SESSION ID: ACB-W09
The Network Is Going Dark: Why Decryption Matters for SecOps
Jesse Rothstein, Co-Founder and CTO, ExtraHop Networks (@Jesse_Rothstein)
Joshua Northrup, Manager of Monitoring and Automation, Fiserv
#RSAC

Introduction
Jesse Rothstein: Jesse is responsible for the technical direction and architecture of the ExtraHop platform. Rothstein co-founded ExtraHop in 2007. Before ExtraHop, Jesse held a six-year tenure at F5 Networks, where he was a Senior Software Architect and co-inventor of the TMOS platform at F5.
Joshua Northrup: Josh planned, architected and implemented the ExtraHop deployment at Fiserv, one of the world's largest payment clearinghouses. At Fiserv, Northrup designed and implemented an intelligent monitoring and self-healing automation framework.

Agenda
• Encryption Trends
• TLS 1.3
• Network Detection
• Visibility Challenges
• Traffic Analysis
• Decryption
• Fiserv Case Study
• Next Steps

Encryption Trend
[Chart: "% Sites" and "% Pages", Aug 2015 to Aug 2019, 0% to 100%]
• 91% of pages loaded over HTTPS in Chrome (Google Transparency Report, "HTTPS encryption on the web")
• 58% of top sites redirect to HTTPS (Scott Helme, "Top 1 Million Analysis", September 2019)

TLS 1.3 Is Here
Implementations shipping TLS 1.3:
– Chrome version 65 (March 2018)
– Firefox version 60 (May 2018)
– Java 11 (Sept 2018)
– OpenSSL 1.1.1 (Sept 2018)
– Apache 2.4.37 (Oct 2018)
– Go 1.13 (Sept 2019)
– Apple SecureTransport (early 2019)
– Microsoft Edge 79 (mid-Jan 2020)
– Windows 10 version 1909 (Nov 2019) (experimental only)
[Timeline: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 on an axis from 1994 to 2018]

TLS 1.3 Highlights
– Faster handshakes
– No obsolete ciphers or hashes
– No compression or renegotiation
– Downgrade protection
– Encrypted certificates
– Perfect Forward Secrecy
[Timeline: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 on an axis from 1994 to 2018]

TLS 1.2 Handshake (2-RTT handshake)
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished
Server -> Client: ChangeCipherSpec, Finished, [Application Data]
Both directions: Application Data

TLS 1.3 Handshake (1-RTT handshake)
Client -> Server: ClientHello {+KeyShare}
Server -> Client: ServerHello {+KeyShare}, EncryptedExtensions, Certificate, CertificateVerify, Finished, [Application Data]
Client -> Server: Finished, [Application Data]
Both directions: Application Data

Why Network Detection?
"Network-based detection tools got the highest levels of satisfaction when compared against other detection approaches." (2019 SANS SOC Survey Results)
[Figure: the "Cyber Triad": NDR (network data), SIEM (log files), EDR (agents)]

North-South vs. East-West
NORTH-SOUTH: Initial Access, Command & Control, Exfiltration, External Services
Network Detection
EAST-WEST: Discovery, Credential Access, Lateral Movement, Collection, Privilege Escalation

North-South Visibility: HTTP
Unencrypted traffic = complete visibility
DNS: What's the IP of example.com? -> 93.184.216.34
REQUEST to web server: GET /index.html, Host: example.com
RESPONSE: 200 OK

North-South Visibility: HTTPS (TLS 1.2)
Good visibility through DNS, SNI, and Server Certificate
DNS: What's the IP of example.com? -> 93.184.216.34
REQUEST to web server: SNI: www.example.com
RESPONSE: Server Certificate, CN=www.example.org

X.509 Certificate (Server Certificate)
    Version: 3 (0x2)
    Serial Number: 0f:d0:78:dd:48:f1:a2:bd:4d:0f:2b:a9:6b:60:38:fe
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
    Validity
        Not Before: Nov 28 00:00:00 2018 GMT
        Not After : Dec  2 12:00:00 2020 GMT
    Subject: C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, OU=Technology, CN=www.example.org
    Public Key Algorithm: rsaEncryption (2048 bit)
    X509v3 extensions:
        X509v3 Authority Key Identifier:
            keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
        X509v3 Subject Key Identifier:
            66:98:62:02:E0:09:91:A7:D9:E3:36:FB:76:C6:B0:BF:A1:6D:A7:BE
        X509v3 Subject Alternative Name:
            DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net

North-South Visibility: HTTPS (TLS 1.2) + DoH
[Slide truncated in this preview]
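The two handshake slides and the "visibility through DNS, SNI, and Server Certificate" slide together describe what a passive sensor can still read once traffic is encrypted. The script below is an added example, not code from the slides or from ExtraHop; it constructs a synthetic ClientHello/ServerHello pair (zero randoms, no real capture) and parses the fields that remain cleartext in both TLS 1.2 and TLS 1.3: the SNI, the offered cipher suites, and the supported_versions extension, which is how a sensor learns that TLS 1.3 was negotiated and that the server Certificate will arrive encrypted after EncryptedExtensions. It goes slightly beyond the slides by also handling the ServerHello side; the hostname www.example.com and the cipher suite values are assumptions chosen for the sample.

```python
"""Passive TLS handshake inspection (added example, not from the slides).

Builds a constructed ClientHello/ServerHello pair (synthetic sample data, no
real capture) and parses the fields that stay cleartext in TLS 1.2 and 1.3:
SNI, offered cipher suites and supported_versions, which tells a sensor
whether TLS 1.3 was negotiated and the Certificate will be encrypted.
"""
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def _record(hs_type, body):
    """Wrap a handshake body in a Handshake header and a TLS record header."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS12, len(hs)) + hs


def build_client_hello(sni, versions, cipher_suites):
    """Constructed ClientHello: zero random, empty session id, null compression."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_body = struct.pack("!H", len(entry)) + entry
    sv_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = _ext(EXT_SERVER_NAME, sni_body) + _ext(EXT_SUPPORTED_VERSIONS, sv_body)
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(HS_CLIENT_HELLO, body)


def build_server_hello(selected_version, cipher_suite):
    """Constructed ServerHello; TLS 1.3 announces itself only via supported_versions."""
    exts = _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!H", TLS13)) if selected_version == TLS13 else b""
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite)
            + b"\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(HS_SERVER_HELLO, body)


def _parse_extensions(buf):
    exts, off = {}, 0
    while off + 4 <= len(buf):
        etype, elen = struct.unpack_from("!HH", buf, off)
        exts[etype] = buf[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def parse_hello(record):
    """Return the cleartext fields of a ClientHello or ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32                      # skip legacy_version and random
    off += 1 + body[off]              # skip session id
    info = {"legacy_version": legacy_version}
    if hs_type == HS_CLIENT_HELLO:
        cs_len = struct.unpack_from("!H", body, off)[0]
        off += 2
        info["cipher_suites"] = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
        off += cs_len
        off += 1 + body[off]          # skip compression methods
    elif hs_type == HS_SERVER_HELLO:
        info["cipher_suite"] = struct.unpack_from("!H", body, off)[0]
        off += 3                      # cipher suite + compression method
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    exts = {}
    if off + 2 <= len(body):          # extensions block is optional in TLS 1.2
        ext_len = struct.unpack_from("!H", body, off)[0]
        exts = _parse_extensions(body[off + 2:off + 2 + ext_len])
    sv = exts.get(EXT_SUPPORTED_VERSIONS)
    if hs_type == HS_CLIENT_HELLO:
        sni = exts.get(EXT_SERVER_NAME)
        if sni:                       # list len(2) + type(1) + name len(2) + name
            info["sni"] = sni[5:5 + struct.unpack_from("!H", sni, 3)[0]].decode()
        info["offered_versions"] = ([struct.unpack_from("!H", sv, 1 + i)[0] for i in range(0, sv[0], 2)]
                                    if sv else [legacy_version])
    else:
        info["negotiated_version"] = struct.unpack_from("!H", sv, 0)[0] if sv else legacy_version
        # In TLS 1.3 the Certificate message follows EncryptedExtensions and is encrypted.
        info["certificate_visible"] = info["negotiated_version"] < TLS13
    return info


if __name__ == "__main__":
    print(parse_hello(build_client_hello("www.example.com", [TLS13, TLS12], [0x1301, 0xC02F])))
    print(parse_hello(build_server_hello(TLS13, 0x1301)))
    print(parse_hello(build_server_hello(TLS12, 0xC02F)))
```

The point of the `certificate_visible` flag is operational: a sensor that keyed its hostname attribution on the server certificate under TLS 1.2 must fall back to SNI (and DNS) once the ServerHello carries supported_versions = 0x0304, and if the client also moves DNS to DoH, SNI is the last cleartext identifier left.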
Source: PDF document 2020_USA20_ACB-W09_01_the-network-is-going-dark-why-decryption-matters-for-seops (RSA Conference 2020, Applied Encryption and Blockchain track; 39 pages, of which this preview covers the first 5).