Technical Tuesday – 14 May 2013 – Identifying TLS/SSL Encrypted Network Exploitation Activity Using Traffic Externals by Jeff Kuhn of CACI

Posted on May 14, 2013 in Events Archive

A significant and growing percentage of legitimate Internet traffic is now encrypted, which is a problem for signature-based and other content-based network exploitation detection systems: encrypted packet content is not available for analysis, and the large volume of legitimate encrypted activity provides cover for exploitation activity. An enterprise-level TLS/SSL proxy is one solution, using a network gateway appliance to intercept TLS sessions and decrypt them for analysis; this works only where the enterprise controls the endpoints (clients must trust the proxy's certificate authority) and it breaks the end-to-end property of the connection. It appears, however, that traffic externals such as session envelope shape (packet sizes and directions) and inter-packet timing can be used in practice to find some TLS-encrypted exploitation activity without intrusively decrypting packet contents. This talk describes recently completed CACI research that applies adaptive data analytics to distinguish encrypted exploitation activity from legitimate network traffic using only traffic externals, evaluated in a real-world environment.
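The following Python script is an added illustration of what "analysis on traffic externals" means in practice; it is not code from the talk or from CACI, whose analytics are not described on this page. It models each TLS session only as a sequence of (timestamp, direction, record size) tuples, derives envelope-shape and timing features from that, fits a per-feature baseline on constructed legitimate sessions, and scores new sessions by their distance from that baseline. The synthetic flow generators, the four feature names, and the threshold of 10 are assumptions made for the example.

```python
"""Flow-external anomaly scoring for TLS sessions.

Added example, not CACI's method. Each packet is modelled as
(timestamp_seconds, direction, tls_record_bytes), where direction is
'c2s' (client to server) or 's2c' (server to client). Nothing below
looks at ciphertext: only sizes, directions and timing are used.
"""
import math
import random
from statistics import mean, pstdev

# --- constructed sample traffic (synthetic, not captured data) --------------

def make_browsing_flow(rng):
    """Synthetic HTTPS page-load session: small client requests, bursty
    server-heavy responses, irregular user 'think time' between requests."""
    pkts, t = [], 0.0
    for _ in range(rng.randint(6, 10)):
        pkts.append((t, "c2s", rng.randint(200, 800)))      # request record
        t += rng.uniform(0.02, 0.3)                          # server processing
        for _ in range(rng.randint(2, 12)):                  # response burst
            pkts.append((t, "s2c", rng.randint(600, 1460)))
            t += rng.uniform(0.001, 0.03)
        t += rng.uniform(0.3, 6.0)                           # user think time
    return pkts

def make_beacon_flow(rng, period=30.0, checkins=10):
    """Synthetic implant check-in (assumed shape): a fixed-size client record
    at a near-constant period, answered by a tiny server record. Valid TLS,
    indistinguishable from browsing by content, but not by shape."""
    pkts, t = [], 0.0
    for _ in range(checkins):
        pkts.append((t, "c2s", 300))
        pkts.append((t + 0.05, "s2c", rng.randint(100, 140)))
        t += period + rng.uniform(-0.3, 0.3)                 # small jitter
    return pkts

# --- traffic externals ------------------------------------------------------

def _cv(xs):
    """Coefficient of variation; 0.0 when undefined (<2 samples or zero mean)."""
    if len(xs) < 2 or mean(xs) == 0:
        return 0.0
    return pstdev(xs) / mean(xs)

FEATURES = ("up_ratio", "c2s_gap_cv", "c2s_size_cv", "s2c_mean_size")

def flow_externals(pkts):
    """Envelope-shape and timing features computable from ciphertext alone."""
    c2s = [p for p in pkts if p[1] == "c2s"]
    s2c = [p for p in pkts if p[1] == "s2c"]
    up = sum(n for _, _, n in c2s)
    down = sum(n for _, _, n in s2c)
    c2s_times = [t for t, _, _ in c2s]
    c2s_gaps = [b - a for a, b in zip(c2s_times, c2s_times[1:])]
    s2c_sizes = [n for _, _, n in s2c]
    return {
        "up_ratio": up / (up + down) if up + down else 0.0,  # client-heavy?
        "c2s_gap_cv": _cv(c2s_gaps),                          # near 0 => periodic
        "c2s_size_cv": _cv([n for _, _, n in c2s]),           # near 0 => fixed size
        "s2c_mean_size": mean(s2c_sizes) if s2c_sizes else 0.0,
    }

# --- baseline and scoring ---------------------------------------------------

def fit_baseline(flows):
    """Per-feature mean and standard deviation over known-good traffic.
    The standard deviation is floored so a constant feature cannot divide by 0."""
    table = [flow_externals(f) for f in flows]
    return {k: (mean([r[k] for r in table]),
                max(pstdev([r[k] for r in table]), 1e-9))
            for k in FEATURES}

def anomaly_score(pkts, baseline):
    """Euclidean distance from the baseline in z-score space
    (a diagonal Mahalanobis distance): how many combined standard
    deviations the session sits away from typical legitimate traffic."""
    feats = flow_externals(pkts)
    return math.sqrt(sum(((feats[k] - mu) / sigma) ** 2
                         for k, (mu, sigma) in baseline.items()))

THRESHOLD = 10.0   # assumed cut-off for this example; tune per site in practice

def is_suspicious(pkts, baseline, threshold=THRESHOLD):
    return anomaly_score(pkts, baseline) > threshold

def demo(seed=7):
    """Fit on 60 constructed browsing sessions, then score one unseen
    browsing session and one constructed beacon. Returns both scores."""
    rng = random.Random(seed)
    baseline = fit_baseline([make_browsing_flow(rng) for _ in range(60)])
    return {
        "browsing": anomaly_score(make_browsing_flow(rng), baseline),
        "beacon": anomaly_score(make_beacon_flow(rng), baseline),
    }

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:9s} score={score:7.2f} suspicious={score > THRESHOLD}")
```

The point of the example is the feature set, not the classifier: the beacon is separated from browsing by its client-heavy byte ratio, its nearly constant inter-request interval, its constant client record size and its tiny server responses, none of which require decryption. Two practical caveats apply to any such scheme: the baseline has to be fitted on the network being monitored, since "normal" envelope shape differs between sites and applications, and an adversary who knows timing and size are being watched can add jitter and padding, so these features are most useful alongside other evidence rather than as a sole verdict.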

Presented by: Jeff Kuhn of CACI

Mr. Kuhn has 30 years of Intelligence Community and commercial experience in telecommunications system vulnerability analysis and security engineering. He began his career in the early 1980s at the R&D division of the National Computer Security Center before spending more than a decade performing Computer Network Operations engineering as a Department of Defense civilian. Mr. Kuhn then spent five years with GTE supporting their early CALEA lawful intercept efforts and a series of IC programs involving telecommunications security engineering. He is now the Chief Technologist for CACI CNO & Engineering Services, strongly focused on telecommunications security and Comprehensive National Cybersecurity Initiative programs.