
Hackers hiding in encryption

Kevin Landt at Thrive describes how Network Detection and Response seeks out cyber-threats that are hiding in encryption


Encrypted traffic is doing its job. More data in transit is being protected, which is essential for business privacy and resilience. The problem is that bad actors are now benefitting from the same cover, and they’re getting very good at hiding. Commonly used protocols such as HTTPS, web browsing traffic or DNS requests are camouflaging malicious activities, making them hard to detect as illegitimate. It therefore takes deep cyber-security expertise and technology innovation to distinguish hackers and ransomware gangs from the harmless patterns of use.


Patterns that point to compromise

If attackers are using common protocols to hide, how can organisations tell the difference between legitimate use and something hostile? Network Detection and Response (NDR) solutions are focused on sorting what is suspicious from what is legitimate, and can do so in a number of ways without the need to decrypt traffic.


As an example, a common protocol such as HTTPS can still be suspect if it is used by an uncommon process. If HTTPS traffic is being generated by an application that has never used it in the organisation’s environment before, it’s going to be flagged as something worth investigating.

Data volumes can also be a strong indicator. When an otherwise normal-looking connection suddenly starts pushing unusually large amounts of data out of the organisation, it may indicate an exfiltration.


Another area that might point to compromise is lateral movement between internal systems. If an attacker compromises one machine, they’re likely to make moves to infiltrate a higher-value target. This could be a file server, finance system or identity infrastructure.


Administrative tools, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH), are often where attackers lurk in these situations because they won’t set off alarms on traditional security tools. If the admin protocols are being used from a machine that a legitimate administrator doesn’t normally use, it’s a red flag. To help spot these suspicious patterns of behaviour, NDR is rapidly evolving thanks to AI-led innovations.


How NDR is changing

Traditional detection approaches struggled in encrypted environments because they relied heavily on signatures – rules had to be written to detect an attack type, and every time attackers came up with a new method, a new rule had to be written.


Newer approaches to NDR focus on behavioural analytics, making use of innovations in AI to analyse traffic flows and connections and spot what bad actors are attempting to do, rather than the exact attack method being deployed. AI also doesn’t need to see the traffic payload itself, which is often obscured by encryption. It just needs to see the behaviour between different systems to spot unusual activity.


Early NDR tools often leaned on basic anomaly detection, flagging anything that deviated statistically from the normal volume or frequency. A major development with NDR is mapping detections to recognised attacker tactics and techniques such as those catalogued in the MITRE ATT&CK framework, a globally accessible knowledge base informed by real-world observations. This gives alerts a much clearer investigative context and tends to reduce false positives. The alert is tied to a plausible attacker technique, rather than a simple deviation from a baseline.
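To make the three behavioural checks described above (an uncommon process using HTTPS, egress far above a host's baseline, and admin protocols from a machine administrators don't use) and the ATT&CK mapping concrete, here is a small Python checker over constructed flow records. It is an added illustration, not code from the article or from Thrive's product; the flow records, the baseline sets and the choice of which ATT&CK technique each check is tagged with are assumptions.

```python
# Constructed flow records (sample data, not from the article): one per
# connection, with source host, originating process, destination, port
# and bytes sent out of the organisation.
FLOWS = [
    {"src": "ws-12", "proc": "chrome.exe", "dst": "203.0.113.10", "port": 443, "out": 120_000},
    {"src": "ws-12", "proc": "chrome.exe", "dst": "203.0.113.11", "port": 443, "out": 90_000},
    {"src": "ws-12", "proc": "updater.exe", "dst": "198.51.100.7", "port": 443, "out": 2_500_000_000},
    {"src": "ws-07", "proc": "mstsc.exe", "dst": "fs-01", "port": 3389, "out": 30_000},
    {"src": "admin-01", "proc": "ssh", "dst": "idp-01", "port": 22, "out": 8_000},
]

# Assumed baseline learned from a period of normal traffic: processes that
# have used HTTPS before, typical egress bytes per host, and the hosts that
# administrators normally work from.
KNOWN_HTTPS_PROCS = {"chrome.exe", "outlook.exe"}
EGRESS_BASELINE = {"ws-12": 150_000, "ws-07": 40_000, "admin-01": 20_000}
ADMIN_HOSTS = {"admin-01"}
# Admin protocols mapped to the MITRE ATT&CK sub-techniques they correspond to.
ADMIN_PORTS = {3389: "T1021.001 Remote Desktop Protocol", 22: "T1021.004 SSH"}


def detect(flows, volume_factor=10):
    """Return a list of (flow, ATT&CK technique, reason) for suspicious flows.

    None of the checks look at the payload, so they work on encrypted traffic.
    """
    alerts = []
    for f in flows:
        # Common protocol, uncommon process: HTTPS from a never-seen process.
        if f["port"] == 443 and f["proc"] not in KNOWN_HTTPS_PROCS:
            alerts.append((f, "T1071.001 Web Protocols",
                           f"process {f['proc']} has not used HTTPS before"))
        # Data volume: egress far above this host's baseline.
        baseline = EGRESS_BASELINE.get(f["src"])
        if baseline and f["out"] > volume_factor * baseline:
            alerts.append((f, "T1041 Exfiltration Over C2 Channel",
                           f"{f['out']} bytes out against baseline {baseline}"))
        # Lateral movement: RDP/SSH from a host administrators do not use.
        if f["port"] in ADMIN_PORTS and f["src"] not in ADMIN_HOSTS:
            alerts.append((f, ADMIN_PORTS[f["port"]],
                           f"admin protocol from non-admin host {f['src']}"))
    return alerts


if __name__ == "__main__":
    for flow, technique, reason in detect(FLOWS):
        print(f"{flow['src']} -> {flow['dst']}:{flow['port']}  [{technique}]  {reason}")
```

Run against the sample data, only the updater.exe flow (two findings) and the RDP session from ws-07 are raised; the browser and the administrator's SSH session stay quiet.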


NDR innovations are enabling early detection to change outcomes during incidents. If organisations can catch an attacker while they are establishing control or attempting lateral movement, there is a far better chance of containing the incident before it becomes a major breach.


Alongside this shift, encrypted traffic analysis is becoming more sophisticated, with graph-based machine learning identifying rare or risky connection patterns that do not occur in normal operations. Probabilistic modelling can also score sequences of events in a way that accounts for uncertainty – vital for when content can’t be inspected and inherently indirect signals need to be relied on.


NDR as one component in a wider approach

NDR is most effective when it is integrated with Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR). EDR focuses on executables, applications and suspicious activity on workstations and servers, such as malware. What EDR doesn’t show clearly is the relationship between different machines, including who is talking to whom and how those communications evolve over time.


NDR provides a wider network view and can detect behaviours that bypass endpoint controls, including scenarios where attackers use stolen credentials or access via VPN to blend in. MDR then provides the operational layer. Signals from NDR and EDR, alongside firewall logs and identity data, are brought together so that detection is not fragmented.


A security operations centre (SOC) led by humans can sit at the core of these combined technologies. They can use the combined context to decide whether the activity is genuinely threatening and what action to take, helping to tune the system for the organisation’s unique operations and train AI solutions on what’s normal and expected in a specific environment.


Looking ahead, one trend to watch is better correlation between network events, endpoint events and identity. Identity-based attacks are rising, and an alert becomes far more actionable when it can be connected to a user account, how that user authenticated and whether that behaviour fits their role and the way they usually behave. This is vital when attackers are increasingly impersonating support teams or abusing collaboration tools to trick users into granting access.


Encryption should never be the blind spot

Encryption should never become a blind spot. It is now the default for how businesses protect data in transit, and attackers are adapting by hiding their activity inside familiar, encrypted protocols.


That is why organisations need detection that focuses on behaviour. NDR can surface suspicious patterns, such as unusual destinations, unexpected system-to-system relationships and signs of lateral movement or exfiltration, without decrypting traffic. When that network view is combined with EDR and MDR, teams gain clearer context and can respond earlier, ensuring quicker containment of threats and limited impact to the business.


Kevin Landt is VP of Product, Cybersecurity at Thrive
