Encryption vs. Visibility: Why SecOps Must Decrypt Traffic for Analysis

Abstract

Research shows that enterprises are increasingly encrypting traffic inside corporate networks (the East-West corridor), on the public internet, and in the North-South channel between them. Studies also indicate that attackers are intentionally using encrypted traffic to hide their malicious acts more than ever before.

In this paper, you'll learn about several options for retaining the needed visibility to detect and respond to threats in encrypted traffic. You'll also learn how ExtraHop Reveal(x) decrypts critical traffic in real time, out of band, with no performance penalty, to enable SecOps to see and fight threats that are hiding in the encrypted dark space.


  

Table of Contents

Why Enterprise SOCs are Rapidly Enabling Strong Encryption
Dark Space: Why Decryption Is Necessary for SecOps Success
The Evolution of Ciphers and Standards: TLS 1.3 and Default PFS
How To Decrypt Traffic: A Tale Of Two Methods
How ExtraHop Reveal(x) Out-of-Band Decryption Works
Data Acquisition
Taking Advantage of Decryption While Still Protecting Sensitive Data
Using and Protecting Your Private Keys in TLS 1.3
Accessing Critical Data with Need-To-Know Decryption
Diving Deep with WireShark
How Hackers Hide Their Tracks With Encryption
Is Decryption Necessary for Detection and Investigation?
What about TLS Fingerprinting? Don't JA3 Signatures Work?
What is "Encrypted Traffic Analysis" and Does It Work?

 

Why Enterprises Are Rapidly Enabling Strong Encryption

In the past, and even today, many enterprises neglected to encrypt the traffic traversing the east-west corridor inside their network. Encrypting data takes work, introduces complexity and cost, and reduces the visibility that security operations teams have into their business's critical systems and data. SecOps teams need this visibility to do their jobs, and for this reason may feel conflicted about encrypting data in flight inside the network.

However, as general concerns about data privacy grow and new regulations like the EU's General Data Protection Regulation (GDPR) have come into effect, the adoption of in-flight data encryption on the web and inside the enterprise has increased.

Today, the majority of web traffic is encrypted, a trend driven by major web technology providers. The Google Transparency Report says that 91% of web traffic to Google in the United States is encrypted, with similarly high percentages of encrypted requests from many other countries worldwide.

 


  

Datacenter traffic is also increasingly encrypted as organizations respond to regulatory and customer requirements, and more and more technology vendors turn encryption on by default. A 2018 Ponemon study found that the number of businesses applying encryption across their enterprise networks has increased steadily since 2005 across all industry sectors, from 15% in 2005 to 43% in 2018. A 2019 survey report issued by Enterprise Management Associates (EMA) indicated that 59% of very large enterprises already had TLS 1.3 encryption enabled, and 74% of respondents had either already started enabling TLS 1.3 encryption on internal connections or were planning to within six months.

Furthermore, perfect forward secrecy has been available in TLS 1.2 for years, and many enterprises have already enabled it. Even if TLS 1.3 adoption is slow, perfect forward secrecy creates a real visibility challenge for security teams today.

Dark Space: Why Decryption Is Necessary for SecOps Success

Encryption is on the rise, and it's a good thing for privacy. But it's also a boon to hackers. Encryption, both inside corporate networks and on the public internet, creates dark space and blind spots that attackers use to hide their activities from security teams.

Cybercriminals have taken the cue and are increasingly hiding their malicious activities inside encrypted traffic. The 2018 Annual Cybersecurity Report from Cisco showed that 70% of the malware binaries they sampled took advantage of encrypted network traffic in some manner. The Symantec 2017 Internet Security Threat Report found a 60% increase in malware that specifically used SSL to encrypt its own communications. Furthermore, attackers are learning to "live off the land" by using existing systems and technology inside their target networks to move laterally and escalate privileges. Encryption is vital for security and privacy, but it can be a double-edged sword when attackers are able to hide their malicious actions in legitimate-seeming encrypted traffic using approved capabilities in their target networks.

For all these reasons, visibility into encrypted communications is essential for detecting malicious access patterns to databases, storage, and APIs, as well as internal authentication activity associated with lateral movement, data staging, and privilege escalation. Analyzing the decrypted contents of transactions across the network allows for faster identification and remediation of threats before a headline-making data breach happens. On the other hand, decrypting traffic indiscriminately can introduce the risk of having sensitive data in cleartext, easier for hackers to steal, and may violate regulations for businesses that handle PCI or HIPAA regulated data, or businesses subject to GDPR.

The Evolution of Ciphers and Standards: Perfect Forward Secrecy & TLS 1.3

Not only is encryption growing more prevalent, but encryption itself is changing in ways that introduce challenges for visibility. In March of 2018, IETF ratified TLS 1.3 as the new standard encryption protocol for network communications. The most impactful aspect of this update is the requirement of Perfect Forward Secrecy (PFS). Previous versions of TLS allowed the use of the now deprecated RSA ciphers for key exchange, and allowed servers and clients to use long-term private keys from which individual session keys could be derived. This meant that if the private key for a server or client was compromised at any point, all of that device's communications over the period of time the key was in use would be vulnerable to malicious actors. PFS, using Elliptic Curve Diffie-Hellman Encryption, creates an ephemeral session key, or "secret," for each conversation. The ephemeral secret is only used for that conversation, and cannot be derived from the private key of either the server or the client. Even if an attacker compromised a session secret, it would only decrypt that session. Other sessions with the same server would still be secure. For hackers trying to steal large databases of intellectual property or millions of credit card numbers, this presents a significant challenge.

Unfortunately, the same challenge is presented to SecOps teams who need visibility into their traffic in order to detect and investigate threats. This challenge is not limited only to TLS 1.3. Any environment with perfect forward secrecy enabled, regardless of TLS version, will potentially experience this loss of visibility.

How To Decrypt Traffic for Analysis: A Tale Of Two Methods

There are two models for accessing and decrypting data for security analytics:

1. Interception/Man-in-the-middle
2. Out-of-band monitoring and decryption


  

 

The interception, or man-in-the-middle (MitM), model requires placing a device in-line on the network so that all messages passing across the network are captured by the MitM device, decrypted, analyzed, then re-encrypted and sent along to their final destination. Though this model is widely used, recent research has shown that it introduces more security risks than it solves. Because MitM devices decrypt data in-line, they have to at least temporarily store cleartext data, making them a juicy target for hackers. Research also shows that up to 60% of MitM solutions increase risk by re-encrypting messages using a weaker cipher suite than the original message had used. Additionally, MitM solutions inherently introduce network latency, and none are architected to perform well at the scale and throughput levels required by today's enterprise networks.

Therefore, the out-of-band monitoring and decryption method is preferable for SecOps teams monitoring internal (East-West) traffic for hidden threats. Out-of-band solutions acquire a copy of network traffic from a network tap or port mirror. Since they're not preventing the original communications from going through, they do not introduce any network latency, nor do they need to re-encrypt the communications, which eliminates the risk of using lower-quality encryption algorithms.

How ExtraHop Reveal(x) Out-of-Band Decryption Works

ExtraHop Reveal(x) is an out-of-band solution that conducts all decryption and analytics "on box." This means it never needs to send any cleartext data across the network nor re-encrypt any messages. This approach means that Reveal(x) introduces no risk to the traffic it monitors, unlike MitM solutions.

Data Acquisition

For hardware-based out-of-band solutions, acquiring data via a network tap or port mirror is a fairly straightforward process. Reveal(x) appliances can ingest, decrypt, and analyze up to 100 Gbps of traffic in real time. In cloud environments, Reveal(x) uses either Microsoft Azure vTAP or Amazon VPC Traffic Mirroring to acquire the packets.

Taking Advantage of Decryption While Still Protecting Sensitive Data

Reveal(x) is designed to provide users with deep, meaningful network traffic analysis while protecting the privacy of sensitive data, personal identifiers, or data regulated by various industry standards such as HIPAA, PCI, SOX, GDPR, and others. Customers choose exactly which traffic to send to Reveal(x) for analytics so they can avoid analyzing sensitive or regulated data. However, it is not necessary to completely ignore sensitive traffic this way because Reveal(x), by default, does not expose data that is in scope for the above-listed regulations. The platform provides customizable controls for data access using Application Inspection Triggers and Role Based Access Controls (RBAC), so SecOps teams can get the visibility they need while staying fully compliant.


  

Using and Protecting Your Private Keys in TLS 1.3

Reveal(x) accesses the ephemeral session secrets for each conversation with a lightweight secret-sharing agent installed on each server whose communications need to be decrypted.

The agent securely transmits session secrets from each server across a PFS encrypted channel to the Reveal(x) appliance, where they are securely stored and only accessible to users with the highest level of administrative privilege.

An Important Note on RSA Key Exchange

It should be noted that as of TLS 1.3, RSA key exchange is deprecated. Reveal(x) still allows users to upload RSA keys, because many enterprise systems still use earlier versions of SSL/TLS. This is considered an insecure practice, and we recommend eliminating use of RSA and adopting TLS 1.3.

Accessing Critical Data with Need-To-Know Decryption

Normally, you can get all the information you need for incident investigation and response from the metrics provided by Reveal(x) without needing any person to lay eyes on unencrypted data. However, sometimes seeing the packets themselves is the only way to prove exactly what happened. Whether you're proving to a third-party vendor that their action constituted an SLA violation or providing evidence of regulatory compliance, sometimes you need access to cleartext packets.

Reveal(x) is able to provide highly granular, role-based access to the decryption keys for specific sessions. We've covered how the data and PFS session keys are acquired in earlier sections. Here's what the experience is like for individual users:

Reveal(x) users may be assigned one of three levels of access:

1. No Access
2. Access to Packets Only
3. Access to Packets and Secrets

Users with access to packets and secrets will see a new "Download Session Keys" button when looking at packets in Reveal(x). This will enable those users to download the asymmetric key to decrypt the packets transmitted between the specific clients, during the specific time window of their search. The nature of asymmetric key encryption means that the keys accessible by highly-privileged Reveal(x) users can only decrypt the exact packets the user selects. Even if the asymmetric key was compromised, it could not be used on anything beyond that narrow range of packets.

Diving Deep with WireShark

While Reveal(x) uses its decryption capabilities to provide the richest data for real-time analysis and metrics, and to provide data for machine learning behavioral detection, the product does not provide the capability, on-appliance, to manually examine individual packets that have been decrypted using PFS session keys. To decrypt and examine downloaded packets, users with the highest level of privilege need to download the session keys and the relevant PCAP files and use Wireshark to open and examine them.
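The need-to-know model described above hands an analyst only the secrets for the sessions they selected. The Python below is an added example (not ExtraHop's code) of what such a scoped export looks like in the NSS key-log format that Wireshark reads: it groups a key log by client random, keeps only the sessions whose ClientHello the analyst picked, and flags sessions whose secrets are incomplete, since a TLS 1.3 session needs both directions' traffic secrets. The key-log contents, secrets and ClientHello bytes are constructed for the demo.

```python
import re

# NSS key-log labels that Wireshark reads. A TLS 1.3 session needs all four traffic
# secrets to decrypt both directions; a TLS 1.2 session is a single CLIENT_RANDOM line.
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS12_LABEL = "CLIENT_RANDOM"
KEY_LOG_LINE = re.compile(r"(\w+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)")

def client_random_of(record):
    """Hex client random of a raw ClientHello record: the 32 bytes after the 5-byte
    record header, 4-byte handshake header and 2-byte legacy version."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return record[11:43].hex()

def parse_key_log(text):
    """Group key-log lines by client random: {client_random_hex: {label: secret_hex}}."""
    sessions = {}
    for line in text.splitlines():
        m = KEY_LOG_LINE.fullmatch(line.strip())
        if m:                                    # comments and malformed lines are ignored
            label, rnd, secret = m.groups()
            sessions.setdefault(rnd.lower(), {})[label] = secret.lower()
    return sessions

def session_is_decryptable(labels):
    """True when the secrets on hand suffice to decrypt the whole session."""
    labels = set(labels)
    return TLS12_LABEL in labels or TLS13_LABELS <= labels

def scope_key_log(text, selected_randoms):
    """Return (scoped key-log text, randoms with incomplete secrets) covering only the
    selected sessions; every other session's secrets are left out of the export."""
    sessions = parse_key_log(text)
    out, incomplete = [], []
    for rnd in sorted({r.lower() for r in selected_randoms}):
        labels = sessions.get(rnd, {})
        if not session_is_decryptable(labels):
            incomplete.append(rnd)
        out.extend(f"{label} {rnd} {secret}" for label, secret in sorted(labels.items()))
    return "".join(line + "\n" for line in out), incomplete

# Constructed sample key log (not real secrets): "aa..." is a complete TLS 1.3 session,
# "bb..." is a TLS 1.2 session, "cc..." is a TLS 1.3 session missing one traffic secret.
SAMPLE_KEY_LOG = "# constructed for the demo\n" + "".join(
    [f"{lbl} {'aa' * 32} {'01' * 48}\n" for lbl in sorted(TLS13_LABELS)]
    + [f"CLIENT_RANDOM {'bb' * 32} {'02' * 48}\n"]
    + [f"{lbl} {'cc' * 32} {'03' * 48}\n" for lbl in sorted(TLS13_LABELS - {"SERVER_TRAFFIC_SECRET_0"})])

# A truncated ClientHello record is enough to recover the client random the analyst selected.
SELECTED_HELLO = b"\x16\x03\x01\x00\x00\x01\x00\x00\x00\x03\x03" + b"\xaa" * 32
```

Feeding the scoped text to Wireshark as its TLS key log file decrypts the selected session only; the incomplete list tells the analyst which selected sessions still cannot be fully decrypted.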

How Hackers Hide Their Tracks With Encryption

The visibility challenges for security operations teams will only grow more pressing as hackers get better at using encrypted channels inside target networks to conceal their reconnaissance, privilege escalation, data staging, and lateral movement activities. By decrypting all TLS traffic between critical assets inside the network, SecOps teams can more easily distinguish normal, benign TLS communications from those being used by bad actors to conceal recon, lateral movement, unauthorized database access and authentication transactions, and more.

Attackers often take advantage of the encryption already in place inside the target network. For example, if an attacker has compromised an internal client, and is using that machine to attempt to log into a sensitive database, those communications are likely already encrypted. An analytics tool without decryption capabilities would see that some communication had happened between the compromised machine and the database, but not much else. An analytics tool with L7 visibility and PFS decryption would be able to see that the compromised machine was repeatedly trying and failing to log into the sensitive database—or worse, that they successfully logged in, retrieved sensitive data, and then dropped the audit table to erase their tracks. The added context and detail offered by both L7 visibility and decryption can make a material difference in the SecOps team's ability to understand the level of risk and react appropriately.

A third, less common scenario occurs when attackers actively encrypt their own communications using different methods or protocols than those present on the target network. If these communications are observed by an analytics tool without decryption capability, they may appear as benign network traffic. However, if the SecOps team is decrypting all of their other network traffic, and they encounter a conversation that can't be decrypted, that provides a strong, immediate signal that the traffic is malicious and should be investigated.

Is Decryption Necessary for Detection and Investigation?

Many vendors of monitoring and analytics products make the claim that it is unnecessary to decrypt traffic for analysis. They believe SecOps teams can get enough information out of limited data such as NetFlow and log analytics, or by analyzing the still-encrypted traffic. For the reasons listed in this brief, they are wrong. Decrypting and analyzing packets all the way down to the application transaction payload at Layer 7 frequently provides a level of definitive insight that allows SOC analysts to prioritize their actions and respond confidently before damage is done, in a way that simply isn't possible with encrypted data limited to L4 flow communications.

What about TLS Fingerprinting? Don't JA3 Signatures Work?

Yes! In fact, we love fingerprinting methods and we were thrilled to build support for JA3 and JA3S into Reveal(x).

TLS fingerprinting absolutely has a place in the SecOps toolbox. JA3 signatures are a great way to tell when new applications show up on your network, and even tell when a novel application starts communicating with a new endpoint. The combination of JA3 and JA3S is particularly good for detecting stealthy command & control traffic. This approach of analyzing encrypted traffic can provide a valuable puzzle piece, but not a complete picture. Reveal(x) supports JA3 and JA3S fingerprints for all TLS traffic, and also provides real-time TLS decryption for critical assets, even when perfect forward secrecy (PFS) is used, allowing complete visibility and end-to-end investigation and forensics into threats against essential infrastructure.
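To show concretely what a JA3 signature captures without any decryption, here is an added example (not the Reveal(x) implementation): a parser that pulls the five JA3 fields from a raw ClientHello record and builds the fingerprint string and its MD5, dropping GREASE values as JA3 does. The ClientHello bytes are constructed in the block with illustrative cipher and group values; the `build_client_hello` helper exists only to make the demo self-contained.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised per connection, so JA3 drops them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(client_random, ciphers, groups, point_formats):
    """Constructed TLS ClientHello record for the demo (illustrative values, not a capture)."""
    ciphers_b = b"".join(struct.pack("!H", c) for c in ciphers)
    groups_b = b"".join(struct.pack("!H", g) for g in groups)
    exts = (_ext(0, b"\x00\x0c\x00\x00\x09localhost")                       # server_name
            + _ext(10, struct.pack("!H", len(groups_b)) + groups_b)          # supported_groups
            + _ext(11, bytes([len(point_formats)]) + bytes(point_formats))  # ec_point_formats
            + _ext(43, b"\x02\x03\x04"))                                     # supported_versions: 1.3
    body = (b"\x03\x03" + client_random + b"\x00"                   # legacy version, random, no session id
            + struct.pack("!H", len(ciphers_b)) + ciphers_b
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_random, ja3_string) parsed from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")

    def u16(i):
        return struct.unpack("!H", record[i:i + 2])[0]

    p = 9                                          # past 5-byte record + 4-byte handshake headers
    version, client_random, p = u16(p), record[p + 2:p + 34], p + 34
    p += 1 + record[p]                             # skip session id
    cs_len = u16(p); p += 2
    ciphers = [u16(i) for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + record[p]                             # skip compression methods
    end = p + 2 + u16(p); p += 2
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = u16(p), u16(p + 2); p += 4
        data = record[p:p + elen]; p += elen
        ext_types.append(etype)
        if etype == 10:        # supported_groups: 2-byte list length, then 2-byte group ids
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, len(data), 2)]
        elif etype == 11:      # ec_point_formats: 1-byte length, then 1-byte format ids
            formats = list(data[1:])

    def fmt(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(groups), fmt(formats)])
    return client_random, ja3

def ja3_hash(ja3_string):
    return hashlib.md5(ja3_string.encode()).hexdigest()   # the 32-hex-char JA3 fingerprint
```

Note that the client random is not part of the JA3 string: two sessions from the same client software share a fingerprint, which is why JA3 spots new applications and new endpoints but says nothing about what a session carried.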

What is "Encrypted Traffic Analysis" and Does It Work?

This one is a little more complicated. When vendors say "encrypted traffic analysis," they often mean that they are inferring malicious behavior by looking at the sequence of packet lengths and times (SPLT) in observed transactions.

 


  

For example, after an adversary compromises a machine inside the target network, they are likely to try to move laterally to find and access databases containing valuable data. An encrypted traffic analysis vendor might see the related database traffic, and might be able to see that the cadence of the compromised machine's interactions with the database doesn't look the same as usual interactions with that database. There is some truth to this claim, but the approach is akin to a signature-based approach. Attackers can always change their patterns of behavior to avoid detection through these mechanisms. Signature-based detection, whether the signature is a hash of a specific malware, or a behavioral fingerprint, will always require constant upkeep because adversaries adapt.

A product that was decrypting this traffic and inspecting the payload itself would be able to see whether the actual methods being used looked malicious. For example, seeing a series of SELECT * methods followed by a DROP TABLE would be a much clearer signal of malicious activity than a change in timing or volume of transactions. Decrypting traffic for analysis is often the only way to confidently differentiate legitimate use of a protocol from malicious tunneling by an attacker living off the land.

ExtraHop Reveal(x) is the only network traffic analytics product capable of decrypting PFS traffic at line rate at sustained 100 Gbps of throughput to provide complete visibility, real-time detection, and guided investigations about the things that matter most to the SOC.

Learn More About Why SecOps Needs Decryption to Succeed

Blog Series: Unpacking The Looming Challenge of Encryption for SecOps, Parts 1 & 2
Blog Post: What is Perfect Forward Secrecy?
Video: How Does ExtraHop Perfect Forward Secrecy Decryption Work?

Already A Customer and Want To Get Started?

Here are some handy links to ExtraHop documentation about how to get started with decryption in ExtraHop Reveal(x) Network Traffic Analytics:

Admin UI Guide to SSL Decryption
Perfect Forward Secrecy Installation
Installing PFS Forwarder on F5

  

 

 

 

 

This document contains proprietary information and material that is owned by ExtraHop Networks, Inc., and is protected by applicable intellectual property and other laws, including, but not limited to, copyright. This document is confidential and intended for the internal use of recipients only, and may not be copied, distributed, or reproduced in whole or in part in any form without the express written permission of ExtraHop Networks, Inc.