Report: 23% of malware families use encryption to avoid detection

SophosLabs Uncut article, “Nearly a Quarter of Malware now Communicates Using TLS,” details how hackers use encrypted communications to steal data such as financial details and other sensitive credentials. By using Transport Layer Security (TLS) cybercriminals were able to evade detection by hiding exploits, payloads, and stolen content.

The report explained how 23% of malware families use encrypted communication for Command and Control (C2) or installation while 44% of prevalent information stealers also use encryption to sneak hijacked data, including bank and financial account passwords and other sensitive credentials, out from under organizations.

Trojan Trio

“As SophosLabs’ research demonstrates, cybercriminals are boldly embracing encryption in an attempt to bypass security products,” said Dan Schiappa, chief product officer at Sophos. “Unfortunately, most firewalls lack scalable TLS crypto capabilities and are unable to inspect encrypted traffic without causing applications to break or degrade network performance.”

Have you read “Mapua partners with Sophos in offering cybersecurity courses”?

The security firm also found out that in all of these hacking activities, cybercriminals use three common Trojans: Trickbot, IcedID, and Dridex.

As a response to this strategy, Sophos introduced a new “Xstream” architecture for Sophos XG Firewall with high-performance TLS traffic decryption capabilities that eliminate significant security risk associated with encrypted network traffic, which is often overlooked by security teams due to performance and complexity concerns.

Threat analysis

XG Firewall also features AI-enhanced threat analysis from SophosLabs and accelerated application performance.

“With the new Xstream architecture in XG Firewall, Sophos is providing critical visibility into an enormous blind spot while eliminating frustrating latency and compatibility issues with full support for the latest TLS 1.3 standard,” Schiappa said. “Sophos’ internal benchmark tests have clocked a two-fold performance boost in the new XG TLS inspection engine as compared to previous XG versions. This is a game-changer.”

Latency too often deters IT admins from using decryption, as seen in an independent Sophos survey of 3,100 IT managers in 12 countries. The survey white paper, “The Achilles Heel of Next-Gen Firewalls,” reports that while 82% of respondents agreed TLS inspection is necessary, only 3.5% of organizations are decrypting their traffic to properly inspect it.

Key features

Sophos XG Firewall offers the following features organizations can leverage to mitigate undetected attacks.

Inspection of TLS 1.3 to detect cloaked malware: New port-agnostic TLS engine doubles crypto operation performance over previous XG versions

Optimized critical application performance: New FastPath policy controls accelerate performance of SD-WAN applications and traffic, including Voice over IP, SaaS and others, to up to wire speed

Adaptive traffic scanning: The newly enhanced Deep Packet Inspection (DPI) engine dynamically risk-assesses traffic streams and matches them to the appropriate threat scanning level, enhancing throughput by up to 33% across most network environments

Threat analysis with SophosLabs intelligence: Provides network administrators with the SophosLabs AI-enhanced threat analysis needed to understand and adjust defenses to protect against a constantly changing threat landscape

Comprehensive cloud management and reporting in Sophos Central: Centralized management and reporting capabilities in Sophos Central provide customers with group firewall management and flexible cloud reporting across an entire estate without additional charge

Integration with Sophos Managed Threat Response (MTR) service: Customers of XG Firewall who also subscribe to the Sophos MTR Advanced service will have deeper actionable intelligence to prevent, detect and respond to threats, as a result of the integration

Sophos XG Firewall is available in the cloud-based Sophos Central platform alongside Sophos’ entire portfolio of next-generation cybersecurity solutions. Sophos’ unique Synchronized Security approach empowers these solutions to work together for real-time information sharing and threat response.