How SonicWall Signature “Families” Block Emerging Ransomware Variants

When you look at the most damaging network security invasions over the last year, you see a recurring pattern: leaked government cyber tools being repurposed by cybercriminals. The compromised NSA toolset leaked by Shadow Brokers was devastating in many respects. These were highly targeted tools that many nation states wish they had the operational capacity to deploy.

But the tools developed by the NSA fell into the hands of criminals, who used them not for state-backed cyber espionage, but for capital gain. They repurposed these tools into WannaCry, Petya and, most recently, BadRabbit, as a means to install ransomware, encrypt information and keep it hostage until a targeted victim pays to release it, typically via Bitcoin.

Alas, sometimes victims pay and the data is still not released. Sometimes, other actors see that an organization has been held hostage and send their own ransom demands, even though they are not affiliated with the original ransomware creators. The victim organization pays for this misdirection but still cannot unlock its files. It is out of the money and damages are incurred. “There is no honor among thieves,” as they say.

WannaCry, Petya and BadRabbit form a “family” of ransomware variants developed from the same leaked NSA tools. When multiple attacks use the same family of exploits, SonicWall can give you breathing room and help you sleep at night.

To explain, first let me discuss how signatures work in our next-generation firewalls (NGFWs). Individual signatures exactly match bit patterns from IP-based frame payloads to detect a specific variant of malware. Our award-winning Capture ATP technology, a multi-engine network sandbox, not only stops unknown and zero-day threats from entering networks, but also helps create new signatures for detecting emerging malware.

Few vendors look at both incoming and outgoing packets for malware, as it can be a large performance hit to do both. Most vendors are only concerned with traffic going from the internet to the trusted zones and only inspect this pattern. Yet SonicWall inspects every single packet in each direction.

Why? Well, if you own a network and somehow a device is compromised, the only way you will find out is by seeing what it sends out. Is it talking to a command-and-control server (C&C)? Is it sending malware out, as infected machines do? Without scanning every packet, you do not have visibility of your internal network. While it is important to block incoming malware, it’s also important to determine what machines may have been infected and are trying to send data outside your organization.

This brings us back to our “family” of signatures. Have you ever wondered why SonicWall uses a different naming convention than other well-known malware strains? It’s because we find them first, and give them their own names. Other vendors do this too, but we are vastly different. I am proud to say that SonicWall is extremely competent in creating a family of signatures to cover many individual signatures with one pass. SonicWall uses a fast memory-tree lookup as packets pass through the NGFW with our family of signatures, so only one lookup is needed. This is an extremely fast method of traffic processing.

Sometimes in sales, we have to quote statistics in answer to questions, such as “How many signatures do you store on the firewall?” And we dutifully respond, “Over 32,000 locally, with more in the cloud.” But this only tells part of the story. With our family of signatures, one family will catch 100 or more variations of one signature.
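To make the idea of one lookup covering a whole family concrete, here is an added example that is not SonicWall's code. It assumes an Aho-Corasick trie as the "memory-tree" (the post does not name the structure), and the family names, byte patterns and packets are constructed placeholders.

```python
from collections import deque

class FamilyMatcher:
    """Aho-Corasick trie: many variant patterns, one pass over each payload."""
    def __init__(self, families):
        # Per node: byte -> child index, failure link, families ending here.
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for family, patterns in families.items():
            for pat in patterns:
                node = 0
                for b in pat:
                    if b not in self.goto[node]:
                        self.goto.append({})
                        self.fail.append(0)
                        self.out.append(set())
                        self.goto[node][b] = len(self.goto) - 1
                    node = self.goto[node][b]
                self.out[node].add(family)
        # Breadth-first failure links: on a mismatch, fall back instead of rescanning.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                self.out[child] |= self.out[self.fail[child]]
                queue.append(child)

    def scan(self, payload):
        """Return families matched anywhere in payload, reading each byte once."""
        node, hits = 0, set()
        for b in payload:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits

# Constructed placeholder patterns and traffic, not real signatures or captures.
FAMILIES = {"Family.A": [b"\x13\x37MARK-A1", b"\x13\x37MARK-A2", b"MARK-A3\xff"],
            "Family.B": [b"BEACON/1.", b"BEACON/2."]}
PACKETS = [("inbound", "203.0.113.7", b"GET /x\r\n\x13\x37MARK-A2 data"),
           ("outbound", "10.0.0.23", b"POST /c BEACON/2.4 id=9"),
           ("outbound", "10.0.0.40", b"ordinary traffic")]

def inspect(matcher, packets):
    """Scan both directions; return (direction, source, families) per hit."""
    return [(d, src, sorted(h)) for d, src, p in packets if (h := matcher.scan(p))]
```

Calling `inspect(FamilyMatcher(FAMILIES), PACKETS)` reports the inbound packet under Family.A and the outbound packet from 10.0.0.23 under Family.B. The second is the kind of hit that only outbound inspection surfaces.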

Going back to WannaCry, SonicWall created a family that caught WannaCry right after it was announced to the public. Since Petya and BadRabbit were derived from the same NSA leak, the family signature in your SonicWall firewall blocked all these new attack vectors.

Even though the delivery of these new variants to networks was targeted, SonicWall blocked all these different bit patterns as part of our WannaCry signature family. The signature updates were performed in the background – as you enjoyed the holidays with your friends and family.

SonicOS 6.2.7 Delivers More Breach Prevention and Easier Management to Next-Gen Firewalls

There is no end to the danger of cyber-criminal activities, as long as there is an underground marketplace that makes it almost impossible for authorities to intervene and enforce law and order.  We continue to see our adversaries relentlessly going after money by developing and experimenting with different methods and tools against new and existing vulnerabilities, in preparation for the next phase of their business model. To deal with this cybercriminal activity and have greater network security, I am excited to announce SonicOS 6.2.7, which provides enhanced breach prevention, a new threat API, improved scalability and connectivity while simplifying management to ensure small businesses and large distributed enterprises receive a high quality-of-service level, increased on-demand capacity and connectivity and better security.

Here are some of the historical cyber attacks that require deeper network security:

  1. CVE logged nearly 4,000 new vulnerabilities with more than two-thirds of them associated with network attacks.
  2. Ransomware was spotted as far back as 2005, but rarely seen until its recent return to the world stage as the most popular payload for spam, phishing and exploit campaigns, collecting an estimated $200 million in ransom payouts globally so far. The fear of infections and subsequent business disruptions has forced institutions to begin augmenting their existing defense model to address this threat.
  3. According to NSS Labs, the malicious use of encryption is rapidly growing and allowing criminals to use it as an effective evasion technique. When encrypted connections are improperly managed and go uninspected, they become defenseless tunnels for concealing malware downloads and command and control (C&C) communication, spreading infections and, most serious of all, extracting massive amounts of data.
  4. In November, the Mirai botnet management framework launched the largest mass-scale distributed denial of service (DDoS) attacks on record, using hundreds of thousands of Linux-based IoT devices that took down a major DNS service provider. IoT-based attacks are anticipated to be one of the fastest growing and most prevalent attack vectors in 2017.
  5. A new breed of exploit kits surfaced leveraging cryptographic algorithms to encrypt and obfuscate landing pages and malicious payloads to spread ransomware at scale more effectively.

Moreover, organizations are quickly embracing new technologies such as cloud and virtualization to advance their digital business ambition.  As they embrace these new technology platforms, they find themselves needing to augment their network architecture to meet new data, capacity and connectivity demands.

The biggest question now is what we can do differently in our cyberdefense model to scale performance, secure us from advanced threats and help enable organizations to grow and move securely forward. SonicWall introduces the latest update to its next-generation firewall SonicOS operating system, version 6.2.7.0. Many of the new features in the release are focused on three primary outcomes of the firewall system.

  1. Enhancing breach prevention capabilities
     • Deep packet inspection of SSH (DPI-SSH) to detect and prevent advanced encrypted attacks that leverage SSH, block encrypted malware downloads, cease the spread of infections, and thwart command and control (C&C) communications and data exfiltration
     • Threat API platform designed to receive any and all proprietary, OEM and third-party threat intelligence feeds to combat a wide variety of advanced threats such as zero-day, malicious insiders, compromised credentials, ransomware and APTs
     • Biometric authentication technology on the user's mobile device, such as fingerprints that cannot be easily duplicated or shared, to securely authenticate the user identity for network access
     • Additional security extensions include granular SSL controls and DPI-SSL of IPv6 encrypted traffic, DNS Proxy to securely control both incoming and outgoing DNS traffic to eliminate any potential DNS cache poisoning, DNS spoofing, and buffer overflow attacks transmitted through DNS commands and more
  2. Improving ease of use and management
     • Auto-provisioning VPN simplifies and reduces complex distributed firewall deployments down to a trivial effort by automating the initial site-to-site VPN gateway provisioning while security and connectivity occur instantly and automatically. As an added advantage, policy changes are centrally managed and automatically updated on every VPN peer across the WAN environment.
  3. Increasing scalability and connectivity
     • Dell X-Series Switch extensibility enhances network security flexibility and scalability, adapting to service-level increases and ensuring network services and resources are continuously available and protected when capacity grows without having to upgrade the firewall system.

Download SonicOS 6.2.7 today.

Sandbox Security; Nothing to Play With

Ransomware has forced organizations to rethink their security architecture.  Organizations are increasingly investing in security solutions that provide additional protection of sensitive data, as well as better visibility over network traffic and endpoint activity. According to IDC research, 60% of organizations surveyed indicated that modern endpoint and network security products such as network sandboxes were either a high priority or an extremely high priority over the next 12 months.

Network sandboxes are isolated environments where suspicious code can be examined and detonated to see what unidentified code wants to do on a potential system. Over the past few years, sandboxing has become an integral part of the network security game plan, but hackers have identified ways of evading detection, which is something to consider in the evaluation process. In the video below, IDC’s Sean Pike, program vice president of IDC Security Products, discusses network sandboxing and gives you key questions to ask when looking at this part of the network security equation.

IT Security Done Right Enables State and Local Governments

News reports about new data breaches have become an all too frequent occurrence.  But cyber attacks can’t and don’t stop state and local governments from getting on with the business of governing. It’s easy to fall into a state of paralytic fear about attacks and data breaches, but in the meantime, state and local governments need to deliver the services their citizens rely upon, and continue to leverage technology to expand and improve those services.

If IT security is viewed as a defense mechanism by government, and even by security professionals themselves, government doesn’t work as well as it needs to. A more productive attitude is to view security as an enabler of ongoing and new information technology efforts, providing a secure foundation for governments to take advantage of new technologies, provide employees and citizens with the ability to access the services they need from any device, and most importantly, streamline and improve those services.

In other words, we at SonicWall want to help state and local government IT security to become the Department of Yes. Making this change in viewpoint, doing security the right way, is the subject of the Government Computer News article, Take a Positive Approach to Security.

In the article, SonicWall’s Ken Dang goes into detail on how to accomplish this. Improving protection of government assets needs to be coupled with improving legitimate access to resources, which in turn improves efficiency, a key consideration for resource-constrained IT departments. Ken discusses a contextual approach to access, in which requests are evaluated on a case-by-case basis, with the particular user’s specific requests placed in the context of the time and place of the request itself.

For the contextual approach to be effective, access information needs to be shared among all the different security devices and solutions throughout the government’s IT. It’s important to have the proper tools to do this – which we’re happy to provide – but it requires breaking down organizational silos, getting people used to the idea that security is done better when the groups responsible for the many different aspects of security cooperate and communicate.

Contextual security particularly mandates this relationship when it comes to networks and user identities. Without transparency and full awareness between the two, the opportunity to improve overall security posture becomes a lost opportunity. But when government IT embraces that transparency and awareness, and leverages its capabilities by inspecting every packet on the network, even encrypted packets (which bear an increasing share of attack exploits) – that’s the path to security done right.

Add up all the above, couple it with our cost-effective, easy to install, SonicWall next-generation firewalls and other network security solutions, and IT security for state and local governments moves away from being an obstacle and towards being an enabler of better, more effective and responsive government.