Proactive cybersecurity: TLS packets and HTTP headers help firms

TLS packets and HTTP headers are just a couple of sources of proactive cybersecurity intelligence contributing to exposure management.
16 October 2023

Proactive cybersecurity tools capable of learning from TLS packets, HTTP headers, and many other signals can help to close open windows and shrink the attack surface of web applications.

Transport layer security (TLS) – as the name suggests – plays a key role in protecting data sent over the web. Online shoppers have TLS to thank for encrypting their payment information. It also makes emails unreadable while in transit from senders to recipients. “TLS is the foundation of secure communications on the internet,” Gavin Millard, VP & Deputy CTO at Tenable told TechHQ. And that sure footing includes enabling proactive cybersecurity measures.

“Proactive security helps companies identify flaws before they become a problem,” said Millard, noting how the firm’s cybersecurity tools carry out 28 different checks on a single web certificate as part of its exposure management services.

Proactive cybersecurity advice

Proactive cybersecurity perspective: Gavin Millard, VP & Deputy CTO at Tenable shares his thoughts on what can be learned from TLS packets and HTTP headers with Tech HQ.

TLS and other signals, such as HTTP header information, can provide valuable insights when it comes to exposure management. With the help of proactive cybersecurity tools capable of ‘slicing and dicing’ external attack surface data, companies can quickly identify assets that are broken or misconfigured.

Old or broken certificate chains are a sure sign that IT infrastructure is in need of attention – either to be updated or removed from service. TLS data can offer protection too from malicious servers thanks to active server fingerprinting – a methodology that Salesforce has helped to promote through JARM.

Passive TLS fingerprinting simply listens to network traffic, which can result in false positives depending on the transmissions. JARM, on the other hand, sends TLS Client Hello packets that have been carefully selected based on their fingerprinting capabilities.

“The manner in which the Server Hello is formulated for any given Client Hello can vary based on how the application or server was built,” wrote John Althouse of Salesforce’s engineering team, in a blog post introducing JARM.

Proactive cybersecurity signals

Server responses will vary according to the type and version of the OS, the libraries being used, and the order in which they are called, as well as other configuration differences. “The combinations of factors make it unlikely that servers deployed by different organizations will have the same response,” said Althouse.

Hashing the various TLS signals gives security teams JARM fingerprints with little or no overlap that can be used to distinguish between legitimate and malicious activities.

Also, returning to the theme of proactive cybersecurity, organizations can turn on JARM fingerprints for their own assets. If multiple servers generate the same value, it could be a warning sign and signal that it’s time to revoke and reissue TLS certificates.

As mentioned, HTTP headers are useful too, when carrying out exposure management. Content security policy headers can help analysts identify which assets may be cause for concern based on those labeled as “unsafe”.

“Headers detail what is and isn’t accepted,” Millard explains to TechHQ, discussing their role in proactive cybersecurity methods. By setting a cryptographic version threshold, or defining which algorithms are allowed, HTTP headers can be used to protect against so-called downgrade attacks.

In the absence of such protection, bad actors will attempt to fool servers into communicating using protocols with known vulnerabilities that can then be used to mount an attack. HTTP headers can shut down numerous attack paths that may attract adversaries on the lookout for low hanging fruit.

Exposure management systems can identify a multitude of security cracks, such as where HTTP headers have been overlooked, which includes servers unintentionally exposed to non-local scripts. HTTP headers can both strengthen and weaken security, so it’s important to know what’s what.

Understanding the scope of the attack surface can be a huge challenge for large firms, particularly for those that have grown through acquisitions and may now include a patchwork of different systems.

Given these issues, many organizations are choosing to use cybersecurity tools as part of due diligence processes to avoid any unwanted surprises further down the road.

SSL and HTTP header checks are just a couple of quick yet powerful methods for implementing proactive cybersecurity using exposure management systems. What’s more, the addition of AI takes security screening to the next level.

It’s no surprise to discover that login pages, or pages linking to login pages, should be prioritized in terms of web security. But the lessons that can be learned from HTTP headers, in particular, are deeper still. And AI automates what would otherwise be a dark art in finding patterns among all of that data.

AI automation

Looking ahead, generative AI tools could bring further clarity to organizations – enabling staff to query data gathered by exposure management systems using natural language prompts rather than having to provide less intuitive and more formulaic inputs.

Organizations such as MITRE list hundreds of thousands of cybersecurity vulnerabilities on their CVE pages, which is an overwhelming number of issues for any firm to keep on top of. However, web security doesn’t have to be shouldered alone, and reaching out for proactive cybersecurity support can soon patch cracks in a company’s defenses, as well as providing ongoing alerts when security windows are left open.