
How SonicWall Signature “Families” Block Emerging Ransomware Variants

When you look at the most damaging network security invasions over the last year, you see a recurring pattern: leaked government cyber tools being repurposed by cybercriminals. The compromised NSA toolset leaked by Shadow Brokers was devastating in many respects. These were highly targeted tools that many nation states wish they had the operational capacity to deploy.

But the tools developed by the NSA fell into the hands of criminals, who used them not for state-backed cyber espionage, but for financial gain. They repurposed these tools into WannaCry, Petya and, most recently, BadRabbit, as a means to install ransomware, encrypt information and keep it hostage until a targeted victim pays to release it, typically via Bitcoin.

Alas, sometimes victims pay and the data is still not released. Sometimes, other actors see that an organization has been held hostage and send their own ransom demands, even though they are not affiliated with the original ransomware creators. The victim organization pays for this misdirection but still cannot unlock its files. It is out the money, and damages are incurred. “There is no honor among thieves,” as they say.

WannaCry, Petya and BadRabbit form a “family” of ransomware variants developed from the same leaked NSA tools. It is when there are these multiple attacks using the same family of exploits that SonicWall can give you breathing room and help you sleep at night.

To explain, first let me discuss how signatures work in our next-generation firewalls (NGFWs). Individual signatures exactly match bit patterns from IP-based frame payloads to detect a specific variant of malware. Our award-winning Capture ATP technology, a multi-engine network sandbox, not only stops unknown and zero-day threats from entering networks, but also helps create new signatures for detecting emerging malware.

Few vendors look at both incoming and outgoing packets for malware, as it can be a large performance hit to do both. Most vendors are only concerned with traffic going from the internet to the trusted zones and only inspect this pattern. Yet SonicWall inspects every single packet in each direction.

Why? Well, if you own a network and somehow a device is compromised, the only way you will find out is by seeing what it sends out. Is it talking to a command-and-control server (C&C)? Is it sending malware out, as infected machines do? Without scanning every packet, you do not have visibility of your internal network. While it is important to block incoming malware, it’s also important to determine what machines may have been infected and are trying to send data outside your organization.

This brings us back to our “family” of signatures. Have you ever wondered why SonicWall uses a different naming convention than other well-known malware strains? It’s because we find them first, and give them their own names. Other vendors do this too, but we are vastly different. I am proud to say that SonicWall is extremely competent in creating a family of signatures to cover many individual signatures with one pass. SonicWall uses a fast memory-tree lookup as packets pass through the NGFW with our family of signatures, so only one lookup is needed. This is an extremely fast method of traffic processing.

Sometimes in sales, we have to quote statistics in answer to questions, such as “How many signatures do you store on the firewall?” And we dutifully respond, “Over 32,000 locally, with more in the cloud.” But this only tells part of the story. With our family of signatures, one family will catch 100 or more variations of one signature.
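To make the single-pass idea concrete, here is an added example (not SonicWall's code) that uses an Aho-Corasick automaton as a stand-in for the memory-tree lookup described above: many variant patterns map to one family name, and each payload byte is examined once however many patterns are loaded. The family names and byte patterns are constructed placeholders, and carrying the automaton state from one packet to the next is an assumption about how a match that straddles a packet boundary can be caught without buffering the stream.

```python
from collections import deque

# Constructed placeholder patterns and family names, not real signatures.
FAMILIES = {
    "Demo.RansomFamily": [b"\x90DEMO-V1\x00", b"\x90DEMO-V2\x00", b"DEMO-V3!"],
    "Demo.BeaconFamily": [b"beacon-id="],
}

class FamilyMatcher:
    """Aho-Corasick automaton: every variant pattern checked in one pass."""

    def __init__(self, families):
        # Per node: byte -> child edges, failure link, families matched here.
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for family, patterns in families.items():
            for pattern in patterns:
                node = 0
                for byte in pattern:
                    if byte not in self.goto[node]:
                        self.goto.append({})
                        self.fail.append(0)
                        self.out.append(set())
                        self.goto[node][byte] = len(self.goto) - 1
                    node = self.goto[node][byte]
                self.out[node].add(family)
        # Breadth-first: link each node to its longest proper suffix in the tree.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                f = self.fail[node]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                self.out[child] |= self.out[self.fail[child]]
                queue.append(child)

    def scan(self, payload, state=0):
        """Scan one packet; return (families hit, state for the next packet)."""
        hits = set()
        for byte in payload:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits |= self.out[state]
        return hits, state

def inspect_flow(matcher, packets):
    """Carry the automaton state across packets instead of buffering them."""
    hits, state = set(), 0
    for payload in packets:
        found, state = matcher.scan(payload, state)
        hits |= found
    return hits
```

The same matcher can be run over outbound payloads as well as inbound ones, which is the both-directions inspection the post argues for.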

Going back to WannaCry, SonicWall created a family that caught WannaCry right after it was announced to the public. Since the NSA leak variants caused Petya and BadRabbit derivatives, the family signature in your SonicWall firewall blocked all these new attack vectors.

Even though these new variants were targeted deliveries to networks, SonicWall blocked all these different bit patterns as part of our WannaCry signature family. The signature updates were performed in the background – as you enjoyed the holidays with your friends and family.

Three Tough Questions You Must Ask About HTTPS to Avoid Cyber Attacks

Preventing your organization from being the victim of an inevitable cyber-attack is paramount, so it is important for us to kick off this blog with an important risk question.

Do you know whether or not your organization’s firewall is inspecting HTTPS traffic traversing its networks?

I have polled this question on numerous webinars I have conducted over the past year. The results consistently showed the majority of organizations have yet to perform HTTPS inspection as part of their defense strategy. With HTTPS on the rise, accounting for nearly two-thirds of your organization’s internet traffic today, hackers have expanded their craft to use the protocol to obfuscate their attacks and malware from security systems. Your timely response to this new threat could mean the difference between experiencing a material breach versus successfully averting one. Of course, the latter would be desirable. So, should you have the slightest doubt about your organization’s security posture to deal with encrypted threats, I want you to immediately pause and resume reading this post after you have spoken to your IT security leaders. I’d like you to raise your concerns about the potential millions of intrusions and tens of thousands of malware attacks launched against your organization each and every hour – many of which are likely new versions of ransomware delivered inside of HTTPS sessions. If the firewall is not inspecting this traffic, it would not have the ability to understand what is inside that traffic – whether a file is benign or malicious, whether credit cards are being stolen, or whether financial and health records are being shared with an external system. I hope you return to this blog with a sigh of relief that your organization is not among the majority of respondents that do not.

You got the good news that your organization is inspecting HTTPS traffic. The next logical question is:

“Has your organization experienced frequent network service disruptions or downtime as a result of a total collapse of your firewall performance when inspecting HTTPS traffic?”

Inspecting encrypted traffic is not without its set of big challenges. There are two key components of HTTPS inspection that severely impact firewall performance – establishing a secure connection and decrypting and later re-encrypting packets for secured data exchange. Unlike inspecting internet traffic in plain text, encrypted traffic introduces six additional compute processes that must occur before data is sent back and forth between a client’s browser and the web server over an HTTPS connection. Each process is highly complex and compute-intensive. Most firewall designs today don’t provide the right combination of inspection technology and hardware processing power to handle HTTPS traffic efficiently. They often collapse under the load and subsequently disrupt business-critical operations. According to NSS Labs, the performance penalty on a firewall when HTTPS inspection is enabled can be as high as 81 percent. In other words, your firewall performance is degraded to a level that it is no longer usable.

This leads us to the final and most important question:

“How can you scale firewall protection to prevent performance degradation, lag and latency of your network when inspecting HTTPS traffic?”

The right answer begins with the right inspection architecture as the foundation. Most modern firewalls today have deep packet inspection (DPI) capability claiming to solve many of the above security and performance challenges. However, not all firewalls perform equally or as advertised in the real world. In fact, many of them have inherent design inefficiencies that reduce their ability to handle today’s massive shift towards an all-encrypted Internet. You have one of two choices when it comes to inspection technology. These are Reassembly-Free Deep Packet Inspection (RFDPI) and Packet Assembly-based. Each uses a different inspection method to scan and analyze data packets as they pass the firewall. You will quickly discover the performance of most firewalls will collapse under heavy HTTPS load. To avoid a post-deployment surprise, my recommendation is to do your due diligence. Thoroughly qualify and measure all firewalls under consideration and select one that meets both your desired level of performance and security effectiveness without hidden limitations. These are fundamental metrics that you want to heavily scrutinize when selecting a firewall to perform HTTPS inspection. Establishing the right firewall foundation will give you the agility to scale your security layer and solve the performance burden of inspecting HTTPS traffic inside your data center operations.

Uncovering evasive threats hiding inside encrypted network traffic is central to the success of your network defense. For more detailed information, read our Executive Brief titled, “The Dark Side of Encryption – Why your network security needs to decrypt traffic to stop hidden threats.”