Encryptionvs.Visibility:WhySecOps 

MustDecryptTrafficforAnalysis   

Abstract  Researchshowsthatenterprisesareincreasinglyencryptingtrafficinsidecorporate networks(theEast-Westcorridor),onthepublicinternet,andintheNorth-Southchannel betweenthem.Studiesalsoindicatethatattackersareintentionallyusingencryptedtraffic tohidetheirmaliciousactsmorethaneverbefore.    Inthispaper,you'lllearnaboutseveraloptionsforretainingtheneededvisibilitytodetect andrespondtothreatsinencryptedtraffic.You'llalsolearnhowExtraHopReveal(x) decryptscriticaltrafficinrealtime,outofband,withnoperformancepenalty,toenable SecOpstoseeandfightthreatsthatarehidingintheencrypteddarkspace.  

  

TableofContents 

WhyEnterpriseSOCsareRapidlyEnablingStrongEncryption 

DarkSpace:WhyDecryptionIsNecessaryforSecOpsSuccess 

TheEvolutionofCiphersandStandards:TLS1.3andDefaultPFS 

HowToDecryptTraffic:ATaleOfTwoMethods 

HowExtraHopReveal(x)Out-of-BandDecryptionWorks 

DataAcquisition 

TakingAdvantageofDecryptionWhileStillProtectingSensitiveData 

UsingandProtectingYourPrivateKeysinTLS1.3 

AccessingCriticalDatawithNeed-To-KnowDecryption 

DivingDeepwithWireShark 

HowHackersHideTheirTracksWithEncryption 

IsDecryptionNecessaryforDetectionandInvestigation? 

WhataboutTLSFingerprinting?Don'tJA3SignaturesWork? 

Whatis"EncryptedTrafficAnalysis"andDoesItWork? 

 

WhyEnterprisesAreRapidlyEnablingStrongEncryption 

Inthepast,andeventoday,manyenterprisesneglectedtoencryptthetraffictraversingthe 

east-westcorridorinsidetheirnetwork.Encryptingdatatakeswork,introducescomplexityandcost, 

andreducesthevisibilitythatsecurityoperationsteamshaveintotheirbusiness'scriticalsystems 

anddata.SecOpsteamsneedthisvisibilitytodotheirjobs,andforthisreasonmayfeelconflicted 

aboutencryptingdatainflightinsidethenetwork.  

 

However,asgeneralconcernsaboutdataprivacygrowandnewregulationsliketheEU'sGeneral 

DataProtectionRegulation(GDPR)havecomeintoeffect,theadoptionofin-flightdataencryption 

onthewebandinsidetheenterprisehasincreased.  

 

Today,themajorityofwebtrafficisencrypted,atrenddrivenbymajorwebtechnologyproviders. 

TheGoogleTransparencyReportsaysthat91%ofwebtraffictoGoogleintheUnitedStatesis 

encrypted,withsimilarlyhighpercentagesofencryptedrequestsfrommanyothercountries 

worldwide.   

 

1 

  

Datacentertrafficisalsoincreasinglyencryptedasorganizationsrespondtoregulatoryand 

customerrequirements,andmoreandmoretechnologyvendorsturnencryptiononbydefault.A 

2018Ponemonstudyfoundthatthenumberofbusinessesapplyingencryptionacrosstheir 

enterprisenetworkshasincreasedsteadilysince2005acrossallindustrysectors,from15%in2005 

to43%in2018.A2019surveyreportissuedbyEnterpriseManagementAssociates(EMA) 

indicatedthat59%ofverylargeenterprisesalreadyhadTLS1.3encryptionenabled,74%of 

respondentshadeitheralreadystartedenablingTLS1.3encryptiononinternalconnectionsorwere 

planningtowithinsixmonths.  

 

Furthermore,perfectforwardsecrecyhasbeenavailableinTLS1.2foryears,andmanyenterprises 

havealreadyenabledit.EvenifTLS1.3adoptionisslow,perfectforwardsecrecycreatesareal 

visibilitychallengeforsecurityteamstoday.  

DarkSpace:WhyDecryptionIsNecessaryforSecOpsSuccess 

Encryptionisontherise,andit’sagoodthingforprivacy.Butit’salsoaboontohackers.Encryption, 

bothinsidecorporatenetworksandonthepublicinternet,createsdarkspaceandblindspotsthat 

attackersusetohidetheiractivitiesfromsecurityteams. 

