
How can stealthy SSL attacks be detected and mitigated?

SSL attacks "in stealth mode" are helping attackers avoid detection and analysis. Expert Nick Lewis explains how to discover and defend against the threat.

I heard SSL can help attackers work "in stealth mode." How do these attacks work, and what are the best ways to detect stealthy SSL attacks?

Governments and society at large have a complicated relationship with encryption. Encryption provides many valuable protections to society and to individuals, but it can also be put to nefarious use: an attacker who wraps a connection in SSL prevents a defender from analyzing the network traffic and the data it carries.

In the past, defenders benefited from how hard encryption is to implement correctly: malware authors who rolled their own encryption often got it wrong, and analysts could break it to recover the data. As attackers adopt more conventional software development practices, such as using well-tested encryption libraries, that advantage is eroding. When an attacker uses SSL correctly, a defender's network tools can no longer match the payload against signatures, which renders many of those tools ineffective. As Grant Asplund of Blue Coat Labs noted, enterprises are being naive if they believe that any network connection using SSL should be trusted.

Stealthy SSL attacks can be detected by inspecting network connections for anomalies with a network-based anomaly detection system -- AlienVault Behavioral Monitoring Software, Arbor Networks SP and Lancope Stealthwatch, among others -- and generating an alert for an analyst to investigate. Even though the payload is encrypted, the packet headers still carry valuable data: the source and destination IP addresses, the ports, the byte and packet counts, and the timestamps that show exactly when one host connected to another. These are the same fields a flow record (NetFlow or IPFIX) carries, and they can be fed straight into an anomaly detection system. If, for example, an encrypted connection sends a significant amount of data to an IP address the host has never contacted before, that is worth investigating. The TLS handshake itself is not encrypted in TLS 1.2 and earlier, so the protocol version, the cipher suites offered and negotiated, and the server certificate presented can be added to the anomaly data as further indicators and improve detection.
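The following is an added example, not code from the original article or from any of the products named above. It builds a per-host baseline from flow-style records (source, destination, port, outbound bytes and the cipher suite seen in the cleartext handshake), then scores new flows on header metadata alone, alerting when several weak signals coincide: a never-seen peer, an outbound volume far above the host's norm, a cipher suite the host has never negotiated. The flow records are constructed, the addresses are from the RFC 5737 documentation ranges, and the thresholds (3 sigma, two coinciding reasons, a 10% spread floor) are assumptions to be tuned per network.

```python
"""
Header-only anomaly detection for TLS traffic. Added example, not from the
original article; flow records are constructed and thresholds are assumptions.
Nothing here needs the payload: source, destination, port, byte counts and
the cipher suite from the handshake are all observable without decryption.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str         # internal client
    dst: str         # external server
    dport: int
    bytes_out: int   # client -> server bytes
    cipher: str      # cipher suite from the ServerHello (cleartext in TLS <= 1.2)


# Constructed baseline: ordinary TLS traffic for one workstation over time.
BASELINE = [
    Flow(t, "10.0.0.5", dst, 443, nbytes, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
    for t, dst, nbytes in [
        (1, "203.0.113.10", 3_200), (2, "203.0.113.10", 4_100),
        (3, "203.0.113.20", 2_800), (4, "203.0.113.10", 3_600),
        (5, "203.0.113.30", 5_400), (6, "203.0.113.20", 2_900),
        (7, "203.0.113.10", 3_100), (8, "203.0.113.30", 4_700),
    ]
]

# Constructed new flows: one normal, one large upload to a never-seen peer with
# a cipher suite the host never negotiated before, one tiny contact to a new peer.
NEW = [
    Flow(100, "10.0.0.5", "203.0.113.10", 443, 3_900, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    Flow(101, "10.0.0.5", "198.51.100.77", 443, 58_000_000, "TLS_RSA_WITH_RC4_128_SHA"),
    Flow(102, "10.0.0.5", "198.51.100.78", 443, 1_500, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]


def build_baseline(flows):
    """Per-source profile: known peers, known cipher suites, outbound byte stats."""
    profile = defaultdict(lambda: {"peers": set(), "ciphers": set(), "bytes": []})
    for f in flows:
        p = profile[f.src]
        p["peers"].add(f.dst)
        p["ciphers"].add(f.cipher)
        p["bytes"].append(f.bytes_out)
    for p in profile.values():
        p["mean"] = statistics.mean(p["bytes"])
        p["stdev"] = statistics.pstdev(p["bytes"])
    return profile


def score_flow(flow, profile, z_threshold=3.0):
    """Return the list of anomaly reasons for one flow (empty list = nothing unusual)."""
    p = profile.get(flow.src)
    if p is None:
        return ["source host has no baseline"]
    reasons = []
    # Floor the spread at 10% of the mean (assumed) so a flat baseline cannot
    # turn every small deviation into an alert.
    spread = max(p["stdev"], 0.1 * p["mean"])
    z = (flow.bytes_out - p["mean"]) / spread
    if flow.dst not in p["peers"]:
        reasons.append(f"first contact with {flow.dst}")
    if z > z_threshold:
        reasons.append(f"outbound volume {flow.bytes_out} is {z:.0f} sigma above baseline")
    if flow.cipher not in p["ciphers"]:
        reasons.append(f"cipher suite {flow.cipher} never negotiated before")
    return reasons


def detect(baseline_flows, new_flows, min_reasons=2):
    """Alert only when several weak signals coincide, to keep false positives down."""
    profile = build_baseline(baseline_flows)
    alerts = []
    for f in new_flows:
        reasons = score_flow(f, profile)
        if len(reasons) >= min_reasons:
            alerts.append((f, reasons))
    return alerts


if __name__ == "__main__":
    for flow, reasons in detect(BASELINE, NEW):
        print(f"ALERT ts={flow.ts} {flow.src} -> {flow.dst}:{flow.dport}")
        for r in reasons:
            print("   ", r)
```

Run as-is it raises a single alert, for the 58 MB upload to 198.51.100.77, with three reasons; the first new flow matches the baseline and the third is a new peer but far too small to matter on its own. Requiring two coinciding reasons is the design choice that keeps "new destination" from alerting on every first visit to a CDN node; in production the baseline would be built from days of flow data per host rather than the handful of records constructed here.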

To defend against SSL attacks, an enterprise can also deploy a network inspection device that terminates and decrypts SSL connections so the plaintext can be inspected. Enterprises should, however, carefully assess the risk versus benefit tradeoff of such a tool: the protection it adds, the privacy concerns it raises, the trust it concentrates in one device (it issues certificates from a CA every client must trust, and it becomes the endpoint that validates server certificates on the clients' behalf), and whether other security tools achieve the same protection without the privacy issues. Enterprises should also clearly communicate with internal staff to help them understand the security controls in use, be transparent in their use, and implement appropriate privacy protections.



This was last published in November 2015
