TLS, and it’s older forerunner SSL, are used to maintain the confidentiality and integrity of network communications. This is a double edged sword for Information Securitydepartments as this allows private information to remain private, but canalso be used to hide malicious activity.
Current defensive measures fordealing with network traffic encrypted using TLS typically takes one of twoforms:
Attempting to detect malicious activities via other means which are outside of the encrypted session, such as endpoint security tools and IP address blacklists.
Break the TLS trust model by effectively attacking all connections, including trusted connections, via MiTM with a trusted certificate. (yes AV vendors, I'm looking at you)
This talk discusses (ok maybe rants about) the problems with the current "state of the art" and introduces other techniques, such as TLS Fingerprinting and TLS Handshake Mangling, which can be used to solve the same problems with less ofthe issues of current systems.
Lee Brotherston is a Director of Security for a startup in the Toronto area. Having spent nearly 20 years in Information Security, Lee has worked as an Internal Security resource across many verticals including Finance, Telecommunications, Hospitality, Entertainment, and Government in roles ranging from Engineer to IT Security Manager. He's also old enough to have done computering on a Commodore 64. Twitter handle of presenter(s): @synackpse