Office Documents are Still Not Safe for Cybersecurity

/0 Comments/in /by

Emotet is back. Word, Excel and other Office 365 files are still a critical cyberthreat vector. How do we stop it?

Although it was almost a week late, Tom finally received the pricing proposal from Tetome Supply.

He was excited to begin reviewing it. However, he knew from the quarterly cybersecurity courses that he should be cautious. So he carefully studied the email address and name of the sender and made sure that the attachment was a Word document and not a .exe file. He was further reassured by the email’s text, in which the sender thanked him for being patient and inquired about his new puppy.

Tom was sipping his morning coffee as he scanned the headlines from the day on his smartphone. A message appeared on the monitor informing Tom that the .doc had been created in iOS and that he must enable editing and content. Finally, he could see the contents of his document, but it also set off a chain reaction.

As far as Tom knew, the document only contained the pricing information. Nothing indicated that Emotet was downloaded from a compromised website by a Powershell command. Or that Trickbot had been used to backup Emotet.

It was too late. When Tom opened his laptop a few days later, a note informed him that all his files were encrypted and that the hackers would not unlock them until Tom paid $150,000 in bitcoin. The note was signed by Ryuk.

No time for a sigh of relief.

For the first half of 2019, malicious PDFs showed an edge over malicious Office 365 files, outpacing them 36,488 to 25,461. Then in 2020, the number of PDFs dipped 8% over the same period in 2019 while the number of malicious Microsoft Office files skyrocketed to 70,184 — a 176% increase.

Wired Magazine once labeled Emotet the most dangerous malware in the entire world. So no surprise that back in January 2021, law enforcement from every major country launched a massive effort to disrupt Emotet’s infrastructure found embedded in servers and computers in more than 90 countries. The effort resulted in the arrest of criminals and confiscation of equipment, cash, and even rows of gold bars accumulated by the gangs.

Indeed, utilization of Microsoft Office files in attacks fell. According to the 2022 SonicWall Cyber Threat Report, PDFs returned as the preferred attack vector with a 52% increase in malicious utilization and malicious Microsoft Office files decreased by 64%. This trend was a marked reversal and yet, there was no time for even a sigh of relief.

A graph showing the rise of never-seen-before malware variants.

Emotet attacks are back.

According to recent reports by Bleeping ComputerThreatpost and the Sans Technology Institute, within 10 months since the high-profile January 2021 takedown, Emotet is back with a vengeance. Threat actors are actively distributing infected Microsoft Office documents, ZIP archives and other files laden with Emotet code.

While it is still too early to see a data trend, anecdotally we see significant changes such as encryption of malware assets and new strategy that includes targeted phishing attacks that include reply-chain emails, shipping notices, tax documents, accounting reports or even holiday party invites.

In less than 10 months, previous eradication efforts were erased and now we’re back to square one.

How to protect from malicious Office 365 files.

Even with serious threats on the fly, there are several simple things you can do to protect yourself and others on your network. You can start by changing your Office 365 settings to disable scripts and macros and keeping your endpoints and operating system up to date with the latest patches for Windows.

You can set a business policy not to transfer documents and other files via email. You can also keep up with Microsoft’s regular distribution of patches and updates. We all get busy, but when we let our updates lapse, we’re literally allowing attacks targeting these vulnerabilities to succeed.

We can also take stronger steps to strengthen our resistance to attack. 2021 was another banner year for SonicWall’s patented Real-Time Deep Memory Inspection™ (RTDMI) technology which detected 442,151 total never-before-seen malware variants in 2021, a 65% increase over 2020’s count and an average of 1,211 per day.

A graph showing new malicious file type detections in 2021.

Capture ATP, 100% Captures, and 0% False Positives.

The best part about RTDMI is that it is integrated with SonicWall’s Capture Advanced Threat Protection (ATP). And in quarterly third-party testing by ICSA Labs, RTDMI identified 100% malicious threats without posting a single false positive for five quarters in a row.

Capture ATP with RTDMI leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to recognize and mitigate never-before-seen cyberattacks, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption — attacks that traditional sandboxes will likely miss.

This is particularly important in cases such as Tom’s, as Trickbot and Emotet both use encryption to hide their misdeeds. Emotet can also determine whether it’s running inside a virtual machine (VM) and will remain dormant if it detects a sandbox environment.

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy

/0 Comments/in /by

(Our previous supply-chain updates can be found here and here.)

If you’ve ever been to a small-town mechanic, chances are you’ve seen the sign: “We offer three types of service here — Good, Fast and Cheap. Pick any two!”

In cybersecurity, this can be framed as “Affordability, Availability and Efficacy,” but the idea is the same — when making your choice, something’s got to give.

The effects of this mentality are sending ripples across the cybersecurity industry. At the 2022 RSA Conference, Joe Hubback of cyber risk management firm ISTARI explained that based on his survey, a full 90% of CISOs, CIOs, government organizations and more reported they aren’t getting the efficacy promised by vendors.

