PROBLEM: Sandboxes are an essential technology for any complete cybersecurity program. However, TLS 1.3 and TLS 1.2 with PFS inhibit these inspection systems' traditional passive and MITM decryption capabilities. This hinders the ability of a sandbox to fully understand how malware is behaving in the network when the malware conceals the details within TLS-encrypted traffic. As a result, your systems are blind to the command and control (C2) outbound behavior of malware, which can have significant implications for a) building block rules for defense systems or b) understanding how to decode and recover from an incident of malware that has taken hold in an organization.
For manufacturers, these technical gaps not only have negative business implications but also mean lost market potential for sandbox and APT systems. Offering a product with incomplete functionality leads customers to look externally to fill technology gaps and causes sales friction, complicated POCs, and rising support costs.
The Nubeva SKI solution offers an enhancement to Sandbox/APT systems. Adding SKI functionality provides the ability to see into encrypted communications carried out by malware, including command and control and data exfiltration activities.
Nubeva offers a modular and comprehensive suite of software components that can easily be integrated into any system to enhance existing services. Nubeva enables manufacturers to deliver more complete functionality and provide deeper and broader visibility and security to customers. As a result, it drives higher product value for customers, opens market opportunities, and makes selling and supporting easier.
Fill Decryption Gaps
Detect known and unknown malware, lateral movement, and data exfiltration.
Detect APT command and control traffic to any service, including but not limited to social network accounts, anonymized TOR networks, and remote access trojans (RATs).
Any session, north-south and east-west. Decrypts TLS 1.3 and TLS 1.2 with PFS, along with legacy TLS, without MITM. See into APT traffic authenticated with pinned certificates as well as mTLS/client-certificate sessions.
More Value to Your Customers
With increased visibility, detect and respond to threats faster, reducing customer risk and improving customer convenience and overall product value.
Adding SKI support allows sales teams to sell more products, close bigger deals, and create lasting customer success.
Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles.
The core concept of SKI is to capture the TLS session keys used by malware for all of its outbound sessions and then to use those keys to decrypt traffic from PCAP files or any real-time stream. With session keys available, bulk decryption of any traffic becomes simple, fast, and low-cost. Simply match traffic with keys using the client-random value of each TLS session, and decrypt.
Nubeva offers a comprehensive suite of software components, available in source or binary form, enabling fast and flexible SKI decryption implementation in most product sets. Nubeva provides software to get keys and to decrypt using keys. While there are many implementation models and options for sandbox inspection systems, here are the basics:
Nubeva has perfected learning and exporting keys from application and TLS process memory as they are created during the TLS handshake. Simply deploy our session key learning software on any VM, node, or endpoint.
Key learning software is delivered as a C library or turnkey agents and containers in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure, transparent, and non-disruptive to application code, does not impact applications, and operates with minute memory and CPU requirements. Get Keys for:
Any TLS version: 1.3, 1.2, and legacy.
Any session, N-S-E-W, including pinned-certificate and client-certificate sessions.
Traffic to internet, cloud, and other third-party servers and services.
Bare metal, VMs, and containers running on a client, in a datacenter, or in the cloud.
OS and commercial applications as well as malware communications.
Simply add Nubeva TLS decryption technology to your product to enable the capture of keys. Implement the SKI sensor into your existing sandbox technology via source code or with our native Nubeva SKI container. Key acquisition can be offered as a standard feature or as an incremental option/upgrade.
With keys in hand, decryption is trivial. Once you have the keys, all you need is a copy of the traffic, either PCAP files or real-time streams, to which the keys can be matched via client random. Nubeva complements key discovery with a suite of decryption support options. Decryption can be performed onboard, or keys can be exported and decryption accomplished on external decryption systems. Nubeva enables systems to:
Enhance an existing datapath or add a new one.
Handle any traffic and any session.
Leverage crypto instruction-set acceleration in standard CPUs.
Achieve ultra-high throughput, over 25 Gb/s per core.
Make efficient use of CPU and memory resources.
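The key-matching step described in the core concept paragraph above and again in the decryption paragraph (match captured TLS sessions to exported session keys by client random, then turn a matched secret into record keys) as an added Python example. This is not Nubeva's code, and the page does not name its key export format: the NSS key-log layout (the SSLKEYLOGFILE format Wireshark reads), the constructed sample key log, the minimal constructed ClientHello records, and all function names are assumptions made for illustration.

```python
"""Match captured TLS sessions to exported session keys by client random (added example)."""
import hmac
import struct

# Constructed sample key log in NSS key-log layout: <LABEL> <client_random hex> <secret hex>.
# Assumed export format; the first session is TLS 1.3 (traffic secrets, not a master secret).
SAMPLE_KEY_LOG = """\
# label client_random secret
CLIENT_TRAFFIC_SECRET_0 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
SERVER_TRAFFIC_SECRET_0 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


def parse_key_log(text):
    """Return {client_random: {label: secret}} from key-log text; blank and '#' lines are skipped."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"key log line {lineno}: expected 3 fields, got {len(fields)}")
        label, random_hex, secret_hex = fields
        client_random = bytes.fromhex(random_hex)
        if len(client_random) != 32:
            raise ValueError(f"key log line {lineno}: client random must be 32 bytes")
        sessions.setdefault(client_random, {})[label] = bytes.fromhex(secret_hex)
    return sessions


def build_client_hello(client_random):
    """Constructed minimal ClientHello record: just enough fields to carry the 32-byte random."""
    body = (
        b"\x03\x03"            # legacy_version = TLS 1.2
        + client_random        # random (32 bytes), the value the key log is indexed by
        + b"\x00"              # legacy_session_id: empty
        + b"\x00\x02\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # legacy_compression_methods: null
        + b"\x00\x00"          # extensions: empty (a real TLS 1.3 hello carries several)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_random_from_record(record):
    """Return the client random if `record` is a Handshake record holding a ClientHello, else None."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 34:
        return None
    return hs[2:34]                                    # skip legacy_version, take random


def match_sessions(records, sessions):
    """Split captured records into sessions we hold keys for and sessions that stay opaque."""
    matched, unmatched = {}, []
    for record in records:
        client_random = client_random_from_record(record)
        if client_random is None:
            continue                                   # not a ClientHello; nothing to index on
        if client_random in sessions:
            matched[client_random] = sessions[client_random]
        else:
            unmatched.append(client_random)            # no key exported: the blind spot
    return matched, unmatched


def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1) using only standard-library HMAC."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def record_keys(traffic_secret):
    """Derive the AES-128-GCM write key and IV for a TLS_AES_128_GCM_SHA256 traffic secret."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", 16),
            hkdf_expand_label(traffic_secret, b"iv", b"", 12))


def demo():
    """Run the matching over a constructed capture: one known session, one with no exported keys."""
    sessions = parse_key_log(SAMPLE_KEY_LOG)
    known, unknown = bytes(range(32)), b"\xff" * 32
    records = [build_client_hello(known), b"\x17\x03\x03\x00\x00", build_client_hello(unknown)]
    return match_sessions(records, sessions)


if __name__ == "__main__":
    matched, unmatched = demo()
    for client_random, secrets in matched.items():
        key, iv = record_keys(secrets["CLIENT_TRAFFIC_SECRET_0"])
        print(f"{client_random.hex()[:16]}...: {len(secrets)} secrets, key={key.hex()} iv={iv.hex()}")
    for client_random in unmatched:
        print(f"{client_random.hex()[:16]}...: no exported keys, traffic stays opaque")
```

The unmatched list is the practical check: any ClientHello whose client random has no key-log entry is a session the inspection system still cannot read, which is exactly the gap the key-learning side has to close before decryption is possible.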
Already have decryption? Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva's SKI Decrypt TLS C library and reference code.
Don't have decryption? Nubeva's Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt.
There are myriad implementation options spanning key acquisition, key transport and handling, and decryption.