Encryption is a focal point of modern security architecture: encrypting sensitive information both at rest and in transit benefits security-conscious organizations by greatly increasing the difficulty of gaining access to that information.
Encryption Improves Security
Encryption offers many security benefits, securing the transmission of data for both external and internal network traffic, and it is gaining wider adoption in general. According to the Google Transparency Report, 95% of internet traffic is HTTPS. HTTPS stands for Hypertext Transfer Protocol Secure; the "secure" part refers to the use of an encapsulating encryption protocol, typically TLS. Encryption is important for securing sensitive communications such as financial transactions across the internet, and it is increasingly important for securing credentials, ensuring regulatory compliance, and enabling Zero Trust security models across the enterprise.
TLS is an encryption technology that establishes a trusted connection between a web server and a client. TLS can be thought of as a tunnel with traffic flowing through it. Only the server and client can see the traffic inside that tunnel, because only those two devices hold the shared session key (essentially, a lock and key pair). For example, an adversary that intercepts HTTPS traffic cannot view the content of the HTTP traffic inside it, which might contain passwords, credit card numbers, or other sensitive information, because the adversary doesn't have the session key.
TLS is used to encrypt a wide range of protocols, including HTTP, and is used for traffic that traverses the internet as well as internal enterprise traffic. For example, LDAP is an authentication protocol that shuttles user credentials between a Windows domain controller and network devices. One recommendation is to implement LDAPS, which is LDAP traffic secured within a TLS connection.
Active Directory & Kerberos Encryption
In Microsoft Active Directory (AD) environments, Kerberos and NTLM are the protocols that provide user validation and authentication mechanisms. Kerberos implements its own encryption mechanism, and both NTLM and Kerberos can, and should, be configured to leverage TLS as a means of ensuring the security of data as it traverses the network. Without such protection, user credentials and authentication tickets sent across the network are vulnerable to eavesdropping attackers. AD services (from printers to production servers) rely on these protocols to authenticate and authorize users, meaning that most connections between AD-joined clients and servers in modern Windows networks should be encrypted.
Decryption Can Improve Security Too
In general, encrypting traffic helps improve network security. So how does decrypting traffic also improve network security?
To answer this question, let's consider the perspective of an adversary. Their goals are to compromise targets and move laterally across the network while avoiding detection. Encrypting their connections to victims means that they can hide their malicious activity from a variety of technologies such as firewalls, intrusion detection systems (IDS), and proxy devices. Furthermore, adversaries often work with applications and tools already available on their victims' machines, using established encryption technologies to make secure connections from compromised devices to new targets.
With encryption, network defenders can be at least partially, if not entirely, blind to some of these attacks:
- Vulnerability exploits, such as SQL injection (SQLi), cross-site scripting (XSS), and exploitation of published CVEs. These attacks often rely on malicious HTTP payloads or headers, which can be concealed within an encrypted connection.
- Command-and-control traffic. A compromised device might communicate with an external attacker-controlled server through an encrypted connection. This type of malicious traffic might contain exfiltrated data, malware, or malicious commands.
- Database attacks. Adversaries that launch attacks on databases can hide their malicious database queries within encrypted communications.
- Stolen or forged Kerberos tickets. Adversaries with stolen administrative or service credentials can forge Kerberos tickets, which serve as authorization mechanisms within the AD environment. For example, a golden ticket is a forged ticket providing domain-level administrator rights to domain resources.
- Living-off-the-land attacks. Inside the network, an adversary uses the same tools that Windows administrators use to make changes to Windows devices. In environments where encryption has been fully implemented, attackers can leverage these tools with virtual impunity, because the traffic is unreadable to administrators.
True network traffic analysis for enterprises requires the ability to decrypt approved traffic for analysis. Decrypting traffic also empowers network defenders to collect forensic evidence that helps with investigations into suspicious behavior.
How Secure Decryption Is Done
Decrypting network communications helps you confidently detect and respond to many common threat behaviors. Some network detection and response (NDR) products have no visibility into database traffic or the encrypted portion of Kerberos, MS-RPC, and other Microsoft protocols.
ExtraHop Reveal(x) network detection and response includes secure decryption methodologies that provide visibility into an array of protocols:
- Web: HTTPS, HTTP/2
- Database: PostgreSQL, MySQL, TDS (Microsoft SQL Server), TNS (Oracle DB)
- Email: SMTPS, SMTP with STARTTLS
- Directory services: LDAPS, Microsoft-encrypted LDAP
- Remote management: RDP, MS-RPC, and LDAP
- File sharing: FTPS
- Voice over IP: SIP-over-TLS
- SSL/TLS: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
You can configure Reveal(x) to securely, temporarily retain keys that decrypt approved network traffic for analysis. With these keys, Reveal(x) can inspect traffic for indicators of compromise or suspicious behaviors.
- SSL/TLS Decryption. You can configure Reveal(x) to decrypt SSL/TLS traffic based on the cipher suite (among those supported) that secures the network connection.
- AD Decryption. You can configure Reveal(x) with an Administrator account that synchronizes decryption keys for all user and service principals on an AD domain. Reveal(x) can then decrypt and parse traffic for protocols such as Kerberos, LDAP, and MS-RPC, as well as detect dangerous Kerberos attack techniques such as golden and silver tickets.
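Whether a passive monitor can decrypt a TLS session with a retained server private key depends on the negotiated cipher suite: only RSA key exchange allows that, while (EC)DHE suites and every TLS 1.3 suite require the per-session keys instead. The following added example (not ExtraHop's code, and not how Reveal(x) is implemented) parses a ServerHello record and classifies the connection that way; the cipher suite table is assumed to be a small subset of the IANA registry, and the sample records are constructed, not captured.

```python
import struct

# Cipher suite code points (IANA TLS Cipher Suite registry subset) -> (name, key exchange)
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ECDHE/DHE (TLS 1.3)"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "ECDHE/DHE (TLS 1.3)"),
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello: report the negotiated version and
    cipher suite, and whether a monitor holding only the server's private key could
    decrypt the session (true only for RSA key exchange; anything else needs session keys)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    pos = 4                                      # handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2   # legacy_version
    pos += 32                                    # server random
    pos += 1 + hs[pos]                           # session_id length + session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 1                                     # compression method
    if pos < len(hs):                            # optional extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if etype == 0x002B and elen == 2:    # supported_versions carries the real TLS 1.3 version
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    name, kx = SUITES.get(suite, ("unknown", "unknown"))
    return {"version": version, "suite": name, "kx": kx,
            "decryptable_with_server_key": kx == "RSA"}

def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record for demonstration (constructed, not a real capture)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if tls13:                                    # TLS 1.3 signals itself via supported_versions
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    for rec in (build_server_hello(0x009C), build_server_hello(0x1301, tls13=True)):
        print(parse_server_hello(rec))
```

Running it over real captures shows which sessions a server-key-based decryption policy can cover and which need session keys forwarded from the endpoints.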
Always Be Prepared for the Next Attack
The recent attack on the Windows Print Spooler service, referred to as PrintNightmare, illustrated the challenges that encryption poses to network defenders. This zero-day vulnerability enabled adversaries to leverage Microsoft remote procedure call (MS-RPC) functions that installed a malicious payload, rather than a benign printer driver file, on victim machines. In modern Microsoft environments, the malicious payload can be concealed from network defenders within an encrypted connection. Reveal(x) gives defenders the ability to decrypt MS-RPC, Kerberos, NTLM, and TLS protocols and fully parse over 75 protocols, allowing for more in-depth analysis and the creation of forensic-level metadata for the most commonly used network protocols.
Without decryption, adversaries have an advantage. Implementing secure decryption with Reveal(x) helps you stay prepared and ready to prevent the next nightmare.