Several reasons for this were discussed, but most came back to this idea of compromise —buyers want products now, and they’re facing budget constraints. So, they often believe the vendors’ claims (which tend to be exaggerated). With little actual evidence or confirmation for these claims available, and little time to evaluate these solutions for themselves, customers are left disappointed.

To make the buying process more transparent and objective, Hubback says, vendor solutions should be evaluated in terms of Capability, Practicality, Quality and Provenance. While his presentation didn’t reference the Affordability-Availability-Efficacy trifecta directly, these ideas are interconnected — and regardless of whether you use either metric or both, SonicWall comes out ahead.

Availability: Supply-Chain Constraints and Lack of Inventory

Order and install times have always been a consideration. But the current climate has led to a paradox in modern cybersecurity: With cyberattack surfaces widening and cybercrime rising, you really ought to have upgraded yesterday. But in many cases, the components you need won’t be in stock for several months.

While many customers are being locked into high-dollar contracts and then being forced to wait for inventory, this isn’t true for SonicWall customers: Our supply chain is fully operational and ready to safeguard your organization.

SonicWall is currently fulfilling 95% of orders within three days.

Procurement Planning & Forecasting

“We’re hearing more often than not that our competitors don’t have the product on the shelf, but we’ve been managing this for over two years,” SonicWall Executive Vice President of Operations Yew-Joo Hoe said.

In autumn of 2020, as lead times began to creep up, SonicWall’s operations department immediately began altering internal processes, changing the way it works with suppliers and ships goods, and even re-engineering some products to deliver the same performance with more readily available components.

So now, even amid remarkable growth — 2021 saw a 33% increase in new customer growth, along with a 45% rise in new customer sales — SonicWall is currently fulfilling 95% of orders within three days.

But even as we’ve zeroed in on supply-chain continuity, our dedication to the Provenance of our supply chain has been unwavering. We aim to secure, connect and mobilize organizations operating within approved or authorized regions, territories and countries by ensuring the integrity of our supply chain from start to finish.

SonicWall products are also compliant with the Trade Agreements Act in the U.S., and our practices help ensure SonicWall products aren’t compromised by third parties during the manufacturing process.

Affordability: The Two Facets of TCO

SonicWall’s goal is to deliver industry-leading TCO. But this is more than a marketing message for us — we put it to the test.

SonicWall recently commissioned the Tolly Group to evaluate the SonicWall NSsp 13700, the NSsp 15700, the NSa 2700 and more against equivalent competitor products. Each time, the SonicWall product was named the better value, saving customers thousands, tens of thousands and even hundreds of thousands while delivering superior threat protection.

But we also recognize that the measure of a product’s affordability extends beyond the number on an order sheet, to how much labor that solution requires. Hubback summarized the idea of Practicality as “Is this actually something I can use in my company without needing some kind of Top Gun pilot to fly it and make it work?” With cybersecurity professionals getting harder to find, and their experience becoming more expensive every day, the ideas of Practicality and Affordability have never been so intertwined.

Fortunately, SonicWall has long recognized this association, and we’ve built our products to reduce both the amount of human intervention and the required skill level needed to run our solutions.

Innovations such as Zero-Touch Deployment, cloud-based management, single-pane-of-glass interfaces, simplified policy creation and management, and one-click rollback in the event of a breach have brought increased simplicity to our portfolio without sacrificing performance or flexibility.

Efficacy: How It’s Built and How It Performs

Hubback’s final two criteria, Quality and Capability, describe how well a solution is built, and how well it can do what it promises. Taken together, these form the core of what we think of as Efficacy.

While Quality is the most enigmatic of Hubback’s criteria, it can be reasonably ascertained based on a handful of factors, such as longevity, customer satisfaction and growth.

With over 30 years of experience, SonicWall is a veteran cybersecurity leader trusted by SMBs, enterprises and government agencies around the globe. In the crowded cybersecurity market, this sort of longevity isn’t possible without quality offerings — and our quantity of repeat purchasers and scores of customer case studies attest to the high standards we maintain for every solution we build.

In contrast, Capability can be very easy to judge — if a vendor chooses to put its products to the test. Independent, third-party evaluation is the gold standard for determining whether products live up to their promises. And based on this metric, SonicWall comes out on top.

To provide customers objective information about its performance, SonicWall Capture ATP with RTDMI has been evaluated by third-party testing firm ICSA Labs, an independent division of Verizon. For the past seven consecutive quarters, the solution has found 100% of the threats while issuing only a single false positive. SonicWall has now earned more perfect scores — and more back-to-back perfect scores — than any other active vendor.

Today, thousands of organizations will shop for new or upgraded cybersecurity solutions. While they may differ in size, industry, use case and more, at the end of the day, they’re all looking for basically the same thing: A reliable solution that performs as advertised, at a price that fits within their budget, that can be up and running as soon as possible.

There will always be those who tell you that you can’t have everything; that the center of this Venn diagram will always be empty. But at SonicWall, we refuse to compromise — and we think you should, too.

BEC Attacks: Can You Stop the Imposters in Your Inbox?

