Omar Yaacoubi, CEO and Co-founder, Barac (www.barac.io) writes for Defence Online and examines the dangers of encrypted malware and how artificial intelligence could play a significant role in combatting its threat.
Cybersecurity and data protection have become a top priority in the UK. Fear of exploitative ransomware attacks, high profile data breaches, sophisticated nation state attacks and the threat of rogue insiders mean the Government must constantly question and re-assess the country’s cyber resilience. Complicating the matter further is the nation’s increasing interconnectedness where the growing number of IOT devices and introduction of smart city initiatives, for example, are creating new vulnerabilities and widening the threat landscape.
Indeed, the MOD spent £165m on its Cyber Programme in 2018. This followed on from the Government’s £1.9 billion pledge to fund cybersecurity as part of its 2016-2021 National Cyber Security Strategy, which began with the formation of the National Cyber Security Centre in 2016. In fact, the NCSC have since developed a ‘cyber fitness’ tool that could make the UK one of the safest places in the world to be online.
Furthermore, in his speech at CYBERUK this year, GCHQ director, Jeremy Fleming’s stated the UK needed to initiate a new form of security in order to be considered a ‘Cyber Power’, which would include protecting “the digital homeland”, fostering “public trust” and having the ability “to project cyber power to disrupt, deny or degrade our adversaries.” To achieve this, he intends to bring cybersecurity expertise and policy making closer together.
The Government is right to take a more proactive approach, especially in the wake of some high-profile, high-impact attacks such as the 2017 WannaCry incident, the careless abandonment of the unencrypted Heathrow USB stick containing invaluable security data, and the more recent WhatsApp vulnerability. The 2019 Cyber Security Breaches survey also found that spyware or malware attacks, including ransomware, were identified by 27% of businesses over the past year, and Accenture found that the average number of security breaches in 2018 was up 11% to 145 at an average cost of $13m.
As part of the Government’s efforts to ensure a more cyber secure UK, the introduction of encryption and stricter compliance regulations such as GDPR for businesses and organisations, including local and central government departments and the military, has indeed meant more data privacy and security. But encryption is a double-edged sword.
A new cyber threat
The rising use of encryption in an effort to safeguard privacy and data has also ironically and unintentionally given hackers the perfect place to hide a new type of threat: encrypted malware.
Hackers have found a new attack vector and are hiding their malicious code amongst regular encrypted traffic, exploiting the impenetrable data that makes encryption so attractive. This is a growing concern with Vanson Bourne finding that 90% of organisations had experienced – or expect to experience – a network attack using the commonly deployed Secure Sockets Layer (SSL) encryption or its successor, Transport Layer Security (TLS) encryption by the end of the year.
Whilst SSL/TLS is now commonplace, with up to 93% of websites now using it to secure data, research also found that encrypted malware attacks were up 27% in 2018, with more than 2.8 million attacks detected worldwide in 2018.
These encrypted malicious payloads are nearly impossible to detect with traditional methods since they are hidden amongst regular encrypted traffic traversing a network. Many organisations, therefore, turn to decryption to see inside encrypted traffic to search for and stop this hidden malware from reaching its destination; but it comes with many flaws.
Decryption can’t keep up
In order to spot this hidden malware, the traffic has to inspected, and since it is encrypted, this means it first needs to be decrypted. Not only does this decryption process – where traffic has to be decrypted, inspected, the ‘bad’ traffic stopped and the ‘good’ traffic forwarded to its intended destination – put an enormous strain on a security device as using ciphers to decrypt and inspect SSL/TLS traffic correctly is extremely CPU-intensive, but it could also be putting organisations in breach of the very regulations that are intended to protect sensitive data.
Firstly, the effect on network performance will only be exacerbated as traffic volumes continue to grow. The reality is that there are very few devices which can inspect encrypted data without it negatively impacting network performance. According to a recent NSS Labs test, the performance hit for deep packet inspection is 60%, connection rates dropped by an average of 92% and response time increased by 672%. Since uninspected traffic cannot be allowed to flow freely through the network and no organisation wants to suffer from its own denial-of-service outage as a result of security tools no longer being able to content with the network’s performance requirements, this is a concerning problem.
What’s more, even when an organisation has the capabilities to inspect all of their traffic through decryption, they could still face another problem. In decrypting all the traffic to find the malicious code, all data, even sensitive data, could appear in plain text. This not only makes the data vulnerable to further attack, but could also putting that organisation in breach of compliance regulations.
Where do organisations turn to then, in order to find the malware, without affecting network performance or putting data at risk?
AI is the way forward
By looking to emerging technology and solutions such as behavioural analytics and AI, it is possible to scan and stop encrypted malware in real time, without the need for decryption.
A new technique known as Encrypted Cognitive Analytics has been developed that analyses the traffic metadata, rather than the data itself, to detect attacks hidden in encrypted traffic. It has been discovered that every attack has its own SSL metadata signature between the user and the server and that by inspecting encrypted traffic metadata and combining this with machine learning and behavioural analytics, it is possible to detect signs of attacks and malware or abnormality on encrypted traffic, without the need for decryption, with very high accuracy, in real time, and with limited impact on network performance.
This is an exciting new way to improve cybersecurity and protect against the rapidly growing threat of malware hidden in encrypted traffic and goes a way to fulfilling the UK Government’s objective to become a Cyber Power with the most secure online access.
If you would like to join our community and read more articles like this then please click here.
The post How AI can combat the rising threat of encrypted malware appeared first on Defence Online.