This post was co-written by Dustin Updyke.
An important part of an organization's cybersecurity posture includes the monitoring of network traffic for proactive cyber defense. While enterprise network operators are focusing on how best to secure their networks, users are simultaneously demanding more privacy. The trend toward implementing network protocols designed to improve personal privacy is now making it harder for organizations to protect enterprise networks. This blog post briefly describes these protocols and the impact they will have on an organization's ability to monitor network traffic.
The Cyber Workforce Development Directorate in the SEI CERT Division is conducting realistic scenario simulations that enable DoD network defenders to adapt to recent trends to improve personal privacy. We also describe how these scenario simulations are enabling organizations to fully appreciate the impact of these protocols--and to adapt their defensive actions. Finally, we examine what techniques can still identify harmful network activity after privacy-enhanced protocols are widely implemented.
Several new technologies have been developed to enhance both privacy and security, including QUIC (Quick UDP Internet Connections), Transport Layer Security (TLS) 1.3, and DNS-over-HTTPS (DoH). These technologies continue to gain traction and are now implemented in popular web browsers, such as Google Chrome and Mozilla Firefox. Cybersecurity professionals need to understand the implications that these technologies have not only to enhance security on their networks, but also to potentially limit their network-security situational awareness (SA).
New Technologies Reduce Visibility of Harmful Network Activity
QUIC is a transport-layer network protocol designed to reduce the time for an application client to connect to a server, which is important in applications where the transmission is susceptible to a delay that would be noticeable by the end user. Speed is particularly important in common activities, such as web searching, video streaming, and other real-time applications. QUIC accomplishes a lower latency connection by replacing standard Transmission Control Protocol (TCP) with User Datagram Protocol (UDP). When streaming video, for example, QUIC typically reduces the view start time by two to three times compared to traditional HTTP/2 TCP requests. QUIC improves performance while maintaining data security by utilizing a payload encrypted through a proprietary encryption strategy.
TLS 1.3 and DoH came about as the result of a series of escalations between the privacy and surveillance communities. Beginning with TLS 1.3, the session's certificate (which contains information about the hostname, organization name, expiration times, revocation status, and signature verification) is now also encrypted over the wire. Before the advent of TLS 1.3, tools could examine this certificate during the handshake stage of connection setup and potentially spot problems. Additionally, the Server Name Indication (SNI), which provides a plaintext server name for each request and has also been something that tools routinely examine, is now encrypted in transit. SNI therefore can no longer be used to detect and proactively block dangerous network activity.
DoH seeks to improve individual privacy by masking DNS queries, which historically could be used to reveal something about an individual's browsing activity. Even with TLS- and Secure Sockets Layer (SSL)- enabled websites, a user's DNS request would provide a cleartext indicator of where the user's traffic should be routed. DNS queries therefore allowed network operators to track and filter secure browsing sessions that use HTTPS. DoH introduces the same protections to DNS queries that TLS 1.3 offers to secure web browsing. If a host is fully configured to use DoH, it is possible that no cleartext DNS traffic will be emitted from the host during the course of normal web browsing.
The challenge with the widespread adoption of QUIC, TLS 1.3, and DoH is that security tools--including firewalls, proxies, and gateways--often proactively block harmful user activity by examining the key pieces of information outlined above within a network's traffic to both protect users and to increase an organization's network situational awareness. With the introduction of these technologies, network sensors (and thus the entire organization) may now be blind to important decision-driving metadata.
Building Realistic Simulations for Cyber Defenders
Participants in training are more likely to immerse themselves in an exercise when it provides authentic network traffic. The goal of the CERT Cyber Workforce Development (CWD) team is to build cyber training environments that are as realistic as possible. For example, if the use of certain malware is a trend seen in the wild, then that malware is incorporated into the training environments built by CWD. A recent example of this was the use of weaponized Excel spreadsheets to deliver the LimeRAT family of malware to unsuspecting victims. CWD engineers re-created this attack and incorporated it into a cyber simulation. This simulation enabled network defenders to experience it firsthand in a controlled environment where they could study the attack and build countermeasures.
QUIC, TLS 1.3, and DoH are three new challenges facing cyber defenders. The CWD team has created several simulations that enable our training and exercise participants to learn more about these technologies in real-world scenarios. These scenarios take place within simulated large-scale and complex enterprise networks. One scenario that we developed this year introduces a piece of malware specifically designed to leverage DoH to hide the activity of downloading a beacon and also to utilize DoH for the subsequent connection to an external command-and-control (C2) server.
The storyline that accompanied this malware scenario is that a user attempted to subvert local DNS by using what was purported to be a virtual-private-network (VPN) application to access restricted websites from an enterprise workstation. The "VPN application" was malware in disguise. This scenario provides us with a way to introduce and talk about the potential difficulties and challenges that these new technologies may pose to cyber defenders.
One of the ways that we advise our exercise participants to observe this hidden DNS traffic is through TLS interception on a proxy server. Even without this technique, however, participants can analyze traffic patterns where HTTPS packets are high in frequency and small in size, and show a pattern of beaconing on some regular interval.
Building New Defensive Strategies
The advent of these new network protocols requires that network administrators update the behavioral fingerprinting techniques that many organizations have developed over time to detect and proactively block harmful network activity. Many defensive strategies rely on formerly decision-driving metadata that will no longer be accessible in cleartext. Although access to this information may no longer be available, there are other properties of network traffic that may be useful as indicators in the future. For example, one of the connection properties of QUIC is that it is always preceded by another TCP TLS connection at some point in its past. This linkage might provide clues about the connection as a whole for analysis purposes. QUIC is already available in a number of industry-standard browsers, and if UDP is not blocked in an organization, it is likely that that organization is already observing QUIC on the network. The CERT Cyber Workforce Development team provides simulations to help to prepare an organization to understand how these new technologies will affect network-traffic monitoring capabilities.
There are several tools available to simulate the technologies highlighted in this post within your own organization, including the following:
Learn more about CERT Cyber Workforce Development.
This post has been shared 0 times.
Get updates on our latest work.
Sign up to have the latest post sent to your inbox weekly.