/0 Comments/in /by

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of which has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

Image describing BEC Importance

80%

Organizations indicating that protecting against BEC attacks in 2023 is of high importance

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.

62%

Organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. They often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim to take a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry?

/0 Comments/in /by

On May 12, 2017, attackers identified a vulnerability in a Windows device somewhere in Europe — and in the process, set off an attack that would ultimately impact roughly 200,000 victims and over 300,000 endpoints across 150 countries. The devastation wrought by WannaCry caused financial losses of roughly $4 billion before the strain was halted by an unlikely hero just hours later. But perhaps most devastating of all was that it was completely preventable.

To help raise awareness about ransomware strains like WannaCry and the steps needed to combat them, INTERPOL in 2020 teamed up with cybersecurity firm Kaspersky to declare May 12 Anti-Ransomware Day. By taking a few important steps, organizations can help stop the next major ransomware attack, averting the potential for downtime, reputational damage, fines and more.

“Cybercrime and cybersecurity may seem like a complex issue that is difficult to understand unless you are an expert in the field — this is not the case. INTERPOL’s campaign aims to demystify these cyberthreats and offer simple, concrete steps which everybody can take to protect themselves,” INTERPOL’s Director of Cybercrime Craig Jones said.

What’s Changed Since WannaCry?

In the years since the infamous attack, ransomware has continued to grow. In 2021, SonicWall Capture Labs threat researchers recorded 623.3 million ransomware attempts on customers globally. This represents an increase of 105% from 2020’s total and a staggering 232% since 2019.

And while ransomware was a hot topic worldwide due to attacks such as WannaCry and NotPetya, which would begin its own savage trek across the globe just six weeks later, ransomware volume in 2017 was less than a third of what it was in 2021.

Weakened, but Still Wreaking Havoc

While variants such as Ryuk, SamSam and Cerber made up 62% of the ransomware attacks recorded by SonicWall in 2021, WannaCry lives on — and in surprising numbers. By now, five years on, the number of vulnerable Windows systems should be virtually zero. A patch for the EternalBlue vulnerability exploited by WannaCry was released two months prior to the attack, and Microsoft later took the unusual step of also releasing patches for Windows systems that were old and no longer supported.

But in 2020, SonicWall observed 233,000 instances of WannaCry, and in 2021, 100,000 hits were observed — indicating that there are still vulnerable Windows systems in the wild that need to be patched.

We Can Worry … Or Get to Work

What made WannaCry so successful was that many organizations at the time took a set-it-and-forget-it approach to IT, leaving vulnerable hundreds of thousands of endpoints that could otherwise have been patched prior to the attack. But while patching is a crucial part of any cybersecurity strategy, it can’t work alone — there are still a number of other steps organizations need to take to bolster their odds against the next big ransomware attack.

  • Update: Whenever possible, enable automatic updates on applications and devices on your network — both for operating systems and for any other apps in your ecosystem.
  • Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
  • Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
  • Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
  • Safeguard: By taking the above steps, most attacks can be prevented, but not all. They’re called “best practices” and not “universal practices” for a reason: If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.

“In the past two years, we have seen how cybercriminals have become bolder in using ransomware. Organizations targeted by such attacks are not limited to corporations and governmental organizations — ransomware operators are ready to hit essentially any business regardless of size,” Jones said. “To fight them, we need to educate ourselves on how they work and fight them as one. Anti-Ransomware Day is a good opportunity to highlight this need and remind the public of how important it is to adopt effective security practices.”

Enjoy the Speed and Safety of TLS 1.3 Support

/0 Comments/in /by

The best products tend to stick around for a while. In the first two years that the Ford Mustang was manufactured, 1965 and 1966, roughly 1.3 million cars rolled off assembly lines in Dearborn, Mich.; Metuchen, N.J.; and Milpitas, Calif. Of those, a remarkable 350,000 are still on the road today — and with proper care, still getting from Point A to Point B just as well as they did during the Johnson Administration.

But aesthetics aside, does that make them a good choice for a daily driver today? In a crash test with any modern vehicle (or a race with any of today’s Mustangs), the first-generation Mustang would be completely overwhelmed. Safety features we take for granted, such as airbags, lane-keep assist, blind spot detection and anti-lock brakes, are absent. These cars might do fine for the occasional Sunday spin around town. But would you put your family in one?

When a product forms the boundary between something precious and grave disaster, you want that product to be as safe as possible. This also holds true for another Milpitas innovation: SonicWall firewalls. To know whether your current choice is still the right choice, it helps to look at what innovations have occurred since then, and whether they were incremental improvements or giant leaps forward. In the case of TLS 1.3 encryption support, it’s unquestionably the latter.

TLS 1.3 is the latest version of transport layer security, which offers reliable encryption for digital communications over the internet. And as with the Mustang before it, modern innovations have led to sizeable leaps in two areas: safety and performance.

TLS 1.3: Safety First

Since the original SSL technology was introduced in 1994, each new version has worked to solve the problems of the previous versions while also maintaining compatibility with those versions. But, unfortunately, maintaining backward compatibility meant leaving in many unnecessary or vulnerable ciphers.

