‘Federal Tech Talk’ Hosts SonicWall CEO Bill Conner to Examine Cybercriminal Strategies that Threaten Federal Agencies

During a recent trip to Washington D.C., SonicWall CEO Bill Conner stopped by Federal News Network’s studios to join John Gilroy on Federal Tech Talk.

The pair took to the airwaves (and podcast) to focus on emerging cyber threats that impact enterprises, SMBs and federal agencies alike. Atop the list were attacks over non-standard ports, encrypted threats and malicious PDFs and Office files.

“What’s alarming on this one, these new techniques are evading traditional security sandboxes,” Conner told Gilroy on the show.

In mid-April, SonicWall announced new threat data that highlights the growing volume of PDF fraud campaigns. In all of 2018, the SonicWall Capture Advanced Threat Protection (ATP) sandbox discovered more than 47,000 new attack variants in PDF files. In March 2019 alone, the sandbox found more than 73,000 PDF-based attacks.

“It’s incredibly aggressive in terms of the volume. It’s also very evasive,” said Conner on the broadcast. “If you click on that PDF, it might not hit you immediately. It might be delayed before it activates itself. The alarming piece in this city (Washington, D.C.) — for the Feds — is that it is emanating out of Russia.”

The compelling 40-minute segment, which is available via podcast, also explored the growing volume of IoT attacks, fileless malware and other evolving exploits.

“It’s a cyber arms race,” said Conner. “As many good guys as we have coding to block it and stop it, you’ve got an equal number of bad guys on the other side looking for architecture or feature holes trying to get around [security controls].”

About Federal Tech Talk

Federal Tech Talk looks at the world of high technology in the federal government. Host John Gilroy of The Oakmont Group speaks the language of federal CISOs, CIOs and CTOs, and gets into the specifics for government IT systems integrators. John covers the latest government initiatives and technology news for the federal IT manager and government contractor.

Cyber Security News & Trends

This week, SonicWall’s recent PDF and Office cyberattack findings back up investigative reporting, a “secure” WhatsApp replacement is anything but, and vulnerabilities in the Internet of Things continue to create headlines.

SonicWall Spotlight

The Growing Partnership Between Russia’s Government and Cybercriminals – 60 Minutes

  • In a new investigative report, CBS examines evidence of increasingly blurred lines between Russian intelligence agencies and the criminal exploits of notorious cybercriminals like Evgeniy Bogachev, better known by the hacker handles “slavik” and “lucky12345”. The report further supports SonicWall’s recent findings of escalating PDF and Office document-based attacks likely originating from Russia.

Cyber Threat Report: Over 10 Billion Attacks of Various Types Recorded in 2018 – Business Review

  • Business Review reflects on the figures from the 2019 SonicWall Cyber Threat Report and the recently revealed data on the rise of dangerous PDF files.

PDF: The Vehicle of Choice for Malware and Fraud – HelpNet Security

Cyber Security News

How Nest, Designed to Keep Intruders out of People’s Homes, Effectively Allowed Hackers to Get In – Washington Post

  • Internet-connected devices, like Google’s Nest family, struggle to strike the right balance between making devices very secure and making them easy to use. If too much friction is put in place for security reasons, brands risk turning potential users off.

FBI: Cybercriminals Set New Record in 2018 by Causing More Than $2.7 Billion in Reported Losses – Washington Times

  • The FBI’s Internet Crime Complaint Center has released its annual report, detailing an almost doubling of financial losses caused by cybercrime in 2018.

Bug in French Government’s WhatsApp Replacement Let Anyone Join Élysée Chats – Ars Technica

  • A “secure” messaging app launched by the French government was hacked almost immediately upon release.

An Inside Look at How Credential Stuffing Operations Work – ZDNet

  • ZDNet digs deep into the world of cybercrime to explain how credential stuffing works, detailing the tools and methods used as well as its place in the criminal economy.

Unauthorized Party Muscles Its Way Into Bodybuilding.Com’s Systems – SC Magazine

  • Bodybuilding.com revealed that it suffered a data breach in February 2019 that exposed a trove of data, including real names, email addresses, physical addresses and phone numbers. Stored financial information beyond partial card numbers was not exposed.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps – Motherboard

  • A hacker broke into the accounts of thousands of GPS trackers and claims that “with one touch, I can stop these vehicles’ engines.” He says that he carried out this hack to raise awareness of the poor security of the GPS apps.

Cybersecurity: UK Could Build an Automatic National Defence System, Says GCHQ Chief – ZDNet

  • Following a recent UK cybersecurity survey suggesting that only 15% of people say they know how to protect themselves online, the head of GCHQ has called for cybersecurity responsibility not to rest on individuals alone but to be shared by governments, ISPs and businesses.

In Case You Missed It

What to Look for in a CASB Solution

Virtually every organization across major verticals — K-12 and higher education, financial services, retail and hospitality, and government — is undertaking digital transformation endeavors. And this includes migrating applications and data to the cloud.

When organizations do choose to adopt cloud technologies, software-as-a-service (SaaS) is the most popular choice, according to a Gartner forecast for public cloud adoption. This is evident in the number of SaaS applications a typical organization uses. According to IDG, 73% of organizations have at least one application in the cloud and another 17% plan to do so in the next 12 months.

Source: IDG 2018 Cloud Computing Survey

The adoption of SaaS applications brings about new security challenges for IT teams and increases attack surfaces for cybercriminals. The main use case for SaaS security is data protection. How do you protect your corporate data when you no longer have full control of the infrastructure or lack visibility into who can access that data and from which device/location?

The need to address this challenge created a new market segment in 2011 called Cloud Access Security Brokers (CASBs) or Cloud Security Gateways (CSGs). The CASB market segment is one of the fastest growing in information security with Gartner estimating a growth rate of 46% CAGR from 2017 to 2022.

Today, cloud security is not just about limiting or securing access to cloud applications. Cloud security is a shared responsibility where the organization that consumes cloud services is responsible for protecting sensitive data within their SaaS tenants. In fact, according to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

What is CASB?

At a high level, CASB solutions typically deliver the following four functionalities:

  1. Visibility. Enable cloud discovery to shed light on cloud application usage and shadow IT activities.
  2. Data security. Secure the corporate data uploaded or hosted in the cloud by enabling data loss prevention (DLP) and monitoring user activity.
  3. Threat protection. Identify anomalous user behavior and provide anti-malware and sandboxing capabilities to protect against threats in the cloud.
  4. Compliance. Empower organizations with auditing and reporting tools to demonstrate compliance, especially in regulated industries.

CASB: The evolution of cloud security

The early CASB solutions were geared toward large enterprises that were early adopters of cloud services. These solutions required sophisticated on-premise deployments that proxied all traffic (either forward or reverse proxy) to enforce inline policies for cloud usage.

This proxy-mode CASB approach is sometimes known to introduce latency and/or cause breakage in application functionality, creating a bad user experience. In fact, it’s why Microsoft recommends against using proxy-based solutions when securing Office 365.

The next generation of CASB solutions takes advantage of the API-based architecture that SaaS platforms are built on. API-mode CASB is the only way to provide complete visibility into SaaS environments.

API-based CASBs are easy to deploy and provide the most coverage for SaaS security use cases across sanctioned IT, shadow IT, managed devices and unmanaged devices (BYOD).

On-Demand Webinar with Guest Michael Osterman

Need more security and control for your cloud applications? View this joint on-demand webinar, “Securing Your SaaS Landscape,” with Osterman Research principal analyst Michael Osterman, to explore the major concerns and issues organizations have with SaaS adoption, what to look for in a CASB solution and an overview of SonicWall Cloud App Security.

CASB protects Office 365 deployments

According to the Cybersecurity Insiders 2018 Cloud Security Report, the most popular SaaS app used by organizations of all sizes is Microsoft Office 365.

Many associate Office 365 with email because it’s the most used app within the Office 365 suite. So, when CISOs and IT directors begin migrating on-premise mailboxes to Exchange Online, the default response is to extend the incumbent Secure Email Gateway (SEG) or Mail Transfer Agent (MTA). This approach to securing cloud email creates two significant blind spots:

  1. Causing security gaps. Does not protect other apps within Office 365, so it becomes a point solution that is focused on securing only email.
  2. Missing internal threats. Does not scan internal Office 365 emails, which is becoming increasingly relevant in the current threat landscape with credential compromises and account takeovers.

To address these blind spots, you need to buy an add-on service (to scan internal email) from your email security provider (if they offer one) and deploy a CASB to protect the data residing in OneDrive and SharePoint Online. That’s one more point solution that IT directors need to add to their budget, and IT administrators need to deploy, get trained and manage.
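To make the two blind spots concrete, here is an added example (not SonicWall Cloud App Security code, and not any vendor's API) that simulates an API-mode scan of a SaaS tenant and compares it with what a perimeter Secure Email Gateway would see. The tenant domain, the mailbox and drive paths, the messages and the single DLP rule (Luhn-valid card numbers) are all constructed for the example; the names `scan_tenant`, `seg_visible` and `coverage_gap` are assumptions of this example, not product functions.

```python
# Added example, not SonicWall Cloud App Security code: a toy "API-mode"
# scan of a SaaS tenant compared with what a perimeter SEG would see.
import re
from dataclasses import dataclass

TENANT_DOMAIN = "example.com"  # assumed tenant domain (constructed)

# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass(frozen=True)
class TenantObject:
    kind: str          # "mail" or "file"
    path: str          # mailbox folder or drive path (constructed)
    sender: str        # sending address for mail, "" for files
    recipients: tuple  # recipient addresses for mail, () for files
    body: str          # message body or file text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-like numbers found in text (digits only)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + TENANT_DOMAIN)


def seg_visible(obj: TenantObject) -> bool:
    """A perimeter SEG/MTA only sees mail that crosses the tenant boundary."""
    if obj.kind != "mail":
        return False
    return not is_internal(obj.sender) or any(not is_internal(r) for r in obj.recipients)


def scan_tenant(objects, api_mode: bool) -> list:
    """Apply the DLP rule. api_mode=True mimics a CASB reading every object via the
    platform API; api_mode=False mimics an SEG that sees only boundary-crossing mail.
    Findings carry a hit count, never the card number itself."""
    findings = []
    for obj in objects:
        if not api_mode and not seg_visible(obj):
            continue
        cards = find_card_numbers(obj.body)
        if cards:
            findings.append((obj.kind, obj.path, len(cards)))
    return findings


def coverage_gap(objects) -> list:
    """Objects with DLP hits that only the API-mode scan would have flagged."""
    seg_paths = {f[1] for f in scan_tenant(objects, api_mode=False)}
    return [f for f in scan_tenant(objects, api_mode=True) if f[1] not in seg_paths]


# Constructed tenant content; the card numbers are well-known test values.
SAMPLE_TENANT = [
    TenantObject("mail", "alice/Inbox/1", "vendor@partner.test", ("alice@example.com",),
                 "Invoice attached, card on file 4111 1111 1111 1111."),
    TenantObject("mail", "bob/Inbox/7", "alice@example.com", ("bob@example.com",),
                 "Forwarding the customer card 4111-1111-1111-1111 for the refund."),
    TenantObject("file", "OneDrive/bob/refunds.csv", "", (),
                 "name,card\nJ. Doe,5500000000000004\n"),
    TenantObject("mail", "carol/Inbox/2", "alice@example.com", ("carol@example.com",),
                 "Lunch at noon?"),
    TenantObject("file", "SharePoint/Finance/notes.txt", "", (),
                 "Ticket 4111 1111 1111 1112 is not a card number (fails Luhn)."),
]

if __name__ == "__main__":
    for kind, path, n in coverage_gap(SAMPLE_TENANT):
        print(f"missed by SEG, found via API: {kind} {path} ({n} card number(s))")
```

Running it lists the internal-to-internal message and the OneDrive file: both contain regulated data, neither ever passes the mail gateway, and only the API-side scan reaches them. The Luhn check matters in practice because a bare regex produces constant false positives on ticket and order numbers.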

Full-featured CASB solution: SonicWall Cloud App Security

When you view cloud email as a SaaS app, it makes sense that a CASB solution should protect data and provide visibility even if that data is in the form of email messages.

That’s why SonicWall Cloud App Security leverages APIs to integrate directly with SaaS platforms, combining data security and email security to provide complete protection for SaaS in a single solution. The CASB solution can be implemented in minutes without the need for any on-premise appliances or software installations.

Cyber Security News & Trends

This week, SonicWall CEO Bill Conner appears on the Chertoff Group podcast, our threat researchers release details on the dramatic rise in PDF-related cyberattacks, and there’s an ongoing legal fight over whether a cyberattack can be considered an act of war.

SonicWall Spotlight

SonicWall Detects, Reports Dramatic Rise in Fraudulent PDF Files in Q1 2019 – SonicWall Press Release

  • SonicWall Capture Labs threat researchers are reporting a substantial increase of fraudulent PDF files. The fraud campaign takes advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

‘Chase & Capture’: The Chertoff Group Hosts SonicWall CEO Bill Conner on Latest Podcast – Podcast

  • SonicWall CEO Bill Conner speaks on the latest Chertoff Group Insights & Intelligence podcast, “Chase & Capture: Inside the Tactical Advances between Cybercriminals and the Security Industry.” He joins host Katie Montgomery to discuss the SonicWall 2019 Cyber Threat Report.

Of Billions and Trillions: Firewalls, Threats and Sonicwall’s Thriving Business – Sify Finance

  • With around one billion malware attacks detected a week, AI and machine learning are just part of how SonicWall is raising the cybersecurity bar. SonicWall’s Bob Vankirk and Debashish Mukherjee are interviewed by Sify Finance.

Old-school cruel: Dodgy PDF email attachments enjoying a renaissance – The Register (UK)

  • The Register investigates the findings of the SonicWall Capture Labs showing a substantial increase of fraudulent PDF files.

The State of Cyber Arms Race: Unmasking the Threats Coming in 2019 – SonicWall Webcast

  • SonicWall’s John Gordineer presents a webinar sharing the findings of the 2019 SonicWall Cyber Threat Report and analyzes what this intelligence tells us about the cyber arms race.

Mar-a-Lago Malware Event: A Study in What NOT to do With Unknown USB Keys – SonicWall Blog

  • Don’t plug it in. Critical advice from SonicWall’s Brook Chelmo on what to do, and what not to do, if you find a USB key lying around your workplace.

Cyber Security News

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. – New York Times

  • Zurich Insurance has refused to pay out on a cyberattack insurance claim by Mondelez, citing a “war exemption.” Mondelez originally made the claim after losing business while infected by NotPetya ransomware but, after the United States government tied the NotPetya attack to the Kremlin, Zurich classified the cyberattack as collateral war damage. Mondelez is pursuing a case against Zurich Insurance in the courts.

Facebook Uploaded Email Contacts of 1.5m Users Without Consent – The Guardian

  • Facebook admitted to “unintentionally” uploading the address books of 1.5 million users without their consent, blaming a legacy verification program. They say they will delete the data and notify those affected.

Data on Thousands of Law Enforcement Personnel Exposed in Breach – Dark Reading

  • Hackers leaked personal information on the FBI, police officers, Secret Service and other federal employees after a breach of three websites associated with the FBI National Academy, a 501(c)(3) organization.

A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months – ZDNet

  • A hacker calling themselves Gnosticplayers has stolen and published almost a billion user records over the past two months. ZDNet investigates the hacker community, finding that some hackers are not only motivated by money but by fame and a desire to be remembered.

In Case You Missed It

New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics

PDF cyberattacks are nothing new. They are, however, growing in volume, deception and sophistication, and are now used as vehicles to modernize phishing campaigns.

SonicWall Capture Labs Threat Researchers announced a substantial increase of malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

In March 2019 alone, SonicWall Real-Time Deep Memory Inspection (RTDMI™) discovered more than 73,000 new PDF-based attacks. In comparison, we found 47,000 new attack variants in PDF files in all of 2018.

“Increasingly, email, Office documents and PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said SonicWall President and CEO Bill Conner in the official announcement. “SonicWall Capture ATP with its RTDMI technology is at the forefront of catching new cyberattacks that elude traditional security sandbox technology.”

Last year, RTDMI identified over 74,000 never-before-seen cyberattacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.

In March, the patent-pending technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.

Since 2017, Capture ATP with RTDMI has discovered increasing volumes of new threats leveraging PDFs and Office files.

Most traditional security controls cannot identify and mitigate malware hidden in PDF file types, greatly increasing the success of the payload. This increase implies a growing, widespread and effective strategy against small- and medium-sized businesses, enterprises and government agencies.

That’s where SonicWall RTDMI is unique. The technology analyzes documents dynamically via proprietary exploit detection technology, along with static inspection, to detect many malicious document categories, including PDFs, Office files, and a wide range of scripts and executables.

PDF malware attacks: A technical autopsy

SonicWall Capture Labs threat researchers dissected the specific paths these fraudulent PDF campaigns use to lead victims to malware.

In one example (see image below), Capture Labs cross-referenced a malicious file, at the time of detection, with popular collaboration tools from VirusTotal and ReversingLabs. No results were found, indicating the effectiveness of the RTDMI engine.

Targets of the scam email campaigns receive malicious documents, purportedly from businesses, that lure victims with PDF files made to look deceptively realistic, with misleading links to fraudulent pages. The proposed “business offer” within the PDF is enticing to recipients, often promising free and profitable opportunities with just the click of a link.

Pictured below, the victim is sent to a fraudulent landing page masquerading as a legitimate money-making offer.

SonicWall hypothesizes that by using PDFs as delivery vehicles within their phishing campaigns, attackers are attempting to circumvent email security spam filters and next-generation firewalls — a core reason RTDMI is finding so many new malicious PDFs.

What does this PDF fraud campaign mean?

PDFs are becoming a very attractive tool for cybercriminals. Whether or not these are new attacks — or we are just developing the ability to detect them with RTDMI — the volume indicates that they are a serious problem for SMBs, enterprises, governments and organizations across a wide range of industries.

What’s the motive?

While SonicWall data doesn’t help us understand motivation, it does show that the amount of malicious, PDF-related activity is on the rise. We believe that this is happening for a variety of reasons, including:

  • Better awareness. Users have learned that executables sent to them are potentially dangerous and could contain viruses, so they are more hesitant to click .exe files, forcing attackers to try new techniques.
  • Deprecation of Flash. Adobe Flash was a key attack vector in the past, but it has been deprecated and will reach end of life in 2020. So, attackers’ ability to use Flash exploits has been greatly reduced, forcing them to change tactics.
  • Must-trust files. Businesses move fast. Users are under constant pressure and don’t have the time, experience or know-how to vet every file type that hits their inbox. As such, users make assumptions that trusted file types (e.g., PDFs, Office files) used daily are, for the most part, safe. So, users are more likely to read and click links within them without considering the source or ramifications.

What is the impact of the PDF fraud campaigns?

This is very difficult to determine. In the 2019 SonicWall Cyber Threat Report, Capture Labs reported that 34% of the new attack variants found by Capture ATP were either PDF or Office files, up from 13% in the second half of 2017. This data implies that this attack vector is growing, is widespread and is an effective strategy.

Who is behind this?

While attribution is difficult, SonicWall believes the latest spike in malicious PDF activity is Russian-based because of the use of many .ru top-level domains leveraged across analyzed campaigns.

How to stop cyberattacks that use PDF and Office files

  • Force attacks to reveal intentions. SonicWall RTDMI operates in parallel with the SonicWall Capture ATP sandbox service to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.
  • Protect the most common attack vectors. Another important layer of defense against malicious PDFs is email security. SonicWall offers cloud-hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Make training a policy. Improve awareness by implementing employee training protocols to ensure users know how to examine PDF and Office file attachments carefully before opening or clicking unknown links.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior, including PDF attacks.

Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change your preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware really wants to do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud-hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior. Capture Client stops threats before they execute, and its EDR capabilities can stop them as they run, show where they came from, and provide remediation steps such as rollback if they execute fully.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory Inspection™ (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”

‘Chase & Capture’: The Chertoff Group Hosts SonicWall CEO Bill Conner on Latest Podcast

You’ve hopefully read the 2019 SonicWall Cyber Threat Report from cover to cover. Now you can hear the insights directly from SonicWall President and CEO Bill Conner.

The Chertoff Group hosted Conner on Insights & Intelligence, the D.C.-based firm’s podcast that encourages dialogue about security, technology and policy.

Conner was joined by Chertoff Group Principal Katie Montgomery as they explored the fast-moving cyber arms race in the newest episode, “Chase & Capture: Inside the Tactical Advances between Cybercriminals and the Security Industry.” The episode provides key context about the cyber intelligence published in the 2019 SonicWall Cyber Threat Report.

“This report is a foundation for seeing what’s happening in the cyber arms race,” said Conner. “We learned how to fight by air, land and sea, but the new digital frontier is where the next threats are.”

During the 25-minute podcast, the pair discussed a number of emerging and critical cybersecurity trends and topics, including the:

  • Ebb and flow of cybercriminal strategy
  • Impact of IoT on cybersecurity
  • Machine learning and artificial intelligence
  • Never-before-seen cyber threats
  • Drop in ransomware volume in the U.K.
  • Growing importance of federal policy
  • Lurking repercussions of processor threats
  • Use of PDF and Office files to circumvent traditional security controls

The Insights & Intelligence podcast is available via Google Play, Spotify, Apple and at www.chertoffgroup.com/podcasts.

About the ‘Insights & Intelligence’ Podcast

Listen to the best and brightest in security share their unique insights and perspectives around the changing nature of risk by downloading episodes of Insights & Intelligence, a Chertoff Group podcast. Hosted by Katy Montgomery, Insights & Intelligence explores the impact of security, technology and policy on today’s risk management decisions and how to create more resilient environments for today’s constantly changing world.

Mar-a-Lago Malware Event: A Study in What NOT to do With Unknown USB Keys

It’s troubling when the world of politics and IT security share headlines.

But on March 30, a Chinese national named Yujing Zhang walked into President Trump’s private resort, Mar-a-Lago, with a suspicious USB key and other electronic gear.

To everyone’s surprise (because you should never do this), a Secret Service member plugged the USB drive into his work computer and saw changes on the screen that strongly suggested malware. Zhang was arrested by the Secret Service. A search of the trespasser’s hotel room turned up nine more USB keys along with other gear.

Hacking 101: The “Lost” USB key

Dropping USB keys in sensitive locations is a valid attack method, and the accused trespasser may just have been trying to do this. This story falls in line with similar attacks on engineers and executives traveling in China.

It has been considered a best practice when in China on business to bring a “burner” laptop that is returned to IT to be reformatted. In many noted cases, unattended laptops in conference or hotel rooms, awaiting their return to the home network, have been infected via USB keys.

When I worked for a well-known company in Mountain View, California, it was common to hear of people throwing USB keys at our lobby doors from the street; some of these I personally found. Every time I go to a retail checkout stand and see an exposed point-of-sale (POS) monitor, I look for exposed USB ports and think of that experience.

In the absence of a publicly released statement from the accused about her intentions for the keys at Mar-a-Lago, IT researchers expect she would have tried to insert them into a network-connected PC or drop them in an employee-only part of the compound to minimize exposure.

According to a study by Google and the universities of Illinois and Michigan, 45% of the people who found the nearly 300 USB keys dropped plugged them into their personal devices, either to “find the owner” or simply out of curiosity.

In another study, 60% of dropped keys found their way into U.S. Government computers. Additionally, eight out of 15 Western Australian government agencies “fell victim” to a similar test. Reasons aside, people insert and inspect these devices at risk to personal devices or corporate networks.

How do you stop USB attacks?

The first step is education. Do something physical to make an impact. Put a garbage can in the lobby with a sign that says, “Place Found USBs Here.” But, please, take a picture and tag me (@BRChelmo) if you do.

The second step is the use of device control capabilities within an endpoint security solution that stops unknown USB keys from connecting to the endpoint.

With SonicWall Capture Client, for example, administrators can create customized policies for known and unknown USB devices. For instance, they could allow all mice and keyboards, but block unknown USB keys while allowing approved or registered ones.
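The policy just described, as an added example (not Capture Client code): a small Python evaluator that allows HID devices such as mice and keyboards, allows IT-issued models and individually registered USB keys, and blocks everything else by default. The vendor/product IDs, serial numbers and plug-in events are constructed; the `Policy`, `UsbDevice` and `evaluate` names are this example's own, not product APIs.

```python
# Added example, not Capture Client's code: a toy device-control policy of the
# kind described above (allow mice and keyboards, allow registered USB keys,
# block unknown ones). Devices, IDs and serials are all constructed.
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # USB keys, external disks
USB_CLASS_VIDEO = 0x0E         # webcams


@dataclass(frozen=True)
class UsbDevice:
    vid: int            # vendor ID (constructed values below)
    pid: int            # product ID
    serial: str         # iSerialNumber string, may be empty
    device_class: int   # simplified to one class per device; real devices
                        # expose a class per interface, which a real agent checks
    product: str


@dataclass(frozen=True)
class Policy:
    allowed_classes: frozenset    # classes allowed for any device
    approved_models: frozenset    # (vid, pid): any unit of this model
    registered_units: frozenset   # (vid, pid, serial): this specific unit only


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "block"
    reason: str


def evaluate(dev: UsbDevice, pol: Policy) -> Decision:
    """Most specific rule wins; anything unmatched is blocked (default deny)."""
    if (dev.vid, dev.pid, dev.serial) in pol.registered_units:
        return Decision("allow", "registered unit")
    if (dev.vid, dev.pid) in pol.approved_models:
        return Decision("allow", "approved model")
    if dev.device_class in pol.allowed_classes:
        return Decision("allow", "allowed device class")
    if dev.device_class == USB_CLASS_MASS_STORAGE:
        return Decision("block", "unknown removable storage")
    return Decision("block", "device class not allowed")


def process_events(devices, pol: Policy) -> list:
    """Evaluate each plug-in event and return audit lines an admin could alert on."""
    lines = []
    for d in devices:
        dec = evaluate(d, pol)
        lines.append(f"{dec.action:5} {d.vid:04x}:{d.pid:04x} {d.serial!r} "
                     f"{d.product} ({dec.reason})")
    return lines


# Constructed policy: HID is allowed for everyone, one encrypted-key model is
# IT-issued, and one specific key has been registered by serial number.
CORP_POLICY = Policy(
    allowed_classes=frozenset({USB_CLASS_HID}),
    approved_models=frozenset({(0x1234, 0x0A01)}),
    registered_units=frozenset({(0x1234, 0x0B02, "SN-7781")}),
)

# Constructed plug-in events, in the order they arrive.
SAMPLE_EVENTS = [
    UsbDevice(0x1234, 0x0001, "KB-001", USB_CLASS_HID, "Keyboard"),
    UsbDevice(0x1234, 0x0002, "MS-002", USB_CLASS_HID, "Mouse"),
    UsbDevice(0x1234, 0x0A01, "SN-0001", USB_CLASS_MASS_STORAGE, "Issued encrypted key"),
    UsbDevice(0x1234, 0x0B02, "SN-7781", USB_CLASS_MASS_STORAGE, "Registered key"),
    UsbDevice(0x1234, 0x0B02, "SN-9999", USB_CLASS_MASS_STORAGE, "Same model, unregistered"),
    UsbDevice(0x5678, 0x0001, "", USB_CLASS_MASS_STORAGE, "Found-in-lobby key"),
    UsbDevice(0x9ABC, 0x0001, "CAM-1", USB_CLASS_VIDEO, "Webcam"),
]

if __name__ == "__main__":
    for line in process_events(SAMPLE_EVENTS, CORP_POLICY):
        print(line)
```

Two caveats worth keeping in mind when writing real rules: a device reports its own class and identifiers, so an allowed "keyboard" class or a matching serial number is not proof of what the hardware actually is, and real devices expose a class per interface rather than one per device. That is why the post pairs device control with behavior-based endpoint protection rather than relying on either alone.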

If you do not have this option, you need to ensure your endpoint solution can stop malware based on behavior, not signatures. The malware found on USB sticks will often not be categorized by your vendor or VirusTotal.

This is why behavior-based anti-malware defense is important. According to the 2019 SonicWall Threat Report, 45 million new forms of malware were identified and blocked. A good part of this number was found via customer submissions to our sandboxing service called Capture ATP, which blocks suspicious code and files until a verdict is found.

In the case of Capture Client, the AI engine is always scouting for malicious behavior. As for the Secret Service member who activated the drive, Capture Client would have stopped it either before or during its execution. If the code on the key had made system changes, the remediation capabilities would have allowed the agency to roll that PC back to its last-known-good state. The administrator would have been notified of the event via an alert so they could quickly take action. This level of control is an absolutely critical layer of a sound security posture.

If you’d like to learn more about stopping advanced attacks that hit the endpoint, please watch this recent webcast, “Can You Stop These Two Endpoint Threat Vectors?”

Cyber Security News & Trends

This week, SonicWall is named one of the 10 coolest IoT security vendors, health care has a huge cybersecurity problem, and LockerGoga is spreading fast.

SonicWall Spotlight

2019 Internet of Things 50: 10 Coolest IoT Security Vendors – CRN

  • CRN names SonicWall as one of the 10 coolest IoT security vendors of 2019.

A Closer Look at LockerGoga, the Ransomware Crippling Industrial Giants – Verdict (UK)

How K–12 Schools Can Use Next-Generation Content Filtering to Keep Students Safe – EdTech Magazine

  • EdTech Magazine looks at the evolving content filtering services available to K–12 schools. With older services no longer supplying adequate security and often over-blocking content, the article recommends modern, granular tools like SonicWall’s Content Filtering Services (CFS), which allows multiple customized policies and categories.

Cyber Security News

Health Care’s Huge Cybersecurity Problem – The Verge

  • With health care increasingly relying on internet-connected devices, many hospitals simply do not have adequate cybersecurity plans in place. The Verge investigates the risks that cyberattacks pose to the healthcare system, including the damage already done by WannaCry and NotPetya.

Yahoo Strikes $117.5 Million Data Breach Settlement After Earlier Accord Rejected – Reuters

  • Yahoo strikes a revised settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. The new settlement includes at least $55 million for victims’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees, and up to $8.5 million for other expenses.

Cybersecurity Testing Exercise for EU Elections – Government Europa

  • The European Parliament has deployed a series of cybersecurity tests in anticipation of the European elections in May aiming to test the efficacy of crisis response protocols and explore new ways of detecting and preventing online cyberattacks.

Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records – CPO Magazine

  • Estimates for the volume of records exposed in the recent Verifications.io data breach have climbed from initial reports of 763 million records to a little over two billion records, setting a new world record.

Norsk Hydro Repairs Systems and Investigates After Ransomware Attack – Wall Street Journal

  • Norwegian aluminum and energy company Norsk Hydro confirmed that a LockerGoga ransomware attack in March crippled the company’s global operations.

Dragonblood Vulnerabilities Disclosed in WiFi WPA3 Standard – ZDNet

  • The security researchers who disclosed the 2017 KRACK attack on the WiFi WPA2 standard have now released details of a group of vulnerabilities in WiFi WPA3, dubbing them “Dragonblood”.

In Case You Missed It

RTDMI Evolving with Machine Learning to Stop ‘Never-Before-Seen’ Cyberattacks

If I asked you, “How many new forms of malware did SonicWall discover last year?” what would be your response?

When I pose this question to audiences around the world, the most common guess is 8,000. People are often shocked when they hear that SonicWall discovered 45 million new malware variants in 2018, as reported in the 2019 SonicWall Cyber Threat Report.

The SonicWall Capture Labs threat research team was established in the mid-’90s to catalog and build defenses against the massive volume of malware it finds each year. Because our threat researchers process more than 100,000 malware samples a day, they have to work smart, not hard. This is why SonicWall Capture Labs developed machine learning technology to discover and identify new malware, and it continues to evolve each day.

How Automation, Machine Learning Stops New Malware

Released to the public in 2016, the SonicWall Capture Advanced Threat Protection (ATP) sandbox service was designed to mitigate the millions of new forms of malware that attempt to circumvent traditional network defenses via evasion tactics. It was built as a multi-engine architecture in order to present malicious code with different environments in which to detonate. In 2018, this technology found nearly 400,000 brand-new forms of malware, much of which came from customer submissions.

In order to reach determinations faster and with better accuracy, the team developed Real-Time Deep Memory Inspection™ (RTDMI), a patent-pending technology that lets malware go straight to memory and extracts the payload within the 100-nanosecond window in which it is exposed. The 2019 SonicWall Cyber Threat Report also mapped how the engine discovered nearly 75,000 ‘never-before-seen’ threats in 2018 alone, despite being released (at no additional cost to Capture ATP customers) only in February 2018.

‘Never-Before-Seen’ Attacks Discovered by RTDMI in 2018

Image source: 2019 SonicWall Cyber Threat Report

Using proprietary machine learning capabilities, RTDMI has become more and more efficient at identifying and mitigating cyberattacks never before seen by anyone in the cybersecurity industry. Since July 2018, the technology’s machine learning capabilities have caught more otherwise-undetectable cyberattacks than in the previous month in every month except one. In January 2019, this figure eclipsed 17,000, and it continues to rise in 2019.

Year of the Processor Vulnerability

Much as Heartbleed and other vulnerabilities in cryptographic libraries opened a new battleground for researchers and attackers in 2014, the numerous processor vulnerabilities announced in 2018 did the same.

Since these (currently theoretical) attacks operate in memory, RTDMI is well positioned to discover and stop them. By feeding information on how a theoretical attack would work to the machine learning engine, RTDMI was able to identify a Spectre attack within 30 days. Shortly thereafter, it was hardened against Meltdown. With each new processor vulnerability disclosed (e.g., Foreshadow, PortSmash), it took RTDMI less and less time to harden against the attack.

Then, in March 2019, while much of the security world was at RSA Conference 2019 in San Francisco, the Spoiler vulnerability was announced. With the maturity built into RTDMI, the engine needed no additional time at all to identify whether the vulnerability was being exploited.

Although we have yet to see these side-channel attacks in the wild, RTDMI is primed for the fight. Even if a new vulnerability is announced tomorrow along with the means to weaponize it, this layer of defense is ready to identify and block side-channel attacks against processor vulnerabilities.

Image source: 2019 SonicWall Cyber Threat Report

Scouting for New Technology

Now, if you are not yet a SonicWall customer and are evaluating solutions to stop unknown and ‘never-before-seen’ attacks (i.e., zero-day threats), ask your prospective vendors how they perform against these types of attacks. Ask how they did on Day 1 of the WannaCry crisis. As for the volume of attacks their solutions are finding, ask for evidence that the solution works in a real-world situation, not just as a proof of concept (POC) in a lab.

If you are a customer, Capture ATP, which includes RTDMI, is available as an add-on purchase within many of our offerings from the firewall, to email, to the wireless access point. You read that correctly: right on the access point.

We believe in the technology so much that we place it in everything to protect your networks and endpoints, such as laptops and IoT devices. This is why large enterprises, school districts, SMBs, retail giants, carrier networks and service providers, and government offices and agencies trust this technology to safeguard their networks, data and users every day.