Ransomware Reversal

TLS Decryption for Sandbox and APT Systems

Nubeva SKI Enables Deeper Visibility and Increases Product Value for Forensics Solutions 


PROBLEM: Sandboxes are an essential technology for any complete cybersecurity program. However, TLS 1.3, and TLS 1.2 with PFS, inhibit these inspection systems' traditional passive and MITM decryption capabilities. This hinders a sandbox's ability to fully understand how malware behaves on the network when the malware conceals the details inside TLS-encrypted traffic. As a result, your systems are blind to the outbound command and control (C2) behavior of malware, which has significant implications for a) building block rules for defense systems and b) understanding how to decode and recover from an incident in which malware has taken hold in an organization.

For manufacturers, these technical gaps lead not only to negative business implications but also to lost market potential for sandbox and APT systems. Offering a product with incomplete functionality leads customers to look externally to fill technology gaps and causes sales friction, complicated POCs, and rising support costs.

Fact: Sandboxes are blind to malware network communications.

Nubeva SKI for Forensics Systems

The Nubeva SKI solution offers an enhancement to Sandbox/APT systems. Adding SKI functionality provides the ability to see into encrypted communications carried out by malware, including command and control and data exfiltration activities. 

Nubeva offers a modular and comprehensive suite of software components that can easily be integrated into any system to enhance existing services. Nubeva enables manufacturers to deliver more complete functionality and provide deeper and broader visibility and security to customers. As a result, it drives higher product value to customers, market opportunities and makes selling and supporting easier. 


Inspect More Traffic

Fill Decryption Gaps

Technical Advantage 

Improve Detection and Blocking of APT

Detects known and unknown malware, lateral movement, and data exfiltration.

Detect APT C2 Traffic

Detect APT command and control traffic to any service, including but not limited to social network accounts, anonymized TOR networks, and remote access trojans (RATs).

Inspect All Traffic 

Any session, north-south and east-west. Decrypts TLS 1.3 and TLS 1.2 with PFS, along with legacy TLS, without MITM. See into APT traffic authenticated with pinned certificates as well as mTLS/client-side certificate-based sessions.

More Value to Your Customers

Business Advantages

Expand Product Value

With increased visibility, detect and respond to threats faster, reducing customer risk, improving customer convenience and overall product value. 

Sales Acceleration

Adding SKI support allows sales teams to sell more products, close bigger deals, and create lasting customer success. 


Integrate Nubeva SKI Support into Your Product Suite

Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles.

The core concept of SKI is to capture the TLS session keys used by malware for all of its outbound sessions, and then to use those keys to decrypt traffic from PCAP files or any real-time stream. With session keys available, simple, high-speed, low-cost bulk decryption of any traffic is possible: match the traffic to its keys using the client-random value of each TLS session, and decrypt.


Sandbox TLS Inspection

Nubeva offers a comprehensive suite of software components, available in source or binary form, enabling fast and flexible SKI decryption implementation in most product sets. Nubeva provides software both to obtain keys and to decrypt with them. While there are many implementation models and options for sandbox inspection systems, here are the basics:

Get Session Keys

Nubeva has perfected learning and exporting keys from application and TLS process memory as they are created during the TLS handshake. Simply deploy our session key learning software on any VM, node, or endpoint.

Key learning software is delivered as a C library or as turnkey agents and containers, in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure, transparent, and non-disruptive to application code; it does not impact applications and operates with minute memory and CPU requirements. Get keys for:

  • Any TLS version: 1.3, 1.2, and legacy.

  • Any session, N-S-E-W, including pinned-certificate and client-certificate sessions.

  • Traffic to internet, cloud, and other third-party servers and services.

  • Bare metal, VMs, and containers running on a client, in a datacenter, or in the cloud.

  • OS and commercial applications as well as malware communications.


Get Started: 

Simply add Nubeva TLS decryption technology to your product to enable the capture of keys. Implement the SKI sensor into your existing sandbox technology via source code or with our native Nubeva SKI container. Key acquisition can be offered as a standard feature or as an incremental option/upgrade.

Decrypt with Session Keys

With keys in hand, decryption is trivial. Once you have the keys, all you need is a copy of the traffic, either PCAP files or a real-time monitoring feed, to which the keys can be matched via the client random. Nubeva complements key discovery with a suite of decryption support options: decryption can be performed onboard, or keys can be exported and decryption accomplished on external decryption systems. Nubeva enables systems to:

  • Enhance an existing datapath or add a new one.

  • Decrypt any traffic and any session.

  • Leverage the crypto instruction-set acceleration of standard CPUs.

  • Achieve ultra-high throughput, over 25 Gb/s per core.

  • Use CPU and memory resources efficiently.
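The client-random matching that the SKI overview and the decryption step above both describe, as an added example that is not Nubeva's code: it indexes a keylog in the NSS SSLKEYLOGFILE format by client random, pulls the client random out of a captured ClientHello record, and looks up the session's secrets. The keylog, the client randoms and the ClientHello are constructed sample values, and the secrets are fabricated.

```python
import struct

# Constructed client randoms for two sample sessions (one TLS 1.2, one TLS 1.3).
CR_12 = bytes(range(32))
CR_13 = bytes(range(32, 64))

# Constructed keylog in the NSS SSLKEYLOGFILE format; the secrets are fabricated.
SAMPLE_KEYLOG = f"""\
CLIENT_RANDOM {CR_12.hex()} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_13.hex()} {'bb' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_13.hex()} {'cc' * 32}
CLIENT_TRAFFIC_SECRET_0 {CR_13.hex()} {'dd' * 32}
SERVER_TRAFFIC_SECRET_0 {CR_13.hex()} {'ee' * 32}
"""

def parse_keylog(text):
    """Index keylog lines by client random: {client_random_hex: {label: secret_hex}}."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):  # skip blanks and comments
            continue
        label, client_random, secret = parts
        keys.setdefault(client_random.lower(), {})[label] = secret.lower()
    return keys

def client_random_from_record(record):
    """Return the 32-byte client random (hex) from a TLS record carrying a ClientHello,
    or None if the record is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # record type must be handshake (22)
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 38 or hs[0] != 0x01:                 # handshake type must be client_hello (1)
        return None
    return hs[6:38].hex()                             # skip hs header (4) + legacy_version (2)

def build_client_hello(client_random):
    """Construct a minimal ClientHello record for the sample (not a complete handshake)."""
    body = b"\x03\x03" + client_random + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def match_session_keys(record, keys):
    """Look up the keylog entry for a captured ClientHello via its client random."""
    client_random = client_random_from_record(record)
    return keys.get(client_random) if client_random else None
```

A session whose ClientHello has no entry in the keylog (or a record that is not a ClientHello) yields None, which is the case a decryption pipeline must fall back on rather than fail.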


Get Started: 

Already have decryption? Add the ability to receive keys and decrypt by modifying your existing engine or by using Nubeva's SKI Decrypt TLS C library and reference code.

Don't have decryption? Nubeva's Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt.


There are myriad implementation options spanning key acquisition, key transport and handling, and decryption.

Nubeva works with our customers to develop the ideal architecture and craft highly customized licensing programs and support services to enable customer success.

Let's discuss how SKI can work with your systems.