 

Cybercriminalshavetakenthecueandareincreasinglyhidingtheirmaliciousactivitiesinside 

encryptedtraffic.The2018AnnualCybersecurityReportfromCiscoshowedthat70%ofthe 

malwarebinariestheysampledtookadvantageofencryptednetworktrafficinsomemanner.The 

Symantec2017InternetSecurityThreatReportfounda60%increaseinmalwarethatspecifically 

usedSSLtoencryptitsowncommunications.Furthermore,attackersarelearningto"liveoffthe 

land"byusingexistingsystemsandtechnologyinsidetheirtargetnetworkstomovelaterallyand 

escalateprivileges.Encryptionisvitalforsecurityandprivacy,butitcanbeadouble-edgedsword 

whenattackersareabletohidetheirmaliciousactionsinlegitimate-seemingencryptedtrafficusing 

approvedcapabilitiesintheirtargetnetworks. 

 

Forallthesereasons,visibilityintoencryptedcommunicationsisessentialfordetectingmalicious 

accesspatternstodatabases,storage,andAPIs,aswellasinternalauthenticationactivityassociated 

withlateralmovement,datastaging,andprivilegeescalation.Analyzingthedecryptedcontentsof 

transactionsacrossthenetworkallowsforfasteridentificationandremediationofthreatsbeforea headline-makingdatabreachhappens.Ontheotherhand,decryptingtrafficindiscriminatelycan 

introducetheriskofhavingsensitivedataincleartext,easierforhackerstosteal,andmayviolate 

regulationsforbusinessesthathandlePCIorHIPAAregulateddata,orbusinessessubjecttoGDPR.  

TheEvolutionofCiphersandStandards:PerfectForwardSecrecy &TLS1.3 

Notonlyisencryptiongrowingmoreprevalent,butencryptionitselfischanginginwaysthat 

introducechallengesforvisibility.InMarchof2018,IETFratifiedTLS1.3asthenewstandard 

2 

  

encryptionprotocolfornetworkcommunications.Themostimpactfulaspectofthisupdateisthe 

requirementofPerfectForwardSecrecy(PFS).PreviousversionsofTLSallowedtheuseofthenow 

deprecatedRSAciphersforkeyexchange,andallowedserversandclientstouselong-termprivate 

keysfromwhichindividualsessionkeyscouldbederived.Thismeantthatiftheprivatekeyfora 

serverorclientwascompromisedatanypoint,allofthatdevice'scommunicationsovertheperiodof 

timethekeywasinusewouldbevulnerabletomaliciousactors.PFS,usingEllipticCurve 

Diffie-HellmanEncryption,createsanephemeralsessionkey,or"secret,"foreachconversation.The 

ephemeralsecretisonlyusedforthatconversation,andcannotbederivedfromtheprivatekeyof 

eithertheserverortheclient.Evenifanattackercompromisedasessionsecret,itwouldonly 

decryptthatsession.Othersessionswiththesameserverwouldstillbesecure.Forhackerstryingto 

steallargedatabasesofintellectualpropertyormillionsofcreditcardnumbers,thispresentsa 

significantchallenge. 

 

Unfortunately,thesamechallengeispresentedtoSecOpsteamswhoneedvisibilityintotheirtraffic 

inordertodetectandinvestigatethreats.ThischallengeisnotlimitedonlytoTLS1.3.Any 

environmentwithperfectforwardsecrecyenabled,regardlessofTLSversion,willpotentially 

experiencethislossofvisibility. 

HowToDecryptTrafficforAnalysis:ATaleOfTwoMethods 

Therearetwomodelsforaccessinganddecryptingdataforsecurityanalytics: 

 

1. Interception/Man-in-the-middle 

2. Out-of-bandmonitoringanddecryption 

3 

  

 

Theinterception,orman-in-the-middle(MitM),modelrequiresplacingadevicein-lineonthe 

networksothatallmessagespassingacrossthenetworkarecapturedbytheMitMdevice, 

decrypted,analyzed,thenre-encryptedandsentalongtotheirfinaldestination.Thoughthismodelis 

widelyused,recentresearchhasshownthatitintroducesmoresecurityrisksthanitsolves.Because 

MitMdevicesdecryptdatain-line,theyhavetoatleasttemporarilystorecleartextdata,makingthem 

ajuicytargetforhackers.Researchalsoshowsthatupto60%ofMitMsolutionsincreaseriskby 

re-encryptingmessagesusingaweakerciphersuitethantheoriginalmessagehadused.Additionally, 

MitMsolutionsinherentlyintroducenetworklatency,andnonearearchitectedtoperformwellatthe 

scaleandthroughputlevelsrequiredbytoday'senterprisenetworks. 

