Leveraging Encrypted Traffic to Detect Attacks
It is a growing problem that increases security analyst frustration and boosts business risk simultaneously. Encrypted traffic blocks threat detection.
Your team knows someone breached the organization’s environment, but the investigation and scoping hit a wall.
“I can’t do my job because I can’t see what’s going on,” Joe Hladik of the LiveAction ThreatEye team regularly hears. “And the reason they can’t see is encryption.”
Encrypted Network Traffic Continuing to Increase
Google says 95% of internet traffic is now encrypted, and that number continues to rise.
And rising along with encryption levels? Challenges for cybersecurity teams.
“Now there’s an active attacker in my environment, but I’m not going to see the analysis of the data or have a real-time understanding of what’s going on.”
So how can today’s analysts leverage encrypted data to give them actionable insights during an attack? Let’s look at an exciting possibility.
Encrypted Traffic Analysis Detects Attacks
Gartner is seeing rapid adoption of Network Detection and Response (NDR) platforms to solve this encryption challenge. And within the NDR space, a specific approach stands out.
“Being able to detect malicious content without decrypting the traffic is quickly becoming important to buyers, not because they are discovering this gap anew, but because they are discovering the availability of this capability… and this will soon be considered mandatory functionality for NDR buyers.” – Gartner
Detecting Threats Within Encryption
On the forefront of detecting threats without decryption is Joe Hladik, Director of the LiveAction NDR platform, ThreatEye NV. He explains how this approach uncovers what defenders need.
“Scoping an attack is one of the primary exercises to employ during any incident that occurs. You need to understand the external attack vector to identify the point of ingress and then continue scoping to monitor and determine the impact on the internal network environment.
Current encryption measures make it difficult to gather the context of the occurring activity. Organizations often employ decryption measures that are expensive and lead to additional vulnerable areas to gain the context they need to monitor and investigate.
We provide context and visibility regardless of the network traffic being encrypted. We developed Machine Learning analyzers trained to detect nefarious activity. Examples include phishing, ransomware indicators, and a library of behavioral analytics gathered over time to identify anomalous activity within a network environment.
We fill in the context gap through event correlation. This context would otherwise be missing when analyzing encrypted traffic.”
Instead, ThreatEye NV uses Encrypted Traffic Analysis (ETA), which analyzes behavior to reveal attackers in your network. Software probes generate high-fidelity metadata, and long-term behavior analysis creates a detailed baseline. Our Event Correlation Engine (ECE) then pulls everything together. Read more, here.
“We are solving investigation management for analysts and the contextual problem of scoping a compromise,” Hladik says.
More: Finding Cyberthreats Within Encryption
You can now detect advanced threats despite encryption because of Encrypted Traffic Analysis. There is no reason to break encryption or require packet inspection to achieve security objectives. Now you can choose to analyze traffic behavior instead.
For more on this topic, download the white paper: Removing Encryption as a Barrier to Investigation.