Posts

Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective of threats to critical infrastructure I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another they find for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code or changing the programing to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel in the hopes they don’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic.  This can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts at airlines, retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that servers fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, TrendMicro, McAfee, etc.) is still around, but they only check files that are known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor using behavior-based antivirus called a number of things like Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV look at what is happening on the system for malicious behavior, which is great against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates and know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware since you can restore encrypted files and continue on as if the infection never happened. Also, like I mentioned above, Capture Client also makes use of Capture ATP in order to find and eliminate malware that is waiting to execute.

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do and or conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

How Everyone Can Implement SSL Decryption & Inspection

Since 2011, when Google announced it was switching to Hypertext Transfer Protocol Secure (HTTPS) by default, there has been a rapid increase in Secure Sockets Layer (SSL) sessions.

Initially, SSL sessions were reserved for only important traffic, where personal, financial or sensitive data was transferred. Now, it seems we can’t receive news or perform a simple search without an encrypted session.

In 2014 and 2015, SSL sessions accounted for about 52 percent of internet traffic. As cloud adoption grew, so did the SSL sessions. By 2017, SSL accounted for 68 percent of all internet traffic. Currently, SonicWall has seen encrypted traffic at almost 70 percent of the total traffic on the internet.

Secure sessions demonstrate that internet users are understanding and embracing session security and privacy. Unfortunately, as SSL sessions have increased, so have encrypted attacks. So far in 2018, SonicWall has seen a 275 percent increase of encrypted attacks since 2017. You find more numbers in the mid-year update of the 2018 SonicWall Cyber Threat Report.

What is DPI-SSL?

The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-SSL) to block encrypted attacks.

However, even firewall vendors that claim to offer SSL decryption and inspection may not have the processing power to handle the volume of SSL traffic moving across a network today.

DPI-SSL extends SonicWall’s Deep Packet Inspection technology to inspect encrypted HTTPS and SSL/TLS traffic. The traffic is decrypted transparently, scanned for threats, re-encrypted and sent along to its destination if no threats or vulnerabilities are found.

Available on all SonicWall next-generation firewalls (Generation 6 or newer), DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

It is important to have a secure and simple setup that minimizes configuration overhead and complexity. There are two primary paths for implementing DPI-SSL.

Option 1: Remote Implementation

Enabling DPI-SSL can sometimes be complex. Diverse sites and programs use certificates differently, some of which may be affected by DPI-SSL capabilities.

To confirm you have DPI-SSL implemented properly, leverage the SonicWall DPI-SSL Remote Implementation Service to ensure seamless and effective implementation of SonicWall DPI-SSL services.

The Remote Implementation Service for SonicWall DPI-SSL deploys and integrates the product into your environment within 10 business days. This service is delivered by Advanced Services Partners who have completed training and demonstrated expertise in DPI-SSL implementation and configuration.

Option 2: Leverage Easy-to-Use Guidance

For those considering in-house implementation, SonicWall also provides a number of knowledge base (KB) articles and resources that walk you through the DPI-SSL implementation process. Some of the most popular include:

These KBs, and others found within SonicWall’s support section or through the DPI-SSL Remote Implementation Service, ensure every type of user or organization has the resources  to properly activate DPI-SSL within their infrastructure to mitigate encrypted cyberattacks.

For additional guidance, watch “Initial DPI-SSL Configuration,” a popular SonicWall Firewall Series Tutorial.

DPI-SSL Adoption

Thankfully, SonicWall is witnessing gradual adoption of DPI-SSL add-on services. To best protect your environment, pair DPI-SSL capabilities with the Capture Advanced Threat Protection (ATP) cloud sandbox, Gateway Antivirus, Content Filtering and Intrusion Protection Services (IPS). All available in the SonicWall Advanced Gateway Security Suite, which delivers everything you need to protect your network from advanced cyberattacks.

Combine these services with a trusted and secure end-point protection software, such as SonicWall Capture Client, and you can provide a robust security posture that can protect devices — even when they are not behind your firewall.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.

Are You Seeing This? Uncovering Encrypted Threats

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or, it may do everything that’s required, just very slowly which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.