Reply to post: Decryption

Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services

Anonymous Coward


TBH that's been the case for quite some time; it's hardly a revelation from Sophos here.

Any serious intrusion has been using SSL traffic for C2 for a long old time.

The reasons are twofold:

1) it's encrypted (like duh!)

2) Your network already chucks out so much SSL that they hide in the background noise.

So you could always use something clever to decrypt and inspect at your edge, assuming that in 2021 you actually still have a physical edge now that your workforce is working from home.

Assuming you have a physical edge, all you need to do is to deploy forward trust certs to all of your endpoints so the magic box can inspect the traffic.... at this point in any complex environment you then need to start building an exception list for decryption or everything breaks.... shortly after this you'll probably look for a low beam and a length of rope.

Your mileage may vary, but in a large complex environment....

You could always use ETDR solutions rather than network intercept; it might be easier these days. Just make sure you buy the correct vendor's one, or you'll discover a large chunk of your platforms aren't supported either...
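The "hiding in the background noise" point above is about volume, not invisibility: even without decrypting anything, connection metadata still exposes the one thing most C2 channels cannot avoid, which is talking back on a schedule. The following is an added example, not code from the commenter or from Sophos; it assumes a hypothetical simplified log with tab-separated ts, source IP, destination IP and SNI columns (a subset of what Zeek's ssl.log records), and the sample rows are constructed rather than captured.

```python
"""Flag periodic ("beaconing") TLS sessions from connection metadata alone.
Assumed (hypothetical) log format: ts<TAB>src_ip<TAB>dst_ip<TAB>server_name.
Sample rows below are constructed for the example, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 reaches a legitimate-looking CDN name every
# ~60 s with slight jitter (an implant hiding among normal TLS), while
# 10.0.0.7 hits the same name at irregular, human-looking intervals.
_JITTER = [0.0, 1.4, -0.8, 2.1, -1.7, 0.6, -0.3, 1.1, -1.2, 0.9]
_BEACON = [f"{1617000000 + 60 * i + _JITTER[i]:.1f}\t10.0.0.5\t203.0.113.10"
           f"\tcdn.example.net" for i in range(10)]
_HUMAN_TS = [1617000003, 1617000019, 1617000241, 1617000250, 1617000790,
             1617001301, 1617001305, 1617001990, 1617002460, 1617003902]
_HUMAN = [f"{t:.1f}\t10.0.0.7\t203.0.113.10\tcdn.example.net" for t in _HUMAN_TS]
SAMPLE_LOG = "\n".join(_BEACON + _HUMAN)


def parse_ssl_log(text):
    """Yield (ts, src, dst, sni) tuples from the simplified log text."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sni = line.split("\t")
        yield float(ts), src, dst, sni


def find_beacons(text, min_sessions=8, max_cv=0.10):
    """Return {(src, dst, sni): (mean_gap_s, cv)} for flows whose gaps between
    sessions are suspiciously regular: coefficient of variation <= max_cv."""
    sessions = defaultdict(list)
    for ts, src, dst, sni in parse_ssl_log(text):
        sessions[(src, dst, sni)].append(ts)
    hits = {}
    for flow, stamps in sessions.items():
        if len(stamps) < min_sessions:      # too few sessions to judge rhythm
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[flow] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for flow, (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {flow}: every ~{avg}s (cv={cv})")
```

Tune min_sessions and max_cv to the environment; legitimate software updaters and health checks also beacon, so this is a triage signal to feed an EDR or SIEM correlation, not a verdict.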
