2017 said their organisation is planning to increase encryption use. This dramatic rise will only make the job of securing these tunnels more difficult. Simply put, organisations must secure their encrypted tunnels or risk leaving themselves at the mercy of cyber attackers.

But all is not lost, as there is a way to counter this pressing threat. Organisations can now implement centralised intelligence and automated systems that keep every security tool supplied with a continuously updated list of the keys and certificates it needs in order to inspect encrypted traffic.

By automatically discovering every key and certificate generated by your organisation, and feeding that inventory into your security tools, you can finally shine a light into your encrypted tunnels.
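The "discover every key and compare it with an inventory" idea above, applied to the SSH keys of section 3, as an added example that is not code from the article or from Venafi. It parses an OpenSSH authorized_keys file, computes the same SHA256 fingerprint that ssh-keygen reports, checks each installed key against an approved-key inventory, and flags keys that are unknown or that carry no from= or command= restriction. The key material, the owner names and the sample file are all constructed here for the demonstration; the raw 32-byte values stand in for real Ed25519 public keys.

```python
"""Audit OpenSSH authorized_keys entries against an approved-key inventory.

Added example, not the article's or Venafi's code. All key blobs, owner
names and the sample authorized_keys file are constructed assumptions.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores for an ssh-ed25519 key.
    The caller supplies the 32 raw key bytes (constructed in this demo)."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment lines.
    The options field may contain quoted strings with spaces, e.g. command="..."."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # A leading options field: read until the first unquoted whitespace.
        in_quote = False
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                break
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], base64.b64decode(parts[1]), comment


def audit(authorized_keys_text: str, approved: dict) -> list:
    """Compare every installed key with the inventory (fingerprint -> owner).
    Returns one (kind, fingerprint, detail) finding per key entry, where kind
    is 'ok', 'unknown' or 'unrestricted'."""
    findings = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        options, _key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append(("unknown", fp, f"not in inventory (comment {comment!r})"))
        elif "from=" not in options and "command=" not in options:
            # A stolen copy of this key gives a full shell from anywhere.
            findings.append(("unrestricted", fp,
                             f"{approved[fp]} has no from= or command= restriction"))
        else:
            findings.append(("ok", fp, approved[fp]))
    return findings


# Constructed demo keys: the raw bytes stand in for real Ed25519 public keys.
ADMIN_BLOB = make_ed25519_blob(bytes(range(32)))
BACKUP_BLOB = make_ed25519_blob(bytes(range(32, 64)))
ROGUE_BLOB = make_ed25519_blob(bytes(32))


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Inventory as a key-management system might export it (constructed).
APPROVED = {
    fingerprint(ADMIN_BLOB): "admin@bastion",
    fingerprint(BACKUP_BLOB): "backup-job@fileserver",
}

# Constructed authorized_keys file as found on a server.
SAMPLE_AUTHORIZED_KEYS = f"""
# root's keys
ssh-ed25519 {_b64(ADMIN_BLOB)} admin@bastion
from="10.0.5.0/24",command="/usr/local/bin/rsync-only" ssh-ed25519 {_b64(BACKUP_BLOB)} backup-job@fileserver
ssh-ed25519 {_b64(ROGUE_BLOB)} deploy@unknown
"""

if __name__ == "__main__":
    for kind, fp, detail in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"{kind:12} {fp}  {detail}")
```

Running the file reports the admin key as unrestricted, the backup key as ok and the third key as unknown. Against a real fleet the same loop would run over every user's authorized_keys file and the inventory would come from the key-management system, which is exactly the integration the article calls for.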
