Why is Ransomware Still Around?

Ransomware is an advanced form of malware that attempts to get users to pay a fee or a spoofed fine in order to regain access to their device or files. The simplest version places an image on the screen claiming the user downloaded illegal content or is using pirated software and demands payment of a fine under threat of arrest. Other versions, such as CryptoWall or CryptoLocker, actually encrypt all the files on a computer and demand payment in exchange for the key to decrypt them… with some never delivering what they promised. First arriving on the scene in 2005 as an Eastern European threat, it grew into a global attack by the end of 2013.

To help put ransomware into perspective, look at the organizations that have already been hit by an attack. Most victims don’t report these incidents, but some have. The City of Detroit was hit with a ransom of $800K… and didn’t pay. An entire hospital district was hit in nine different locations and had to pay out. Ransomware authors are seeing a payday, and you can expect them to continue until it is no longer profitable. They are sending their code in email, packaging it in files and also placing it on the internet, hoping to lure people in with free content or to pull a bait-and-switch move that could cost a business dearly.

Security organizations have been working tirelessly to stop this attack by building in mechanisms to stop unauthorized encryption as well as creating signatures to stop known attacks from this group of malware. In the chart below you’ll see SonicWall next-generation firewalls blocked nearly 90 million ransomware attempts in May 2016 alone. These happy stats are the result of the hundreds of ransomware signatures actively stopping this attack. So after years of battling ransomware, why is it still an issue? With such a great rate of success from security vendors, why haven’t attackers given up the fight?

Despite our success, you have to keep in mind that signatures only work for the things we know about. We know all the various variants of Locky, Tescrypt, Crowti, and others, but they evolve and change to better evade the defenses of security technologies. The mission for a firewall vendor is to rapidly create new signatures for all of the ransomware variants before any new iterations can victimize businesses. SonicWall has been doing this using a mix of people and technology, but now we have a new tool customers can use that can stop brand-new ransomware versions (and all other malware variants), called SonicWall Capture ATP.

In my next blog, I’ll explain in greater detail how SonicWall Capture works. In the meantime, you might want to read our e-book, How ransomware can hold your business hostage.

Critical Business Threats: Ransomware and Employee Online Shopping

According to a recent PwC survey, 54 percent of respondents buy products online every month. And millions of employees shopped online yesterday with their work devices on business networks. The critical business threat: Will any of your business computers or networks get infected with malware when employees make personal online purchases?

We believe so, and our SonicWall Global Response Intelligent Defense (GRID) network research backs this up.

Good News: Chip Cards Are Working

Research gathered through the SonicWall GRID Network indicates that the new chip-and-sign credit cards and point of sale (POS) systems are more effective than legacy technologies in detecting and blocking breaches. After big data breaches at retailers like Target and Home Depot, many retailers upgraded to chip-based POS systems.

Whenever new malware is discovered, we create a software signature set that is automatically propagated to all of our customers’ firewalls, to help keep their systems safe from attack. In 2014, before the new chip cards and POS systems, our team released 14 new POS-related malware signature sets.

In 2015, this number decreased to nine new POS malware signature sets. And in 2016 to-date, after the broad adoption of chip-based cards and readers, we have only had to release a single new signature.

Bad News: SPAM Is Now a Huge Business Threat

As POS systems have become harder to hack, the bad guys are looking for more efficient ways to steal online. They are falling back on the tried-and-true email-based phishing attack, and personal-shopping phishing emails are now a real threat to your business systems and networks.

Our email security research team observes that SPAM email usually increases in volume significantly during Cyber Week, starting the week before Black Friday, then drops off after Cyber Monday. Our numbers show a dramatic 2x increase in SPAM this year from 2015. In the run-up to Thanksgiving and Black Friday we saw 110 percent growth, increasing to 143 percent growth through Cyber Monday.

One of our SPAM honeypots collected the following data for Cyber Week:

  • Average number of SPAM messages 2015: 33,725 a day
  • Average number of SPAM messages 2016: 82,888 a day

More Bad News: Ransomware Targets Businesses

Increasingly we are finding that if malware makes it into your business network, it will be ransomware. First released in 1989, ransomware can infect your system and lock out users from accessing devices or files. When the victim pays a ransom (usually electronic money or bitcoins) the device can be unlocked by the hackers. Needless to say, ransomware can put your business-critical data and systems at risk.

Network Security Must-Haves

Online shopping will only continue to grow, especially over holidays, so it’s important to be proactive to keep your business systems protected. Along with monitoring employee access and updating policies, here are some must-haves.

  • Ensure your firewall is next-generation with content filtering on, including encryption scanning and packet filters; your goal is to monitor and inspect all incoming data and stop ransomware
  • Consider a cloud-based protection service like our Capture Advanced Threat Protection Service; a good one will speed up your response time, leverage the power of multiple engines to stop zero-day attacks, and automate remediation
  • Manage network bandwidth to limit or stop streaming; streaming is one of the easiest ways to let malware in
  • We strongly recommend EV SSL certificates for every external business website
  • Vet your SSL certificates and sources, to ensure they are publicly rooted and aren’t bringing in malware from the dark web
  • Audit your SSL certificates regularly to ensure they are up to date
  • It goes without saying but back up your data regularly; if ransomware does infect your network you will need to quickly access business-critical data

Online Shopping Safety for Consumers

  • If you don’t have one yet, upgrade to a chip-based credit card
  • Always look for an EV SSL certified logo on sites you shop
  • Use mobile devices (tablets or phones) and shop with store apps from businesses you know and trust; these apps are vetted and tested
  • Avoid shopping on sites with a Windows-based laptop; Windows is the most targeted operating system (OS) for hackers
  • Remain on the site until you complete a transaction; don’t follow redirects
  • Stay current with the latest OS software updates on your devices so you have the latest security patches; always update from the trusted site of the software provider, not a third-party site or a pop up
  • Update your apps regularly, especially ones that you provide sensitive data to: credit card numbers, banking and health information
  • Create complex, hard-to-crack passwords and keep them in a secure place
  • Change your passwords often and keep them hidden, not on sticky notes on your computer

IT Security Done Right Enables State and Local Governments

News reports about new data breaches have become an all too frequent occurrence. But cyber attacks can’t and don’t stop state and local governments from getting on with the business of governing. It’s easy to fall into a state of paralytic fear about attacks and data breaches, but in the meantime, state and local governments need to deliver the services their citizens rely upon, and continue to leverage technology to expand and improve those services.

If IT security is viewed as a defense mechanism by government, and even by security professionals themselves, government doesn’t work as well as it needs to. A more productive attitude is to view security as an enabler of ongoing and new information technology efforts, providing a secure foundation for governments to take advantage of new technologies, provide employees and citizens with the ability to access the services they need from any device, and most importantly, streamline and improve those services.

In other words, we at SonicWall want to help state and local government IT security to become the Department of Yes. Making this change in viewpoint, doing security the right way, is the subject of the Government Computer News article, Take a Positive Approach to Security.

In the article, SonicWall’s Ken Dang goes into detail on how to accomplish this. Improving protection of government assets needs to be coupled with improving legitimate access to resources, which in turn improves efficiency, a key consideration for resource-constrained IT departments. Ken discusses a contextual approach to access, in which requests are evaluated on a case-by-case basis, with the particular user’s specific request placed in the context of the time and place of the request itself.

For the contextual approach to be effective, access information needs to be shared among all the different security devices and solutions throughout the government’s IT. It’s important to have the proper tools to do this – which we’re happy to provide – but it requires breaking down organizational silos, getting people used to the idea that security is done better when the groups responsible for the many different aspects of security cooperate and communicate.

Contextual security particularly mandates this relationship when it comes to networks and user identities. Without transparency and full awareness between the two, the opportunity to improve overall security posture becomes a lost opportunity. But when government IT embraces that transparency and awareness, and leverages its capabilities by inspecting every packet on the network, even encrypted packets (which bear an increasing share of attack exploits) – that’s the path to security done right.
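To make the contextual approach concrete, here is an added illustrative policy evaluator (not SonicWall’s implementation or Ken Dang’s article code). It first checks the static entitlement (who may reach what) and then folds in the time and place of the request and the state of the device, producing an allow, step-up (require a second factor) or deny decision with the reasons attached. The trusted network range, business-hours window, resource sensitivity scores and risk thresholds are all constructed assumptions for the example.

```python
"""Contextual (risk-aware) access decision: identity plus time, place and device.
Added example; rule set, field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed context for the example (assumptions, not real policy)
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]            # on-campus address space
BUSINESS_HOURS = range(7, 19)                             # 07:00 to 18:59 local time
RESOURCE_SENSITIVITY = {"payroll": 3, "email": 2, "gis-maps": 1}
ENTITLEMENTS: Dict[str, Set[str]] = {                     # resource -> groups allowed at all
    "payroll": {"finance"},
    "email": {"staff"},
    "gis-maps": {"staff", "public-works"},
}


@dataclass
class AccessRequest:
    user: str
    groups: List[str]
    resource: str
    src_ip: str
    when: datetime
    device_managed: bool


@dataclass
class Decision:
    action: str                            # "allow", "step-up" or "deny"
    reasons: List[str] = field(default_factory=list)


def on_trusted_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest, entitlements: Dict[str, Set[str]] = ENTITLEMENTS) -> Decision:
    """Step 1: static entitlement decides whether the user may reach the resource at all.
    Step 2: context signals (place, time, device) add risk; the more sensitive the
    resource, the less context risk is tolerated before step-up or denial."""
    if not entitlements.get(req.resource, set()) & set(req.groups):
        return Decision("deny", [f"{req.user} has no entitlement to {req.resource}"])

    risk, reasons = 0, []
    if not on_trusted_network(req.src_ip):
        risk += 1
        reasons.append("request originates outside the trusted network")
    if req.when.hour not in BUSINESS_HOURS:
        risk += 1
        reasons.append("request outside business hours")
    if not req.device_managed:
        risk += 1
        reasons.append("unmanaged device")

    score = risk + RESOURCE_SENSITIVITY.get(req.resource, 2)
    if risk == 0:
        return Decision("allow", ["all context signals normal"])
    if score <= 3:                          # constructed thresholds
        return Decision("allow", reasons)
    if score <= 4:
        return Decision("step-up", reasons)
    return Decision("deny", reasons)


if __name__ == "__main__":
    req = AccessRequest("alice", ["finance"], "payroll", "203.0.113.9",
                        datetime(2016, 11, 14, 10, 0), device_managed=True)
    d = evaluate(req)
    print(d.action, "-", "; ".join(d.reasons))
```

The same user asking for the same resource gets a different answer depending on where, when and from what device the request arrives, which is the point of evaluating requests case by case rather than granting a static yes or no at login.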

Add up all the above, couple it with our cost-effective, easy to install, SonicWall next-generation firewalls and other network security solutions, and IT security for state and local governments moves away from being an obstacle and towards being an enabler of better, more effective and responsive government.

Understand the Risks Online Shopping During Black Friday Poses to Your Network

As I was driving home the other day one of my children spotted a house with old Halloween decorations on it. With the holidays coming, it’s a good reminder of the potential impact they can have on an organization. Black Friday, Cyber Monday and the weekend in between kick off the unofficial holiday shopping season which goes until the end of the year. Add in Thanksgiving and we’re looking at a lengthy period of consumer shopping, much of which is done online.

Let’s take a look at some of the numbers to put this into perspective. According to the National Retail Federation (NRF), in 2015:

  • Holiday sales increased 3% to over $625B
  • Seven in 10 retailers reported an increase in their overall holiday sales revenue
  • 81% saw an increase in online sales
  • Mobile, including both phones and tablets, accounted for 30.4% of online sales
  • Black Friday had the highest sales revenue for 68% of retailers, regardless of channel, while Cyber Monday saw the highest online/mobile sales

The expectation for 2016 is similar – higher sales and an increase in the use of mobile devices for online shopping which is great news for retailers. Interestingly, despite the growth in mobile transactions, the NRF found that online purchases using desktops still brought in the highest transaction size during the 2015 holiday season. Either way, there continues to be a transition toward online purchasing even when consumers collect their items at the store.

In an earlier blog I touched on three potential impacts online shopping by employees during Black Friday and other holidays can have on organizations – loss of productivity, bandwidth consumption and network security. Let’s take a closer look at the effect it can have on security.

No matter the device they use – desktop computer, laptop, tablet or smartphone – anytime employees shop online at work over the corporate network it introduces risk. Inadvertently downloading malware from websites, even those that are known to be legitimate sites, is a very real danger. Hackers are continually finding new ways to develop more sophisticated versions of threats such as viruses, worms, and Trojans that can evade detection. One tactic they use to deliver these threats is phishing emails which lure recipients into clicking on a link in an email that appears to be legitimate. Once the employee complies, the malware is downloaded onto the device and it can spread throughout a network. Phishing emails are very popular during the holidays, often disguised as retailer promotions. According to a Prosper Insights & Analytics Post-Holiday Consumer Survey, 24% of respondents said they visited a website they shopped on last holiday season through an email promotion. Clearly hackers have learned that email promotions are popular with online shoppers.

Another threat you’re likely to hear more about during the holiday season is ransomware. This attack uses malware that denies access to data or systems unless the victim pays a ransom to the cybercriminal. Without access to files, data or entire systems most organizations can’t function. Some victims pay the ransom and if only a few systems are affected the cost can be manageable. But imagine the price if you have hundreds or even thousands of networked devices. It’s enough to put some organizations out of business.

Whether we like it or not, employees will use the devices available to them to shop online during Black Friday and other holidays. When they do it from the office or store, most likely they will use your organization’s network to connect to the Internet and this introduces risk. Fortunately there are steps every organization can take to secure their network and protect themselves and their customers from threats like phishing attacks and ransomware during the holiday online buying season. Deploying a SonicWall next-generation firewall with our Capture Advanced Threat Protection service stops unknown and zero-day threats before they can enter your network.

BlackNurse DDoS Attack Can Interrupt Your Network; Discover How SonicWall Blocks It

Whenever there’s talk of a DDoS (distributed denial-of-service) attack, network administrators think of multiple systems flooding a network device from various locations on the internet. However, when it comes to BlackNurse, a new and quite different type of DDoS, a single laptop can launch the attack and bring down the gateway firewall!

Last week the TDC SOC, the Security Operations Center of Denmark’s telecom TDC, updated its report describing how BlackNurse, a non-traditional DDoS attack, can harm your network. A normal ping flood is based on ICMP Type 8 Code 0 (echo request), whereas BlackNurse uses ICMP Type 3 Code 3 (destination unreachable, port unreachable). The attack overloads the firewall CPU, which in turn causes an increase in dropped packets.

Unlike traditional ICMP flood attacks, BlackNurse can consume low-bandwidth pipes and disrupt the operations of your organization. Whether your uplink speed is 100Mbps or even 1Gbps, BlackNurse is effective even at bandwidths as low as 15Mbps.

The typical impact observed on firewalls is high CPU loads. In such cases users on the company’s local network will no longer be able to send or receive traffic to and from the internet. That’s because the firewall is busy processing the heavy load of incoming packets from the attack.
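The distinction the post draws between an ordinary ping flood (Type 8 Code 0) and BlackNurse (Type 3 Code 3) is exactly what a detection should key on, because the damaging traffic can be low-bandwidth and so will not show up as a bytes-per-second anomaly. The added example below (not SonicWall’s code or the TDC report’s tooling) parses per-packet ICMP log lines in an assumed format, classifies each packet by type/code, and flags any source whose Type 3 Code 3 rate exceeds a per-second threshold. The log format, the sample lines and the threshold value are constructed assumptions; a real deployment would tune the threshold to its normal rate of unreachable messages.

```python
"""Flag an ICMP Type 3 Code 3 (port unreachable) flood, the BlackNurse pattern,
in per-packet ICMP logs. Added example; log format and threshold are assumptions."""
import re
from collections import defaultdict

# Assumed log line format: "<epoch-seconds> <src> -> <dst> icmp type=<t> code=<c>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) icmp type=(?P<type>\d+) code=(?P<code>\d+)$"
)

ECHO_REQUEST = (8, 0)       # ordinary ping, the basis of a classic ping flood
PORT_UNREACHABLE = (3, 3)   # the type/code BlackNurse floods the firewall with


def build_sample_log() -> str:
    """Constructed sample: one source sends 150 Type 3 Code 3 packets within a
    single second; two other hosts send benign pings and occasional unreachables."""
    lines = ["1700000000 198.51.100.7 -> 203.0.113.1 icmp type=3 code=3"] * 150
    lines += ["1700000000 192.0.2.10 -> 203.0.113.1 icmp type=8 code=0"] * 5
    lines += [f"{1700000000 + i} 192.0.2.20 -> 203.0.113.1 icmp type=3 code=3" for i in range(3)]
    return "\n".join(lines)


def parse_icmp_log(text: str):
    """Yield (ts, src, dst, type, code) tuples; silently skip non-matching lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["type"]), int(m["code"])


def classify(icmp_type: int, icmp_code: int) -> str:
    if (icmp_type, icmp_code) == ECHO_REQUEST:
        return "echo-request"
    if (icmp_type, icmp_code) == PORT_UNREACHABLE:
        return "port-unreachable"
    return "other"


def detect_type3_code3_flood(records, threshold_pps: int = 100) -> dict:
    """Return {src: peak packets per second} for every source whose Type 3 Code 3
    count in any one-second bucket exceeds threshold_pps. Echo requests are ignored
    on purpose: they are the classic ping flood, not the BlackNurse signal.
    threshold_pps is an illustrative assumption, not a vendor-recommended value."""
    per_src_second = defaultdict(int)
    for ts, src, _dst, t, c in records:
        if classify(t, c) == "port-unreachable":
            per_src_second[(src, ts)] += 1
    peaks = {}
    for (src, _ts), count in per_src_second.items():
        if count > threshold_pps:
            peaks[src] = max(count, peaks.get(src, 0))
    return peaks


if __name__ == "__main__":
    for src, pps in detect_type3_code3_flood(parse_icmp_log(build_sample_log())).items():
        print(f"possible BlackNurse flood from {src}: {pps} ICMP 3/3 packets in one second")
```

Because the detector counts packets rather than bytes, it catches the case the post describes, a flood that is effective at 15 Mbps or less, which a bandwidth-based alarm would miss; the firewall’s own ICMP flood protection works on the same principle of rate-limiting by packet count.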

Now as a SonicWall firewall owner the first question coming to your mind is: Am I protected against BlackNurse?

The answer is: YES. All you need to do is ensure that “ICMP Flood Protection” is enabled under Firewall Settings in the user interface (see image below). For more information on configuring ICMP Flood Protection, please refer to the SonicOS admin guide.

Screenshot of ICMP Flood Protection screen

According to Akamai’s September 2016 security report, DDoS attacks are on the rise, up 70 percent year over year. The security of our customers is our top priority, and SonicWall takes every measure to protect your network against all threats, DDoS included.

Please stay informed and updated with our SonicWall Threat Research updates here.

Defend Your Mobile Enterprise Network with New SonicWall Secure Mobile Access 12.0

Do you wake up in the middle of the night and wonder, where’s my smart phone, did I leave my laptop in the Uber? In my previous role as VP of Mobility at a top Fortune 500 financial company, like many CISOs, I tackled these issues of loss of intellectual property across my work, every day. Today, we have to cope not only with the misadventures of lost or stolen devices, but are increasingly threatened by malware and now the challenge of targeted attacks, which see mobility as the weakest link.

Advanced threats to mobile and remote users are real and ever evolving, with more sophisticated evasive techniques. Weakly secured remote systems present a rich target for Trojans, keyloggers or spear-phishing attackers to harvest credentials, letting threat actors walk right into the core of a company’s network to plant ransomware or exfiltrate data for sale on the dark net. To compound these challenges, a remote and mobile access service provides the foundation of any business continuity service, so it must be available 24/7; outages are not acceptable.

As a service owner, how do you sign up to such high SLAs? How do you say “Yes” to mobile, yet lock down valuable resources across your mobile enterprise networks?

Today, SonicWall announces the launch of SonicWall Secure Mobile Access Series 1000 12.0 OS. The SMA 1000 Series delivers reliable service across different mobile platforms and enforces the “who, what, where and why” while protecting data from interception on unsecured public Wi-Fi networks.

With its 25-year history of securing over a million networks for a multitude of organizations, SonicWall is recognized for unique innovations that ensure mobile and access security. SonicWall’s Secure Mobile Access (SMA) portfolio provides policy-enforced access to mission-critical applications, data and resources without compromising security. This exciting launch of the SonicWall SMA 1000 Series OS 12.0 allows our customers and partners to immediately leverage the many new SMA 12.0 features, including:

  • Global High Availability – G-HA delivers dynamic scalability and availability. SMA can be deployed within a single data center or across multiple geographically dispersed data centers, delivering the highest redundancy and resilience.
    • Global Traffic Optimizer (GTO) enables a highly available VPN service – Global Traffic Optimizer dynamically allocates users to appliances based on user load from a single global URL. GTO is now enhanced with user redirection to other available appliances, which supports immediate VPN reconnection. It also brings all web traffic under the same highly scalable and resilient web services.
  • Blended SSO technology: enables organizations to use a single pane of glass to access campus resources and SaaS applications in the cloud.
  • Superior security: ensures that the highest security stance is maintained for compliance and data protection by utilizing the latest ciphers and strongest encryption, including the Suite B cryptographic algorithms.


Secure Mobile Access secures many of the largest enterprise networks; the Denver Broncos rely on our robust SMA solution to secure any device, anytime and anywhere.

“We increased our return on investment by using SonicWALL SRA with SuperMassive next-gen firewall because we offload VPN traffic from our main firewall to the SRA.” Russ Trainor, vice president of Technology at the Denver Broncos.

“We are excited with the new SonicWall Secure Mobile Access 12.0 for our mobile enterprise customers. With the new innovation of the Global High Availability which includes the Global Traffic Optimizer, the blended SSO technology and the rules based access control – all available today – we will be able to offer the highest security for our mobile customers.” Lloyd Carnie, CTO at Core – a Premier Partner of SonicWall.

“With SonicWALL, we can stay at the forefront of this changing landscape. We have a great business relationship with SonicWall, and its customer service and engineering support was outstanding.” C.J. Daab, Technology Support Coordinator, Hall County School.

To learn more on the SonicWall Secure Mobile Access product line, please visit here.

What’s Your E-rate Plan? Three Things to Consider

A few weeks ago one of my sons got a new Chromebook at school. The old one had been around for a few years and was rather outdated in terms of the technology. The new version has a touch screen and can be used as a laptop or tablet. Not exactly new to anyone in the tech world, but for a kid it’s pretty exciting. From the school’s perspective, it was clearly time to replace aging hardware and take advantage of the latest technology innovations for learning. In other words, the school had a plan.

Schools and libraries applying for E-rate funds also need to have a plan. I’m not talking about figuring out who is going to complete and file Form 470 and when it should be submitted. This is about understanding your current network infrastructure and how you will use the funds to build a better, faster version that delivers on new initiatives over the next few years. When you’re building out your plan, here are three things you should consider.

  1. Look ahead three to five years. Considering how fast technology changes, three years will keep you on top of new developments although five years is more practical from a cost perspective. E-rate Category 2 services such as firewalls, routers, switches and access points continue to evolve rapidly with new features and faster speeds. For example, today’s firewalls can block threats such as ransomware that the previous generation can’t, and those legacy firewalls are only a few years old.
  2. Don’t let hardware slow you down. The use of online learning in the classroom continues to grow. So too does the use of bandwidth-intensive apps. When evaluating products that will go into your infrastructure, understand how much of your current capacity is being used. Then buffer that by 20% to 30% to plan for future growth. Just as important, make sure any hardware you look at can handle the increase in bandwidth. Otherwise it can become a bottleneck in the network.
  3. Let someone else manage security for you. Something that schools and libraries may not be aware of is that they can outsource security as a Managed Internal Broadband Service within Category 2. This covers services provided by a third party for the operation, management, and monitoring of eligible broadband internal connections components. The good news with this approach is that you won’t incur any upfront capital expenditures, you typically pay a low monthly subscription fee and you have a predictable annual expense model.

School IT directors are frequently tasked with implementing initiatives that help enhance learning in classrooms and across school districts. Often, however, they have to say “No” due to security risks that opening the network poses. So how can IT become a “Department of YES”? When building your plan, look for E-rate eligible products that support initiatives such as secure access to resources, mobility, moving to the cloud, compliance and others. If the products you’re considering can’t enable these securely, then you don’t want to spend your valuable E-rate dollars on them. To learn more about E-rate and how it can be used to purchase eligible security products for your network, read my earlier blog on the topic.

For some schools, building and maintaining a security infrastructure isn’t something they can or want to take on. If that’s the case for your school or district, SonicWall Security-as-a-Service may be the answer. We’ll connect you with a SonicWall-certified partner who’s experienced at installing, configuring and managing a network security infrastructure.

To learn more about SonicWall and E-rate, read our white paper titled, “Technical Considerations for K-12 Education Network Security.”

New SonicWall SecureFirst Partner Program – 100% Security, 100% SonicWall

Today is an exciting day for SonicWall and our channel partners. As part of SonicWall’s transition to an independent company owned by Francisco Partners and Elliott Management, and to affirm our 100% channel strategy, we are launching the new SonicWall SecureFirst Partner Program. We thought long and hard about what to name our new program. So why SecureFirst? SECURE – because for SonicWall, security is our mission – it’s all we do and it’s what motivates us every day – to protect our customers from the constantly evolving cyber threat landscape. And FIRST – because our partners and customers always come first!

SecureFirst is now the way our channel partners worldwide access the entire SonicWall portfolio of technology and solutions – from our best-in-class next-generation firewalls, SonicWall Capture for advanced threat protection, access security, email security and Security-as-a-Service. With SecureFirst, all of these solutions will continue to be available through SonicWall’s network of valued Distributors, so partners can continue to source SonicWall products uninterrupted, in the way they are accustomed. Partners will find several program levels in SecureFirst, allowing them to commit to SonicWall solutions at a level that is right for their security practices. With the different levels of commitment to the program come differentiated levels of rewards and benefits. Central to the new program is Reward for Value, SonicWall’s partner profitability framework that rewards partners for the value they bring to selling, implementing, and supporting SonicWall solutions. Both up-front discounts and back-end rewards have been refreshed with the new program and are optimized for partners growing their security practice with SonicWall. New sales and technical enablement will become available, as well as new programs to help partners leverage greater services and support opportunities with their SonicWall solutions. When you add it all up, SecureFirst has the horsepower to deliver high-performance and deep security solutions with unparalleled protection for your customers, while driving accelerated reward and value for your business.

Sign up for SecureFirst today. We encourage all partners – whether you are legacy SonicWall, legacy Dell or a new partner looking to onboard with SonicWall — to enroll in the SecureFirst Partner Program.  The process is simple and straightforward. Further details can be found at the new partner website www.sonicwall.com/partners.

With a twenty-five year legacy as a security industry leader, we couldn’t be more excited about the launch of the new program. Partnering has always been at the heart of SonicWall’s strategy, and the partner program is an important part of that. But equally important are the commitment we make to the channel, the deliberate dependence we have on our partners, and the entire SonicWall team of security professionals that is dedicated to the success of our partners and their customers. These things will never change. They are just as much a part of the new SonicWall as they’ve always been. Thanks for investing in your partnership with the new SonicWall. As always, we want to hear from you. Find us on Twitter @SonicWall and @sppataky.

“We are pleased that the Secure First Partner Program rewards committed partners for the value they provide to customers, provides sufficient product margin and rebates, and offers discounted training and incentives for new SonicWall partners to grow their SonicWall practice.

Western NRG has been working with SonicWall exclusively for over a decade. We provide customers with custom-fit SonicWall configuration, ongoing appliance management, network reporting, and expert network security support. We are excited for what lies ahead as SonicWall begins this new chapter and continues to deliver the world’s best security solutions,” said Timothy Martinez, President and CEO of Western NRG, Inc.

“For over a decade, SonicWall has been such a great and valuable partner across Latin America. A channel-centric vendor that provides profitable growth opportunity for us and our resellers on the cyber security segment helping small, medium and large customers to protect their infrastructure and applications,” said Rafael Paloni, President Latin America, Network1 ScanSource.

Infographic: 300 Companies Defend Their Data from Zero-Day Threats with SonicWall Capture

To understand how SonicWall Capture Advanced Threat Protection Service (ATP) protects the average company we looked at the data for 300 networks. SonicWall Capture ATP examines suspicious code and files to discover never-before-seen zero-day attacks.  So, in one day, how many of these new variants did Capture find?  See the infographic below to see what you could be up against without it. Read more about SonicWall Capture in my earlier blog: We are Sparta; the Battle to Defend Our Data From Invaders. Already a fan of SonicWall Capture? Share the infographic with your followers.

Infographic on zero-day threats

Fears rise after Dyn’s DDoS attacks. How can you prepare yourself?

The recently publicized Distributed Denial of Service (DDoS) attacks on the Domain Name System (DNS) service provider Dyn involved large numbers of IoT (Internet of Things) botnets. These attacks took many high traffic websites such as Twitter, Spotify and Netflix temporarily offline.

Contrary to conventional wisdom, recent reports suggest this attack could be the largest of its kind carried out by amateur hackers rather than by more sophisticated actors. This was made possible by an anonymous developer of the Mirai malware who recently published the source code as open source on the underground hacker network. This is the black marketplace on the web where skilled cyber criminals share content, innovate, enhance their skills and offer their expertise and malicious code to lesser-skilled criminals. Criminals do not even have to code today; there is an entire support system in place to enable hacking campaigns like this one. The Mirai-based DDoS attack serves as another harsh reminder never to be complacent with our security model.

It is very clear the evolving threat environment has a profound effect on the way we manage security risks with respect to vulnerabilities in the security of IoT devices. It is estimated that the number of these devices connected to IP networks will nearly triple the size of the global human population by 2017. More than 9 billion devices are already connected to the internet today. By 2020, that will increase to the range of 20 to 50 billion, according to reports from Gartner, IDC and others. What we should anticipate is a highly intricate Wi-Fi-controlled network of devices such as digital wearables, thermostats, light controls, vending units, and all sorts of smart appliances that could live everywhere inside our homes, public places, retail spaces, and work environments. What we all need to remember is that the vast majority of these devices are not designed with a focus on good security coding practices. In fact, a very large percentage of these devices have known vulnerabilities within their firmware that can easily be exploited by advanced malware such as Mirai. The questions to ask are (1) how many of these may be connected to your Wi-Fi network, and (2) what risk may your organization already be exposed to today?

Let’s face it, attack methods are changing all the time and, frankly, very quickly.  IoT-based attacks are one of the fastest growing and most prevalent DDoS attack vectors in 2016.  Many organizations are challenged with understanding their risk profile, what risks to focus on, and where to put more of their security, people and resources to better secure their environment from various types of cyber-attacks.  Unlike ransomware or zero-day threats, DDoS attacks are commonly used for the purpose of extortion.  Although it is still unclear what the primary motivation was behind the Dyn attack, it’s plausible to think that money could be the ultimate endgame.  As Dyn and other organizations face potential Mirai-based attacks in the future, it wouldn’t be unusual for victims to receive advance warning of an imminent DDoS attack if a demand for money is not met.  So rather than taking a wait-and-see position with your security model, below are four key steps you can take to immediately reduce your risk profile.

Change the conversation from security to risk.

How would you respond if someone asked you whether your organization is secure?  The real answer is no in today’s world.  In light of what happened with Dyn and Krebs on Security, I encourage you to think about what you’ve been doing in your security programs, whether they are still effective and whether you are as secure as you can be.  The reality here is that we’re dealing with unpredictable risks.  The question of whether or not you’re secure is not the ideal question.  The appropriate question should be about your risk.  Understanding where your risks are and which risk areas you cannot tolerate allows you to make a realistic, accurate assessment of your security model and of which parts of your environment need continuous focus.

Understand who is attacking you.

It is essential to understand the adversary’s focus and what attack methods the hacker is likely to use against your specific organization, and to make sure you’re not trying to spread security evenly, as this weakens security where it needs the most focus.  Is the attacker after your data or attempting a service disruption?  You want your security to be laser focused on the risk areas for which you have zero to low tolerance, while allowing security to be less deep and less focused in areas where you have a greater degree of tolerance.  Fundamentally, you have to accurately define the areas your adversaries are going after and where you’re going to put your people and technology.

Establish and rehearse your response and remediation plan.

We should accept the reality that it’s not a matter of if, but when, we’re going to be attacked.  Therefore, establishing a strong and repeatable response and/or remediation plan is paramount to returning to optimal capacity and preserving your brand reputation.  Having a sanctioned plan and process in place to get things under control when they go from bad to worse prepares everyone on the response team to understand their roles and what they’re going to do during an attack.  You need to test your plan regularly, conduct simulations as you would a fire drill, improve the process, and get first responders to be more efficient and well trained to execute the remediation plans as designed.  It can be a disaster recovery of the environment, quickly locking down compromised areas, or spinning up secondary resources.  This way everyone knows their role and understands what needs to be done.  It’s also very important to involve non-technical responders such as PR, marketing, and legal to establish how they will respond and communicate on the business side to help maintain customer confidence and avoid any regulatory risks.  All of these must be well thought out in advance.

Reduce your attack aperture.

Predominantly, DDoS floods use UDP as the underlying mechanism, and it remains one of the most common flood mechanisms today. Typically, attackers target random UDP ports on a victim. NTP, DNS and SNMP are more susceptible because they are among the most commonly and widely used protocols.  UDP floods use targeted mechanisms to exhaust a target machine’s or group’s resources to the point that the end device can no longer serve legitimate traffic. Because UDP has no handshake like TCP’s for legitimate connections, the protocol is a favorite of attackers for spoofing the source IP address and redirecting attack responses to any destination. The attack can be amplified when large responses are redirected toward a target, as in the DNS amplification attacks on Dyn.

There are flood protection mechanisms on SonicWall firewalls to reduce the aperture for attacks via UDP, SYN and ICMP.

The UDP flood protection mechanism can be used to mitigate these attacks by setting a “healthy” baseline threshold value for traffic originating either from outside or from within. Of course, if the attack were using an anomaly in the protocol itself, the SonicWall DPI engine would protect against it. Baseline thresholds can be set for SYN floods and ICMP floods as well. Proper source IP and destination IP connection limits can be set on access rules to limit the number of connections to a particular destination. Combined with Geo-IP and Bot-Net (command and control center) filtering, this adds a further layer of protection.
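To make the three controls concrete (a per-destination baseline packets-per-second threshold, a per-source connection limit, and recognition of the reflector/amplification pattern described above), here is an added example that is not SonicWall code and does not model its firewall. It runs over constructed flow records; the IP addresses, port numbers, byte sizes and threshold values are all assumptions chosen for illustration.

```python
# Added example (not SonicWall's code): baseline-threshold detection of UDP floods,
# per-source connection limits and reflector/amplification traffic over constructed flows.
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}  # services named in the text

# Constructed flow records: (second, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = (
    # legitimate traffic: a few DNS lookups from an internal host
    [(0, "10.0.0.5", 40000 + i, "10.0.0.53", 53, 70) for i in range(3)]
    # flood: one source hitting random high ports on the victim within second 1
    + [(1, "198.51.100.9", 1024 + i, "203.0.113.10", 2000 + i, 60) for i in range(40)]
    # amplification: many distinct DNS reflectors send large replies to the victim in second 2
    + [(2, f"192.0.2.{i}", 53, "203.0.113.10", 5353, 3000) for i in range(1, 13)]
)

def udp_flood_destinations(flows, baseline_pps):
    """Return {dst_ip: peak packets/second} for destinations above the baseline threshold."""
    per_second = defaultdict(int)
    for sec, _src, _sport, dst, _dport, _size in flows:
        per_second[(dst, sec)] += 1
    peak = defaultdict(int)
    for (dst, _sec), count in per_second.items():
        peak[dst] = max(peak[dst], count)
    return {dst: n for dst, n in peak.items() if n > baseline_pps}

def sources_over_connection_limit(flows, max_flows):
    """Return {src_ip: distinct flows} for sources exceeding a per-source connection limit."""
    flows_per_src = defaultdict(set)
    for _sec, src, sport, dst, dport, _size in flows:
        flows_per_src[src].add((sport, dst, dport))
    return {src: len(s) for src, s in flows_per_src.items() if len(s) > max_flows}

def amplification_victims(flows, min_reflectors, min_avg_bytes):
    """Return {dst_ip: (reflector_count, avg_bytes)} for hosts receiving large replies
    from many distinct reflector-service sources: the DNS amplification pattern."""
    per_dst = defaultdict(lambda: [set(), 0, 0])  # reflectors, total bytes, packets
    for _sec, src, sport, dst, _dport, size in flows:
        if sport in REFLECTOR_PORTS:
            entry = per_dst[dst]
            entry[0].add(src)
            entry[1] += size
            entry[2] += 1
    return {dst: (len(refl), total // n) for dst, (refl, total, n) in per_dst.items()
            if len(refl) >= min_reflectors and total // n >= min_avg_bytes}

if __name__ == "__main__":
    print("flooded:", udp_flood_destinations(SAMPLE_FLOWS, baseline_pps=20))
    print("over limit:", sources_over_connection_limit(SAMPLE_FLOWS, max_flows=25))
    print("amplified:", amplification_victims(SAMPLE_FLOWS, 10, 1000))
```

In practice the baseline values come from observing your own normal traffic, which is the “healthy” threshold the text refers to; a threshold set below that baseline will drop legitimate traffic.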

For more information on SonicWall’s Next-Generation Firewall, and how it can help you focus on key risk areas and best prepare your organization for the next attack, contact a SonicWall security expert. To learn more, you can also download Achieve deeper network security and application control.