SWNEpisode13

From Security Weekly Wiki

Recorded February 18, 2020 at G-Unit Studios in Rhode Island!


Hosts

  • Doug White: Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Jason Wood: Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
Security News

Expert Commentary: Jason Wood

Malware and HTTPS – a growing love affair

We’ve talked a number of times about browsers encouraging everyone to use HTTPS for all their web sites. This “encouragement” became more aggressive when they started labeling sites using HTTP as “insecure”. As a result, most of the sites that I find myself on are using HTTPS. Malware authors have now decided that maybe using HTTPS is a good thing for them too. The Naked Security blog released a post and report on the growing usage of HTTPS by malware that is worth a read.

The TLDR is that the usage of HTTPS is increasing for malware. According to Sophos, roughly 23% of all malware now uses encrypted HTTP. This has an obvious impact on security monitoring and the data we capture using our tools. We may find that the tools we are mainly depending on no longer provide the data we expect or need. As malware authors change their tactics, we need to evaluate our defenses and respond. It’s just not acceptable to lose capability because we don’t change our practices.

For example, network IDS is one of the first security tools that I deployed, but the data it captures is now less rich because of encryption. Does that mean I should no longer use network security tools? No, I do not believe so, though it does change some of the priority that I place on network IDS. It still has very valuable information for me when I’m performing analysis on traffic, but it’s not unusual to be unable to extract a payload due to encryption. So instead, I tend to use network tools to analyze which IP addresses are talking to each other, what ports they use, and to monitor for patterns of traffic emerging across the network.

Endpoint security tools, DNS monitoring, and other tools become more important as network encryption increases. I find now that my analysis focuses more on execution behavior, such as why that Word document opened a command prompt, which then executed PowerShell, and then started talking to a server I’ve never seen before.

At the moment, we are in a transition state. According to Sophos, 77% of the malware being used is still using HTTP. They correctly point out that web traffic using plain old HTTP is now more unusual and may be an anomaly worth investigating. There is still a ton of bad stuff to be caught using HTTP, but we need to start preparing for when HTTPS eventually becomes the primary mode of network communication.
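The two shifts described above, behavior-based endpoint analysis (an Office document spawning a shell that then talks to the network) and treating plain HTTP egress as an anomaly, can be expressed as simple detection logic. The following is an added example written for this page, not code from the show or from Jason Wood; the event format, field names and sample process/network events are all constructed for illustration.

```python
"""Added example: flag two patterns from the commentary over constructed events.
1. A shell (cmd.exe / powershell.exe) descended from an Office app makes an
   outbound connection (execution-behaviour chain).
2. Any outbound connection on plain HTTP (port 80), now unusual enough to review.
The event schema below is an assumption for the example, not a real product format."""

# Constructed sample endpoint telemetry: process creations and network connections.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "network", "pid": 400, "dst": "203.0.113.7", "dport": 443},
    {"type": "process", "pid": 500, "ppid": 100, "image": "chrome.exe"},
    {"type": "network", "pid": 500, "dst": "198.51.100.9", "dport": 80},
    {"type": "network", "pid": 500, "dst": "198.51.100.10", "dport": 443},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def ancestry(procs, pid):
    """Return image names from pid up to the root, child first (lower-cased)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, process chain, destination) tuples for matching events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = ancestry(procs, e["pid"])
        # Rule 1: a shell with an Office application somewhere above it is talking out.
        if chain and chain[0] in SHELLS and any(p in OFFICE for p in chain[1:]):
            alerts.append(("office-shell-network", e["pid"], " <- ".join(chain[:3]), e["dst"]))
        # Rule 2: plaintext HTTP egress is itself worth a look as HTTPS becomes the norm.
        if e["dport"] == 80:
            alerts.append(("plaintext-http-egress", e["pid"], chain[0] if chain else "?", e["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```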

Some defenses can include the use of proxy servers that perform traffic inspection of decrypted HTTP traffic. That requires implementing a proxy with a certificate authority certificate that is trusted by all your systems. Then you can require all HTTP and HTTPS traffic to leave your network only through the proxy. There are some potential legal and privacy ramifications due to the data being decrypted, analyzed, and then re-encrypted to the destination site. You’ll want to avoid performing this activity on banking sites, for example. Work with your legal and HR departments before implementing something like this. Make sure you are authorized to perform this type of monitoring. If allowed, it can really save you some grief.

There are definitely tools out there that can help deal with malware authors changing their tactics. If someone says we are all doomed due to encryption, they are not correct and probably want to sell you something or have some other agenda. We can continue to perform effective monitoring, but we have to adapt. And it’s always better to start making those changes early on in the process rather than waiting until you are reacting to a malware outbreak that you can’t detect.