Posts

RSA Conference 2018: Live on Facebook

RSA Conference 2018 is a flurry of lights, sounds and information. It’s easy to get lost in the buzz and miss what you really want to see. In case you fall into this category — or weren’t able to make the trip to San Francisco at all — we streamed an entire presentation from SonicWall malware expert Brook Chelmo live on Facebook.

Read more

RSA Conference 2018: SonicWall is Hot

Fresh off of April’s massive SonicWall Capture Cloud Platform launch, SonicWall has been featured in a pair of CRN articles highlighting the hottest products at RSA Conference 2018.

The SonicWall Capture Cloud Platform is lauded in CRN’s “10 Hot New Cloud Security Products Announced at RSA 2018” listing. CRN recaps the platform’s ability to integrate security, management, analytics and real-time threat intelligence across SonicWall’s portfolio of network, email, mobile and cloud security products.

Complementing that accolade, a pair of new SonicWall products were listed in the “20 Hot New Security Products Announced at RSA 2018” category. The new SonicWall NSv virtual firewall (slide 7) and SonicWall Capture Client (slide 12) endpoint protection were showcased.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client delivers advanced threat protection techniques, such as machine learning and system rollback.

SonicWall Network Security virtual (NSv) firewalls protect all critical components of your private/public cloud environment from resource misuse attacks, cross virtual machine attacks, side channel attacks and common network-based exploits and threats. It captures traffic between virtual machines (VM) and networks for automated breach prevention and establishes access control measures for data confidentiality and ensures VMs safety and integrity.

How to Stop Fileless Malware

In 2017, SonicWall Capture Labs discovered 56 million new forms of malware from across the globe. Threat actors are constantly creating updates to known versions of malware to get past defenses that rely on identifying malware (i.e., signatures). The forms of security that stop malware and ransomware based on signatures are only effective if they can identify the strain.

Since malware authors don’t want to continually update their code and have attacks in flight fail, they often resort to creating fileless malware as a highly effective alternative.

What is fileless malware?

Fileless malware has been around for some time, but has dramatically increased in popularity the last few years. These malware leverage on-system tools such as PowerShell, macros (like in Microsoft Word and Excel), Windows Management Instrumentation or other on-system scripting functionality to propagate, execute and perform whatever tasks it was developed to perform.

The problem for the business

One of the reasons fileless malware is so powerful is that security products cannot just block the systems or software that these are utilizing. For example, if a security admin blocked PowerShell, many IT maintenance tasks would be terminated. This makes it impossible for signature-based security solutions to detect or prevent it because the low footprint and the absence of files to scan.

How can SonicWall stop fileless malware?

The key is not to look at the file but, instead, look at how it behaves when it runs on the endpoint. This is effective because although there is a large and increasing number of malware variants, they operate in very similar ways. This is similar to how we educate our children to avoid people based on behavior instead of showing them a list of mug shots every time they leave home.

SonicWall Capture Client, powered by SentinelOne, is a next-generation antivirus endpoint protection platform that uses multiple engines, including static and behavioral AI, to stop malware before, during and even after execution. It also offers the ability to roll back an endpoint to a state before the malware got on to or activated on the system.

In the face of fileless malware, the full behavioral monitoring approach is amazing at detecting and preventing this type of attack because it is agnostic to the attack vector.

How does it work?

SonicWall actively monitors all activities on the agent side at the kernel level to differentiate between malicious and benign activities. Once Capture Client detects malicious activity, it can effectively mitigate an attack and, if needed, roll back any damage, allowing the user to work on a clean device.

Conclusion

Ultimately, adversaries will always take the shortest path to compromise endpoints to ensure the highest return with the least amount of effort. Fileless malware is quickly becoming one of the most popular ways to do so. It is not enough to just block essential operations like PowerShell.

