Posts

Advancing Beyond Hygiene to Next-Gen Email Protection Services

This story originally appeared on MSSP Alert and was republished with permission.


Most of us have a love-hate relationship with email. It’s been around for what seems like forever and while new channels of communication like Slack are making inroads, email is still the primary means of communicating in most organizations.

Since it is so ubiquitous, we know it will be a primary target of malicious attackers. Because of the attack surface area, attackers have been targeting email as a point of entry into organizations for over a decade. Most companies have responded with some form of email security solution. However, there seems to be a disconnect in outcomes versus goals in the industry.

For instance, 90 percent of current attacks against organizations use spear phishing as the primary means of breaching those organizations, yet most people would say they have email security in place.

Preventing Spam is Only the First Step

The major problem we are having as a security industry is that most people believe they have “security” for their email systems, but what they really have is hygiene. Email hygiene can be defined as “the process of keeping the inbox clean by keeping spam and unwanted advertisements away.”

It’s easy to think that hygiene is security because when email was new, spam was the major source of annoyance and security breaches — we’ve all dealt with Nigerian prince scams.

According to a recent FBI Public Service Announcement, business email compromise is a $12 billion problem today. Anti-malware and anti-spam are hygiene tools provided for free by cloud service providers, such as O365 and G Suite, as part of their mailbox functionality, but these tools do not stop evolving, sophisticated attacks.

Unfortunately, security industry nomenclature to customers hasn’t changed. The consequence has been continual breaches in organizations that believe they have security in place, but the reality is the hygiene solutions they have in place aren’t up to the task of stopping advanced email penetration techniques.

We need to move our language more toward discussing hygiene solutions and advanced email security solutions. What customers need isn’t email security (aka hygiene) but next-generation email security focused on identifying advanced threats. A next-gen email security solution should include:

  • Targeted phishing and email fraud protection
  • Unknown threat detection capabilities beyond just a “sandbox”
  • Compatibility beyond on-premises email server to O365, Gmail, etc.
  • Outbound protection to minimize potential data leakage
  • Hygiene capabilities as needed

Next-Gen Email Security Opportunity

While education is required, customers are starting to realize the need to supplement the native security functionalities with dedicated advanced threat protection (ATP) capabilities.

Gartner says over 50 percent of customers will look for dedicated security tools. MSSPs should look to provide a next-gen email security solution to their customers. This not only solves a real customer problem, but can also:

  • Increase your monthly recurring revenue with a next-gen email security solution as an additional value-added service for your customer
  • Lower analyst workload by blocking threats proactively
  • Enable better translation to real business impact – email addresses are associated with real people in the business rather than just an IP address
  • Reduce risk of liability – if customers are better protected, the chance of a significant breach is lower
  • Ride on the Microsoft Office 365 wave

The transition to Microsoft Office 365 (O365) is interesting as it both presents an opportunity and creates additional fear, uncertainty and doubt in the market. Businesses realize the benefits of moving their IT to the cloud (lower total cost of ownership, easier management, etc.) and email Exchange server was one of the first to move to the cloud.

However, O365 customers are often unsure of the level of security they get. An SMB customer typically evaluates the two Exchange Online Protect plans (EOP 1 and EOP 2). Let’s see what the customer is paying for:

  • In EOP 1, for $4/user/month, customers get the mailbox functionality and known malware protection included with anti-spam and anti-virus. Customer must upgrade to EOP 2 plan at $8/user/month for the addition of DLP functionality.
  • What’s not included is the ATP sandbox. If a customer wants that protection against today’s advanced threats, he needs to pay an additional $2/user/month for the add-on service.

Powering Your Advanced Email Protection Service with SonicWall

This opportunity is ripe, so it’s important that you not only find an effective technology, but a partner that will help you enable your service quickly. To protect against today’s advanced threats, SonicWall’s award-winning solution provides a multi-layered defense mechanism:

  • A multi-engine sandbox to catch the most evasive of malware. Our sandbox supports and scans extensive file attachment types and can scan over 70 percent of the files in under five seconds.
  • To stop spoofing attacks, business email compromise and email fraud, powerful email authentication, including SPF, DKIM and DMARC, is automatically included.
  • In-house anti-phishing, anti-spam and multiple anti-virus technologies protect against known threats.
  • Real-time threat intelligence feeds powered by Capture Labs that include signatures of newly found threats and IP based reputation for URL filtering.

Purpose-Built for MSSPs

The SonicWall secure email platform is built with MSSPs in mind to not only reduce the cost of management, but to ensure your brand is at the forefront:

  • Multi-tenant platform with flexible deployment options – hardware, software, virtual and cloud
  • Customizable branded experience
  • Integration with restful APIs and syslog alerting
  • Built-in O365 integration

The SonicWall SecureFirst MSSP program will help you implement the email security solution quickly, reduce time to market and take advantage of this great market opportunity. Some of what the MSSP program includes:

  • Service description templates
  • MSS pricing option
  • MSS specific setup and operation guides

MSSPs have a major opportunity here to educate their market on the differences between hygiene and security. And SonicWall’s MSSPs are doing exactly that.

