
Interview: Zscaler’s Deepen Desai On Encrypted Attacks And Cybersecurity Trends In 2024

Zscaler’s Global CISO and Head of Security Research and Operations, Deepen Desai on encrypted malware attacks, generative AI trends and building a robust and effective Zero Trust architecture in 2024.


HTTPS, the standard for encrypting traffic to and from a website, is crucial for protecting browsing sessions and end-user data. Google reports that 95% of web traffic is now encrypted with HTTPS. But encryption is a double-edged sword: despite its security benefits, encrypted web traffic can be a significant blind spot for security teams, because a device that cannot decrypt a session sees only the destination, not the content.

Inspecting encrypted web traffic requires about ten times the computational power of inspecting unencrypted traffic, because the inspecting proxy must terminate each TLS session, examine the plaintext and re-encrypt it before forwarding. Organizations without a cloud-based proxy architecture therefore struggle to detect attacks delivered over encrypted channels. Common threats delivered this way include phishing pages, adware, ransomware, file-stealing malware and keylogging spyware.

Zscaler’s recent 2023 State of Encrypted Attacks Report revealed that 85.9% of total cybersecurity threats are now delivered over encrypted web channels, with browser exploits increasing by 297.1% year-on-year. To discuss the key findings of the report, and other cybersecurity trends we can expect to see in 2024, Expert Insights sat down with Zscaler’s Global CISO and Head of Security Research and Operations, Deepen Desai. Listen to our full interview on the Expert Insights podcast, or read an edited summary below.

Deepen, thanks for joining us today. It would be great if you could kick things off with an explanation of what exactly an encrypted attack is, and how they work.

Thank you. Encrypted attacks are basically where threat actors are taking advantage of the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) channel to deliver the malicious payload, to deliver the end payload, to start the attack, and even to exfiltrate data once they have successfully established persistence in your environment. 

When we say encrypted attacks, it’s basically using the legitimate HTTPS channel. There are many variants of this attack. We could think of traditional web pages or files being served over this channel. Or the smarter ways, where things like DNS over HTTPS, for instance, is also a legitimate channel that can also be abused by the threat actors.

Zscaler’s report indicates that these attacks can be a significant blind spot for security teams. I was very interested in the statistic that encrypted traffic inspection can require ten times the resources compared with non-encrypted inspection. What are the key takeaways from the report, and what has it told us about how encrypted attacks are evolving?

You were spot on when you mentioned the legacy technology is not able to scale. It requires 10x more compute power when it comes to inspecting TLS traffic. This is where the organizations that are still leveraging legacy infrastructure have to make decisions on what to inspect and what not to inspect without impacting user experience. When you have a cloud native, proxy-based architecture, that problem goes away. 

As far as the report is concerned, the team actually looked at nearly 30 billion threats that were blocked over encrypted channels last year. And when we looked at it we actually saw threat actors leveraging encrypted channels across the kill chain, starting with the delivery stage where it could be a phishing page being delivered, or a link that results in a drive-by download or exploitation. The actual exploit payload is also being delivered over TLS. Stage one, final payload, as well as command and control activity where the malware is communicating back with the attacker-controlled infrastructure – all of that is leveraging the encrypted channel.

So, the key finding was that this is a trend that continues to grow. This should not be surprising to anyone. Overall, over 90% of the internet-bound traffic egressing the enterprise environment is over the TLS channel. The attacks that we saw last year represented a 24% growth year-over-year when compared to the year before. Almost 78% of these attacks involved a malicious payload. This could be a compromised HTML page, it could be a JavaScript, it could be an executable file being downloaded, or a macro document. Anything that involved a malicious payload represented 78% of the total attacks.

The team also looked at various industry verticals, how the trends differ, and we saw manufacturing as the most targeted industry vertical in this case. And then there is additional data that you will be able to see in the report. You will see the growth trends by threat categories. We also observed growth in phishing and browser exploitation attempts over encrypted channels.

One of the other things that caught my eye in the report was how generative AI technologies can be a key driver of these attacks, enabling attackers to launch huge amounts of ‘at scale’ attacks. How do you see that having an impact on encrypted attacks moving forward?

Yes, that’s a very good point. I have a predictions blog where I call 2023 out as the generative AI revolution, or evolution, year. It really marked a key milestone in terms of how enterprises (as well as the bad guys) are starting to use generative AI to become more efficient and do things at scale. Now, 2023 was just a starting point. We’re going to see more and more of that this year when it comes to encrypted attacks. I’m just going to walk you through a simple chain of how an adversary can use generative AI to launch large scale attacks – even ransomware attacks.

You could use something like ChatGPT for instance to ask: “What are some of the top vulnerabilities that exist in a VPN or a firewall, that are usually found exposed to the Internet?” Then you could use a vulnerable, or a dark web version of ChatGPT, there are a couple of them doing the rounds, and ask it to craft that exploit code for you as well. You could then launch those against exposed assets, to gain a foothold. 

The generative AI piece can also be leveraged to spin up hundreds, if not thousands of phishing pages, and these pages can be hosted in the native language. You don’t need to know the language of the local region. Generative AI will solve that problem for you. These pages can then be hosted on legitimate storage service providers, cloud service providers.

We’ve seen Microsoft being abused, Google, [and] AWS. They will rely on the wildcard certificate (e.g. *.), whether it’s on the Azure side or on the Google side. They will abuse that and then serve those phishing pages over encrypted channels. The same method can be used for serving stage one payloads, stage two payloads, and ransomware payloads.

So, with that in mind, what are the most effective tools that you would recommend to prevent encrypted malware attacks, and what are the best practices that organizations should be implementing to stay protected?

I think of TLS as yet another channel. But it’s a channel that is going to represent a significant blind spot if the organizations don’t tackle it. The tools and technologies exist. I’ve seen different scenarios. Number one is: yes, the underlying legacy architecture prevents them from inspecting TLS at scale. But then there is also this second bucket where the tools and technologies are capable of doing it, but there is a privacy concern. Which is legitimate, but you should have a balanced approach. Pick things like not doing TLS scanning for government sites, or financial sites or healthcare sites. But everything else, where a user is allowed to host arbitrary content or upload content, needs to be TLS inspected, because otherwise it represents a blind spot for your overall security posture. 

You may have the best security tooling in place, but if you’re only going to see a connection going to a domain, and the IP address, which may belong to Google, or Microsoft, or AWS, or Dropbox, it’s not going to help much, unless you’re just outright blocking that destination.

So, the best practices involve having a balanced strategy in terminating these TLS connections, inspecting it, and, obviously, having architecture implemented that allows you to do that without having to worry about compute resources. That’s number one. 

Number two is implementing zero trust architecture. Again, I always call this out as one of the most important things when you’re fighting against any type of multi-stage attacks and TLS driven attacks are no different. This is where you’re trying to look at your overall security tooling holistically. What are you doing to reduce that external attack surface? What are you doing to enforce consistent security to prevent that initial compromise? This is where inspecting that encrypted channel, consistently, comes into play.

What are you doing to reduce your blast radius? Prevent that lateral threat propagation, east-west. TLS inspection also comes into play when a compromised asset, or malicious insider, is hitting your internal applications with the intent to steal data. And then, finally, what are you doing to prevent your data from being exfiltrated, to prevent data loss? TLS inspection plays a very important role here as well, because like I said, threat actors are using legitimate cloud storage service providers to exfiltrate data from the victim environment. So, you have to perform TLS inspection to catch it and to block it.

Stepping back and looking at the broader threat landscape as we move from 2023 into 2024, what would you say were the biggest cybersecurity challenges you saw last year and what lessons should organizations be taking into this year?

I think the number one top-of-the-mind challenge was ransomware. Ransomware has been in the news for the past several years. Last year, it was one of the most successful years for ransomware, in terms of successful attacks that were conducted, and the amount of ransom that was exfiltrated as well. We also saw different tactics being used by some of the more prevalent ransomware operators. Ransomware-as-a-Service continued to rise. We saw more gangs come into play where they were acting as the initial access broker. 

Ransomware also involved attacks where they were not encrypting the data – that was another trend that we saw, especially on the attacks that were successful. [Attackers] will just exfiltrate tons and tons of data and hold the victim accountable. If the victim doesn’t pay the ransom, the data is made public. This is where there were a lot of attacks that were successful, yet they never became public information, because there was no business disruption. The victim paid the ransom and data was destroyed.

The second area of learning is generative AI. I talked about AI for security, now I’m talking about security for AI. It’s equally important. With generative AI, I’m talking about large language models and various apps that are already out there allowing organizations to become more efficient.

However, there were also mistakes made. There were not proper controls put in place in terms of the data that was egressing the environment, as well as the data that was also brought back in. This was purely because of a lack of understanding. So, there are a lot of lessons learned over how to securely enable usage of these generative AI applications in the enterprise environment. 

If I were to give an example, Zscaler Zero Trust Exchange, for instance, helps large organizations securely enable usage of generative AI applications. We make sure none of the sensitive proprietary data is leaking out to public instances of LLMs. And then we also make sure that the things that are coming back into your environment are not malicious.

The third thing, and this was during the middle of last year, were, I wouldn’t call them sophisticated, but a variation of social engineering attacks. Groups like Scattered Spider were targeting IT help desk employees, picking up the phone and calling the employee. But they were targeting a specific group of users in these enterprises, saying “Hey, I’m an employee of the organization, I lost my phone, I need help resetting my account, my MFA, so that I can get access and be productive.” And they enjoyed a lot of success, because of the way certain processes are set up on the IT side. Everyone learned out of it. ThreatLabz issued a lot of advisories and guidance to global organizations around how to defend against these types of attacks.

And then the final piece that I’ll call out is an increase, and this is a growing trend from the past five years now, in targeted attacks happening against VPNs and VPN concentrators that are exposed to the Internet. The goal here is to gain that entry point into the environment, to move around, get to the crown jewels, and get the data.

Last year, we talked a lot about the move to consolidated security platforms, integrating AI into security tools and AI security ‘co-pilots’. Looking ahead to 2024, what are your predictions for security teams that we are likely to see this year? 

Yeah, platform consolidation will continue to happen. That is a theme that we will see in 2024. Given the type of attacks that we see and the way the threat landscape has evolved, all organizations realize that a solid platform-based approach is what is required in order to defend against these types of attacks, rather than managing a string of point products. Because the correlation, the time it takes to respond, is too much. There are areas, for example, where Zscaler comes into play, where we solve the entire north, south, east, west side of the house by connecting the right parties and enforcing policies, performing TLS inspection and all of that.

AI will play a very important role, both on the good side as well as on the bad side. I’m going to focus on the good side right now. We will see AI, and I’m talking about both generative and predictive AI, being leveraged to extensively improve detection efficacy by almost all security vendors. Now, the efficacy, the impact will depend on the amount of data that these vendors have. Because, ultimately, the better your training data is, and the better your subject matter expertise, the better the outcomes.

It will also be used to thwart AI driven attacks. You will see AI start being used to fight AI, and that’s ultimately the theme that we’re building towards. It’s already started, and we’ll continue to see more in the coming months. AI will also be leveraged to improve overall security posture. This will be achieved by doing policy impact analysis, helping with configuration, and finding some areas where you could optimize. This is having a trained large language model that’s able to identify those attack paths and is able to identify those configuration issues. We’ll see more and more security producers embedding that, and security teams around the world taking advantage of that.

My final question for you Deepen – what are your recommendations for security leaders and CISOs as they start to plan out the year ahead and the investments they should be making?

I’ll give three recommendations. Number one, I already mentioned around the zero-trust architecture. Everyone understands the importance of zero trust architecture, but everyone is at a different phase of their journey. You need to prioritize certain aspects of zero trust architecture. If you want to learn more, there are certain publications we have done. You need to prioritize those, rather than doing it after you get hit by an attack. Make sure you prioritize the most important elements of zero trust.

That brings me to the second point, which is actually one of the critical aspects of zero trust, which is prioritization of user-to-app segmentation. Not bringing the user on the same network as the application. There is no concept of ‘network’, you are just connecting the right party to the right party. All security leaders and CISOs should prioritize this because it is where the maximum damage happens in case of many of the attacks. Whether it’s TLS driven, whether it’s ransomware, whether it’s generative AI driven. One asset going down, one identity going down is an incident that you need to respond to, and if you have a flat network, it provides an open runway for the threat actors to move around and bring down your entire environment. I highly recommend fixing this issue.

And then the third aspect. Think of AI: how can AI improve your security processes and efficacy? And then also think about security for AI as you enable your organization for various non-security use cases. Pay a lot of attention to the security of those large language models, the AI applications your organization is fast tracking, in order to make sure you don’t run into a data leakage incident.

In my predictions, I call out in greater detail how we will see threat actors launching supply chain attacks on the generative AI ecosystem and development environments. This is where, not only, will they target an organization’s own LLM and AI adoption, but they will also target the supply chain which these adoptions will rely upon. So, it’s a third-party attack that will then downstream into thousands of organizations that will rely on that third party.
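The “balanced approach” Desai describes for TLS inspection (bypass decryption for privacy-sensitive categories, inspect everything where users can host or upload arbitrary content) and the blind spot he points out (without decryption a gateway sees only a domain and an IP that may belong to a large cloud provider) can be made concrete as a small policy evaluator. The following is an added editorial example, not Zscaler code and not part of the interview. The category labels, the hostname suffixes for shared storage and the sample flows are all constructed for illustration; a real deployment would take categories from its URL-categorization feed and maintain the suffix list from provider documentation.

```python
"""Selective TLS inspection policy: an added editorial illustration.

Not Zscaler code. Category labels, hostname suffixes and sample flows are
constructed assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Categories exempted from decryption for privacy reasons (assumed labels).
PRIVACY_BYPASS_CATEGORIES = frozenset({"government", "finance", "healthcare"})

# Hostname suffixes under which any tenant can publish content behind the
# provider's wildcard certificate. Assumed examples of the pattern described
# in the interview; a real list would be maintained separately.
USER_CONTENT_SUFFIXES = (
    ".blob.core.windows.net",
    ".storage.googleapis.com",
    ".s3.amazonaws.com",
)


@dataclass(frozen=True)
class Flow:
    """One outbound TLS connection as an egress gateway sees it."""
    sni: str                            # server name from the ClientHello (cleartext)
    dest_ip: str                        # destination address (cleartext)
    category: str                       # URL category assigned to the SNI host
    request_path: Optional[str] = None  # only knowable after decryption


@dataclass(frozen=True)
class Decision:
    inspect: bool
    reason: str


def visible_without_inspection(flow: Flow) -> Dict[str, str]:
    """What a gateway that does not terminate TLS gets to act on: no path,
    no headers, no body. For shared cloud hosts this is not enough to tell
    a legitimate upload from a phishing page."""
    return {"sni": flow.sni.lower().rstrip("."), "dest_ip": flow.dest_ip}


def decide(flow: Flow,
           bypass_categories: frozenset = PRIVACY_BYPASS_CATEGORIES,
           user_content_suffixes: tuple = USER_CONTENT_SUFFIXES) -> Decision:
    """Inspect by default; bypass only privacy-sensitive categories; never
    bypass hosts where arbitrary users can upload content."""
    host = flow.sni.lower().rstrip(".")
    # Rule 1 runs before the category check so that a miscategorised (or
    # attacker-influenced) label cannot exempt shared storage: on these hosts
    # the domain and IP belong to the provider and say nothing about the content.
    if host.endswith(user_content_suffixes):
        return Decision(True, "user-uploadable host: domain reputation is not a signal")
    # Rule 2: the privacy carve-out for sites where decryption is not appropriate.
    if flow.category in bypass_categories:
        return Decision(False, f"privacy bypass for category '{flow.category}'")
    # Rule 3: everything else is inspected so it does not become a blind spot.
    return Decision(True, "default: inspect")


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count inspected vs bypassed flows, e.g. for a policy review."""
    counts = {"inspect": 0, "bypass": 0}
    for flow in flows:
        counts["inspect" if decide(flow).inspect else "bypass"] += 1
    return counts


# Constructed sample traffic. The last two flows go to the same shared
# storage frontend: one is a legitimate report, the other a phishing page
# that inherited a benign-looking category.
SAMPLE_FLOWS = (
    Flow("portal.examplebank.test", "203.0.113.10", "finance", "/login"),
    Flow("www.health.example.test", "203.0.113.11", "healthcare", "/records"),
    Flow("news.example.test", "203.0.113.12", "news", "/"),
    Flow("acme-reports.blob.core.windows.net", "203.0.113.20", "finance", "/q3.pdf"),
    Flow("acme-payroll.blob.core.windows.net", "203.0.113.20", "finance", "/office-login.html"),
)

if __name__ == "__main__":
    for sample in SAMPLE_FLOWS:
        verdict = decide(sample)
        action = "INSPECT" if verdict.inspect else "BYPASS"
        print(f"{sample.sni:40} {action:7} {verdict.reason}")
    print(summarize(SAMPLE_FLOWS))
```

Running the block prints one line per flow: the bank and healthcare sites are bypassed, the news site is inspected, and both storage-account flows are inspected even though their category says “finance”, because the suffix rule fires first. The `visible_without_inspection` helper makes the blind-spot argument explicit: for the two storage flows it returns the same destination IP and the same provider suffix, so nothing a non-decrypting gateway can see separates the legitimate report from the phishing page.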

You can listen to our full interview with Deepen Desai on the Expert Insights podcast:
