It wasn’t that long ago when the ‘crown jewels’ of Equifax, the sensitive data, were up for grabs by the hackers who “masked their incursions by using encrypted communications.” Leveraging encryption to gain access to critical data has become a frequent occurrence in recent times. Bad actors forge cryptographic keys and digital certificates to create tunnels into your network, thereby unleashing a range of malicious activities like installing malware and stealing data.
In networking, tunneling is a method by which data is transported across a network using protocols that are not supported by that particular network. Tunneling works by encapsulating data packets and is critical for securing communication across networks. Some of the major types of tunnels include Secure Shell (SSH) tunnel, Virtual Private Network (VPN) tunnel, split tunnel, and Generic Routing Encapsulation (GRE) tunnel.
A VPN tunnel refers to an encrypted connection between your device and a VPN server of your organization. Cryptographic keys ensure the security of the VPN tunnel, thus safeguarding your online activities from hackers and internet service providers. The VPN tunnel isn’t immune to security risks unless the encryption is strong enough to fend off threat actors and the keys are well secured. According to Zscaler’s 2022 VPN Risk Report, 44 percent of organizations witnessed an increase in exploits targeting their VPN, and 71 percent of them are concerned that VPN may jeopardize their ability to keep the IT environments secure.
The primary aim of an SSH tunnel is to safeguard the connection between a local and remote computing device. While SSH is commonly used to secure data transfer over untrusted networks, it is also pivotal in creating a secure tunnel between devices for forwarding other network connections that aren’t normally encrypted. As an SSH tunnel plays the role of a medium for allowing remote access to internal corporate resources, it can be an easy target for malicious actors.
Let’s look at some of the common ways hackers exploit an encrypted tunnel to gain unauthorized access to networks.
- Set up phishing websites using TLS/SSL tunnels: A phishing website is a spoofed website having a domain name and the appearance of a legitimate website. They are designed in a way such that users believe them to be a genuine and legit site and where users, unfortunately, disclose their personal information like credit card details and password credentials. Attackers use TLS/SSL certificates to establish seemingly trustworthy and authentic identities, which the victim’s browser will trust. Once the targeted user establishes an encrypted session with the malicious website, the attackers lay their hands on this sensitive information. As HTTPS sessions are generally trusted, these encryption attacks are hard to detect.
- Move malicious payloads through SSH tunnels: SSH keys are a pair of public and private keys that are used to authenticate and establish an encrypted communication channel between a client and a remote machine over the internet. SSH authenticates each machine via server and client keys without the need to manually type authentication credentials. Compromised SSH tunnels prove to be an ideal environment for hackers to move malicious payloads between file servers and applications in stealth mode and steal data.
- Compromise IPsec and VPN tunnels: Internet Protocol Security (IPsec) or L2TP is a set of protocols that are used to establish encrypted communication between devices. This protocol helps in securing data transferred over public networks. It is also used in setting up VPNs and functions by encrypting the IP data packets and also authenticating the source of the packets. As IPsec tunnels enable remote access, cyber criminals use them to penetrate networks during discovery and incursion attack phases by duping unsuspecting users. By launching these attacks, hackers can successfully compromise VPN endpoints and enjoy a free pass into networks.
How to Secure Encrypted Tunnels?
TLS/SSL inspection adds critical visibility to the TLS traffic and is an efficient way to secure encrypted tunnels from getting compromised. TLS inspection decrypts and monitors the encrypted traffic while making it available for security features like URL filtering and malware prevention. Without TLS inspection, you will have limited visibility into the encrypted traffic that may have malware in disguise. This process allows security professionals and administrators to implement effective access control and threat detection strategies for securing encrypted tunnels.
Besides TLS inspection, managing and monitoring keys and certificates are essential. Compromised SSH keys and digital certificates like TLS certificates can weaken the security posture of your organization, leading to unfortunate incidents. Sometimes, SSH keys that are long obsolete but still in the network can cause more harm than live keys. Since organizations are not aware of their existence, hackers could steal them undetected and use them to gain entry into the network. Detecting expired or unused keys and promptly invalidating them can stop a large number of attacks, like man-in-the-middle attacks and malware injection, from happening.
Visibility is the cornerstone of any protection mechanism. Yet, most enterprises still have little to no visibility into their certificate and key infrastructure. With AppViewX CERT+, you can automate certificate and key lifecycle management to proactively mitigate threats and ensure compliance. AppViewX CERT+ powered by enterprise-grade automation helps with smart discovery, holistic visibility, and centralized management of certificates and keys across hybrid multi-cloud environments.