You need anti-virus software that fully monitors the behavior of a system to prevent attacks utilizing exploits, macro documents, exploit kits, PowerShell, PowerSploit and zero-days vulnerabilities locally and without dependence to network connectivity.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

Webinar: Stop Fileless Malware with SonicWall Capture Client

Join SonicWall and SentinelOne cyber security experts to learn how to stay safe from advanced cyber threats like fileless malware.

6 Ways Malware Evades Detection – And How to Stop Them

One of the key characteristics of advanced malware is the use of many tactics to evade detection. In addition to defeating signature-based detection products and behavior-based detection tools, there are hundreds of evasion techniques advanced malware uses to avoid detection. Moreover, a malware object will typically deploy multiple tactics.

While there are hundreds of specific tactics to evade detection, they fall into six key categories.

  1. Stalling delays
    With this tactic, the malware remains idle to defeat timer-based recognition. Most virtualized sandboxes can detect if malware calls the OS sleep function, but they can’t spot evasion if the malware performs the delay internally without calling the OS. Full CPU emulations, “bare-metal” detect these behaviors with unrivaled accuracy. This is very effective against a well-known competitor.
  2. Action-required delays
    This tactic delays malicious activity pending a specific user action (e.g., mouse click, open or close a file or app). Most virtualized sandboxes will not detect malware waiting on user action.
  3. Intelligent suspension of malware
    Unlike simple stalling techniques, this category includes sophisticated evasion techniques that discover the presence of a sandbox and suspend malicious actions to avoid detection. Malware waits until it has completed penetration of the host or machine before injecting, modifying or downloading code; decrypting files; moving laterally across network; or connecting to C2 servers.
  4. Fragmentation
    This tactic splits malware into fragments, which only execute when reassembled by the targeted system. As virtualized sandboxes typically evaluate fragments separately, each fragment appears harmless, thus evading detection.
  5. Return-oriented programming (ROP)
    An ROP evasion tactic modifies the stack (memory addresses of code to be executed next), thus injecting functionality without altering the actual code. ROP evasions delegate the execution of its malicious code to other programs, instead of the malware program, thereby hiding it from conventional detection.
  6. Rootkits
    A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers. Most virtualized sandboxes do not monitor what an OS does with calls from applications, so the malicious actions performed by a rootkit will generally go undetected.

Because of the increased focus on developing evasion tactics for malware, organizations should apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

The award-winning SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. This approach includes Lastline® Deep Content Inspection™ technology, along with two other complementary engines.

Learn more about how Lastline technology — which earned the highest achievable score in NSS Labs’ 2017 Breach Detection Systems group test —  adds a key layer to Capture’s unique capabilities. Read our Solution Brief: Overcoming Advanced Evasion of Malware Detection.

How to Hide a Sandbox: The Art of Outfoxing Advanced Cyber Threats

Malware often incorporates advanced techniques to evade analysis and discovery by firewalls and sandboxes. When malware sees evidence that dynamic analysis is occurring, it can invoke different techniques to evade analysis, such as mimicking the behavior of harmless files that are typically ignored by threat detection systems.

Traditional sandboxing approaches that signal their own presence — for example, by instrumenting underlying virtual machines (VM) to intercept malicious function calls — make the analysis environment visible. This can trigger an action by malware to conceal itself.

Because of the increased focus by malware authors on developing evasion tactics, it is important to apply a multi-disciplinary approach to analyzing suspicious code, especially for detecting and analyzing ransomware and malware that attempt credential theft.

SonicWall’s award-winning Capture Advanced Threat Protection (ATP) multi-engine sandbox platform efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. In fact, SonicWall formed a partnership with VMRay to leverage their agentless hypervisor-level analysis technology as one of the three powerful Capture ATP engines. The VMRay technology executes suspicious code, analyzes changes within the memory of a system to detect malicious activity, while resisting evasion tactics and maximizing zero-day threat detection.

