Two thirds of malware is invisible without HTTPS inspection

SeriousHoax

Level 41
Thread author
Verified
Top poster
Well-known
Mar 16, 2019
3,090
A new report from WatchGuard Technologies shows that 67 percent of all malware in the first quarter of this year was delivered via HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will miss two-thirds of incoming threats.

In addition, 72 percent of encrypted malware was classified as zero day (meaning no antivirus signature exists for it, and it will evade signature-based protections). The findings suggest that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization.
Read the full article here
 

ForgottenSeer 85179

This doesn't mean that encryption should be inspected. This would only reduce overall security and should be a no-go.
At least for the normal end user; company workers get other/higher security anyway, so that doesn't matter either.
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
772
Yeah, the article is really speaking from the perspective of a business operation trying to use a UTM or L3 firewall to scan network traffic on behalf of its customers.
If you have endpoint security, said encrypted malware still has to be decrypted somewhere on your host and at that point, a memory or file or AMSI scanner should pick it up.
Plus, as the article mentioned, behavior blocking is another good strategy.


Malware is simply being lazy if HTTPS is enough to hide it. For any obscurity HTTPS provides, malware can simply be rewritten to encrypt or obfuscate its payload, and then it’s hopeless to scan a network stream again.

Remember too, if you are in the USA, using gateway/router-level SSL interception can be a HIPAA violation, so you have to carefully whitelist healthcare-related services, etc. It’s just a pain. I think the real takeaway is you can no longer just place a device on your network and have it replace endpoint security.
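An added illustration of the endpoint-versus-gateway point above (example code written for this thread, not from the article, WatchGuard, or any product): the same signature lookup is run once over the wire bytes a gateway without HTTPS inspection would see, and once after the endpoint's TLS stack has decrypted the response. The XOR stand-in for TLS and the HTTP bodies are constructed for the demo; the EICAR test string stands in for a real signature.

```python
import os
from typing import Dict, Optional

# Constructed signature list. The EICAR test string is the harmless,
# industry-standard "known malware" sample; it stands in for a real signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


def signature_scan(data: bytes) -> Optional[str]:
    """Byte-pattern lookup of the kind a gateway UTM or a file scanner performs."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def tls_stand_in(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record encryption (real TLS uses AES-GCM etc.): XOR with a
    one-time random key of the same length. Applying it twice recovers the data."""
    return bytes(b ^ k for b, k in zip(data, key))


def gateway_scan(wire_bytes: bytes) -> Optional[str]:
    """Gateway or L3 firewall without HTTPS inspection: sees only ciphertext."""
    return signature_scan(wire_bytes)


def endpoint_scan(wire_bytes: bytes, session_key: bytes) -> Optional[str]:
    """Endpoint scanner hooked after the browser's TLS stack has decrypted the body."""
    return signature_scan(tls_stand_in(wire_bytes, session_key))


def demo() -> Dict[str, Optional[str]]:
    # Constructed HTTPS response carrying the known sample.
    body = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + EICAR
    key = os.urandom(len(body))
    wire = tls_stand_in(body, key)
    # Constructed "zero-day" sample: no signature exists for it, so even the
    # endpoint's signature scan misses it (the article's 72 percent case).
    unknown = b"HTTP/1.1 200 OK\r\n\r\nCONSTRUCTED-SAMPLE-WITHOUT-ANY-SIGNATURE"
    key2 = os.urandom(len(unknown))
    return {
        "gateway_known": gateway_scan(wire),
        "endpoint_known": endpoint_scan(wire, key),
        "endpoint_unknown": endpoint_scan(tls_stand_in(unknown, key2), key2),
    }
```

The third result is why the thread keeps coming back to behaviour blocking: once a sample has no signature, decrypting it at the endpoint is necessary but not sufficient.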
 

SeriousHoax

Level 41
Thread author
Verified
Top poster
Well-known
Mar 16, 2019
3,090
Yeah, the article is really speaking from the perspective of a business operation trying to use a UTM or L3 firewall to scan network traffic on behalf of its customers.
If you have endpoint security, said encrypted malware still has to be decrypted somewhere on your host and at that point, a memory or file or AMSI scanner should pick it up.
Plus, as the article mentioned, behavior blocking is another good strategy.


Malware is simply being lazy if HTTPS is enough to hide it. For any obscurity HTTPS provides, malware can simply be rewritten to encrypt or obfuscate its payload, and then it’s hopeless to scan a network stream again.

Remember too, if you are in the USA, using gateway/router-level SSL interception can be a HIPAA violation, so you have to carefully whitelist healthcare-related services, etc. It’s just a pain. I think the real takeaway is you can no longer just place a device on your network and have it replace endpoint security.
Btw, what's your opinion about legit pages getting compromised? Without HTTPS inspection, something like malicious scripts can cause damage like stealing users' credentials and so on. Can those be detected by other forms? Can those be detected and blocked by browser extensions to some extent?
 

Nagisa

Level 7
Verified
Jul 19, 2018
341
Looks like people will have to rethink turning off HTTPS traffic inspection in security software...

It says a big portion of the malware spreading over secured connections is not detected by signatures. It means your HTTPS scanning module won't work anyway, right?

Also, I wonder if it is possible to get infected while the web shield is disabled in the security software. Should the executed malware get detected by the memory scanning of an AV?
 

Arequire

Level 28
Verified
Top poster
Content Creator
Feb 10, 2017
1,700
Without HTTPS inspection, something like malicious scripts can cause damage like stealing users' credentials and so on. Can those be detected by other forms? Can those be detected and blocked by browser extensions to some extent?
Webpages the malicious scripts are active on can be blocked by extensions, but they can't block just the script itself while leaving the page functional like HTTPS interception can.
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
772
Btw, what's your opinion about legit pages getting compromised? Without HTTPS inspection, something like malicious scripts can cause damage like stealing users' credentials and so on. Can those be detected by other forms? Can those be detected and blocked by browser extensions to some extent?
I think the right answer for that is either a browser extension scans it or the browser itself provides AMSI scan points for network resources the browser downloads.
But in that case, are you concerned about malicious scripts scraping contents within the web browser or breaking out of the web browser?

The former, I guess; I’ve never had confidence in an AV being able to catch that. There are simply so many ways for JavaScript to be obfuscated that it seems like this would be difficult to scan for. Not saying it isn’t an important problem, I just worry it’s not one that the traditional definition of AV software and browser extensions can provide good protection for.