Posts

6 Reasons to Switch to SonicWall Capture Client from Sophos Intercept X

While Sophos claims to be a leading next-generation antivirus solution, are they really able to protect your organization’s endpoints — not to mention the rest of your network ­— in today’s threat landscape?

SonicWall Capture Client, powered by SentinelOne, was designed to deliver stronger security with better functionality against ransomware and other advanced cyberattacks. Explore these six key reasons to switch to SonicWall Capture Client:

  1. Certified for business.
    Although Sophos Intercept X is recommended by NSS Labs, it is not certified by OPSWAT and AV-Test. SentinelOne, the core engine within Capture Client, is also recommended by NSS Labs and has certifications for OPSWAT and has AV-Test certifications for corporate use. Capture Client is also compliant with HIPAA and PCI mandates.
  2. True machine learning.
    Sophos only leverages machine learning as code executes on a system. In contrast, Capture Client applies machine learning before, during and after execution to reduce the risk of compromise to your endpoints, thereby better protecting your business.
  3. Real remediation.
    Sophos Intercept X relies on the Sophos Cleaner to restore potentially encrypted files. Not only can it be bypassed, but it is limited to using 60 MB of cache to save up to 70 “business” file types. Capture Client creates shadow copies of your data, which does not discriminate on size or file type. Capture Client rollback capabilities revert the impact of a malware attack, leaving the device clean and allowing the user to continue working — all without any risk of further damage.
  4. Firewall synergies.
    Although Sophos Endpoint Protection is closely linked to their next-generation firewall, this integration is lacking on Intercept X. Capture Client goes beyond the endpoint and has built-in synergies with SonicWall next-generation firewalls (NGFW). Although not required, when combined with a SonicWall next-generation firewall, it can enforce use of the client and redirect non-Capture Client users to a download page to update the endpoint.
  5. Easy digital certificate management.
    With more than 5 percent of malware using SSL/TLS encryption today, the inspection of encrypted traffic is vital. Sophos firewalls have limited SSL/TLS decryption capabilities, nor do they offer automated re-signing certificate distribution. Capture Client makes it easy to install and manage re-signing digital certificates required for SSL/TLS decryption, inspection and re-encryption.
  6. Better roadmap.
    In September 2018, SonicWall will add network sandboxing. Capture Client will be able to route suspicious files to the award-winning, multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox service to more forcibly examine code in ways an endpoint can’t (e.g., fast- forward malware into the future). Administrators will be able to query known verdicts for the hashes of their suspicious files without having to upload them for analysis.

If you’d like to see for yourself the difference Capture Client makes over a limited and aging endpoint solution, contact us or ask your SonicWall partner representative for a one-month trial. Existing customers can log in to MySonicWall to begin the trial today.

Ready to ditch Sophos?

Strengthen your security posture today. Switch now and receive up to 30 percent* off of SonicWall Capture Client endpoint protection. It’s the smart, cost-effective approach for extending security to endpoints that exist outside of the network.

LEARN MORE

Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works

Last year, SonicWall discovered and created protections for more than 56 million new forms of malware.  Because it takes time to create and roll out hundreds of thousands of protections each day, something must be done to discover and stop unknown malware, namely zero-day attacks.

The answer is Capture Advanced Threat Protection (ATP), a cloud sandbox and a core part of the SonicWall Capture Cloud Platform. In order to stop new cyberattacks, this isolated environment — independent from your network — runs suspicious files to understand their objectives.

Because of its effectiveness, SonicWall makes it available on our firewalls, email security solutions, Secure Mobile Access (SMA) and Capture Client Advanced endpoint protection solutions. Each of these use Capture ATP in different ways:

  • For firewalls: In the case of the firewall, a broad range of file types are sent over if they are greylisted, which means 1) they have not been convicted by Gateway Antivirus (blacklisted) and 2) were not previously seen by the firewall in question (whitelisted).
  • For email security: Similarly, email security will automatically send unknown files arriving via email to Capture ATP for analysis before sending them along to inboxes.
  • For mobile access: If someone tries to upload a file to a shared drive (a common malicious attack vector), SMA will test the file to ensure it is clean before being accessible by others in the organization.
  • For endpoint protection: Last, Capture Client is an antivirus solution that continuously monitors the behavior of a system. Since it is common for malware to utilize evasion techniques (such as timing delays), sending suspicious files to Capture ATP is an intelligent way of eliminating malware before it executes.

