Why organizations should consider HTTPS inspection to find encrypted malware

Some 67% of all malware seen in the first quarter was delivered via HTTPS, according to security firm WatchGuard Technologies.


HTTPS was designed to secure web traffic by encrypting communications and thus prevent man-in-the-middle attacks and other types of eavesdropping. But HTTPS can hide malicious traffic directed toward an organization since a secure gateway by itself won't inspect encrypted content. 

HTTPS inspection is a process by which you can analyze the encrypted web traffic and content, though some organizations shy away from this technique as it can do more harm than good if not implemented properly. A report released Wednesday by WatchGuard Technologies explains why HTTPS inspection can help in your security analysis.


In its Internet Security Report for Q1 2020, WatchGuard reported that 67% of all malware last quarter was delivered via HTTPS. Since more websites now use HTTPS for encrypted connections, many WatchGuard customers have enabled HTTPS inspection, which looks for malicious content by decrypting traffic at the gateway. Though signature-based security products can combat known threats, they're unable to block much of the malware that can get through unless combined with the inspection of encrypted traffic.

Setting up HTTPS inspection can be tricky as it does require some extra effort. And if not configured correctly, this process can actually weaken the end-to-end encryption and protection provided by security gateways and products.

"Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option," Corey Nachreiner, chief technology officer at WatchGuard, said in a press release. "As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection."

A report from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) offers some recommendations on HTTPS inspection.

"Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client," CISA said. "A partial list of products that may be affected is available at The Risks of SSL Inspection. Organizations may use badssl.com as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography. At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.


"In general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing," CISA added. "Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A."
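The badssl.com check CISA describes above, as an added example (not code from the article, CISA or WatchGuard): it attempts a verified TLS handshake to hosts from the Certificate section of badssl.com and reports any that are accepted when they should be refused. The host list is an assumption taken from the public site, and the "unreachable" handling is this example's own convention.

```python
import socket
import ssl

# Subdomains from the Certificate section of badssl.com (assumed list; check
# it against the live site). A healthy client must REFUSE each of these.
MUST_REFUSE = [
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
]
MUST_ACCEPT = ["badssl.com"]  # control: a valid certificate must still work


def probe(host: str, timeout: float = 5.0) -> str:
    """Attempt a verified TLS handshake; return 'accepted', 'refused' or 'unreachable'."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        return "refused"      # certificate validation failed: the wanted outcome
    except OSError:
        return "unreachable"  # TCP or DNS failure: proves nothing either way


def verdict(results: dict) -> list:
    """List the hosts whose outcome contradicts CISA's requirement.

    A proxy that re-signs traffic with its own CA makes every handshake look
    valid to the client, so a bad upstream certificate surfaces here as
    'accepted' for a MUST_REFUSE host; 'unreachable' is reported too so a
    blocked probe is never mistaken for a pass.
    """
    findings = []
    for host, outcome in results.items():
        if host in MUST_REFUSE and outcome != "refused":
            findings.append(f"{host}: {outcome} (expected refused)")
        elif host in MUST_ACCEPT and outcome != "accepted":
            findings.append(f"{host}: {outcome} (expected accepted)")
    return findings


if __name__ == "__main__":
    # Run once with direct Internet access and once behind the inspection
    # product; the two runs must produce the same (empty) findings list.
    outcomes = {h: probe(h) for h in MUST_REFUSE + MUST_ACCEPT}
    for line in verdict(outcomes) or ["all certificate tests behaved as expected"]:
        print(line)
```

A non-empty findings list from the run behind the proxy, when the direct run was clean, is exactly the failure CISA's guidance warns about.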

HTTPS inspection is also important with the shift to remote working, according to Kowsik Guruswamy, CTO at Menlo Security.

"It's no surprise that malware and other threats are being delivered via seemingly secure connections by hiding under the false security of HTTPS to evade traditional AV measures," Guruswamy told TechRepublic. "When enterprises don't perform adequate SSL inspections, they are vulnerable to malicious attacks and susceptible to malware deliveries such as the ones described in this research. Moving a workforce almost entirely remote only compounds the issue. As a result, VPN and SSL infrastructure is overwhelmed and so hackers are using old tricks to send malicious files and phishing links over SSL, and enterprises are being blindsided.

"Inspecting SSL traffic is one of the most important measures a company must put in place," Guruswamy added. "Without this, attackers are able to bypass all the security measures and use the most widely used application by any user, the browser. Remote working has exacerbated this issue since people are not working from the safety of a secure enterprise network, so cloud security solutions have become critical to enable companies to implement scalable SSL inspection no matter where users are working from."

To bolster your overall security defenses, WatchGuard also offers the following advice:

  • TLS inspection is a necessity. Only inspecting unencrypted traffic doesn't cut it anymore. If you don't inspect TLS-encrypted traffic, you will only catch a third of the malware coming into your network. Configure your network perimeter to inspect encrypted traffic in a secure way with the use of trusted certificates. While it is a bit of extra work, once completed, the firewall will have visibility into the other two-thirds of malware you'd miss otherwise.
  • Use a layered defense. Using an outdated single layer of defense on your network perimeter is not enough to block most attacks. No antivirus product can protect you from every malware variant but a layered defense consisting not only of signature-based security but also machine learning, malware sandboxing, and education of the end user can increase your chances against the current threat landscape significantly. In addition, we recommend endpoint detection on individual computers for protection against malware that bypasses the perimeter, such as variants spread through USB drives or smartphones.
  • Block Command and Control (C2C) channels and malicious sites. Ransomware and other malware increasingly spread through compromised sites and name squatting, where the name of the malicious site looks like the name of a popular real site. Network security services need a real-time guard to prevent botnets from accessing Command and Control domains as well as prevent users from visiting phishing sites. Any endpoint detection should also include protection against ransomware by not only blocking the malware but also blocking any actions the ransomware takes against business-critical data. Leverage security services that block these sorts of sites via DNS or normal HTTP queries.
