THREATS ARE HIDING IN ENCRYPTED TRAFFIC ON YOUR NETWORK
Manoj Sharma, Technical Director, Symantec Corp
Mark Sanders, Lead Security Architect, Venafi
WHAT YOU WILL LEARN
- Why encryption and digital certificates are helping our adversaries
- How to architect for today's and tomorrow's SSL/TLS threatscape
- What you need to successfully run your operations
- What's your 90 day action plan
SSL/TLS THREATS UPDATE
PROBLEM: ΣΚΌΤΟΣ = SCOTOMA = BLIND SPOT
50-75% AND CLIMBING of enterprise network traffic is encrypted with SSL/TLS today
LESS THAN 20% of organizations with a FW, IPS/IDS or UTM decrypt SSL/TLS traffic
Source: D'Hoinne, Jeremy and Hils, Adam. Gartner. Security Leaders Must Address Threats from Rising SSL Traffic. Gartner Doc G00258176. December 9, 2013.
50% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2017
70% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2020
ENCRYPTED TUNNELS MEAN SECURITY SYSTEMS CAN'T SEE WHAT'S COMING
TRADITIONAL SECURITY SYSTEMS CAN'T KEEP UP WITH THE PERFORMANCE NEEDED TO DECRYPT AND INSPECT SSL/TLS NETWORK TRAFFIC
BAD GUYS ARE EVADING DEFENSES

Traditional enterprise defenses: NGFW, IDS/IPS, Host AV, Traditional Web Gateway, SIEM, Email Gateway, DLP, Web Application Firewall

Threat actors: Nation States, Cybercrime, Hacktivists, Insider Threats

Traditional threats (what those defenses see)   | Advanced threats (what gets through)
Known Threats                                   | Novel Malware
Known Malware                                   | Zero-Day Threats
Known Files                                     | Targeted Attacks
Known IPs/URLs                                  | Modern HTTPS
SSL/TLS: HIDDEN DANGERS
Bad actors are using encryption for:
- Hiding malicious actions and messages
- Hiding the initial infection
- Hiding the command and control channel
- Hiding data exfiltration

2987 blacklisted SSL certificates: https://sslbl.abuse.ch/
Most recent listings are Dyre C&C, KINS C&C, Vawtrak MITM, Shylock C&C, URLzone C&C, TorrentLocker C&C, CryptoWall C&C, Upatre C&C, Spambot C&C, Retefe C&C, ZeuS MITM, etc.
* TCP Ports used by Dyre Trojan for Hidden Command & Control - Blue Coat Labs
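As an added example (not from the deck and not abuse.ch's code), the check below matches server certificates seen in TLS handshakes against an SSLBL-style feed. SSLBL keys its entries on the SHA-1 fingerprint of the DER-encoded certificate; the feed lines and the certificate bytes here are constructed stand-ins, and the CSV layout (comment lines, then listing date, SHA-1, reason) is assumed from the public sslblacklist.csv.

```python
"""Match observed TLS server certificates against an SSLBL-style blacklist.
Added example; the certificates, the feed and the connection records are
constructed stand-ins, not real data."""
import csv
import hashlib
import io

# Constructed stand-ins for DER-encoded server certificates. On a real sensor
# these are the bytes of the server's TLS Certificate message.
DYRE_C2_CERT = b"\x30\x82\x01\x00constructed-cert-dyre-c2-stand-in"
BANK_CERT = b"\x30\x82\x01\x00constructed-cert-legitimate-bank-stand-in"

def sha1_fingerprint(der):
    """SSLBL-style fingerprint: SHA-1 over the DER bytes, lower-case hex, no colons."""
    return hashlib.sha1(der).hexdigest()

def normalize_fp(fp):
    """Accept 'AB:CD:...' (openssl/browser style) or bare hex; return bare lower-case hex."""
    fp = fp.strip().replace(":", "").lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return fp

# Constructed feed in the assumed layout of sslblacklist.csv. The first entry
# is the fingerprint of the stand-in C2 certificate above.
SSLBL_CSV = (
    "# abuse.ch SSLBL sample (constructed for this example)\n"
    "# Listingdate,SHA1,Listingreason\n"
    "2015-03-03 12:00:00," + sha1_fingerprint(DYRE_C2_CERT) + ",Dyre C&C\n"
    "2015-02-11 09:30:00,0123456789abcdef0123456789abcdef01234567,Vawtrak MITM\n"
)

def load_sslbl(text):
    """Return {sha1_hex: listing_reason}, skipping comments and malformed rows."""
    blacklist = {}
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    for row in rows:
        if len(row) < 3:
            continue
        try:
            blacklist[normalize_fp(row[1])] = row[2].strip()
        except ValueError:
            continue
    return blacklist

# Constructed connection records: (client, server:port, SNI, server cert DER).
OBSERVED = [
    ("10.1.4.22", "203.0.113.10:443", "www.example-bank.test", BANK_CERT),
    ("10.1.4.22", "198.51.100.7:4443", "", DYRE_C2_CERT),   # no SNI, non-standard port
    ("10.1.9.5", "198.51.100.7:4443", "", DYRE_C2_CERT),
]

def find_blacklisted(observed, blacklist):
    """One alert per connection whose server certificate is on the list."""
    alerts = []
    for client, server, sni, der in observed:
        fp = sha1_fingerprint(der)
        if fp in blacklist:
            alerts.append({"client": client, "server": server, "sni": sni or "<none>",
                           "sha1": fp, "reason": blacklist[fp]})
    return alerts

if __name__ == "__main__":
    for a in find_blacklisted(OBSERVED, load_sslbl(SSLBL_CSV)):
        print("ALERT %(client)s -> %(server)s sni=%(sni)s %(reason)s sha1=%(sha1)s" % a)
```

Up to TLS 1.2 the server's Certificate message crosses the wire in the clear, so this match runs on a passive sensor without decrypting anything. In TLS 1.3 the certificate is encrypted, and the same check only works at a decrypting inspection point of the kind the rest of the deck describes.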
SSL/TLS: HIDDEN DANGERS
Users: are they SSL aware?
NEXT BIG HACKER MARKETPLACE WILL BE IN STOLEN CERTIFICATES
ARCHITECTING FOR SSL/TLS THREATS
ARCHITECTURE GAP ANALYSIS

                                                        Today                              Ready for Threats
Role of decryption                                      Non-existent / tactical            Strategic
Inspection points                                       Few
Performance                                             Struggling                         Wirespeed
Outbound decryption: internal trusted root CA
Inbound decryption: all keys & certs available          Few                                All available
Inbound decryption: keys & certs securely distributed   Email, flash drive, file server    Encrypted distribution, w/o people
INBOUND AND OUTBOUND TRAFFIC
Inbound SSL decryption: Internet -> web, email & portal servers (web & email servers, customer web portals)
Outbound SSL decryption: clients -> Internet (encrypted email, social networks, CRM, etc.)
Decrypted traffic from either direction feeds the same security solutions: IPS & IDS, AV, DLP, APM, SIM & SIEM, Forensics
WHAT DO YOU THINK THINGS LOOK LIKE?
[Figure: a single "Secure Communications" link]

THIS IS WHAT IT REALLY LOOKS LIKE
[Figure: SSL & SSH keys & certificates, used for secure communications, server authentication and client-side authentication, spread across many systems]
MORE KEYS, MORE CERTIFICATES, MORE ENCRYPTION
BALANCING COMPLIANCE AND DATA PRIVACY
Data privacy concerns and the risk of advanced threats lead to two requirements:
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
DIFFERENCES IN ENTERPRISE ENCRYPTION STRATEGIES BY COUNTRY
[Figure] Source: Ponemon Institute. 2016 Global Encryption Trends Study. 2016.
ARCHITECTURE FOR VISIBILITY
[Figure: client and corporate servers behind a gateway/firewall on the path to the Internet and the server; an SSL Visibility Appliance sits in that path and feeds decrypted copies of the traffic to Security Analytics, NG IPS and a Sandbox, all backed by the Global Intelligence Network. Legend: encrypted traffic vs. decrypted traffic.]
PKI ARCHITECTURE FOR INSPECTION
Inbound (static): Enterprise Root -> Intermediate -> server certificates (www, app.., v125..), all issued in advance with the servers' own keys
Outbound (generated on the fly): Enterprise Root -> SSL Decryption Intermediate -> leaf certificates minted per destination as sessions are intercepted (google.com, outlook.com, dropbox.com, ...)
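The two requirements from the compliance slide (manage what is decrypted, keep custody of the keys) and the split PKI above come together as a per-flow policy on the inspection point. What follows is an added example, not code from the deck or from any vendor's appliance: the address ranges, hostnames, URL categories and key-store names are constructed assumptions, and the "minted leaf" is a stand-in id rather than real signing.

```python
"""Per-flow decryption policy for an SSL/TLS inspection point.
Added example; address ranges, hostnames, categories and key-store names are
constructed assumptions, not from the deck."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: clients in RFC 1918 space, own servers in a DMZ range.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Inbound (static chain): the server's real private key is provisioned to the
# inspection point. Values are opaque key-store references (assumed names).
INBOUND_KEYS = {"www.example.test": "hsm:slot-www", "app.example.test": "hsm:slot-app"}

# Outbound: a URL-category lookup drives the privacy bypass. Constructed
# table; a leading "*." entry matches any subdomain.
CATEGORY = {"bank.test": "banking", "*.bank.test": "banking", "*.myhealth.test": "health",
            "google.com": "search", "outlook.com": "webmail", "dropbox.com": "file-sharing"}
BYPASS_CATEGORIES = {"banking", "health", "government"}
# Applications that pin the server certificate break under a forged leaf.
PINNED_HOSTS = {"update.vendor.test"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    sni: Optional[str]

@dataclass
class Decision:
    action: str            # "decrypt" or "bypass"
    mode: Optional[str]    # "static-key" (inbound) or "forge" (outbound)
    signer: Optional[str]  # key-store slot or minted leaf id
    reason: str

def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def direction(flow):
    """inbound = to our DMZ servers, outbound = internal client to the Internet."""
    if _in_any(flow.dst, DMZ_NETS):
        return "inbound"
    if _in_any(flow.src, INTERNAL_NETS) and not _in_any(flow.dst, INTERNAL_NETS):
        return "outbound"
    return "internal"

def category_of(host):
    if host in CATEGORY:
        return CATEGORY[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # try *.b.c, then *.c
        cat = CATEGORY.get("*." + ".".join(labels[i:]))
        if cat:
            return cat
    return None

# Leaf certs minted under "Enterprise Root -> SSL Decryption Intermediate" are
# cached so each destination is forged once. Stand-in ids, no real signing here.
_forged = {}

def forged_leaf(host):
    if host not in _forged:
        _forged[host] = "leaf:%s:serial-%04d" % (host, len(_forged) + 1)
    return _forged[host]

def decide(flow):
    host = (flow.sni or "").lower().rstrip(".")
    d = direction(flow)
    if d == "internal":
        return Decision("bypass", None, None, "east-west flow, out of scope")
    if d == "inbound":
        slot = INBOUND_KEYS.get(host)
        if slot:
            return Decision("decrypt", "static-key", slot, "inbound, server key provisioned")
        # Requirement 2: never improvise key custody. Log the gap and onboard the key.
        return Decision("bypass", None, None, "inbound, no key for %s" % (host or "<no SNI>"))
    if host in PINNED_HOSTS:
        return Decision("bypass", None, None, "certificate-pinned application")
    cat = category_of(host) if host else None
    if cat in BYPASS_CATEGORIES:
        return Decision("bypass", None, None, "privacy category: %s" % cat)
    # Requirement 1 cannot be applied without a hostname: a flow with no SNI is
    # uncategorised, and this policy decrypts it rather than pass a blind tunnel.
    return Decision("decrypt", "forge", forged_leaf(host or flow.dst),
                    "outbound, category: %s" % (cat or "uncategorised"))

if __name__ == "__main__":
    for f in (Flow("10.1.4.22", "203.0.113.10", 443, "www.example.test"),
              Flow("10.1.4.22", "198.51.100.7", 443, "google.com"),
              Flow("10.1.4.22", "198.51.100.9", 443, "portal.bank.test"),
              Flow("10.1.4.22", "198.51.100.9", 8443, None)):
        print(f.sni or f.dst, decide(f))
```

Two design points carry over to a real deployment: the inbound branch only ever uses keys that were provisioned through the key-distribution process (it refuses to decrypt, and flags, a server whose key nobody onboarded), and the outbound branch decides bypass from the SNI before any forging happens, so privacy-category sessions are never terminated by the appliance at all. Whether a no-SNI flow is decrypted or bypassed is a policy choice HR and Legal need to sign off on, not a technical default.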
SSL BLIND SPOTS IN ACTION: DATA INFILTRATION + EXFILTRATION USING SSL
Malware infiltration and data exfiltration, observed with Wireshark. Compare pcaps from identical operations with and without SSL inspection enabled in the network:
- Download a file (magnetic*) from sourceforge.net (HTTP download)
- Download a known file using HTTPS: infiltration
- Upload sensitive data using HTTPS: exfiltration
VIDEO
SSL BLIND SPOTS: DATA EXFILTRATION EXPERIMENT
Symantec DLP Network Prevent details:
- Base OS: MS Windows 2012 R2
- DLP Network Prevent software version: 14
- DLP Network Prevent configured to monitor HTTP and HTTPS ports
SSL inspection device: hardware model SV800, software version 3.8.2-409
Experiment:
1. Upload sensitive data using HTTP
2. SSL inspection disabled: upload sensitive data using HTTPS
3. SSL inspection enabled: upload sensitive data using HTTPS
NOTE: SYMANTEC DOES NOT CLAIM THEY CAN INSPECT SSL TRAFFIC ON THEIR NETWORK DLP PRODUCTS
VIDEO
ECONOMICS OF SSL DECRYPTION
Cost of no action: infection = intrusion = breach = $
Direct costs:
- Low performance -> higher cost to reach the needed throughput
- Incomplete support for the latest ciphers creates unseen blind spots
Indirect costs:
- Time and effort to identify, gather, distribute, and update keys & certificates
ONGOING OPERATIONS
MAINTAINING DECRYPTION
- Capture new keys and certificates (including those generated outside of IT security)
- Update renewed and rekeyed keys and certificates throughout the SSL/TLS chain (e.g. firewall, load balancer, WAF, etc.)
45 DAY ACTION PLAN
YOUR 45 DAY ACTION PLAN
- Map your SSL footprint = risk exposure
- Decrypt once, feed many vs. decryption in many places in the network
- Performance impact of decryption on existing network/security devices
- Local regulations and compliance requirements
- Outbound: HR and Legal must be consulted to ensure user privacy is respected and preserved
- Inbound: obtaining keys/certificates; how will you keep them secure, how will you keep them updated
MAP YOUR INBOUND SSL/TLS FOOTPRINT
- Where and how many SSL/TLS enabled entities?
- What are all the systems involved in SSL/TLS through the DMZ? (e.g. firewall, load balancer, WAF, etc.)
- What are the security controls that need visibility into encrypted traffic?
- How will you track keys and certificates?
- How frequently are they renewed and rekeyed?
- Who, and how many people, are responsible for each key and certificate?
- How will you get them?
- How will you transfer keys and certificates?
- How will you update keys and certificates?
MAP YOUR OUTBOUND SSL/TLS FOOTPRINT
- % of total north-south traffic that is SSL/TLS encrypted
- SSL versions seen on the network: SSL versions have known vulnerabilities. SSL: bad; TLS: good. BP: do not allow known bad protocols
- Certificate status: valid vs. invalid certificates. You should not see any traffic with an invalid certificate. BP: do not allow traffic with invalid certificates
- SSL/TLS traffic that isn't on port 443
- Non-SSL traffic that is using port 443
- Protocol versions in use
- Ciphers used: strong vs. weak cipher suites. Export-grade RSA and DHE suites are what FREAK and Logjam exploit; Heartbleed is an OpenSSL implementation bug rather than a weak cipher, so it belongs in the version/patch inventory, not the cipher statistics. BP: do not allow connections with weak ciphers
- Top N SSL sites by request
- Users of SSL/TLS traffic
- North-south communication
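An added example (not the deck's) of turning the list above into numbers and policy hits. It profiles constructed connection records and flags the best-practice violations the slide calls out: bad protocol versions, invalid certificates, weak cipher suites, TLS off port 443 and non-TLS on port 443. The record layout is this example's own assumption, loosely modelled on a Zeek conn log joined with its ssl log, and every record is constructed.

```python
"""Outbound SSL/TLS footprint profiler over constructed connection records.
Added example; the records below are constructed, and the field names are an
assumption of this example rather than any tool's schema."""
from collections import Counter

CONN_LOG = [
    {"src": "10.1.4.22", "dst": "203.0.113.10", "dport": 443, "app": "tls", "version": "TLSv12",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sni": "www.example.test", "cert": "ok", "bytes": 51200},
    {"src": "10.1.4.22", "dst": "198.51.100.7", "dport": 443, "app": "tls", "version": "TLSv12",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sni": "google.com", "cert": "ok", "bytes": 204800},
    {"src": "10.1.9.5", "dst": "198.51.100.7", "dport": 443, "app": "tls", "version": "TLSv12",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "sni": "google.com", "cert": "ok", "bytes": 9000},
    {"src": "10.1.9.5", "dst": "198.51.100.20", "dport": 443, "app": "tls", "version": "SSLv3",
     "cipher": "TLS_RSA_WITH_RC4_128_SHA", "sni": "legacy.partner.test", "cert": "ok", "bytes": 3000},
    {"src": "10.1.7.8", "dst": "198.51.100.33", "dport": 4443, "app": "tls", "version": "TLSv10",
     "cipher": "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "sni": "", "cert": "self signed certificate", "bytes": 120000},
    {"src": "10.1.7.8", "dst": "198.51.100.40", "dport": 443, "app": "http", "version": "",
     "cipher": "", "sni": "", "cert": "", "bytes": 700},
    {"src": "10.1.4.22", "dst": "198.51.100.50", "dport": 80, "app": "http", "version": "",
     "cipher": "", "sni": "", "cert": "", "bytes": 40000},
    {"src": "10.1.2.2", "dst": "198.51.100.60", "dport": 443, "app": "tls", "version": "TLSv12",
     "cipher": "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "sni": "cdn.example.test", "cert": "unable to get local issuer certificate", "bytes": 5000},
]

BAD_VERSIONS = {"SSLv2", "SSLv3"}          # "SSL: bad"
LEGACY_VERSIONS = {"TLSv10", "TLSv11"}     # tolerated, but worth a separate count
# Substrings that mark a suite as weak: export grade (FREAK, Logjam), RC4,
# single/40-bit DES, NULL encryption, anonymous key exchange, MD5 MACs.
WEAK_MARKERS = ("_EXPORT", "_NULL_", "_RC4_", "_DES40_", "_DES_CBC_", "_anon_", "_MD5")

def weak_cipher(name):
    return any(m in name for m in WEAK_MARKERS)

def profile(records, top_n=3):
    """The footprint numbers: share of TLS, versions, ciphers, top sites, users."""
    tls = [r for r in records if r["app"] == "tls"]
    total_bytes = sum(r["bytes"] for r in records) or 1
    return {
        "pct_tls_flows": round(100.0 * len(tls) / len(records), 1),
        "pct_tls_bytes": round(100.0 * sum(r["bytes"] for r in tls) / total_bytes, 1),
        "versions": Counter(r["version"] for r in tls),
        "ciphers": Counter(r["cipher"] for r in tls),
        "top_sites": Counter(r["sni"] or r["dst"] for r in tls).most_common(top_n),
        "tls_users": sorted({r["src"] for r in tls}),
    }

def violations(records):
    """Best-practice checks; each hit is (rule, record). One flow can hit several."""
    hits = []
    for r in records:
        if r["app"] == "tls":
            if r["version"] in BAD_VERSIONS:
                hits.append(("bad-protocol", r))
            elif r["version"] in LEGACY_VERSIONS:
                hits.append(("legacy-protocol", r))
            if r["cert"] != "ok":
                hits.append(("invalid-cert", r))
            if weak_cipher(r["cipher"]):
                hits.append(("weak-cipher", r))
            if r["dport"] != 443:
                hits.append(("tls-off-443", r))
        elif r["dport"] == 443:
            hits.append(("non-tls-on-443", r))
    return hits

if __name__ == "__main__":
    summary = profile(CONN_LOG)
    for k, v in summary.items():
        print("%-14s %s" % (k, v))
    for rule, r in violations(CONN_LOG):
        print("%-16s %s -> %s:%d %s" % (rule, r["src"], r["dst"], r["dport"], r["sni"] or r["version"] or r["app"]))
```

Version, cipher suite and SNI are all visible in the ClientHello/ServerHello without decryption, so this profile can be built from a passive tap before any inspection appliance is bought; the certificate-status column is the one that, under TLS 1.3, only an inline decrypting point can still populate.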
THANK YOU
Manoj Sharma, Technical Director, Symantec Corp, manoj_sharma@symantec.com
Mark Sanders, Lead Security Architect, Venafi, mark.sanders@venafi.com