Now that we have covered a bit of context, we’ll now explain how it works once one of these solution sets has either automatically sent a suspicious file to Capture ATP or an administrator has manually submitted a file for analysis.

Step One: Verdict Check

At the time of writing, the Capture ATP sandbox service receives over 1.5 million requests to test suspicious files each business day.

The first stop for these files is a verdict check. SonicWall summarizes each file (sent via encryption) it sees as a hash and retains a verdict for that hash indefinitely and does not save your files. By keeping a verdict for each hash (for each file), we are able to quickly send a conviction or acquittal back to the submitting solution or administrator within milliseconds. Of the millions of submissions SonicWall sees each week, only around 45 percent are unique, so this step is vital.

Step Two: Community Check

If we have never seen a file before it doesn’t mean someone else hasn’t. We check for convictions for the file’s hash against a pool of over 60 virus scanners to see if they found this file to be malicious.

Note: SonicWall doesn’t send your files to anyone for analysis.

Step Three: Dynamic Processing

If we haven’t seen it before (verdict check) and no one else has seen it before (community check), we run it through multiple engines simultaneously. This is where the fun begins, because we can do so many unique things with the code that a firewall or an endpoint can’t, such as fast-forward it to look for timing delays or break it apart in memory and examine the sequences.

Capture ATP was designed to be a multi-engine environment because of the common use of evasion tactics used in malware. Academically, the concept of a sandbox is easy to grasp, but once you understand their inner workings you can design code to slip past what they check for or not activate if you sense that the code is not on a normal system.

Getting past one sandbox is moderately difficult. Evading multiple engines, which in turn have multiple ways to find malware, should be nearly impossible.

In order to find the most evasive malware, Capture ATP runs code with hypervisor-level analysis, full-system emulation, virtualization and with SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMITM). This is done to see what code wants to do from the application, to the OS, and down to the firmware.

In an ideal world, every piece of malware we find would be detected by all technologies in use, but that is not always the case. Just remember my old adage, “Security doesn’t exist, only speed bumps.” Just like the Great Wall of China was eventually by passed by the Mongol horde, so are digital defenses by digital threats.

The Results

It is after this three-step process that we help deliver clean traffic to endpoints, inboxes, shared drives and servers and ensure endpoints stay secure by eliminating threats before they activate. By applying signature-based defenses in front of behavior-based defenses, we are able to protect the world against an onslaught of cyberattacks.

A good real-world example was the initial set of WannaCry attacks. The ransomware attack became famous for taking out 16 NHS hospitals in the UK (secured by a competitor).

However, the NHS sites protected by SonicWall were running without disruption from the attack. We stopped this attack three weeks in advance because our Capture Labs research team created protections against the SMB vulnerability and the WannaCry variant they found in the wild.

So, when the attacks started, they were stopped by internal defenses (e.g., firewalls). But what about Versions 2, 3, 16 or 18, etc.? These were discovered and stopped by Capture ATP.

To better understand how Capture ATP is protecting organizations against attacks like Meltdown, please read our solution brief on Real-Time Deep Memory Inspection.

Capture Cloud Platform: A Security Ecosystem that Harnesses the Power of the Cloud

We have fantastic advancements in technologies right now. With software-defined everything (SDx) and cloud becoming more accessible and affordable, both large and small organizations can effectively execute their digital business strategies with greater ease and speed.

As new applications, systems and SDx architecture are deployed to advance the digital business, many organizations also find themselves retooling their cyber security model to maintain the health and defense of their networks and services.

Organizations now must have complete knowledge, visibility and control of the security ecosystem, and the capacity to manage and remove cyber risks that can be disruptive and disastrous to the business.

To help make the cloud journey powerful, agile and safe, SonicWall developed its Capture Cloud Platform to address CISOs’ top three cyber security priorities:

  1. Give actionable cyber threat intelligence to help better understand security risks and quickly respond to them
  2. Reduce security silos by consolidating and integrating security technologies
  3. Manage cyber risk with greater visibility and control

Integrated Security, Management & Analytics

The core value of the Capture Cloud Platform is the integration of several key capabilities with our cloud-based centralized management, reporting and analytics services, including the Capture Advanced Threat Protection (ATP) sandbox, which includes Real-Time Deep Memory Inspection (RTDMITM) technologies, and Capture Labs and Capture Threat Network threat intelligence services.

