SonicWall SMA OS 8.6 Delivers Seamless Remote Access Using Web-based Access Methods

Smartphones, laptops and internet connectivity have become necessities of life. We move around with powerful computing devices in our pockets or backpacks. This “on-the-go” lifestyle has transformed the way we work. Employees today want on-demand access to resources and the ability to be productive from anywhere. Organizations too are embracing cloud and mobile, and allowing employees to use their personal devices for work. This is a win-win situation for employees and organizations, but also a big challenge for IT departments. IT has the daunting task of providing secure access to corporate resources without exposing the organization to risks such as:

  • Unauthorized users gaining access to company networks and systems from lost or stolen devices
  • Malware and ransomware infected devices acting as a conduit to infect company systems
  • Interception of company data in-flight on unsecured public WiFi networks
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access to that data
  • The ability to react as quickly as possible to minimize the window of exposure before an attacker can potentially cripple the organization

To address these risks and empower IT, SonicWall Secure Mobile Access (SMA) solutions with policy-enforced SSL VPN deliver seamless remote access with the highest standards of security. SMA OS 8.6 expands the feature set on the Secure Mobile Access (SMA) 100 Series appliances with enhanced security and intuitive features that deliver the best experience for remote access.

  • Microsoft RD Web Access integration – Admins can now choose to offload applications published on the RD Web Access portal onto any web browser. This new feature gives users seamless access to remote desktops and applications through a web browser.
  • Enhanced security – SMA uses an in-house connect agent to establish a secure connection for RD Web Access without needing to set up a VPN tunnel. The agent has no dependency on Java or Active X.
  • Driverless printer redirection – Print files from remote desktops seamlessly, just like printing a local file. Files on remote desktops can be published as a PDF on your local machine and printed locally.
  • Modernized UI – A refreshed UI that is even more intuitive for users and admins. The firmware conforms to the new SonicWall branding guidelines.

Customers with an active support contract can download SonicWall SMA OS 8.6 from mysonicwall.com.

The Seven Habits of Highly Effective Ransomware Attacks

In 2016, SonicWall detected a 600% growth in ransomware families. We saw a wide range of ransomware forms and attack vectors in the 2017 Annual Threat Report; some successful, others not so much. So, what is at the core of any successful attack? If you understand the seven components of a ransomware campaign strategy, you can better defend yourself against one of the most pernicious forms of malware in history.

1. Intelligent target research

Any good scammer knows how to find the right people in an organization to target with the right message. Hackers know that municipal governments and healthcare organizations are ripe targets. Even though organizations provide awareness education, people still click on cleverly crafted social media posts and emails. In addition, hackers can go to any public lead generation database and find the right set of victims for a phishing campaign.

2. Effective delivery

Since 65 percent of ransomware attacks arrive through email, a scammer can easily send an infected attachment to someone in accounts payable claiming it is an unpaid invoice. A similar attack brought BWL of Lansing, Michigan to its knees for two weeks and cost the utility provider around $2.4M USD. Second, sensationally titled social media posts with a far-fetched photo are great at funneling people to infected web destinations, which make up roughly 35 percent of successful attacks.

3. Good code

Because companies are bolstering their security strategies, attackers focus on ways of circumventing them. First, aggressive hackers update their code frequently to get past signature-based countermeasures. Second, the code has several built-in evasion tactics to sneak past advanced defenses such as network sandboxes. Cerber’s code provides a great example for other attackers to model. Malicious code authors are hoping the target does not deploy a multi-engine sandbox like SonicWall Capture Advanced Threat Protection, which is much more difficult to evade. Third, the code worms from system to system to create as much havoc as possible and therefore increase the potential payoff.

4. Great understanding of infected systems

Any good hacker will know what he/she has infected and therefore ask for an appropriate ransom. Endpoints such as a laptop are worth $1K, servers $5K and critical infrastructure as high as hundreds of thousands of dollars. Hackers hope that their targets do not have segmented networks, so they can infect multiple systems within a single attack. They also rely on inconsistent backups for a higher “customer conversion rate.”

5. Patience & persistence

In order for organizations to stay safe from an effective attack, they have to be right all the time. Attackers only have to be right once. Although awareness, security and consistent backups are the essential ingredients of ransomware defense, they are not perfect. This is why good hackers keep trying, repackaging code into different delivery mechanisms and exploit kits.

6. Good customer support

The best ransomware variants have good customer support channels. Attackers use them to negotiate with victims and assure them that they will get their data back if they pay.

7. Good payment management

Although some ransomware variants have used other forms of payment, bitcoin is still the best choice. Bitcoin is easier to obtain and exchange, so ransomware attacks have a higher payout ratio against consumers with infected endpoints. To limit the risk of a bitcoin wallet being compromised, hackers rotate the email address associated with a specific wallet, which also pressures victims to pay more quickly.

I hope these notes help you understand what is in the mind of an attacker who may be targeting your industry or organization. Use these tips to develop a good anti-ransomware and anti-malware strategy. For more information, please watch this webcast: How To Protect Your Organization From Ransomware.

Decryption Wars: The Cyber Arms Needed to Fight the Dark Side of Encryption

For those following along, over the past two months there have been several reports, warnings, blogs and other industry analyses suggesting that HTTPS inspection by security companies is actually weakening security. Those that know me well know that I am a huge proponent of performing HTTPS inspection. I found myself arguing against the recommendations of various advisories that suggest the very thing I have been saying, or rather preaching, for the past several years was now bad.

To start at the beginning, I suggest you examine the root of this challenge: HTTPS traffic and why it is what it is. There are several reasons why we all wound up surfing an encrypted internet, and while some would blame various breaches, scandals and/or privacy concerns, the result is the same. The vast majority of the sites that we surf on the internet today are encrypted. This rightly includes things like banking and e-commerce sites, but it also includes all things social media and web mail. Even a simple internet search is now encrypted within an HTTPS session. Some would argue emphatically that this is a great leap forward for privacy, and that of course includes privacy for the bad guys.

That’s right, in this mad rush to encrypt the internet we have seemingly encrypted all the threats that go along with it. In fact, if you really think about it, every major breach in the past five years either leveraged a malicious payload inside encrypted communication or was carried out against encrypted traffic. This of course includes attacks such as spear phishing and ransomware embedded in encrypted webmail. Here are a few of the stories that recently got a lot of press:

  • The OPM Breach, March 2014 – resulted in approximately 18 million people having their personal information (including background data on individuals possessing classified and top secret clearances) leaked all over the web. The breach occurred because internal OPM employees were compromised when accessing their personal webmail accounts through malicious attachments, which were obviously encrypted and thus went uninspected.
  • The breach of the DHS, FBI and Justice Department of the United States, February, 2016 – when nearly 30,000 agents had their personal information leaked online due to a single compromised email account.
  • Snapchat breaches (yes, plural: two big ones – 2014 and 2016) – these breaches resulted in millions of users as well as Snapchat employees having their personal details released.
  • My favorite, the Ashley Madison Breach, 2015 – caused by a spear phishing campaign that resulted in a brand new, perfect hit list of only 37 million users.
  • The IRS Breach (I know, there are a few to choose from) in 2015 – exposed over 700,000 Social Security numbers just by normal processes embedded within the HTTPS site.
  • The Yahoo Breach, 2014 – caused by a single employee getting spear phished and resulting in leaking of over 1 billion accounts, passwords, and secret question information.

Again, in each of these breaches, and thousands more I didn’t list, the attack was carried out either by compromising the actual encryption of the sites of these companies, or by delivering malicious content through typically encrypted communications like webmail and social networking sites. The baffling part is that the vast majority of these breaches could have been prevented by proper security procedures, certainly some end user training and, yes, inspecting within the encrypted communications.

Here is where things get confusing and somewhat argumentative, thus the decryption war.  In order for security vendors to inspect the encrypted connection or payloads within the encrypted session itself, they must act as a man-in-the-middle and essentially break the encrypted session between the client and the destination site or service.  That is the rub to various providers who are attempting to ensure the privacy of the end user client connection, when here comes the security vendor to break that encryption deliberately to look inside.  The providers lock it up, the security vendors break it open.

In some cases, this level of inspection is even mandated by federal law. It’s required to block things like pornography in K-12 schools, and there are serious consequences if an organization fails to do so. I am not just talking about blocking a notorious URL of a popular site; remember when I wrote above that even internet searches are encrypted. Well, go to your favorite search engine, select to search by images and enter the dirty word of your choice. At this point, assuming you don’t have safe search enabled, you may be surprised at how well your search engine works to find things. But again, if you want to keep little Timmy off those search results, HTTPS inspection is paramount.

Yes, I am sure that I will hear pushback by some that say that the privacy of end user computing is more important than keeping little Timmy off of some adult images, but let’s look at another aspect, the enterprise.

Assume that the large banking institution that manages your entire life’s savings hires a new employee bent on getting rich quick. In this economy that is not a stretch to imagine. One day, while working late, they open a file containing the top 1,000 most lucrative accounts, including yours, and upload it to their personal cloud storage drive or webmail account, which is obviously fronted by HTTPS. How can the bank’s data leakage policies be effective if they can’t inspect inside the HTTPS traffic?

Another example, you say? Okay, what about a harmless little scenario involving a small county government. Believe it or not, county and municipal networks hold a lot of personally identifiable information that may pertain to you: county records, medical information, employment records or even tax information. Let’s assume an employee of the county falls for a spear phishing scam in their email or instant message application that unlocks and exfiltrates all of the information about you that should have been safeguarded. Are you okay with that?

The truth is simple. If you are not inspecting your encrypted communications, then you are essentially blind to more than sixty-five percent of your overall internet usage. Think about that. To put that math into simple numbers, if you have a 100 Mbps internet connection, then on average you may have 65 Mbps that you are not safeguarding. That equates to roughly seven full-length DVDs’ worth of data an hour. So, the real question you should be asking is, “Do I feel lucky?”

In defense of the data providers, security vendors do have a responsibility to ensure that, while they are inspecting and acting as a man-in-the-middle, they are not weakening the overall encryption level of the connection. Meaning they must not substitute weaker forms of encryption for stronger ones, and some security vendors are in fact doing this. However, from the security vendor perspective it is absolutely absurd that any network should inherently trust providers. This applies directly to providers rushing out new forms of encryption that the security industry cannot yet inspect or protect. The only result will be allowing more threats into the network. I am sorry, providers, I refuse to simply trust you completely when it is readily proven that you are not always 100% secure. With that, I will always inspect my encrypted traffic, and as a seasoned cyber warrior, I will always err on the side of caution.
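The responsibility described above can be checked rather than taken on faith. The script below is an added example, not SonicWall’s code or anything from the article: it opens a TLS connection from a client inside the inspected network, reads the protocol version, cipher suite, key length and trust status that the client actually negotiated (which, behind an inspecting proxy, is the proxy’s side of the session), and grades them against a minimum policy. The policy thresholds, the `example.com` default target and the probe function name are assumptions for the example; run it from inside and outside the inspection path and compare the two results to see whether the middlebox has weakened anything.

```python
"""Verify that an HTTPS inspection path has not weakened a TLS session.

Added example (not SonicWall code). Connects through whatever path the local
network imposes and grades the negotiated parameters against an assumed
minimum policy. Run inside and outside the inspected network and compare."""
import socket
import ssl
import sys

# Assumed policy thresholds; adjust to your organisation's standard.
MIN_TLS_VERSION = "TLSv1.2"
MIN_KEY_BITS = 128
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

_VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def evaluate_session(version, cipher_name, key_bits, chain_trusted):
    """Grade one negotiated session. Returns a list of findings; an empty
    list means the inspection path preserved the policy minimums."""
    findings = []
    if _VERSION_RANK.get(version, -1) < _VERSION_RANK[MIN_TLS_VERSION]:
        findings.append(f"protocol {version} is below policy minimum {MIN_TLS_VERSION}")
    upper = cipher_name.upper()
    weak = [m for m in WEAK_CIPHER_MARKERS if m in upper]
    if weak:
        findings.append(f"weak cipher suite {cipher_name} (matched {', '.join(weak)})")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"symmetric key length {key_bits} bits is below {MIN_KEY_BITS}")
    if not chain_trusted:
        findings.append("certificate chain is not trusted by the local store "
                        "(inspection CA missing, or certificate substituted)")
    return findings


def _handshake(host, port, timeout, verify):
    """Perform one TLS handshake and return (version, cipher name, key bits)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return tls.version(), name, bits


def probe(host, port=443, timeout=5.0):
    """Connect to host and grade the session as seen from this client."""
    try:
        version, name, bits = _handshake(host, port, timeout, verify=True)
        trusted = True
    except ssl.SSLCertVerificationError:
        # The chain failed validation. Reconnect without verification only to
        # read the parameters that were offered, and report the trust failure.
        version, name, bits = _handshake(host, port, timeout, verify=False)
        trusted = False
    return {"host": host, "version": version, "cipher": name, "bits": bits,
            "trusted": trusted,
            "findings": evaluate_session(version, name, bits, trusted)}


if __name__ == "__main__":
    for target in sys.argv[1:] or ["example.com"]:  # assumed default target
        result = probe(target)
        status = "OK" if not result["findings"] else "FINDINGS"
        print(f"{result['host']}: {result['version']} {result['cipher']} "
              f"{result['bits']}-bit trusted={result['trusted']} -> {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

A session that grades clean from outside the network but reports a lower protocol version, a weaker suite or an untrusted chain from inside is the signature of an inspection device that is substituting weaker encryption, which is exactly the behaviour the advisories complain about.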

Trust, but verify.

Download a Solution Brief: Best Practices for Stopping Encrypted Threats

Evolution of Email Threats: The Rise of Ransomware, Spear Phishing and Whaling Attacks

Email has been around since the 1970s. Today, everyone and every business uses email for their communications. To put things in perspective, according to Radicati group – 122 business emails were sent and received per user per day in 2015! That is a lot of email for humans to process without making a bad judgement call. It has also become the vector of choice for threat actors to initiate advanced phishing campaigns.

Spam emails were the first form of email-borne threat, and the first documented email spam attack happened in 1996. Spam was unwanted mail that clogged up people’s inboxes. Malware was sent using spam emails to try to get confidential information or exfiltrate data, but spam was generally seen as more of an annoyance.

Over the years, email-borne threats have transitioned to disruption of businesses and services. Today the attacks are more sophisticated and targeted, resulting in financial and reputation loss. It has become easy for hackers to monetize their attacks using zero-day malware, which is available on the dark web marketplace. Attacks such as ransomware and spear-phishing have a direct impact on an organization’s bottom line.

Early on, threat actors used phishing tactics and sent mass email campaigns to try to dupe unsuspecting victims. These were mass email campaigns with a low success rate. Today, attackers carry out targeted and focused tactical email campaigns as part of a spear phishing attack, and social engineering plays a big part in these campaigns.

Reports indicate that phishing campaigns now deliver ransomware, and that zero-day malware is the next evolution in phishing. According to the 2017 SonicWall Threat Report, the most popular payload for malicious email campaigns in 2016 was ransomware, and the trend is expected to continue throughout 2017.

The top email-borne threats today are – ransomware, spear phishing and whaling or business email compromise.

Ransomware

Ransomware is a type of malware (usually zero-day or otherwise unknown) that is designed to encrypt data and block access to a computer system until a sum of money is paid.

According to a study conducted by the SANS Institute, ransomware delivered through phishing emails has emerged as the most identified type of attack for those organizations that had experienced a breach. This is in line with the findings of the 2017 SonicWall Threat Report, in which ransomware was found to be the payload of choice for malicious email campaigns.

Another study, conducted by the Osterman Research group, shows that nearly one-half of companies in North America were victims of ransomware in the last 12 months. And no surprises here: nearly 60% of ransomware was delivered through email, either using malicious links or malware-ridden attachments.

Ransomware is quickly becoming an epidemic for organizations worldwide.

Spear Phishing

Spear phishing attacks are targeted socially engineered campaigns designed to trick unsuspecting employees. Attackers create fake profiles on social media and networking sites to gather information and launch targeted email attacks in the future.

According to the SANS 2016 Threat Landscape Survey, spear phishing and whaling are significant forms of attack reported. Another survey, by Cloudmark, estimates that the cost of a spear phishing attack is 1.6M, and 73% of companies acknowledge that spear phishing poses a significant threat.

Business Email Compromise (BEC)

BEC emails spoof trusted domains and imitate brands and corporate identities. In many cases, the emails appear to come from a legitimate trusted sender or from the company CEO, typically asking for a wire transfer of money.

According to the FBI – BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

This is a very real and growing issue. The FBI has put up a public service announcement saying that BEC is a 3.1 billion dollar problem. Even the IRS has recently put up a notice on its website to educate people regarding this form of threat.
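The spoofing patterns this section describes (a display name that borrows a trusted identity, a lookalike of the company domain, and a Reply-To that quietly redirects the conversation) can each be checked in a mail filter before a message reaches the finance team. The script below is an added example, not SonicWall’s code or anything from the article: it takes a From header and an optional Reply-To header and returns a list of findings. The company domain `example.com`, the protected executive names and the sample headers are all constructed for the example, and the confusable-character table is an assumption covering only the most common substitutions.

```python
"""Flag business email compromise (BEC) sender spoofing in From/Reply-To headers.

Added example, not SonicWall code. Domain, protected names and sample
messages are constructed for the example."""
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # constructed company domain
PROTECTED_NAMES = {"jane doe", "john smith"}    # constructed: identities often impersonated

# Character substitutions commonly used to build lookalike domains (assumed, partial list).
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Fold confusable characters so a lookalike collapses onto the genuine domain."""
    d = domain.lower()
    for fake, real in _CONFUSABLES:
        d = d.replace(fake, real)
    return d


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so a typosquat with one swapped letter pair costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def is_lookalike(domain):
    """True when domain imitates OUR_DOMAIN without being it."""
    if not domain or domain == OUR_DOMAIN:
        return False
    return normalize_domain(domain) == OUR_DOMAIN or osa_distance(domain, OUR_DOMAIN) <= 1


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_sender(from_header, reply_to_header=None):
    """Return a list of findings for one message; empty means no spoofing pattern matched."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = _domain_of(addr)

    # 1. Display name contains an address whose domain differs from the real sender.
    m = re.search(r"[\w.+-]+@[\w.-]+", display)
    if m and _domain_of(m.group(0)) != domain:
        findings.append(f"display name shows {m.group(0)} but the sender is {addr}")

    # 2. A protected identity used from outside the company domain.
    if display.strip().lower() in PROTECTED_NAMES and domain != OUR_DOMAIN:
        findings.append(f"protected name '{display}' sent from external domain {domain}")

    # 3. Sender domain is a lookalike of the company domain.
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of {OUR_DOMAIN}")

    # 4. Reply-To redirects replies to a different domain, possibly a lookalike.
    if reply_to_header:
        reply_domain = _domain_of(parseaddr(reply_to_header)[1])
        if reply_domain and reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {domain}")
        if is_lookalike(reply_domain):
            findings.append(f"Reply-To domain {reply_domain} is a lookalike of {OUR_DOMAIN}")
    return findings


# Constructed sample headers for a stand-alone run.
SAMPLES = [
    ('"Jane Doe" <jane.doe@example.com>', None),
    ('"Jane Doe" <jane.doe.ceo@webmail.test>', None),
    ('"John Smith" <john.smith@exarnple.com>', None),
    ('"jane.doe@example.com" <invoice@supplier.test>', None),
    ('Accounts Payable <ap@example.com>', '<ap@exmaple.com>'),
]

if __name__ == "__main__":
    for from_hdr, reply_hdr in SAMPLES:
        result = analyse_sender(from_hdr, reply_hdr)
        print(f"{from_hdr!r}: {'clean' if not result else '; '.join(result)}")
```

The checks are deliberately header-only so they can run at the gateway before any attachment analysis; in practice they sit alongside SPF, DKIM and DMARC verification, which catch the case where the attacker uses the genuine company domain outright rather than a lookalike.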

Today’s advanced threats require a new set of email security features in addition to the traditional capabilities. A multi-layered email security solution is needed to protect business communications. Businesses need a next-generation email security solution that offers comprehensive threat prevention capabilities.

Read our solution brief: What Your Next-Gen Email Security Needs to Stop Advanced Threats – to learn what your email security solution needs to block today’s advanced email-borne threats.

Why Defeating Encrypted Threats Should Be Your Top Priority

Times are extremely restless for security teams as they face highly motivated adversaries and the onslaught of very active and progressive cyber-attacks. Today’s hacking techniques are stealthy, unpredictable in nature and waged by skillful attackers capable of developing innovative ways of circumventing security defenses. One newer and increasingly popular technique that is becoming the status quo among malware writers today is the malicious use of encryption. Using encryption protocols such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL), attackers now encrypt malicious payloads and command and control communication to evade detection. I offer some helpful tips to overcome these threats.

Based on a small sample of threat data recently collected by NSS Labs’ BaitNET™ test environment [1], the malicious use of encryption soared nearly 13,000% in 2016 compared to 2014. Moreover, information gathered by VirusTotal and SSL Blacklist reveals that the number of malware families using encryption increased almost 5,700%, and command and control communications involving these malware families leaped 20,000% in Q4 of 2015 [2]. Although the sample size may be small, considering it came from a single test harness, it does accurately reflect the tens of millions of systems across tens of thousands of organizations making TLS/SSL connections that are subject to the unseen harm caused by encrypted threats.

Organizations that choose not to (or whose firewall is limited in its ability to) inspect encrypted traffic are missing a lot of the value of their security systems.  When there is no visibility, they are unable to view what is inside that traffic, spot malware downloads, identify ransomware and see the unauthorized transmission of privileged information to external systems.  With the rise of encrypted attacks threatening mobile devices, endpoint systems and data center applications, it is imperative that organizations quickly establish a security model that can decrypt and inspect encrypted traffic and neutralize the danger of hidden threats.  Otherwise, they cannot stop what they cannot see.

To make matters more problematic, the majority of current firewalls are inadequate in their ability to handle encrypted threats, because decrypting and inspecting encrypted traffic can create performance problems. The two key areas of TLS/SSL that affect inspection performance are establishing a trusted connection and decryption/re-encryption for secure data exchange. Both are very complex and compute intensive, because each TLS/SSL session handshake consumes 15 times more compute resources [3] on the firewall side than on the client side. Most firewall designs today do not provide the right combination of inspection technology, hardware processing power and scalability to handle the exponential increase in computing capacity required. Therefore, they often collapse under the heavy load and eventually disrupt business operations. According to NSS Labs, the performance penalty on a firewall when TLS/SSL inspection is enabled can be as high as 74% with 1024-bit ciphers and 81% with 2048-bit ciphers [4]. In other words, your firewall performance degrades to an unusable level.

These important points should spark serious security conversations for security teams, and give them the opportunity to educate their leadership team and/or board about encrypted threats, as well as why inspecting TLS/SSL traffic must be one of the top priorities in the breach prevention strategy. To defeat encrypted threats effectively, the security system must be able to perform in a way that does not infringe on privacy and legal matters, while not becoming a choke point on the network that causes network and service disruption. The right solution begins with the right inspection architecture as the foundation, because not all firewall inspection performs equally in the real world. Security teams should avoid post-deployment surprises by doing their full due diligence when shortlisting firewall vendors. Slowly and thoroughly, conduct a proof-of-concept (POC) and validate that the chosen firewall demonstrates the desired security efficacy and performance without any hidden limitations.

For more detailed information, read our Executive Brief titled “Solution Brief: Best practices for stopping encrypted threats.”

[1] https://www.gartner.com/imagesrv/media-products/pdf/radware/Radware-1-2Y7FR0I.pdf
[2] https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/

SonicOS 6.2.7 Delivers More Breach Prevention and Easier Management to Next-Gen Firewalls

There is no end to the danger of cyber-criminal activity as long as there is an underground marketplace that makes it almost impossible for authorities to intervene and enforce law and order. We continue to see our adversaries relentlessly going after money by developing and experimenting with different methods and tools against new and existing vulnerabilities, in preparation for the next phase of their business model. To deal with this cybercriminal activity and provide greater network security, I am excited to announce SonicOS 6.2.7, which provides enhanced breach prevention, a new threat API, and improved scalability and connectivity while simplifying management, to ensure small businesses and large distributed enterprises receive a high quality-of-service level, increased on-demand capacity and connectivity, and better security.

Here are some of the historical cyber attacks that require deeper network security:

  1. CVE logged nearly 4,000 new vulnerabilities with more than two-thirds of them associated with network attacks.
  2. Ransomware was spotted as far back as 2005, but rarely seen until its recent return to the world stage as the most popular payload for spam, phishing and exploit campaigns, collecting an estimated $200 million in ransom payouts globally so far. The fear of infections and subsequent business disruptions has forced institutions to begin augmenting their existing defense model to address this threat.
  3. According to NSS Labs, the malicious use of encryption is rapidly growing and allowing criminals to use it as an effective evasion technique. When encrypted connections are improperly managed and go uninspected, they become defenseless tunnels for concealing malware downloads and command and control (C&C) communication, spreading infections and most serious of all, extracting massive amounts of data.
  4. In November, the Mirai botnet management framework launched the largest mass-scale distributed denial of service (DDoS) attacks on record, using hundreds of thousands of Linux-based IoT devices to take down a major DNS service provider. IoT-based attacks are anticipated to be one of the fastest growing and most prevalent attack vectors in 2017.
  5. A new breed of exploit kits surfaced leveraging cryptographic algorithms to encrypt and obfuscate landing pages and malicious payloads to spread ransomware at scale more effectively.

Moreover, organizations are quickly embracing new technologies such as cloud and virtualization to advance their digital business ambition.  As they embrace these new technology platforms, they find themselves needing to augment their network architecture to meet new data, capacity and connectivity demands.

The biggest question now is what we can do differently in our cyberdefense model to scale performance, secure ourselves from advanced threats and help organizations grow and move forward securely. SonicWall introduces the latest update to its next-generation firewall operating system, SonicOS version 6.2.7.0. Many of the new features in the release are focused on three primary outcomes for the firewall system.

  1. Enhancing breach prevention capabilities
  • Deep packet inspection of SSH (DPI-SSH) to detect and prevent advanced encrypted attacks that leverage SSH, block encrypted malware downloads, stop the spread of infections, and thwart command and control (C&C) communications and data exfiltration
  • A threat API platform designed to receive any and all proprietary, OEM and third-party threat intelligence feeds to combat a wide variety of advanced threats such as zero-day malware, malicious insiders, compromised credentials, ransomware and APTs
  • Biometric authentication technology on the user’s mobile device, such as fingerprints that cannot be easily duplicated or shared, to securely authenticate the user’s identity for network access
  • Additional security extensions, including granular SSL controls and DPI-SSL of IPv6 encrypted traffic, and a DNS Proxy to securely control both incoming and outgoing DNS traffic to eliminate potential DNS cache poisoning, DNS spoofing, and buffer overflow attacks transmitted through DNS commands, and more
  2. Improving ease of use and management
  • Auto-provisioning VPN simplifies and reduces complex distributed firewall deployments down to a trivial effort by automating the initial site-to-site VPN gateway provisioning, so that security and connectivity are established instantly and automatically. As an added advantage, policy changes are centrally managed and automatically updated on every VPN peer across the WAN environment.
  3. Increasing scalability and connectivity
  • Dell X-Series Switch extensibility enhances network security flexibility and scalability that adapts to service-level increases, and ensures network services and resources are continuously available and protected as capacity grows, without having to upgrade the firewall system.

Download the SonicOS 6.2.7 today.