 

Therefore,theout-of-bandmonitoringanddecryptionmethodispreferableforSecOpsteams 

monitoringinternal(East-West)trafficforhiddenthreats.Out-of-bandsolutionsacquireacopyof 

networktrafficfromanetworktaporportmirror.Sincethey'renotpreventingtheoriginal 

communicationsfromgoingthrough,theydonotintroduceanynetworklatency,nordotheyneedto 

re-encryptthecommunications,whicheliminatestheriskofusinglower-qualityencryption 

algorithms.  

HowExtraHopReveal(x)Out-of-BandDecryptionWorks 

ExtraHopReveal(x)isanout-of-bandsolutionthatconductsalldecryptionandanalytics"onbox."This 

meansitneverneedstosendanycleartextdataacrossthenetworknorre-encryptanymessages. 

ThisapproachmeansthatReveal(x)introducesnorisktothetrafficitmonitors,unlikeMitM 

solutions. 

DataAcquisition 

Forhardware-basedout-of-bandsolutions,acquiringdataviaanetworktaporportmirrorisafairly 

straightforwardprocess.Reveal(x)appliancescaningest,decrypt,andanalyzeupto100Gbpsof 

trafficinrealtime.Incloudenvironments,Reveal(x)useseitherMicrosoftAzurevTAPorAmazon 

VPCTrafficMirroringtoacquirethepackets. 

TakingAdvantageofDecryptionWhileStillProtectingSensitiveData 

Reveal(x)isdesignedtoprovideuserswithdeep,meaningfulnetworktrafficanalysiswhileprotecting 

theprivacyofsensitivedata,personalidentifiers,ordataregulatedbyvariousindustrystandards 

suchasHIPAA,PCI,SOX,GDPR,andothers.Customerschooseexactlywhichtraffictosendto 

Reveal(x)foranalyticssotheycanavoidanalyzingsensitiveorregulateddata.However,itisnot 

necessarytocompletelyignoresensitivetrafficthiswaybecauseReveal(x),bydefault,doesnot 

exposedatathatisinscopefortheabove-listedregulations.Theplatformprovidescustomizable 

controlsfordataaccessusingApplicationInspectionTriggersandRoleBasedAccessControls 

(RBAC),soSecOpsteamscangetthevisibilitytheyneedwhilestayingfullycompliant.  

4 

  

UsingandProtectingYourPrivateKeysinTLS1.3 

Reveal(x)accessestheephemeralsessionsecretsforeachconversationwithalightweight 

secret-sharingagentinstalledoneachserverwhosecommunicationsneedtobedecrypted.  

 

TheagentsecurelytransmitssessionsecretsfromeachserveracrossaPFSencryptedchanneltothe 

Reveal(x)appliance,wheretheyaresecurelystoredandonlyaccessibletouserswiththehighest 

levelofadministrativeprivilege.  

 

 

AnImportantNoteonRSAKeyExchange ItshouldbenotedthatasofTLS1.3,RSAkeyexchangeisdeprecated.Reveal(x)stillallowsusersto 

uploadRSAkeys,becausemanyenterprisesystemsstilluseearlierversionsofSSL/TLS.Thisis 

consideredaninsecurepractice,andwerecommendeliminatinguseofRSAandadoptingTLS1.3. 

AccessingCriticalDatawith Need-To-KnowDecryption 

Normally,youcangetalltheinformationyou 

needforincidentinvestigationandresponse 

fromthemetricsprovidedbyReveal(x)without 

needinganypersontolayeyesonunencrypted 

data.However,sometimesseeingthepackets 

themselvesistheonlywaytoproveexactlywhat 

happened.Whetheryou'reprovingtoa 

third-partyvendorthattheiractionconstituted 

anSLAviolationorprovidingevidenceof 

5 

  

regulatorycompliance,sometimesyouneedaccesstocleartextpackets. 

