The Dark Side of TLS Encryption

Cybercriminals are known for using seemingly useful and harmless tools against unsuspecting organizations, and they’ve done it again. According to a new report by Sophos, 46% of malware communicating with a remote system over the internet was found to be using TLS encryption to conceal communications and evade detection. This is a staggering percentage, considering that just last year that number was only 23%.

In the wake of revelations about mass Internet surveillance, the use of TLS (Transport Layer Security) has grown because of the privacy and security it affords for a wide variety of internet communications. In fact, according to browser data from Google, the use of HTTPS has grown from just over 40% of all web page visits in 2014 to 98% in March. Cybercriminals have caught onto these benefits as a result, and now malware operators are also adopting TLS to prevent defenders from detecting and stopping the deployment of malware and theft of data.

Behind the Increase in TLS Encrypted Malware

A large portion of the growth in overall TLS encryption use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware. It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.

Sophos researchers also documented an increase in the use of TLS in ransomware attacks over the past year, especially in manually deployed ransomware—in part because of attackers’ use of modular offensive tools that leverage HTTPS. But the vast majority of what researchers detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages.

All of this adds up to a more than 100% increase in TLS-based malware communications since 2020. And that’s a conservative estimate, as it’s based solely on what Sophos researchers identified through telemetry analysis and host data. As a result, defending against malware attacks has become just that much more difficult. Without a defense in depth approach, organizations are increasingly less likely to detect potential threats before they have been deployed by the attackers.

Network Security Opportunities for Channel Partners

With cyberattacks constantly happening, businesses of all types and sizes must be able to detect and stop attacks. However, they need to be able to focus on doing what they do best–and have a partner they can trust to provide advanced, next-gen protection.

Sophos Firewall and the new XGS Series appliances deliver the speed and protection that channel partners need to secure their customers. For network admins, this completely re-engineered hardware platform finally takes a common dilemma off the table: how to scale up protection for today’s highly diverse, distributed and encrypted networks without throttling network performance.

Sophos Firewall includes native support for TLS 1.3 and provides a user interface that clearly shows if traffic has caused issues and how many users were affected. With just a couple of clicks, you can exclude problematic sites and applications without reverting to a less-than-adequate level of protection. Sophos Firewall is also easily managed on the cloud-based Sophos Central platform, saving channel partners time and resources with the ability to easily manage multiple firewalls and different solutions from one single pane of glass.

With so many organizations still not understanding what technologies are needed to protect against exploits, ransomware and encrypted traffic, channel partners now need to become critical security advisers and service providers to their customers. Together with Sophos and solutions like Sophos Firewall, partners have a significant opportunity to grow their own security knowledge and network security revenue, while also improving their customers’ protection.

This guest blog is part of a Channel Futures sponsorship.