This all-in-one approach enables our complete portfolio of high-performance hardware, virtual appliances and clients to harness the power, agility and scalability of the cloud and allows organizations to:

  • Drive end-to-end visibility and share intelligence across a unified security framework
  • Proactively protect against known and unknown cyberattacks (e.g., zero days)
  • Gain contextual awareness to detect and respond to security risks with greater speed and accuracy
  • Make informed security policy decisions based on real-time and consolidated threat information

SonicWall Capture Cloud Platform service-oriented architecture tightly unifies the current and future SonicWall security and management services organizations needs to run an efficient security operation center (SOC). It eases and, in most cases, automates the governance of their network, endpoints and cloud security services with single-pane-of-glass (SPOG) experience.

10 Components of the Capture Cloud Platform

Organizations are empowered by Capture Cloud Platform to make the shift from the old on-premises world of IT into the new hybrid cloud-as-a-service world by coalescing SonicWall security solutions with simple, common management tools that not only help achieves desired security and operational goals but also real business values.

Currently, Capture Cloud Platform is comprised of 10 key SonicWall security and service components:

  1. Capture Security Center
  2. Real-Time Cyber Threat Intelligence
  3. Capture Client
  4. Capture ATP
  5. Cloud App Security
  6. Management & Analytics
  7. NSv Series virtual firewalls
  8. NSa Series hardware firewalls
  9. Web Application Firewall (WAF)
  10. MySonicWall & Licensing (credentials required)

The combination of these services delivers mission-critical layered cyber defense, threat intelligence, analysis and collaboration, and common management, reporting and analytics, that work synchronously together.

This help organizations stay on top of the cyber threat landscape, protect sensitive information, meet compliance, and maintain normal service operations while moving the company’s digital transformation forward safely.

Visit our Capture Cloud Platform to get detailed information on each of the solution values and learn how the platform can securely accelerate your cloud journey.

IoT & Mobile Threats: What Does 2017 Tell Us About 2018?

“SPARTANS! Ready your breakfast and eat hearty. For tonight, WE DINE IN HELL!!”

Remember this passionate line by King Leonidas from the movie “300”? We are at the brink of another war — the modern cyber arms race. You need to gear up and be prepared for the thousands of malicious “arrows” that shoot down on you.

This cyber arms race is aimed against governments, businesses and individuals alike, and it’s comprised of different types and forms of cyber attacks. These attacks grow more sophisticated each year, with over 12,500 new Common Vulnerabilities and Exposures (CVE) reported in 2017 — 78 percent of which were related to network attacks.

It’s critical we learn from the past experiences — successes and failures. So, what can 2017 teach us to be better prepared in 2018? Let’s first look at the hard data.

According to the 2018 SonicWall Cyber Threat Report, SonicWall Capture Labs detected 184 million ransomware attacks and a 101.2 percent increase in new ransomware variants from more than 1 million sensors across more than 200 countries. The increase in new variations signifies a shift in attack strategies.

In addition, SonicWall Capture Labs logged 9.32 billion malware attacks. Network attacks using encryption tactics are also on the rise. Without the ability to inspect such traffic, an average organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption.

IoT attacks loom

Internet of Things (IoT) threats and memory attacks are also impending challenges that we face across wired and wireless solutions. According to Gartner, by 2020, IoT technology will be in 95 percent of electronics for new product designs.

Recently, Spiceworks performed a survey that resulted in IoT devices being the most vulnerable to Wi-Fi attacks. This makes IoT and chip processors the emerging battlegrounds. IoT was also a big target as “smart” (pun intended) hardware is not updated regularly and is often physically located in unknown or hard-to-reach places, leading to memory attacks and vulnerabilities.

IoT ransomware attacks are alone on the rise and gain control of a device’s functionality. While many of the IoT devices may not hold any valuable data, there is a risk for owners or individuals to be held at ransom for personal data. Gartner also predicts, through 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety failures rather than protection.

There are many smart devices and IoT devices in the market that connect over Wi-Fi, such as cameras, personal and TVs. Imagine an attack on your personal privacy and a hacker gaining control over your device. Distributed Denial of Service (DDoS) attacks still remain a major threat to these devices. Each compromised device can send up to 30 million packets per second to the target, creating an IoT powered botnet.

