Infosecurity Europe 2017: Automated Real-Time Breach Prevention with SonicWall

Join SonicWall at Infosecurity Europe 2017 on 6-8 June at Olympia, London, UK – Stand C280. Register now to meet the team and get your free ticket.

IT security can’t be an afterthought! It’s at the core of everything organizations do. Without it, they can’t grow, can’t move forward and can’t innovate. Without effective security, too often, organizations default to inaction, to not moving forward. And the recent WannaCry worldwide ransomware attack demonstrates just that, with the terrible consequences for some of the NHS hospitals’ patients and for Renault-Nissan who were forced to shut down some of their factories, costing them hundreds of thousands of euros in losses per day.

The explosion of advanced threats is rendering legacy network security solutions obsolete. Ransomware, zero-day threats, encrypted malware and other attacks expose organizations to breaches that threaten business viability and compliance requirements.

This creates the need for a new breed of network security solutions that deliver more than just breach detection. Organizations require breach prevention capable of handling threats delivered by any vehicle, including web and email, over encrypted or unencrypted traffic, across any network, wired or wireless. Moreover, they need it not only for PCs but for tablets, smartphones and IoT devices too.

At Infosecurity Europe, SonicWall will demonstrate its automated real time breach prevention solution that enables its customers to stay ahead of cybercriminals in the continually evolving cyber arms race, allowing them to Innovate More, Fear Less and meet their compliance requirements.

Speaking of which, the General Data Protection Regulation – GDPR – goes into effect in May 2018. It will affect companies of all sizes, in all regions and in all industries that hold EU citizens’ personal information. Victims of a data breach once the GDPR is in effect risk significant fines (up to 20 million euros or four percent of their global revenues) and a loss of reputation that could bring the business to its knees. So do not put off early consideration of GDPR: its scale, complexity, cost and business criticality mean that it will take most companies a long time to achieve full compliance. Start now if you haven’t done so.

SonicWall’s on-site demos and security experts will show you how to defend your organization’s networks against the many attacks that target their weak spots. You will definitely want to see a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which scans network traffic to prevent zero-day and advanced threats. We will show how we can block unknown files from your network until Capture reaches a verdict, using a highly effective multi-engine sandbox. Near real-time verdicts are rendered by our highly efficient Capture Threat Network. Our next-gen firewalls also detect malware that hides in SSL, SSH or TLS encrypted traffic to cloak malicious behavior, C&C communication and exfiltration.

Because email is a constant target for attacks, especially ransomware, we will showcase our revolutionary technology for email security that now integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. SonicWall’s Email Security solutions allow you to deploy a next-gen solution to protect email files, stop phishing and block ransomware. Don’t miss the opportunity to speak to our experts and learn how you can block spoofed email and zero-day attacks with our hosted service or our on-premises enterprise email security solutions.

Today’s ever-growing number of connected devices by mobile workers and vendors requires organizations to rethink their needs for IoT security. SonicWall’s Access Security and network segmentation delivers the right level of access to your mobile workers and reduces the threat surface. Right network segmentation is required for critical business apps and data to ensure better protection. With our Access Security solutions, you can define granular access policies, enforce multi-factor authentication and monitor all activities for compliance.

We are looking forward to seeing you in June. Make sure to stop by the SonicWall stand, where you will get a chance to step into the eye of the Cybersecurity Storm and go against the clock to protect your network by Capturing advanced threats in our wind tunnel game, which promises to be very entertaining! Prizes daily for those that Capture More and Fear Less!

Before you go, be sure to download our 2017 SonicWall Threat Report.

Why You Can Not Afford to Ignore SSL Inspection

I often get asked, “Why should we implement SSL inspection? We just upgraded our security from stateful inspection to deep inspection. If something is encrypted, is it not encrypted for a reason, for being secure?” Let me explain…

Back in the day, network traffic was well behaved. If you were a software vendor and wanted to offer a new application, you had to sign up with IANA and get a reserved port for your application. It is called a socket, the combination of a port number and a protocol such as TCP. The first firewalls were simple packet filters that controlled traffic to an application by controlling access to a socket. Firewalls evolved to stateful inspection, where you are not just controlling who has access to a socket but also the integrity of a TCP connection, from the beginning of a proper handshake to closure. Once a connection is established, only this particular client and the application can communicate.

This whole paradigm changed when many more applications were developed than ports were available. Instead of applying for a new socket with IANA, software vendors zeroed in on socket 80/TCP, which is used by regular web servers. This also became a convenient port since most firewall policies would permit this port already. Recent SonicWall research on customer networks shows that, today, over 90% of all connections use this port (or its cousin 443/TCP). The rest is mostly mail and DNS, and some voice-over-IP (VoIP) traffic. You may ask, “If everybody is using these two sockets, and I need to leave the socket open because a client could sit anywhere on the Internet (and for that matter a server could sit anywhere in the cloud), what is stateful inspection good for?” Exactly!

The security industry shifted towards deep inspection. SonicWall was actually one of the very early players and evolved from SPI (Stateful Packet Inspection) to DPI (Deep Packet Inspection) over a decade ago, with many traditional security vendors only getting onto the bandwagon very recently. Deep inspection no longer cares about the socket; it cares about what data is transmitted and whether it contains malicious content. With DPI, you can decide which applications do and do not go through your firewall. It is as granular as permitting Facebook but denying “likes”, and it does this regardless of which socket the application is using. DPI also protects from malicious content, both within the data stream and in embedded files, at a central network location.

What does this have to do with SSL inspection? SSL (Secure Sockets Layer) is the most commonly used encryption technology on the Internet, as it allows virtually any client to build an encrypted connection with any other server without building a prior trust relationship. Just as SPI became less effective, DPI has become less effective within the last two years. In order for DPI to look into traffic, the traffic cannot be encrypted. Encrypted traffic looks to a firewall just like a random series of bits and bytes. If SPI became, to put it casually, “useless”, the same is happening to DPI right this very moment, because all a malicious actor has to do is encrypt the communication and it can tunnel through the firewall, completely bypassing any security policy.

There are many reasons why this happened almost overnight. For one, computers kept following Moore’s law and became incredibly cheap and accessible. Malware is often distributed from breached machines, such as notebook computers, smartphones, or even the Internet of Things (such as your baby monitor). All of these devices can distribute encrypted malware while the performance impact on them is so minimal that the user will not notice. Another reason is that, after the Edward Snowden disclosures, many technology companies very vocally encouraged content providers to switch to encrypted traffic for pretty much anything in order to maintain citizens’ privacy from their own or a different government. Now add large operators of server farms to the mix, who can all be abused and (involuntarily) converted into malware distribution platforms, and you have the perfect storm. The firewall you “just” updated from SPI to DPI is on its way to becoming redundant as it goes blind.

SonicWall calls SSL inspection DPI-SSL, which stands for Deep Packet Inspection of SSL encrypted traffic. Instead of the client, such as a web browser, establishing an encrypted connection directly with a web server, DPI-SSL works by establishing an encrypted connection between the client and the SonicWall firewall. The SonicWall firewall then establishes a second encrypted connection to the server, so that the firewall can inspect the traffic in between. This all happens transparently and automatically, without user interaction, but with the user’s knowledge to maintain integrity.

But now you may be thinking: “I just upgraded to deep inspection. Now I have to invest in SSL inspection technology?” This is true for most vendors, unfortunately. Over half of all vendors require you to purchase a dedicated platform to perform SSL decryption and re-encryption services. We at SonicWall believe that many vendors did not take investment protection seriously three years ago, when they promised investment protection to you as you bought the deep inspection solution. SonicWall, as the leader in DPI, recognizes the importance of SSL inspection as well as the investment customers have already made in DPI. For this reason, SonicWall issues DPI-SSL licenses free of charge.

The good news is that DPI-SSL is not just free, but also already built into your SonicWall Gen-6 TZ, NSA, or Super Massive appliance. Stay tuned for my next blog, where we will discuss technical details and how you implement DPI-SSL into your network.

Ransomware-as-a-Service RaaS is the New Normal

Business models always have to settle the method of distribution: will they sell directly, through a channel of distributors, or a mix of both? The same is true for ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution, all the while collecting a cut of the prize.

Throughout the past year, up to and including the large-scale WannaCry attacks, the peaks of the infamous events have been interspersed with small, focused attacks launched en masse from rebranded exploit kits. In the past quarter, we have discovered a mix of developer hobby/chaos-malware, rebranded ransomware, and repackaged RaaS ransomware:

  • Trumplocker
  • AlmaLocker
  • Jigsaw
  • Lambda
  • Derialock
  • Shade
  • Popcorn

Recently, one author showed how easy it is to launch a ransomware attack within an hour… with zero hacking skills. So what does this mean to an organization like yours? Should this scare you? Simply put, attacks from more sources equal more attacks, but SonicWall has your back.

First off, organizations can have the front-line protection of our award-winning multi-engine network sandbox, SonicWall Capture Advanced Threat Protection (ATP) Service. Capture ATP automatically takes suspicious code at the gateway of your network, and runs it in three parallel engines (and counting) to see what it wants to do from the application, to the OS, to the software that resides on the hardware. We find the newest ransomware families and updates this way.

Secondly, our Capture Labs research team catches many new variants of ransomware and malware in multiple ways as well as from a multitude of external sources. Once new ransomware families are found (either from Capture ATP, a honeypot, or another Capture Labs source), the intelligence is cross-pollinated to the rest of the SonicWall portfolio of security products.

Lastly, organizations can expect to be hit by a wide range of ransomware attacks and should ensure they have a good backup policy and focus on awareness training.

To learn more, watch this video to see how SonicWall stops ransomware:

Don’t Be Fooled by the Calm After the WannaCry Chaos: Continuously Toughen Your Security

Some consider WannaCry to be the first-ever self-propagating ransomware attack to wreak havoc across the globe. The chaos that followed is yet another harsh wake-up call for many, in a situation far too familiar. Only this time, the victims are new, the infection spreads more rapidly, the effects are far-reaching and the headlines are bigger. I am sure you may be feeling overwhelmed with the ongoing news coverage of the EternalBlue exploit, WannaCry ransomware and Adylkuzz malware this past week. Let us recap a few important observations to help us avoid a replay of history.

The WannaCry crisis was unlike the zero-day vulnerabilities and exploits that caused massive cyber-attacks in previous years. The major difference in this event is that there were early warning signs portending this sort of cyber-attack, through a series of leaks by the Shadow Brokers, an unidentified hacking entity responsible for putting stolen U.S. National Security Agency (NSA) hacking secrets in the hands of nefarious actors, both foreign and domestic, looking to do us harm. Since the forthcoming threat was public knowledge and organizations had ample time to mitigate the risk, why was WannaCry still able to achieve the level of success that it did? The reasons are quite simple and common to most organizations today.

1. Take care of the basics

Winston Churchill once remarked, “We live in the most thoughtless of ages. Every day headlines and short views.” Although the wisdom in these words was uttered many years ago, it seems as though we have yet to change our ways with respect to repeating poor cyber hygiene patterns. Some data security experts have suggested that poor cyber-hygiene has caused as much as 80% of security incidents. Whether this figure is accurate or not, it is certain that the WannaCry and Adylkuzz attacks are the latest examples to support it. Because of unpatched Microsoft Windows systems, victim organizations allowed a broadly publicized and easily preventable exploit and ransomware to move into their environments, simply because some of the most basic security measures were either not established or not followed.

To avoid repeating this sort of mistake, organizations must understand that taking care of the basics is the difference between likely being breached and likely avoiding one. Therefore, organizations must institute a zero-tolerance policy of patching every system and device in the environment; leaving systems unpatched must never be an option. Putting in place auditable workflows and technology that can programmatically check for and perform security updates without the need for manual intervention will help organizations move towards a more proactive defense posture.

2. Security staffing is an unsolved problem

What we are seeing right now is a serious talent shortage in the security employment industry. Hiring good, affordable security professionals is a huge concern for many organizations across all industries. When organizations do not have adequate security staff or are unable to fill positions, they do not have the capacity necessary to proactively identify and remediate risk areas at the speed needed to avoid a security event like WannaCry. This common, unsolved problem manifests itself with most organizations, especially during major cyber events.

Many of the most significant issues organizations have in common today include the lack of understanding and visibility of:

  • What and where are the at-risk assets
  • Who and where are the at-risk users
  • What and where are the at-risk systems and devices
  • What are the risks and threats to focus on
  • What a proper security response plan looks like

3. Lacking the right tools

We have a situation today where exploit kits and ransomware leverage SSL/TLS encrypted traffic predominantly to evade detection. A recent Ponemon Institute study reported that 62% of respondents say their organizations do not currently decrypt and inspect web traffic. The real concern, however, is that half of the respondents who disclosed they had been victims of a cyberattack in the preceding 12 months claimed the attacks leveraged SSL traffic to evade detection. So why is that?

The reasons provided in the same Ponemon study revealed that for those organizations that are not inspecting encrypted traffic:

  • 47% of the respondents said a lack of enabling security tools was the top reason
  • 45% divulged that they do not have sufficient resources
  • 45% said they have overwhelming concerns about performance degradation

Encrypted attacks threatening mobile devices, endpoint systems and data center resources and applications are on the rise. As we move towards an all-encrypted internet, organizations no longer have a choice whether to establish a security model that can decrypt and inspect encrypted traffic to stop hidden threats.

To learn more, here are two relevant informational pieces written by my colleagues on the WannaCry ransomware event that I highly recommend you read. They offer additional perspectives and insights that can help you solve these security issues and be readily prepared for the next wave of cyber-attacks.

  1. WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network? by Rob Krug, Solution Architect, Security
  2. SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack by Brook Chelmo, Sr. Product Marketing Manager

When the chaos over WannaCry calms, the big question becomes, will you move on from this historic event with the lessons we’ve learned? Your answer is crucial since it will determine if the next major incident yields a more readied response from your organization.

Footnote: Ponemon Study, Uncovering Hidden Threats within Encrypted Traffic, 2016

Are You Seeing This? Uncovering Encrypted Threats

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition, such as when Google announced it would enable HTTPS search for all logged-in users who visit. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption, the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted, and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or, they may do everything that’s required, just very slowly, which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.

SonicWall Protects Customers from the Latest Phishing Attacks

Ransomware attacks have been in the headlines a lot of late. Did you know that 65% of all ransomware attacks happen through phishing emails? Therefore, email security needs to be a major focus when delivering security awareness training. It is likely that future variants of the recent WannaCry ransomware attack will be delivered via phishing emails.

As reported earlier this month, some Gmail users fell victim to a massive phishing attack that frightened many… a phishing attack that targets all your contacts. Now let us look at how Gmail users were susceptible to the phishing attack.


Gmail users received an email (from a known sender) that was an invitation to view a shared Google Doc. After clicking the link in the invitation email, users were directed to a legitimate “Google – Choose An Account” screen, after which they were prompted to authorize Google Doc to access their Gmail account.

Simply click “Allow”…  With no login prompt…

Sound suspicious yet?


At this point, it was not Google Docs requesting access – but actually a malicious app.  As Reddit carefully detailed, this hack would actually:

  1. Bypass any 2-factor authentication controls
  2. Scour your Gmail contacts list, and replicate itself by sending emails (on your behalf) to everyone you’ve ever emailed
  3. At this point, it would also have access to your Gmail account, including the ability to read previous messages


SonicWall™ Email Security now integrates with the Capture Advanced Threat Protection service to deliver fine-grained and user-transparent inspection of SMTP-based traffic. The cloud-based Capture ATP service can scan a broad range of email attachment types, analyze them in a multi-engine sandbox, and block dangerous files or emails before they reach your network. SonicWall Email Security with Capture ATP gives you a highly effective and responsive defense against email-borne threats, including ransomware, phishing, spoofing, spam and viruses.


To avoid phishing scams, below is a refresher on what you can do to not fall prey:

  • Don’t click on URLs in emails without checking their full path and understanding where they lead
  • Don’t download any plug-ins from the email link itself. Go to the vendor’s (Adobe, Microsoft, etc.) website to download plug-ins
  • Use 2-factor authentication wherever possible
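The first two points above can be applied mechanically before anyone clicks. The following Python example (added here, not SonicWall’s code) pulls every link out of an email body and reports why it deserves a closer look: a visible hostname that disagrees with the real destination, a “user@host” trick that hides the real host, a bare IP address, plain HTTP, or a link that points straight at an executable. The HTML body, hostnames and addresses are constructed sample data, not from the Gmail campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (example data only): one honest link and three
# deceptive ones of the kinds the advice above warns about.
SAMPLE_EMAIL_HTML = """
<p>Open the shared document:
<a href="https://docs.google.com/document/d/abc123">docs.google.com/document/d/abc123</a>
<a href="https://accounts.google.com.login-verify.example/oauth">https://accounts.google.com/</a>
<a href="http://198.51.100.7/update/plugin.exe">Download the Adobe plug-in</a>
<a href="https://www.microsoft.com@203.0.113.9/setup">https://www.microsoft.com/setup</a>
</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Visible text that looks like a hostname or path, e.g. "docs.google.com/x"
BARE_HOST_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link should be checked before it is clicked.

    An empty list means none of the checks fired; it does not prove the link
    is safe, it only means the cheap, offline checks found nothing.
    """
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append(f"non-HTTPS scheme {parsed.scheme!r}")

    if parsed.username is not None:
        # "https://www.microsoft.com@203.0.113.9/" really goes to 203.0.113.9:
        # everything before '@' is user info, not the destination.
        reasons.append(f"userinfo before host; real host is {host!r}")

    if IPV4_RE.fullmatch(host):
        reasons.append("destination is a bare IP address")

    # If the visible text itself looks like a URL or hostname, it must agree
    # with where the href actually leads.
    shown = text.strip()
    shown_host = None
    if "://" in shown:
        shown_host = (urlparse(shown).hostname or "").lower()
    elif BARE_HOST_RE.match(shown):
        shown_host = shown.split("/")[0].lower()
    if shown_host and shown_host != host:
        reasons.append(f"text shows {shown_host!r} but href leads to {host!r}")

    if href.lower().endswith((".exe", ".msi", ".js", ".scr")):
        reasons.append("link points directly at an executable download")

    return reasons


def scan_email_html(html: str) -> dict:
    """Map each href found in the HTML body to its list of warning reasons."""
    return {href: assess_link(href, text) for href, text in ANCHOR_RE.findall(html)}


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons or ["no findings"]:
            print("   -", reason)
```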

Finally, if you were a victim of this attack, following are a few steps you can take to resolve the situation.

  • Go into your Google Account Permissions page and remove access privileges for the Google Docs account
  • Google also encourages users to report phishing emails in Gmail

Lastly, test your knowledge on all-things-Phishing related by taking the SonicWall Phishing IQ Test… and avoid being scared of emails!

Download Solutions Brief: What your next-gen email security needs to stop advanced threats.

Wrapped Up a Winning Week at Dell EMC World 2017: SonicWall Helps Secure More. Fear Less.

We enjoyed a “winning” week engaging with our loyal customers and partners at Dell EMC World, attended by more than 12,000 IT professionals like you.

SonicWall had a strong and visible presence, with one key goal: to maintain and strengthen our ties with Dell and our mutual customers and partners.  This event affirmed how important Dell EMC customers and partners are to SonicWall, and how committed we are to helping you stay ahead of the cyber arms race.

The buzz of this year’s event was all around “Realize your Digital Future.”  We heard from many customers, partners and Dell executives that organizations are looking to digital transformation to drive IT innovation, enhance workforce mobility and reduce risk.  Throughout the event, attendees explored the exciting and innovative benefits that digital transformation will provide.

However, digital transformation also increases exposure to risks for your customer data, your reputation and your organization’s credibility.  It was clear from feedback at the event that the partnership and solutions from SonicWall and Dell EMC provide the perfect combination to keep you ahead of cybercriminals in the continually evolving cyber arms race.

In the SonicWall booth, we demonstrated how our solutions empower you to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.  Our kiosk demos included:

  • Our award-winning multi-engine sandbox, SonicWall Capture ATP, which can scan and block unknown files until a verdict can be reached in order to prevent zero-day and advanced threats.
  • SonicWall’s next-gen firewalls help prevent breaches caused by encrypted malware. Over 60% of today’s web traffic now uses SSL encryption, which can lead to under-the-radar hacks and expose your network to breaches. Most modern firewalls claim to decrypt and scan encrypted traffic, but not all perform well in the real world.
  • SonicWall Email Security with Capture, which can stop phishing and block ransomware in your email. Ransomware attacks have grown at a tremendous rate, with email as one of the main attack vectors.
  • Our latest Secure Mobile Access solutions, which let you define granular access policies, enforce multi-factor authentication and monitor all activities for compliance. SonicWall’s access security and network segmentation delivers the right level of access to your mobile workers and reduces the threat surface.
  • The integration of Dell EMC X-Series switches with SonicWall to extend your network infrastructure securely and centrally manage switches, firewalls and wireless access devices.

Our goal at SonicWall is to help you stay protected and ahead of today’s ever-changing cyber attacks. We do this with the intelligence of our advanced global GRID Network, the unique integration of our award-winning Capture capabilities with our Email Security solutions, and our IoT security solutions. SonicWall lets you protect your enterprise while you drive business productivity, with next-gen firewalls, access security, and email security solutions. We look forward to continuing the momentum of Dell EMC World to give you the power to secure more and fear less.

DPI-SSL: What Keeps You Up at Night? Protect More. Fear Less.

If you have been in this industry for more than a few years, you have probably heard the sales pitch, “What keeps you up at night?” It’s a typical sales tactic to elicit an emotional response to threats that seem to be out of your control. It’s designed to draw you out, start a conversation, and ultimately, prey on your fears.

We have enough security issues to concentrate on without having to prey on fears.  That is one of the reasons I never liked this sales pitch. I have always felt it is better to address the challenges facing network security and do what we can to face those threats.

Growing up in Santa Cruz California, I learned to swim in the ocean with some pretty scary waves.  If you did not see a wave coming, you would get swamped by the wave.  But if you faced the wave and dove under it, the threat was mitigated.  If we do not see the threats in network security, we too can be swamped. For this same reason, we must look into encrypted packets to mitigate those threats.  We cannot face what we do not see.

The SonicWall 2017 Annual Threat Report shows that over half of the mechanisms delivering malware utilized encryption to mask the threats. The threat actors who create malware know that if they encrypt their payload, the odds of end-system infection are very high while the odds of intrusion detection are low. The extra effort to create an encrypted session rather than a standard plain-text session is minimal. So there is little extra work to create encrypted payloads while the reward is large.

In the last few months, there have been tests and claims from well-respected web browser vendors asserting that security devices doing Deep Packet Inspection (DPI) of encrypted packets weaken security. Their testing showed that many security product vendors deploying “man in the middle” tactics to decrypt and re-encrypt packets for inspection re-encrypted with a lower quality of encryption. This effectively did weaken security, and from this they drew the conclusion that security devices performing DPI-SSL weaken your protection.

This position is understandable; however, SonicWall takes this opportunity to actually increase security by hardening HTTPS encryption when weaker ciphers or invalid certificates are presented.

Workstations and end systems do a very good job of updating browsers, checking for revoked certificates and supporting strong encryption methods. But we often find the same is not true for hosted sites that contain many servers but have limited IT resources. Encryption methods get deprecated, but these servers often do not get updated, and within the server’s negotiation of the Transport Layer Security (TLS) session, older and outdated methods still exist today. Secure Sockets Layer 1, 2 and 3 protocols are no longer recommended for sensitive data and should not be used.

The SonicWall next-generation firewall can detect when a server is presenting these weak encryption methods and block session initiation. Of course, there are times when this is not desirable; in that case, we also have the ability to let these connections establish. When I am confronted with incidents where TLS is not supported by a host that contains sensitive data, I have been successful in reaching out to that organization and letting them know they are not complying with Transport Layer best practices.
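As an added illustration of the policy just described (example code written for this page, not SonicWall's DPI-SSL implementation): a minimal parser for the TLS ServerHello that an inspecting firewall sees during session setup. It pulls out the negotiated protocol version and cipher suite and decides whether the session may establish, blocking anything below a configurable minimum version or any suite from a small known-weak list. The record layout follows RFC 5246 and the version constants and cipher-suite identifiers are the IANA registry values; everything else (the policy lists, the `build_server_hello` helper used to construct test records, the sample records themselves) is an assumption made for this example. The parser does not read extensions, so a TLS 1.3 ServerHello, which carries legacy_version 0x0303 and the real version in the supported_versions extension, is reported here as TLS 1.2.

```python
import struct
from typing import Dict, Tuple

# Protocol version numbers as they appear on the wire (RFC 5246 / RFC 6101).
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# IANA cipher suite identifiers. The split into "weak" and "strong" is this
# example's policy choice: NULL, RC4 and 3DES suites are blocked.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
STRONG_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> Dict[str, int]:
    """Parse one TLS record carrying a ServerHello; return version and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                               # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len                                # cipher suite follows the session id
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}


def evaluate(record: bytes, min_version: int = TLS12) -> Tuple[bool, str]:
    """Return (allow, reason) for the server's chosen parameters."""
    info = parse_server_hello(record)
    v, s = info["version"], info["cipher_suite"]
    vname = VERSION_NAMES.get(v, f"0x{v:04x}")
    if v < min_version:
        return False, f"protocol {vname} below policy minimum"
    if s in WEAK_SUITES:
        return False, f"weak cipher suite {WEAK_SUITES[s]}"
    return True, f"{vname} with {STRONG_SUITES.get(s, f'0x{s:04x}')}"


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (no extensions) for testing only."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", suite) + b"\x00"       # compression method: null
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed records: an SSLv3/RC4 server and a TLS 1.2/ECDHE-GCM server.
    for rec in (build_server_hello(SSL3, 0x0005), build_server_hello(TLS12, 0xC02F)):
        print(evaluate(rec))
```

The same check can be relaxed per destination when a legacy server has to stay reachable, which is the "let these connections establish" exception the text mentions; the decision is logged either way so the owner of the weak server can be contacted.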

When networks are breached, sometimes the only time you find out is when the compromised devices “phone home.” In doing so they will use encryption. Trojans, malware, and botnets leverage Command and Control centers for updates and orders. They use non-standard ports and are not typically web connections. SonicWall is not dependent on port numbers or browsers; it inspects all ports. Every packet in each direction is inspected, securing your network.

The next time someone comes into your office and asks you, “What keeps you up at night?”, don’t fall into this fear trap. With SonicWall, sleep sound. Protect More and Fear Less.

WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network?

“It’s a tragedy.” At least that is what we are told. Time and time again, when bad things happen, we hear the same things replayed: “what could we have done to prevent this,” or “we didn’t know.” In life, this can be an honest reaction to certain things. Some things are left to powers way beyond our mortal control, but that doesn’t apply to the cyber world in this digital age. Exploits are a daily thing; this is not new. There are more than forty new viruses created every sixty seconds, of every minute, of every hour, of every day. The “I didn’t know” defense can only play out so long.

This was never truer than this past week with the incredibly dynamic ransomware attack, the WannaCry exploit, in the UK and Spain. Here is what we know: some exploit kits that allegedly were created by certain government agencies were, again allegedly, stolen and leaked online to the masses. Some elements of these exploit kits were then leveraged in a new, extremely aggressive form of ransomware that uses a worm-like attack against connected network machines through various read/write functions of the Windows operating system. This latest ransomware variant was then set loose on the world and infected more than 200,000 systems in more than 100 countries, including several healthcare institutions in the United Kingdom and even a couple of telecommunications companies in Spain. Guess what? It is certainly not the first exploit to leverage this form of attack, and it certainly will not be the last.

For far too long, companies and institutions have continued to treat cyber security like it is still the 1990s. Back then, it was typical for network admins to simply deploy this new technology called a “firewall” behind their router, and then let it sit for months, even years, without so much as logging into the unit. They had no need to. If the unit was up, that was all that mattered. Perhaps they would log in to add a new Access Rule or a VPN Policy, but for the masses that was it. It was a terrible practice then; today it is a death sentence for the network, and maybe even the career.

Network admins need to alert their senior management, including those C-Level employees, and let them know that security is no longer a back-office job that is performed only when needed. Security has evolved. It is a front office task that demands daily attention. And guess what else? Sometimes that means that there is some heavy lifting involved.

Here is the basic truth: proper security procedures, training, and architecture prevent breaches. This starts with ensuring that all traffic is being inspected, including that pesky encrypted traffic. This cannot be a half-baked solution that only inspects partial traffic flows, or has to rely on multiple endpoint clients to alert before identifying threats. Crossing one’s fingers and wishing for the best simply will not do. Only implementing an aggressively secure countermeasure to stop aggressive advanced persistent threats will protect networks from malicious exploits.

Install a solution that delivers automated security updates, is fully application aware, and has built-in intrusion prevention and anti-virus scanning, including encrypted traffic inspection. All of these features, including the fully integrated SonicWall Capture Threat Prevention, a multi-engine cloud-based sandbox for zero-day malware attacks, are included on the SonicWall UTM Appliance and next-generation firewalls. SonicWall customers and partners were protected on April 20, when the SonicWall Capture Labs Threat Network issued a signature for the WannaCry exploit.

Recently, I had the pleasure of sitting down with a business owner of a company that had been breached. It was a typical story. A user’s credentials had been compromised, and unauthorized access through an unprotected RDP session led to devastating consequences. When questioned why a VPN front-end to the RDP session was not deployed, the response was that it was too many extra configurations to maintain. When asked about enabling a two-factor authentication solution to send a text message to users’ phones, the response was that it was too complex. What if they forget their phone that day? Then when I am asked why there was a breach, I just WannaCry.

For more information, please read SonicWall’s Ransomware Review and Defeating the Encrypted Threat.
Protect More Fear Less

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally triggered, disabling the worm feature and slowing its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs has released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched Microsoft SMB vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack.  All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in a similar way to how Botnet Filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST:

What’s Next

The party behind this attack has already released several variations of this attack, for which we have protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats, just as we did with Cerber ransomware. Enable the service’s Block Until Verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.
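The SPF/DKIM/DMARC check recommended above comes down to one rule: the message passes DMARC only if SPF or DKIM passed *and* the domain that passed is aligned with the visible From: domain; otherwise the receiver applies the p= policy from the sender's DMARC record. The following is an added example written for this page (not SonicWall's Email Security code) that evaluates that rule for a message whose authentication results are already known. The record strings, domains and results are constructed; `organizational_domain` uses a last-two-labels simplification where a real implementation consults the Public Suffix List, and the pct= and sp= tags are ignored.

```python
from typing import Dict, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Production code must use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain: str, record: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) where disposition is 'none' or the record's p= value.

    spf_domain is the envelope-sender (MAIL FROM) domain SPF was evaluated against;
    dkim_domain is the d= value of the signature that verified.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed scenario: a message claiming to be from example.com, relayed by a
    # third-party host whose own SPF passes but whose domain is not aligned.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(evaluate_dmarc("example.com", record,
                         spf_result="pass", spf_domain="relay.example.net",
                         dkim_result="none", dkim_domain=""))
```

The spoofing case the text warns about is exactly the one SPF alone misses: the relaying host is allowed to send for its own domain, so SPF passes, but the domain that passed is not the domain in the From: header, so DMARC fails and p=reject applies.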

Apart from the SonicWall security protections in place (listed above), as a best practice we recommend disallowing or blocking inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming from the internet on edge-facing firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in the Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access to SMBv2/v3), and monitor for any suspicious activity on TCP 445.
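The two network-side recommendations above, block inbound SMB at the edge and monitor TCP 445 internally, can both be checked from firewall connection logs. As an added example written for this page (not SonicWall code, and not the firewall's own log format), the script below parses a constructed key=value connection log and raises two kinds of finding: an internal host that opened SMB connections to many distinct hosts within a short window, which is the spreading pattern of a worm like the one described, and any allowed connection to port 445 from a source outside the RFC 1918 ranges, which means the edge block is not in place. Log lines, addresses, thresholds and the window size are all assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed log format for this example: "<iso-timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<allow|drop>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def detect_smb_sweeps(lines: Iterable[str], distinct_hosts: int = 5,
                      window_seconds: int = 60) -> Dict[str, int]:
    """Return {src: peak distinct TCP/445 destinations within any window} for sources over threshold."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "tcp" and e["dport"] == 445]
    events.sort(key=lambda e: e["ts"])
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts: Dict[str, int] = {}
    for src, evs in by_src.items():
        window: deque = deque()
        peak = 0
        for e in evs:                                   # sliding window over time-ordered events
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({w["dst"] for w in window}))
        if peak >= distinct_hosts:
            alerts[src] = peak
    return alerts


def internet_exposed_smb(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs where a non-RFC1918 source was allowed to reach port 445."""
    hits = []
    for e in map(parse_line, lines):
        if not e or e["dport"] != 445 or e["action"] != "allow":
            continue
        if not any(ipaddress.ip_address(e["src"]) in net for net in RFC1918):
            hits.append((e["src"], e["dst"]))
    return hits


# Constructed sample log: 10.0.0.5 sweeps eight neighbours on 445 in 14 seconds (worm-like),
# 10.0.0.9 talks repeatedly to one file server (normal), 203.0.113.7 is an external address
# from the documentation range used here as a stand-in for "the internet".
SAMPLE_LOG = [
    f"2017-05-12T10:00:{2 * i:02d} src=10.0.0.5 dst=10.0.0.{10 + i} proto=tcp dport=445 action=allow"
    for i in range(8)
] + [
    f"2017-05-12T10:0{i}:00 src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=445 action=allow"
    for i in range(1, 5)
] + [
    "2017-05-12T10:03:15 src=10.0.0.5 dst=10.0.0.40 proto=tcp dport=80 action=allow",
    "2017-05-12T10:04:02 src=203.0.113.7 dst=10.0.0.30 proto=tcp dport=445 action=allow",
    "2017-05-12T10:04:09 src=203.0.113.8 dst=10.0.0.30 proto=tcp dport=445 action=drop",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    print("SMB sweep sources:", detect_smb_sweeps(SAMPLE_LOG))
    print("internet-exposed SMB:", internet_exposed_smb(SAMPLE_LOG))
```

The distinct-destination count is what separates a spreading host from a busy one: the file-server client in the sample makes as many 445 connections as the sweeping host but only ever to one destination, so it never trips the threshold.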