 

Reveal(x)isabletoprovidehighlygranular,role-basedaccesstothedecryptionkeysforspecific 

sessions.We'vecoveredhowthedataandPFSsessionkeysareacquiredinearliersections.Here's 

whattheexperienceislikeforindividualusers: 

 

Reveal(x)usersmaybeassignedoneofthreelevelsofaccess:  

1. NoAccess 

2. AccesstoPacketsOnly 

3. AccesstoPacketsandSecrets  

Userswithaccesstopacketsandsecretswillseeanew"DownloadSessionKeys"buttonwhen 

lookingatpacketsinReveal(x).Thiswillenablethoseuserstodownloadtheasymmetrickeyto 

decryptthepacketstransmittedbetweenthespecificclients,duringthespecifictimewindowoftheir 

search.Thenatureofasymmetrickeyencryptionmeansthatthekeysaccessiblebyhighly-privileged 

Reveal(x)userscanonlydecrypttheexactpacketstheuserselects.Eveniftheasymmetrickeywas 

compromised,itcouldnotbeusedonanythingbeyondthatnarrowrangeofpackets.  

DivingDeepwithWireShark 

WhileReveal(x)usesitsdecryptioncapabilitiestoprovidetherichestdataforreal-timeanalysisand 

metrics,andtoprovidedataformachinelearningbehavioraldetection,theproductdoesnotprovide 

thecapability,on-appliance,tomanuallyexamineindividualpacketsthathavebeendecryptedusing 

PFSsessionkeys.Todecryptandexaminedownloadedpackets,userswiththehighestlevelof 

privilegeneedtodownloadthesessionkeysandtherelevantPCAPfilesanduseWiresharktoopen 

andexaminethem.  

HowHackersHideTheirTracksWithEncryption 

Thevisibilitychallengesforsecurityoperationsteamswillonlygrowmorepressingashackersget 

betteratusingencryptedchannelsinsidetargetnetworkstoconcealtheirreconnaissance,privilege 

escalation,datastaging,andlateralmovementactivities.BydecryptingallTLStrafficbetweencritical 

assetsinsidethenetwork,SecOpsteamscanmoreeasilydistinguishnormal,benignTLS 

communicationsfromthosebeingusedbybadactorstoconcealrecon,lateralmovement, 

unauthorizeddatabaseaccessandauthenticationtransactions,andmore. 

 

Attackersoftentakeadvantageoftheencryptionalreadyinplaceinsidethetargetnetwork.For 

example,ifanattackerhascompromisedaninternalclient,andisusingthatmachinetoattempttolog 

intoasensitivedatabase,thosecommunicationsarelikelyalreadyencrypted.Ananalyticstool 

withoutdecryptioncapabilitieswouldseethatsomecommunicationhadhappenedbetweenthe compromisedmachineandthedatabase,butnotmuchelse.AnanalyticstoolwithL7visibilityand 

PFSdecryptionwouldbeabletoseethatthecompromisedmachinewasrepeatedlytryingandfailing 

tologintothesensitivedatabase—orworse,thattheysuccessfullyloggedin,retrievedsensitivedata, 

6 

  

andthendroppedtheaudittabletoerasetheirtracks.Theaddedcontextanddetailofferedbyboth 

L7visibilityanddecryptioncanmakeamaterialdifferenceintheSecOpsteam'sabilitytounderstand 

thelevelofriskandreactappropriately. 

 

Athird,lesscommonscenariooccurswhenattackersactivelyencrypttheirowncommunications 

usingdifferentmethodsorprotocolsthanthosepresentonthetargetnetwork.Ifthese 

communicationsareobservedbyananalyticstoolwithoutdecryptioncapability,theymayappearas 

benignnetworktraffic.However,iftheSecOpsteamisdecryptingalloftheirothernetworktraffic, andtheyencounteraconversationthatcan'tbedecrypted,thatprovidesastrong,immediatesignal 

thatthetrafficismaliciousandshouldbeinvestigated. 

IsDecryptionNecessaryforDetectionandInvestigation? 

 

Manyvendorsofmonitoringandanalyticsproductsmaketheclaimthatitisunnecessarytodecrypt 

trafficforanalysis.TheybelieveSecOpsteamscangetenoughinformationoutoflimiteddatasuchas 

NetFlowandloganalytics,orbyanalyzingthestill-encryptedtraffic.Forthereasonslistedinthis 

brief,theyarewrong.Decryptingandanalyzingpacketsallthewaydowntotheapplication 

transactionpayloadatLayer7frequentlyprovidesalevelofdefinitiveinsightthatallowsSOC 

analyststoprioritizetheiractionsandrespondconfidentlybeforedamageisdone,inawaythat 

simplyisn'tpossiblewithencrypteddatalimitedtoL4flowcommunications.  