These legacy ciphers made the encryption susceptible to attack, offering attackers a vector through which to circumvent newer security advances in favor of older and weaker protection. A few of the ciphers that persisted up through TLS 1.2 were so weak that they allow an attacker to decrypt the data’s contents without having the key.

TLS 1.3 represents a fundamental shift in this philosophy. Due to a sharp increase in attacks, such as Lucky13, BEAST, POODLE, Logjam and FREAK, which depend on such vulnerabilities for transmission, the Internet Engineering Task Force (IETF) opted to remove these ciphers altogether — and the resulting TLS 1.3 is vastly more secure because of it.

It’s also more private. In previous versions, including 1.2, digital signatures weren’t used to ensure a handshake’s integrity — they only protected the part of the handshake after the cipher-suite negotiation, allowing attackers to manipulate the negotiation and access the entire conversation.

In TLS 1.3, the entire handshake is encrypted, and only the sender and the recipient can decrypt the traffic. This not only makes it virtually impossible for outsiders to eavesdrop on client/server communications and much harder for attackers to launch man-in-the-middle attacks, it also protects existing communications even if future communications are compromised.

TLS 1.3: Safety Fast

With TLS 1.3, the handshake process isn’t just more secure — it’s faster, too. The four-step handshake required with TLS 1.2 necessitated two round-trip exchanges between systems, introducing latency and taking up bandwidth and power.

These slowdowns especially affected the growing class of Internet of Things (IoT) devices, which have trouble handling connections requiring lots of bandwidth or power, but also tend to need encryption most due to weak onboard security.

However, with just a single key exchange and significantly fewer supported ciphers, TLS 1.3 uses considerably less bandwidth. And because it requires just one round trip to complete the handshake, it’s significantly faster. TLS 1.3’s zero round trip time (0-RTT) feature is even quicker: On subsequent visits, it offers a latency time equal to that of unencrypted HTTP.

Is Your Firewall Up to the Task?

Experts estimate that 80-90% of all network traffic today is encrypted. But many legacy firewalls lack the capability or processing power to detect, inspect and mitigate cyberattacks sent via HTTPs traffic at all, let alone using TLS 1.3 — making this a highly successful avenue for hackers to deploy and execute malware.

According to the 2022 SonicWall Cyber Threat Report, from 2020 to 2021, malware sent over HTTPS rose a staggering 167%. All told, SonicWall recorded 10.1 million encrypted attacks in 2021 — almost as many as in 2018, 2019 and 2020 combined.

With an average of 7% of customers seeing an encrypted attack in a given month, the odds your organization will be targeted by an attack this year are enormous. But if your firewall cannot inspect encrypted traffic — and increasingly, if it cannot inspect TLS 1.3 — you’ll never know it until it’s too late.

SonicWall Supports TLS 1.3 Encryption

SonicWall Gen 7 firewalls bring a lot to the table: They combine higher port density and greater threat throughput with comprehensive malware analysis, unmatched simplicity and industry-leading performance. But among the biggest game-changers in Gen 7 (and its predecessors capable of running SonicOS Gen 6.5) is its support for TLS 1.3 encryption.

SonicWall NGFWs with SonicOS Gen 6.5 and later offer full TLS inspection, decrypting data, checking it for potential threats, and then re-encrypting it for secure transmission — all while ensuring you retain optimal performance and comprehensive visibility.

After all, as in the case of the classic Mustang, there’s no blind spot detection for firewalls that can’t handle today’s encrypted traffic — and these legacy solutions are easily outclassed when going head-to-head. Don’t let yesterday’s firewalls leave unprotected gaps in your network: Upgrade to SonicWall Gen 7 today.

 

Understanding the MITRE ATT&CK Framework and Evaluations – Part 2

/0 Comments/in /by

(Note: In Part 1, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check it out here if you haven’t already.)

With attacks rising almost across the board, ensuring your security posture is up to date has never been more critical. But as a CISO, navigating through various cybersecurity vendors’ positions can be a real challenge. How can you know that you’re actually getting what you’re paying for? Here are a few critical pointers:

  • Be wary of excessive misses, delays and config changes: Vendors that have lots of delays are getting credit for detections using means typically outside of the tool’s normal workflow — which means your people will have to do the same thing. Vendors with lots of config changes felt the need to modify their detection capabilities in the middle of the test. Try to understand whether these changes are understandable or if the test was being gamed.
  • Be wary of high Telemetry numbers and low Techniques numbers: Vendors that trumpet their big Telemetry numbers without many Techniques have a tool that does not automate the correlation of events. This means your people will have to do it manually or that there may be significant delays and inaccuracy in connecting the dots. Delays here lead to delays in response, and that leads to more risk.
  • Be wary of vendors that invent their own scoring systems: We’ve seen many vendors obfuscating poor results with statistics and numbers that make them look good but are complete nonsense. Stats like “Context per alert” and “100% Detection” (when a closer look shows there clearly were missed detections) are silly. Read the fine print.