How VMRay enhances Capture ATP

VMRay brings an agentless hypervisor-based approach to dynamic malware analysis. The hypervisor is the underlying computing platform that creates, runs and manages virtual machines on the underlying hardware. Most sandboxing solutions use a hypervisor as a launch pad for either the emulators or virtual machines that are hooked and monitored.

Figure 1 VMRay runs as part of the hypervisor on top of the host OS

VMRay takes a different approach to sandbox analysis by monitoring the activity of the target machine, entirely from the outside, using Virtual Machine Introspection (VMI). VMRay combines CPU hardware virtualization extensions with an innovative monitoring concept called Intermodular Transition Monitoring (ITM) to deliver agentless monitoring of VMs running a native OS without emulation or hooking (to avoid being detected by advanced malware). VMRay runs as part of the hypervisor on top of the host OS, which, in turn, is running on bare metal.

Because VMs in the sandbox aren’t instrumented, threats execute as they would in the wild, and the analysis is invisible — even to the most evasive strains of malware.

VMRay’s agentless hypervisor-based approach provides four key benefits to the SonicWall Capture ATP cloud service:

  • Resistance to evasive malware
  • Detailed analysis results
  • Extraction of IOCs
  • Real-time, high-volume detection

To learn more about these benefits in greater detail, read the Solution Brief: Five Best Practices for Advanced Threat Protection.

SonicWall First to Identify 73 Percent of New Malware with Capture ATP Sandbox

Last month, I wrote how we found nearly 26,500 new forms of malware and shared some general stats.  Let’s take a look at the new threats found by SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP).

While the general number of new threats dropped, there were some interesting figures and trends to point out.

Of the 16,115 new forms of malware and zero-day attacks:

  • Only 4,321 were known by one other security firm (that we partner with), just moments before us
  • This means over 73 percent (11,794) were never seen until SonicWall identified them

This is very encouraging because it demonstrates three important points:

  1. The SonicWall customer base of Capture ATP subscribers are protecting each other by serving up samples before researchers can find them
  2. The technology is working wonderfully
  3. The month-over-month data proves that SonicWall is your best defense against new threats

Interestingly, last year at this time, I was finding a lot of ransomware versions by the big boys, such as Locky & Cerber. Now we are seeing attacks from copycat malware authors who conduct smaller attacks. The overall numbers are down, but the number of cybercriminals involved are up. As a result, a lot of ransomware attacks may fly under the radar.

Plus, this is what is now hitting the radar: credware.

What is Credware?

Credware is a term for a type of malware that is designed to steal credentials — and I’m finding a lot of credware every day, in many formats. I see new forms of spyware and a lot of Trojans that are going after all of those saved passwords in browsers. Since Chrome is harder to attack, hackers are targeting saved passwords in Firefox, Safari, Opera, Internet Explorer, and Edge. (See below).

Infected Documents

Hackers are adding their new versions of malware inside of document, such as Microsoft Word and PDFs. On a typical day, I saw that roughly 3-6 percent of new malware samples are found in these file types, but I have noticed a large increase as the days progressed.

Some days, as much as 39.3 percent of malware is found in digital documents, mostly Office files. Even if I set a high baseline of 5 percent, you can see how some days have an alarming rate of malicious documents (See below).

What is also surprising about this data is that you would expect a lot of this to be found in email traffic. Although most of it was, a lot of it was not, especially PDFs. In fact, on Sept. 26, 82 percent of malicious PDFs were found online by protected customers.

This data comes on the heels of SonicWall improving its backend performance for how quickly we can examine and return a verdict for PDFs. As we look back at the data, I’m happy to announce that the median time to process a file is around one second, and 71.3 percent of all files in September were processed with a verdict in under five seconds.

If you’d like more information on how you can add Capture ATP to protect your network and network based endpoints read: Executive Brief: Why network sandboxing is required to stop ransomware.

Ransomware: Are You Protected From the Next Outbreak?

Will you be ransomware’s next victim? Can ransomware encrypt your data and hold it hostage until you pay a ransom?

