Infosecurity Europe 2017: Automated Real-Time Breach Prevention with SonicWall

Join SonicWall at Infosecurity Europe 2017 from 6-8 June at Olympia, London, UK (Stand C280). Register now to meet the team and get your free ticket.

IT security can’t be an afterthought! It’s at the core of everything organizations do. Without it, they can’t grow, can’t move forward and can’t innovate. Without effective security, too often, organizations default to inaction, to not moving forward. And the recent WannaCry worldwide ransomware attack demonstrates just that, with the terrible consequences for some of the NHS hospitals’ patients and for Renault-Nissan who were forced to shut down some of their factories, costing them hundreds of thousands of euros in losses per day.

The explosion of advanced threats is rendering legacy network security solutions obsolete. Ransomware, zero-day threats, encrypted malware and other attacks expose organizations to breaches that threaten business viability and compliance requirements.

This creates the need for a new breed of network security solutions that deliver more than just breach detection. Organizations require breach prevention capable of handling threats delivered by any vehicle, including web and email, over encrypted or unencrypted traffic, across any network, wired or wireless. Moreover, they need it not only for PCs but for tablets, smartphones and IoT devices too.

At Infosecurity Europe, SonicWall will demonstrate its automated real-time breach prevention solution, which enables its customers to stay ahead of cybercriminals in the continually evolving cyber arms race, allowing them to Innovate More, Fear Less and meet their compliance requirements.

Speaking of which, the General Data Protection Regulation (GDPR) goes into effect in May 2018. It will affect companies of all sizes, in all regions and in all industries that hold EU citizens’ personal information. Organizations that suffer a data breach once the GDPR is in effect risk significant fines (up to 20 million euros or four percent of their global revenues) and a loss of reputation that could bring the business to its knees. So do not put off early consideration of GDPR: its scale, complexity, cost and business criticality mean that it will take most companies a long time to achieve full compliance. Start now if you haven’t done so.

SonicWall’s on-site demos and security experts will show you how to protect your organization’s networks against the many attacks that target weak spots in them. You will definitely want to see a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which scans network traffic to prevent zero-day and advanced threats. We will show how we block unknown files from your network until Capture reaches a verdict, using a highly effective multi-engine sandbox. Near real-time verdicts are rendered by our highly efficient Capture Threat Network. Our next-gen firewalls also detect malware that uses SSL, SSH or TLS encryption to cloak malicious behavior, C&C communication and exfiltration.

Because email is a constant target for attacks, especially ransomware, we will showcase our revolutionary email security technology, which now integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. SonicWall’s Email Security solutions allow you to deploy a next-gen solution to protect email files, stop phishing and block ransomware. Don’t miss the opportunity to speak to our experts and learn how you can block spoofed email and zero-day attacks with our hosted service or our on-premises enterprise email security solutions.

Today’s ever-growing number of connected devices used by mobile workers and vendors requires organizations to rethink their IoT security needs. SonicWall’s Access Security and network segmentation deliver the right level of access to your mobile workers and reduce the threat surface. Proper network segmentation is required to better protect critical business apps and data. With our Access Security solutions, you can define granular access policies, enforce multi-factor authentication and monitor all activities for compliance.

We are looking forward to seeing you in June. Make sure to stop by the SonicWall stand, where you will get a chance to step into the eye of the Cybersecurity Storm and go against the clock to protect your network by Capturing advanced threats in our wind tunnel game, which promises to be very entertaining! Prizes daily for those that Capture More and Fear Less!

Before you go, be sure to download our 2017 SonicWall Threat Report.

Why You Can Not Afford to Ignore SSL Inspection

I often get asked, “Why should we implement SSL inspection? We just upgraded our security from stateful inspection to deep inspection. If something is encrypted, is it not encrypted for a reason, for being secure?” Let me explain…

Back in the day, network traffic was well behaved. If you were a software vendor and wanted to offer a new application, you had to sign up with IANA and get a reserved port for your application. The combination of a port number and a protocol such as TCP is called a socket. The first firewalls were simple packet filters that controlled traffic to an application by controlling access to a socket. Firewalls then evolved to stateful inspection, where you not only control who has access to a socket but also the integrity of a TCP connection, from a proper opening handshake through to closure. Once a connection is established, only this particular client and the application can communicate.

This whole paradigm changed when many more applications were developed than ports were available. Instead of applying for a new socket with IANA, software vendors zoned in on socket 80/TCP, which is used by regular web servers. This also became a convenient port since most firewall policies already permitted it. Recent SonicWall research on customer networks shows that, today, over 90% of all connections use this port (or its cousin, 443/TCP). The rest is mostly mail and DNS, and some voice-over-IP (VoIP) traffic. You may ask, “If everybody is using these two sockets, and I need to leave them open because a client could sit anywhere on the Internet (and, for that matter, a server could sit anywhere in the cloud), what is stateful inspection good for?” Exactly!
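The difference between a first-generation packet filter and stateful inspection, as the two paragraphs above describe it, is easiest to see on a short packet trace. The following is an added example written for this page, not SonicWall code: a toy packet filter that only checks the destination (or source) socket, beside a toy stateful inspector that requires a proper SYN / SYN-ACK / ACK handshake before letting data flow. All addresses, the allowed socket and the trace are constructed.

```python
from dataclasses import dataclass

# TCP flag bits used by the trace below
SYN, ACK, FIN = 0x02, 0x10, 0x01

# The one exposed service socket (constructed address): a web server on 80/TCP.
ALLOWED_SOCKETS = {"10.0.0.5:80"}


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    flags: int          # TCP flag bits
    payload: bytes = b""


def packet_filter(pkt: Packet) -> bool:
    """First-generation filter: a packet passes if it is addressed to an allowed
    socket, or claims to come from one (needed so replies get back to clients).
    It keeps no memory of connections, which is exactly its weakness."""
    return pkt.dst in ALLOWED_SOCKETS or pkt.src in ALLOWED_SOCKETS


class StatefulInspector:
    """Stateful packet inspection: a flow is admitted only by a proper SYN to an
    allowed socket, must complete the three-way handshake, and afterwards only
    the two endpoints of that handshake may exchange data."""

    def __init__(self) -> None:
        self.table = {}  # (client, server) -> connection state

    def inspect(self, pkt: Packet) -> bool:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if fwd not in self.table and rev not in self.table:
            # Unknown flow: only a bare SYN aimed at an exposed socket may open one.
            if pkt.flags == SYN and pkt.dst in ALLOWED_SOCKETS:
                self.table[fwd] = "SYN_SENT"
                return True
            return False
        key, from_client = (fwd, True) if fwd in self.table else (rev, False)
        state = self.table[key]
        if state == "SYN_SENT" and not from_client and pkt.flags == SYN | ACK:
            self.table[key] = "SYN_RECEIVED"
            return True
        if state == "SYN_RECEIVED" and from_client and pkt.flags & ACK:
            self.table[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            if pkt.flags & FIN:        # simplified teardown: one FIN closes the entry
                del self.table[key]
            return True
        return False                   # out-of-sequence packet for a tracked flow


def run(engine, packets) -> list:
    return [engine(p) for p in packets]


def demo():
    """Constructed trace: a legitimate HTTP session, then two packets that a
    packet filter passes and stateful inspection rejects."""
    client, server, other = "192.0.2.10:51000", "10.0.0.5:80", "192.0.2.20:3389"
    trace = [
        Packet(client, server, SYN),
        Packet(server, client, SYN | ACK),
        Packet(client, server, ACK),
        Packet(client, server, ACK, b"GET / HTTP/1.1\r\n"),
        Packet(server, client, ACK, b"HTTP/1.1 200 OK\r\n"),
        # Forged "reply from port 80" to a host that never opened a connection.
        Packet(server, other, ACK, b"unsolicited"),
        # Data to the web server from a peer that never completed a handshake.
        Packet("203.0.113.9:4444", server, ACK, b"unsolicited"),
    ]
    return run(packet_filter, trace), run(StatefulInspector().inspect, trace)


if __name__ == "__main__":
    stateless, stateful = demo()
    print("packet filter:", stateless)
    print("stateful     :", stateful)
```

The first five packets pass both engines; the last two pass the packet filter (one of them only because it claims to come from port 80) and are dropped by the stateful inspector because no tracked connection exists for them. That is the whole gain of SPI over packet filtering, and also, as the next paragraphs explain, why it stops helping once everything runs over the same two sockets.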

The security industry shifted towards deep inspection. SonicWall was actually one of the very early players and evolved from SPI (Stateful Packet Inspection) to DPI (Deep Packet Inspection) over a decade ago, with many traditional security vendors only getting onto the bandwagon very recently. Deep inspection no longer cares about the socket; it cares about what data is transmitted and whether it contains malicious content. With DPI, you can decide which applications do and do not go through your firewall. It is as granular as permitting Facebook but denying “likes”, and it does this regardless of which socket the application is using. DPI also protects against malicious content, both within the data stream and in embedded files, at a central network location.

What does this have to do with SSL inspection? SSL (Secure Sockets Layer) is the most commonly used encryption technology on the Internet, as it allows virtually any client to build an encrypted connection with any server without building a prior trust relationship. Just as SPI became less effective, DPI has become less effective within the last two years. For DPI to look into traffic, the traffic cannot be encrypted: to a firewall, encrypted traffic looks like a random series of bits and bytes. If SPI became, to put it casually, “useless”, the same is happening to DPI right this very moment, because all a malicious actor has to do is encrypt the communication and tunnel through the firewall, completely bypassing any security policy.

There are several reasons why this happened almost overnight. For one, computers kept following Moore’s law and became incredibly cheap and accessible. Malware is often distributed from breached machines, such as notebook computers, smartphones, or even the Internet of Things (such as your baby monitor). All of these devices can distribute encrypted malware, and the performance impact on them is so minimal that the user will not notice. Another reason is that, after the Edward Snowden disclosures, many technology companies very vocally encouraged content providers to switch to encrypted traffic for pretty much everything, in order to protect citizens’ privacy from their own or another government. Now add large operators of server farms to the mix, all of which can be abused and (involuntarily) converted into malware distribution platforms, and you have the perfect storm. The firewall you “just” upgraded from SPI to DPI is on its way to becoming redundant as it goes blind.

SonicWall calls SSL inspection DPI-SSL, which stands for Deep Packet Inspection of SSL-encrypted traffic. Instead of the client, such as a web browser, establishing an encrypted connection directly with a web server, DPI-SSL works by establishing an encrypted connection between the client and the SonicWall firewall. The SonicWall firewall then establishes a second encrypted connection to the server, so that the firewall can inspect the traffic in between. This all happens transparently and automatically, without user interaction, but with the user’s knowledge to maintain integrity.
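Two claims from the paragraphs above are worth seeing in code: that encrypted traffic looks like random bytes to a DPI engine, so its signatures never match, and that the DPI-SSL approach (decrypt, inspect, re-encrypt) gives the same engine its view back. The following is an added example written for this page, not SonicWall code and not the DPI-SSL implementation. It uses a toy substring-signature engine, a constructed HTTP request carrying the standard EICAR test string, and a SHA-256 counter-mode keystream as a stand-in for TLS record encryption (it only needs to produce random-looking ciphertext; it is not a cipher to use anywhere). The entropy check at the end shows the one thing a firewall can still measure on an opaque flow.

```python
import hashlib
import math
from collections import Counter

# Toy signature set (constructed). The first is the standard EICAR test string,
# the second a string commonly seen in PHP web shells.
SIGNATURES = {
    "eicar-test-string": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "php-eval-base64": b"eval(base64_decode(",
}

# Constructed HTTP request: the EICAR string sits in the POST body, padded with
# ordinary text so the payload is long enough for a meaningful entropy figure.
_BODY = SIGNATURES["eicar-test-string"] + b"\r\n" + b"<p>Quarterly numbers attached.</p>\r\n" * 30
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)
KEY = b"constructed-demo-session-key"   # stand-in for a negotiated TLS session key
NONCE = b"demo-nonce"


def scan(payload: bytes) -> list:
    """Toy DPI engine: substring-match every signature against the payload."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in payload)


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte. Text sits around 4-5 bits; ciphertext of a
    reasonable length approaches 8 (short payloads are capped at log2(len))."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in stream cipher. This is NOT TLS and
    # not a recommendation; it only produces ciphertext that looks random.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions


def looks_encrypted(payload: bytes, threshold: float = 7.5) -> bool:
    """What a DPI engine can still say about an opaque flow: the bytes have
    near-maximal entropy, so signatures will never match and the flow needs
    to be decrypted (DPI-SSL style) or policed some other way."""
    return len(payload) >= 512 and entropy_bits(payload) >= threshold


def demo() -> dict:
    ciphertext = encrypt(KEY, NONCE, SAMPLE_REQUEST)
    return {
        "plaintext_hits": scan(SAMPLE_REQUEST),
        "ciphertext_hits": scan(ciphertext),
        "plaintext_entropy": round(entropy_bits(SAMPLE_REQUEST), 2),
        "ciphertext_entropy": round(entropy_bits(ciphertext), 2),
        "ciphertext_looks_encrypted": looks_encrypted(ciphertext),
        "plaintext_looks_encrypted": looks_encrypted(SAMPLE_REQUEST),
        # The DPI-SSL position: decrypt first, then the same engine sees it again.
        "after_decrypt_hits": scan(decrypt(KEY, NONCE, ciphertext)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signature engine hits on the plaintext request, finds nothing in the ciphertext, and hits again once the bytes are decrypted at the inspection point. The entropy figure is the only signal left on the encrypted flow, and it says nothing about whether the content is malicious, which is the blindness the article is describing.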

But now you may be thinking: “I just upgraded to deep inspection. Now I have to invest in SSL inspection technology?” This is true for most vendors, unfortunately. Over half of all vendors require you to purchase a dedicated platform to perform SSL decryption and re-encryption services. We at SonicWall believe that many vendors did not take investment protection seriously three years ago, when they promised it to you as you bought their deep inspection solution. SonicWall, as the leader in DPI, recognizes the importance of SSL inspection as well as the investment customers have already made in DPI. For this reason, SonicWall issues DPI-SSL licenses free of charge.

The good news is that DPI-SSL is not just free, but also already built into your SonicWall Gen-6 TZ, NSA or SuperMassive appliance. Stay tuned for my next blog, where we will discuss the technical details and how to implement DPI-SSL in your network.

EternalRocks Computer Worm (May 26, 2017)

EternalRocks is malware that makes use of the Shadow Brokers’ NSA leak, exploiting multiple SMB vulnerabilities. EternalRocks emerged earlier than WannaCry, and multiple variants have been observed since its first appearance. However, the developer of the EternalRocks SMB worm appears to have shut down his operation after the intense focus from the media. [ref]

EternalRocks spreads by exploiting multiple SMB vulnerabilities; after it infects a target, it downloads its payload. The following is some of the network traffic:

Here are the file write operations:

The downloaded exploits have been observed in the following directory:

In the config directory there are configuration files named after the exploits:

The SonicWall Threat Research team has researched this malware and released the following signatures to cover it:

  • GAV:13638 EternalRocks.G6
  • GAV:13639 EternalRocks.G5
  • GAV:13640 EternalRocks.G4
  • GAV:13648 EternalRocks.G3
  • GAV:13651 EternalRocks.G2
  • GAV:13657 EternalRocks.G1

There are also existing IPS signatures detecting the SMB traffic:

  • IPS:12800 Windows SMB Remote Code Execution (MS17-010) 3
  • IPS:12801 Windows SMB Remote Code Execution (MS17-010) 4
  • IPS:12792 Windows SMB Remote Code Execution (MS17-010) 2
  • IPS:12794 Windows SMB Invalid Trans Session Setup Request
  • IPS:12795 EternalBlue MS17-010 Echo Response
  • IPS:12796 Suspicious CIFS Traffic 13

Elmers Glue Locker demands $35k but fails to encrypt! (May 26th, 2017)

Another day, another ransomware! This time, the SonicWall Threats Research team has discovered a very ambitious new ransomware threat called Elmer’s Glue Locker, which appears to be in early development. So early that it fails to encrypt any files at all!

Infection Cycle:

The Trojan uses the following icon and metadata:

The Trojan performs no network communication.

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Local\Packages\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.MoCamera_cw5n1h2txyewy\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.WindowsReadingList_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt

HOW_CAN_I_DECRYPT_MY_FILES.txt contains the following text:

      Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.

      Encryption was prodused using unique public key for this computer.

      To decrypt files, you need to obtain private key and special tool.

      To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.

      Depending on your operation system version and personal settings, you can find it in:

      'C:/',

      'C:/ProgramData',

      'C:/Documents and Settings/All Users/Application Data',

      'Your Desktop'

      folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').

      Then send it to one of following email addresses:

      begins@colocasia.org

      bilbo@colocasia.org

      frodo@colocasia.org

      trevor@thwonderfulday.com

      bob@thwonderfulday.com

      bil@thwonderfulday.com

      Your ID: {REMOVED}#4FDBF87A34166C70955ED0ECBC1DDFCD

      Do not worry if you did not find key file, anyway contact for support.

It displays the following information on the desktop background:

It demands that the user sends a hefty sum of 16 Bitcoins to 14Vbyx3SCUvLKj3FWWefEVWAs4jJ9R2qqi (over $35,000 USD at the time of writing) for file recovery.

The message directs the user to open a link to a server that is hosted on the Tor network:

      http://torbox3uiot6wchz.onion

This leads to the following site:

As expected (from ransomware that doesn’t work) there has been no transaction activity at the supplied Bitcoin address:

Although there was no file encryption activity when we analysed this sample, the threat is still significant. We expect the creators to add this capability in the very near future.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: ElmerLocker.RSM (Trojan)

Ransomware-as-a-Service RaaS is the New Normal

Business models always have to tackle the method of distribution: will they sell directly, through a channel of distributors, or through a mix of both? The same goes for ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution, all while collecting a cut of the prize.

Throughout the past year, and right up to the large-scale WannaCry attacks, the gaps between the infamous peak events have been filled by small, focused attacks launched en masse from rebranded exploit kits. In the past quarter, we have discovered a mix of developer hobby/chaos malware, rebranded ransomware, and repackaged RaaS ransomware:

  • Trumplocker
  • AlmaLocker
  • Jigsaw
  • Lambda
  • Derialock
  • Shade
  • Popcorn

Recently, one author showed how easy it is to launch a ransomware attack within an hour… with zero hacking skills. So what does this mean to an organization like yours? Should this scare you? Simply put, attacks from more sources equals more attacks but SonicWall has your back.

First off, organizations can have the front-line protection of our award-winning multi-engine network sandbox, SonicWall Capture Advanced Threat Protection (ATP) Service. Capture ATP automatically takes suspicious code at the gateway of your network, and runs it in three parallel engines (and counting) to see what it wants to do from the application, to the OS, to the software that resides on the hardware. We find the newest ransomware families and updates this way.

Secondly, our Capture Labs research team catches many new variants of ransomware and malware in multiple ways as well as from a multitude of external sources. Once new ransomware families are found (either from Capture ATP, a honeypot, or another Capture Labs source), the intelligence is cross-pollinated to the rest of the SonicWall portfolio of security products.

Lastly, organizations can expect to be hit by a wide range of ransomware attacks and should ensure they have a good backup policy and focus on awareness training.

To learn more, watch this video to see how SonicWall stops ransomware:

Don’t Be Fooled by the Calm After the WannaCry Chaos: Continuously Toughen Your Security

Some consider WannaCry to be the first-ever self-propagating ransomware attack to wreak havoc across the globe. The chaos that followed is yet another harsh wake-up call for many, in a situation far too familiar. Only this time, the victims are new, the infection spreads more rapidly, the effects are far-reaching and the headlines are bigger. I am sure you may be feeling overwhelmed with the ongoing news coverage of the EternalBlue exploit, WannaCry ransomware and Adylkuzz malware this past week. Let us recap a few important observations to help us avoid a replay of history.

The WannaCry crisis was unlike the previous zero-day vulnerabilities and exploits that caused massive cyber-attacks in earlier years. The major difference in this event is that there were early warning signs portending this sort of cyber-attack, through a series of leaks by the Shadow Brokers, an unidentified hacking entity responsible for putting stolen U.S. National Security Agency (NSA) hacking secrets in the hands of nefarious actors, both foreign and domestic, looking to do us harm. Since the forthcoming threat was public knowledge and organizations had ample time to mitigate the risk, why was WannaCry still able to achieve the level of success that it did? The reasons are quite simple and common to most organizations today.

1. Take care of the basics

Winston Churchill once remarked, “We live in the most thoughtless of ages. Every day headlines and short views.” Although these words were uttered many years ago, it seems as though we have yet to change our ways when it comes to repeating poor cyber-hygiene patterns. Some data security experts have suggested that poor cyber hygiene has caused as much as 80% of security incidents. Whether this figure is accurate or not, it is certain that the WannaCry and Adylkuzz attacks are the latest examples to support it. Because of unpatched Microsoft Windows systems, victim organizations allowed a broadly publicized and easily preventable exploit and ransomware into their environments, simply because some of the most basic security measures were either not established or not followed.

To avoid repeating this sort of mistake, organizations must understand that taking care of the basics is what stands between a likely breach and likely avoiding one. Therefore, a zero-tolerance policy of patching every system and device in the environment must be mandatory, not optional. Putting in place auditable workflows and technology that can programmatically check for and perform security updates without the need for manual intervention will help organizations move towards a more proactive defense posture.

2. Security staffing: an unsolved problem

What we are seeing right now is a serious talent shortage in the security employment industry. Hiring good, affordable security professionals is a huge concern for many organizations across all industries. When organizations do not have adequate security staff or are unable to fill positions, they do not have the capacity necessary to proactively identify and remediate risk areas at the speed needed to avoid a security event like WannaCry. This common, unsolved problem manifests itself with most organizations, especially during major cyber events.

Many of the most significant issues organizations have in common today include the lack of understanding and visibility of:

  • What and where are the at-risk assets
  • Who and where are the at-risk users
  • What and where are the at-risk systems and devices
  • What are the risks and threats to focus on
  • What a proper security response plan looks like

3. Lacking the right tools

We have a situation today where exploit kits and ransomware are leveraging SSL/TLS-encrypted traffic, predominantly to evade detection. A recent Ponemon Institute study reported that 62% of respondents say their organizations do not currently decrypt and inspect web traffic. However, the real concern is that half of those respondents who disclosed they were victims of a cyberattack in the preceding 12 months said the attacks leveraged SSL traffic to evade detection. So why is that?

The reasons provided in the same Ponemon study revealed that for those organizations that are not inspecting encrypted traffic:

  • 47% of the respondents said lack of enabling security tools was the top reason
  • 45% divulged that they do not have sufficient resources
  • 45% said they have overwhelming concerns about performance degradation.

Encrypted attacks threatening mobile devices, endpoint systems and data center resources and applications are on the rise. As we move towards an all-encrypted internet, organizations no longer have a choice whether to establish a security model that can decrypt and inspect encrypted traffic to stop hidden threats.

To learn more, here are two relevant informational pieces written by my colleagues on the WannaCry ransomware event that I highly recommend you read. They offer additional perspectives and insights that can help you solve these security issues and be readily prepared for the next wave of cyber-attacks.

  1. WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network? by Rob Krug, Solution Architect, Security
  2. SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack by Brook Chelmo, Sr. Product Marketing Manager

When the chaos over WannaCry calms, the big question becomes, will you move on from this historic event with the lessons we’ve learned? Your answer is crucial since it will determine if the next major incident yields a more readied response from your organization.

Footnote: Ponemon Study, Uncovering Hidden Threats within Encrypted Traffic, 2016

What you should know about EternalBlue exploit and WannaCry Ransomware

Since last weekend, the outbreak of the WannaCry ransomware has become the headline of the security news. This worm attack combines one of the most effective ways of spreading, a 0-day exploit against a default Windows service, with one of the most destructive yet profitable kinds of payload: ransomware. The SonicWall Threat Research Team has already released several SonicAlerts analyzing the exploits and ransomware (Shadowbroker releases alleged NSA EquationGroup Exploit Code Dump and WannaCrypt.RSM (high risk alert)). In this article, we will continue to share more stories, insights and lessons learnt from this security incident.

The Data from SonicWall:

Since the “ShadowBroker”’s initial NSA 0-day leak, numerous exploits of MS17-010 have already been seen in the wild. As of May 18, 2017, SonicWall has tracked and intercepted over 800,000 attacks from 60 countries. The top 3 are: US: 293306, Mexico: 3119, and India: 7035.

Details about the WannaCry ransomware:

The vulnerability used in “EternalBlue” (MS17-010) is triggered by a logic error in calculating a buffer boundary in srv.sys. The attack surface is the Windows SMB service, via TCP port 445. Most ISPs have blocked this port from external access. However, the worm spreads fast in a local network filled with unpatched hosts.

Compared to the 0-day exploit, the ransomware is rather immature, in the following respects:

  • The payment: Bitcoin is the major ransom payment channel nowadays, thanks to its anonymity, cross-border payments and wide availability. In WannaCry, the payment is implemented poorly: it hardcodes 3 Bitcoin wallet addresses in the code. As Bitcoin’s transaction records are public, the ransomware author exposes the amount of money he has received, and it is also easier to track him when he moves the money out of the wallets. Moreover, he has not designed an automatic way to determine whether someone has paid: victims can only contact the author to do so. This further increases his chance of being unmasked. If the ransomware generated a new Bitcoin wallet for each victim, both issues would be solved and the author would be a lot harder to trace.
  • The file encryption: WannaCry uses RSA + AES encryption, which is considered irreversible without the proper key. However, the encryption implementation is flawed, and encrypted files can sometimes be recovered. For files on the user’s Desktop, WannaCry follows common malware practice and overwrites the original file’s disk space with the encrypted file. For files on non-system partitions, however, it simply moves them to the %TMP% folder and deletes them with a standard delete, so those files have a high chance of being recovered.
  • The kill switch: A strange domain name (www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com) has become the kill switch for WannaCry; the infection slowed down after the domain name was registered. Link

    This “kill switch” is likely part of its anti-sandbox approach. To avoid being discovered by dynamic analysis, some malware first checks whether the running environment is a sandbox (and if so, it does not perform any malicious behavior). To better analyze malware whose C&C server is dead, sandboxes sometimes fake responses from the server side to let the sample expose more behavior. WannaCry abuses this feature to identify the sandbox environment: if it receives a response from a domain name that should not exist, it stops working. Ironically, this made the domain a kill switch.
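The two observations above that matter most to a defender are that the worm fans out across port 445 inside a local network, and that an infected host looks up the kill-switch domain before doing anything else. Both are visible in ordinary firewall and DNS logs. The following is an added example written for this page, not SonicWall code and not a SonicWall log format: it parses a small constructed set of key=value log lines, flags any source that reaches an unusual number of distinct hosts on 445/TCP inside a one-minute window, and reports any host that resolved the kill-switch domain named in the post. The hosts, timestamps, threshold and log format are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Domain quoted in the post above as the WannaCry kill switch.
KILL_SWITCH_DOMAIN = "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = 445
FANOUT_THRESHOLD = 20            # distinct 445/tcp peers per source in one window (assumed)
WINDOW = timedelta(seconds=60)

# Constructed log formats, not those of any real product.
CONN_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp$")
DNS_RE = re.compile(r"^(\S+) src=(\S+) query=(\S+)$")


def build_sample_log() -> list:
    """Constructed log lines: one benign SMB client, one host sweeping a subnet."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Benign client opening a few sessions to its file server over ten minutes.
    for i in range(5):
        ts = (t0 + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} src=10.1.1.50 dst=10.1.2.5 dport=445 proto=tcp")
    # Infected host touching forty neighbours on 445 within about thirty seconds,
    # having first resolved the kill-switch domain.
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} src=10.1.1.20 query={KILL_SWITCH_DOMAIN}")
    for i in range(1, 41):
        ts = (t0 + timedelta(seconds=10 + i * 0.7)).isoformat()
        lines.append(f"{ts} src=10.1.1.20 dst=10.1.2.{i} dport=445 proto=tcp")
    return lines


def detect(lines, threshold: int = FANOUT_THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return sources with worm-like SMB fan-out and hosts that looked up the kill switch."""
    conns = []
    dns_hits = set()
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            if int(dport) == SMB_PORT:
                conns.append((datetime.fromisoformat(ts), src, dst))
            continue
        m = DNS_RE.match(line)
        if m and m.group(3).lower() == KILL_SWITCH_DOMAIN:
            dns_hits.add(m.group(2))

    conns.sort()                     # logs are not guaranteed to arrive in order
    recent = defaultdict(deque)      # src -> (time, dst) entries inside the window
    fanout = {}
    for ts, src, dst in conns:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            fanout[src] = max(fanout.get(src, 0), distinct)
    return {"smb_fanout": fanout, "kill_switch_lookups": sorted(dns_hits)}


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the sample log the benign client never exceeds one distinct peer, while 10.1.1.20 reaches forty within the window and is also the host that queried the kill-switch domain. A kill-switch lookup on its own is weaker evidence than the fan-out (sandboxes and researchers resolve it too), which is why the two signals are reported separately rather than merged into one verdict.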

Development of the story:

Windows XP users might be able to recover the encrypted files due to another vulnerability in the Windows XP crypto library: the CryptDestroyKey and CryptReleaseContext functions do not erase the prime numbers from memory before freeing the associated memory, which allows the RSA key pair, and then the encrypted files, to be recovered. The tool “WannaKey” is available on GitHub: Link

Microsoft blames the NSA for leaking their 0-days: Link

North Korean hackers might have been involved in the incident: Link

Lessons from this incident:

Although the worm exploits a new vulnerability, its spreading mechanism has many similarities to the old “Blaster” (MS04-011) and “Conficker” (MS08-067) worms. And the worm still caused heavy damage on today’s Internet, infecting companies, institutions and government agencies.

Here are some possible factors that make you a “WannaCry” victim, some of which have persisted for a decade:

  • Your organization does not have a firewall with proper rules/file filters, and you don’t have updated anti-virus software with active protection.
  • You don’t keep Windows updated.
  • You don’t backup important files.
  • You use Windows XP.
    (Although Microsoft has issued emergency patch for the discontinued Windows XP, it was too late for most Windows XP victims)

SonicWall has created a series of signatures to protect our customers from the leaked NSA exploits:

  • 12700 Windows SMB Remote Code Execution (MS17-010)
  • 12792 Windows SMB Remote Code Execution (MS17-010)
  • 12794 Windows SMB Invalid Trans Session Setup Request
  • 12795 EternalBlue MS17-010 Echo Response
  • 12796 Suspicious CIFS Traffic 13
  • 12801 Windows SMB Remote Code Execution (MS17-010)
  • 12800 Windows SMB Remote Code Execution (MS17-010)
  • 9732 WannaCrypt.RSM.ar7
  • 9734 WannaCrypt.RSM.ar6
  • 9735 WannaCrypt.RSM.ar5
  • 9736 WannaCrypt.RSM.ar4
  • 9739 WannaCrypt.RSM.ar3
  • 9741 WannaCrypt.RSM.ar2
  • 9742 WannaCrypt.RSM.ar1
  • 9744 WannaCrypt.RSM.7z3
  • 9745 WannaCrypt.RSM.7z2
  • 9747 WannaCrypt.RSM.7z1
  • 12293 HydraCrypt.C
  • 16519 WannaCrypt.RSM
  • 18723 WannaCrypt.RSM_2
  • 18771 WannaCrypt.RSM_3
  • 18789 WannaCrypt.RSM_4
  • 19199 WannaCrypt.RSM_8
  • 19881 HydraCrypt.C_2
  • 36011 WannaCrypt.RSM_4
  • 36115 WannaCrypt.RSM_5
  • 36136 WannaCrypt.RSM_6
  • 36145 WannaCrypt.RSM_7

Are You Seeing This? Uncovering Encrypted Threats

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or they may do everything that’s required, just very slowly, which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.

SonicWall Protects Customers from the Latest Phishing Attacks

Ransomware attacks have been in the headlines a lot of late. Did you know that 65% of all ransomware attacks happen through phishing emails? Therefore, email security needs to be a major focus when delivering security awareness training. It is likely that future variants of the recent WannaCry ransomware attack will be delivered via phishing emails.

As reported earlier this month, some Gmail users fell victim to a massive phishing attack that frightened many: a phishing attack that targets all of your contacts. Now let us look at how Gmail users were susceptible to this attack.

THE PHISHING EMAIL

Gmail users received an email (from a known sender) that was an invitation to view a shared Google Doc. After clicking the link in the invitation email, users were directed to a legitimate “Google – Choose An Account” screen, after which they were prompted to authorize Google Doc to access their Gmail account.

Simply click “Allow”…  With no login prompt…

Sound suspicious yet?

THE HACK

At this point, it was not Google Docs requesting access, but a malicious app using that name. As Reddit carefully detailed, this hack would actually:

  1. Bypass any 2-factor authentication controls
  2. Scour your Gmail contacts list, and replicate itself by sending emails (on your behalf) to everyone you’ve ever emailed
  3. At this point, it would also have access to your Gmail account, including the ability to read previous messages

THE PROTECTION

SonicWall™ Email Security now integrates with the Capture Advanced Threat Protection service to deliver fine-grained and user-transparent inspection of SMTP-based traffic. The cloud-based Capture ATP service can scan a broad range of email attachment types, analyze them in a multi-engine sandbox, and block dangerous files or emails before they reach your network. SonicWall Email Security with Capture ATP gives you a highly effective and responsive defense against email-borne threats, including ransomware, phishing, spoofing, spam and viruses.

WHAT ELSE YOU CAN DO

To avoid phishing scams, below is a refresher on what you can do to not fall prey:

  • Don’t click on URLs in emails without checking their full path and understanding where they lead.
  • Don’t download any plug-ins from the email link itself. Go to the vendor’s website (Adobe, Microsoft, etc.) to download plug-ins.
  • Use 2-factor authentication wherever possible.

Finally, if you were a victim of this attack, following are a few steps you can take to resolve the situation.

  • Go into your Google Account Permissions page and remove access privileges for the app listed as “Google Docs”
  • Google also encourages users to report phishing emails in Gmail

Lastly, test your knowledge on all-things-Phishing related by taking the SonicWall Phishing IQ Test… and avoid being scared of emails!

Download Solutions Brief: What your next-gen email security needs to stop advanced threats.

Wrapped Up a Winning Week at Dell EMC World 2017: SonicWall Helps Secure More. Fear Less.

We enjoyed a “winning” week engaging with our loyal customers and partners at Dell EMC World, attended by more than 12,000 IT professionals like you.

SonicWall had a strong and visible presence, with one key goal: to maintain and strengthen our ties with Dell and our mutual customers and partners.  This event affirmed how important Dell EMC customers and partners are to SonicWall, and how committed we are to helping you stay ahead of the cyber arms race.

The buzz of this year’s event was all around “Realize your Digital Future.”  We heard from many customers, partners and Dell executives that organizations are looking to digital transformation to drive IT innovation, enhance workforce mobility and reduce risk.  Throughout the event, attendees explored the exciting and innovative benefits that digital transformation will provide.

However, digital transformation also increases exposure to risks for your customer data, your reputation and your organization’s credibility.  It was clear from feedback at the event that the partnership and solutions from SonicWall and Dell EMC provide the perfect combination to keep you ahead of cybercriminals in the continually evolving cyber arms race.

In the SonicWall booth, we demonstrated how our solutions empower you to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.  Our kiosk demos included:

  • Our award-winning multi-engine sandbox, SonicWall Capture ATP, which can scan and block unknown files until a verdict can be reached in order to prevent zero-day and advanced threats.
  • SonicWall’s next-gen firewalls help prevent breaches caused by encrypted malware. Over 60% of today’s web traffic now uses SSL encryption, which can lead to under-the-radar hacks and expose your network to breaches. Most modern firewalls claim to decrypt and scan encrypted traffic, but not all perform well in the real world.
  • SonicWall Email Security with Capture, which can stop phishing and block ransomware in your email. Ransomware attacks have grown at a tremendous rate, with email as one of the main attack vectors.
  • Our latest Secure Mobile Access solutions, which let you define granular access policies, enforce multi-factor authentication and monitor all activities for compliance. SonicWall’s access security and network segmentation deliver the right level of access to your mobile workers and reduce the threat surface.
  • The integration of Dell EMC X-Series switches with SonicWall to extend your network infrastructure securely and centrally manage switches, firewalls and wireless access devices.

Our goal at SonicWall is to help you stay protected and ahead of today’s ever-changing cyber attacks. We do this with the intelligence of our advanced global GRID Network, the unique integration of our award-winning Capture capabilities with our Email Security solutions, and our IoT security solutions. SonicWall lets you protect your enterprise while you drive business productivity, with next-gen firewalls, access security, and email security solutions. We look forward to continuing the momentum of Dell EMC World to give you the power to secure more and fear less.