Capture Client and the MITRE ATT&CK Framework

SonicWall’s Capture Client is powered by SentinelOne, which delivers best-in-class autonomous endpoint protection with next-gen antivirus, EDR (endpoint detection and response), and Deep Visibility. SentinelOne has been a participant in the MITRE ATT&CK Evaluations since 2018 and was a top performer in the 2022 Evaluations (emulating Wizard Spider and Sandworm threat groups). Here is a quick summary of how SentinelOne leads in protection against the attacks better than any other vendor.

  1. Autonomous Protection Instantly Stops and Remediates Attacks
    Security teams demand technology that matches the rapid pace at which adversaries operate. MITRE Protection determines the vendor’s ability to rapidly analyze detections and execute automated remediation to protect systems.
    Delivered 100% Protection: (9 of 9 MITRE ATT&CK tests)
    Source: www.sentinelone.com
  2. The Most Useful Detections are Analytic Detections
    Analytic detections are contextual detections that are built from a broader data set and are a combination of technique plus tactic detections.
    Delivered 100% Detection: (19 of 19 attack steps)
    Delivered 99% – Highest Analytic Coverage: (108 of 109 detections)
    Source: www.sentinelone.com
  3. Detection Delays Undermine Cybersecurity Effectiveness
    Time plays a critical factor whether you’re detecting or neutralizing an attack. Organizations that want to reduce exposure need to have real-time detections and automated remediation as part of their security program.
    Delivered 100% Real-time (0 Delays)

    Source: www.sentinelone.com
  4. Visibility Ensures That No Threats Go Undetected
    Visibility is the building block of EDR and is a core metric across MITRE Engenuity results. In order to understand what’s going on in the enterprise as well as accurately threat hunt, cybersecurity technology needs to create a visibility aperture. The data needs to be accurate and provide an end-to-end view of what happened, where it happened, and who did the happening regardless of device connectivity or type.

Conclusion

The MITRE Engenuity ATT&CK Evaluations continue to push the security industry forward, bringing much-needed visibility and independent testing to the EDR space. As a security leader or practitioner, it’s important to move beyond just the numbers game to look holistically at which vendors can provide high visibility and high-quality detections while reducing the burden on your security team. CISOs will find these product-centric tenets to be compatible with the spirit of MITRE Engenuity’s objectives:

  1. EDR Visibility and Coverage Are Table Stakes: The foundation of a superior EDR solution lies in its ability to consume and correlate data economically and at scale by harnessing the power of the cloud. Every piece of pertinent data should be captured — with few to no misses — to provide breadth of visibility for the SecOps team. Data, specifically capturing all events, is the building block of EDR and should be considered table stakes and a key MITRE Engenuity metric.
  2. Machine-Built Context and Correlation Is Indispensable: Correlation is the process of building relationships among atomic data points. Preferably, correlation is performed by machines and at machine speed, so an analyst doesn’t have to waste precious time manually stitching data together. Furthermore, this correlation should be accessible in its original context for long periods of time in case it’s needed.
  3. Console Alert Consolidation Is Critical: “More signal, less noise” is a challenge for the SOC and modern IR teams who face information overload. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, ensure that the solution automatically groups data points into consolidated alerts. Ideally, a solution can correlate related activity into unified alerts to provide campaign-level insight. This reduces manual effort, helps with alert fatigue and significantly lowers the skillset barrier of responding to alerts. All of this leads to better outcomes for the SOC in the form of shorter containment times and an overall reduction in response times.

For a first-hand look at how Capture Client delivers best-in-class protection and detection, click here for a free trial.

How SonicWall’s Supply-Chain Strategies Are Slicing Wait Times

/0 Comments/in /by

Cybersecurity customers in 2022 occupy an increasingly uneasy middle ground. On one side are elected officials, news writers and security professionals all urgently warning that attack surfaces are widening, cybercrime is rising, and you really ought to have upgraded your security posture yesterday. And on the other side are equally urgent warnings from cybersecurity vendors that the components you need to do exactly that … won’t be in stock for several months.

With reports of wait times already stretching into 2023, how can you ensure your organization is prepared to face today’s cyberattacks?

“If you want a firewall next year, call them. If you want one next week, call us.”

The outlook for SonicWall customers, however, is quite different. Products are in stock when they’re needed, and time from order to receipt is a small fraction of what’s being estimated with other vendors.

Currently, SonicWall is fulfilling 95% of orders within 3 days.

Before the pandemic, this sort of lead time was admirable; today, it’s nearly unheard-of. Even more remarkable, SonicWall has achieved this track record during a period of record sales. The introduction of SonicWall’s Gen 7 product line, along with exceptional third-party testing results and industry accolades, has fueled a 33% increase in new customer growth and a 45% increase in new customer sales.

To understand why this is such an accomplishment, it helps to understand why today’s supply-chain environment has ensured such lead times are the exception rather than the rule.

The Ongoing Struggles of the Supply Chain

The COVID-19 pandemic is often discussed as having a “ripple effect,” like a rock being dropped in the water. But when it comes to the effects on manufacturing and shipping, it’s more like an earthquake, with unpredictable aftershocks unleashing chaos in greater magnitude than the original event.

