A review of the paper covering its research, its educational value and its recommendations.
🔘 Paper page: enisa.europa.eu/publications/encrypted-traffic-analysis
This report explores the current state of affairs in Encrypted Traffic Analysis and in particular discusses research and methods in six key use cases: application identification, network analytics, user information identification, detection of encrypted malware, file/device/website/location fingerprinting, and DNS tunnelling detection. In addition, the report reviews recent research in TLS practices, identifying common improper practices and proposing simple but effective countermeasures: certificate validation and pinning, minimising the data exposed over HTTP redirects, using proper private keys, using the latest versions of TLS (i.e. 1.2 and 1.3) while deprecating older ones, and having certificates signed by a trusted CA.
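The TLS countermeasures listed above, expressed as a client configuration. This is an added example and not code from the ENISA report: it uses only the Python standard library, enforces certificate validation against a trusted CA and a minimum of TLS 1.2 (so SSLv3, TLS 1.0 and TLS 1.1 are refused), and adds a certificate pinning check after the handshake. The pin values and the `connect_pinned` helper are assumptions for illustration; an operator would supply the real SHA-256 fingerprints of the expected certificate plus a backup pin.

```python
# Added example (not from the ENISA report): a hardened TLS client that
# applies the report's recommended countermeasures.
import hashlib
import hmac
import socket
import ssl


def make_hardened_context(cafile=None):
    """Build an SSLContext that validates the server certificate chain and
    hostname and refuses anything older than TLS 1.2.

    cafile is an optional PEM bundle of trusted CAs; when None, the platform
    trust store loaded by ssl.create_default_context is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Deprecate SSLv3 / TLS 1.0 / TLS 1.1: the handshake fails below 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # These are already the defaults of create_default_context, but setting
    # them explicitly stops a later edit from silently weakening them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Return the security-relevant settings as plain values (for audits/tests)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": bool(ctx.check_hostname),
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lower-case hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints) -> bool:
    """Certificate pinning check: True if the presented certificate's SHA-256
    fingerprint equals one of the operator-supplied pins.

    The comparison is constant-time. pinned_fingerprints should contain a
    backup pin as well, so a routine certificate rotation does not lock
    clients out.
    """
    presented = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin.lower())
               for pin in pinned_fingerprints)


def connect_pinned(host, port, pinned_fingerprints, cafile=None, timeout=10.0):
    """Open a TLS connection; CA validation happens in the handshake, the pin
    is checked afterwards. Returns the negotiated protocol version.
    (Network-bound helper, assumed for illustration; not run offline.)
    """
    ctx = make_hardened_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_fingerprints):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```

Pinning is layered on top of, not instead of, CA validation: the chain is verified first by `wrap_socket`, and the pin then restricts which CA-valid certificate is acceptable. Keep at least two pins (current and backup) in the deployed list, otherwise every certificate rotation becomes an outage.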
Increasing processing capabilities (at decreasing cost), years of promoting cyber hygiene and security by design, and more security-conscious end users have led to widespread adoption of communication encryption. According to recent studies, 70%-90% of internet traffic is protected by HTTPS, and many applications employ encryption by default for their communication. Unfortunately, a similar picture emerges on the adversarial side. Beyond ransomware, more and more sophisticated malicious software also employs encryption – whether standard protocols, like TLS, or custom cryptographic algorithms – to avoid detection and protect its communication. Hence it is important to consider the alternatives organisations have to analyse their (encrypted) network traffic in order to detect malicious activities and react appropriately. The main conclusion of this report is that there is no one solution to rule them all: each has its drawbacks, and many of the researched ML- and AI-based proposals have not reached an appropriate maturity level.
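To make concrete what "analysing encrypted traffic" means without decrypting it, here is an added example (not from the ENISA report) covering two of the use cases named above: it reads constructed sensor records containing only handshake and query metadata (negotiated TLS version, SNI, DNS query names), flags flows negotiating the deprecated TLS versions the report recommends retiring, and flags DNS query patterns whose shape is consistent with tunnelling (many distinct, long, high-entropy leftmost labels under one base domain). The log format, the field names, the thresholds and the "last three labels" base-domain rule are assumptions made for this example.

```python
# Added example (not from the ENISA report): metadata-only analysis of
# encrypted traffic. Nothing is decrypted; only fields visible in the clear
# are inspected. The sensor records below are constructed for this example.
import math
from collections import defaultdict

# Constructed sensor output, one "kind key=value ..." record per line.
SAMPLE_LOG = """\
tls src=10.0.0.5 dst=203.0.113.10 version=TLSv1.3 sni=www.example.com
tls src=10.0.0.6 dst=203.0.113.11 version=TLSv1.0 sni=legacy.example.net
tls src=10.0.0.7 dst=203.0.113.12 version=TLSv1.2 sni=
dns src=10.0.0.8 qname=www.example.com
dns src=10.0.0.9 qname=4f3a9c2e7b1d0e5a6c8f.t.example.org
dns src=10.0.0.9 qname=9b8e1a4c0d7f3e2a5b6c.t.example.org
dns src=10.0.0.9 qname=0c7d2e9f4a1b8c3d6e5f.t.example.org
dns src=10.0.0.9 qname=e1f2a3b4c5d6e7f8a9b0.t.example.org
dns src=10.0.0.9 qname=5a6b7c8d9e0f1a2b3c4d.t.example.org
"""

# Versions the report recommends deprecating (assumed label spelling).
DEPRECATED_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse(log_text):
    """Turn the constructed record lines into dicts; an empty value (sni=)
    is kept as an empty string so its absence can be detected."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"kind": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def shannon_entropy(text):
    """Bits per character; encoded data has noticeably higher entropy than
    ordinary host names."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tls_findings(records):
    """Flag deprecated protocol versions and missing SNI, both visible in the
    handshake without decryption."""
    findings = []
    for rec in records:
        if rec["kind"] != "tls":
            continue
        if rec.get("version") in DEPRECATED_TLS:
            findings.append(("deprecated_tls", rec["src"], rec["dst"], rec["version"]))
        if not rec.get("sni"):
            findings.append(("missing_sni", rec["src"], rec["dst"], rec.get("version")))
    return findings


def dns_tunnel_findings(records, min_queries=4, min_label_len=16, min_entropy=3.5):
    """Group queries by base domain (last three labels, an assumption for the
    sample data) and flag bases receiving many distinct, long, high-entropy
    leftmost labels: the shape of data being encoded into DNS names."""
    by_base = defaultdict(list)
    for rec in records:
        if rec["kind"] != "dns":
            continue
        labels = rec["qname"].split(".")
        if len(labels) < 4:          # nothing encoded below the base domain
            continue
        by_base[".".join(labels[-3:])].append(labels[0])
    findings = []
    for base, firsts in by_base.items():
        suspicious = [lab for lab in set(firsts)
                      if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy]
        if len(suspicious) >= min_queries:
            findings.append(("dns_tunnel_suspect", base, len(suspicious)))
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for finding in tls_findings(recs) + dns_tunnel_findings(recs):
        print(finding)
```

The point of the example is the report's conclusion in miniature: each detector sees only a slice of the traffic and has its own blind spots (a tunnel using short, low-entropy labels slips past the DNS heuristic; a modern TLS version says nothing about the intent of the flow), so these checks are inputs to an analyst's triage, not verdicts on their own.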