Half the World’s Malware is Now Encrypted

F5 Miniature
Published May 06, 2021

What you can’t see could be hurting your organization, and encryption is a major blind spot. According to F5 Labs, over 80% of worldwide internet traffic is encrypted, and the lack of visibility into encrypted traffic presents a substantial security threat. According to a recent report from security researchers at Sophos, nearly half (46%) of all malware in 2020 was hidden within an encrypted package. Organizations that do not have the resources to decrypt traffic packets may therefore be letting massive amounts of malware enter their networks. Without visibility into encrypted traffic, your organization’s assets may be vulnerable to malicious attacks such as command-and-control communications (and the resulting attacks) or data exfiltration.

Why is So Much Malware Encrypted Today?

In the report, the researchers identified two major reasons for the increase in encrypted malware. First, they found that more and more malware is being hosted on legitimate cloud-based storage solutions, such as GitHub and Google Workspace, which are encrypted with TLS. Hackers were therefore piggybacking off existing certificates from trusted organizations in order to attack enterprises. Second, the researchers suggested that the wide availability of TLS-enabled code snippets allowed bad actors to use encryption easily and frequently. And with the increasing amount of legitimate traffic spurred by remote work during the Coronavirus pandemic, it is even more imperative for organizations to keep up with the high demand while balancing organizational security.

However, encryption is certainly not “the bad guy.” In fact, encryption is vital to protecting data privacy. While handling sensitive data online, from accessing bank records, to entering a password, to checking medical records, the ubiquitous padlock in our browser bars provides users with a sense of confidence when browsing the web. Medical records and financial records can stay secure, and the theft and misuse of data is decreased significantly. And critically, application hosts can stay compliant with regulations meant to protect user privacy such as the European Union’s General Data Protection Regulation (GDPR)—which recommends, but does not require, encryption—and the California Consumer Privacy Act (CCPA), and act as good stewards of their user’s data.

But bad actors can also obtain TLS certificates. Encryption, while helpful in protecting users’ data privacy, may create a serious risk for your enterprise if not decrypted and inspected for malicious payloads coming into your environment, and sensitive data exfiltration or command-and-control communications on outbound traffic. While no-cost and readily available TLS certificates allow application hosts to cheaply protect their users’ data privacy, bad actors can also hide malware behind a certificate. And it’s becoming easier and easier for them to do so.

Inefficient Decryption Solutions Can Lead to Multiple Points of Security Failure

At your organization, you may already be addressing the threat of encrypted traffic by using devices in your security stacks, such as data loss prevention software (DLPs), next-gen firewalls (NGFWs), or an Intrusion Prevention System (IPS), among others, to decrypt, inspect the package for malware, and re-encrypt traffic traversing your network. And while these security solutions can be used to decrypt packets, they don’t do the job very well or very efficiently.

These solutions were designed to address security, and not the computationally intensive task of traffic decryption. Taking valuable energy and cycles away from their primary task of security can result in devices being overwhelmed and unintentional traffic bypass, which can lead to exploits and attacks. Security devices strung together in a “daisy chain” configuration can lead to multiple points of failure, like a series of lights on a string. If one fuse blows out while there is power flowing through the wire, every light after the broken fuse in the string will also turn off and no longer be functional. Each component is a possible point of failure. One element falls down, and the whole system (or security stack) is impacted.

Daisy-chaining security devices like a string of lights is also not cost-effective or efficient. In addition to creating multiple points of failure, this model increases security’s total cost of ownership (TCO) by requiring subscriptions (or promoting over-subscription) to a variety of services, leads to high latency for the end-user, and creates significant complexity. This means that many organizations are dealing with encrypted threats in a way that is both impractical and insufficient, and they may even be creating additional frustration for end users related to slow application access. Fortunately, F5 SSL Orchestrator is purpose-built to inspect encrypted traffic.

Orchestrating Resilient Infrastructure Security

F5 SSL Orchestrator provides cost-effective visibility and orchestration of all inbound and outbound SSL/TLS traffic. Instead of daisy-chaining security services together in a delicate series, F5 SSL Orchestrator employs a dynamic service chain model that intelligently manages traffic decryption across a security chain with a contextual classification engine using policy-based traffic steering. This system is resilient and non-linear, so that when one security service goes down, the system can still protect your organization’s assets. SSL Orchestrator also provides easy insertion of existing security solutions for optimal uptime, grouping of services, advanced monitoring capabilities, scaling, and load balancing of security solutions.

To find out how F5 SSL Orchestrator can help increase security for your business, please contact