Organizations large and small across industries and around the globe are at risk of a ransomware attack. The media mostly reports attacks at large institutions, such as the Hollywood Hospital that suffered over a week offline in 2016 after a ransomware attack encrypted files and demanded ransom to decrypt the data. However, small businesses are affected also. In fact, Kaspersky research reported that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over a 12-month period. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Whether you are part of a large organization or a small business, you are at risk.

The recent WannaCry ransomware attack was the largest ransomware campaign ever. In the course of a weekend, WannaCry spread to over 250,000 computers in 150 countries, crippling operations at hospitals, telecom providers, utility companies, and other businesses around the globe.

Once primarily an issue for Windows desktops, ransomware attacks have now occurred across many device types and operating systems, including KeRanger, a ransomware variant that emerged in 2016 that targeted Apple OS X. This variant was hidden in a compromised version of the Transmission BitTorrent client and affected about 6,500 computers within a day and a half.

These attacks often start with an internet file download or email attachment that seems innocuous but actually is hiding malware that encrypts files. End user productivity grinds to a halt and your help desk lights up. Worse, your business can suffer both financially and also from damage to your reputation.

Can your security solutions protect from this threat? Maybe. Legacy security technologies are often signature based, great for detecting “known” malware, but ineffective against “unknown” or zero-day attacks. To better detect unknown threats, security professionals are adding an additional layer of security and deploying advanced threat detection technologies, such as network sandboxes specifically SonicWall Capture ATP, that analyze the behavior of suspicious files and uncover hidden malware. To learn more about what it takes to keep malicious code out of your network, read our whitepaper: Why Network Sandboxing is Required to Stop Ransomware.

Looking Ahead to Black Friday: Fortify Your Network Security

One of my first customers in IT was a large retailer, with more than a thousand stores. This was at a time when e-commerce was just beginning, at least for large, traditional retailers. Giving their customers the ability to purchase on the web was still a year or two away.

This retailer made about 90 percent of its annual revenue between Thanksgiving and New Year’s Day. That was “Season”, and the entire year’s IT schedule was built around getting ready for Season. Any and all hardware upgrades, OS changes, and software updates were to be completed and locked in by mid October. Change control during Season was very simple: No changes unless something broken absolutely had to be fixed, you were able to make a 100% solid case for the change, and not doing the change would impact revenue. Otherwise, hold off until January.

Retail’s a lot more complex these days, and brick-and-mortar is only one of the revenue-generating retail channels. Still, Season remains Season. And it all begins with Black Friday. Estimates of 2015’s revenue for the first two days of Season, including Black Friday, top $4 billion in the U.S., with about a third of that coming from online sales. More than 150 million shoppers purchased online during the 2015 Thanksgiving holiday weekend.

Clearly, this is not a time to have security issues with your infrastructure, and especially so with your payment systems, whether online or POS systems in your stores.

The relevant compliance standard is PCI DSS (Payment Card Industry Data Security Standard). Version 3.1 takes effect on June 30, and includes a number of changes from the previous version (3.0). These include, with some exceptions, removal of SSL and early versions (1.0 and 1.1) of TLS, along with some additional clarifications of existing requirements, a number of which are common sense clarifications (For example, don’t send unencrypted account numbers in a text message. You think?).

Complying with PCI DSS is a good way to reduce your business’s risk of cyber attack, but it’s really only a waypoint toward better security, not an end in and of itself. That’s a point SonicWall Security’s Tim Brown, our CTO and a SonicWall Fellow, makes in an on-demand webcast highlighting the changes to PCI DSS in version 3.1, so that you can be best prepared for Black Friday. We offer SonicWall network security solutions to help you stay PCI compliant, and improve security well beyond the PCI basics. And staying in line with 3.1 will put you in better shape to have a more secure, successful Black Friday, Cyber Monday, and holiday Season. It will also prepare you for PCI DSS 3.2, which includes additional clarifications and new requirements, particularly around multifactor authentication for anyone having access to cardholder data. While 3.2 succeeds 3.1 as a standard for assessments as of this October, its new requirements will not be mandated until February 2018 until then, they’ll just be considered best practices.

