Encryption, Endpoint/Device Security, Malware

Vast majority of malware arrives over encrypted connections

Vlad Lapich, with tech startup company Fast, works on his computer on the first day back in the office on March 24, 2021, in San Francisco. (Photo by Justin Sullivan/Getty Images)

A new report from WatchGuard Technologies released on Thursday found that 91.5% of malware has been arriving over HTTPS-encrypted connections, making security researchers say that organizations not examining encrypted HTTPS traffic at the perimeter may miss some 90% of all malware.

The study also found that in the first six months of 2021, malware detections originating from scripting engines like PowerShell have already reached 80% of last year’s total script-initiated attack volume. At its present rate, fileless malware detections are on track to double in volume year-over-year. WatchGuard also reported that network attacks rose 22% over the previous quarter and have reached the highest volume since early 2018.

Enterprises can’t take encrypted traffic for granted, said Saryu Nayyar, CEO at Gurucul, who added that while it may not be possible to identify the payload, it’s possible for machine-learning models to identify dubious payloads in real-time and flag them for further investigation. Nayyar said we can consider this one of the true values of cybersecurity analytics, enabling enterprises to understand and better adapt to anomalous network traffic.

“It’s not surprising that malware is starting to be spread as encrypted payloads,” Nayyar said. “It’s not difficult to encrypt network traffic, and users certainly can’t tell the difference.”

Taylor Gulley, senior application security consultant at nVisium, said with the world moving toward secure communications, it makes sense that malware distributors will also use those tools. There’s also a rising desire for companies to monitor those communications, particularly where it concerns network traffic to and from their employees so they can catch malicious traffic early, Gulley explained.

“This requirement to monitor encrypted traffic for threats creates a dilemma where one must determine if the benefits outweigh the risks of such measures,” Gulley said. “While being a man-in-the-middle is a frequently sought position for an attacker, when a company attains the same position, similar risks present themselves.”

Nasser Fattah, senior adviser at Shared Assessments, said cybercriminals are now taking advantage of encryption channels — which obscure visibility — to deliver malware. 

“This is comparable to a letter bomb to the naked eye — where one does not know the damage until the letter is opened,” Fattah said. “It underscores the importance of ensuring visibility into what is coming through via encrypted channel to best mitigate malware as early as possible.”  

On the issue of fileless attacks or malware using PowerShell, Robert Boudreaux, field CTO at Deep Instinct, said this normally operates as an endpoint process that tries to run code in an encrypted or hidden format. “Security teams can protect this by using many endpoint solutions today through fileless protections or scripting control measures,” Boudreaux said.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.