Network Visibility: Can You Analyze Encrypted Traffic for Cybersecurity Threats?


We get this question a lot: Can you analyze encrypted traffic for cyber threats?

It just came up again during the question and answer section of our most recent webinar about threat hunting, so we thought it would be useful to answer it here.

The short answer is yes, you can analyze encrypted network traffic, though there are caveats. For example, you cannot read the contents of traffic protected by Secure Sockets Layer or Transport Layer Security (SSL/TLS), the protocols commonly used to secure web communications in transit. That is by design: keeping the payload unreadable to anyone on the path is exactly what the encryption is for. As such, encryption is both a benefit and a challenge for the defender striving to protect the network.

What defenders can use is metadata to examine encrypted traffic for threat indicators. Every network transaction, even an encrypted one such as a web request, has data that describes it: originating IP address, destination IP address, the protocol and port in use (for example TLS on TCP port 443), the number of packets sent and the byte count, among potentially hundreds of other attributes. None of these require decrypting the payload. These attributes can be examined to help identify threats or potential threats in several ways; here are three techniques we commonly see:

1) Monitor traffic flow for network anomalies. 

The first way is to monitor traffic flow for metadata attributes that indicate abnormal network activity. This works the same way for both encrypted and unencrypted traffic. A newly established connection between two machines that do not typically talk to each other is a good example: a server that an outside supplier legitimately uses to manage IoT devices starts calling a machine that hosts the partner bill payment system. The traffic may be encrypted, but you can still identify that connection as suspicious because these two hosts should not be talking to each other.
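As an added illustration (this is not code from the post or from Bricata), here is a minimal version of that host-pair check in Python. It learns which (source, destination, protocol, port) combinations appear during a baseline window, then flags flows whose combination was never seen, plus flows to a known pair whose byte count is far above the baseline average. The flow records are constructed for the example in a simplified NetFlow-style layout; the field names, the 3x volume threshold and the IP addresses are assumptions, not values from the post.

```python
"""Flow-metadata anomaly check: new host pairs and volume outliers.

Added example, not part of the original post. Works purely on flow
metadata (IPs, protocol, port, packets, bytes), so it applies equally to
TLS-encrypted and plaintext traffic.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int, int]   # src, dst, proto, dst_port, packets, bytes
Key = Tuple[str, str, str, int]              # src, dst, proto, dst_port

# Constructed sample data (assumed layout: src dst proto dst_port packets bytes).
# 10.1.1.20 stands in for the supplier's IoT-management server.
BASELINE_FLOWS = """\
10.1.1.20   10.1.1.50  tcp 443 120 18432
10.1.1.20   10.1.1.50  tcp 443  98 15200
10.1.1.20   10.1.1.51  tcp 443 110 16900
203.0.113.7 10.1.1.20  tcp  22  40  6100
10.1.1.30   10.1.1.60  tcp 443 300 51000
"""

# Constructed flows from a later window. 10.1.1.70 plays the bill-payment host.
NEW_FLOWS = """\
10.1.1.20   10.1.1.50  tcp 443  115  17700
10.1.1.20   10.1.1.70  tcp 443   45   9800
10.1.1.30   10.1.1.60  tcp 443 2900 980000
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, pkts, nbytes = line.split()
        flows.append((src, dst, proto, int(port), int(pkts), int(nbytes)))
    return flows


def flow_key(f: Flow) -> Key:
    """The identity of a conversation: who talks to whom, over which protocol/port."""
    return f[:4]


def build_baseline(flows: List[Flow]) -> Dict[Key, List[int]]:
    """Map each conversation key to the byte counts observed during the learning window."""
    stats: Dict[Key, List[int]] = defaultdict(list)
    for f in flows:
        stats[flow_key(f)].append(f[5])
    return dict(stats)


def find_anomalies(baseline: Dict[Key, List[int]], flows: List[Flow],
                   volume_factor: float = 3.0) -> List[Tuple[str, Flow]]:
    """Return (reason, flow) for flows that break the baseline.

    'new-pair': the conversation key never appeared in the learning window.
    'volume'  : a known conversation moved more than volume_factor times its
                average baseline byte count in a single flow.
    """
    findings: List[Tuple[str, Flow]] = []
    for f in flows:
        k = flow_key(f)
        if k not in baseline:
            findings.append(("new-pair", f))
        elif f[5] > volume_factor * mean(baseline[k]):
            findings.append(("volume", f))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for reason, f in find_anomalies(base, parse_flows(NEW_FLOWS)):
        print(f"{reason:9s} {f[0]} -> {f[1]}:{f[3]}/{f[2]} bytes={f[5]}")
```

Two caveats a practitioner should keep in mind: the baseline is only as clean as the window it was learned from (a pair that was already compromised during learning is silently accepted), and keying on exact IP pairs is noisy in environments with DHCP or load balancers, where grouping by subnet or by resolved hostname usually works better. In production the records would come from a flow exporter or a sensor's connection log rather than an inline string.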

To read the entire post, please click here.

About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform with a comprehensive threat detection and prevention solution to help determine the true scope and severity of threats. Bricata simplifies network threat hunting by surfacing hidden threats through purpose-built hunting workflows driven by clearly presented, detailed metadata, easing the transition from known to unknown malicious activity, in conjunction with an advanced threat detection and prevention platform that convicts zero-day malware.
