I recently moderated a discussion between Cygilant’s Dr. Ben Harrison, Global SOC & Security Operations and Barac CEO, Omar Yaacoubi, on the good, bad and ugly of encryption. Here are some of the questions asked of our experts.
You can watch the webinar below to see why encryption may be your latest threat.
Q: Encrypted malware still must be unencrypted before it can perform its illegal/illegitimate purposes. Can this be prevented by recognizing the originating IP address as a source of malware?
Omar: No, it cannot. With the use of the cloud, we see a surge and peak in command and control and malware activity using IP addresses that are not blacklisted. Attackers can switch their IP addresses using AWS, Azure or any other website where you can acquire your IP address. As a result, IP addresses change all the time, so keeping up with IP blacklisting is impossible. You need to look at the traffic itself, not the IP address.
Ben: Malware is not one thing, and there are so many different types which behave differently. While we are aware of many known servers which malware uses for command and control, in today’s environment with the ability to quickly spin up AWS boxes or communicate via intermediate platforms like Usenet or Twitter, malware that’s any good will use those channels to hide its communications. In this scenario, what are your options? If you see a connection posting a Twitter message, you cannot look inside the encrypted traffic to know whether it’s legitimate or nefarious. That’s why you use a solution like Barac, where you can look at the metadata, then examine the patterns to see if any anomalies exist. Cygilant cybersecurity services can then review the anomalies and investigate more deeply to know if the Tweet is a problem.
Q: When does 1.3 become mandatory?
Ben: People have said before that this will be “soon”, but the reality is it will become mandatory. It is already mandatory for some PCI and SOC standards, which will expand over time. It will primarily be driven by Google, Facebook, and the major Internet vendors, etc., because when they start implementing 1.3 you will have TLS v1.3 encrypted traffic on your network. It’s the big tech giants that dictate policy currently, e.g. when the default installation of Apache, NGINX, or your virtual boxes enable these by default, that’s when it will be default anywhere.
The financial aspect will also drive this. Google already uses the security of your website in its page ranking. If you are using the latest tech, you’ll rank higher. If your site looks suspicious, you’ll rank lower. For many in the sales market, that will be the driver.
Q: What level in the network layer does Barac get metadata from?
Omar: We get the metadata from Layer 2 – everything related from the handshake to the TCP headers that are not encrypted. Once the handshake is done, we collect all the metadata (the Client Hello, Server Hello, and more), and put it back together to rebuild the traffic between the client and the server. While rebuilding, we look at different attributes including time to respond, how it responded, bytes distribution and more.
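Omar’s answer above turns on the fact that the TLS handshake metadata travels in the clear. As an added illustration (this is example code, not Barac’s or Cygilant’s), the Python below builds a constructed ClientHello record and parses out the fields a passive sensor can read without any key: the SNI, the offered cipher suites and the supported_versions extension, which tells you whether the client is offering TLS 1.3. The hostname and cipher-suite list in the sample are constructed for the example.

```python
import struct

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni, suites, versions):
    """Construct a minimal ClientHello record (sample input only, not real traffic)."""
    host = sni.encode()
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host      # server_name (0x0000)
    ver_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = _ext(0x0000, sni_body) + _ext(0x002B, ver_body)                  # supported_versions (0x002B)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"              # legacy version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)            # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                # record type 0x16 = handshake

def parse_client_hello(record):
    """Extract the plaintext handshake metadata visible to a passive network sensor."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                           # record header (5) + handshake type (1) + length (3)
    legacy_version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32                                         # client random
    p += 1 + record[p]                              # legacy session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]                              # compression methods
    meta = {"legacy_version": legacy_version, "cipher_suites": suites, "sni": None, "supported_versions": []}
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
    while p + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        data = record[p:p + elen]; p += elen
        if etype == 0x0000:                         # server_name: list length, name type, name length, name
            name_len = struct.unpack("!H", data[3:5])[0]
            meta["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 0x002B:                       # supported_versions: 1-byte list length, 2 bytes each
            meta["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    meta["offers_tls13"] = 0x0304 in meta["supported_versions"]
    return meta

# Constructed sample: a client offering TLS 1.3 and 1.2 to a placeholder host.
SAMPLE = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

The same parser applied to the ServerHello side (selected suite, negotiated version) gives the pairing needed to rebuild the session attributes Omar describes, such as response timing.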
Q: How long does detection take if you are using metadata?
Omar: Detection is under a second using Barac.