The SonicWall Security Threat Report 2016: Highlighting Trends in Exploit Kits

In February, we released our SonicWall Security 2016 Threat Report, and one of its highlights was a discussion of the latest techniques and trends in exploit kits (EKs).

EKs have become a key tool for cybercriminals to take over target machines (via an exploit) and subsequently install malware of their choice.

For those who have some background in researching EKs, the stages will seem familiar. First, there is a redirection stage, which leads the user to the landing page of the EK (either directly or via an infected website). This redirection can result from a link in a spam email or a Twitter/Facebook feed, from an advertising banner redirection (malvertising), or simply from an IFRAME injected into an infected website.

Next is the landing stage. Here, the target's browser contacts the web server where the EK software resides (i.e., the landing page), and exploit delivery begins.

During exploitation, carefully crafted scripts determine which software components (browser, plugins and their versions) are installed on the victim's machine, in order to select an appropriate exploit. The matching exploit is then delivered and, if it succeeds, malware is installed on the target machine.

Some of the stages described above can be illustrated with the Spartan EK, discovered by the SonicWall Threat Research team last year.

In Spartan's delivery technique, the initial Flash file was encrypted, and the actual exploit code resided only in memory and was never written to disk (thus avoiding potential detection by file-scanning AV software).

EK delivery mechanisms are evolving and require security vendors to keep pace with the latest evasion techniques in order to successfully detect and/or prevent the attacks. It is not uncommon for an EK to check for the presence of certain AV software or a virtualized environment during the exploit stage and abort its execution, so as not to expose itself to security professionals running analysis sandboxes.

For example, last year we observed the Magnitude EK using steganography during the redirection stage to dynamically generate an IFRAME from an encrypted/encoded image file. Such techniques make it more difficult for the affected website owner to identify a website infection, since the injected content does not appear as a plain IFRAME in the page source.

In addition, landing page URLs undergo periodic modifications to avoid detection by security vendors; we have observed landing page URL patterns change within 48 hours for certain EKs. The landing page's software component detection has changed as well. Unlike in the past, we have observed EKs that determine browser and component versions on target systems without using the JavaScript PluginDetect library, so signatures keyed on that library no longer catch them.

What conclusions can security product designers draw from the latest trends in EKs? For one, because the exploit and the malware payload are both increasingly obfuscated at the delivery stage, it is now more important to quickly and correctly identify access to the EK landing page, and to stop exploit delivery at the moment the user reaches it rather than relying on catching the exploit or payload afterwards. Tracking EKs and their latest attack techniques is therefore an important part of any threat research team's activity.
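Because landing page URL patterns and plugin-detection scripts change faster than signatures can follow, one practical way to spot landing page access is to reconstruct the redirection chain itself from web proxy logs: a cross-host chain that ends in a plugin-type object (Flash, Java) followed by a binary download is the shape of an EK infection regardless of the URL pattern in use. The following is an added example written for this post, not code from SonicWall's products or from any EK; the log format, the sample entries and the content-type heuristics are all constructed assumptions for illustration.

```python
"""Reconstruct exploit-kit-style redirection chains from proxy logs (added example).

Assumed (constructed) log format, one request per line:
    timestamp client_ip method url referer content_type
A "-" referer means the request had no Referer header.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: one client walks the full chain
# (infected site -> ad script -> landing page -> Flash object -> binary),
# a second client visits the same site but only fetches a stylesheet.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 GET http://news.example.com/article.html - text/html
2016-03-01T10:00:02Z 10.0.0.5 GET http://ads.example.net/banner.js http://news.example.com/article.html application/javascript
2016-03-01T10:00:03Z 10.0.0.5 GET http://landing.example.org/a1b2/index.php http://ads.example.net/banner.js text/html
2016-03-01T10:00:04Z 10.0.0.5 GET http://landing.example.org/a1b2/exp.swf http://landing.example.org/a1b2/index.php application/x-shockwave-flash
2016-03-01T10:00:06Z 10.0.0.5 GET http://landing.example.org/a1b2/payload.bin http://landing.example.org/a1b2/exp.swf application/octet-stream
2016-03-01T10:05:00Z 10.0.0.7 GET http://news.example.com/article.html - text/html
2016-03-01T10:05:01Z 10.0.0.7 GET http://cdn.example.com/site.css http://news.example.com/article.html text/css
"""

# Heuristic content types (assumption): plugin objects an EK would use as the
# exploit carrier, and the types a dropped malware binary typically arrives as.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-java-archive"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, referer, ctype = line.split()
        entries.append({"ts": ts, "ip": ip, "method": method, "url": url,
                        "referer": None if referer == "-" else referer,
                        "ctype": ctype})
    return entries


def build_chain(entry, by_url):
    """Walk Referer headers backwards to the request that started the chain.

    by_url maps a URL to the most recent request for it by the same client.
    A 'seen' set guards against referer loops (a page that refers to itself).
    """
    chain = [entry]
    seen = {entry["url"]}
    current = entry
    while current["referer"] and current["referer"] not in seen:
        previous = by_url.get(current["referer"])
        if previous is None:          # referer points outside the log window
            break
        seen.add(previous["url"])
        chain.append(previous)
        current = previous
    chain.reverse()                   # origin first, payload last
    return chain


def find_ek_chains(entries):
    """Return suspicious chains per client.

    A chain is flagged when a binary payload was reached through a plugin-type
    object AND the chain crosses at least two hosts (the victim was redirected
    to a third-party landing host). The first request on the payload's host is
    reported as the landing page, which is the point at which blocking should
    have happened.
    """
    findings = []
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["ip"]].append(e)

    for ip, requests in by_client.items():
        by_url = {r["url"]: r for r in requests}
        for r in requests:
            if r["ctype"] not in PAYLOAD_TYPES:
                continue
            chain = build_chain(r, by_url)
            hosts = [urlparse(c["url"]).netloc for c in chain]
            has_exploit_object = any(c["ctype"] in EXPLOIT_TYPES for c in chain[:-1])
            cross_host = len(set(hosts)) >= 2
            if has_exploit_object and cross_host:
                payload_host = hosts[-1]
                landing = next(c for c in chain
                               if urlparse(c["url"]).netloc == payload_host)
                findings.append({"client": ip,
                                 "landing_page": landing["url"],
                                 "hosts": hosts,
                                 "payload": r["url"]})
    return findings


if __name__ == "__main__":
    for finding in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(finding["client"], "->", " > ".join(finding["hosts"]))
        print("  landing page:", finding["landing_page"])
        print("  payload:     ", finding["payload"])
```

The chain approach has obvious limits that a practitioner should keep in mind: Referer headers can be stripped by privacy settings or forged by the kit, the first hop is often an HTTPS page whose referer is not passed on, and in-memory exploits like Spartan's leave only the encrypted SWF fetch in the log. It is therefore a complement to, not a replacement for, inspecting the landing page response itself at the gateway.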

Download the SonicWall Security Annual Threat Report today.

How to Open Your Own Department of Yes

Securing large organizations is a massively complex task. There are so many different domains of security to think about that it can drive a person crazy. Fortunately, as we work closely with our customers and partners, we have the opportunity to see and address many of these challenges. We share what we learn with the security community to show how to think about identity and access management (IAM) and network security in a unified way, getting more out of each solution without incurring more cost. We are on a mission to help CISOs open their very own "Department of Yes." The goal is to help them see how IAM and network security can be business enablers.

For example, with SonicWall IAM and network security solutions working together, a policy on the next-generation firewall can help enforce an application governance policy defined in the IAM solution. SonicWall next-generation firewalls can be easily integrated with SonicWall One Identity Safeguard for Privileged Passwords to help tighten up security of the most trusted assets in any organization. Cloud Access Manager can consume data from the firewall to require elevated authentication. These are just a few examples of what we can do today and there will be more integration in the future that will help the CISO say yes more often.

On Monday, Curtis Hutcheson, VP and GM of SonicWall Security Solutions, discussed in his blog the importance of becoming the Department of Yes. Curtis discussed our new approach to IT security, Govern and Protect, where our network-aware identity solutions and our identity-aware network solutions work together to enable organizations to take advantage of better security with less complexity and lower costs. By becoming the Department of Yes, the security team can now easily embrace new, innovative initiatives such as moving to the cloud, BYOD, digital transformation, the internet of things and more.

By governing every identity across the organization with our identity governance, privileged management and access management while inspecting every packet with our next-gen firewalls, secure mobile access, and email security, IT organizations no longer need to say no to supporting new strategic business initiatives.

We believe that our customers should be able to deploy strong identity and access management in concert with robust network security solutions where the two reinforce each other. By making the network security solution identity-aware and the identity management solution network-aware, we can now deliver superior protection and governance while lowering costs.

For more information on how you can open your own Department of Yes, be sure to check out this new SonicWall Security web site.

Is Your CISO Organization the Department of Yes? SonicWall Security Delivers

Businesses are ramping technology investments and capabilities faster than ever. Employees, customers and partners are accessing more applications and data every day. These investments drive enormous value to the business, but also create IT complexity and security vulnerabilities.

Our customers and partners constantly ask us to help them rise to these challenges, to help them deliver innovative initiatives and improve collaboration, while protecting their company. Often, the security risks around these new applications, projects and technologies, force IT to say “NO” to their business partners.

To change this model, we have invested in SonicWall and SonicWall One Identity solutions to help organizations become more innovative and create competitive advantages by driving initiatives such as:

  • Leading your organization to the cloud
  • Deploying BYOD across your organization
  • Enabling a digital transformation
  • Completing stress-free audits

We feel that it's time for a radically different point of view, and SonicWall Security's context-aware, integrated security solutions put us in the unique position to offer organizations the security they need in today's complex IT environment. SonicWall and SonicWall One Identity enable CISOs to govern every identity and inspect every packet, effectively identifying and isolating rogue activity while letting acceptable traffic flow.

These network inspection and identity governance capabilities give organizations the ability to confidently push beyond traditional boundaries while controlling vulnerabilities. We are empowering IT teams to deliver the strategic projects and capabilities that drive your business forward while providing the security you need.

We want to enable the IT security team to become the Department of “Yes.”

SonicWall and One Identity solutions reinforce each other to ensure we’re setting the highest bar for value to our partners and customers.

We’ve created this extensive security portfolio to enable you to:

  • Not only detect but also block advanced threats at the gateway, before they get into your network, with extremely low latency
  • Automatically allow or deny, or step up authentication, for every user access attempt, based on context derived from the network to identify abnormal activity
  • Provision a new employee, partner or contractor in 15 minutes across your enterprise, and de-provision them 15 minutes after they depart
  • Leverage Privileged Account Management controls like password vaulting and session management for those identities who hold the "keys to the kingdom"

As we lead in the market with our innovative solutions, we can help you attain true governance of user and admin access to your network, applications and data and deeper security without compromising performance. We are committed to do all of this, effectively raising productivity and security, without increasing your costs.

For more information on how to start becoming the Department of Yes, explore our new SonicWall Security web site.

Protect Remote Workforce Anywhere, Anytime on Any Device

Every day, we hear terrifying headlines such as this one: 27 million doctors' mobile devices at high risk of malware. Our recent SonicWall Threat Report confirms the increase in malware targeting Android devices. Fortunately, today we are announcing our latest SonicWall Secure Mobile Access 11.4 OS and the SMA 1000 Series, to arm your IT organization with greater security, scalability and the ability to meet compliance standards. With this launch, we deliver more power and speed to remote workers so they can securely access corporate data via policy-based access on any mobile device.

Our new SonicWall SMA 11.4 offers numerous state-of-the-art features. The dynamic Global Traffic Optimizer (GTO) enables thousands of concurrent users to have protected remote access. New regulatory compliance capabilities help meet the strictest security requirements of the latest government regulations. The Management API delivers enhanced workflow, and SAML 2.0 support saves remote workers valuable time. Enterprises like the NFL-champion Denver Broncos are using SonicWall Secure Mobile Access (SMA). I hope you will explore what this solution can do for you and your mobile strategy.

“We increased our return on investment by using SonicWall SRA with SuperMassive next-gen firewall because we offload VPN traffic from our main firewall to the SRA.” Russ Trainor, vice president of Technology, Denver Broncos.

Secure Mobile Access (SMA) 1000 11.4 OS brings the following additional functionality enhancements to this series.

  • Global Traffic Optimizer (GTO) – provides a turnkey approach to delivering massive global scalability of concurrent users while continuing to maintain secure access. This allows customers to better address secure access of data as they face an ever-growing workforce, company expansion to different locations both within country and globally, and proliferation of device types used by workers.
  • Regulatory Compliance – ensures security compliance with the most stringent industry and government regulations, like “Federal Information Processing Standards” (FIPS) and Suite B cipher support. This is crucial in highly regulated organizations to maintain compliance (e.g., Government, Financial, Healthcare, etc.).
  • Management API – gives access to SonicWall’s SMA API. This enables enhanced workflow, orchestration and automation, improving customers’ operational processes, increasing productivity and reducing costs.
  • Enhanced SAML 2.0 support – creates a great end-user experience by allowing Single Sign-On (SSO), eliminating separate sign-on to each SaaS application. This saves the time users would otherwise spend logging on to multiple applications, one at a time.

These key innovations are critical because mobile users often use the same device for both business and personal tasks. Consequently, businesses are at growing risk of security breaches such as:

  • Unauthorized users gaining access to company networks and systems from lost or stolen devices
  • Malware-infected devices acting as a conduit to infect company systems
  • Interception of company data “in-flight” on unsecured public Wi-Fi networks
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access

SonicWall’s Secure Mobile Access (SMA) portfolio solves these problems our customers are facing by providing mobile and remote workers using smart phones, tablets or laptops (whether managed or unmanaged) with policy-enforced SSL VPN access to mission-critical applications, data and resources without compromising security.

In case you missed this, the following key functionality enhancements have already been added across the SMA 1000 line that are especially noteworthy: Centralized Management System (CMS), HTML Clients and Proxies and Personal Device Authorization. 

This entire impressive operating system runs on the SonicWall SMA 1000 Series Models: SRA EX6000, SMA 6200, SMA 8200V (Virtual Appliance), SRA EX7000, SMA 7200, and SRA EX9000.

Our customers are already benefiting from these powerful anytime, anywhere on any device security solutions.

"With SonicWall, we can stay at the forefront of this changing landscape. We have a great business relationship with SonicWall, and its customer service and engineering support was outstanding," said our customer C.J. Daab, Technology Support Coordinator, Hall County School.

Learn more in the SonicWall Secure Mobile Access data sheet.

Chocolate and Network Security: A Match Made in Heaven

I've just finished lunch and something is missing. It was a good lunch too: grilled cheese sandwich and lentil soup (a nod to the chilly, blustery Spring morning outside). I liked my lunch, but now I want a little... I don't know... a little something. What I'd like, truth be told, is a little bit of chocolate. Maybe a small chunk of Ghirardelli's milk, or whoa, how about a lovely Lindt Lindor truffle? Yes, that would be just the ticket, but alas... there's no chocolate in the house.

And what, you may ask, has this to do with Security?

Everything. I assure you. Everything.

Let's say you're a distributor of fine chocolates, candies, gourmet sauces and other foods for the discerning palate. Let's say your business is expanding by leaps and bounds, and your IT infrastructure is increasingly at risk as you get hit with various malware events. No one really thinks of the critical role that IT plays in undergirding the success of gourmet food, but as the wholesale and retail provider First Source knew, without a sound and safe infrastructure they were going to be in trouble. And not only did First Source need an updated security infrastructure to better protect against threats 24×7, they also needed this to happen while improving the speed and quality of its order processing.

As a chocolate craver, let me tell you, I’m so glad First Source put SonicWall Security’s mobile and network security solutions and gourmet food together.

Over a period of 18 months, First Source designed and deployed a company-wide SonicWall next-generation firewall solution, including firewall appliances at each remote location, to act as the gatekeepers for the First Source IT infrastructure.

And wouldn't you know it: the SonicWall solution has not only boosted the company's security, but site-to-site SSL VPN access with load balancing and high-speed internet connections has allowed the company to increase efficiency and collaboration too (read about the other benefits First Source experienced here).

In almost every industry, in almost every location, a solid secure infrastructure undergirds almost all aspects of our lives. Even my chocolate cravings.