7 Factors to Consider When Evaluating Endpoint Protection Solutions

The threat landscape is evolving. Attackers are getting craftier with infiltrating secure environments. Is your endpoint protection able to keep up? In many cases, organizations just aren’t sure.

The increase in the number of cyberattacks targeting endpoints — and attackers using craftier methods to gain access to user machines — has led to a highly competitive endpoint protection market. There’s plenty of confusion surrounding what differentiates one endpoint protection solution from another, let alone which product will meet your unique business needs.

Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace.

Instead, consider whether your approach to endpoint protection matches that of the providers you evaluate. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up?

Let’s take a look at seven basic checks that can help enhance endpoint compliance and lead to better protection against cyberattacks.

  1. Don’t underestimate the risks of mobility

    The traditional approach that legacy AV software is just there to protect your devices from malware and data loss creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from end-user behavior when they’re mobile and off-network.

    Today, users who log in from airports and cafés using public and open access points pose a greater threat to the corporate network.

    Modern, integrated security thinking understands that this means more than just anti-malware or AV coverage on the device. Off-network content filtering and media control are necessary adjuncts to protect your entire network, regardless of where the threat may come from.

    And when the agent cannot reach a confident verdict, a second layer of defense via a cloud-based malware analysis engine helps handle the case in real time.

  2. Avoid drowning in the noise of alerts

    Even today, some endpoint vendors still believe that the quantity — rather than the quality — of alerts is what should differentiate a superior product from the rest. But alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamoring for attention are as good as no alerts at all.

    The Target Corporation learned this lesson at a great cost. False positives (i.e., the boy who cried wolf) condition weary admins and SOC specialists to “tune out” things that may be the next big threat because they simply cannot cope with the quantity of work.

    Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands — whether that be one or 100 — automatically mapped into the context of an entire attack storyline.

  3. Secure the endpoint locally

    We live in the age of the cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too.

    If your security solution needs to contact a server before it can act (e.g., get instructions or check files against a remote database), you’re already one step behind the attackers.

    Make sure your endpoint protection solution can secure the endpoint locally, analyzing behavioral changes and identifying malicious processes without cloud dependency.

    And when using a cloud-based second layer, make sure the suspected threat is contained to eliminate impact while a verdict is made.

  4. Keep it simple, silly

    There’s power in simplicity, but today’s threat landscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may one day take themselves — and that knowledge — elsewhere.

    You want to be able to eliminate threats fast and close the gaps without needing a large or dedicated SOC team. Look for endpoint protection that takes a holistic approach, builds all the features you need into a unified client and is managed by a user-friendly console that doesn’t require specialized training.

  5. Build for the worst-case scenario

    Let’s face it, ANY protection layer can fail. It’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised?

    Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a vulnerability in a third-party application allowing cybercriminals to move around inside your environment undetected? Have you accounted for attackers who have embraced encrypted threats (e.g., HTTPS vectors) and acquired their own SSL certificates?

    The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL/TLS decryption capabilities so organizations can proactively apply deep packet inspection to SSL/TLS traffic (DPI-TLS/SSL) and block encrypted attacks. DPI-SSL technology provides additional security, application control and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

    In addition, drive visibility into application vulnerability risk and control over web content access to reduce the attack surface.

  6. Drive compliance across all endpoints

    It’s the quiet ones at the back you have to look out for. If your enterprise is 95% harnessed to one platform, it doesn’t mean you can write off the business risk presented by the other 5% as negligible.

    Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running. To avoid the risk of vulnerable endpoints connecting to your corporate network, integrate endpoint security with your firewall infrastructure and restrict network access for endpoints that don’t have endpoint protection installed on the machine.

    Remember, you’re only as strong as your weakest link.

  7. Don’t trust blindly

    Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too.

    With techniques like process-hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behavior of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing or is it exhibiting suspicious behavior?
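As an added example (not code from this post or from any SonicWall or SentinelOne product), the Python below shows what points 2 and 7 mean in practice: it takes a handful of constructed process and network events from one endpoint, never consults the processes’ signed/trusted status, scores each process on behavior (an Office application spawning a script host, an encoded PowerShell command line, a script host making an outbound connection or loading code from a user-writable path), and then rolls every finding in the same process tree into one incident that carries all related events. The field names, the sample events and the application lists are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not real logs). Field names are an
# assumption for this example: process-start and network-connection events
# from one host, in arrival order. Every process here is signed ("trusted").
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe", "signed": True},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",    "cmd": "winword.exe invoice.docm", "signed": True},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA", "signed": True},
    {"type": "netconn", "pid": 300, "dst": "203.0.113.7:443"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "rundll32.exe",   "cmd": "rundll32.exe C:\\Users\\Public\\x.dll,Run", "signed": True},
    {"type": "process", "pid": 500, "ppid": 100, "image": "chrome.exe",     "cmd": "chrome.exe", "signed": True},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ROOT_SHELLS = {"explorer.exe", "services.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


def build_tree(events):
    """Index process events by pid and record parent -> children links."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, children


def findings_for(proc, procs, events):
    """Behavioral checks: the 'signed' flag is deliberately never consulted."""
    out = []
    parent = procs.get(proc["ppid"])
    if parent and parent["image"] in OFFICE_APPS and proc["image"] in SCRIPT_HOSTS:
        out.append(f"{parent['image']} spawned {proc['image']}")
    if proc["image"] == "powershell.exe" and "-enc" in proc["cmd"].lower().split():
        out.append("powershell started with an encoded command")
    if proc["image"] in SCRIPT_HOSTS and any(
            e["type"] == "netconn" and e["pid"] == proc["pid"] for e in events):
        out.append(f"{proc['image']} made an outbound connection")
    if proc["image"] in SCRIPT_HOSTS and any(p in proc["cmd"].lower() for p in USER_WRITABLE):
        out.append(f"{proc['image']} loaded code from a user-writable path")
    return out


def storyline_root(pid, procs):
    """Walk up the tree until the parent is the user shell (or unknown)."""
    cur = procs[pid]
    while cur["ppid"] in procs and procs[cur["ppid"]]["image"] not in ROOT_SHELLS:
        cur = procs[cur["ppid"]]
    return cur["pid"]


def correlate(events):
    """Return one incident per attack storyline instead of one alert per finding."""
    procs, children = build_tree(events)
    incidents = {}
    for pid, proc in procs.items():
        found = findings_for(proc, procs, events)
        if not found:
            continue
        root = storyline_root(pid, procs)
        inc = incidents.setdefault(root, {"root": procs[root]["image"], "findings": []})
        inc["findings"].extend(found)
    # Attach the whole subtree so the analyst sees every related command, not only the flagged ones.
    for root, inc in incidents.items():
        subtree, stack = set(), [root]
        while stack:
            p = stack.pop()
            subtree.add(p)
            stack.extend(children.get(p, []))
        inc["pids"] = subtree
        inc["events"] = [e for e in events if e["pid"] in subtree]
    return list(incidents.values())


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"incident rooted at {inc['root']}: {len(inc['events'])} events, {len(inc['findings'])} findings")
        for f in inc["findings"]:
            print("  -", f)
```

Run on the sample, the four findings across two processes collapse into one incident rooted at winword.exe that carries all four related events, while the unremarkable browser process stays out of it; that is the "one alert with the whole storyline" shape rather than one alert per command.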

Endpoint protection integrated across your environment

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback.

The solution uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. It provides multi-layered defense against advanced threats, like fileless malware and side-channel attacks, using SentinelOne’s AI-driven behavioral analysis and SonicWall Real-Time Deep Memory Inspection™ (RTDMI) engine with the Capture Advanced Threat Protection (ATP) sandbox service.

The solution also delivers granular visibility into threat behavior, helping identify potential impact and remediation actions. A sound endpoint protection solution also should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and cloud.

Inside the Modern Phishing Campaigns of 2019

The world of cybersecurity is dominated by headlines of malware, ransomware, data breaches, app vulnerabilities, IoT threats and botnet attacks. But phishing has been a serious threat since the early 2000s and is widely regarded as the most common attack vector for cybercriminals.

Today, phishing is not about volume. These email threats are now tuned to successfully trick a high-value target into taking a desired action: clicking on a malicious link, opening a malware-laden file, providing a password or authorizing financial transactions.

In the current cyber arms race, threat actors are constantly trying to get around security systems. In the context of email as a threat vector, phishing has evolved into spear-phishing, impersonation and Business Email Compromise (BEC) types of attacks. These messages are highly targeted with extensive social engineering efforts to carefully select and study the victim.

Global phishing volume down, attacks more targeted

Published in the 2019 SonicWall Cyber Threat Report, our Capture Labs threat researchers recorded 26 million phishing attacks worldwide, a 4.1 percent drop from 2017. During that time, the average SonicWall customer faced 5,488 phishing attacks.

2018 Global Phishing Volume

As businesses get better at blocking email attacks and ensuring employees can spot and delete suspicious emails, attackers are shifting tactics. New data suggests they’re reducing overall attack volume and launching more highly targeted phishing attacks (e.g., Black Friday and Cyber Monday attacks).

Explore the five common tactics phishers are using to steal credentials, deploy malware, infiltrate networks and damage brands.

  1. Malicious URLs and fake or spoofed websites
    With improvements in secure email solutions that mitigate phishing, cybercriminals are resorting to innovative methods to execute targeted attacks, such as using weaponized URLs in email to deliver malicious payloads or creating phishing websites with fake login pages to harvest user login credentials. In late 2017, it was reported that nearly 1.5 million phishing sites are created each month. Detecting phishing sites has also become harder because phishers obfuscate phishing URLs with multiple redirections and URL shorteners.

    In addition, about half of these phishing sites are using HTTPS and SSL certificates, which make it easier for cybercriminals to deceive their victims.

    Source: “PhishPoint: New SharePoint Phishing Attack Affects an Estimated 10% of Office 365 Users,” Avanan, August 2018.

    According to Microsoft’s security intelligence report, “attackers increasingly use popular document sharing and collaboration sites and services to distribute malicious payloads and fake login forms that are used to steal user credentials.”
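To make the URL tactics above concrete, here is an added Python example (not from this post or from a SonicWall product) that triages the links in a constructed message body: it flags shortener domains, IP-literal hosts, the user@host trick, brand names appearing outside the brand’s own domains, and login-style paths, while giving HTTPS no credit at all. The shortener and brand lists, the registered-domain heuristic and the sample message are assumptions; offline code cannot follow redirect chains, so it judges only what the URL itself exposes.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for this example; a real deployment would use maintained feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
BRANDS = {  # brand keyword -> domains that legitimately host that brand's logins
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "sharepoint": {"sharepoint.com"},
    "paypal": {"paypal.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LOGIN_PATH_RE = re.compile(r"/(login|signin|verify|account)", re.I)


def registered_domain(host):
    """Approximate eTLD+1 as the last two labels. Without a public-suffix list
    this misjudges domains like example.co.uk; good enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rd = registered_domain(host)
    findings = []
    # user@host trick: everything before '@' is decoration, the real host follows it
    if parts.username is not None:
        findings.append(f"userinfo before '@' hides real host {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("IP-literal host")
    if rd in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    # Brand name anywhere in userinfo, host or path, but outside the brand's own domains
    haystack = ((parts.username or "") + host + parts.path).lower()
    for brand, legit in BRANDS.items():
        if brand in haystack and rd not in legit:
            findings.append(f"brand '{brand}' used outside its domains (host is {rd})")
    if findings and LOGIN_PATH_RE.search(parts.path):
        findings.append("login-style path on an already-suspicious URL")
    # The scheme earns no credit: HTTPS only shows the operator obtained a certificate.
    return {"url": url, "host": host, "https": parts.scheme.lower() == "https",
            "findings": findings}


def triage_email(body):
    """Extract every http(s) URL from a message body and triage each one."""
    return [triage_url(u) for u in URL_RE.findall(body)]


# Constructed message body: a lookalike host, a shortened link, a legitimate link
# and a user@host trick pointing at an IP address.
SAMPLE_BODY = """Your mailbox is almost full. Review your storage here:
https://login.microsoft.com.verify-account.example/signin
Or use the short link: https://bit.ly/3abcXYZ
Official help: https://www.microsoft.com/en-us/
Unrelated invoice: http://paypal.com@198.51.100.23/login
"""

if __name__ == "__main__":
    for r in triage_email(SAMPLE_BODY):
        print(r["url"], "->", r["findings"] or "no findings")
```

Note that the first link is served over HTTPS and still collects two findings, while the genuine microsoft.com link collects none: the decision rests on where the host actually sits in the DNS hierarchy, not on the padlock.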

  2. Phishing targeting Office 365 applications, users
    SaaS and webmail services are increasingly targeted by phishing campaigns. According to the Anti-Phishing Working Group (APWG), phishing that targeted SaaS and webmail services doubled in the fourth quarter of 2018. As Office 365 gains adoption as the most popular cloud email platform across organizations of all sizes and verticals, it comes as no surprise that Microsoft is the most impersonated brand.

    “As Microsoft’s SEG market share increases, smart attackers will specifically target Microsoft’s defenses,” reports Gartner.

    This is not inconceivable because an Office 365 subscription is available to anyone with a credit card, making its security features very accessible to cybercriminals. This theoretically enables criminal groups to design phishing campaigns that can evade Microsoft’s native defenses. In fact, in another report, researchers found 25% of phishing emails bypass Office 365 security.

  3. Compromised credentials
    In January 2019, security researcher Troy Hunt discovered “Collection 1,” a trove of 773 million email addresses and 21 million passwords available for sale on a hacker forum. These compromised user IDs and password combinations are used to carry out attacks from the inside. A common attack is account takeover, in which threat actors compromise employee corporate credentials either by launching a credential phishing campaign against an organization or by buying credentials on the dark web that leaked through third-party data breaches. The threat actor can then use the stolen credentials to gain additional access or escalate privileges. Compromised credentials may remain undiscovered for months or years.
  4. Impersonation, CEO fraud and Business Email Compromise (BEC)
    According to the FBI, Business Email Compromise, or BEC, is a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. These types of attacks are hard to stop because they contain no malicious links or attachments, only a message to the victim, seemingly from a trusted sender, requesting a transfer of funds.

    The FBI Internet Complaint Center (IC3) reported last summer that from October 2013 to May 2018, total losses worldwide for known BEC scams hit $12.5 billion.
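Because BEC messages carry no malware, detection has to come from the headers and the wording. The added Python example below (not from this post or from a SonicWall product) checks a constructed message for the signals described above: a display name claiming an executive while the sender domain is external, a lookalike sender domain within a small edit distance of the company’s own, a Reply-To that diverts replies elsewhere, and financial-request language that only counts once something else already looks wrong. The company domain, executive names and both sample messages are assumptions for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example: the protected organisation's mail domain and
# the people whose names are most worth impersonating.
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john roe"}
MONEY_RE = re.compile(r"\b(wire|transfer|payment|invoice|gift card|urgent)\b", re.I)


def levenshtein(a, b):
    """Edit distance; a value of 1 or 2 between two domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    # Display-name impersonation: executive's name, but the address is not ours
    clean_name = re.sub(r"[^a-z ]", " ", name.lower())
    if from_dom != CORP_DOMAIN and any(ex in clean_name for ex in EXECUTIVES):
        findings.append(f"display name claims an executive but sender domain is {from_dom}")
    # Lookalike domain: one or two characters away from the real one
    if from_dom != CORP_DOMAIN and 0 < levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"sender domain {from_dom} is a lookalike of {CORP_DOMAIN}")
    # Replies silently routed to a third mailbox
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To diverts replies to {reply_dom}")
    # Money talk is normal in finance mail, so it only adds weight to an already-odd message
    if findings and MONEY_RE.search(text):
        findings.append("financial request language on a suspicious message")
    return findings


# Constructed sample messages (no real people or domains).
SUSPICIOUS = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: ap@example-corp.com
Subject: Urgent wire transfer

Please process a wire transfer of $48,000 to the new vendor account today.
I am in meetings all day and cannot take calls.
"""

BENIGN = """From: "Jane Doe" <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q3 invoice approvals

Attached are the approved invoices for Q3.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", triage_message(raw) or "no findings")
```

The benign message mentions invoices and comes from the real CEO address, so it produces nothing; the lookalike message trips all four checks even though it contains no link and no attachment.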

  5. Malicious PDF files and Office doc attachments
    Email attachments are a popular delivery mechanism for malicious payloads, such as ransomware and never-before-seen malware. SonicWall Capture Labs threat researchers recently found a substantial increase in malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations. I recommend reading “New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics,” written by Dmitriy Ayrapetov, Executive Director of Product Management, to learn more about these types of phishing campaigns and how you can stop them.


Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.
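As an added example of what a defender can check statically (not SonicWall’s code, and not a description of how RTDMI works), the Python below scans PDF bytes for the names that enable the behaviors described above (/JavaScript, /OpenAction, /AA, /Launch, /XFA, /AcroForm, /URI and so on), decodes the #xx hex escapes that PDF allows inside names so that /J#61vaScript is not missed, and inflates FlateDecode streams so that names hidden in compressed content are counted too. It builds its own small, harmless sample file; that file, the list of names and the stream-parsing shortcuts (direct /Length values only, no xref parsing) are assumptions of the example.

```python
import re
import zlib

# Names whose presence warrants a closer look. /ObjStm means objects are packed
# into compressed object streams, so a raw scan alone may be missing the others.
RISKY = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/XFA",
         "/AcroForm", "/URI", "/EmbeddedFile", "/RichMedia", "/ObjStm"]


def normalize_names(data):
    """Decode #xx hex escapes in PDF names so /J#61vaScript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the decompressed body of every stream with a direct /Length that
    inflates cleanly; indirect lengths (/Length 6 0 R) are not handled here."""
    for m in re.finditer(rb"/Length (\d+)[^>]*>>\s*stream\r?\n", data, re.S):
        body = data[m.end(): m.end() + int(m.group(1))]
        try:
            yield zlib.decompress(body)
        except zlib.error:
            continue


def scan_pdf(data):
    """Count risky names in the raw file and inside inflated streams."""
    inflated = list(inflate_streams(data))
    views = [normalize_names(data)] + [normalize_names(s) for s in inflated]
    counts = {}
    for name in RISKY:
        pat = re.escape(name.encode()) + rb"(?![A-Za-z])"  # /JS must not match /JSX
        counts[name] = sum(len(re.findall(pat, v)) for v in views)
    indicators = {k: v for k, v in counts.items() if v}
    # Script wired to an open or page/annotation event is the combination that matters most.
    auto_script = bool(indicators.get("/OpenAction") or indicators.get("/AA")) and \
        bool(indicators.get("/JavaScript") or indicators.get("/JS"))
    return {"indicators": indicators, "auto_script": auto_script,
            "inflated_streams": len(inflated)}


def build_sample_pdf():
    """Constructed demo file, not malware: /OpenAction points to a JavaScript
    action whose /S name is hex-obfuscated, and a FlateDecode stream hides a
    /URI action. No xref table is written; the file is for scanning, not opening."""
    hidden = zlib.compress(b"<< /S /URI /URI (https://example.invalid/collect) >>")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /J#61vaScript /JS (app.alert(1)) /Next 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden) + hidden + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, obj) for i, obj in enumerate(objects, 1))
    return b"%PDF-1.7\n" + body + b"%%EOF\n"


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    print("indicators:", report["indicators"])
    print("auto-executing script:", report["auto_script"])
```

A plain string search would see neither the obfuscated /JavaScript name nor the /URI action inside the compressed stream; the scan reports both and flags the open-on-load script combination, which is the point at which a user-side mitigation such as disabling Acrobat JavaScript starts to matter.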

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change your preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware wants to really do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud, hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends advanced endpoint security, such as Capture Client powered by SentinelOne, which constantly monitors system behavior for malicious activity. Capture Client stops threats before they execute, and its EDR capabilities stop them as they execute, show where they came from, and provide remediation steps, such as rollback, if they do fully execute.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory Inspection™ (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”

5 Tips to Keep You Cybersecure During Holiday Travel

The holiday season is one of the busiest times of the year for travel, which means it’s also one of the most vulnerable times of the year for travelers’ belongings, including sensitive personal data.

Those looking forward to spending time away from the office and relaxing with friends and family are likely making plans to secure their belongings at home, but what about securing devices and data?

Year-to-date attack data through November 2018 shows an increase in attacks across nearly all forms of cybercrime, including increases in intrusion attempts, encrypted threats, and malware attacks.

Below are some simple ways to consider protecting your cyber assets and have peace of mind during a well-earned holiday break.

  1. Lock Devices Down
    While traveling, lock all your mobile devices (smartphones, laptops and tablets) via fingerprint ID, facial recognition or a PIN. This will be the first line of defense against a security breach in the event that any of your devices have been momentarily misplaced or forgotten.
  2. Minimize Location Sharing
    We get it! You want to share the fun memories from your trip with your friends and family on social media. However, excessive sharing, especially of location data, creates a security threat at home. If you’re sharing a photo on a boat or at the Eiffel Tower, it’s easy for a criminal to determine you’re not at home or in your hotel room, which leaves the personal property you left behind vulnerable to theft or breach. If you must share location data, wait until after you have returned home to geotag that selfie from your trip.
  3. Bring Your Own Cords and Power Adapters
    Cyber criminals have the ability to install malware in public places such as airport kiosks and USB charging stations. If you are unable to find a secure area to charge your devices or you are unsure of the safety of the charging area, power your device down prior to plugging it in.
  4. Disable Auto-Connect
    Most phones have a setting that allows a device to automatically connect to saved or open Wi-Fi networks. This feature is convenient when used at home, but can leave your device vulnerable to threat actors abusing it for man-in-the-middle attacks. Disable the auto-connect features on your devices and wipe saved network SSIDs from the device prior to your trip to avoid exploitation.
  5. Be Cautious of Public Wi-Fi
    Free Wi-Fi access can often be found at coffee shops and in hotel lobbies as a convenience to travelers, but unencrypted Wi-Fi networks should be avoided. Before you connect to a new Wi-Fi source, ask for information about the location’s protocol, and if you must use a public Wi-Fi connection, be extra cautious. Use a VPN to log in to your work networks and avoid accessing personal accounts or sensitive data while connected to a public Wi-Fi source.

Cybercrime is Trending up During the Holiday Season

For the 2018 holiday shopping season, SonicWall Capture Labs threat researchers collected data over the nine-day Thanksgiving holiday shopping window and observed a staggering increase in cyberattacks, including a 432 percent increase in ransomware and a 45 percent increase in phishing attacks.

LIVE WORLDWIDE ATTACK MAP

Visit the SonicWall Security Center to see live data including attack trends, types, and volume across the world. Knowing what attacks are most likely to target your organization can help improve your security posture and provide actionable cyber threat intelligence.

October 2018 Cyber Threat Data: Web App Attacks, Ransomware Continue Upward Trend

Throughout 2018, we’ve been sharing monthly updates on the cyber threat data recorded and analyzed by SonicWall Capture Labs, highlighting cyberattack trends and tying it back to the overall cyber threat landscape.

Now, cyber threat intelligence from the SonicWall Capture Security Center is even deeper. The tool now provides empirical data on cyberattacks against web applications. In an increasingly virtual and cloud-connected world, protecting web apps is just as critical as defending more traditional networks.

In October, the overall number of web application attacks continued to rise sharply. We tracked over 1.8 million web app attacks, more than double the volume of attacks for the same time period in 2017.

One factor influencing this is the continued explosive growth of the Internet of Things (IoT), which has added billions of connected devices online, each bringing new and unique potential for vulnerabilities and weaknesses.

While headline-grabbing news often focuses on processor attacks like Spectre or Meltdown, companies that aren’t using security measures like SonicWall Capture Advanced Threat Protection with Real-Time Deep Memory Inspection (RTDMI) can leave their standard applications exposed to cybercriminals who are always looking for a weakness.

The volume of ransomware attacks also continued its global upward trend in October. So far in 2018 we’ve seen over 286 million worldwide attacks, up 117 percent from 132 million this time last year. On an individual customer level, that’s 57 attacks per day per customer, an increase from only 14 in October last year.

The growing frequency and complexities of cyberattacks paint a dire picture for global businesses of all sizes. The good news is that by assessing your business’s cybersecurity risk, improving overall security behavior, and ensuring that you are utilizing the right cybersecurity solutions for your business, it’s possible to protect your business from most data breaches.

October Attack Data

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through October 2018:

  • 9.2 billion malware attacks (44 percent increase from 2017)
  • 3.2 trillion intrusion attempts (45 percent increase)
  • 286.2 million ransomware attacks (117 percent increase)
  • 23.9 million web app attacks (113 percent increase)
  • 2.3 million encrypted threats (62 percent increase)

In October 2018 alone, the average SonicWall customer faced:

  • 1,756 malware attacks (19 percent decrease from October 2017)
  • 819,947 intrusion attempts (17 percent increase)
  • 57 ransomware attacks (311 percent increase)
  • 8,742 web app attacks (185 percent increase)
  • 152 encrypted threats (12 percent increase)
  • 12 phishing attacks each day (19 percent decrease)

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about, so they can design and test their security posture to ensure their networks, data, applications and customers are properly protected.

Report: Business Email Compromise (BEC) Now A $12.5 Billion Scam

Email continues to be the top vector used by cybercriminals, and business email compromise (BEC) is gaining traction as one of the preferred types of email attacks.

BEC attacks do not contain any malware and can easily bypass traditional email security solutions. For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages.

What makes these attacks dangerous is that the email usernames and passwords of corporate executives are easily available to cybercriminals on the dark web, presumably due to data breaches of third-party websites or applications.

“Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations,” says Gartner in its recent report, Fighting Phishing – 2020 Foresight.

What is Business Email Compromise?

BEC attacks spoof trusted domains, imitate brands and/or mimic corporate identities. In many cases, the emails appear to come from a legitimate or trusted sender, or from the company CEO, typically asking for wire transfers.

According to the FBI, BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. This is a very real and growing issue. The FBI has issued a public service announcement stating that BEC is a $12.5 billion scam.

Types of BEC or Email Fraud

Email has been around since the 1960s, and the current internet standard for email communication — Simple Mail Transfer Protocol (SMTP) — was not designed to authenticate senders or verify the integrity of received messages. Therefore, it’s easy to fake or “spoof” the source of an email. This weak sender identification will continue to present opportunities for creative attacks.

For example, here is a screenshot of a recent spoofing email that I encountered. The message seemingly originated from my colleague. The displayed sender’s name invokes immediate recognition for the recipient. But a closer examination of the sender’s domain reveals the suspicious nature of the email.

Now, let’s look at the different types of spoofing techniques a threat actor might use to initiate an attack:

Display Name Spoofing
This is the most common form of BEC attack. In this case, a cybercriminal tries to impersonate a legitimate employee, typically an executive, in order to trick the recipient into taking an action. The domain used could be from a free email service such as Gmail.

Domain Name Spoofing
This includes either spoofing the sender’s “Mail From” to match that of the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a fraudulent “Reply-To” domain in the message header.

Cousin Domain or Lookalike Domain Spoofing
This type of attack relies on creating visual confusion for the recipient. This typically involves using sister domains such as “.ORG” or “.NET” instead of “.COM,” or swapping out characters, such as the numeral “0” for the letter “O,” an uppercase “I” for a lowercase “L.” This is also sometimes referred to as typosquatting.

Compromised Email Account or Account Take Over (ATO)
This is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds or data theft.
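The three header-level spoofing types above (display name, Mail From/Reply-To mismatch, cousin domain) can be checked mechanically before a message reaches a user. The following is an added example, not SonicWall code; the protected domain `example.com`, the employee directory and the sample messages are constructed for illustration.

```python
"""Header checks for the BEC spoofing types described above.

Added example, not SonicWall code. The protected domain, the employee
directory and the sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: the protected domain
DIRECTORY = {"jane doe": "jane.doe@example.com"}     # assumption: real staff addresses

# Fold the swaps the text mentions (0 for O, I/1 for l, rn for m) so that a
# cousin domain normalizes onto the genuine one before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l"})


def normalize(label):
    return label.lower().replace("rn", "m").translate(HOMOGLYPHS)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def check(raw):
    """Return the list of spoofing indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    from_dom = domain_of(sender)
    findings = []

    # Display name spoofing: a known employee's name on a foreign address.
    key = name.strip().lower()
    if key in DIRECTORY and sender.lower() != DIRECTORY[key]:
        findings.append("display-name-spoof")

    # Domain name spoofing: replies routed to another domain, or an envelope
    # sender (Return-Path) that does not match an internal header From.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    if from_dom == INTERNAL_DOMAIN and envelope and domain_of(envelope) != from_dom:
        findings.append("envelope-from-mismatch")

    # Cousin / lookalike domain: same name after folding, or a sister TLD.
    if from_dom and from_dom != INTERNAL_DOMAIN:
        sus_name, _, sus_tld = from_dom.rpartition(".")
        real_name, _, real_tld = INTERNAL_DOMAIN.rpartition(".")
        if normalize(sus_name) == normalize(real_name):
            findings.append("lookalike-domain" if sus_tld == real_tld else "sister-tld-domain")
    return findings


# Constructed samples: one per spoofing type plus a clean control.
MSG_DISPLAY = "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: ap@example.com\nSubject: Urgent wire\n\nPay today.\n"
MSG_REPLYTO = "From: Jane Doe <jane.doe@example.com>\nReply-To: <jane.doe@mail-example.net>\nTo: ap@example.com\n\n"
MSG_COUSIN = "From: Vendor Billing <billing@examp1e.com>\nTo: ap@example.com\nSubject: New bank details\n\n"
MSG_CLEAN = "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Lunch\n\n"

if __name__ == "__main__":
    for label, raw in [("display", MSG_DISPLAY), ("reply-to", MSG_REPLYTO),
                       ("cousin", MSG_COUSIN), ("clean", MSG_CLEAN)]:
        print(label, check(raw))
```

The folding in `normalize` is deliberately coarse: it is meant to raise a review flag, not to replace SPF/DKIM/DMARC verification.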

Best Practices for Stopping BEC Attacks

Concerned your organization could fall prey to business email compromise? Here are some email security best practices that you can implement to protect against sophisticated BEC attacks.

  1. Block fraudulent emails by deploying Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) capabilities.
  2. Enable multi-factor authentication and require regular password changes to stop attacks from compromised accounts.
  3. Establish approval processes for wire transfers.
  4. Deliver periodic user-awareness training for a people-centric approach to combat email attacks.

How to Stop Email Spoofing

Whether it’s CEO fraud, forged emails, business email compromise (BEC), impostor emails or impersonation attacks, all email spoofing attacks present a dangerous risk to organizations. Review the solution brief to gain four key best practices to help mitigate the email spoofing attacks that impact your business.

May 2018: Cyberattack Volume Continues to Rise, Ransomware Attempts Jump 299 Percent

The very latest cyber threat intelligence for May 2018 depicts increases in a number of attack areas, particularly when compared against 2017 cyber threat data. Through May 2018, SonicWall Capture Labs threat researchers have recorded:

Global Cyberattacks — May 2018

  • 2 million malware attacks (64 percent year-over-year increase)
  • 9 million ransomware attacks (78 percent year-over-year increase)
  • 238,828 encrypted threats (142 percent year-over-year increase)

Global Cyberattacks — Year to Date

  • 5 billion malware attacks (128 percent increase)
  • 2 million ransomware attacks (299 percent increase)
  • 2 million encrypted threats (283 percent increase)

To put these numbers in a more practical light, it’s helpful to break them down by customer. In May 2018 alone, the average SonicWall customer faced:

  • 2,302 malware attacks (56 percent year-over-year increase)
  • 62 ransomware attacks (69 percent year-over-year increase)
  • Almost 94 encrypted threats
  • Over 14 phishing attacks per day

With each passing month, cybercriminals continue to perpetrate cyberattacks at an ever-accelerating rate. It is interesting to note that although encrypted traffic is actually down slightly when compared with last year, encrypted threats have more than doubled. This points to cybercriminals who are more aware of the efficacy of encrypting their attacks.

In addition, phishing attacks have increased by almost 40 percent since last month. To better educate your end users and follow secure email best practices, use the phishing IQ test to increase their suspicions when opening emails, particularly from unknown senders.

As the cyber war continues between threat actors and security professionals, arming your organization with the latest cyber threat intelligence is critical to implementing or improving a sound security posture. As long as vulnerabilities exist, there are threat actors working to exploit them.

Find Threat Metrics When You Need Them

Would you like to keep up-to-date on threat metrics, security news and worldwide cyberattacks? The SonicWall Security Center has all of this and more.


Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personally identifiable information (PII) in order to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Malware delivered via email attachment runs when the attachment is opened, allowing a hacker to exploit vulnerabilities on your computer. Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: Makes it easier for a hacker to impersonate someone you’d normally trust (e.g., coworker, bank, government agency).

Take the Phishing IQ Test

Interested in seeing how good you are at telling the difference between a legitimate website and one that is a phishing attempt? Take the SonicWall Phishing IQ Test to find out.

Take Control of Your Network During the Holiday Shopping Season

It’s the holiday season and that means we’re all busy with fun activities. Take online shopping for example. Many of us will do it between Black Friday and New Year’s, even for just a little while. Some of us do it at work. When employees spend time shopping online during work hours it presents challenges for any organization. Perhaps the three biggest challenges are network security, employee productivity and bandwidth consumption.

How popular is online shopping? Last year, data from the National Retail Federation (NRF) revealed that retail holiday buying increased 4.1% to just over $600 billion. Much of that shopping was done online. This year the NRF is forecasting retail sales of $630 billion, up 3.7% over 2014. According to an NRF survey almost half of all holiday shopping, whether it’s making a purchase or merely browsing, will again be done online this year. Let’s take a look at the impact this has on organizations and the steps you can take to overcome the challenges online shopping poses.

Network security

  • Malware – Employees who shop online at work inadvertently create opportunities for malicious attacks directed at your network and your organization. The most common threats are viruses, worms, Trojans and spyware.
  • Phishing – Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from unsuspecting recipients.
  • Malicious advertising – Commonly referred to as “malvertising,” this threat uses online advertising to spread malware which can then capture information such as credit card and social security numbers from infected machines.

Employee productivity

  • The big drain – With workers bringing their own smartphones and tablets into the office, we’re seeing an increased blurring of the line between work life and personal life as employees exercise more freedom to use these devices for personal activities such as online shopping during work hours. When they’re shopping on company time, they’re not working, so their productivity decreases.

Bandwidth consumption

  • Disappearing bandwidth – With about half of your employees shopping online during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use.

While you can’t completely eliminate threats to your network, drops in productivity and misuse of valuable bandwidth, there are measures you can take that are well within the reach of your organization simply by practicing good digital hygiene. Here are five things your organization can do to reduce the risks of a successful attack while maintaining productivity levels and conserving bandwidth.

  1. Help employees learn how to avoid malvertising and recognize phishing emails. Be on the lookout for suspicious emails and links, especially those requesting sensitive information.
  2. Educate employees to use different passwords for every account. Establish policies for strong passwords such as guidelines regarding password length, the use of special characters and periodic expiration, and reduce the number of passwords through single sign-on.
  3. Because many attacks are based on known vulnerabilities in browsers including Internet Explorer, as well as in plug-ins and common apps, it’s critical to apply updates and patches promptly and reliably. They will contain fixes that can block exploits.
  4. Make sure you install an intrusion prevention system and gateway anti-malware technology on your network. They add important layers of protection by blocking Trojans, viruses, and other malware before they reach the company network. They can also detect and block communications between malware inside the network and the cybercriminal’s server on the outside.
  5. Take back control of your network by limiting the use of your bandwidth to business-related activities. There are several technologies available such as content and URL filtering that can be used to prevent employees from visiting websites dedicated to shopping and other non-productive topics. Also, application control provides the tools to restrict the use of applications such as social media to employees who have a business reason to use them.

SonicWall offers a complete range of industry-leading next-generation firewalls that secure your network from threats and give you the controls to keep employee productivity high and bandwidth focused on business-critical applications. To learn more about how these solutions can help you during the holiday shopping season and beyond, please visit our website.