Learn more about the changes in PCI DSS 3.1, and how they can help your business prepare for Black Friday. View Focusing on security to meet compliance: responding to changes in PCI DSS 3.1.

6 Cybersecurity Tips Any Business Can Learn From PCI-DSS

I started this year speaking and writing about how retail establishments can protect themselves from the rising tide of malware. I continue this train of thought by considering the Payment Card Industry Data Security Standard (PCI-DSS) as a general guidance to protect any small business.

Instead of looking at PCI-DSS as guidelines for protecting cardholder data, consider it as guidance for protecting any critical data. You may wonder what critical data you have, or think that you may have nothing of value to cyber thieves. And yet any business has at least one of the following types of critical data that cybercriminals want, which means that any business “including yours” is a potential target:

  • Employee records
  • Customer records
  • Intellectual property
  • Access (user names, passwords, etc.) to partner networks (the easiest way to breach a big company many be through a small partner)
  • Access (user names, account numbers, passwords, etc.) to your bank account

Therefore, PCI-DSS guidelines can be a starting point for any business, retail or not. (I say a “starting point” because even if you are PCI-compliant as, I believe, Target was when they were breached, it does not mean you are secure.) At a high level, PCI-DSS guidelines provide some excellent places to start when looking to protect critical data. Looking at the six high-level guidelines for PCI-DSS, I have some thoughts:

  1. Build and maintain a Secure Network and SystemsThis one is pretty straightforward: build your network with an eye on security starting at the planning phase. Often businesses take a money saving approach and not structure their network for growth. This is a short-term view that often costs more money down the road. Often, in order to maximize performance, security settings are turned off. When looking at your network, make sure you are able to build it under the security umbrella. Looking at the cost of a breach, security is a very low-cost investment.
  2. Protect Cardholder DataIn the spirit of this blog, let me replace “Cardholder Data” with “Critical Data.” Making sure critical data is handled in a secure way would include encryption of your data and isolating it from those not qualified to access it. Again, something learned from Target.
  3. Maintain a Vulnerability Management ProgramAnti-virus should be something you require on all devices that can access network resources. This includes phones. I am sure we will see a newsworthy breach that starts with a compromised phone. There is a recent trend to deliver ransomware to phones. For both personal and professional reasons an antivirus on all your internet accessible devices is common sense.
  4. Implement Strong Access Control MeasuresIf you leave your freshly baked pie in the window, someone is going to take it. The aroma of your critical resources should be kept behind locked doors. It is more than passwords; the ability to see who is using these passwords will help you keep assets secure. This leads me to:
  5. Regularly Monitor and Test NetworksThere are many reputable organizations that can test your defenses. I have seen many of them offer inexpensive or free services to show you where you have vulnerabilities. Let the experts help you.
  6. Maintain an Information Security PolicySecurity is a critical business issue and should be considered integral to the organization. As you talk about products or new ways to expand your business, make sure that you do it in the context of a secure environment. After the fact and ad hoc security may leave you thinking you are protected when you actually are not.

I would hasten to add one more thing: implement an ongoing education program to build security awareness in the organization. As we all become more educated in proper cyber-hygiene, it becomes harder for criminals to compromise your organization.

The PCI guidance is something that is a great starting point for any business looking for a roadmap to security. If you are looking for more information, you might want to check out this webinar that Tim Brown, executive director and CTO of SonicWall Security, delivered on PCI – Focusing on security to meet compliance responding to changes in PCI DSS 3.1.

iPower Technologies Arrests Hidden Malware from Body Cameras with SonicWall Firewalls

Note: This is a guest blog by Jarrett Pavao CEO iPower Technologies Inc., a Premier Partner for SonicWall Security, in South Florida.

