Exclusives Featured Tech Field Day Events

Unmasking Bad Actors with Gigamon

The future of traffic is secure. We’ve seen a huge shift from merely having SSL-enabled sites for login purposes to the new normal of always-SSL sites for every thing you do. That shift toward automatic security has helped build a trusted platform for users to feel secure at all times and decreased the vulnerability that they feel when filling in forms or typing their credit card info in for an order.

But what happens when the bad guys start using the same security we enjoy to hide their nefarious intent?

Behind The Mask

At Networking Field Day 15, Gigamon had a great presentation where they discussed the idea that a growing segment of network traffic is encrypted malware:


At first, even the people around the table can’t believe it’s so low. I couldn’t believe it either. I think that 33% is a low number of sure, but I also think that recognizes the challenges of getting illegitimate software authorized by legitimate means.

We’ve already seen breaches of certificate authorities like Comodo and Symantec. Rather than doing the due diligence necessary to prove that the person requesting the certificate was valid, they simply rubber-stamped the approval process and took the money. And the malware writers are doing even more creative things like signing the payloads with multiple valid certificates to avoid being detected.

This leads me to think that we’re only really starting to see the beginning of secure malware. Once the writers figure out how to sign these payloads and slip them into a packet stream you’re going to see even more issues with detection. SSL is great for keeping your credit card numbers secure when buying from Amazon. But that same security obfuscates the payload of a malicious program that’s being scanned by your network defenses.

Removing the Cowl

Gigamon outlined how they are using their technology to crack the packet flows and decrypt them to analyze their payloads. Their inline solution gives organizations the capability to intercept SSL traffic and perform decryption and analysis. That means that one platform can provide the visibility you need across a wide breadth of sensors, like intrusion protection, firewalls, and even encrypted server-to-server communications. That reduces the attack surface for intruders trying to compromise your infrastructure looking for the keys to decrypt all of your traffic. One central location is much easier to secure than decryption protocols across multiple disparate systems.

Additionally, the Gigamon SSL Decryption solution can detect SSL communications per application even when they aren’t using port 443. This is huge for those malware applications that try to create a normal communications channel to start the session and then switch to SSL when it’s time to transmit the data that will get them detected. But having a solution that can find the encrypted packets and deal with them in real time, you reduce the likelihood that anything bad is going to slip through the cracks and ensure that you will find the bad actors before they compromise your security infrastructure.

The Slippery Slope

A lot of the discussion around tools like Gigamon’s SSL Decryption deal with the fact that we’re essentially performing an attack against the traffic. By inserting a device in the middle of the data stream that decrypts and reeccrypts the data, we’re performing a classic man-in-the-middle (MITM) attack. There are more than a few security professionals that are wary of giving a solution that much power. Even the most technologically illiterate user would be cautious when they found out that their secure bank transaction had something in the middle listening to the packet flow.

However, we have to look at the benefits of this solution when placed against the potential risks. By having a MITM performing traffic analysis, you can catch the bad programs before they hurt your users. Yes, there is a risk. However, it’s a manageable risk for security professionals. There are also challenges with getting the Gigamon certificates loaded to guest devices and IoT infrastructure like smart thermostats and other devices that don’t allow for much user interaction. But, like most email scanning systems and data loss prevention (DLP) devices, you need to be able to see what’s going on in the network to stop the things that shouldn’t be happening. Creating and maintaining a solution with a very narrow focus is the key to ensuring security across your organization from threats both current and in the future.

Putting It All Together

I’ll admit that I find myself going back and forth on the SSL decryption argument. I like my privacy. But I also know that the average user is going to fall for a spearphishing attack at some point. Multiply that by the number of users in your organization and you see the potential for disaster. Now, imagine that disaster comes cloaked behind SSL and is untraceable by your current protection mechanisms. I’ve already had to fight the filtering of Facebook in a school when SSL-always was enabled. Knowing there’s a solution that can give me visibility gives me hope that we can stem the tide of encrypted malware before it becomes a flood. We just have to temper our new found power with heaps of responsibility.

About the author

Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day.  His blog can be found at https://networkingnerd.net/

1 Comment

Leave a Comment