Unpacking the risks of encrypted traffic

Dec 23, 2022

Encrypted web traffic is the norm, but is its prevalence causing enterprise security to overlook a significant threat vector? While encryption is helpful for hiding communication from prying eyes, it can also hide threats from IT security teams and SOCs. The Zscaler ThreatLabz 2022 State of Encrypted Attacks report takes a comprehensive look at this problem and offers insights that could prevent a catastrophic breach.

Key findings include:

  • Encrypted threats observed on the Zscaler Zero Trust Exchange, the world’s largest security cloud, rose 20% year over year
  • More than 85% of attacks use encrypted channels
  • The top five nations targeted by encrypted threats are the US, India, South Africa, the UK, and Australia
  • Encrypted attacks of every type have increased since 2021
  • Manufacturing saw a 239% increase in encrypted threats, the largest increase among affected verticals

While users have come to equate encryption with safety, cybercriminals have taken to weaponizing it. Phishing attacks using encrypted channels increased 89% year-over-year. During the same time frame, overall phishing attacks only increased by 29%. This demonstrates the value encrypted traffic offers to threat actors seeking to improve their operations. Other encrypted attacks, such as cryptomining and browser exploitation, saw increases above 140%. Webspam in encrypted channels increased by over 1,640%. 

Encryption’s skyward trajectory 

The Zscaler Zero Trust Exchange processes more than 260 billion transactions daily, considerably more than popular web search engines. Our internal monitoring tools, which are publicly viewable, show about 89%-92% of enterprise traffic going through the Zero Trust Exchange is encrypted at any given moment.

Figure 1: The growth of encrypted traffic on Google from 2014 to 2022

Likewise, Google has a chart showing the growth of encrypted traffic from 2014 to 2022. During this time, encrypted traffic went from 50% to 95%. In other words, it took less than a decade for the vast majority of web traffic to become encrypted. Unfortunately, legacy network appliances such as traditional firewalls, which forward TLS sessions without terminating them, give a business no visibility into encrypted traffic. Many nations have also enacted legislation governing the handling of certain types of data, which further complicates inspecting encrypted traffic with traditional network tools.

How can organizations safeguard against encrypted attacks?

Fortunately, encrypted traffic inspection is possible at scale when performed by a cloud-native, zero trust platform like the Zscaler Zero Trust Exchange. The massive computing power of the cloud is necessary for quickly inspecting the sheer amount of encrypted traffic generated by professional organizations. Trying to inspect every encrypted communication, from every device, using traditional network and datacenter technologies is simply not feasible. A cloud-based proxy architecture, however, can decrypt, detect, and prevent threats in encrypted traffic at scale.

By placing business assets behind a cloud-based proxy, an organization’s attack surface remains hidden from the public. This also creates the buffer between communicating parties necessary to perform encrypted traffic inspection. Users, workloads, and other communication requests use the Zero Trust Exchange as a virtual switchboard for establishing connections. In addition to connecting each requestor to a specific resource, the proxy terminates the encrypted session on each side, so it can decrypt and inspect traffic as it travels between the two parties.
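The mechanism described above, in working code, as an added example that is not part of the original post or of Zscaler’s product: an inspecting proxy runs its own private CA, mints a certificate for each origin it terminates, and presents that certificate to the client in place of the origin’s real one. The client-facing half of the exchange is shown below on a loopback TCP port; the origin-facing half (a second TLS session in which the proxy validates the real origin certificate) is omitted. The CA name, the host name and the request are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// InspectionCA is the private CA an inspecting proxy uses to mint a
// certificate for every origin it terminates (the name is hypothetical).
type InspectionCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewInspectionCA builds a self-signed CA in memory. A real deployment keeps
// this key in an HSM and pushes only the certificate to managed endpoints.
func NewInspectionCA() (*InspectionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Inspection CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &InspectionCA{Cert: cert, Key: key}, err
}

// MintLeaf issues a short-lived certificate for host signed by the inspection
// CA; the proxy presents it in place of the origin's real certificate.
func (ca *InspectionCA) MintLeaf(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Intercept runs the client-facing half of an inspecting proxy on loopback and
// returns, in plaintext, what a client expecting host sent. With trusted=false
// the client's root store lacks the inspection CA, so it aborts the handshake
// and that error is returned. The origin-facing TLS session is omitted.
func Intercept(ca *InspectionCA, host, request string, trusted bool) (string, error) {
	leaf, err := ca.MintLeaf(host)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	if trusted {
		roots.AddCert(ca.Cert)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{leaf}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	clientErr := make(chan error, 1)
	go func() {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: host})
		if err != nil {
			clientErr <- err // minted certificate rejected; nothing was sent
			return
		}
		defer conn.Close() // close_notify ends the proxy's ReadAll below
		_, err = io.WriteString(conn, request)
		clientErr <- err
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	seen, readErr := io.ReadAll(conn) // the TLS handshake runs on the first Read
	if err := <-clientErr; err != nil {
		return "", err
	}
	return string(seen), readErr
}
```

Calling Intercept with trusted=true returns the request bytes exactly as the client wrote them, which is the visibility the post describes; with trusted=false the client fails certificate verification with an unknown-authority error and sends nothing. That is the operational caveat of any inspection architecture: managed endpoints must carry the inspection CA in their trust store, the plaintext does exist at the proxy (so the proxy’s own key handling and logging policy are part of the data-protection story), and applications that pin the origin certificate will break unless they are bypassed.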

Figure 2: Cloud-based proxy architecture with TLS inspection provides full visibility into encrypted traffic

These automated inspections can happen nearly instantaneously by harnessing the power of the cloud. Additional advanced technology, such as AI sandboxing, can be leveraged to quarantine suspicious traffic and prevent zero day attacks. The encrypted data is never exposed to human eyes, which solves many problems associated with data privacy laws and regulatory compliance.

Figure 3: Four benefits of the Zero Trust Exchange and inspecting encrypted traffic

An organization’s public-facing assets (aka discoverable infrastructure) are minimized by using a cloud-based proxy architecture. This vastly reduces an organization’s attack surface. By facilitating communication through the Zero Trust Exchange, businesses ensure that only trusted users reach authorized resources. Traffic traversing the environment is visible to the cloud-based proxy architecture, which empowers other security processes to detect and prevent cyber attacks.

Another benefit of connecting users to specific resources is the ability to implement app-based segmentation. Threats cannot perform lateral movement when party A can only connect to party B and the underlying network remains invisible. Data is also safer in an environment where decrypted traffic can be analyzed for PII and other sensitive information, including OCR scanning of images and documents.

Final thought

Too many users draw a false sense of security from seeing a lock symbol in their browser bar. Encrypted traffic, like any tool, can be used for good purposes or misused to cause harm. Not all SSL and TLS certificates are equal (see our report), but all encrypted traffic creates a blind spot for organizations without inspection capabilities. With over 85% of cyber attacks coming through encrypted traffic, organizations must ensure their current security solutions provide visibility into this threat vector.
