
Decryption and cyber attacks. Vectra AI’s opinion

by admin

Alessio Mercuri, Security Engineer at Vectra AI, explains why decrypting packet payloads is not always effective in identifying advanced cyber attacks within a network.

Manually executed “nation state” and RansomOps attacks have become among the most damaging and most common destructive attack methods in use. They are also among the hardest to detect. Is decrypting packet payloads operationally effective in helping analysts spot signs of these advanced attacks within a network? The short answer is “no,” for at least three reasons.

Few advantages for the defender

Passive decryption of standard encryption, such as TLS, is operationally expensive. With TLS 1.3 the key exchange is always ephemeral, so a passive tap can no longer recover session keys from the server’s private key; the keys have to be exported from every endpoint, which in practice means installing an agent on all connected endpoints. Furthermore, passive decryption offers the defender few advantages that are not already provided by active decryption (interception) on a firewall or proxy. Finally, neither actually helps defenders trace an advanced attacker’s C2 channel or data exfiltration.

Advanced decryption and cyber attacks

We consider traffic at the edge of an organization’s network, where encryption is prevalent, and look for signs of command and control and data exfiltration. We find that decryption offers defenders very little, if any, benefit when it comes to detecting advanced nation state attacks or manually executed criminal attacks such as RansomOps. Here is why.

Nation state attack tools are customized

Nation state actors usually assemble several tool chains for their attack teams to use. These tool chains often include internally developed tools alongside standard, off-the-shelf ones. The latter are heavily customized to evade signatures that merely detect their presence. The more capable nation state actors add further complexity: they configure both custom and standard tools differently for each target and do not reuse the infrastructure from one target’s attack against another. As a result, decrypting payloads in order to run signatures over them yields no significant gain in detection capability.

Attack tools (RansomOps) are changed


Manually executed attacks, as is the case with most RansomOps attacks, serve a criminal business model that aims to make money. It therefore makes no sense for cyber criminals to spend large resources building tools from scratch, as this simply reduces potential profits. Instead, almost all cyber criminals make heavy use of tools available on the market and change the default settings that most signature-based security solutions would otherwise detect.

Vectra AI opinion on decryption and advanced cyber attacks

To avoid detection, attackers override the default configuration, which renders the signatures useless. Infrastructure is more commonly reused, but it can be identified via domains and/or IP addresses without any decryption. Just as with nation state attacks, therefore, decrypting payloads to run signatures over them yields no significant benefit for detection.

To defend against advanced attacks

Whether faced with a nation state attack or RansomOps, breaking the outer TLS encryption to gain access to the inner HTTP request does not help the defender. There is no fixed pattern on which to build a signature, and the actual payload (commands sent, command results returned, software downloaded, etc.) is obscured by lightweight encryption under a key the attacker generates at random, typically per implant or per session.

Alternative methods

So, unless an organization is willing to adopt a very restrictive Internet access policy (in practice, an allowlist containing only the Internet sites it trusts), C2 channels cannot be identified by looking for byte patterns in decrypted HTTP payloads. Exfiltration detection follows more or less the same logic: the inner encrypted payload is impervious to standard DLP approaches. What remains for detecting C2 or exfiltration is analysis of the time series of data transfers (beaconing regularity) and of simple volume anomalies. Neither requires decryption of the outer shell.
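The approaches the last two sections point to (infrastructure matching on domains and IPs, time-series analysis of transfers, and volume anomalies) all work on flow metadata and never touch the payload. The following is an added example, not Vectra AI’s code or product logic: it runs three such checks over a handful of constructed flow records (timestamps, source, destination IP, TLS SNI and outbound byte count). The addresses, hostnames and the indicator list are all made up for the illustration; the thresholds are assumptions a real deployment would tune.

```python
"""Detecting C2 beaconing, exfiltration volume and known-bad infrastructure
from flow metadata alone (no TLS decryption).  Added example, not Vectra AI
code; every flow record, address, hostname and the blocklist is constructed."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed flow records: (time_s, src_ip, dst_ip, sni, bytes_out).
# 10.0.0.5 beacons to 203.0.113.10 about once a minute with small jitter;
# 10.0.0.7 browses a news site irregularly; 10.0.0.9 makes one 250 MB upload.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", "cdn-updates.example", b)
     for t, b in zip([0, 61, 119, 181, 240, 299, 361, 420, 479, 541],
                     [300, 312, 298, 305, 300, 310, 299, 304, 302, 308])]
    + [(t, "10.0.0.7", "198.51.100.20", "news.example", b)
       for t, b in zip([5, 12, 140, 141, 600, 1900, 2000, 2300, 2310, 5000],
                       [1200, 4100, 650, 900, 2500, 300, 3800, 1100, 450, 2200])]
    + [(t, "10.0.0.9", "198.51.100.77", "files-share.example", b)
       for t, b in zip([30, 400, 900, 1500, 2200, 3000],
                       [800, 1200, 650, 900, 1500, 250_000_000])]
)

# Constructed indicator list standing in for a threat-intelligence feed.
BLOCKLIST = {"ips": {"203.0.113.10"}, "domains": {"cdn-updates.example"}}


def by_pair(flows):
    """Group flows by (src, dst) and sort each group by time."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2])].append(f)
    for g in groups.values():
        g.sort(key=lambda f: f[0])
    return groups


def beacon_candidates(flows, min_flows=8, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-arrival times are suspiciously regular.
    The coefficient of variation (stdev / mean) of the gaps is small for a
    sleep-plus-jitter beacon and large for human-driven traffic."""
    hits = []
    for pair, g in by_pair(flows).items():
        if len(g) < min_flows:
            continue
        gaps = [b[0] - a[0] for a, b in zip(g, g[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((pair, {"n": len(g), "mean_interval": mean(gaps), "cv": cv}))
    return hits


def robust_z(x, values):
    """Modified z-score based on median and MAD.  A plain z-score of a single
    outlier among n values cannot exceed (n-1)/sqrt(n), so it misses one huge
    upload among a few small flows; the MAD version has no such ceiling."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # all values identical: anything different is an outlier
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def volume_outliers(flows, threshold=3.5):
    """Flag flows whose outbound byte count is an outlier for their source host."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f[1]].append(f[4])
    scored = [(f, robust_z(f[4], per_src[f[1]])) for f in flows]
    return [(f, z) for f, z in scored if z > threshold]


def infrastructure_hits(flows, blocklist):
    """Match destination IP and TLS SNI against known-bad infrastructure.  The
    SNI is visible in the ClientHello unless Encrypted Client Hello is used;
    the destination IP is always visible.  Neither needs the session keys."""
    return {(f[1], f[2], f[3]) for f in flows
            if f[2] in blocklist["ips"] or f[3] in blocklist["domains"]}


if __name__ == "__main__":
    for pair, stats in beacon_candidates(FLOWS):
        print("beacon  ", pair, stats)
    for f, z in volume_outliers(FLOWS):
        print("volume  ", f, round(z, 1))
    for hit in infrastructure_hits(FLOWS, BLOCKLIST):
        print("infra   ", hit)
```

Run as a script it reports the beaconing pair (ten connections, mean gap about 60 s, coefficient of variation under 0.1), the single 250 MB upload from 10.0.0.9, and the blocklisted destination, while the irregular browsing host trips none of the checks. The median/MAD score is used for volumes because a mean/standard-deviation z-score is capped at (n-1)/sqrt(n) for a lone outlier and would miss exactly the one-shot exfiltration case that matters.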
