Innovation is central to cyberattackers' success, as proven by groundbreaking attacks in recent years, including those affecting SolarWinds, Kaseya, and Colonial Pipeline. Especially concerning is the fact that today's advanced attacks have become harder to detect because adversaries use encrypted protocols to hide their tracks. Today, cyberattackers use encrypted protocols to perpetrate advanced tactics like living-off-the-land and golden ticket attacks in 60% of the most exploited vulnerabilities—rendering defenders blind to increasingly pervasive threats like ransomware.
To successfully defend against advanced attacks, it's imperative that security innovation matches the speed and scale of the adversary. That's why ExtraHop Reveal(x) 360 is honored to have received the 2022 Silver Edison Award for Cybersecurity under the Innovative Services category. Reveal(x) 360 was recognized for its strategic decryption capabilities that enable security teams to analyze traffic in encrypted protocols.
According to the Edison Awards, "The Gold, Silver and Bronze Winners are chosen as the 'best of the best' within their respective categories by some of the world's top senior business executives, designers, academics and innovation leaders." Subcategories for the Edison Awards "reflect the emerging innovations of each year." The inclusion of cybersecurity as a subcategory shows not only the need for security innovation but also the increasingly important role that cyberdefense plays in today's business strategy.
How Strategic Decryption Works
Encrypted protocols, including TLS 1.3 and the Microsoft protocols SMBv3, Active Directory Kerberos, MS-RPC, NTLM, LDAP, and WinRM, protect sensitive information. While encryption is critical for security, it also makes network traffic less visible, and attackers have found ways to exploit encrypted blind spots to hide their activities. The Edison Award-winning technology behind ExtraHop Reveal(x) 360 uses strategic decryption to securely eliminate those blind spots, which allows organizations to detect and investigate malicious activity before it results in a full-scale breach.
In technical terms, strategic decryption works by using a stream processor to mirror and decrypt traffic out-of-band, at line rate—decrypting up to 64k transactions per second using 2048-bit keys. In other words, ExtraHop Reveal(x) decrypts traffic at the same speed at which it moves across the network, in a way that can't be accessed by attackers and without dedicated decryption appliances.
The platform then uses machine learning to analyze encrypted and cleartext traffic for anomalies—up to petabytes per day—which allows security teams to accurately detect malicious activity such as command and control (C&C), SQL injection (SQLi), and NTLM relay attacks, all tactics that have become increasingly popular among advanced threats, including ransomware.
How Security Teams are Using Secure Decryption
Dr. Brian Gardner, CISO at the City of Dallas, explains the challenge by calling encrypted traffic "a little bit of a double-edged sword." Dr. Gardner adds, "The bad guys have figured this out: If we encrypt traffic, we lose visibility. Therefore I now have a new attack vector. Having visibility across encrypted traffic is super critical to being able to see whether it's anomalous or not."
"A real differentiator between ExtraHop and the other players that we looked at is the ability to un-encrypt traffic to have that visibility into it." Dr. Gardner and his team at the City of Dallas rely on this innovation to gain visibility into network blind spots caused by encryption.
For the city, the work of protecting critical services from potential attacks is ongoing. "Incident response is an everyday activity," says Samson Tasso, senior security analyst at the City of Dallas—but the ability to decrypt traffic offers him the insight he needs to get to the root of an investigation fast. "ExtraHop helps us understand the scope of the incidents down to the details: IP addresses, the protocols they use, the device name, and the users. Those details are the tools that help us know how we need to address an incident and understand what exactly happened."
For security teams like the one at the City of Dallas, emerging innovations in cybersecurity mean being able to keep pace with today's advanced threats—many of which have the resources of nation-state adversaries at their disposal. By developing novel defenses to match and exceed an attacker's own innovation, pervasive threats like ransomware and nation-state adversaries become a little less threatening.