TLS Encrypted Malware Requires Partners to Step up Network Security
Over the past decade, and particularly in the wake of revelations about mass Internet surveillance, the use of Transport Layer Security (TLS) has been one of the greatest contributors to the privacy and security of Internet communications. TLS has grown to cover a majority of Internet communications and according to browser data from Google, the use of HTTPS has grown from just over 40 percent of all web page visits in 2014 to 98 percent in March of 2021.

It should come as no surprise that malware operators have also been adopting TLS, for essentially the same reasons: to prevent defenders from detecting and stopping the deployment of malware and the theft of data. Sophos researchers have observed dramatic growth over the past year in malware using TLS to conceal its communications. Sophos detected that in 2020, 23 percent of malware communicating with a remote system over the Internet was using TLS; today, it is nearly 46 percent.

Cybercriminals’ Adoption of TLS

A large portion of the growth in overall TLS use by malware can be linked to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, GitHub and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even as channels for sending commands to botnets and other malware. It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying it.

Sophos researchers also documented an increase in the use of TLS in ransomware attacks over the past year, especially in manually deployed ransomware—in part because of attackers’ use of modular offensive tools that leverage HTTPS. But the vast majority of what researchers detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages.

All of this adds up to a more than 100 percent increase in TLS-based malware communications since 2020. And that’s a conservative estimate, as it’s based solely on what Sophos researchers identified through telemetry analysis and host data. As a result, defending against malware attacks has become that much more difficult. Without a defense-in-depth approach, organizations are less and less likely to detect potential threats before the attackers have deployed them.

Channel Partners’ Opportunity to Protect

With cyberattacks constantly happening, businesses of all types and sizes must be able to detect and stop attacks. At the same time, they need to focus on doing what they do best, and they need a partner they can trust to provide advanced, next-gen protection.

Sophos Firewall and the new XGS Series appliances deliver the speed and protection that channel partners need to secure their customers. For network admins, this completely re-engineered hardware platform finally takes a common dilemma off the table: how to scale up protection for today’s highly diverse, distributed, and encrypted networks without throttling network performance.

Sophos Firewall includes native support for TLS 1.3 and provides a user interface that clearly shows whether traffic inspection has caused issues and how many users were affected. With just a couple of clicks, you can exclude problematic sites and applications without reverting to a less-than-adequate level of protection. Sophos Firewall is also easily managed on the cloud-based Sophos Central platform, saving channel partners time and resources with the ability to manage multiple firewalls and different solutions from one single pane of glass.

With so many organizations still not understanding what technologies are needed to protect against exploits, ransomware, and encrypted traffic, channel partners now need to become critical security advisers and service providers to their customers. Together with Sophos and solutions like Sophos Firewall, partners have a significant opportunity to grow their own security knowledge and network security revenue, while also improving their customers’ protection.

Guest blog courtesy of at Sophos. Read more Sophos blogs here.