Material shortages, cost increases and shipping challenges have been felt across the board, and roughly 94% of the Fortune 1000 have seen pandemic-related supply-chain disruptions

In a world where few things are manufactured in the same place they’re ultimately purchased, shipping is among the most crucial links in the supply chain. There is currently a 12-plus-week door-to-door ocean freight delivery extension — and those delays are continuing to grow as consumer spending increases and congestion worsens.

The Port of Los Angeles last year saw more containers than any year in its history, surpassing the previous high-water mark by 13%. While numbers aren’t yet in for March 2022, January and February 2022 have both set new records, suggesting that this year may be even busier.

This volume has created unprecedented strain: During the past few months, The New York Times reports that container ships have been stuck at ports for a week on average, up 4% compared with all of 2021 and an increase of 21% over the start of the pandemic.

The outlook isn’t much better once containers move inland: reports of trains backed up for dozens of miles aren’t uncommon, and trucking companies are facing a worker shortage nearly 80,000 strong.

And while all industries have been shaken up, security vendors and other tech companies have been especially vulnerable to the worldwide shortage of computer chips, with many companies simply unable to supply products to meet their customers’ security needs.

SonicWall’s Secret Weapon: Preparation

But if everyone is experiencing these problems, what are people doing about it? Not much, as it turns out. When consulting firm Alix Partners surveyed 3,000 CEOs in early 2022, fewer than half reported that they were taking longer-term action to ameliorate supply-chain challenges, while a majority said they were instead relying on short-term solutions.

SonicWall has been able to succeed in this climate because it bucked this trend — and it did so early on. The company’s current goal is that any product ordered be “on the shelf” and ready to ship. This has required SonicWall to change many of its internal processes, as well as how the company works with suppliers and ships goods — a process that began long ago.

More than 18 months ago, SonicWall’s operations department began noticing an increase in lead times. The shift was subtle at first, starting with a few decommits from suppliers that were missing their targets by a week or two. Suppliers weren’t yet officially announcing that lead times were going up, but these delays were enough to propel the company’s supply-chain management team into action.

At that time, the company planned roughly six to nine months out. To accommodate increasing delays, the outlook was increased to about 12 months, and since then it’s been extended up to 16 months for some products. These projections have helped ensure that if one part of the supply chain slows down or breaks, partners and customers are impacted as little as possible.

At the same time, SonicWall began working with its suppliers to identify at-risk components, and quickly set about redesigning products (without impacting performance or capabilities) to take advantage of readily available supplies. Using available components not only eases manufacturing, it also eliminates the possibility that a delay at the factory could create timing issues that could plague the process from start to finish.

SonicWall has also embraced flexibility when it comes to shipping. Because the time from when products are picked up from a supplier’s warehouse until the time they arrive at a SonicWall warehouse has increased from four weeks to eight to 12 weeks, supply-chain managers are constantly on the lookout for which ports are likely to be the least congested two to three months from now. And when it becomes difficult to find storage containers or book freight on time, products are also shipped by air when necessary.

While many of SonicWall’s competitors are struggling to fill orders, these steps have ensured that SonicWall has a strong inventory of products on hand and is able to provide customers with the solutions they need, when they need them. If your current security vendor can’t deliver, reach out to a SonicWall expert — you could be up and running by this time next week.

World Backup Day: Because Real Life Can Have Save Points Too

/0 Comments/in , /by

You’ve been playing for hours. You’ve faced two tough enemies in a row, and all signs indicate you’re about to take your remaining 12 hit points straight into a boss fight.

Up ahead a glowing stone beckons like a glimmering oasis.

“Would you like to save your progress?” a popup asks as you approach.

Um. YES!

But as obvious a choice as that seems, when the same opportunity presents itself in real life, a shocking number of people don’t take advantage of it.

What Do You Have to Lose?

The digital revolution has brought about unprecedented efficiency and convenience, ridding us of the need for bulky filing cabinets, media storage, photo albums, rolodexes and more. But every time we outsource the storage of our data to the cloud, we become a little more reliant on digital devices that are anything but infallible.

According to WorldBackupDay.com, more than 60 million computers worldwide will fail this year, and more than 200,000 smartphones—113 every minute—will be lost or stolen. But while the devices themselves are replaceable, their contents often aren’t. Imagine what could be at stake: All the photos you’ve taken of your children over the past two years. Every message you ever sent your spouse, all the way back to the very beginning. The last voicemail you ever got from your grandmother. All could disappear in an instant, even when associated with cloud accounts, as experienced below.

But the loss isn’t always just sentimental. Sometimes it’s professional too, as journalist Matt Honan found out in 2012. Honan used an iCloud account for his data, but had no backups — and when hackers gained access to the account, they remotely wiped his phone, tablet and computer. They also took over and deleted his Google account. “In the space of one hour,” Honan told Wired, “my entire digital life was destroyed.”

