Here is a funny one: does pervasive traffic encryption KILL Network Traffic Analysis (NTA) dead?
Well, OK, not truly “kill it dead,” but push it back to 2002, when it was called “N-BAD” [“a coincidence? I think not”] and was solely Layer-3/flow/netflow-based. Back then it was considered either a niche security technology or a luxury, with a market barely in the millions [this of course excludes non-security-focused traffic monitoring, which Gartner calls NPMD].
We’ve been asking different people this question in different forms, and we’ve heard very different things (all quotes below are made up; they are genericized versions of the things we’ve heard):
- “Yes, network encryption and especially TLS 1.3 will doom content inspection. Do not buy NTA, the boxes will be doorstops soon” [some say that TLS 1.3 only kills NFT and not NTA, because it makes decryption of stored captures dramatically harder, if possible at all: TLS 1.3 drops RSA key exchange in favor of forward-secret (EC)DHE, so a recorded session can no longer be decrypted later with the server’s private key; cert pinning makes both hard, but you can work around it]
- “No… SSL/TLS is old hat, and much of our internal traffic (East – West) remains plaintext – so NTA will work here for many years” [a very past-looking view, but much of IT is in the past, so perhaps OK?]
- “Well, we only do flow-based ‘NTA’ anyway because of some privacy mumbo-jumbo, so encryption does not make it any worse.” [this is a fairly sane view, but it is akin to saying “a return to 2002 won’t harm us, since we in fact live in 2002”]
- “In fact, we can analyze encrypted traffic data by using a tamed, but proprietary, vendor magic unicorn or open-source tooling (JA3)” [TRUE] and “It works as well as plaintext analysis” [100% FALSE!]
Of the four, path #4 is the most exciting to watch, of course. I am really curious how far we can go with analytics, data science and machine learning to glean security-relevant insight from encrypted and shallow (flow- and header-level) data.
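To make the open-source half of path #4 concrete, here is an added example (written for this page; it is not code from the original post or from the JA3 project) that computes a JA3 fingerprint from a TLS ClientHello without decrypting anything. The ClientHello bytes are constructed inline with ordinary IANA code points (TLS 1.2 legacy version, TLS_AES_128_GCM_SHA256 and friends, x25519/P-256/P-384, an SNI of example.com), so it runs offline. It also pulls out the SNI, because that and the ClientHello shape are about all that is still in the clear on a modern TLS 1.3 session (until Encrypted ClientHello hides the SNI too); nothing about the request or response body is recoverable this way, which is the hard limit the fourth quote glosses over.

```python
"""JA3 fingerprint of a TLS ClientHello, computed without decryption.

Added example for this page, not the original post's or the JA3 project's
code. The ClientHello is constructed below; it is test input, not a capture.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection by modern clients and
# must be dropped, otherwise one client would yield a different JA3 each time.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(sni, ciphers, groups, point_formats, versions):
    """Assemble a minimal TLS record carrying a ClientHello (constructed input)."""
    def ext(ext_type, data):
        return struct.pack("!HH", ext_type, len(data)) + data

    name = sni.encode()
    sni_entry = struct.pack("!BH", 0, len(name)) + name        # host_name type 0
    exts = b"".join([
        ext(0x0A0A, b""),                                      # GREASE extension
        ext(0, struct.pack("!H", len(sni_entry)) + sni_entry),  # server_name
        ext(10, struct.pack("!H", 2 * len(groups))
            + b"".join(struct.pack("!H", g) for g in groups)),  # supported_groups
        ext(11, struct.pack("!B", len(point_formats))
            + bytes(point_formats)),                           # ec_point_formats
        ext(43, struct.pack("!B", 2 * len(versions))
            + b"".join(struct.pack("!H", v) for v in versions)),  # supported_versions
    ])
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"  # legacy version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the JA3-relevant fields (plus the SNI) from a raw TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                  # client random
    pos += 1 + body[pos]                                       # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                       # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    extensions, groups, formats, sni = [], [], [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        extensions.append(etype)
        if etype == 0 and len(data) >= 5:      # server_name: list len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10:                       # supported_groups: len(2) then u16 list
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:                       # ec_point_formats: len(1) then u8 list
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats, "sni": sni}


def ja3(fields):
    """JA3 string and its MD5, as defined by the open-source JA3 project."""
    def keep(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(fields["version"]), keep(fields["ciphers"]), keep(fields["extensions"]),
                  keep(fields["groups"]), keep(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def fingerprint(record):
    """Everything an NTA sensor gets from this packet without a key: JA3 and SNI."""
    fields = parse_client_hello(record)
    ja3_str, ja3_md5 = ja3(fields)
    return {"ja3": ja3_str, "ja3_md5": ja3_md5, "sni": fields["sni"]}


# Constructed sample: a GREASE value in the cipher list, extension list and
# group list, as a browser would send; the fingerprint must ignore all three.
SAMPLE = build_client_hello("example.com",
                            [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
                            [0x0A0A, 29, 23, 24], [0], [0x0304, 0x0303])

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

Two practitioner notes on what this does and does not give you: the JA3 string for the sample is `771,4865-4866-49195-49199,0-10-11-43,29-23-24,0`, which identifies the TLS stack (a browser build, a Python version, a particular malware family's static client) rather than the application or user, and many unrelated programs share a stack and therefore a hash; and the only content-level datum here is the SNI, which is exactly what is being removed by Encrypted ClientHello. Anything finer than that needs the key, which is the fight described under the first conclusion below.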
So, what can we conclude? You can:
- Keep fighting the MitM / decryption battles; you will win some and lose some, but will eventually lose the war. Will it be in 2021 or 2030? No idea when, but it will happen.
- Push hard for your vendor to improve encrypted-traffic analytics and the level of insight derived from flow-/header-level traffic data, but be aware of the hard limits of this path: handshake metadata and flow shape can identify a TLS stack and a destination, not the content of the session.
- Accept that NTA will deliver less in the future due to the disappearance of most (but not all) Layer-7/content visibility.
- Stick to the endpoint and toss your NTA out of the window (example).
Blog posts related to NTA, NDR and this research: