Organizations that have not implemented controls for detecting malware hidden in encrypted network traffic are at risk of having a vast majority of malicious tools being distributed in the wild, hitting their endpoint devices.
A study of threat activity conducted by WatchGuard Technologies using anonymized data gathered from customer networks showed 91.5% of malware detections in the second quarter of 2021 involved malware arriving over HTTPS-encrypted connections. Only 20% of organizations currently have mechanisms for decrypting and scanning HTTPS traffic for malware, meaning the remaining 80% are at risk of missing nine-tenths of the malware hitting their networks daily, WatchGuard said.
Corey Nachreiner, chief security officer at WatchGuard, says one reason why more organizations have not enabled network-based HTTPS decryption controls is because of both the perceived and somewhat real complexity of this setup.
“[For] man-in-the-middle decryption to work without messing up the sanctity of the HTTPS certificates that secure that traffic, you have to set up an intermediate or root CA certificate that is part of the official certificate verification process,” he says.
There are multiple ways to do this, some of which are tricky and others not as complicated.
“In short, it does take some work to do this the first time — and create exceptions so it starts working well — which is why some don’t make the effort,” Nachreiner says. “But we firmly believe it is worth the effort because otherwise your network security will miss a lot.”
The data point on encrypted malware is one among several in a report WatchGuard released this week that highlighted troubling trends for organizations on the malware front.
WatchGuard’s analysis, for instance, showed the number of script-based, or fileless, attacks in the first six months of this year alone had already reached 80% of the total for all of 2020. Data from last quarter suggested that fileless malware is on track to double in volume this year compared with 2020.