Strong encryption can be a double-edged sword. It is obviously an essential mechanism for protecting data – e.g., payment card details, passwords, sensitive files, etc. – that is in transit across networks or even at rest in databases. On the other hand, the precise mechanism that it utilizes to shield all of this valuable information from prying eyes (namely, its cipher) is equally good at hiding malware from scanners.
How encryption enables certain types of cyberattacks
The potential for cybercriminal use of encryption was always there, but it really came to the fore with the emergence of CryptoLocker in 2013. CryptoLocker was ransomware that used strong encryption to scramble the files it held hostage from their owner. This meant that unless the end user paid a fee to obtain the key, his or her files were essentially unrecoverable, regardless of what later happened to CryptoLocker itself (for example, its removal from the machine).
"CryptoLocker infections put infected computers at an elevated risk of being rendered unusable," stated a Trend Micro Premium Security Support document. "This is because once files are encrypted, almost all anti-malware tools are only able to remove the CryptoLocker variant from the system, leaving encrypted files unusable."
Beyond CryptoLocker, encryption has also become an issue in IP network traffic. An entire cottage industry of tools for decrypting HTTPS traffic has sprung up, allowing enterprises to sift through encrypted data to see if any malware is also hiding behind the cipher. A group of Cisco researchers even recently explored the possibility of spotting malware within SSL/TLS without performing decryption at all, since decryption is such a computationally intensive process.
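The reason inspection without decryption is possible is that a TLS connection is not encrypted end to end from the first byte: the ClientHello that opens the handshake is sent in the clear, so a network monitor can read the offered protocol version, the cipher-suite list and the Server Name Indication (SNI) without holding any key. The following Python is an added example (not the Cisco researchers' technique and not code from the original article) that builds a constructed ClientHello record, parses those fields back out of it, and applies a few illustrative policy heuristics of the kind a monitoring system might log or score. The cipher-suite code points are real IANA registry values; the heuristics in `assess` and the sample inputs are assumptions made for the example.

```python
import struct

# Cipher-suite code points from the IANA TLS registry (a small subset for the example).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
WEAK_SUITES = {0x0005, 0x0004}   # RC4 suites: deprecated, chosen here as an illustrative flag
EXT_SERVER_NAME = 0x0000         # SNI extension type


def build_client_hello(server_name, suites, version=0x0303):
    """Build a constructed TLS ClientHello record (sample input for the parser, not captured traffic)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        ext_data = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
    body = struct.pack("!H", version)
    body += b"\x11" * 32                       # client random (fixed filler, constructed)
    body += b"\x00"                            # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_client_hello(record):
    """Extract handshake metadata from a TLS ClientHello record.

    Nothing here is decrypted: the ClientHello travels in plaintext in TLS 1.2 and 1.3.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # skip client random
    sid_len = body[pos]; pos += 1 + sid_len     # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len   # skip compression methods
    sni = None
    if pos + 2 <= len(body):                    # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def assess(meta):
    """Return policy findings derived from handshake metadata alone (heuristics are illustrative)."""
    findings = []
    if meta["sni"] is None:
        findings.append("no SNI: client did not name the server it is connecting to")
    if meta["version"] < 0x0303:
        findings.append("client version below TLS 1.2")
    weak = [SUITE_NAMES.get(s, hex(s)) for s in meta["cipher_suites"] if s in WEAK_SUITES]
    if weak:
        findings.append("offers deprecated cipher suites: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    normal = build_client_hello("www.example.com", [0x1301, 0xC02F, 0xC030])
    odd = build_client_hello(None, [0x0005, 0x002F], version=0x0301)
    for label, rec in (("browser-like", normal), ("unusual", odd)):
        meta = parse_client_hello(rec)
        names = [SUITE_NAMES.get(s, hex(s)) for s in meta["cipher_suites"]]
        print(label, meta["sni"], names, assess(meta))
```

The point of the exercise is what the parser never needs: no private key, no decryption appliance, and no access to the application data. Features such as these (and, in the published research, packet sizes and timing as well) are what metadata-based classifiers work from; the heuristics above are deliberately simple and would need tuning against real traffic before they were worth alerting on.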
How big is the scope of the encrypted malware threat?
Ever since the 2013 revelations about the extent of various state-operated surveillance initiatives around the world, encryption has been on the rise. Google alone estimated that in early 2016, 77 percent of requests to its servers were encrypted, up from less than 50 percent at the end of 2013.
This shift has helped facilitate the rise of encrypted threats. A 2016 survey of 1,000 IT professionals conducted by the Ponemon Institute and A10 Networks found that 80 percent of respondents had suffered a cyberattack within the past year and that approximately half thought that their attackers had used encryption.
The study also revealed:
- Inbound encrypted traffic was expected to increase from 39 percent to 45 percent of all traffic by 2017, and outbound traffic to jump from 33 percent to 41 percent.
- Only 16 percent of respondents thought that they could identify malware exfiltrating data in outbound traffic; 17 percent said the same about stopping inbound traffic with their standard intrusion prevention systems.
- Seventy-five percent stated that their organizations were at risk from encrypted malware, meaning that they stood to possibly lose sensitive data and intellectual property.
Despite the dangers posed by threats that hide in encryption, many organizations are not well-equipped to deal with the challenge. Survey respondents identified some of the hurdles, including a lack of specific tools and experienced personnel, as well as the performance degradation that occurs whenever HTTPS traffic is decrypted for inspection. The bottlenecks that encryption can create are one of the reasons that a lot of data at rest in databases is still unencrypted, since decrypting it for the millions of queries made each day would be impractical.
Addressing encrypted malware in the years ahead
A proactive, multi-pronged strategy is needed to combat today's complex encrypted malware threats. Dedicated tools can help by passing HTTPS traffic through a special appliance that discreetly decrypts the data so that it can be inspected by IT professionals for anomalies.
Another essential measure is to educate employees about the risks so that they don't unwittingly contribute to the problem. For example, they should resist divulging sensitive information in response to email phishing schemes, and avoid leaving their accounts vulnerable to exploitation through weak username/password combinations or a lack of rigorous access controls.
Encryption is an essential protective mechanism that nevertheless must be carefully managed. Be sure to know the risks of it being used against you to scramble your files or hide malware.