When to Decrypt and What to Decrypt For Cyber Security

Monday, August 7, 2017
When to Decrypt

This is part of a Black Hat interview with Hardik Modi, Vice President, Threat Intelligence, that originally ran at https://www.blackhat.com/sponsor-interview/05262017.html#fidelis

Question: There's been a push to encrypt everything on the Internet in recent years. How are threat actors exploiting the trend and what security capabilities are needed to stop them?

Threat Expert’s View: It's certainly true that the use of network encryption has risen rapidly over the past few years on the Internet at large. A very broad range of threat actors have taken advantage of the easy availability of signed certificates from trusted certificate authorities (CAs). They use these certificates to deceive users by appearing to be from popular sites like PayPal and to encrypt the delivery of malware and command-and-control communications.

The barriers to acquiring a trusted certificate have lowered over the years. There's been a transition away from self-signed certificates - which were trivial to spot - to the use of trusted certificates.

In terms of capabilities, I have long believed that enterprises need to actively manage encrypted traffic. It is preferable to decrypt that traffic for analysis at trust boundaries. This needs to be done in a safe manner. Vendors and users that implement decryption technology and processes need to be aware of the significant responsibility that comes with such decryption. But it's my opinion that enterprises should absolutely use their right to inspect traffic on their networks with the goal of protecting their cyber environment.

But whether or not they decrypt, organizations also need to manage certificate use within the environment. The CA breaches of 2011 should have taught us that even certificates deemed trusted at a given moment are potentially masking malicious activity. Therefore, broad, pervasive and preferably historical visibility into all manner of certificates used in the environment is hugely valuable. This includes network traffic but also includes executables and popular applications. Such data is valuable in an incident response scenario. However, from an active protection standpoint, organizations will want the ability to apply threat intelligence to such certificates, especially since researchers are publishing known malicious certificate details.
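The last paragraph of the interview describes a capability rather than an implementation: keep a historical inventory of every certificate seen in the environment (on the wire and in signed executables) and apply published malicious-certificate intelligence to it. The following script is an added example written for this page; it is not code from the interviewee or from any vendor. All of the data in it is constructed: the sightings, the hosts, the CA and subject names, the "threat intel" feed and the `fake_fingerprint()` helper (which hashes a label instead of a real DER-encoded certificate so the sample runs offline). The `WATCHED_BRANDS` allow-list and the three finding types are assumptions chosen to illustrate the points the interview makes: known-malicious fingerprints from a feed, self-signed certificates (still worth flagging even though attackers have moved to CA-issued ones), and CA-issued certificates whose names impersonate a brand.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed allow-list: brand names worth watching in certificate subjects,
# mapped to the domains legitimately entitled to carry that name.
WATCHED_BRANDS = {"paypal": {"paypal.com", "www.paypal.com"}}


def fake_fingerprint(label: str) -> str:
    """Constructed stand-in for a SHA-256 certificate fingerprint.

    A real inventory hashes the DER-encoded certificate; here a label is hashed
    so the sample data is reproducible without embedding real certificates."""
    return hashlib.sha256(label.encode()).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Feeds publish fingerprints as 'AB:CD:..' or 'abcd..'; compare on one form."""
    return fp.replace(":", "").replace(" ", "").lower()


# Constructed sightings (not real telemetry): one record per time a certificate
# was observed, either in a TLS handshake or as the signer of an executable.
OBSERVATIONS = [
    {"ts": "2017-07-28T08:02:00Z", "source": "tls", "host": "10.0.1.15",
     "subject_cn": "www.paypal.com", "issuer_cn": "Trusted Public CA G2",
     "sha256": fake_fingerprint("legit-paypal")},
    {"ts": "2017-08-01T12:40:00Z", "source": "tls", "host": "10.0.1.22",
     "subject_cn": "secure-paypal-login.example", "issuer_cn": "Trusted Public CA G2",
     "sha256": fake_fingerprint("lookalike")},
    {"ts": "2017-08-03T03:15:00Z", "source": "tls", "host": "10.0.2.7",
     "subject_cn": "updates.example.net", "issuer_cn": "updates.example.net",
     "sha256": fake_fingerprint("self-signed-c2")},
    {"ts": "2017-08-05T03:15:00Z", "source": "tls", "host": "10.0.2.7",
     "subject_cn": "updates.example.net", "issuer_cn": "updates.example.net",
     "sha256": fake_fingerprint("self-signed-c2")},
    {"ts": "2017-08-04T17:20:00Z", "source": "executable", "host": "10.0.1.22",
     "subject_cn": "Acme Softworks Ltd", "issuer_cn": "Trusted Code Signing CA",
     "sha256": fake_fingerprint("stolen-codesign")},
]

# Constructed intel feed: fingerprints researchers have tied to malware delivery
# or C2, deliberately in the two formats feeds actually use.
MALICIOUS_CERT_INTEL = {
    ":".join(fake_fingerprint("stolen-codesign")[i:i + 2] for i in range(0, 64, 2)).upper():
        "code-signing certificate abused to sign malware",
    fake_fingerprint("self-signed-c2"): "self-signed certificate used for C2",
}


@dataclass
class CertRecord:
    sha256: str
    subject_cn: str
    issuer_cn: str
    first_seen: str
    last_seen: str
    sightings: int = 0
    sources: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


def build_inventory(observations):
    """Fold sightings into one record per certificate: first/last seen, how
    often, in which sources (network vs executable) and on which hosts.
    This is the 'historical visibility' an incident responder asks for."""
    inventory = {}
    for obs in sorted(observations, key=lambda o: o["ts"]):  # ISO timestamps sort lexically
        fp = normalize_fingerprint(obs["sha256"])
        rec = inventory.get(fp)
        if rec is None:
            rec = CertRecord(fp, obs["subject_cn"], obs["issuer_cn"], obs["ts"], obs["ts"])
            inventory[fp] = rec
        rec.last_seen = obs["ts"]
        rec.sightings += 1
        rec.sources.add(obs["source"])
        rec.hosts.add(obs["host"])
    return inventory


def assess(inventory, intel):
    """Apply the intel feed plus two heuristics to every inventoried certificate.
    Returns {fingerprint: [finding, ...]} for certificates with at least one finding."""
    intel_norm = {normalize_fingerprint(k): v for k, v in intel.items()}
    findings = {}
    for fp, rec in inventory.items():
        hits = []
        if fp in intel_norm:
            hits.append(f"known_malicious: {intel_norm[fp]}")
        if rec.subject_cn == rec.issuer_cn:  # subject == issuer: self-signed (or a root CA)
            hits.append("self_signed")
        cn = rec.subject_cn.lower()
        for brand, allowed in WATCHED_BRANDS.items():
            if brand in cn and cn not in allowed:  # brand name on a domain the brand doesn't own
                hits.append(f"brand_lookalike: {brand}")
        if hits:
            findings[fp] = hits
    return findings


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for fp, hits in assess(inv, MALICIOUS_CERT_INTEL).items():
        rec = inv[fp]
        print(f"{fp[:16]}.. {rec.subject_cn!r} first={rec.first_seen} last={rec.last_seen} "
              f"hosts={sorted(rec.hosts)} sources={sorted(rec.sources)}")
        for h in hits:
            print("   -", h)
```

Two design points matter in practice. Fingerprints must be normalized before comparison, because feeds are inconsistent about colons and case and a missed match here is a silent false negative. And the inventory is keyed on the certificate, not the host: when a fingerprint later lands on an intel list, `first_seen`, `hosts` and `sources` answer the incident-response questions (when did this first appear, where, on the wire or in a binary) directly from data the organization already collected.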