Good Backups Are Good Business

Businesses have fallen victim to devastating data loss, as well. In 1998, Pixar lost 90% of its film “Toy Story 2,” then in progress, due to the combination of a faulty command and insufficient backups.

And when social media/bookmarking site Ma.gnolia.com experienced a database failure resulting in the loss of all user data, it ultimately shuttered the company. “I made a huge mistake in how I set up my [backup] system,” founder Larry Halff said of the incident. 

The Cultural Cost of Insufficient Backups

While World Backup Day’s primary goal is to encourage people to create and check their backups, it also aims to spark discussion of an enormous task: how to preserve our increasingly digital heritage and cultural works for future generations.

Due to insufficient archiving and backup practices, many cultural properties have already disappeared. For example, an entire season of the children’s TV show “Zodiac Island” was lost forever when a former employee at the show’s internet service provider deleted over 300GB of video files, resulting in a lawsuit over the ISP’s lack of backups.

And decades before, a similar fate befell the now-iconic sci-fi series “Dr. Who.” The Film Library of Britain and BBC Enterprises each believed the other party was responsible for archiving the material. As a result, the BBC destroyed its own copies at will, resulting in the master videotapes of the series’ first 253 episodes being recorded over or destroyed. Despite the existence of secondary recordings and showrunners obtaining copies from as far away as Nigeria, 97 episodes are still unaccounted for and presumed lost for good.

How to Ensure Your Digital Future Today

With so much at stake, you’d think almost everyone would back up their data at least occasionally. This isn’t the case, however. According to WorldBackupDay.com, only about 1 in 4 people are backing up their data regularly, and an astounding 21% have never made a backup.

This phenomenon is also seen at the corporate level. While 45% of companies have reported downtime from hardware failure and 28% reported a data loss event in the past 12 months, FEMA reports that 1 in 5 companies don’t have a disaster recovery/business continuity plan (and thus don’t typically have current backups.) With 20% of SMBs facing catastrophic data loss every five years, being left unprepared is much less an “if” than a “when.”

The difference in outcome for these businesses is stark. Ninety-three of businesses that experienced data loss and more than ten days of downtime filed for bankruptcy within a year. But 96% of businesses that had a disaster recovery plan fully recovered operations.

While a good backup plan will require ongoing attention, today is a great day to start — and even one backup is a tremendous improvement over no backups at all. The World Backup Day website is full of information on online backup services, external hard drive backup, computer backup, smartphone backup, creating a NAS backup, and other methods of preserving your data.

If you’re like many IT professionals and already understand the importance of backups, today’s a perfect day to test your backups out and make sure they’re still fully operational. It’s also a good opportunity to share the importance of backups with bosses, colleagues and friends.

After all, if you’re an individual, you won’t get an “extra life” to go back and relive all the memories you might lose if your device fails. And if you’re a small- or medium-sized business owner and lose all your data, having backups might be the difference between “Continue” and “Game Over.” On World Backup Day and every day, the choice is up to you.

To learn more about backups, visit WorldBackupDay.com.

Cyberattacks on Government Skyrocketed in 2021

/0 Comments/in , /by

Over the past several years, cybersecurity researchers (including those at SonicWall) have noted a growing shift away from the “spray-and-pray” tactics that dominated much of the past decade, to a more targeted “big-game hunting” approach.

We’ve seen the effects of this strategic transition for a little while, as attackers have increasingly looked for targets that would cause the most disruption, that would have the most valuable information, and so on. And accordingly, in 2021 cybercriminals focused a lot of their attention on local, state and federal governments.

The year’s headlines offered snapshots of this trend, as threat actors launched attacks on a diverse set of targets including the governments of Indonesia and Israel, India’s prime minister, Belgium’s ministry of defense, Australia’s government-owned telecommunications systems, and multiple U.S. defense firms.

But a look at the exclusive threat data from the 2022 SonicWall Cyber Threat Report tells a larger picture about when, how and how much government customers are being targeted as compared with those in other industries.

Ransomware

In 2021, global ransomware volume skyrocketed, rising 105% year over year. But while “The Year of Ransomware” spared no country, region or industry, the stats were particularly grim for those in government. Ransomware attempts among government customers rose a staggering 1,885% — more than double the increase seen in healthcare (+755%), education (152%) and retail (21%) combined.

Malware

For 2020 to 2021, global malware — affecting all customers across all regions and industries — fell 4%. But among government customers, malware actually increased 94%. The percentage of SonicWall customers targeted further highlights this rise: Each month, an average of 19.6% of government customers saw a malware attempt.

Government devices were increasingly attacked last year, as well. In 2021, IoT malware increased 6% globally — but among government customers, these attacks spiked 46%. Government customers were second only to those in education in terms of how likely they were to see an attempted attack, with an average of roughly 9% of customers targeted by IoT malware each month.

Cryptojacking

Unfortunately, IoT malware attacks aren’t the only way that cybercriminals leverage government customers’ devices against them. Cryptojacking, a type of attack in which cybercriminals use a victim’s device to mine cryptocurrency without their knowledge or consent, also spiked last year, buoyed by record-high cryptocurrency prices.

