Is This the Beginning of the End for Transport Layer Security Inspection Techniques?


In November 2019, the US National Security Agency (NSA) issued a Cyber Advisory, warning enterprises of a number of risks associated with Transport Layer Security Inspection (TLSI) techniques.

This practice has been growing in popularity as more and more companies choose to deploy encryption technologies in order to secure their data and comply with increasingly onerous regulations.

TLSI – also known as ‘break and inspect’ – is the process of decrypting data flows in order to scan for threats, and then re-encrypting them before they enter or leave an organization’s infrastructure. It has become a key defense for any company that uses encryption but is also concerned that encrypted traffic flows provide the perfect cover for hackers attempting to infiltrate its systems or exfiltrate its data.

Indeed, these flows have proven to be highly effective hiding places for malicious command & control (C&C) traffic. This ‘decryption approach’ is necessary because the traditional inspection devices deployed by many organizations are unable to scan encrypted traffic flows for malware.

The NSA’s new guidance may spark a change in thinking, especially as it follows similar advice from Gartner, which, in 2018, suggested the process of decrypting traffic in this way wasn’t viable due to rising costs, latency issues and privacy concerns. Here are some of the risks highlighted within the NSA’s advisory:

Proxy device mis-configurations
TLSI is performed by a proxy device, which converts the TLS session into plaintext before forwarding it to a firewall or IDS/IPS device to scan for threats. The problem highlighted by the NSA relates to when the proxy device forwards decrypted traffic to external inspection devices. Here, any misrouted traffic could result in the inadvertent exposure of sensitive data.

The TLS chain is only as strong as its weakest component
With ‘break and inspect’, a single TLS session becomes a chain of two separate connections – one between an external server and the forward proxy device, the other between the forward proxy and the TLS client that initiated the session with the external server. 

These two connections behave as a single entity when negotiating which traffic to inspect, which to let through, and which to block. The NSA identifies this as a problem because one of the two connections might employ weaker cipher suites than the other. This would cause the security of the whole session to be downgraded.
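
The weakest-link problem described above can be checked for by comparing what each leg of an inspected session actually negotiated. The following is an added example, not taken from the NSA advisory or from any proxy product; the `Leg` record, the policy floor of TLS 1.2 and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordered weakest to strongest; the value is the rank used for comparison.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Substrings of OpenSSL cipher suite names that mark a suite as weak.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

@dataclass(frozen=True)
class Leg:  # hypothetical record for one side of the proxied session
    version: str  # protocol version, as ssl.SSLSocket.version() reports it
    cipher: str   # OpenSSL cipher suite name

def leg_problems(leg, min_version="TLSv1.2"):
    """Return the policy violations for one leg (empty list if none)."""
    problems = []
    # Unknown version strings rank below everything and are flagged.
    if VERSION_RANK.get(leg.version, -1) < VERSION_RANK[min_version]:
        problems.append(f"protocol {leg.version} below {min_version}")
    if any(marker in leg.cipher for marker in WEAK_MARKERS):
        problems.append(f"weak cipher {leg.cipher}")
    # TLS 1.3 suites always use ephemeral key exchange; older ones must say so.
    if leg.version != "TLSv1.3" and not leg.cipher.startswith(("ECDHE", "DHE")):
        problems.append(f"no forward secrecy in {leg.cipher}")
    return problems

def audit_session(client_leg, server_leg):
    """Audit both legs of one inspected session.

    'masked' is True when the client-facing leg passes policy but the
    proxy-to-server leg does not: the client sees a strong connection while
    the session is only as strong as the weaker upstream leg.
    """
    c, s = leg_problems(client_leg), leg_problems(server_leg)
    return {"client": c, "server": s, "masked": not c and bool(s)}

# Constructed sample sessions (client leg, server leg); not real traffic.
SESSIONS = {
    "s1": (Leg("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
           Leg("TLSv1.3", "TLS_AES_128_GCM_SHA256")),
    "s2": (Leg("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
           Leg("TLSv1", "AES128-SHA")),
    "s3": (Leg("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
           Leg("TLSv1.2", "DES-CBC3-SHA")),
}

if __name__ == "__main__":
    for sid, (client, server) in SESSIONS.items():
        print(sid, audit_session(client, server))
```

Sessions reported as masked are the ones to act on first, since the endpoint has no way to see the weaker upstream leg.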

Automatic trust of certificates is open to abuse
The NSA also expresses concern about the certification process associated with TLSI. In essence, TLS clients are configured to automatically trust the certification authority (CA) of proxy devices; a situation that’s wide open to abuse and could be hijacked by threat actors to circumvent inspection devices.

Single point of failure attracts hackers and insiders alike
By decrypting data ready for inspection, enterprises are essentially creating a single point of failure. Instead of having to target multiple, encrypted data silos or systems, hackers can focus their efforts on exploiting the TLSI process.

This setup also makes enterprises vulnerable to insider threats. Personnel responsible for administering TLSI have the potential to access a glut of sensitive information, all in plaintext.

Breach of privacy regulations
The whole premise of ‘break and inspect’ is based on the need to decrypt encrypted data, yet much of this data will be highly sensitive and protected by the law as well as the many industry regulations that prescribe how confidential information should be treated. TLSI may force some organizations to turn a blind eye to their compliance obligations, increasing their exposure to prosecution and fines.

Multiple breaks in the chain amplify the problems
Those enterprises using multiple forward proxy devices – where traffic is decrypted, inspected and re-encrypted consecutive times – may exacerbate several of the problems listed above. For example, hackers have more soft targets to attempt to exploit, while the situation around which certificates to trust becomes even more complex.

Furthermore, this whole approach is not just compute intensive, it is unnecessary. If the first proxy is effective at weeding out malware, there should be no need for subsequent checks.

Weigh up the risks or look for new solutions
The NSA makes it clear that TLSI does have advantages. It is, after all, the only method by which traditional inspection devices can ensure an enterprise’s infrastructure is protected from encrypted malware. It also urges organizations to weigh up these benefits against TLSI’s many risks.

There is, however, an alternative way for enterprises to tackle this problem. Instead of relying on traditional anti-malware scanners that can’t support encrypted traffic, they can now utilize machine learning techniques that are able to inspect encrypted traffic without ever having to decrypt it.

These solutions work by analyzing what malware looks like at a metadata level, applying this intelligence to block further threats. As well as being a much neater and more proactive approach to malware detection, they also nullify many of the TLSI-related risks flagged up by the NSA.
