Top 4 Email Security Solutions of 2020

The best email security solution ends up pulling a lot more weight than most network security services in 2020. Unless you live under a rock, you are increasingly aware of the ransomware scourge plaguing small businesses and enterprises alike. Email security targets advanced threats where they’re most likely to attack: your inbox. Thanks to social engineering schemes, your small business email service is a big, flashing target for hackers looking to infiltrate the network. Business emails are exceedingly vulnerable to advanced threats, like:

  • Phishing & spearphishing
  • Domain squatting
  • Cloud-based malware droppers
  • Business Email Compromise & account takeover
  • Impersonation & fraud

What makes email-borne attacks so efficient and how can you stop them in their tracks? We’ll break down the four best email security solutions of 2020, explain how they rebuff the bad guys, and help you find the email security solution that best fits your network needs.

How does email security keep you safe?

Email security solutions are often multi-faceted platforms that integrate several moving pieces to form a cohesive, defense-in-depth strategy. Email security monitors both inbound and outbound email traffic, allowing networks to scan the contents of messages and attachments to determine their intentions. Pair this with other fail-safes such as a cloud-based sandbox, anti-spam, and anti-malware services, and you’ve got a robust system that can keep an eye out not just for viruses, but also for sensitive data exfiltration and impersonation attempts.

Modern email security appliances and services offer multi-layered security by scanning all email contents, URLs, attachments, and headers with advanced analysis techniques. These techniques recognize threats based on their behavior, NOT by relying on known threat signatures. Just as the bad guys train to imitate the way you write messages, the best email security solutions are experts at spotting subtle clues in messages that betray malicious intentions.

What to look for in an email security solution

Email security solutions need to be more than just effective; they also must be user-friendly. Simplifying the challenges of network security is crucial to a network security infrastructure that meets your business goals. The best email security solution for small businesses is one that’s easy to set up and manage.

Other factors to look for in the best email security solution for your needs include:

  • Email spooling that allows for business continuity even during Internet loss or power outages
  • Message archiving to make regulatory compliance audits easier
  • Real-time threat intelligence updates that keep your email security constantly evolving
  • Task automation & robust reporting to effortlessly manage addresses, accounts, & user groups

Top 4 Email Security Solutions for Small to Mid-Sized Businesses


SonicWall TotalSecure Email

Key Features:

  • Industry-validated Capture Advanced Threat Protection sandbox stops ransomware & zero-day threats from ever reaching your inbox
  • Users protected from clicking on malicious links across any device or location with time-of-click URL protection
  • Granular Data Loss Prevention & compliance policies protect data

What makes SonicWall TotalSecure one of the Best Email Security Services in 2020?

SonicWall Email Security appliances and software provide multi-layered protection from inbound and outbound email threats and compliance violations by scanning all inbound and outbound email content, URLs and attachments for sensitive data. What’s more, they deliver real-time protection against ransomware, targeted phishing attacks, spoofing, viruses, malicious URLs, zombies, directory harvest, denial-of-service and other attacks.

TotalSecure Email leverages multiple, patented SonicWall threat detection techniques and a unique, worldwide attack identification network.


Sophos Advanced Email Protection

Key Features:

  • Sophos Synchronized Security connects Sophos Email security with endpoint protection, delivering automated detection & clean-up
  • Compromised Mailbox Detection services detect outbound spam & malware to safeguard send reputation
  • Sophos Phish Threat gives you tools to test & train employees on cybersecurity awareness

What Qualifies Sophos Advanced Email Protection as one of the Best Email Security Services in 2020?

Sophos Email integrates in real-time with Sophos Central, an intuitive console for managing all your Sophos products. By extending Sophos Synchronized Security to your inbox, you ensure email security integrates into your entire network security posture.

Only Sophos Central lets you build and manage multiple lines of defense from email-borne threats, allowing you to respond to threats faster. This includes secure email, cybersecurity awareness training, and next gen endpoint protection, all from a single mobile-optimized portal.


Barracuda Essentials – Email Security & Compliance

Key Features:

  • Real-time detection of dynamic threats constantly updates with 24×7 threat intelligence
  • Outlook plug-ins & mobile apps for easy user access
  • Barracuda Cloud Email Archiving integrates with Exchange & other cloud-based email services to create an indexed archive

What Qualifies Barracuda Essentials as one of the Best Email Security Services in 2020?