WhataboutTLSFingerprinting?Don'tJA3SignaturesWork? 

Yes!Infact,welovefingerprintingmethodsandwewerethrilledtobuildsupportforJA3andJA3S 

intoReveal(x).  

 

TLSfingerprintingabsolutelyhasaplaceintheSecOpstoolbox.JA3signaturesareagreatwaytotell 

whennewapplicationsshowuponyournetwork,andeventellwhenanovelapplicationstarts 

communicatingwithanewendpoint.ThecombinationofJA3andJA3Sisparticularlygoodfor 

detectingstealthycommand&controltraffic.Thisapproachofanalyzingencryptedtrafficcan 

provideavaluablepuzzlepiece,butnotacompletepicture.Reveal(x)supportsJA3andJA3S 

fingerprintsforallTLStraffic,andalsoprovidesreal-timeTLSdecryptionforcriticalassets,even 

whenperfectforwardsecrecy(PFS)isused,allowingcompletevisibilityandend-to-endinvestigation 

andforensicsintothreatsagainstessentialinfrastructure. 

Whatis"EncryptedTrafficAnalysis"andDoesItWork? 

Thisoneisalittlemorecomplicated.Whenvendorssay"encryptedtrafficanalysis,"theyoftenmean 

thattheyareinferringmaliciousbehaviorbylookingatthesequenceofpacketlengthsandtimes 

(SPLT)inobservedtransactions.  

 

7 

  

Forexample,afteranadversarycompromisesamachineinsidethetargetnetwork,theyarelikelyto 

trytomovelaterallytofindandaccessdatabasescontainingvaluabledata.Anencryptedtraffic 

analysisvendormightseetherelateddatabasetraffic,andmightbeabletoseethatthecadenceof 

thecompromisedmachine'sinteractionswiththedatabasedoesn'tlookthesameasusual 

interactionswiththatdatabase.Thereissometruthtothisclaim,buttheapproachisakintoa 

signature-basedapproach.Attackerscanalwayschangetheirpatternsofbehaviortoavoiddetection 

throughthesemechanisms.Signature-baseddetection,whetherthesignatureisahashofaspecific 

malware,orabehavioralfingerprint,willalwaysrequireconstantupkeepbecauseadversariesadapt.  

 

Aproductthatwasdecryptingthistrafficandinspectingthepayloaditselfwouldbeabletosee 

whethertheactualmethodsbeingusedlookedmalicious.Forexample,seeingaseriesofSELECT* 

methodsfollowedbyaDROPTABLEwouldbeamuchclearersignalofmaliciousactivitythana 

changeintimingorvolumeoftransactions.Decryptingtrafficforanalysisisoftentheonlywayto 

confidentlydifferentiatelegitimateuseofaprotocolfrommalicioustunnelingbyanattackerlivingoff 

theland. 

 

ExtraHopReveal(x)istheonlynetworktrafficanalyticsproductcapableofdecryptingPFStrafficat 

linerateatsustained100Gbpsofthroughputtoprovidecompletevisibility,real-timedetection,and 

guidedinvestigationsaboutthethingsthatmattermosttotheSOC. 

LearnMoreAboutWhySecOpsNeedsDecryptiontoSucceed 

BlogSeries:UnpackingTheLoomingChallengeofEncryptionforSecOps,Parts1&2 

BlogPost:WhatisPerfectForwardSecrecy? 

Video:HowDoesExtraHopPerfectForwardSecrecyDecryptionWork? 

AlreadyACustomerandWantToGetStarted? 

HerearesomehandylinkstoExtraHopdocumentationabouthowtogetstartedwithdecryptionin 

ExtraHopReveal(x)NetworkTrafficAnalytics: 

 

AdminUIGuidetoSSLDecryption  

PerfectForwardSecrecyInstallation 

InstallingPFSForwarderonF5 

  

 

 

 

 

ThisdocumentcontainsproprietaryinformationandmaterialthatisownedbyExtraHopNetworks,Inc.,andisprotectedbyapplicable 

intellectualpropertyandotherlaws,including,butnotlimitedto,copyright.Thisdocumentisconfidentialandintendedfortheinternaluse 

ofrecipientsonly,andmaynotbecopied,distributed,orreproducedinwholeorinpartyinanyformwithouttheexpresswrittenpermission 

ofExtraHopNetworks,Inc. 

8