A case in point: According to Erich Berger of Secure Designs Inc., a SonicWall SecureFirst MSSP Partner: “Within an hour of being installed it saved one particular customer from an Emotet infostealer malware variant.”

Foreshadow Vulnerability (L1TF) Introduces New Risks to Intel Processors

A group of 10 threat researchers have disclosed a trio of new Spectre-based vulnerabilities that affect Intel chipsets. Named Foreshadow, the threats leverage a CPU design feature called speculative execution to defeat security controls used by Intel SGX (Software Guard eXtensions) processors.

“At its core, Foreshadow abuses a speculative execution bug in modern Intel processors, on top of which we develop a novel exploitation methodology to reliably leak plaintext enclave secrets from the CPU cache,” the research team published in its 18-page report Aug. 14.

The vulnerabilities are categorized as L1 Terminal Faults (L1TF). Intel published an overview, impact and mitigation guidance, and issued CVEs for each attack:

The research team found that Foreshadow abuses the same processor vulnerability as the Meltdown exploit, in which an attacker can leverage results of unauthorized memory accesses in transient out-of-order instructions before they are rolled back.

Conversely, Foreshadow uses a different attack model. Its goal is to “compromise state-of-the-art intra-address space enclave protection domains that are not covered by recently deployed kernel page table isolation defenses.”

“Once again, relentless researchers are demonstrating that cybercriminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information,” said SonicWall President and CEO Bill Conner. “Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.”

 

Does SonicWall protect customers from Foreshadow?

Yes. If a customer has the Capture Advanced Threat Protection (ATP) sandbox service activated, they are protected from current and future file-based Foreshadow exploits, as well as other chip-based exploits, via SonicWall’s patent-pended Real-Time Deep Memory Inspection (RTDMITM) technology.

“Fortunately, prior to Meltdown and Spectre being made public in January 2018, the SonicWall team was already developing Real-Time Deep Memory Inspection (RTDMITM) technology, which proactively protects customers against these very types of processor-based exploits, as well as PDF and Office exploits never before seen,” said Conner.

RTDMI is capable of detecting Foreshadow because RTDMI detection operates at the CPU instruction level and has full visibility into the code as the attack is taking place. This allows RTDMI to detect specific instruction permutations that lead to an attack.

“The guessed-at branch can cause data to be loaded into the cache, for example (or, conversely, it can push other data out of the cache),” explained Ars Technica technology editor Peter Bright. “These microarchitectural disturbances can be detected and measured — loading data from memory is quicker if it’s already in the cache.”

To be successful, cache timing must be “measured” by the attack or it can’t know what is or is not cached. This required measurement is detected by RTDMI and the attack is mitigated.

In addition, RTDMI can also detect this attack via its “Meltdown-style” exploit detection logic since user-level process will try to access privileged address space during attack execution.

Notice

SonicWall customers with the Capture Advanced Threat Protection (ATP) sandbox service activated are NOT vulnerable to file-based Foreshadow processor exploits.

How does Foreshadow impact my business, data or applications?

According to Intel’s official L1TF guidance, each variety of L1TF could potentially allow unauthorized disclosure of information residing in the SGX enclaves, areas of memory protected by the processor.

While no current real-world exploits are known, it’s imperative that organizations running virtual or cloud infrastructure, as well as those with sensitive workloads, apply microcode updates released by Intel (linked below) immediately. Meanwhile, SonicWall Capture Labs will continue to monitor the malware landscape in case these proofs of concept are weaponized.

“This class of attack is something that will not dissipate,” said Conner. “Instead, attackers will only seek to benefit from the plethora of malware strains available to them that they can formulate like malware cocktails to divert outdated technologies, security standards and tactics. SonicWall will continue to innovate and develop our threat detection and prevention arsenal so our customers can mitigate even the most historical of threats.”

What is speculative execution?

Speculative execution takes place when processors execute specific instructions ahead of time (as an optimization technique) before it is known that these instructions actually need to be executed. In conjunction with various branch-prediction algorithms, speculative execution enables significant improvement in processor performance.

What is L1 Terminal Fault?

Intel refers to a specific flaw that enables this class of speculative execution side-channel vulnerabilities as “L1 Terminal Fault” (L1TF). The flaw lies in permissions checking code terminating too soon when certain parts of the memory are (maliciously) marked in a certain manner.  For more information, please see Intel’s official definition and explanation of the L1TF vulnerability.

