Without proper inspection, encrypted data can be a significant security threat as the volume of malware in encrypted traffic grows. Most organizations are unprepared to conduct proper traffic analysis to cope with the issue. That’s the takeaway from two sets of new research into the threat malware hidden in encrypted traffic poses to organizations.
While CISOs might be aware of the risk of malware, most of it, a whopping 91.5%, is arriving over encrypted connections, according to the latest WatchGuard Internet Security Report Q2 2021. What makes this statistic so alarming is that just 20% of organizations are equipped to monitor encrypted traffic—meaning 80% of organizations are potentially missing most malware by not decrypting traffic for security scans.
Specifically, WatchGuard found that just two malware variants, XML.JSLoader and AMSI.Disable.A, accounted for more than 90% of malware detections over secure web connections. Without some method of efficient traffic analysis and the means to identify even this small number of variants, the threat level is high.
The sheer volume of malware delivered over encrypted traffic has also seen a huge spike. As in many other areas where it has supercharged problems, the pandemic has driven a 314% increase over 2020 levels of malware hidden in encrypted traffic, according to Zscaler’s ThreatLabz: The State of Encrypted Attacks, 2021 report, which analyzed billions of threats delivered over encrypted channels in 2021.
Performance concerns and privacy considerations are the biggest reasons this malware is getting through. “Too frequently, inspection of encrypted traffic is not employed because of the performance hit. This is why so much malware enters organizations over port 443—no one is decrypting the packets to look for malware. We have to modernize our security architectures to address the performance requirements when decryption and deep packet inspection are required,” says Matt Stamper, CISO and executive advisor at EVOTEK, who is also president of the ISACA San Diego Chapter.
Stamper is in favor of conducting threat modeling to review the different inherent risks involving malware in encrypted traffic. He also believes that security architectures must take into account that most traffic can and should be encrypted.