In fact, at one point in 2017, SonicWall Capture Labs was recording more than 62,000 IoT Reaper hits each day. Considering there could be an estimated 6 billion mobile devices in circulation by 2020, it wouldn’t be totally surprising if the next wave of ransomware targets mobile devices,

How to secure wired, wireless and mobile networks

It is critical to secure your network, both from a wireless and wired perspective. Total end-to-end security is the key to prevent such attacks from happening in the first place. To survive this cyber war, you can follow certain best practices to ensure your protection:

  • Layer security across your wired, wireless, mobile and cloud network
  • Deploy next-gen firewalls that can provide real-time intrusion detection and mitigation
  • Patch your firewalls and endpoint devices to the latest firmware
  • Secure your IoT devices to prevent device tampering and unauthorized access
  • Educate your employees on the best practices
  • Change default login and passwords across your devices

SonicWall solutions include next-generation firewalls, 802.11ac Wave 2 access points, secure mobile access appliances and the Capture Advanced Threat Protection (ATP) cloud sandbox service, all of which combine to provide an effective zero-day threat protection ecosystem.

To protect customers against the increasing dangers of zero-day threats, SonicWall’s cloud-based Capture ATP service detects and blocks advanced threats at the gateway until a verdict is returned. In addition, Capture ATP also monitors memory-based exploits via Real-Time Deep Memory InspectionTM (RTDMI). With innovative SonicWall solutions, rest assured your IoT and mobile devices are protected for the cyberwar.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

READ THE FULL REPORT

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Capture Client is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

RSA Conference 2018: Endpoint Protection Top of Mind

Daniel Bernard at RSA Conference 2018

SentinelOne’s Daniel Bernard explains the importance of SonicWall Capture Client endpoint protection, powered by SentinelOne, at the SonicWall booth during RSA Conference 2018 at the Moscone Center.

Endpoint protection has been a cyber security standard for years. But during RSA Conference 2018 at the Moscone Center, it’s clear that it remains a core security challenge for many organizations. Likewise, many cyber security vendors are offering new and better ways to protect end points.

While technology for machine learning, artificial intelligence, cloud and application security all still had their place in the RSA speaking sessions, a new era of endpoint protection that’s connected, transparent and easy to manage was on display.

So much so, SonicWall and technology partner SentinelOne shared speaking sessions in one another’s booth to show off SonicWall Capture Client and integrated SentinelOne capabilities, like continuous behavioral monitoring and unique rollback capabilities.

This type of endpoint protection is required to mitigate the most modern cyber attacks, including malware, fileless malware and ransomware — even when encrypted to avoid detection.

Unified end point protection

Brook Chelmo at RSA Conference 2018

SonicWall malware expert Brook Chelmo demonstrates the power of the SonicWall Capture Security Center during a session at the SentinelOne booth at RSA Conference 2018.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client delivers advanced threat protection techniques, such as machine learning and system rollback.

Integration with SonicWall next-generation firewalls deliver zero-touch deployment and enhanced endpoint compliance. Plus, it enables enforcement of DPI-SSL by deploying trusted certificate roots to each endpoint.

Connected through the cloud

But SonicWall Capture Client is more than a simple endpoint protection product. Its biggest differentiator is the way it’s connected, unified and streamlined through the SonicWall Capture Cloud Platform.

The SonicWall Capture Cloud Platform combines the global security intelligence of the Capture Threat Network with the cloud-based management, reporting and analytics of the SonicWall Capture Security Center and the advanced threat prevention of the multi-engine Capture Advanced Threat Protection sandbox. This enables the complete SonicWall portfolio of high-performance hardware, virtual appliances and clients to harness the power of the cloud.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

RSA Conference 2018: Live on Facebook

RSA Conference 2018 is a flurry of lights, sounds and information. It’s easy to get lost in the buzz and miss what you really want to see. In case you fall into this category — or weren’t able to make the trip to San Francisco at all — we streamed an entire presentation from SonicWall malware expert Brook Chelmo live on Facebook.

Read more

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Capture Client is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

Download Datasheet

Phishing Emails: The Spear of the Cyber Attack

As we know, email is the most popular attack vector used by threat actors to carry out targeted cyber attacks. In fact, more than 90 percent of cyber attacks start with a phishing email campaign. It is the easiest way for a cyber criminal to enter a network and execute tactics to accomplish an objective — be it data exfiltration, delivering a malicious payload or phishing for credentials.