Are chips from other vendors at risk?

According to the research team, only Intel chips are affected by Foreshadow at this time.

What is Real-Time Deep Memory Inspection (RTDMI)?

RTDMI technology identifies and mitigates the most insidious cyber threats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time.

“Our Capture Labs team has performed malware reverse-engineering and utilized machine learning for more than 20 years,” said Conner. “This research led to the development of RTDMI, which arms organizations to eliminate some of the biggest security challenges of all magnitudes, which now includes Foreshadow, as well as Meltdown and Spectre.”

RTDMI is a core multi-technology detection capability included in the SonicWall Capture ATP sandbox service. RTDMI identifies and blocks malware that may not exhibit any detectable malicious behavior or hides its weaponry via encryption.

To learn more, download the complimentary RTDMI solution brief.

How do I protect against Foreshadow vulnerability?

Please consult Intel’s official guidance and FAQ. To defend your organization against future processor-based attacks, including Foreshadow, Spectre and Meltdown, deploy a SonicWall next-generation firewall with an active Capture ATP sandbox license.

For small- and medium-sized businesses (SMB), also follow upcoming guidance provided via the new NIST Small Business Cybersecurity Act, which was signed into law on Aug. 14. The new policy “requires the Commerce Department’s National Institute of Standards and Technology to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

NIST also offers a cybersecurity framework to help organizations of all sizes leverage best practices to better safeguard their networks, data and applications from cyberattacks.

Stop Memory-Based Attacks with Capture ATP

To mitigate file-based processor vulnerabilities like Meltdown, Spectre and Foreshadow, activate the Capture Advanced Threat Protection service with RTDMI. The multi-engine cloud sandbox proactively detects and blocks unknown mass-market malware and memory-based exploits like Foreshadow.

SonicWall at Black Hat 2018

Now in its 21st year, Black Hat USA promises to bring together 17,000 information security experts to provide attendees with the very latest in cyber research, development and trends. This six-day event begins with four days of training for security practitioners of all levels (Aug. 4-7) followed by the two-day main event including briefings, business hall, arsenal and more (Aug. 8-9).

SonicWall is excited to be attending this year’s Black Hat event in Las Vegas. We’ll be providing attendees with hands-on experiences and showcasing our newest solutions. Visit us at Booth 564 in the Shoreline Hall to chat with our experts and explore the latest in security trends, threat intelligence and powerful cyber security solutions that help protect organizations in a fast-moving cyber arms race.

Live Demos

The SonicWall booth will feature five demo stations showcasing products across our entire portfolio, including the new SonicWall Capture Security Center. Our security experts will be on hand to take you through our Capture Cloud Platform, Capture ATP with Real-Time Deep Memory Inspection™ , Capture Client and our the newest next-generation firewall (NGFW) solutions.

Featured Presentations

Join our in-booth team to hear our featured presentation: “Keeping pace with the ever-changing threat landscape.” Our experts will go inside SonicWall Capture Labs telemetry data to provide insight into the advances being made by both security professionals and cybercriminals. In this session we’ll dig into the data, provide actionable insights and share our vision for automated real-time breach detection and prevention.

Each day, SonicWall will be joined by a special guest speaker: Daniel Bernard, VP of Business & Corporate Development, at SentinelOne. Learn how SonicWall and SentinelOne together ensure automatic remediation of malicious attacks, such as ransomware, in the event of infection by reversing system and file modifications.

Time Presentation
Wednesday
10:30 a.m.- 2 p.m. Keeping Pace with the Shifting Threat Landscape
2 p.m. Special Guest Speaker: Daniel Bernard, VP, SentinelOne
2:30-6:30 p.m. Keeping Pace with the Shifting Threat Landscape
Thursday
10.30 a.m. – 2 p.m. Keeping Pace with the Shifting Threat Landscape
2 p.m. Special Guest Speaker: Daniel Bernard, VP SentinelOne
2:30 p.m.- 4:30 p.m. Keeping Pace with the Shifting Threat Landscape

It wouldn’t be Vegas without a little magic and the chance for some winnings. Each day at Booth 564, in addition to our demos and presentations, we’ll have exclusive giveaways and even an illusionist. Join us and leave armed with the best cybersecurity information and some exclusive SonicWall swag like power banks, webcam covers, pens, notebooks and even fake bitcoin.

To keep up with us at the show, follow @SonicWall on Twitter and look for the hashtag #BHUSA.

Business Hall Hours

Mandalay Bay, Las Vegas | Booth 564

  • Wednesday, August 8: 10 a.m.- 7 p.m. PDT
  • Thursday, August 9: 10 a.m.- 5 p.m. PDT

Business Hall Access

  • Briefings Pass and/or Trainings Pass holders have unlimited access to the Business Hall and all Features
  • A Business Pass is available for purchase to individuals without Briefings and/or Trainings Passes and grants unlimited access to the Business Hall and all Features.

