Decrypting the need for encryption: why it’s important to test security countermeasures with encrypted attacks

Best practices, regulations, and compliance standards mandate that organizations keep their customers’ data and assets secure. The newly introduced California Consumer Privacy Act [1] shows further government regulation being put in place, holding organizations accountable for breaches and for safeguarding user information. As a result, the majority of connections made across both networks and the internet are now encrypted. Google [2] estimates that around 94% of traffic to and from its services is encrypted. Viewing this data alongside the growth of encryption over time, it is clear that organizations are making it a priority to secure their customers’ data.

Securing networks through encryption is the primary method of meeting these mandates and keeping data safe. However, encrypting everything also puts a heavy strain on network devices such as firewalls and the rest of the security infrastructure, which must still tell good traffic from bad while maintaining a high level of performance.

Adopting Spirent’s industry-leading security validation solutions, such as CyberFlood Data Breach Assessment (DBA), gives security teams the capability to encrypt attacker activity that runs over TCP. CyberFlood DBA assesses production networks using real attacks, malware and applications. Encrypting assessment traffic, combined with other techniques such as evasions and obfuscation, lets us act more like hackers in the wild and realistically validate security infrastructures. Providing this realism within DBA is critical: it gives security teams visibility of vulnerabilities and helps them improve security efficacy across the entire network.

Img 1	Validate security infrastructures

[1] California Consumer Privacy Act: https://www.caprivacy.org/

Most next-generation firewalls on the market have a full suite of security capabilities for finding vulnerabilities on a network and detecting such events, if configured properly. Let’s look at a few examples of how CyberFlood DBA can further help harden security devices via assessments using the TLS Encryption feature.

In the image below, DBA results show the firewall blocking two attacks and two malware scenarios with typical security settings configured. In this assessment we are not encrypting traffic but sending these vulnerabilities as-is from Spirent’s TestCloud Content Library. It is important to note that we are able to correlate and match our findings with events in our Security Information and Event Management (SIEM) system.

Img 2	Firewall blocking attacks and malware

In the next example, we took the same four attacks, encrypted the traffic using TLS v1.2, and generated it through a firewall without inspection or decryption capabilities. The result shows the two attacks and two malware scenarios passing the firewall unblocked. This illustrates why it is important for organizations to enable and test SSL inspection and decryption capabilities: without them, breaches will most likely occur, as the mitigation service in this case was unable to block the encrypted attacker content.

Img 3	Enable and test SSL inspection and decryption capabilities

In the final example, DBA tests the SSL inspection and decryption engines of the network firewall and their ability to find TLS-encrypted attacks sent over different ports. We took two of the same attacks and sent one on a non-standard port and the other on the standard TLS port, in this example HTTPS (443). Because our firewall only inspected traffic on HTTPS and a few other ports, we were able to breach the environment on the other port while encrypted. Reconfiguring the firewall’s policies to inspect encrypted traffic on all ports may show different levels of protection accuracy against attacks and malicious content hidden under the guise of encrypted messaging.

Img 4	TLS encrypted using different ports
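As an added example (not Spirent’s code and not part of the original post), the following Python check implements the port-agnostic detection the last example calls for: it recognises a TLS ClientHello from the first bytes of a flow regardless of destination port and reports flows whose port lies outside the set the inspection policy decrypts. The sample flows, the inspected-port set and the ClientHello builder are constructed here for illustration.

```python
# Added example: flag TLS handshakes on ports the inspection policy does not decrypt.
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # TLS 1.0-1.3 record/legacy versions


def parse_client_hello(data: bytes):
    """Return the ClientHello's legacy client version, or None if data is not a ClientHello."""
    if len(data) < 11 or data[0] != TLS_HANDSHAKE:
        return None
    record_version, record_len = struct.unpack("!HH", data[1:5])
    if record_version not in KNOWN_VERSIONS or record_len < 6:
        return None
    if data[5] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 > record_len:  # handshake message must fit inside the record
        return None
    client_version = struct.unpack("!H", data[9:11])[0]
    return client_version if client_version in KNOWN_VERSIONS else None


def make_client_hello(client_version=0x0303, random_bytes=b"\x11" * 32) -> bytes:
    """Build a minimal, well-formed ClientHello prefix (constructed test input)."""
    body = struct.pack("!H", client_version) + random_bytes + b"\x00"  # empty session id
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def find_uninspected_tls(flows, inspected_ports):
    """Return (dst, port) for flows carrying TLS to a port the policy does not decrypt."""
    gaps = []
    for dst, port, first_bytes in flows:
        if parse_client_hello(first_bytes) is not None and port not in inspected_ports:
            gaps.append((dst, port))
    return gaps


# Constructed flows: the same ClientHello sent to 443 and to a non-standard port,
# plus a plaintext HTTP request that is not TLS at all.
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, make_client_hello()),
    ("10.0.0.5", 8443, make_client_hello()),
    ("10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_uninspected_tls(SAMPLE_FLOWS, {443}))  # [('10.0.0.5', 8443)]
```

A policy that decrypts only 443 leaves the 8443 flow uninspected, which is exactly the gap the port test above exposes.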

In summary, with encryption becoming the standard for data transmission, security teams need realistic testing tools to get a view of their threat landscape, helping them find vulnerabilities and take action to remediate. With Spirent’s robust TestCloud content library and features like TLS encryption and evasion techniques, we can closely emulate what hackers are doing to breach environments.

CyberFlood Data Breach Assessment delivers accurate, automated assessments of live production environments, safely using emulated traffic scenarios, so security teams can identify and address vulnerabilities before attackers do.

For more information, please visit: https://www.spirent.com/solutions/cybersecurity
