The etymology of the metaphor “Double-edged Sword” is in contention—some suggest it originates from the Arabic سَيْف ذُو حَدَيْن (sayf ḏū ḥadayn), while others argue for an English origin circa the 15th century CE. Regardless of its actual origin, it is a good analogy for the dilemma organizations face as encrypted communications become more and more commonplace.
Figure 1 – Growing proportion of encrypted web traffic
On the one hand, encrypting data supports its confidentiality, which satisfies privacy advocates. On the other hand, encrypted traffic also provides new opportunities for threat actors. The NSS Labs series, The Encrypted Web, discusses the advantages of encrypted channels for cybercriminals: encrypted traffic is scanned less frequently, infection success rates are higher, less sophisticated attacks succeed more often, and domain validation certificates are low-cost or free. Additionally, it has been reported that attackers employ encrypted channels specifically to obfuscate malicious code from network security devices.
Earlier this year, we conducted the NSS Labs 2018 Encryption Security Study, which aimed to a) enumerate the proportion of US enterprises that terminate, decrypt, and scan SSL/TLS traffic, b) determine the types of traffic commonly terminated, decrypted and scanned, c) resolve TLS/SSL versions currently in use, and d) quantify the type and frequency of threats using encrypted channels discovered in US enterprises in the past six months.
The study was part of a quantitative, two-arm study conducted through a survey of 141 role-verified full-time IT security professionals with a minimum of three years in role. Qualified respondents actively managed security technologies for organizations with a minimum of 500 employees.
When participants were asked if their organization terminated, decrypted, and scanned encrypted traffic, the majority of respondents (n=133; 94.3%) indicated their organization did. Those who did not cited performance impacts as the primary deterrent. Inbound traffic scanned via reverse proxy was the predominant method of decryption and scanning in our sample (n=114; 80.9%), with outbound decryption and scanning via forward proxy reported by a smaller proportion (n=60; 42.6%). The most commonly decrypted and scanned traffic protocol reported by survey participants was HTTPS, followed by SMTPS and IPSec.
Participants were asked which technologies their organizations employed to decrypt and scan traffic. Results suggest a number of technologies are employed for this purpose, with dedicated SSL appliances the most frequently reported in our sample.
Figure 2 – Technologies employed to decrypt and scan encrypted traffic by vertical
Several reports have revealed that attackers are using encrypted channels to deliver and obfuscate malicious code; therefore, we asked participants which threats using encrypted channels their organizations had detected in the last six months. Cross-protocol attacks were the most commonly reported (50.4% of participants reporting), followed by renegotiation attacks (45.4%) and downgrade attacks (36.2%). Next, we asked respondents who reported detecting such threats how frequently the threats are detected. Our results showed that a substantial proportion of organizations detect these threats daily, or even hourly.
Employing effective strategies and technology to block threat actors from exploiting data encryption is more important than ever—and the pressure is mounting. For example, Australia just passed the Assistance and Access Bill, which can effectively force ISPs, telcos, and other organizations to build encryption back doors for law enforcement use. For the enterprise, encryption security is indeed a double-edged sword.
The NSS Labs Security Insight Study includes results from both the NSS Labs 2018 Encryption Security Study and the NSS Labs 2018 Data Center Security Study. If you’re interested in encryption or data center security, we recommend giving it a read, and if you’d like to discuss these topics, we’d love to speak with you! Email us at email@example.com and reference this blog.
Will Fisher is a Senior Research Analyst for the NSS Labs Enterprise Architecture Research Group (EARG), whose charter is to help enterprises solve security challenges. Will is a research scientist who holds a PhD in Experimental Psychology. He has worked at NSS Labs for the last two and a half years performing and analyzing qualitative and quantitative research into enterprise IT security.
 Helme, S. (August 24, 2018). Alexa Top 1 Million Analyses – August 2018. Retrieved from https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/
 Pappalexis, J. (2016). The Encrypted Web Series. NSS Labs. Retrieved from https://research.nsslabs.com/reportaction/report-404/Marketing?SearchTerms=encrypted%20web
 Basu, S. (2017). The fight within encryption. Cyber Security: A Peer-Reviewed Journal, 1(1), 44-47.
 Ponemon Institute. (2016). Hidden Threats in Encrypted Traffic: A Study of North America & EMEA. Retrieved from https://www.ponemon.org/local/upload/file/A10%20Report%20Final.pdf
 Cisco. (2018). Encrypted Traffic Analytics. Retrieved from https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf
 ZScaler. (2018). February 2018 Zscaler SSL Threat Report. Retrieved from https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-report
 Moon, M. (December 7, 2018). Australia’s controversial anti-encryption bill passes into law. Retrieved from https://www.engadget.com/2018/12/07/australia-access-assistance-bill-now-a-law/