All Times PDT

Helpful resources

How to Stop Fileless Malware

In 2017, SonicWall Capture Labs discovered 56 million new forms of malware from across the globe. Threat actors are constantly creating updates to known versions of malware to get past defenses that rely on identifying malware (i.e., signatures). The forms of security that stop malware and ransomware based on signatures are only effective if they can identify the strain.

Since malware authors don’t want to continually update their code and have attacks in flight fail, they often resort to creating fileless malware as a highly effective alternative.

What is fileless malware?

Fileless malware has been around for some time, but has dramatically increased in popularity the last few years. These malware leverage on-system tools such as PowerShell, macros (like in Microsoft Word and Excel), Windows Management Instrumentation or other on-system scripting functionality to propagate, execute and perform whatever tasks it was developed to perform.

The problem for the business

One of the reasons fileless malware is so powerful is that security products cannot just block the systems or software that these are utilizing. For example, if a security admin blocked PowerShell, many IT maintenance tasks would be terminated. This makes it impossible for signature-based security solutions to detect or prevent it because the low footprint and the absence of files to scan.

How can SonicWall stop fileless malware?

The key is not to look at the file but, instead, look at how it behaves when it runs on the endpoint. This is effective because although there is a large and increasing number of malware variants, they operate in very similar ways. This is similar to how we educate our children to avoid people based on behavior instead of showing them a list of mug shots every time they leave home.

SonicWall Capture Client, powered by SentinelOne, is a next-generation antivirus endpoint protection platform that uses multiple engines, including static and behavioral AI, to stop malware before, during and even after execution. It also offers the ability to roll back an endpoint to a state before the malware got on to or activated on the system.

In the face of fileless malware, the full behavioral monitoring approach is amazing at detecting and preventing this type of attack because it is agnostic to the attack vector.

How does it work?

SonicWall actively monitors all activities on the agent side at the kernel level to differentiate between malicious and benign activities. Once Capture Client detects malicious activity, it can effectively mitigate an attack and, if needed, roll back any damage, allowing the user to work on a clean device.

Conclusion

Ultimately, adversaries will always take the shortest path to compromise endpoints to ensure the highest return with the least amount of effort. Fileless malware is quickly becoming one of the most popular ways to do so. It is not enough to just block essential operations like PowerShell.

You need anti-virus software that fully monitors the behavior of a system to prevent attacks utilizing exploits, macro documents, exploit kits, PowerShell, PowerSploit and zero-days vulnerabilities locally and without dependence to network connectivity.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

Webinar: Stop Fileless Malware with SonicWall Capture Client

Join SonicWall and SentinelOne cyber security experts to learn how to stay safe from advanced cyber threats like fileless malware.

Capturing the World’s Latest Malware so You Can Fear Less

If anyone ever needs proof on how effective SonicWall Capture Labs is, look back to the WannaCry ransomware attack in May 2017, and just last week the NotPetya malware. In contrast to over 250,000 endpoints compromised in over 150 countries, SonicWall customers with active security subscriptions were largely unaffected.

Why were they unaffected?

Our customers were protected because SonicWall had identified and created signatures for all exploits of the SMB vulnerability, as well as early versions of WannaCry, weeks in advance. Any of our customers with active Gateway Anti-virus and Intrusion Prevention System (GAV/IPS) services received those signatures automatically, and thereby blocked this ransomware variant and the worm that spread it across the globe. This was possible because SonicWall Capture Labs gathers millions of samples of malware in order to protect our customers from the latest threats.

In 2016, SonicWall’s Capture Labs Threat Research processed over 60 million unique pieces of malware that were previously unknown to us.  This included versions of polymorphic malware, newly developed malicious code and zero-day attacks. The result of this work created countless signatures and other countermeasures that protected our customers from the latest attacks across our product portfolio.

So where does SonicWall get all of these malware samples?

With over 1 million sensors placed around the world, our Capture Labs Research Team receives the largest amount of data from real customer traffic. Our SonicWall Capture Advanced Threat Protection (ATP) Service is a network sandbox that runs suspicious code to find unknown malicious code. Business networks will encounter an average of 28 new, zero-day versions of malware over a calendar year, Capture ATP is designed specifically to prevent this.

In addition, SonicWall participate in numerous industry collaboration efforts such as the Microsoft MAPP program so our researchers receive new verified threats before the public. We also actively engage in numerous international threat research communities and freelance researchers so our in-house team possesses samples of uncommon attacks and vulnerabilities.

Read this eBook to learn how to protect against ransomware with a multi-layer threat elimination chain to stop known and discover unknown malicious code targeting your organization.