Jason Palm presents a deep dive into SonicWall's new Capture ATP feature.
Links included in the presentation:
https://blog.cerdant.com/2017/06/28/ransomware-defense/
https://blog.cerdant.com/cerdant-security-conference/
https://blog.sonicwall.com/2016/09/defend-data-from-invaders/
https://www.sonicwall.com/en-de/lp/2017-sonicwall-annual-threat-report
2. May 11th, 2017
Cerdant Security Conference
https://blog.cerdant.com/cerdant-security-conference/
Mike Johnson, President
Jeremiah Johnson, Principal Engineer
Josh Skeens, Director of Engineering
Dmitriy Ayrapetov, SW Product Mgmt.
https://blog.cerdant.com/2017/06/28/ransomware-defense/
May 12th
3. Challenge: Ransomware & Zero Day Threats
Explosion of unknown, zero day threats
266.5 million ransomware attempts in Q4 2016
Hide in encrypted and unencrypted traffic
7.3 trillion SSL/TLS connections 2016
62% of web traffic in 2016 was encrypted
Target multiple environments including mobile and connected devices
Designed to evade sandbox analysis and detection
WannaCry Killswitch
http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
4. SonicWall Solution: Capture ATP
Advanced Threat Protection
Multi-engine cloud sandbox detects more threats than single sandbox technology
Virtualized sandbox
Full system emulation
Hypervisor level analysis
Broad file type analysis and operating system support
PE, MS Office, PDF, Archives, JAR, APK
Windows, Android, Mac OS
Can block until verdict at the gateway (HTTP/S only)
Rapid deployment of threat intelligence
Reporting and alerts
* What it is not…
Good afternoon, I hope everyone is enjoying themselves and has found the conference to be informative. My name is Jason Palm, I’m a Network Security Engineer here at Cerdant.
I will be discussing one of SonicWALL’s newest services: Capture Advanced Threat Protection, or what we simply refer to as Capture. I’ll be giving an overview of how you can Capture More and Fear Less.
I know how much everyone loves PowerPoint slides. I promise to keep them to a minimum. I’ll follow the slides, which explain the service, with a quick “demo” of what Capture looks like running on a SonicWALL, and if we have time I’ll take any questions at the end.
This new service specifically addresses the challenge of dealing with Zero Day Threats. It is easier now than ever to create malware that has never been seen before, thus bypassing traditional signature-based detection. And since it is so easy, it is no problem for attackers to repackage their threats and launch them again once they have been detected and signatures created.
The rapid increase in Zero Day threats is also fueled by the profitability of ransomware. Ransomware-as-a-service is a real thing, making it very easy and affordable to launch successful ransomware campaigns.
Animation 1: According to the 2017 SonicWALL Annual Threat Report, the SonicWALL GRID Threat Network observed a mind-boggling increase in ransomware: from nearly 4 million attack attempts in 2015 to 638 million in 2016 (you can see here 266.5 million in the fourth quarter of last year alone).
Animation 2: As Jeremiah just discussed, the increase in SSL/TLS traffic is being leveraged by cyber criminals to deliver these malware variants. The decryption and inspection of that traffic is now a necessity. So, having a solution like SonicWALL that can incorporate decryption is a key component of dealing with these threats.
Animation 3: And we’re no longer dealing with just Windows environments. Android is still a prime target and susceptible to multiple threats. We have to account for multiple operating systems.
Animation 4: A few years ago network sandboxes were a hot item in dealing with zero day threats. Those solutions have seen a serious decline in efficacy as new strains of malware are able to avoid sandbox analysis and detection, in most cases simply by recognizing they’re running in a virtual environment and then changing behavior accordingly.
The SonicWALL solution to this challenge is Capture ATP. Spoiler alert: it is awesome! It was named CRN’s Network Security Product of the Year for 2016. It is a service that we here at Cerdant are recommending to all our customers and one that I feel is an absolute necessity. Jeremiah and I have actually been beta testing Capture for over a year, as soon as it was made available for beta testing, and were very involved in that process leading up to the product launch in August of 2016. I run this on my home SonicWALL and have been extremely impressed and happy with it; we run it at Cerdant’s office. From a deployment standpoint, for every new SonicWALL we deploy we recommend using this service.
So what is it?
Animation 1: First of all, it is a cloud-based service that extends the functionality of Generation 6 SonicWALLs. All that is needed to utilize this service is the proper firmware and a Capture license. This includes a multi-engine cloud sandbox. SonicWALL has incorporated technologies from VMRay and LastLine to build a virtualized sandbox, hypervisor-level analysis, and full-system emulation that resists evasion tactics. Since SonicWALL hosts this environment it is scalable and will evolve; it is architected to dynamically add new malware analysis technologies as the threat landscape evolves.
Animation 2: It supports a broad range of file types as you can see here (Executables, Office, PDFs, Archives, JAR, and APK). It also has multiple OS support. This solves the problem of only having a single sandbox with a single OS, or trying to maintain multiple sandboxes.
Animation 3: Files are sent to this cloud environment for analysis. In order to prevent potentially malicious files from entering the network, those files can be held at the gateway until a verdict is determined on whether they are malicious or not. This is an easily configured setting, and once we get to the live demo you’ll have a chance to see it.
Animation 4: This service ties directly into the GRID Threat Network as part of SonicWALL’s existing ecosystem. When a file is identified as malicious, a signature is immediately available to firewalls with SonicWall Capture subscriptions to prevent follow-on attacks. As a Capture “subscriber” this is a huge advantage: you’re not only leveraging the cloud to analyze and render verdicts on files from your network, you’re also taking advantage of what the Capture cloud sees from all Capture subscribers. In addition, the malware is submitted to the SonicWall Threat Intelligence Team for further analysis and inclusion, along with threat information, in the Gateway Anti-Virus and IPS signature databases, which will be incorporated into those updates within 48 hours.
Animation 5: This service includes its own set of reports and alerts for quick notification of any malicious detections.
Animation 6: A quick word on what Capture ATP is not…
There is no affiliation with the Association of Tennis Professionals. It will improve your security, it will not improve your tennis game.
It is not useful for capturing Pokemon. This is one of our Analysts, Arvin, in front of our lab. Has anyone here spoken with Arvin before? One of the nicest guys you’ll ever meet. When we were doing our in-house training for Capture the Pokemon Go craze was in full swing. We actually used this in one of our training slides. If you get a chance to tour the office after this and happen to see Arvin, be sure to ask him if he has had any luck Pokemon hunting lately.
Now that we know what Capture is, let’s look at how it is incorporated into the Gen 6 SonicWALLs by discussing the traffic flow.
Animations 1 & 2: First, traffic enters the network and is decrypted (once again, it is essential to utilize DPI-SSL if we want insight into all traffic).
Animation 3: Second, that traffic is run through the SonicWALL’s existing security services. If policies are in place to prevent specific traffic, or if known malicious traffic is detected, it is dropped. Simple services like Content Filtering and Botnet Filtering are still highly effective at preventing traffic to known havens of malware. From a deployment standpoint, you’d be surprised how many conversations I have with new customers on the necessity of simple content filtering alone. A lot of admins don’t want the hassle, or have been instructed not to cause disruption for users. The SonicWALL CFS engine actually has a web category for sites listed as “Malware”. I can’t think of too many good reasons to allow all your users to reach known malware sites.
Animations 4, 5, & 6: At this point we’ve kept out the known bad and allowed the known good, and then we have files in that grey area of “unknown”. These files are sent to the Capture cloud for analysis and judgement. Depending on your settings, those files will either be delivered while being analyzed, or held at the gateway until a verdict is rendered and then delivered.
Now, let’s zoom in to see how file analysis is taking place in the Capture cloud by using some real data. Has anyone seen the movie 300? You know, the movie with the 300 Spartans, none of whom wear shirts and they look like the only thing they do is Crossfit all day every day. Interestingly enough, that is what Jeremiah looks like when he has his shirt off. The reason I know this is because every time he installs a Supermassive he rips his shirt off and runs around the office yelling “THIS IS CERDANT!”.
No seriously, this data was compiled from a single day sampling of 300 companies who are utilizing Capture.
1. So, in a single day these 300 companies sent a total of 28,800 files not known to the firewall to Capture for analysis. If you’re doing some quick math, that averages roughly 100 files per company.
2. 18,100 were unique and went through the pre-filtering process before being sent to the sandbox.
3. So, if we’re saying 18,100 were unique, what happened to the other 10,700 files? Those were duplicates, or files already known to the Capture service, and didn’t require further processing. The file verdict was returned to the firewall and the file blocked or released per policy. This is where the sharing of information in the Capture cloud comes into play: as files are analyzed in the cloud, hashes for those files are created and stored.
4. Now, of those unique files, 15,450 were identified as good after further pre-filtering and allowed to pass through into the network. This includes comparison against a real-time list of files known to the partners SonicWALL collaborates with.
5. 130 were fairly new malware already known to the Capture pre-filter, but not yet to the firewall’s static filters at the time of the scan (they will be very soon).
6. After all pre-filtering, the remaining 2,520 were sent to the multi-engine sandbox for analysis. In the demo shortly we’ll see some details of what kind of analysis is going on. Of these files, most were identified as good, and hashes were created and added to the database so they don’t have to be analyzed again (further adding to the pre-filtering base of information).
7. In this example, six were found to be never-before-seen malware (aka Zero Day Threats).
These six were a mixture of Trojans, ransomware (Locky) and other malware.
In near real-time, six hashes for the newly discovered malicious files were submitted to the Capture database, and all other Capture ATP subscribers were immediately protected from follow-on attacks. These files were also sent to the SonicWall GRID team to analyze and create signatures to be added to the GAV and IPS updates within 48 hours.
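To make the traffic flow and the pre-filter funnel above concrete, here is a small model of it in Python. This is an added illustration, not SonicWALL code: the class names, the SHA-256 keyed verdict cache and the stand-in sandbox (which flags a marker byte string instead of observing behaviour) are all assumptions. It shows the two things the numbers depend on: a verdict cached in the cloud is returned to any subscriber without a second sandbox run, and a firewall whose static signatures lag the cloud is still protected by the cache.

```python
"""Toy model of the Capture cloud funnel: hash lookup first, sandbox on a miss.
Added illustration, not SonicWALL code; names and the stand-in sandbox are assumptions."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the multi-engine sandbox: it flags any file carrying
# this marker. Real dynamic analysis judges behaviour, not a byte string.
TOY_MALICIOUS_MARKER = b"<<toy-ransomware-behaviour>>"


def toy_sandbox(data: bytes) -> str:
    return "malicious" if TOY_MALICIOUS_MARKER in data else "clean"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CaptureCloud:
    """Verdict cache shared by every subscriber; the sandbox runs only on a cache miss."""

    def __init__(self, known_clean: Iterable[bytes] = (), known_malicious: Iterable[bytes] = ()):
        self.verdicts: Dict[str, str] = {}
        self.verdicts.update((sha256(d), "clean") for d in known_clean)
        self.verdicts.update((sha256(d), "malicious") for d in known_malicious)
        self.stats: Counter = Counter()

    def submit(self, data: bytes) -> str:
        self.stats["submitted"] += 1
        digest = sha256(data)
        cached = self.verdicts.get(digest)
        if cached is not None:
            # Pre-filter hit: already seen from this or any other subscriber.
            self.stats["prefilter_" + cached] += 1
            return cached
        self.stats["sandboxed"] += 1
        verdict = toy_sandbox(data)
        self.verdicts[digest] = verdict  # from now on every subscriber gets this verdict from cache
        if verdict == "malicious":
            self.stats["new_malware"] += 1
        return verdict


class Firewall:
    """Gateway with a static signature set that lags the cloud (the '48 hours' gap)."""

    def __init__(self, name: str, cloud: CaptureCloud, static_signatures: Iterable[bytes] = ()):
        self.name = name
        self.cloud = cloud
        self.static = {sha256(d) for d in static_signatures}
        self.log: List[Tuple[str, str]] = []

    def inspect(self, data: bytes) -> str:
        digest = sha256(data)
        if digest in self.static:
            action = "drop (static signature)"  # known bad never leaves the box
        else:
            verdict = self.cloud.submit(data)  # unknown to the firewall: ask the cloud
            action = "block" if verdict == "malicious" else "allow"
        self.log.append((digest[:12], action))
        return action


def run_day() -> Tuple[CaptureCloud, Firewall, Firewall]:
    """Constructed one-day sample for two subscribers sharing one cloud."""
    cloud = CaptureCloud(known_clean=[b"setup.exe v1"], known_malicious=[b"old locky sample"])
    fw_a = Firewall("A", cloud, static_signatures=[b"old locky sample"])
    fw_b = Firewall("B", cloud)  # B has not received the signature yet
    new_malware = b"invoice.pdf " + TOY_MALICIOUS_MARKER

    fw_a.inspect(b"setup.exe v1")       # pre-filter clean, no sandbox run
    fw_a.inspect(b"old locky sample")   # dropped by A's own signature
    fw_b.inspect(b"old locky sample")   # B lacks the signature; cloud cache already knows it
    fw_a.inspect(new_malware)           # cache miss: sandboxed, zero-day discovered
    fw_b.inspect(new_malware)           # cache hit: B protected without a second sandbox run
    fw_b.inspect(b"quarterly.pdf")      # cache miss: sandboxed, clean, cached
    fw_a.inspect(b"quarterly.pdf")      # duplicate: pre-filter clean
    return cloud, fw_a, fw_b


if __name__ == "__main__":
    cloud, fw_a, fw_b = run_day()
    print(dict(cloud.stats))
    print("A:", fw_a.log)
    print("B:", fw_b.log)
```

Of the seven submissions in the sample, only two reach the sandbox; the rest are answered from the cache, which is the mechanism behind the 10,700 duplicates and the 130 "known to Capture but not to the firewall" files in the slide.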
This leads to one of the biggest questions we get: how much data is sent to the cloud, and how fast is the service? In short, cloud-based analysis is fast:
1. Two seconds was the median processing time per file.
2. 83% of files are analyzed with a verdict in under five seconds.
3. An average of 32.6 MB was uploaded for each organization; the equivalent of watching a 10-minute YouTube video.
4. To understand the plight of the 300: at this rate they will see 2,450 new malware variants in a year, which is more than eight per network.
Ok, enough with the slides. Let’s get logged into a demo SonicWALL and take a look at the Capture settings and reports. Disclaimer: this is a demo box used for extensive Capture testing, so we’ll be seeing an inordinate number of malicious files compared to a production box (I would hope).
First we’ll look at the settings. As you can see, Capture is simply another menu item in the SonicWALL GUI. The service is basically Enable or Disable. As you can see here, it ties directly into GAV. It is worth pointing out that an active GAV subscription is required for Capture to operate, and it inspects the same protocols that are enabled for GAV.
We have the ability to specify the file types to include for Capture analysis using a simple checkbox. We can customize file size restrictions as well as object and hash exclusions.
Of particular note is the custom blocking behavior. This is where we can enable “Block Until Verdict”, meaning that file downloads via HTTP/S will not be allowed to complete until a verdict has been rendered. In either case, if a malicious file is detected, an alert email will be sent to the specified recipients.
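The settings just described (selected file types, a size limit, hash exclusions, and Block Until Verdict for HTTP/S only) amount to a submission policy the gateway evaluates per file. The following is an added illustration of that policy in Python, not SonicOS code: the field names, the default size cap and the content-based type detection are assumptions. The point a practitioner cares about is that the type check keys off the file’s bytes rather than the name the client supplied, and that JAR, APK and modern Office documents are all ZIP containers that must be told apart by their entries.

```python
"""Hypothetical gateway-side Capture submission policy (added example, not SonicOS code).
Policy fields mirror the settings in the talk; type detection and the Decision shape are assumptions."""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class CapturePolicy:
    file_types: FrozenSet[str] = frozenset({"PE", "OFFICE", "PDF", "ARCHIVE", "JAR", "APK"})
    max_size: int = 10 * 1024 * 1024        # assumed cap; the real UI makes this configurable
    excluded_hashes: FrozenSet[str] = frozenset()
    block_until_verdict: bool = True


@dataclass(frozen=True)
class Decision:
    submit: bool
    hold: bool        # True = client does not get the file until the verdict arrives
    reason: str


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> Optional[str]:
    """Derive the type from content; the client-supplied name is untrusted."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:5] == b"%PDF-":
        return "PDF"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OFFICE"                                   # legacy OLE2 .doc/.xls/.ppt
    if data[:2] == b"PK":                                  # ZIP container: OOXML, JAR and APK all start here
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "ARCHIVE"
        if "AndroidManifest.xml" in names:
            return "APK"
        if "META-INF/MANIFEST.MF" in names:
            return "JAR"
        if "[Content_Types].xml" in names:
            return "OFFICE"                               # .docx/.xlsx/.pptx
        return "ARCHIVE"
    if data[:4] == b"Rar!" or data[:2] == b"\x1f\x8b" or data[:6] == b"7z\xbc\xaf\x27\x1c":
        return "ARCHIVE"
    return None


def decide(policy: CapturePolicy, data: bytes, protocol: str) -> Decision:
    ftype = classify(data)
    if ftype is None or ftype not in policy.file_types:
        return Decision(False, False, f"type {ftype or 'unknown'} not selected for Capture")
    if len(data) > policy.max_size:
        return Decision(False, False, "exceeds configured size limit")
    if file_hash(data) in policy.excluded_hashes:
        return Decision(False, False, "hash on exclusion list")
    # Block Until Verdict applies to HTTP/S only; other protocols deliver while analysing.
    hold = policy.block_until_verdict and protocol.upper() in ("HTTP", "HTTPS")
    return Decision(True, hold, f"{ftype}: {'held until verdict' if hold else 'delivered while analysing'}")


def make_zip(*names: str) -> bytes:
    """Constructed in-memory ZIP with the given entry names (empty contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples (not real files)
SAMPLES: Dict[str, bytes] = {
    "dropper.exe": b"MZ" + b"\0" * 62,
    "invoice.pdf": b"%PDF-1.7\n%toy\n",
    "game.apk": make_zip("AndroidManifest.xml", "classes.dex"),
    "report.docx": make_zip("[Content_Types].xml", "word/document.xml"),
    "notes.txt": b"just text, never submitted\n",
}

if __name__ == "__main__":
    policy = CapturePolicy()
    for name, data in SAMPLES.items():
        for proto in ("HTTPS", "SMTP"):
            print(f"{name:12} {proto:5} {decide(policy, data, proto)}")
```

Running it shows the same executable held on HTTPS but delivered while analysing on SMTP, and a text file never submitted at all; swapping the size cap or adding the PDF’s hash to `excluded_hashes` turns those into non-submissions as well.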
With that in mind, let’s take a look at the status window to get an idea of what the real-time reporting entails. This is accessible via the SW GUI or via mysonicwall.com. This status window shows file scanning history for the past 30 days; by hovering over the bar graph for any given day we get the number of files scanned and the percentage of those that were malicious. As mentioned, this particular device shows a high number of malicious detections due to testing.
Below this we have some file information. You can immediately see which files were analyzed and determined either “Clean” or “Malicious”. By clicking on an individual file we get specific information on that file.
Clean file: 5/4 @ 10:2 AM
Malicious file: 5/2 @ 9:00 AM – get.vbn
This new service is highly effective and extremely simple to deploy. SonicWALL has done an outstanding job of addressing a very serious problem with a solution that adds a lot of value to existing devices without the need for additional hardware.