Using social engineering, the tactics of accomplishing these objectives are highly sophisticated and targeted. Email is a primary collaborative tool to share documents, such as PDFs and Microsoft Word files, and URLs that could be weaponized with malware. Logically, phishing has evolved with this user behavior.

How email attachments are weaponized

File attachments, such as Microsoft Word documents and Adobe PDFs, have the ability to include embedded URLs, macros and scripts. This makes it possible for these files to work as executable malware. These malicious file attachments are used as delivery vehicles for ransomware and other zero-day threats. Here are some of the most popular methods files can be weaponized:

Embedded macros and scripts that hide malicious payloads
First, attackers embed a macro that obfuscates malicious payloads in the document. They then use personal information gathered through social engineering to mislead the user into enabling the macro content to run and infect the victim’s computer. These exploits take advantage of software vulnerabilities and then launch the intended payload to infect the computer.

Embedded macros and scripts that download malware from external sites
Documents can also be embedded with scripts that call external Command & Control (C&C) servers or websites to download malware inconspicuously. Often, these downloaded payloads take the form of ransomware, trojans, infostealers or botnets that make your system part of the malicious networks that carry out attacks on behalf of cyber criminals.

Fake attachments and embedded links
In some cases, attackers send documents or fake attachments, such as a PDF or a Word file, with embedded URLs. After clicking on the URL, the victim is redirected to a sign-in page that looks and feels authentic. These sign-in pages are well crafted and designed to deceive even educated users. Unsuspecting victims often fall prey by entering their credentials into the sign-in page.

High-profile phishing attacks

Google, January 2017
This phishing scam targeting Google users was clever and deceiving. Victims received an email that seemed to come from a familiar contact. The email included a legitimate file attachment that looked like a PDF or Word document. But the attachment was, in fact, an image with an embedded URL. Victims who clicked the attachment for a preview were redirected to a well-designed Google sign-in page that looked authentic. The fake page prompted the victim to enter credentials that enabled the cyber criminals to compromise the user’s Google account.

DocuSign, May 2017
A company that provides digital document-signature services, DocuSign, was the victim of a targeted phishing campaign. Users received an email that appeared to come from DocuSign and included a “Review Document” link. Once the link was clicked, a weaponized Word document with embedded malicious macro was downloaded. When the user enabled the content, the macro called a C&C server to download malware payload stealthily onto the victim’s computer.

Netflix, November 2017
Toward the end of last year, Netflix made the headlines for all the wrong reasons. A successful and sophisticated phishing campaign targeted the streaming service’s subscribers. This attack did not include any file attachments. Instead, attackers crafted a personalized email informing them that their account was suspended. They were asked to take an action by clicking on a fake link that redirected the then to a well-designed web page to collect credentials and credit card information.

Pyeongchang Olympics, January 2018
The 2018 Winter Olympics in Pyeongchang, South Korea, was one of the first victims of 2018 via a deadly, targeted spear-phishing attack. Appearing to be sent by National Counter-Terrorism Center (NCTC), the email included an attachment — a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). This spear-phishing campaign’s objective was to establish back doors into the networks once the victim opened the Microsoft Word document attachment.

How to stop phishing and other email attacks

Email security is no longer just about blocking mass spam and phishing campaigns. The above incidents indicate the evolution of how cyber criminals use email as a threat vector, and how they use the versatility of PDFs and Microsoft documents to their advantage.

These are advanced email threats that are carefully planned and highly targeted attacks. Traditional anti-spam and signature-based anti-malware simply cannot stop these attacks.

A multi-layered security approach provides the best defense against these email threats. The layers should include advanced threat protection features, such as sandbox analysis for email file attachments and embedded URLs, and email authentication technologies such as SPF, DKIM and DMARC.

It is also true that not all sandboxes offer equal protection. The cloud-based SonicWall Capture Advanced Threat Protection (ATP) service blocks the most evasive malware with its multi-engine approach.

Capture ATP now includes the recently announced, patent-pending Real-Time Deep Memory Inspection (RTDMITM) technology. RTDMI blocks malware that does not exhibit any malicious behavior or hides its weaponry via encryption.

