As federal agencies continue to evolve cloud infrastructures and support a work-from-anywhere workforce, they are likewise evolving security approaches.
More and more data needs to be protected as it moves between on-premises data centers, clouds, applications, and endpoints. Though encrypting traffic with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is the standard way to protect data in transit from prying eyes, encryption has itself become a threat across industries, including government, as cybercriminals embed malware inside encrypted traffic.
Attackers are now gaining leverage by sneaking malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. The 2020 State of Encrypted Attacks report from Zscaler’s ThreatLabZ shows that due to a spike in cloud-based collaboration apps, there has been a 260 percent increase in SSL-based threats in the last nine months.
With the majority of federal employees working remotely and accessing internal applications, there has also been an increase in ransomware activity and demand for ransomware payments as attackers target online systems that employees rely on to continue conducting business. The report shows that there has been a 500 percent increase since March 2020 in ransomware attacks delivered over SSL/TLS channels.
The U.S. Department of the Treasury’s Office of Foreign Assets Control recently issued an advisory to highlight the risks associated with ransomware payments. In addition, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services recently released a joint alert that shows an increase in imminent cybercrime threats to hospitals and healthcare providers specifically.
The new digital landscape has given adversaries a larger playing field to manipulate, targeting vulnerabilities in infrastructures and user profiles to demand rewards for their attack efforts. To combat this, federal agencies must be alert and ready to accommodate modern networks, mobile users, and advanced threats.
The Advanced New World of Cyber Attacks
How are adversaries using encrypted traffic against us? Today’s adversaries can create sophisticated attack chains that start with an innocent-looking phishing email containing hidden malware. If an unsuspecting user clicks, the attack moves into the malware installation phase and ultimately to the exfiltration of valuable data.
What makes these attacks so nefarious is that the hidden malware is also encrypted, which changes the file structure completely. Many security tools rely on a file’s structure (its “fingerprint”) to identify incoming threats. If a file gets a new fingerprint every time it is encrypted, it will not be recognized as a threat.
Though agencies warn employees to inspect suspicious URLs for errors or other indicators that they may not be legitimate, cybercriminals take advantage of techniques such as domain squatting and IDN homograph attacks. These techniques produce pixel-perfect replicas of popular websites that look virtually indistinguishable from the real ones. Adversaries then deliver the malware and steal login credentials and personal information from the user.
Over the past year, ransomware gangs have also added data exfiltration, stealing sensitive data before encrypting it. This tactic acts like an insurance policy for attackers: even if the victim has good backups, they will pay the ransom to avoid having their data exposed.
Walking the Tightrope: User Experience vs. Staying Secure
Traditional on-premises security tools cannot provide the performance and capacity needed to decrypt, inspect, and re-encrypt traffic in an effective manner, but inspecting encrypted traffic must be a key component of agencies’ security defenses. Eighty percent of all traffic uses SSL/TLS encryption by default, and the public sector is one of the five sectors most often targeted with ransomware attacks. How can agencies be sure to decrypt and inspect all traffic, while maintaining compliance, for all users on and off the network?
Decrypt, Detect, and Prevent Threats in SSL Traffic with a Cloud-Based Proxy Architecture
A cloud-based proxy architecture lets agencies easily scan all encrypted traffic for data exposure and threats, without extra cost or degraded performance. This allows agencies to take a more proactive approach to security, using machine learning to scan for threats in real time and actively block malware attacks.
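As an added example (not from the original article or from any vendor's product), the following Go program models the point made in both the fingerprint discussion above and this section: a tool that only hashes the wire bytes never sees the same fingerprint twice, while a proxy that holds the session key can decrypt, match against a blocklist, and re-encrypt before delivery. The payload, blocklist, and key are constructed, and AES-GCM stands in for the TLS record layer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SamplePayload is a constructed stand-in for a file with a known-bad signature (not real malware).
var SamplePayload = []byte("CONSTRUCTED SAMPLE: stands in for a known-bad file")
// Fingerprint is the SHA-256 digest a signature-based tool matches against its blocklist.
func Fingerprint(b []byte) [sha256.Size]byte { return sha256.Sum256(b) }

// NewSession builds AES-256-GCM; the key stands in for the TLS session key a terminating proxy holds.
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under a fresh random nonce (prepended), so the same file has a new fingerprint on every connection.
func Seal(s cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, plaintext, nil), nil
}

// Inspect is the decrypt-inspect-re-encrypt proxy; hashing wire bytes (blocklist[Fingerprint(wire)]) never matches.
func Inspect(s cipher.AEAD, blocklist map[[sha256.Size]byte]bool, wire []byte) (blocked bool, forwarded []byte, err error) {
	n := s.NonceSize()
	if len(wire) < n {
		return false, nil, errors.New("wire too short") // reject rather than panic on truncated input
	}
	plain, err := s.Open(nil, wire[:n], wire[n:], nil) // decrypt (also detects tampering)
	if err != nil {
		return false, nil, err
	}
	if blocklist[Fingerprint(plain)] {
		return true, nil, nil // dropped before delivery: the intended "patient zero" never receives it
	}
	forwarded, err = Seal(s, plain) // re-encrypt with a fresh nonce before forwarding
	return false, forwarded, err
}
```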
Isolate Unknown Attacks with AI; Prevent Patient Zero Malware
Today’s ransomware attacks are uniquely crafted for each target, so any agency could become the “patient zero” for a new piece of malware. Agencies need to take a cloud-delivered platform sandbox approach with AI-driven quarantine that stops zero-day threats. This allows security teams to hold and analyze unknown inbound files before delivery, a vast improvement over traditional sandbox “pass-through” approaches that allow the file to reach its target and cause potential harm.
Besides performing consistent SSL inspection on all traffic, a cloud-delivered platform ensures that agencies can scale SSL inspection without capacity limitations.
Provide Consistent, Secure Access for All Users, Anywhere with Secure Access Service Edge (SASE)
Whether federal employees continue to work from home, at headquarters, in the field, or on the go, they need consistent security and access to applications and data across their IT environment. The SASE framework moves essential security functions, such as web gateways, firewalls, zero-trust capabilities, data-loss prevention, and secure network connectivity, to the cloud. SASE also ensures optimal bandwidth and low latency by connecting users directly to cloud applications and services while pushing security as close to the user or system as possible. This model provides a consistent experience no matter where the user is located.
Reduce Your Attack Surface with Zero Trust
Zero trust means an organization does not inherently trust any user. Trust must be continually assessed and granted in a granular fashion. This allows agencies to create policies that provide secure access for users connecting from any device, in any location.
Traditional firewalls publish an organization’s applications on the internet, making them discoverable by adversaries. Zero trust, by contrast, makes apps invisible and accessible only to authorized users, creating a zero attack surface.
Zero trust also never places users on the network. Cybercriminals cannot attack IP addresses or IDs they cannot see, keeping devices and users safe.
Protecting Government in the Era of Encrypted Attacks
To combat ransomware and other attacks delivered through encrypted channels, agencies should adopt a cloud-native, proxy-based architecture. A cloud-based security platform meets the demands of decryption and inspection by elastically scaling computing resources and providing consistent policy enforcement across multiple locations.
Agencies should ensure that SSL inspection at scale is part of their platform of services so that as traffic increases, capacity is added instantly. As encrypted traffic expands, inspecting that traffic must be a top priority.
A multilayered defense-in-depth strategy that fully supports SSL inspection will be essential for all agencies to ensure that their enterprises are protected from escalating threats hiding in encrypted traffic.