Understanding the attack methods and techniques of bad guys provides valuable insights that can help you refine your security posture. This five-part series looks at attacks from a thief’s perspective and shows you how the latest security technologies can block them.
Coffee, Cocaine, and SSL Attacks
Today’s cybercriminals have borrowed a tried-and-true technique from their drug-trafficking counterparts. Hiding drugs in coffee shipments masks their scent, allowing contraband to pass right under the noses of drug-sniffing dogs without detection. It seemed like a natural distribution strategy in Colombia, the world’s number one cocaine producer, which also produces 11.5 million bags of coffee each year. Fortunately, DEA agents and Juan Valdez can breathe a little easier as better inspection technologies have evolved in recent years.
SSL attacks use a similar tactic. Attackers wrap their payloads in what looks like ordinary SSL traffic to slip them past IPS devices and firewalls: a sensor that cannot decrypt the session sees only ciphertext, so the signature that would have caught the same request over plain HTTP never fires. Once the encrypted packets are past the on-premises inspection engines, the payload inside them is delivered intact, whether its purpose is to crash a web server or to stage a man-in-the-middle attack. SSL (today TLS, though the industry still says SSL) is the most widely used cryptographic protocol for securing the privacy of web, email, and instant messaging communications, which makes it an attractive cover for attacks. In 2014, McAfee Labs detected 24 million SSL attacks, accounting for 12 percent of all network attacks. Even basic, well-known attacks gain new life when delivered over SSL connections that can’t be inspected.
Look Both Ways to Stop SSL Attacks
Given the prevalence of SSL attacks, Intel Security believes advanced SSL inspection should be a standard, fully integrated feature of IPS and firewall solutions rather than a bolt-on afterthought. Inspection must also be bi-directional, and decrypted traffic should be handed to the same inspection engines that analyze cleartext traffic, so that an attacker gains nothing by encrypting. Effectively blocking SSL attacks requires three core capabilities:
- Inbound SSL inspection of HTTPS traffic lets organizations detect abusive patterns and filter out malicious requests before they reach web servers. To decrypt inbound sessions the IPS needs the web server’s private key and certificate, and with forward-secret cipher suites (ECDHE) it must terminate the TLS session itself rather than passively decrypt a copy of the traffic. Using high-performance IPS hardware maintains system throughput while taking advantage of other top-end inspection and emulation capabilities to protect an organization’s online presence.
- Bi-directional inspection of SSL traffic at the firewall allows more in-depth analysis, protecting both clients and servers from SSL attacks. Since attackers also use SSL encryption to exfiltrate captured data, outbound SSL inspection is an essential security capability. Outbound inspection works by having the firewall act as a man-in-the-middle that re-signs server certificates with an internal CA, so every inspected client has to trust that CA, and applications that pin certificates will refuse the intercepted connection and need an explicit bypass.
- High availability and scalability are crucial given the sheer volume of SSL traffic, and decryption costs far more per flow than cleartext inspection. Even the most powerful IPS and firewall hardware must include tightly integrated load-balancing and clustering capabilities, without the need to purchase and support third-party traffic-boosting solutions.
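Whether it terminates an inbound HTTPS session or intercepts an outbound one, an inspection engine first has to identify the session, and the only thing it can read before decryption is the ClientHello: the Server Name Indication (SNI) in it names the server the client is asking for, which is what decrypt, bypass and block decisions are keyed on. The following Python is an added example written for this page, not code from Intel Security’s products or the tech brief. It builds a constructed ClientHello (no captured traffic) and parses the SNI back out, with every length field bounds-checked so a truncated or malformed record raises instead of being misread.

```python
"""Pull the Server Name Indication (SNI) out of a TLS ClientHello.

Added example for this page (not Intel Security code). The ClientHello is
the one record an IPS or firewall can read before it has decrypted
anything, so SNI is what decrypt/bypass/block policy is keyed on.
"""
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)


class _Cursor:
    """Bounds-checked reader: any take() past the end raises ValueError."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated or malformed ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def done(self):
        return self.pos >= len(self.data)


def build_client_hello(server_name=None, cipher_suites=(0x1301, 0xC02F)):
    """Assemble a minimal TLS 1.2-style ClientHello record.

    Constructed test input for the parser below, not a packet capture.
    server_name=None produces a legacy hello with no extensions block.
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(32)                                  # random (zeroed, constructed)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from a ClientHello record.

    Returns None when the bytes are not a ClientHello or carry no SNI;
    raises ValueError when a length field points past the data.
    """
    rec = _Cursor(record)
    if rec.uint(1) != TLS_HANDSHAKE:
        return None
    rec.take(2)                                 # record version, not authoritative
    hs = _Cursor(rec.take(rec.uint(2)))
    if hs.uint(1) != HS_CLIENT_HELLO:
        return None
    hello = _Cursor(hs.take(hs.uint(3)))
    hello.take(2)                               # client_version
    hello.take(32)                              # random
    hello.take(hello.uint(1))                   # session_id
    hello.take(hello.uint(2))                   # cipher_suites
    hello.take(hello.uint(1))                   # compression_methods
    if hello.done():
        return None                             # legacy hello, no extensions
    exts = _Cursor(hello.take(hello.uint(2)))
    while not exts.done():
        ext_type = exts.uint(2)
        ext = _Cursor(exts.take(exts.uint(2)))
        if ext_type != EXT_SERVER_NAME:
            continue
        names = _Cursor(ext.take(ext.uint(2)))
        while not names.done():
            name_type = names.uint(1)
            name = names.take(names.uint(2))
            if name_type == 0:                  # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("exfil.example.net")))  # exfil.example.net
    print(extract_sni(build_client_hello()))                     # None
```

In a real inspection path the record bytes come from the first TCP segment(s) of the client's connection; the parser deliberately ignores the record-layer version (clients send a legacy value there) and walks only the fields it needs, so the same code works for TLS 1.2 and TLS 1.3 hellos. A hello with no SNI, or a record that fails to parse, is itself a policy signal: a firewall that decrypts outbound traffic would normally refuse to let such a session through uninspected.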
Learn more about how bad guys hide malicious code in SSL packets—including what you can do about it. Check out the new Intel Security Tech Brief: A Thief’s Perspective on SSL Attack Methods.