By forcing malware to reveal its weaponry in memory, the RTDMI engine proactively blocks mass-market, zero-day threats and unknown malware utilizing real-time memory-based inspection techniques. This means, by design, RTDMI can sniff out malware obfuscated within PDF files and Microsoft Office documents by threat actors.

With high performance, fast scan times and block-until-verdict capability, Capture ATP offers comprehensive protection against advanced cyber threats.

To learn more about our analysis of the cyber arms race, and what you can expect in 2018, download a complimentary copy of the 2018 SonicWall Cyber Threat Report.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

A New Cyber Security Certification: SonicWall Network Security Administrator Course

SonicWall has spent the last 12 months deeply focused on training and enablement for our partners, customers and employees. Based on student feedback and market requirements, the company’s Education Services Organization is introducing the SonicWall Network Security Administrator (SNSA) course; a completely new training course and certification exam that will replace the Network Security Basic Administration (NSBA) class.

The SNSA training curriculum is designed to teach students specific SonicWall network security technology. The course will provide students with the skills to successfully implement and configure SonicWall firewall appliances and security services.

Improvements included with SNSA:

  • Two days of instructor-led classroom training, with 80 percent hands-on labs and 20 percent lecture
  • Six hours of online learning modules, which may be completed before or after the classroom portion
  • Based on the recently released SonicOS 6.5 firmware
  • Generic network security theory is removed and provided in supplemental training material

Consistent SonicWall training across the globe

To support the launch of the SNSA course, SonicWall Education Services is also launching a new Authorized Training Partner (ATP) strategy to enhance consistency in the delivery of training content and guidance. This new strategy encompasses:

  • Coverage provided by three global strategic training partners, augmented by key regional partners
  • Global fulfillment of materials and virtual labs via a single strategic training partner
  • Price adaptation to fit local-market currencies and demand
  • SonicWall global ATP managers to ensure content, delivery and lab experience are consistent worldwide
  • Proctoring service to ensure certification authenticity for both students and sponsoring partners

What happened to Network Security Basic Administration (NSBA)?

For the last 10 years, SonicWall offered a series of technical certification courses to its partners, customers and employees. The core certification training was focused on foundational understanding of network security, particularly basic administration found in the SonicWall Network Security Basic Administration (NSBA) course.

With a focus on training network security administrators, NSBA provided students with a broad overview of network security technology and the skills needed to configure and administer a basic SonicWall firewall appliance.

While this course satisfied initial learning objectives, student feedback indicated the content was not sufficient to meet the needs of deeper skillsets (e.g., installation, management and troubleshooting). Students left the course feeling they needed additional in-depth technical training and expertise.

In addition, due to a widespread number of ATPs around the world, student experience varied by geography and instructor. The changes to the course and the improvement of the ATP strategy ensure SonicWall will deliver best-in-class technical training to its partners and customers.

For individuals who completed the NSBA exam and hold a current CSSA certification, SonicWall will continue to acknowledge these important certifications through March 2020. Students wishing to re-certify an expiring CSSA certification will, however, be required to complete the new SNSA course and certification.

To enroll in the new SNSA program, students may access the newly launched external SonicWall University site.

SonicWall Security Certification Courses

SonicWall offers other training and certification courses to support the needs of our partners, customers and employees. These include:

Network Security Advanced Administration (NSAA) Course

Designed to further enhance an individual’s network security technical skills, the NSAA course is available to students who have achieved either the CSSA or the SNSA certification.

This two-day, instructor-led course provides students with the latest information on application control, bandwidth management, troubleshooting and advanced networking. Completion of this course prepares students to complete the Certified SonicWall Security Professional (CSSP) certification exam.

Secure Mobile Access Basic Administration (SMABA) Course

The SMABA course provides students with the technical skills necessary to administer and manage SonicWall Secure Mobile Access (SMA) appliances.

The SMABA course covers the use of Appliance Management Control to provide secure access — to any application from any network — based on secure authentication and authorization policies. Completion of this course prepares students for the Certified SonicWall Security Administration (CSSA-SMABA) certification exam.

Secure Mobile Access Advanced Administration (SMAAA) Course

Recommended for engineers or administrators of SonicWall SMA devices installed in larger networks, the SMAAA course provides students with in-depth technical training covering deployment options, authentication and authorization policies and troubleshooting.

Completion of this course prepares students for the Certified SonicWall Security Professional (CSSP-SMAAA) certification exam.