Join Us at Our Upcoming Events Events
Skip to Main Content

3 Levels of Encrypted Traffic Analysis for Security

Gaining visibility into encrypted network traffic, for security and performance, is arguably more crucial than ever. Privacy demands drove encryption to record levels, and encryption blocks threat detection through traditional approaches.

Now Encrypted Traffic Analysis (ETA) breaks down this barrier to investigation and gives power (and visibility) back to network defenders, regardless of encryption.

What is Encrypted Traffic Analysis?

The ETA approach is most common in Network Detection and Response (NDR) platforms, which continually ingest data at wire speed and use AI-powered machine learning to rapidly analyze network behaviors for threats.

Gartner Senior Director Security Analyst Nat Smith recently explained which types of organizations are implementing Network Detection and Response tools:

“NDR has embraced AI more than I’ve seen in almost any other technology…AI is the heart and soul of NDR, and buyers recognize that. For buyers that are looking for security that’s going to be edgy, and kind of take me to places that I haven’t been before and embrace that concept of new technology, then AI in NDR is a great place for them.”

However, if you are evaluating NDR platforms, be aware there are three levels of ETA, and security vendors are at widely varying stages of maturity. Let’s look at what is possible with each group.

What are the 3 levels of Encrypted Traffic Analysis?

Let’s briefly explore each level of ETA and some examples of capabilities that come with each stage of maturity.


  • Level 1: Traffic Analysis

At this stage, you can analyze the information available on the network transactions, like IP addresses, ports, and protocols. Each machine has a protocol fingerprint based on the services it utilizes or provides. 

With this level of analysis, you can also look at the pattern of life or time of day details of traffic to detect the unusual and potentially malicious. Level 1 can also help defend against “low and slow” attacks and small data transfers happening over time, often linked to data exfiltration.

  • Level 2: Certificate Analysis

Defending against TLS fingerprinting is an example of what’s possible if your NDR has level two ETA analysis.  

The encryption software libraries used by malware often differ from the encryption libraries used by browser, apps, and other legitimate software. When beaconing activity identifies a suitable command host, an encrypted C2 protocol initiates a secure connection using these same libraries. These events create a distinctive signature that can be identified on the network. Level two also protects against tunneling attacks, including DNS tunneling.  

  • Level 3: Deep Packet Dynamics

At this highest level of Encrypted Traffic Analysis, security teams easily detect attackers attempting to hide within encryption and the moves of insider threats as well.

One example is related to command and control (C2) communications. Due to the specific nature of the C2 orders, the number and size of the packets exchanged over this connection often have characteristic signatures that distinguish them from typical web traffic. Here, real-time analysis of packet traits can yield signature deviations that point to C2 activity. 

Another example is the ability to detect data exfiltration to the cloud. Each cloud application has a highly recognizable packet dynamics fingerprint tied to typical use. This makes it possible to uncover the work of a potential threat actor (or insider) whose behavior deviates from normal network traffic baselines.

These are just a few citations of what is possible with ETA.

The NDR platform with all three levels of ETA

LiveAction’s NDR platform, called ThreatEye, automatically delivers all three levels of encrypted traffic analysis and is on the cutting edge of advanced threat detection.

“In our approach, what we do is we look at traffic traits and characteristics. And we look at 150 plus different ways that traffic can be measured without looking at the contents. So it’s equally effective on unencrypted traffic and encrypted traffic. To invest in a security platform that isn’t looking at or is unable to detect threats within encrypted traffic will actually put you at a disadvantage long term.” – Thomas Pore, Director of Product, LiveAction

This notion is especially true considering that more than 90% of malware arrived within encryption during Q2, 2021. Our latest white paper examines the risk of using outdated tools against evolving threats.

Perhaps it’s time to explore NDR platforms that continuously monitor your environment. Network defenders gain visibility into all network traffic, for security and performance, with ThreatNV