Effect of TLS traffic on inspection

Experts,

I was wondering what effect the rise in TLS traffic has on IDS applications like Zeek.
Since Zeek (or other IDS applications like Snort and Suricata) will not be able to inspect the content of the majority of connections as they will be encrypted, will this make IDS less useful going forward?
If yes, what are the ways being considered to overcome this challenge? Is becoming an inline device with man-in-the-middle capabilities an option? Or is TLS offloading to a different device that can send us a copy of the decrypted traffic for inspection the preferred option?

Please pardon me if these are naive questions. I am new to the world of IDS and am trying to learn more about them.

- Abhi

If you can decrypt, do that. If you can sniff both decrypted and encrypted traffic, then you’d get all the decrypted traffic plus all the super useful JA3 and JA3S fingerprints.

There is a ton of value in mapping what TLS cipher suites are used where in your environment. If you have enough money to decrypt and sniff both decrypted and encrypted traffic, I’d do it.

Cheers,

JB



From: toabhisheksingh@gmail.com
Sent: March 12, 2020 3:48 AM
To: Zeek@zeek.org
Subject: [Zeek] Effect of TLS traffic on inspection


This is NOT intended as an advertisement, but if you want to check it out, we’ve been blogging about how to use Zeek vs encrypted traffic on the Corelight blog.

https://corelight.blog/tag/encryption/

Sincerely,

Richard

These are helpful talks on the subject of using Zeek-style metadata:

JA3 asking for a friend (2019): https://www.youtube.com/watch?v=HrP6Ep3xgQM&t=684s
Network forensics in an encrypted world (2017, but covers a lot of indicators you can hunt on): https://www.youtube.com/watch?v=APHlvFaUEKE&t=1930s
Encrypted things: Network detection and response in an encrypted world: https://www.youtube.com/watch?v=HPvIGP2mgbI&t=2667s
Security Onion Conference 2019: Finding traffic anomalies using SSL certificates: https://www.youtube.com/watch?v=-WD9BWlENwc&t=762s
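The JA3 fingerprints JB mentions above (and the JA3 talk linked above) rest on the fact that the ClientHello is sent in the clear, so an IDS can fingerprint a client without decrypting anything. As an added example that is not code from this thread, from Zeek or from the JA3 project: the JA3 string is built from the ClientHello's legacy version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped, and then MD5-hashed. The parser, the `build_client_hello` helper and the sample ClientHello are this example's own constructions.

```python
import hashlib
import struct

def is_grease(v):
    # GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are dropped before fingerprinting
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16(b, off): return struct.unpack(">H", b[off:off + 2])[0]

def parse_client_hello(record):
    """JA3 inputs from a TLS record (type 0x16) carrying a ClientHello (handshake type 1)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                       # skip 5-byte record header + 4-byte handshake header
    version = u16(body, 0)                  # legacy version field (771 = TLS 1.2 even for TLS 1.3 hellos)
    pos = 35 + body[34]                     # skip the 32-byte random and the variable-length session id
    cs_len, pos = u16(body, pos), pos + 2
    ciphers = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len + 1 + body[pos + cs_len]  # cipher suites, then compression methods
    extensions, curves, formats = [], [], []
    pos, end = pos + 2, pos + 2 + (u16(body, pos) if pos < len(body) else 0)
    while pos + 4 <= end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        extensions.append(etype)
        if etype == 10:    # supported_groups: 2-byte list length, then 2-byte group ids
            curves = [u16(data, i) for i in range(2, len(data), 2)]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte format ids
            formats = list(data[1:])
    return version, ciphers, extensions, curves, formats

def ja3(record):
    version, ciphers, exts, curves, formats = parse_client_hello(record)
    keep = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    s = ",".join([str(version), keep(ciphers), keep(exts), keep(curves),
                  "-".join(str(f) for f in formats)])
    return s, hashlib.md5(s.encode()).hexdigest()   # (JA3 string, JA3 hash)

def build_client_hello(version, ciphers, exts):
    """Assemble a minimal ClientHello record; used here only to construct test input."""
    ext_body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"            # version, random, no session id
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext_body)) + ext_body)   # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

SAMPLE_HELLO = build_client_hello(0x0303, [0x1a1a, 0x1301, 0x1302, 0xc02b],   # constructed input; GREASE
    [(0x2a2a, b""), (0, b"\x00\x0c\x00\x00\x09localhost"),                   # 0x1a1a / 0x2a2a are ignored
     (10, b"\x00\x06\x00\x1d\x00\x17\x00\x18"), (11, b"\x01\x00")])
```

Running `ja3(SAMPLE_HELLO)` yields the string `771,4865-4866-49195,0-10-11,29-23-24,0` and its MD5; the same string comes out with or without the GREASE entries, which is what makes the hash stable across connections from one client build.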