Global cryptojacking volume in 2021 jumped 19% year-over-year, reaching the highest point ever recorded by SonicWall Capture Labs threat researchers. But this jump disproportionately affected those involved in government: Cryptojacking attempts on government customers rose 709% in 2021.

Governments Fight Back

But as cyberattacks on government continued to increase in 2021, efforts at the state, federal and local level increasingly turned to strengthening defenses . At least 45 U.S. states considered their own cybersecurity bills in 2021, up 18% from 2020. And many of their cybersecurity efforts were bolstered by the passage of a historic U.S. infrastructure bill in November 2021, which included $1 billion for state, local, tribal and territorial cybersecurity.

Advances were made at the federal level, as well. U.S. President Joe Biden signed an executive order in May 2021 aimed at modernizing the government’s response to cyberattacks, joining Japan, Australia, Germany and countless other countries in passing measures to improve national security in 2021.

Biden reiterated his commitment to cybersecurity, particularly concerning the nation’s infrastructure, in a statement last week:

“From day one, my administration has worked to strengthen our national cyberdefenses, mandating extensive cybersecurity measures for the federal government and those critical infrastructure setors where we have authority to do so, and creating innovative public-private partnerships and initiatives to enhance cybersecurity across all our critical infrastructure.

“My administration will continue to use every tool to deter, disrupt and, if necessary, respond to cyberattacks against critical infrastructure,” Biden said.

As part of the United States’ increased focus on cybersecurity, the Department of Justice in June announced the formation of its Ransomware and Digital Extortion Task Force, increasing the resources and personnel available for pursuing cybercriminals. As a result of the efforts made by this task force and other enforcement agencies, members of the REvil ransomware gang, the Trickbot group, the DarkSide ransomware group and more were brought to justice in 2021.

Third-Party ICSA Testing – Perfect Score Number 4

/0 Comments/in , , /by

SonicWall Capture ATP with RTDMI identified all malicious samples with no false positives — four times in a row.

As those in the cybersecurity industry know, ICSA doesn’t grade on a curve: testing rounds with no perfect scores are common, and the standards are both objective and unforgiving. It’s highly unusual for any vendor solution to identify 100% of malicious threats without flagging a single benign sample.

So when SonicWall’s Capture Advanced Threat Protection (ATP) with patented Real-Time Deep Memory Inspection (RTDMI)™ did just that in Q1 2021, it was quite the accomplishment.

Then we did the same thing in Q2, Q3 and Q4, becoming the first cybersecurity vendor in history to earn four consecutive perfect scores in Standard ICSA Labs Advanced Threat Defense (ATD) testing.

How ICSA Testing Works

Standard ICSA Labs Advanced Threat Defense (ATD) testing is designed with vendor solutions in mind, and helps determine new threats traditional security products do not detect. Eligible security vendors are tested quarterly for a minimum of three weeks. During that time, the ICSA Labs subjects advanced threat defense solutions to hundreds of test runs. The test set is comprised of a mixture of new threats, little-known threats and innocuous applications and activities.

Q4 2021’s testing cycle was particularly rigorous. Over 32 days of continuous testing, a SonicWall NSa 3600 NGFW with Capture ATP was subjected to 1,625 total test runs. During this time, SonicWall Capture ATP detected all 801 of the malicious samples, including the 432 threats that were four hours old or less. The testing also included 824 innocuous apps — none of which were improperly categorized as malicious by Capture ATP.

As a result, SonicWall received the highest ranking in this category, concluding a full year of perfect scores and eight consecutive ICSA certifications for SonicWall Capture ATP.

Capture ATP: Superior Threat Detection

Third-party testing cycles like these become even more important as cyberattacks become increasingly sophisticated and stealthy. The introduction of state-sponsored attacks in particular has changed the game, and what used to be no more than a hobby or a source of secondary income has turned into a full-time job. As a result, we are seeing a slew of complex and refined never-before-seen attacks that are capable of passing through the defenses of many organizations.

This highlights two tenets of modern cybersecurity:  the importance of sandboxing technology for a security vendor and the fact that not all technologies are created equally.

SonicWall Capture ATP — a cloud-based service available with SonicWall firewalls — detects and can block advanced threats at the gateway until verdict. This service is the only advanced threat-detection offering that combines multi-layer sandboxing (including SonicWall’s RTDMI™ technology), full-system emulation and virtualization techniques in order to analyze suspicious code behavior.

A graph showing the results of malware variants found by SonicWall Capture ATP

This combination allows Capture ATP to detect more threats than single-engine sandbox solutions, which are compute-environment specific and susceptible to evasion. And because it incorporates AI and machine learning technologies, it’s constantly becoming more effective.

For example, 141,390 never-before-seen malware variants were recorded in Q4 2021 — more than any quarter on record. A total of 442,151 total never-before-seen malware variants was identified in 2021, a 65% increase over 2020’s count and an average of 1,211 per day.

The full ICSA Labs report can be downloaded here. To learn more about SonicWall Capture ATP with RTDMI, visit our website.