Why All Federal Agencies Should Break and Inspect Secure Traffic


Nasty things can be hiding in network traffic.

Andrew Hickey is the editorial director of A10 Networks. 

The data breach that rocked the Office of Personnel Management in 2015 resulted in the theft of an estimated 21.5 million records, including personally identifiable information such as Social Security numbers, names, dates, places of birth, addresses, fingerprint images and background check data.

It’s billed as the cyberattack that shocked the U.S. government, and it was discovered when a security engineer decrypted and inspected a portion of the SSL traffic that traverses the agency’s network and noticed some odd outbound traffic.


Hackers had used SSL encryption to shield their activity and to cloak a piece of malware designed to give them access to the agency’s servers. They used that malware to steal mountains of data.

Had that engineer not decrypted and inspected the network’s SSL traffic, that malware may have continued to go unnoticed, making the already monstrous breach more catastrophic.

Hiding in Not-So-Plain Sight

As evidenced by the OPM data breach, one attack method modern hackers use to infiltrate federal networks is encrypted streams. Essentially, they use secure, encrypted traffic to obfuscate malware.

Advanced adversaries don’t want to do anything that jumps out at security engineers. There are no shiny, blinking lights announcing that they’re performing a malicious activity. They want to hide among the noise and use SSL encryption for camouflage.

SSL traffic has become the largest network blind spot for government and federal agencies.

Nearly 70 percent of all traffic on the web is encrypted, and more than 85 percent of encrypted traffic uses advanced methods like Elliptic Curve Cryptography and Perfect Forward Secrecy.

Despite the massive amount of encrypted traffic, the majority of agencies do not have the proper solutions or processes in place to break and inspect the SSL/TLS traffic.

SSL Inspection Not a Priority for Agencies

A Ponemon Institute survey titled “Hidden Threats in Encrypted Traffic” found 50 percent of malware attacks are expected to be delivered via encrypted channels and 80 percent of organizations are not inspecting their SSL traffic. And of the public-sector respondents indicating they had been attacked, 43 percent of those attacks are believed to have used encryption to evade detection.

Ninety-three percent of public-sector respondents recognize inspection of SSL traffic is “important” to “essential” to their agency’s overall security; however, just 38 percent decrypt web traffic to detect attacks, intrusions and malware. Of those who said they don’t decrypt, only 50 percent have plans to implement SSL encryption and decryption in the near term.

Eliminate the Blind Spot

While government agencies don’t look at the bottom line like enterprises and businesses, they do face the same type of performance requirements from their end users, budgetary constraints and return-on-investment pressures. They demand solutions that are efficient and cost effective. They can’t sacrifice security or performance for cost savings.

Agencies need solutions that can break and inspect advanced SSL traffic and that enable them to get the most bang for their buck out of their existing security infrastructure. They need to protect sensitive, often high-risk information while also ensuring threat actors can’t use secure encrypted traffic as a back door to steal data.

Decrypting and re-encrypting SSL traffic helped OPM uncover a massive breach, reinforcing the need for all federal agencies to ensure they have visibility into what kind of traffic is on their network, even if it’s encrypted and presumed secure.