Transport Layer Security (TLS): Issues & Protocol
Although Transport layer security (TLS) provides enhanced security, cybercriminals have become increasingly savvy, finding ways to circumvent many of these protections. Learn how malicious actors exploit vulnerabilities within TLS to introduce new forms of malware.
What is transport layer security?
Transport layer security (TLS) is the modern version of the now-deprecated secure socket layer (SSL) protocol. It is located between the application protocol layer and the TCP/IP layer, where it can secure and send application data to the transport layer.
TSL 1.0 was first established in 1999 for establishing encryption channels over computer networks. Since 2018, the most current version is TSL 1.3. TSL is located between the application protocol layer and the TCP/IP layer, where it can secure and send application data to the transport layer. It is maintained and developed by the Internet Engineering Task Force.
Due to multiple vulnerabilities within SSL, organisations require a more robust protocol to coincide with the increasing number of web-based technologies. For example, unlike SSL, TSL allows you to negotiate encryption on regular ports and protocols such as IMAP and POP. This enables secure communication over a wide range of ports and protocols.
This has led to TLS becoming the standard practise for transmitting data between web servers and clients. This cryptographic protocol secures your data with a layer of encryption as it is transmitted over the internet.
While TLS provides enhanced security in most situations, it still has its share of attacks by cybercriminals trying to gain access to an organisation’s confidential data. It is important to learn how malicious actors use TLS to introduce malware, how these attacks infiltrate environments—with references to some well-known examples—and how Trend Micro Cloud One™ – Workload Security uses zero-config TLS inspection across data to protect your organisation from malicious actors.
Various TLS Attack Methods
TLS is used to encrypt web and email communications, giving you an advantage over cybercriminals looking to access your data while in transmission. Since TLS is encrypted, there is a high chance that the information sent via the connection is not being inspected. This creates an attack vector for malware and can provide attackers access to your network without being blocked.
It is important to shine a light on the most notable TLS attacks and explore up-to-the-minute solutions.
Man-in-the-Middle (MITM) Attacks
This significant threat to organisations involves a malicious element “listening in” on communications between parties. These types of cyberattacks compromise data being sent and received, as interceptors don’t just have access to information but can also input their own data.
An example of a MITM attack is active eavesdropping. By taking advantage of a weakened network, often unsecured based on lack of a firewall or due to using a device outside of a professionally managed environment, cyber attackers can access business and financial information. This is done when a threat actor intercepts the dialogue between two parties, making it seem like the victims are speaking with each other when, in actuality, the conversation is controlled by the attacker. At this point, the threat actor can insert messages into the conversation to convince one or both victims to share sensitive data and/or transfer funds.
Although it was originally invented to aid law enforcement agencies and the military to conduct surveillance operations, the Stingray phone tracker is often the chosen method for cybercriminals looking to intercept communications. This is done by imitating a cell tower to force mobile devices within its vicinity to connect to it.
MITM attacks have become so prevalent, including notable breaches against Nokia and DigiNotar, it has led to Equifax withdrawing all of its mobile device apps in the wake of its highly publicised 2017 data breach to mitigate a possible MITM attack.
Although TSL includes strong encryption features, much like all technology, it has its flaws. Cyberattacks have been able to exploit known or unknown vulnerabilities in TLS. One of the most prominent and recent examples is the 2019 Raccoon attack. Uncovered in TLS 1.2 and earlier versions, this vulnerability allowed threat actors to decrypt server and client communications with a shared session key. This malware had the ability to arrive on a system through several delivery techniques. This included exploit kits, phishing, and bundling with other malware.
Raccoon gave cybercriminals access to login credentials, credit card information, cryptocurrency wallets, and web browser information. Presented as malware-as-a-service (MaaS), Raccoon provided these functions to threat actors for a relatively cheap price, ranging between US$200 to US$300 per month, making up for its lack of a basic infostealer.
In 2014, the Heartbleed security bug was publicly disclosed. As the bug exploited the OpenSSL cryptographic library, which is mostly used as a TLS implementation to safeguard private online communications. Heartbleed gained notoriety by accessing web browser and application data like email, peer-to-peer messaging, and VPNs.
Trend Micro Solution to TLS Security Concerns
While TLS is one of the widely-used security protocols on the internet, the increasing number of cyberattacks targeting it has caused organisations to explore solutions to better secure their network and customers’ data.
In order to address TLS security concerns, Workload Security uses a cloud-based intrusion prevention system (IPS). A built-in TLS Session Key Intercept (TLS SKI) decrypts and inspects web or application data using zero configuration to connect to your network services and devices.
How Workload Security prevents TLS breaches
While every TLS communication session is encrypted, each with its own unique, temporary session key, any further communication beyond a session requires a different key. This ensures that, if a session key is compromised, only the data in that session will be compromised rather than the entire TLS communication.
As this adds an extra level of security to your TLS, cybercriminals can also use TLS sessions to carry out a malicious attack.
Workload Security allows you to capture both ingress and egress traffic using SKI. This is an important step in inspecting traffic for encrypted malware.
Trend Cloud One built-in SKIs obtain session keys from clients and web servers in real-time. This enables you to utilise an authorised system to decrypt TLS traffic. This eliminates the need to import certificates or credentials, boosting vulnerability-shielding capabilities and providing you with the most advanced first-line defence.
Cybercriminal activity designed to maliciously steal data and disable computers and networks has been on the rise. The fact that SSL/TLS sessions have become the most popular methods for data transfer on the internet has left these protocols susceptible to dangerous attacks. This has put organisations’ reputation at risk and can lead to legal troubles. Cybercriminals now possess the tools to expose confidential data such as trade secrets and prototypes, as well as sensitive customer and employee information. Protecting your organisation starts with protecting your data.
Learn more about how Trend Cloud One includes comprehensive security capabilities for the applications you build in the cloud, allowing you to better recognise, access, and mitigate cyber risk across your organisation.