In today's digital world, we’ve come to trust HTTPS as the standard for encrypting and protecting data as it flows across the internet — the reassuring lock icon in a browser’s icon bar assures us our data is safe. Organizations worldwide have rightfully recognized this protocol as an imperative for data security and digital privacy, and overall, 95% of internet-bound traffic is secured with HTTPS.

But encryption is a double-edged sword. In the same way that encryption prevents cybercriminals from intercepting sensitive data, it also prevents enterprises from detecting cyber threats. As we revealed in our ThreatLabz 2023 State of Encrypted Attacks Report, more than 85% of cyber threats hide behind encrypted channels, including malware, data stealers, and phishing attacks. What’s more, many encrypted attacks use legitimate, trusted SaaS storage providers to host malicious payloads, making detection even more challenging. Encrypted channels are a major blindspot for any organization that is not performing SSL inspection today, enabling threat actors to launch hidden threats and exfiltrate sensitive data under cover of darkness.

As threats advance and the number of malicious actors grows, these types of attacks continue to increase. ThreatLabz analyzed more than 29 billion blocked threats over the Zscaler Zero Trust Exchange from September 2022 to October 2023, finding a 24.3% increase year over year, with a notable growth in phishing attacks and significant 297.1% and 290.5% growth for browser exploits and ad spyware sites, respectively.

So, what can enterprises do to thwart encrypted attacks? The answer is simple: inspect all encrypted traffic. However, the reality of this task remains a huge challenge for most organizations. To fix the problem, we must first explore and understand why this is the case.

Shining a light on cyber threats lurking in encrypted traffic

Threat actors are exploiting encrypted channels across multiple stages of the attack chain: from gaining initial entry through tools like VPN to establishing footholds with phishing attacks, to delivering malware and ransomware payloads, to moving laterally through domain controllers, to exfiltrating data, oftentimes using trusted SaaS storage providers and more.

Knowing this, enterprises should include mechanisms in their security plans to stop encrypted threats and prevent data loss at each stage of the attack chain. Here are four approaches that enterprises can adopt to prevent encrypted attacks and keep their data, customers, and employees secured.

Figure 1: stopping encrypted cyber threats across the attack chain

1. Inspect 100% of encrypted SSL/TLS traffic at scale with a zero trust, cloud-proxy architecture

The key to an enterprise strategy to stop encrypted attacks starts with an ability to scan 100% of encrypted traffic and content at scale, with zero performance degradation — that’s step one. A zero trust architecture is an outstanding candidate for this task for a number of key reasons. Based on the principle of least privilege, this architecture brokers connections directly between users and applications — never the underlying network — based on identity, context, and business policies. Therefore, all encrypted traffic and content flows through this cloud-proxy architecture, with SSL/TLS inspection for every packet from every user on a per-user basis with infinite scale, regardless of how much bandwidth users consume. In addition to this, direct user-to-app and app-to-app connectivity make it substantially easier to segment application traffic to highly granular sets of users — eliminating lateral movement risk that is often the norm in traditional, flat networks.

Meanwhile, a single policy set vastly simplifies the administrative process for enterprises. This is in contrast to application and network firewalls — themselves frequent targets of cyber attacks — which in practice translate to greater performance degradation, complexity, and cost at scale, while failing to achieve enterprise goals of 100% SSL/TLS inspection. In other words, stopping encrypted threats begins and ends with zero trust.

2. Minimize the enterprise attack surface

All IP addresses, or internet-facing assets, are discoverable and vulnerable to threat actors — including enterprise applications and tools like VPNs and firewalls. Compromising these assets is the first step for cybercriminals to gain a foothold and move laterally across traditional networks to your valuable crown-jewel applications.

Using a zero trust architecture, enterprises can hide these applications from the internet — placing them behind a cloud proxy so that they are only accessible to authenticated users who are authorized by business access policy. This simple fact empowers enterprises to immediately remove vast swaths of the external attack surface, prevent discovery by threat actors, and stop many encrypted attacks from ever happening in the first place.

3. Prevent initial compromise with inline threat prevention

Enterprises have numerous tools at their disposal to stop encrypted threats, and here, a layered defense is the best one. Critically, these defenses should be inline — in the data path — so that security tools detect malicious payloads before delivery, rather than pass-through, out-of-band approaches as with many traditional technologies.

There are a number of core technologies that should make up a best-practice defense. These include an inline sandbox with ML capabilities; in contrast, many traditional sandboxes assume patient-zero risk, an ML-driven sandbox at cloud scale allows companies to quarantine, block, and detonate suspicious files and zero-day threats immediately, in real time, without impacting business. Furthermore, technologies like cloud IPS, URL filtering, DNS filtering, and browser isolation — turning risky web content into a safe stream of pixels — combine to deliver enterprises what we would term advanced threat protection. While encrypted threats can pass by unnoticed by many enterprises, this type of layered, inline defense ensures that they won’t.

4. Stop data loss

Stopping encrypted attacks doesn’t end with threat prevention; enterprises must also secure their data in motion to prevent cybercriminals from exfiltrating it. As mentioned, threat actors frequently use legitimate, trusted SaaS storage providers — and therefore “trusted” encrypted channels —to host malicious payloads and exfiltrated data. Without scanning their outbound SSL/TLS traffic and content inline, enterprises have little way to know this is happening. As with threat prevention, enterprises should also take a multi-layered approach to securing their data. As best practices, enterprises should look for functionality like inline DLP, which inspects SSL/TLS content across all data channels, like SaaS apps, endpoints, email, private apps, and even cloud posture. As a note, in addition to exact data match (EDM), Zscaler has taken an AI-driven approach to automatically discover and classify data across the enterprise, and these categories are used to inform DLP policy. Finally, CASB provides another critical layer of security, protecting inline data in motion and out-of-band data at rest.

Diving deeper into encrypted attacks

Of course, these best practices are the tip of the iceberg, when it comes to understanding and defending against the full range of encrypted attacks. For a deeper analysis of how enterprises can stop encrypted threats, as well as discover key trends in this dynamic landscape, be sure to register for our upcoming January 18th live webinar with CISO Deepen Desai. Moreover, to uncover our full findings, get your copy of the ThreatLabz 2023 State of Encrypted Attacks Report today.