Sometimes it feels terrible to be right. In our recent Global Application & Network Security Report we predicted an increase in complex encrypted attack vectors and the importance of putting in place adequate defenses that can scale and inspect encrypted traffic. Just last week, we got a vivid example of the increasing threat posed by encrypted attack vectors. A high profile attack occurred with an organization that had both a combination of on-premises and cloud-based DDoS protection, yet the organization’s site still went down, in large part because the attack “hid” from detection by the cloud-based resources by using encryption.
The clear and unfortunate reality is that attackers are on to the impact they can have by encrypting their attacks. Organizations looking at cloud-only solutions need to be aware of this growing trend and factor this into their thinking on what ultimately is the best solution for complete protection.
Why are attackers increasing their use of encrypted attacks? There are two main reasons. First, the encryption of the traffic allows the attack to evade detection by an unfortunate percentage of the DDoS protection products and services on the market. Many of those that do claim to provide protection from encrypted attacks suffer significant performance degradation when hit with encrypted traffic, meaning that to build a suitable solution with these technologies would require over-provisioning and buying extra gear to compensate from the performance drop. The other reason we’re seeing more attackers turn to encrypted attack vectors is they understand that encrypted traffic puts an extra burden on all the computing resources within the application stack. As a result, they can generate “successful” attacks with a much lower level of total traffic when it is encrypted.
There are two clear factors challenging protection in the cloud against an attack like this. First is the ability of most cloud-based resources to inspect encrypted traffic. In most cases, this capability is severely limited because most providers require sharing of private keys for the certificate of the protected server. Most organizations balk at this and in so doing the (typically unknowingly) pass on protection from encrypted attacks. Without the ability to decrypt the traffic, most cloud providers simply pass encrypted traffic along to the protected server.
This doesn’t have to be the case. Radware’s encrypted attack solution allows any certificate issued by the organization to manage the traffic decryption to identify attack traffic and isolate it for mitigation.
Second, this attack highlighted that even within the category of encrypted attacks, there is considerable innovation and creativity being employed by attackers. SSL attack detection and mitigation solutions that do not use challenge-and-response capabilities to more accurately differentiate between legitimate users and bots will leave customers exposed. Detection of only known attack patterns for encrypted attack vectors means that all encrypted attacks that do not fit predefined attack profiles will be passed along to the target server, and more likely than not, will result in an outage.
The fact that the organization that was the target of last week’s attack did have both on-premise and cloud-based protection yet still went down also highlights the importance of single-vendor hybrid solutions. The use of separate technologies on-premises and in the cloud creates a number of complicating factors for effective protection. Chief among them is the common lack of coordination when dealing with attacks. It’s an easy decision when you see attack traffic coming into your environment to swing all traffic to a cloud-based scrubbing resource, hoping they can clean the traffic. But the lack of visibility into the full nature of the attack and the inability to inspect encrypted traffic flows in this case resulted in the cloud scrubbing provider to return enough of that traffic to the target assets to take them down.
It’s customary for us to make a number of predictions in our annual report on the threat landscape. At the end of the year when we go back and look at which ones came to fruition, it’s with a mixed set of emotions… it’s nice to know when we’ve provided solid advice to the industry but also disappointing to see that as a community we have not successfully progressed our ability to protect from that which we saw coming. Here’s hoping more organizations learn from last week’s attack and heed the warnings on the growing threat of encrypted attacks.