Posts

Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective of threats to critical infrastructure I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another they find for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code or changing the programing to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel in the hopes they don’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic.  This can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts at airlines, retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that servers fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, TrendMicro, McAfee, etc.) is still around, but they only check files that are known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor using behavior-based antivirus called a number of things like Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV look at what is happening on the system for malicious behavior, which is great against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates and know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware since you can restore encrypted files and continue on as if the infection never happened. Also, like I mentioned above, Capture Client also makes use of Capture ATP in order to find and eliminate malware that is waiting to execute.

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do and or conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

How Everyone Can Implement SSL Decryption & Inspection

Since 2011, when Google announced it was switching to Hypertext Transfer Protocol Secure (HTTPS) by default, there has been a rapid increase in Secure Sockets Layer (SSL) sessions.

Initially, SSL sessions were reserved for only important traffic, where personal, financial or sensitive data was transferred. Now, it seems we can’t receive news or perform a simple search without an encrypted session.

In 2014 and 2015, SSL sessions accounted for about 52 percent of internet traffic. As cloud adoption grew, so did the SSL sessions. By 2017, SSL accounted for 68 percent of all internet traffic. Currently, SonicWall has seen encrypted traffic at almost 70 percent of the total traffic on the internet.

Secure sessions demonstrate that internet users are understanding and embracing session security and privacy. Unfortunately, as SSL sessions have increased, so have encrypted attacks. So far in 2018, SonicWall has seen a 275 percent increase of encrypted attacks since 2017. You find more numbers in the mid-year update of the 2018 SonicWall Cyber Threat Report.

What is DPI-SSL?

The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-SSL) to block encrypted attacks.

However, even firewall vendors that claim to offer SSL decryption and inspection may not have the processing power to handle the volume of SSL traffic moving across a network today.

DPI-SSL extends SonicWall’s Deep Packet Inspection technology to inspect encrypted HTTPS and SSL/TLS traffic. The traffic is decrypted transparently, scanned for threats, re-encrypted and sent along to its destination if no threats or vulnerabilities are found.

Available on all SonicWall next-generation firewalls (Generation 6 or newer), DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

It is important to have a secure and simple setup that minimizes configuration overhead and complexity. There are two primary paths for implementing DPI-SSL.

Option 1: Remote Implementation

Enabling DPI-SSL can sometimes be complex. Diverse sites and programs use certificates differently, some of which may be affected by DPI-SSL capabilities.

To confirm you have DPI-SSL implemented properly, leverage the SonicWall DPI-SSL Remote Implementation Service to ensure seamless and effective implementation of SonicWall DPI-SSL services.

The Remote Implementation Service for SonicWall DPI-SSL deploys and integrates the product into your environment within 10 business days. This service is delivered by Advanced Services Partners who have completed training and demonstrated expertise in DPI-SSL implementation and configuration.

Option 2: Leverage Easy-to-Use Guidance

For those considering in-house implementation, SonicWall also provides a number of knowledge base (KB) articles and resources that walk you through the DPI-SSL implementation process. Some of the most popular include:

These KBs, and others found within SonicWall’s support section or through the DPI-SSL Remote Implementation Service, ensure every type of user or organization has the resources  to properly activate DPI-SSL within their infrastructure to mitigate encrypted cyberattacks.

For additional guidance, watch “Initial DPI-SSL Configuration,” a popular SonicWall Firewall Series Tutorial.

DPI-SSL Adoption

Thankfully, SonicWall is witnessing gradual adoption of DPI-SSL add-on services. To best protect your environment, pair DPI-SSL capabilities with the Capture Advanced Threat Protection (ATP) cloud sandbox, Gateway Antivirus, Content Filtering and Intrusion Protection Services (IPS). All available in the SonicWall Advanced Gateway Security Suite, which delivers everything you need to protect your network from advanced cyberattacks.

Combine these services with a trusted and secure end-point protection software, such as SonicWall Capture Client, and you can provide a robust security posture that can protect devices — even when they are not behind your firewall.

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Capture Client is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

Equifax Data Breach: What Can We Learn?

Equifax just rolled into the history books as the victim of one of the most widespread and dangerous data breaches of all time. The breach happened on March 10, 2017, at which time the cyber criminals leveraged the critical remote code execution vulnerability CVE-2017-5638 on Apache Struts2. This attack highlights the value of an Intrusion Prevention System (IPS) and virtual patching security technologies.

SonicWall developed definitions for this vulnerability for our Intrusion Prevention Service and afterward saw a large growth of IPS hits by the beginning of the third week of March 2017. The first lesson we can gain from the data is how quickly hackers rush to exploit a critical vulnerability (see chart below).

Every announcement of this magnitude is like Black Friday for hackers. Also, seeing this one attack highlights how, in 2016, SonicWall blocked over 2.6 trillion IPS attacks on customer systems.

This means if there is a critical patch you either need to install it ASAP or have an automated solution in place that can block related attacks such as IPS (Learn how IPS works) until you can do so. This is the same lesson everyone should have learned years ago, if not since WannaCry. In fact, had people patched after WannaCry, none of us would have heard of NotPetya.

However, many believe that the conventional wisdom of patch and train is ultimately not working. If manual patching of vulnerable systems worked, why would the number of breaches continue to escalate?

A 2016 survey from Black Hat showed that even people who rate themselves as very knowledgeable about IT security can be coerced into clicking phishing links in emails. So, it seems that training alone is not the answer either.

We at SonicWall think there is a better way. We believe in automating as much of the protection as possible — on the network, for email, for mobile users, on Wi-Fi and at the endpoint. That is why we built our automated real-time breach prevention and detection platform. It’s why we believe in cloud-based, zero-day protection, and also why we built the Capture Advanced Threat Protection sandbox service into every element of our platform.

So, what can you do to keep yourself safe against these IT weak spots? Here is a list of best practices for staying safe in today’s dynamic, fast-moving threat landscape:

  • Implement automated real-time breach prevention. Deploy SonicWall next-generation firewalls with Gateway Anti-Virus and Intrusion Prevention Services (GAV/IPS) to stop known attacks like those on the critical Apache Struts2 vulnerability. SonicWall’s Deep Learning Algorithm, which learns from over 1 million sensors deployed around the globe, with the ability to push out real-time updates within minutes within GAV/IPS.
  • Use cloud-based sandboxing. Leverage SonicWall Capture ATP, our multi-engine cloud sandbox to discover and stop unknown attacks, such as new ransomware attacks.
  • Inspect TLS/SSL traffic. Because of the rise in malware being encrypted, always deploy SonicWall Deep Packet Inspection of all TLS/SSL (DPI-SSL) traffic. This will enable SonicWall security services to identify and block all known ransomware attacks.
  • Defend against phishing attacks. Implement advanced email security, such as SonicWall Email Security, that leverages malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65 percent of all ransomware attacks happen through phishing emails, so this needs to be a major focus when giving security awareness training.
  • Filter malicious content and sources. Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Never stop patching. Apply the latest patches on all of your systems. Implement policy to ensure it happens and be consistent in verifying it is being followed.
  • Improve attack awareness. Train your users to shut off their computers if they suspect a malware infection. While their machine is likely compromised, this practice well help limit malware from using the endpoint as a launching point into the network.
  • Back up data. It is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event. For larger organizations, build redundant disaster recovery and business continuity plans to ensure operations are not impacted.

For more information, download 10 Ways to Securely Optimize Your Network.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.

Are You Seeing This? Uncovering Encrypted Threats

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or, it may do everything that’s required, just very slowly which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.