Defending Against Tomorrow’s APTs

Adapted from SentinelOne

In my previous blog, I discussed the modern state of Advanced Persistent Threat (APT) groups; in this one I will discuss where APT groups are headed.

As we saw this year, the present COVID-19 pandemic has created powerful opportunities for nations to hack and spy on one another. Quite aside from the power of phishing lures related to Coronavirus themes, the race to be first to obtain a vaccine has led to a number of incidents of espionage related to stealing IP from research laboratories. Based on recent evidence, it is likely that we will see further APT campaigns trying to take advantage of the security vulnerabilities brought about by workplace disruption – from office to home and back again – that at present do not seem to have any end in sight, and will certainly extend into 2021 at least.

Aside from pandemic-related matters, 2020 is a year that has seen widespread political, social, economic and climate disruption in the U.S., and to a certain extent in the U.K. and Europe, as well. All these are grist to the mill for cyber threat actors, who will seize on any opportunity to leverage current events to further their campaigns.

Defending the Enterprise in an Era of Cyber Uncertainty

It sounds like a grim picture, but enterprises are far from helpless or alone. Recent U.S. sanctions on Iranian hackers, proposed EU sanctions against Russian hacking, and joint announcements by officials in countries such as the U.S. and U.K. (including a recent statement blaming China, Iran and Russia for attempts to steal COVID-19 vaccine research) signal greater international cooperation that will hopefully help reduce such destructive activity.

There are a number of initiatives to protect the healthcare industry from cyber threats during COVID-19, as well as partnerships between nations, law enforcement agencies and public-private collaboration efforts that are also being developed to improve enterprise cybersecurity against advanced persistent threat actors.

At an organizational level, the time when it was possible to believe your organization may not be “interesting” to advanced attackers is well and truly behind us. Nation-state actors are hoovering up masses of data related to organizations and individuals simply because they can, and because they never know when it might be useful.

These nation-state actors rely heavily on social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images), and infect endpoints in order to obtain access to data and then exfiltrate it.

Given the diverse and increasing number of threats, companies need to ensure that they conduct full risk assessment, develop a security plan that includes incident response and business continuity contingencies, and deploy trusted technological solutions to ease the burden on staff.

How to Defend Against Them

Despite a mostly remote workforce due to shelter-in-place orders, it is still vital to build a layered defense that starts at the network, moves down to the endpoint and then back up to the cloud. This is the part where I issue you a friendly warning that I will talk about SonicWall solutions.

When I talk about preventative measures, I usually start with the perimeter, as traffic is passing into the network. If you’ve listened to my presentations before, you know I like to first talk about known threats and how SonicWall identifies and creates definitions for around 140K new threats each business day. These are pushed to SonicWall devices and services to stop known threats, which accounts for around 99% of the threats seen today. But when it comes to APTs and targeted attacks, these definitions may not help. Although network firewalls and the storied Next-Generation Firewall have been on the market for some time, these workhorses of security still do the lion’s share of protecting networks: first by scrubbing for known threats, and then by using a variety of resources to stop attacks while managing traffic.

This is where additional technology is required to find unknown threats, usually a mix of heuristics on endpoints and sandboxes on the network. At SonicWall, we deploy a technology on nearly every service and product we sell called Capture Advanced Threat Protection (Capture ATP) with Real-Time Deep Memory Inspection (RTDMI). A file is first checked statically against allow and block lists. If it is on neither, it is sent either to a Capture ATP point of presence (PoP) for examination by the cloud-based sandboxing technology, or to your on-premises Capture Security appliance (CSa) for examination. Capture ATP examines files in parallel in multiple sandbox engines to look for malicious behavior and reports back the results. In February 2018, we added RTDMI to Capture ATP at no additional charge. This technology tests files and code in memory to deliver results faster and with more accuracy. Besides our private-industry customers, it is this technology that our state, local and federal government customers rely on for safety, particularly against newly minted ransomware attacks.

With phishing the number-one vector in most compromises, phishing awareness training backed by advanced email security that can recognize known and unknown threats is a priority. How we classify known and unknown threats is described above: it is the work of our Capture Labs team to create static definitions, and the work of Capture ATP to scout for the unknown.

With our work-from-home state of things, endpoint security may be your first and last line of defense. Unless you force your employees to route through the firewall via VPN or a cloud-based SASE solution, such as SonicWall Cloud Edge Secure Access, to access the internet on their devices, odds are you will have to rely on endpoint security to keep them safe. SonicWall Capture Client is a lightweight, advanced heuristics-based endpoint security agent that constantly watches the system (at around 0.1-0.4% system usage) for malicious behavior, with the intent of stopping attacks before they can execute. If something does cause damage, you can easily roll back the endpoint to its last known clean state.

Beyond the ability to block attacks whether or not they have been previously identified, a large recent focus has been adding the ability to catalog all the applications and vulnerabilities on all protected endpoints. APT attackers tend to focus on the latest exploits, since these should give them the largest and softest target to hit. This feature, called Application Vulnerability Intelligence, is vital for our customer base, particularly our enterprise and government customers, to mitigate the effects of a landed attack. Additionally, with its onboard content filtering technology, you can enforce your web content policies on the endpoint away from the perimeter, or at least block access to all known malicious sites.
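The cataloging idea above, as an added Python illustration that is not SonicWall’s Application Vulnerability Intelligence code: a constructed endpoint inventory is joined against a constructed advisory list, and every endpoint running a version older than the advisory’s fix is reported, most severe first. The application names, versions and advisories are all made up for the example. The one detail worth seeing in code is that versions must be compared numerically; a plain string comparison ranks "10.0.1" below "9.2.0" and would silently mark a patched host as vulnerable (or the reverse).

```python
"""Added example (not SonicWall's code): match an endpoint inventory
against vulnerability advisories using numeric version comparison.
All apps, versions and advisories below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    app: str
    fixed_in: str   # first version that is NOT affected
    severity: str
    note: str


# Constructed advisories (hypothetical apps; no real CVEs are implied).
ADVISORIES = [
    Advisory("pdf-reader", "10.0.1", "critical",
             "constructed: code execution via crafted PDF"),
    Advisory("chat-client", "4.12.0", "high",
             "constructed: remote code execution via malicious link"),
]

# Constructed inventory: endpoint -> {app: installed version}.
INVENTORY = {
    "laptop-01": {"pdf-reader": "9.2.0", "chat-client": "4.12.3"},
    "laptop-02": {"pdf-reader": "10.0.1", "chat-client": "4.11.7"},
    "server-03": {"pdf-reader": "10.1.0"},
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """'10.0.1' -> (10, 0, 1); pads short versions so '4.12' == '4.12.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(installed: str, fixed_in: str) -> bool:
    """Affected if the installed version is strictly older than the fix.
    Tuples compare numerically, unlike raw strings."""
    return parse_version(installed) < parse_version(fixed_in)


def exposed_endpoints(inventory=INVENTORY, advisories=ADVISORIES):
    """Return (endpoint, app, installed, severity) for every match,
    ordered by severity and then endpoint name."""
    hits = []
    for host, apps in inventory.items():
        for adv in advisories:
            installed = apps.get(adv.app)
            if installed is not None and is_affected(installed, adv.fixed_in):
                hits.append((host, adv.app, installed, adv.severity))
    return sorted(hits, key=lambda h: (SEVERITY_ORDER.get(h[3], 9), h[0]))


if __name__ == "__main__":
    for host, app, ver, sev in exposed_endpoints():
        print(f"{sev:8} {host:10} {app} {ver}")
```

In a real deployment the inventory comes from the endpoint agent and the advisories from a vulnerability feed; the join and the version logic stay the same, and the sort order is what lets a responder patch the exploit-of-the-week first.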

Beyond the few SonicWall solutions listed here in the fight against APT groups, there are more solutions, from secure wireless to advanced reporting and analytics, that are great tools to discover and mitigate potential issues. For more information on these options, either view our website or contact our sales team, who will work with your existing networking and security technology partner or introduce you to one with the experience to meet your needs.


It wasn’t all that long ago that the very existence of APTs was something shrouded in myth and secrecy, but with public disclosures and leaks of APT toolkits now in the public domain, it seems nation-state actors are not nearly so shy or retiring as they once were. Discussion of APT activity is now part of mainstream cyber discourse, with all sides seemingly content to openly acknowledge that cyber warfare between nations is part of the “new normal” that will be with us for some time to come.

Businesses need to understand that in our interconnected world, there is no such thing as being either “invisible” or “uninteresting” to advanced cyber attackers. Know it or not, like it or not, if you’re online storing and processing data, and engaged in any kind of commercial relationships, there’s an APT cyber threat actor out there interested in you, your data, your product, your clients and/or your providers.

While that might sound scary, fortunately APTs and their tactics, techniques and procedures are also no longer shrouded in mystery. APTs are just another threat actor we all have to deal with. We are not alone in this fight, and we are not defenseless, so long as we first recognize the threat and then take appropriate measures.

I invite you to continue reading one of SonicWall’s many solution briefs on a variety of subjects. Let me leave you with a few options that might direct you to something more specialized.

Black Friday Preview: As Holiday Shopping Thrives Online, Will Cybercriminals Move In?

Despite this year’s deluge of emails and commercials already proclaiming, “BLACK FRIDAY IS HERE!” there are still several days until the official start of the holiday shopping season.

The realities of 2020 have seen the traditional doorbuster-type frenzy give way to a more diffuse set of bargains throughout the month (and even as early as October). But in the U.S., the period between Thanksgiving evening and 11:59 p.m. the following Monday is still expected to reign supreme, as shoppers rush to get the year’s best prices on electronics, home goods and appliances.

This year’s holiday shopping season comes amid perhaps the biggest wave of financial uncertainty to hit the U.S. since the recession of the late aughts. Combined with the ongoing COVID-19 pandemic and an unpredictable political climate, it’s little surprise that this year’s holiday shopping revenue is expected to fall short of the $184 billion spent this time last year.

Even so, according to NerdWallet, 201 million Americans, or roughly 8 out of 10, are expected to take part in the holiday shopping season of 2020 and will generate a still very robust $167 billion in sales.

But they won’t be standing in line at the mall to do so. While the shift toward online shopping goes back to at least 2005, when the term “Cyber Monday” was coined by the National Retail Federation, this year will almost certainly accelerate this trend, as people are choosing to avoid crowds for safety, are quarantining or are prohibited by law from doing things like massing in front of retail stores.

According to Digital Commerce 360, during the first 10 days of November, customers already spent $21.7 billion online, a 21% year-over-year increase — and the period from Thanksgiving through Cyber Monday is expected to generate 35-40% more online shopping than last year. Roughly 66% of shoppers say they’ll make more purchases online in 2020, with over 95% of people expected to buy half or more of their gifts online.

But while this might be good to help control the spread of the pandemic, it’s also good for cybercriminals. For the past few years, SonicWall Capture Labs threat researchers have recorded a higher than usual number of attacks taking place over the holiday shopping period. For example, in 2019, between Nov. 25 and Dec. 2, there were 129.3 million malware attacks (a 63% increase over 2018). In the U.S. specifically, both malware (130%) and ransomware attacks (69%) were up compared to 2018.

What will this year hold? While 2020 continues to defy predictability, there’s already trouble on the horizon. The last quarter for which we have data, Q3 2020, showed some disturbing trends: In September, malware had its biggest rally of the year, increasing by 59 million over August. Worse, the 20% YoY increase in ransomware we saw at the end of Q2 had widened to a 40% increase by the end of Q3, having been on a steady rise since June.

While it might be tempting to think this level of cybercrime would suggest we’re nearing some sort of ceiling and won’t see the sorts of increases over Black Friday weekend that we’ve seen in the past, everything we know about cybercriminals in 2020 refutes that. The cybercriminals we’ve seen at work during the pandemic have been as opportunistic and crafty as any we’ve seen before. And they’ve shown no qualms about targeting those they perceive as vulnerable, whether it’s hospitals, local governments or individual remote workers.

Unfortunately, this means holiday shoppers, more bargain-hungry than ever and doing most or all of their shopping online, could prove tempting quarry indeed — particularly since many people will be using the same devices and networks to shop that they use to connect to their employers’ corporate networks.

Of course, we hope that cybercriminals instead decide to cut us a rare break in a trying year and just watch some football. But no matter what happens, SonicWall’s threat researchers will be watching.

Cybersecurity Alphabet Soup: SDP, ZTNA and SASE

The technology industry is a breeding ground for creating TLAs (Three-Letter Acronyms) and FLAs (Four-Letter Acronyms). So inviting a few more TLAs and FLAs to the party is just business as usual.

In recent years we’ve added SDP and ZTNA, and in 2020 a new term, SASE, has continued picking up momentum.

If you aren’t sure what all these terms mean, here’s a quick refresher:

Software-Defined Perimeter (SDP)

Software-Defined Perimeter (SDP), also called a “Black Cloud,” is an approach to computer security. It evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007.


If you don’t care for technical jargon, just think of SDP as an architecture that separates the control plane from the data plane while connecting users to the network. This separation helps to achieve access control, asset isolation, high availability and scale.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is another security architecture in which only traffic from authenticated users, devices and applications is granted access to other users, devices and applications.


Do these sound similar to you?

If so, it’s because they do have a lot in common — but since they were initiated by different organizations, they have different terminologies. There are some subtle differences as well. For example, when John Kindervag from Forrester first talked about Zero Trust in the year 2010, he talked about “Zero Trust Network Architecture.” The zero-trust principle, “never trust, always verify,” was envisioned as a way to address the broken traditional trust model.

Today’s ZTNA, Zero Trust Network Access, is a way to achieve Zero Trust for access — in other words, you would still need to inspect the traffic to achieve complete Zero Trust.

SDP, on the other hand, provides a much more prescriptive architecture (see below) that separates the control plane and the data plane.

Source: Cloud Security Alliance

Once this separation is in place, it’s easier to control access to the network based on various parameters such as user, device, time of the day, location, etc. The SDP architecture also mandates granting least-privileged access defined by the granular policies.

So, if you think about ZTNA carefully, you will realize that it actually uses the concept of SDP.
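The control-plane/data-plane split and the per-request policy checks described above, as an added Python sketch that is neither SonicWall’s nor the Cloud Security Alliance’s code: a controller (control plane) evaluates user, device posture, time of day and location against a least-privilege policy table and, only on success, mints a short-lived grant bound to a single destination; a gateway (data plane) holds no policy at all and simply verifies the grant’s signature, expiry and destination before forwarding the flow. The users, destinations, policy rules and key are constructed for the example. The grant is HMAC-signed for brevity, which means the gateway shares the controller’s secret; a production design would use an asymmetric signature so gateways hold only a verification key.

```python
"""Added example (not SonicWall's or the CSA's code): a toy SDP/ZTNA
controller and gateway. Policy lives only in the control plane; the
data plane verifies grants. All keys, users and rules are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret. HMAC is used for brevity; a real deployment signs
# grants with a private key and gives gateways only the public key.
CONTROLLER_KEY = b"constructed-demo-key-rotate-in-production"
GRANT_TTL = 300  # seconds a grant stays valid

# Least-privilege policy (constructed): (user, destination) -> constraints.
# Anything not listed is denied by default.
POLICY = {
    ("alice", "hr-db:5432"): {"device_managed": True, "hours": (8, 18), "countries": {"US"}},
    ("bob", "wiki:443"): {"device_managed": False, "hours": (0, 24), "countries": {"US", "GB"}},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def evaluate(user, dest, device_managed, country, hour):
    """Control plane: return a denial reason, or None if access is allowed."""
    rule = POLICY.get((user, dest))
    if rule is None:
        return "no policy for user/destination (default deny)"
    if rule["device_managed"] and not device_managed:
        return "unmanaged device"
    start, end = rule["hours"]
    if not start <= hour < end:
        return "outside allowed hours"
    if country not in rule["countries"]:
        return "location not allowed"
    return None


def issue_grant(user, dest, device_managed, country, hour, now=None):
    """Control plane: evaluate policy, then mint a signed single-destination
    grant. Returns (token, None) on success or (None, reason) on denial."""
    reason = evaluate(user, dest, device_managed, country, hour)
    if reason:
        return None, reason
    now = time.time() if now is None else now
    claims = {"sub": user, "dst": dest, "exp": now + GRANT_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig, None


def gateway_verify(token, dest, now=None) -> bool:
    """Data plane: admit the flow only if the grant is authentic, unexpired
    and issued for exactly this destination. No policy is consulted here."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False  # forged or tampered grant
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    return claims["dst"] == dest and claims["exp"] > now


if __name__ == "__main__":
    token, why = issue_grant("alice", "hr-db:5432", True, "US", hour=10)
    print("grant issued" if token else f"denied: {why}")
    print("gateway admits hr-db:", gateway_verify(token, "hr-db:5432"))
    print("gateway admits wiki :", gateway_verify(token, "wiki:443"))
```

Two properties fall out of the split: the gateway can be scaled or replaced without touching policy, and a stolen grant is useless against any destination other than the one it names, and only for a few minutes.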

Secure Access Service Edge (SASE)

The term SASE was introduced by Gartner in August 2019, in its “The Future of the Network Security is in the Cloud” research report.


As defined by Gartner analysts, SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA) with WAN capabilities (e.g., SD-WAN) to support the dynamic security needs of organizations.

Source: The Future of the Network Security Is in the Cloud

These capabilities are delivered primarily as a service (aaS) and based upon the identity of the entity, real-time context and security/compliance policies.

Does that term SASE feel like an umbrella term, then? If so, that’s because IMO it is.

Today, the biggest challenge for all cybersecurity vendors (SonicWall included) is to demonstrate that they have SDP, ZTNA and SASE solutions so that their customers don’t feel like they are missing out on innovative new trends.

As a result, we have following types of vendors, which originated in different cybersecurity domains, all trying to pitch their solutions as SDP, ZTNA and SASE.

  1. Cloud-delivered cybersecurity vendors – Recent additions to the ecosystem
  2. IdP vendors – Identity Providers
  3. SD-WAN vendors – Software-defined networking players
  4. New vendors – New companies that get added to the ecosystem (as purists) with every new wave of acronyms
  5. Traditional cybersecurity vendors – Birthright indisputable, right?

So, does SonicWall provide SDP, ZTNA or SASE solution(s)?

Hell yes! What kind of question is that?

To learn more about SonicWall’s ZTNA solution, check out our newly launched Cloud Edge Secure Access. You can be up and running in just a few minutes!

Cybersecurity News & Trends

This week hackers targeted hardware and software, with attacks on WordPress sites, printers, CPUs and the popular game “Among Us” making headlines.

SonicWall in the News

SonicWall Stresses Zero Trust, Zero Touch in 2020 — ChannelPro Network

  • A look at SonicWall’s business strategy in 2020, particularly SonicWall’s Cloud Edge solution, its Boundless 2020 virtual event, and commentary from Bill Conner and Dmitriy Ayrapetov.

Best Firewalls For Small Businesses — Business Pundit

  • Business Pundit has recognized SonicWall’s TZ firewall as the “Best Overall Firewall.”

SonicWall Refreshes Low Ends of TZ and NSa Firewall Portfolios and Unveils Zero Trust SonicWall Cloud Edge Secure Access — ChannelBuzz

  • SonicWall adds Cloud Edge Secure Access solution and new TZ and NSa firewalls to its lineup.

Firewalls And ZTNA Solution Protect Working Environments — LANline

  • LANline offers a closer look at SonicWall’s new NSa firewalls and ZTNA solution news.

SonicWall Expands Cybersecurity with New TCO Firewalls — APN News

  • SonicWall announced the expansion of its Capture Cloud Platform with the addition of the high-performance NSa 2700 firewall, three new cost-effective TZ firewall options and the debut of its SASE offering.

Industry News

The 10 Coolest Cybersecurity Startups Of 2020 — CRN

  • Perimeter 81, who teamed up with SonicWall to create the Cloud Edge Secure Access solution, made CRN’s list of Coolest Cybersecurity Startups of 2020.

Cybersecurity Industry in Detroit Is Growing and Mentors Are Starting With Young People — Detroit Free Press

  • In an article on how Detroit’s cybersecurity industry is growing, Bill Conner offers cybersecurity tips for remote work.

Egregor ransomware bombards victims’ printers with ransom notes — Threatpost

  • The Egregor ransomware uses a novel approach to get a victim’s attention after an attack: it shoots ransom notes from all available printers.

Bitcoin hits nearly three-year peak, homes in on record — Reuters

  • Bitcoin has soared to its highest level since December 2017 as the asset’s perceived quality as a hedge against inflation lured institutional and retail demand.

Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation — Cyberscoop

  • President Donald Trump on Tuesday said he had fired Chris Krebs, a widely respected Department of Homeland Security official who helped protect the 2020 election from hacking and disinformation, the latest in a series of purges.

Forget Imposters. Among Us Is a Playground for Hackers — Wired

  • James Sebree, a researcher for security firm Tenable, on Tuesday published a blog post laying out a slew of relatively simple, hackable vulnerabilities in Among Us.

Hackers are actively probing millions of WordPress sites — Bleeping Computer

  • Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

Ransomware Operator Promotes Distributed Storage for Stolen Data — Dark Reading

  • The criminals behind the DarkSide ransomware-as-a-service operation say the system will be harder to take down.

Hackers can use just-fixed Intel bugs to install malicious firmware on PCs — Ars Technica

  • Vulnerabilities allowed hackers with physical access to override a protection Intel built into modern CPUs that prevents unauthorized firmware from running during the boot process. Known as Boot Guard, the measure is designed to anchor a chain of trust directly into the silicon to ensure that all firmware that loads is digitally signed by the computer manufacturer.

In Case You Missed It

Making Sense of Today’s APT Groups

Adapted from SentinelOne

In recent months, there has been a marked uptick in nation-state cyber activity. Recently, we’ve learned that Chinese hackers stole information from Spanish centers working on COVID-19 vaccines. The U.S. Justice Department has indicted five Chinese nationals and two Malaysians who targeted over 100 companies, organizations and individuals in 14 countries. Three Iranian nationals have been indicted on charges of hacking U.S. aerospace and satellite companies, and APT39 has been spying on Iranian dissidents. Two additional Iranian hackers were also indicted for defacing multiple websites with pro-Iranian propaganda.

This surge in nation-state hacking activity is not a blip but a discernible trend. Attacks attributed to nation-state backed Advanced Persistent Threat (APT) groups have increased not only in terms of volume but also in scope and sophistication. The problem has been exacerbated because of COVID-19 and its impact on the global economy and international relations.

Concerns about APT groups used to be a niche topic discussed primarily by government security experts and the cybersecurity industry, but now it has reached mainstream awareness, as can be seen by statements from U.S., U.K. and other Western government officials. Most recently, Australian Defense Minister Linda Reynolds made a public statement expressing concerns that malicious cyberattacks against Australian businesses and government agencies from a state-based actor, believed to be China, had increased over the past two months.

In my personal experience with Russian ransomware authors, attacks on German, English and American private, corporate and government targets from the former Soviet Union have and will continue to be a consistent threat. Additionally, the biannual SonicWall Cyber Threat Report always shows clear evidence of these findings, since it gathers real threat data from over 1.1 million sensors located in over 215 countries and territories. What would be interesting to know is if these APT groups also fund themselves with ransomware to supplement their budgets from their government. We’ve seen this with North Korea, but the picture is unclear with Russian, Iranian and Chinese APT groups.

Making Sense of a Chaotic World

Reading all these headlines can be confusing. Who is attacking who, why and how? Let’s try to break down the different nation-state activities in cyberspace.

Sabotage – The virtual can break out into the physical when nations use cyber means to cause damage to computer systems or physical systems of other nations. Attacks on critical infrastructure have increased sharply in the last two years. Among them, a tit-for-tat between Israel and Iran: an Iranian attack on Israel’s water infrastructure led to Israeli retaliation against the port of Shahid Rajaee, a reminder — should anyone have forgotten Stuxnet — that nations are not averse to launching cyberattacks with destructive force on those they perceive as enemies.

Classic Espionage – Good old-fashioned spying is a much more common activity than sabotage. Nations have been spying on each other since forever, but today much of the old ‘spy-craft’ activities are conducted in cyberspace. Data theft is easier, cheaper and relatively risk-free when you’re behind a keyboard hacking into a server in a different country and protected by the laws and security services of your own government.

Global Political Influence – Nations have long used psyops to gain an advantage over other countries, but cyberspace has given them the means to do so on a scale that was never dreamt of before. Nations can interfere with political processes in other countries with little regard and great reward. For example, nation-state actors meddling in the Scottish independence referendum, U.K. Brexit referendum, and the U.S. 2016 and 2020 elections are well-documented.

Regional Politics – Nations also want to exert strength in cyberspace to resolve (or escalate) regional conflicts. Chinese cyberattacks on Indian entities followed a skirmish between the two nations in the mountainous border region of Ladakh that resulted in dozens of casualties. Ukrainian security services reported in 2019 that Russian-backed Gamaredon APT had repeatedly targeted Ukrainian military and law enforcement agencies and individuals. Gamaredon reportedly launched at least 482 cyberattacks against Ukrainian critical infrastructure targets in a Russian-backed campaign to pursue a proxy war in cyberspace without incurring the political fallout of an actual, boots-on-the-ground military campaign.

Industrial Espionage – Unlike “classic” espionage, this activity is specifically aimed at closing the economic gap between nations by stealing intellectual property, then using it to either copy and reproduce technology or gain other unfair commercial advantages. China has been widely accused of engaging in spying on Western businesses, government agencies and technology companies for just this purpose. For example, desiring to build its own stealth jet, the Asian superpower is believed to have stolen the proven design of the U.S. F-35 to shorten development and “time to market.” It’s been estimated that theft of American trade secrets by China costs the U.S. somewhere in the region of $300 billion to $600 billion every year.

Crime – Some nations are under extreme financial burden, made worse by international sanctions, so they resort to cybercrime to fill their coffers. North Korea is notorious for utilizing cybercrime for such purposes, and recently launched yet another campaign aimed at stealing money from U.S. banks and ATMs. Other APT Lazarus campaigns have focused on stealing cryptocurrencies and impersonating cryptocurrency exchanges. Unlike many other APTs, Lazarus writes malware that targets macOS users, too, as Apple’s platform is increasingly used by C-suite executives and others wary of the plethora of Windows malware.

The future

Stay tuned for part two of this blog, where I discuss the future of APT groups and how we defend against them, then and now. For more information on the use of endpoint security in the defense of advanced threats, read our solution brief Fitting Endpoint Security to Your Organization.

Storms Ahead: The Dark Side of the Rush to the Cloud

Despite being constantly referred to as “the new normal,” the changes wrought by the COVID-19 pandemic are usually expressed in terms of endings. The end of the office. The end of the shopping mall. The end of the all-you-can-eat buffet. But there are some cases in which the pandemic has actually brought about growth—for example, the home office. Toilet paper. And the cloud.

Cloud adoption plans were already well underway by the time the COVID-19 pandemic began. But while most companies already had a digital transformation strategy in place, in many cases the new work reality wrought by the pandemic resulted in these plans being accelerated. For example, when businesses were forced to adopt remote work practically overnight, they drastically increased their dependence on cloud-based services, particularly videoconferencing and collaboration apps such as Zoom, Microsoft Teams and Slack.

During the first quarter of 2020, software company Flexera asked 750 global cloud decision makers and users about their cloud usage to get a better picture of who was moving to the cloud, how quickly they were moving, and some of the challenges they were facing. The resulting data shows a digital transformation landscape approaching maturity and largely delivering on its promises to improve the ways work gets done. But while problems stemming from unfamiliarity and inexperience are decreasing, more perennial problems have begun taking their place — particularly the complexity of securing the cloud, and the many and varied dangers businesses can face if they fail to do so.

IDG’s 2020 Cloud Computing Study found that 92% of organizations say their IT environment is at least somewhat in the cloud, with 38% saying they’re completely or nearly all in the cloud today. This finding was borne out by Flexera’s conclusions. In their 2020 State of the Cloud report [1], Flexera reported that businesses in almost all industries leverage cloud computing, with more than half reporting they use cloud heavily and have reached the advanced cloud maturity level. Only 10% of respondents reported still being in the planning stage of their respective cloud strategies.

Notably, for the first time in the history of their State of the Cloud report, Flexera found that none of the respondents said they lacked cloud plans.

Just as significant is the speed at which companies are moving to the cloud. The IDG study found that 60% of respondents said they expected to be completely or nearly all in the cloud in 18 months, while Flexera’s respondents reported 53% of their workloads are run in a public cloud — a number they expected to rise to 60% over the next year.

Half of the Flexera study respondents’ data is housed in a public cloud, and that share is forecast to rise 8% during the same period.

While previous Flexera studies have found some respondents were reluctant to put sensitive consumer or corporate financial data in the cloud, more than half of the organizations surveyed this year said they’ll consider moving at least some of this type of data to the cloud.

Similar cloud research conducted by global research and advisory firm Gartner offers a look at the financial implications of digital transformation. Gartner’s data shows that the global public cloud market is expected to grow from $227.8 billion to $266.4 billion year over year, the largest portion of which will be allocated to SaaS offerings.

While findings from Flexera’s 2019 State of the Cloud report showed “managing cloud spend” and “governance” as the top cloud challenges, the most recent study showed that security had moved into the top spot for both SMBs and enterprises. 81% of respondents reported security as a challenge, including 83% of enterprises. In fact, “security” appeared in the top 3 concerns in every maturity category, from beginner to advanced.

Clearly, cloud maturity doesn’t solve all cloud challenges — particularly when attackers are getting more and more inventive when it comes to attacks on the cloud. But there is a lot you can do to safeguard your cloud usage and get the most out of your cloud investment. To learn more, register for the upcoming Mindhunter webinar.

[1] © 2020 Flexera. All rights reserved. This work by Flexera is licensed under a Creative Commons Attribution 4.0 International License.

Cybersecurity News & Trends

This week, SonicWall expanded its Capture Cloud Platform with four new firewalls and a new Zero-Trust security solution.

SonicWall in the News

SonicWall Expands Boundless Cybersecurity With New High-Performance, Low-TCO Firewalls; Company Debuts Cloud-Native ZTNA Solution to Secure Work-From-Anywhere Environments — Company Press Release

  • SonicWall today announced the expansion of its Capture Cloud Platform with the addition of the high-performance NSa 2700 firewall, three new TZ firewall options, and SonicWall Cloud Edge Secure Access, which delivers easy-to-deploy, easy-to-use zero-trust security.

SonicWall Capture Advanced Threat Protection Collects ICSA Labs Certification — Company Press Release

  • For the third consecutive quarter, cloud-based Capture Advanced Threat Protection (ATP) sandbox service has been vigorously tested in the detection of today’s most evasive threats and awarded the coveted ICSA Labs Advanced Threat Defense certification.

The 2020 Tech Innovators Awards — CRN

  • SonicWall was recognized as the winner of the networking category for its TZ570 and TZ670 series (slide 22) and was a finalist in the security network category for its Network Security Services Platform 15700 (slide 37).

Cybersecurity Industry in Detroit Is Growing and Mentors Are Starting With Young People — Detroit Free Press

  • In an article on how Detroit’s cybersecurity industry is growing, Bill Conner offers cybersecurity tips for more secure remote work.

Four New SonicWall Firewalls Announced — Storage Review

  • Storage Review covers SonicWall’s latest launch, focusing on Cloud Edge Secure Access and four all-new firewalls.

SonicWall Research: Ransomware, IoT Malware Attacks On The Rise — MSSP Alert

  • In a feature article on SonicWall’s Q3 Threat Data, MSSP Alert spotlights the surge in ransomware and IoT malware.

Industry News

Campari Site Suffers Ransomware Hangover — ThreatPost

  • Italian spirits brand Campari has restored its company website following a recent ransomware attack.

Ragnar Locker Ransomware Gang Takes Out Facebook Ads in Key New Tactic — ThreatPost

  • Following the Nov. 3 ransomware attack against Campari, Ragnar Locker group took out public Facebook ads threatening to release stolen data.

Pressure grows to reinstall White House cyber czar — The Hill

  • Pressure to reinstate a cyber czar within the White House is growing, with bipartisan allies lining up on Capitol Hill to push such a proposal.

Zoom settles charges with FTC over deceptive security practices — Cyberscoop

  • The FTC has reached a deal with Zoom to settle allegations that the communications technology company misrepresented its security and privacy protections.

How to Avoid Paying Ransomware Ransoms — Data Center Knowledge

  • As private experts and government officials advise against indulging the bad guys, here are some tips for following that advice.

Treasury Asks if External Cyber Acts Qualify for Terrorism Risk Insurance Program — Nextgov

  • A request for comment reflects recommendations made by the Cyberspace Solarium Commission.

Major ransomware strain jumps from Windows to Linux — SC Magazine

  • A recently discovered file-encrypting Trojan, built in the Executable and Linkable Format (ELF), encrypts data on machines running Linux-based operating systems.

Hospital network hit by cyber attack restoring services — The Washington Times

  • Computer experts at the University of Vermont Medical Center are working to restore systems disabled in a cyberattack that has affected the hospital’s ability to provide some cancer treatments.

Vietnamese hacking group OceanLotus uses imitation news sites to spread malware — Cyberscoop

  • Suspected Vietnamese government-linked hackers are behind a series of fake news websites and Facebook pages meant to target victims with malicious software.

Microsoft Exchange Attack Exposes New xHunt Backdoors — ThreatPost

  • An attack on the Microsoft Exchange server of an organization in Kuwait revealed two never-before-seen PowerShell backdoors.

U.S. seizes over $1 billion in bitcoin tied to ‘Silk Road’ — Reuters

  • The U.S. Justice Department announced it had seized over $1 billion worth of bitcoin associated with the underground online marketplace Silk Road.

Ransomware Attacks Surge 40% Globally In Q3: Report — Express Computer

  • While overall malware volume declined for the third consecutive quarter, ransomware attacks globally surged 40% to reach 199.7 million hits in the third quarter of this year.

In Case You Missed It

New SonicWall Products Drive Innovation; Offer Greater Flexibility, Performance and Low TCO

With the ever-evolving security needs of our customers and partners, SonicWall is committed to staying ahead of the curve, leveraging the latest technologies to bring you solutions that keep you safer, more agile and more productive no matter where or how work gets done.

Our mission to help customers know the unknown, gain unified visibility and control, and leverage disruptive economics to do more with less is what drove Boundless Cybersecurity earlier this year.

As the next step in our commitment to Boundless Cybersecurity, we’re introducing a new series of products designed to help meet your unique cybersecurity and business needs — all while giving you more choice and budget flexibility.

Multi-gigabit threat performance for mid-sized networks: SonicWall NSa 2700

Earlier this year, we released new NSsp 15700, TZ670 and TZ570 firewalls built around our new SonicOS 7.0 architecture. Now, we’re bringing this same game-changing OS to small- to medium-sized businesses (SMB) and mid-sized networks.

The new SonicWall NSa 2700 firewall offers industry-leading performance and the highest port density in its class, with TLS 1.3 support that stops cyberattacks and eliminates bottlenecks.

For enterprises that have grown beyond the capacity of the TZ series, the NSa 2700 offers enterprise-grade security without the need for an enterprise-scale appliance — or the price tag that goes with it. The NSa 2700 mid-range firewall offers a full high-availability (HA) solution without traditional HA prices and delivers 3Gbps threat inspection throughput at a fraction of the price of the second-best next-generation firewall in its class.

To learn more about SonicWall NSa 2700, click here.

Cost-effective SD-Branch solutions: SonicWall TZ270, TZ370 and TZ470

Cybercriminals have shifted from focusing on large enterprises to targeting any organization they think they can gain access to — meaning you can no longer rely on size to protect you.

Designed for SMBs including distributed enterprises with SD-Branch locations, SonicWall’s Generation 7 TZ models combine industry-validated security effectiveness with best-in-class price performance.

These new TZ firewall appliances offer all the user-friendliness and critical management capabilities of SonicOS 7.0. And despite their smaller size (and price tag), the new TZ appliances allow you to connect and secure up to 1 million connections (35,000 concurrent connections on SSL/TLS with DPI-SSL enabled).

Like their larger counterparts, the new TZ firewalls pack a lot of power, with 2.5 gigabit interfaces on the TZ470 and gigabit interfaces on the TZ370 and TZ270. All are available in wired and wireless models with 802.11ac Wave2, supporting integrated SD-WAN and offering expandable storage of up to 256 GB, Zero-Touch Deployment, and single-pane-of-glass management using our recently launched Network Security Manager.

TZ firewalls are also 5G- and LTE-ready, with a convenient USB 3.0 port for 5G connectivity; several LTE and 5G modules from various ISPs have been qualified.

To learn more about SonicWall’s full range of new TZ firewalls, click here.

Zero-trust security that’s easy to deploy and use: SonicWall Cloud Edge Secure Access

The adoption of remote work, tighter collaborations with partners and BYOD have redefined perimeter security — and in today’s boundless enterprise, enforcing security policies has never been more challenging.

While VPN is a smart choice for specific deployment scenarios, it introduces its own set of challenges. While securing the perimeter is crucial, it’s no longer enough: To truly protect your network, cybersecurity must go wherever work gets done, and extend to wherever your assets reside.

With Cloud Edge Secure Access, SonicWall delivers easy-to-deploy, easy-to-use zero-trust security for site-to-site and hybrid cloud connectivity. This robust, cloud-native Secure Access Service Edge (SASE) offering can be configured by IT admins in as little as 15 minutes, and self-installed by end users in just 5 minutes.

Built around a Least-Privilege Access philosophy, SonicWall Cloud Edge Secure Access lets you limit access to only those who need it. With the power to control and protect network access to both managed and unmanaged devices based on identity, location and device parameters, you can now protect sensitive areas of your network and secure your resources without sacrificing productivity or flexibility.

And if you’re worried about DDoS, SlowLoris or SYN Flood, don’t be. Because it’s supported by over 30 global points of presence and built on Software-Defined Perimeter (SDP) core architecture, SonicWall Cloud Edge Secure Access is impervious to common cyberattacks.

SonicWall Cloud Edge Secure Access also proactively monitors the environment and automatically activates a secure access connection when a user joins a public Wi-Fi hotspot, so remote work over unsecured Wi-Fi is protected without user intervention.

To learn more about SonicWall Cloud Edge Secure Access, click here.

Increased visibility and simplified multitenant management: Capture Client 3.5

Designed for MSSPs/MSPs, as well as enterprise customers that manage multiple tenants, Capture Client 3.5 endpoint protection offers simplified management of multiple tenants, translating to lower operational costs and faster response times.

With Capture Client 3.5, you can create and deploy new tenants through the adoption of baseline policies, while also offering customers the flexibility to build and deploy custom policies for specific tenants.

By offering a quick snapshot of the health of all tenants, Capture Client 3.5 provides administrators the ability to see infections and vulnerabilities instantly. The solution also offers more granular views, displaying which version of Capture Client is installed on each endpoint, which devices are online, what web content categories or domains get the most blocks, and which users cause the most alerts.

To learn more about SonicWall Capture Client 3.5, click here.

The ultimate firewall management tool, on-prem or SaaS: Network Security Manager (NSM) 2.1

With SonicWall NSM 2.1, we’re making centralized firewall management even better, bringing greater control and ease to your security operations center (SOC).

NSM 2.1 adds several new enterprise management capabilities, along with several options for NSM on-premises deployment. By leveraging a unified code base, firewall management is simplified regardless of whether you choose a SaaS or on-prem deployment.

This release also features Role-Based Access Controls (RBAC) for granular access based on device or user, Golden Templates to convert device configurations to your principal set, and Approval Workflow to help you roll out sanctioned security policies with a controlled and auditable process.

With the added security of two-factor authentication (2FA) and the continuous monitoring of the Intelligent Platform Monitoring (IPM) system, NSM 2.1 does more than ever to ensure your network is protected and running optimally.

To learn more about SonicWall NSM 2.1, click here.

While SonicWall is excited to introduce these new products, we’d also like to thank our partners, who provided the valuable input that drove our innovations. Everything we do and everything we dream of at SonicWall is for our partners and customers, and we’re proud to offer you even more products and solutions to drive your business.

SonicWall TZ270/370/470: Accelerating Digital Transformation for SMBs & Secure SD-Branches

Small businesses and distributed branch offices want to embrace the latest technological developments as much as larger businesses do. But while organizations are working hard to adopt and take advantage of digital transformation, there are several challenges specific to SMBs and branches.

For one, traditional small businesses or branches cannot keep up with today’s continuously evolving cyberattacks. These threats are increasingly targeted and strategized to maximize return on investment, exploiting the ever-increasing attack surface and new attack vectors to become stealthier and more dangerous.

Secondly, the surge of mobile and IoT devices connecting to the network has led to network performance degradation and unpredictable application performance.

Finally, the traditional branch and WAN market is undergoing a massive disruption with the adoption of cloud applications. SD-WAN technology has been a major catalyst in providing the required cloud application performance at significantly lower costs. But adopting multiple point products for security and SD-WAN poses interoperability, deployment, management and visibility challenges that add to the overall cost and time spent to roll out solutions across branches.

An integrated approach is critical for a smooth digital transformation. While there are many products that claim to feature capabilities supporting digital transformation, few offer a complete feature set with high performance at a low total cost of ownership.

Introducing TZ270, TZ370 and TZ470 – integrated SD-Branch platforms with industry-leading performance

In August, we expanded our TZ series with the addition of the TZ570 and TZ670, designed for modern branches. Today, we’re excited to add even more new products to the TZ line of secure SD-Branch appliances. The SonicWall TZ270, TZ370 and TZ470 (and their wireless counterparts, the TZ270W, TZ370W and TZ470W) feature state-of-the-art hardware specially designed to handle the requirements of small businesses and modern software-defined branches.

The groundbreaking performance capabilities of the new TZ series appliances allow automated real-time breach detection and prevention, as well as TLS/SSL decryption and inspection, all over multi-gigabit wired and 802.11ac Wave 2 wireless networks. TZ470 is the first desktop form-factor firewall in its class to include multi-gigabit interfaces. In addition to high port density, high-speed processors and robust onboard memory, the new TZ Series appliances include expandable storage of up to 256GB, perfect for small businesses and secure SD-Branches.

Specifications at a glance:

  • Up to 2.5Gbps of threat prevention performance
  • 10GbE interfaces
  • 802.11ac Wave 2 wireless
  • Expandable storage up to 256GB
  • USB 3.0 super speed ports for 5G/LTE USB modems

The new TZ appliances are powered by SonicOS 7.0. Launched in August, this completely reimagined operating system provides multiple new features, including support for the new TLS 1.3 encryption standard. More details about the new SonicOS 7.0 can be found here.

Integrated approach for digital transformation

So how do the new TZ270, TZ370 and TZ470 help businesses with digital transformation?

We know that threats are continually evolving. More than simply a replacement for its predecessor, the new TZ series lineup delivers award-winning security solutions, backed by third-party certifications and reviews, that meet the need for high-speed threat prevention. Advanced threats such as unknown and zero-day attacks concealed in encrypted web traffic are thwarted using Capture, SonicWall’s cloud-based, multi-engine sandboxing service with patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technology.

With built-in SD-WAN provided at no additional cost, the new TZ series can effectively replace expensive WAN connection technologies and standalone SD-WAN appliances, using QoS features to maintain application performance for critical cloud applications. Additionally, the use of multi-gigabit interfaces in conjunction with SonicWall Switches and SonicWave access points ensures networks can keep up with the high bandwidth demands arising from the growing number of mobile devices.

SonicWall Network Security Manager (NSM) offers a centralized management and analytics platform in both cloud and on-prem form factors. Small businesses with limited IT staff and limited cybersecurity skills can take advantage of the Zero-Touch Deployment and unified policy enforcement offered by NSM to save both time and money on deployment. Consolidated security across edge, access and endpoint networks — using TZ series firewalls, SonicWall Switches, SonicWave access points and the Capture Client endpoint agent, all managed through a single pane of glass — amplifies cross-product visibility and control. This end-to-end security stack provides a strong, unified security posture that eases management and offers peace of mind, all at a lower TCO than similar solutions currently on the market.

Test-drive the technology

Test drive the new TZ Series-based solution on SonicWall live demo:

To learn more about the new TZ Series, watch the launch video or visit

New SonicWall NSa 2700: High Performance and Consolidated Security at Lower TCO

2020 has brought exponential growth in network traffic, including a 25% to 35% spike in March alone. As the demands on network firewalls continue to increase, many have struggled to keep up without becoming a bottleneck. Meanwhile, cybercriminals are becoming increasingly successful at breaching perimeter defenses using advanced techniques like encrypted threats and embedded malware.

To address this changing cybersecurity landscape, some companies have deployed multiple security point products. According to CSO Online, enterprises have an average of 75 products deployed to secure their network and cloud infrastructure. But these disparate point products pose challenges of their own, including management complexity and lack of interoperability — which in turn have led to an explosion in overall operating costs.

Today’s enterprises need a next-generation firewall that can accommodate the continuing increase in network traffic, while at the same time consolidating security controls to stop evasive threats.

Introducing SonicWall NSa 2700: A Gen 7 NGFW for Medium and Distributed Enterprises

The SonicWall Network Security Appliance (NSa) 2700 is a next-generation firewall (NGFW) that delivers industry-leading performance at the lowest total cost of ownership in its class. NSa 2700 protects mid-size networks with comprehensive integrated security services like malware analysis, encrypted traffic inspection, cloud application security and reputation services. It also supports centralized management with a truly intuitive single user interface, significantly improving operational efficiency.

SonicWall NSa 2700 includes advanced networking features such as HA/clustering, SD-WAN, dynamic routing, and virtual routing and forwarding. It combines validated security effectiveness and best-in-class price performance in a single rack unit appliance with high port density. In short, medium enterprises can now get the performance, networking and security capabilities they need from their next-generation firewalls without breaking the bank.

NSa 2700 Next Generation Firewall Highlights

Appliance at a glance

NSa 2700 is an energy-efficient, reliable appliance in a compact 1U chassis. Powered by the next-generation SonicOS 7.0 operating system, it is capable of processing millions of connections while delivering multi-gigabit threat prevention throughput. The following are a few high-level features that make NSa 2700 an attractive option for medium and distributed enterprises:

  • 16 x 1 GbE interfaces
  • 3 x 10 GbE interfaces
  • 3 Gbps of threat prevention performance
  • 6 Gbps of application inspection performance
  • 5 million stateful and 500,000 DPI connections
  • 21,500 connections per second
  • Dedicated management port

Powered by the new SonicOS 7.0

The SonicWall NSa 2700 runs on SonicOS 7.0, a new operating system built from the ground up to deliver a modern user interface, intuitive workflows and user-first design principles. SonicOS 7.0 provides multiple features designed to facilitate enterprise-level workflows, easy configuration, and simplified and flexible management — all of which allow enterprises to improve both their security and operational efficiency.

SonicOS 7.0 features:

More details about the new SonicOS 7.0 can be found here.

NSa 2700 Deployment Options

SonicWall NSa 2700 has two main deployment options for medium and distributed enterprises:

Internet Edge Deployment

In this standard deployment option, SonicWall NSa 2700 protects private networks from malicious traffic coming from the Internet, allowing you to:

  • Deploy a proven NGFW solution with highest performance and port density (including 10 GbE connectivity) in its class
  • Gain visibility and inspect encrypted traffic, including TLS 1.3, to block evasive threats coming from the Internet — all without compromising performance
  • Protect your enterprise with integrated security, including malware analysis, cloud app security, URL filtering and reputation services

Medium and Distributed Enterprise Deployment

The SonicWall NSa 2700 supports SD-WAN and can be centrally managed, making it an ideal fit for medium and distributed enterprises. By leveraging the NSa’s high port density, which includes 10 GbE connectivity, enterprises can support distributed branches and wide area networks. This deployment allows organizations to:

  • Provide direct secure Internet access to distributed branch offices instead of back-hauling through corporate headquarters
  • Allow distributed branch offices to securely access internal resources in corporate headquarters or in a public cloud, significantly improving application latency
  • Reduce complexity and improve operations by using a central management system, which is accessed through an intuitive, single-pane-of-glass user interface

Overall Solution Value

The new NSa 2700 offers enterprises a best-in-class next-generation firewall with high speed and port density, all at a lower total cost of ownership. With integrated security services like malware analysis, URL filtering and cloud application security, NSa 2700 offers enterprises superb protection from advanced threats.

To learn more about the new NSa 2700, watch the video or click here.