Blog

April 21, 2020

Network Content and You: Why Logs Matter in the Age of TLS/SSL

Written by: Brandon Denker

As more and more enterprise network activity is encrypted through TLS/SSL, many security pundits and marketers have devalued the security benefits of capturing encrypted and unencrypted network log data. However, we shouldn’t be so quick to dismiss network logs. Even in environments with heavy dependence on encrypted traffic, this log data can prove invaluable for real-time security analysis, forensics, and threat hunting activity.

There are a couple of big reasons why network content matters for security teams and why it will remain relevant for a long time in the future.

Commodity Activity Still Operates in the Clear

Yes, it is true that cybercriminals today will do their best to take advantage of encrypted channels to hide their tracks. However, the reality is attacks are still not carried out in complete encryption, leaving traces and artifacts analysts can use for detection and tracking. Although all of our legitimate services and privacy-focused services in the enterprise are moving to SSL, we’re a long way away before all of our network traffic is singularly encrypted. And looking into attack patterns it is also clear that for the most part the attackers are not monolithic about it, either. There still remains a great deal of commodity criminal activity that happens in the clear.

Often that is due to necessity, because the bad guys can’t set up proper encryption and certificates on every single one of their delivery or command-and-control (C2) nodes in their infrastructure. Other times it’s due to circumstance, where they’re utilizing a compromised device and lack privileges or ability to deploy encryption. As such, they have to pick and choose their spots. On a practical level, this means that many criminals today are not utilizing encrypted mechanisms to carry out their initial infections.

At least some part of the cyber kill chain is left unencrypted. Even if a company has no capabilities of inspecting encrypted traffic, if they inspect all of their other network traffic they’re likely to spot evidence of several attacks leaving breadcrumbs in the first stages of the attack.

Even Sophisticated Actors Drop Clues in Unencrypted Traffic

If you want to talk about more sophisticated attackers, obviously they’re going to attempt to encrypt all of their activities in some way or another. Which is why when it comes to security analysis host activity will obviously be the gold standard for collection. However, for those companies that can’t afford it yet or don’t have the maturity to examine it in depth, hope is not lost.

Everyone has firewall logs, and most have proxy or application-level firewall logs, so even if activity is encrypted through SSL, it’s still leaving behind some level of metadata. There’s still information about the certificate that was exchanged and you can potentially get a domain from that. There’s also still information on how much data was transferred. If you find evidence of one-sided connections where the host is sending large amounts of data but not receiving much back or vice versa, that could be a red flag.

More Data is Always Better When Hunting Threats

Whenever a security analyst is tracking an infection, the more metadata they can get their hands on the better their investigation will go. In the past, we’ve seen unfortunate incidents where companies fall into the encryption stigma, saying “Everything’s going to SSL, so what good are proxy logs, without SSL interception” leading to dropping the logging or decommissioning the technology altogether. But that only hurts firms in the long run.

Proxy data, IDS data, and other network connection data (such as Zeek)—even if it isn’t shipped to a SIEM—can prove vital during response for an incident or to feed threat hunts from time to time. Many times threat intelligence and open source intelligence reports will reveal a specific SSL certificate or pieces of network metadata associated with a threat actor making it is trivial to search your data for that information to look for that activity.

It’s for all of these reasons that we do our best as analysts and security evangelists to fight the stigma against network content. It still matters and can prove invaluable to security professionals in the trenches.

Ready to read more? Find out Why Artificial Intelligence Can’t Save Your SOC.

About the Author