SSL/TLS-based data security threats are on the rise

Register now

Once seen as the ultimate protection for data being transmitted over the internet, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) have become the ultimate playground for cybercriminals.

Zscaler ThreatLabZ, the research organization I lead at Zscaler, analyzed the encrypted traffic traversing the Zscaler cloud in the second half of 2018 and prepared a report of our findings. The Zscaler cloud is a globally distributed, purpose-built architecture that delivers a platform of security services to Zscaler’s enterprise customers around the world.

Each time a user at one of our customers connects to an internet property or cloud application, it is a transaction, and our cloud processes more than 60 billion transactions a day. With this volume, our cloud provides valuable insight into traffic patterns and the types of threats organizations are facing globally.

We already knew that the use of encryption had been rising each year and our research showed this trend continuing. By December 2018, the amount of SSL-encrypted traffic on the Zscaler cloud increased by 10 percent to nearly 80 percent of all traffic. This growth rate coincides with that of the Google Transparency Report and Mozilla’s findings for the Firefox browser.

As the use of SSL grows, cybercriminals are increasingly using encryption to conceal and launch attacks. In the second half of 2018, the Zscaler cloud blocked 1.7 billion threats hidden in SSL traffic, which translates to an average of 283 million advanced threats blocked per month. What’s particularly startling about this number is that most organizations are unable to decrypt and scan all their SSL traffic due to the expense and performance implications, so they rely on less-effective techniques, such as IP and domain blocking, or simply let it go uninspected.

The top threats we blocked included phishing attempts, malicious content, botnets, and browser exploits. Specifically, the Zscaler cloud blocked 2.7 million phishing attacks over encrypted channels per month—an increase of more than 400 percent over 2017. We blocked 196 million instances of malicious content, including compromised websites, malicious redirect scripts, and malvertising attempts. On average, we blocked 32 million botnet callback attempts per month—the top five most active were banking Trojans. And we blocked an average of 240,000 browser exploitation attempts per month, which spiked 50 percent in December, just in time for the holidays.

One of the reasons that SSL-based threats have increased so dramatically is because SSL/TLS certificates, which were once expensive and difficult to obtain, are now easy to get—at no charge. The vast majority of the certificates involved in security blocks in the Zscaler cloud were issued by Let’s Encrypt, a free service.

Furthermore, nearly 32 percent of newly registered domains that use SSL encryption were blocked by our cloud. Newly registered domains are considered risky, as cybercriminals often create a new fake domain for each new attack. As such, malicious domains tend to be short-lived. We recommend blocking attempts to access newly registered domains (our cloud blocks these attempts automatically).

While the percentage of growth in SSL traffic is slowing as it reaches near totality, the threat trends are increasing in both frequency and sophistication. Cybercriminals know that most organizations are unable to inspect SSL traffic at scale. So, with malicious websites that can be built in no time and free SSL certificates, they’re launching attacks that have a good chance of going undetected.

Organizations should be inspecting all encrypted traffic, even from CDNs and trusted sites, because many of the threats we continue to block are from legitimate sites that have been compromised. Organizations that don’t inspect all traffic are at risk of infiltration that can be difficult to remediate, lead to costly breaches, or damage their reputation.

For reprint and licensing requests for this article, click here.