Every day viruses, malware and trojans infect IT infrastructure through a growing number of mobile devices. With the growth of Internet of Things (IoT), this threat is rapidly increasing. We are faced with viruses potentially infiltrating almost every connected device – even brand-new law enforcement body cameras.

That’s right, even the people sworn to protect are exposed to these threats. Here at iPower Technologies, we never ceased to be amazed at the lengths that the bad guys will go to break into networks. That’s why it’s important that organizations have comprehensive network security that protects their associates whether they are working in the field, at home or in the office. As more of our everyday devices become “smart” and “connected”, they bring great convenience to our private and professional lives, but also provide an access point to infect entire networks and wreak havoc. This potential threat may even come from new equipment straight out of the box.

As the CEO of iPower Technologies, my team based in Boca Raton recently discovered malware on the body cameras used by one of our law enforcement clients. As a SonicWall Security Premium Partner, we follow strict protocols and we regularly audit and scan our clients’ IT infrastructure and endpoint devices, including body cameras used by our law enforcement customers. With SonicWall next-generation firewalls, we were able to detect the virus before it infected the entire network and potentially put critical data at risk. These cameras leverage geolocation/GPS capabilities, meaning that the malware could be used to track law enforcement locations.

Discovery: Conficker Worm

We discovered the malware during testing of body camera equipment for one of our law-enforcement clients. iPower engineers connected the USB camera to one of our computers. When he did that, multiple security systems on our test environment were alerted to a new threat. It turned out to be a variant of the pervasive Conficker worm and we immediately quarantined it. A second camera was connected to a virtual lab PC with no antivirus. The SonicWall next-generation firewall immediately notified iPower of the virus’ attempt to spread on the LAN and blocked the virus’ from communicating with command-and-control servers on the public internet.

Prevention

Like body armor that peace officers wear, taking precautions and preventive measures is the best defense to stopping and limiting damage from attacks. Fortunately for our clients, my iPower team has the expertise to recognize active threats along with the support of the  SonicWall Threat Research team to prevent successful attacks. In this specific case, the threat was stopped before it could do any damage and an alert for the Confiker worm was issued.

Any network with a properly deployed  SonicWall next-gen firewall would have contained the attack to a local device, such as the USB port, and not to the entire network.

Sonicwall Next Generation firewalls have multiple security features including the ability to inspect encrypted traffic, and leverage deep packet inspection (DPI) technology. See the diagram below for an example of how to prevent a virus or worm like Conficker from spreading from a PC to your servers:

Examine Smart Devices before Deploying

It’s a matter of policy for us at iPower to test all equipment before we install on a client’s network. If you don’t have a test environment – or have access to one – I strongly suggest that you make the investment. It can pay for itself in preventing embarrassing events at the client site, as well as increase internal staff knowledge that can then be applied in the real world. So do test every device you plan to install or connect to your client’s network.

Make that sure testing is a matter of policy by having a strict written policy regarding the implementation of any new hardware or software. Test any new systems being added to your corporate network in a sandbox environment prior to deployment. We don’t know for sure how the malware got onto the body cameras. It could have happened in any number of the manufacture, assembly and – ironically – QA testing stages. I think the most likely reason is due to lack of manufacture controls and outsourced equipment production. It seems innocuous enough. It’s just a camera, but the potential of the worm could have devastating, even tragic, ramifications if it had been able to gain remote code execution inside a network. Attackers could then harvest police database for Personal Identifiable Information (PII). This can be used to forge fake identities, etc.

This threat is real and growing. When you extrapolate this threat out to common smart devices, such as connected refrigerators and thermostats and the general lack of security knowledge in the home and SMB markets, you have a potentially massive challenge. So again, any device that will be placed on the same network as servers, databases, or could potentially access a corporate network need to be checked out and properly aligned with security best practices.The best way to do this is careful network design, including intra-VLAN inspection on SonicWall next-generation firewalls is a great way to protect critical infrastructure from high risk PCs and IoT devices.