Organizations that do not have measures to identify malware disguised in encrypted network traffic risk having the most harmful malicious tools in the wild dropped on their endpoint devices.
According to research done by WatchGuard Technologies using anonymized data obtained from client networks, 91.5 percent of malware detections in Q2 of 2021 were made via HTTPS-encrypted connections.
Only 20% of companies have systems in place to decrypt and scan HTTPS traffic for malware, putting the remaining 80% in danger of missing nine-tenths of the malware that hits their networks every day.
The gap between the perceived and actual complexity of setting up network-based HTTPS decryption rules is one of the primary reasons more businesses have not done so.
For man-in-the-middle decryption to work without undermining the integrity of the HTTPS certificates that protect that traffic, the correct approach is to deploy an intermediate or root CA certificate that takes part in the normal certificate validation chain on every endpoint.
There are several ways to do this, some of which are difficult and others not. In short, doing this the first time — then creating exceptions, so it starts functioning effectively — takes some effort, which is why some people don’t bother. However, it is well worth the effort; otherwise, network security is severely compromised.
The data point on encrypted malware is one of several in a study issued this week by WatchGuard. It highlighted worrying cyber trends for businesses.
According to WatchGuard’s study, the total number of script-based, or fileless, cyberattacks in the first six months of this year had already exceeded 80% of the total for all of 2020. The previous quarter’s data suggests that the volume of fileless malware will quadruple this year compared to 2020.
Fileless attacks, such as those leveraging JavaScript, PowerShell, and Visual Basic, are another danger that certain antivirus (AV) systems have difficulty detecting.
Many of these scripts may be configured to carry out living-off-the-land attacks, which means they never write any malicious files to an endpoint. Instead, they keep carrying out their nefarious operations using scripting and privileged access — either the victim’s own credentials or elevated ones.
As a result, malware detection systems that are focused on files may overlook them.