HTTPS (Hypertext Transfer Protocol Secure) is an extension of the Hypertext Transfer Protocol (HTTP) that secures communication between a server and a browser. It’s a crucial part of the internet, used both to authenticate the website being accessed and to protect the integrity and privacy of data in transit. You can trust it, right?
Unfortunately, as with many critical pieces of internet infrastructure, bad actors are constantly looking for ways to exploit the good intentions behind HTTPS to cause damage. While HTTPS is the industry standard for encryption and data protection in transit, it’s not a foolproof solution for cracking down on bad actors. Malware can be encrypted and transmitted just as easily as genuine, legitimate files. Picture it like streets in a city: they can be used by emergency services, such as police or ambulances, to help people, but they can also be used by criminals. If organizations fail to inspect encrypted HTTPS traffic, they can leave themselves open to attack.
The problem is also getting worse, not better. This failure by organizations has contributed to a big rise in the number of attacks exploiting HTTPS. For those without the right protective measures, such as a web application firewall (WAF), the effects can be devastating.
From malware to browser exploits
Many types of traffic can make use of HTTPS. The overwhelming majority of attacks that use encrypted channels are malware, which can itself take multiple forms, such as ransomware or data exfiltration attempts, depending on what the attacker wants to achieve.
But HTTPS can also be used to transmit ad spyware, phishing attempts, cryptomining attacks (in which machines are taken over to mine cryptocurrency), botnets, XSS (cross-site scripting) attacks, webspam, browser exploits, anonymizer attacks, and more.
According to one recent report, HTTPS threats increased by more than 314 percent between January and September this year. In the previous year, threats increased nearly 260 percent, showing that 2021’s terrifying activity spike is far from an isolated scenario. Attacks vary depending on industry, with the greatest increase in attack rates being the 23x increase targeting tech companies. These make up more than half of attacks. Other sectors commonly targeted include manufacturing, retail and wholesale, finance and insurance, government, healthcare, and education.
Failure to inspect traffic properly
HTTPS does protect against certain malicious cyber attacks. For example, it safeguards against man-in-the-middle attacks, whereby an attacker inserts themselves into the communication between two parties, enabling them to carry out eavesdropping and possible data tampering. However, it can also be used by attackers to their advantage.
As already noted, many organizations don’t properly inspect encrypted traffic. Part of the reason is that encrypted files are more difficult to fingerprint than unencrypted files, meaning that they can more easily evade detection by security teams. Another reason not all security teams perform proper HTTPS inspection is how computationally intensive it can be: carrying it out at sufficient scale using legacy hardware security tools is virtually impossible. Inspection of HTTPS traffic can also create privacy issues if personal traffic is included in the encrypted traffic.
Organizations that are aware of this threat need to ensure that they protect against encrypted exploits. The risk of data being stolen, computer systems being taken over, or myriad other potential “worst case scenario” situations is simply too serious to ignore, and it is getting worse all the time. It’s high time that organizations rethought their security posture in a way that protects against HTTPS exploits that seek to harm them, regardless of which industry or sector they are operating in.
Invest in the right tools for the job
One valuable tool for organizations to have in their arsenal is a web application firewall (WAF) or another firewall that can perform TLS inspection to protect against encrypted malware. WAFs play a critical role in putting together a comprehensive, fool-proof Web Application and API Protection (WAAP) stack, designed to secure everything from edge to database. It means that users receive only the traffic that they want to receive. It’s an essential piece of the puzzle in a world in which cyber attacks continue to plumb new depths in terms of the damage they can cause.
The best time to have invested in these tools would have been yesterday. Failing that, acting now is the second-best option available to you. It’s far better to invest in them prior to an attack, rather than having to deal with the consequences after the worst happens.
After all, there’s a whole industry of bad actors working overtime to ensure that the “worst that can happen” is even worse than you can possibly imagine.