Barracuda Essentials filters and sanitizes all messages before delivery to your mail server. This protects your network from email-borne threats and social engineering before users even have a chance to click a link. Barracuda Essentials combines virus scanning, reputation checks, URL protection, spam scoring, real-time intent analysis, and other techniques to monitor threats across all potential attack vectors.


Fortinet FortiMail Appliances

Key Features:

  • Outbreak protection, content disarm & reconstruction, sandbox analysis, & impersonation detection combined into a single hardened appliance
  • Prevent data loss with powerful, identity-based email encryption
  • Integrate with full suite of Fortinet products as well as third-party Fortinet Fabric Partners by sharing Indicators of Compromise across Fortinet Security Fabric

What Qualifies Fortinet FortiMail as one of the Best Email Security Services in 2020?

FortiMail secure email gateways stop volumetric and targeted cyber threats to secure dynamic attack surfaces. FortiMail also prevents the loss of sensitive information and simplifies regulatory compliance. Offered as high-performance physical and virtual appliances, FortiMail is flexible enough to deploy on-site or in the public cloud to meet a wide range of business goals and security needs.


Looking for the best email protection for your small business?

Give us a call at 866-957-2975 to find the perfect fit!

3 Best Ransomware Protection Solutions 2020

3 Best Ransomware Protection Solutions for Business 2020

Once your network is infected, ransomware encrypts files on afflicted endpoints, making it impossible to read or open them. The best ransomware protection for small businesses proactively hunts down and eliminates even never-seen-before ransomware long before an employee ever gets a chance to fall for it. Here are a few key features you should seek when comparing the best ransomware protection services available in 2020:

  • Advanced email security
  • Cloud-based sandboxing
  • Behavior-based scanning
  • Regular threat intelligence updates

Want to avoid shelling out big bitcoin to get your small business’s data back under control? Get a ransomware security solution that does more than just look out for known ransomware signatures.

What is Ransomware Protection?

The best ransomware protection for businesses scans inbound and outbound traffic across your entire network, using artificial intelligence to monitor the behavior of files as they traverse and interact with other network resources. Ransomware protection solutions spot behavior that looks similar to malicious activity and further investigate it in nanoseconds. Faster than you can say mind palace, these solutions either allow or block file access based on that verdict.

What to Look for in a Ransomware Protection Service

The best ransomware protection systems include a cloud-based sandbox where suspicious files can be sent for disarmament or detonation. In other words, if your ransomware tool is even the least bit suspicious of a file, the system safely opens and inspects it without threatening your network health.

Additionally, the best ransomware services rely on artificial intelligence and machine learning to reach threat verdicts via behavior monitoring. This means that even if a strain of ransomware has never been seen by any other endpoint in the entire world, if it walks like ransomware, talks like ransomware, or displays any other tell-tale ransomware behavior, your ransomware protection should yank it aside for closer inspection. Traditional ransomware protection services fall back on known signatures that need to be constantly refreshed and can do nothing to stop zero-day threats.

Top 3 Ransomware Protection Services in 2020


SonicWall Capture Advanced Threat Protection (ATP)

Key Features:

  • Real-time threat intelligence updates with up-to-the-minute signatures
  • High security effectiveness & low false-positive rate against zero-days
  • Real-Time Deep Memory Inspection blocks mass-market malware

What Qualifies Capture ATP as one of the Best Ransomware Protection Services in 2020?

SonicWall Capture Advanced Threat Protection (available as an add-on for all SonicWall TZ or NSa firewalls) is a powerful cloud-based sandbox with malware analysis that can detect evasive threats. Capture ATP blocks suspicious files at the gateway until a verdict is rendered.

SonicWall combines multi-layer sandboxing, Real-Time Deep Memory Inspection, full system emulation, virtualization techniques, and more to detect more threats than any single-engine sandbox available in 2020. On top of that, the low false-positive rate means it won’t block the legitimate files you need to do business.


Sophos Intercept X Advanced with EDR

Key Features:

  • Highly-acclaimed malware detection engine driven by deep learning
  • Exploit prevention stops attackers from taking advantage of vulnerable software & apps
  • Root cause analysis visualizes where threats originate & how they move on the network

What Qualifies Sophos Intercept X Advanced with EDR as one of the Best Ransomware Protection Services in 2020?

Sophos Intercept X Advanced with Endpoint Detection & Response is a mouthful. But it’s also a comprehensive, defense-in-depth tool that combines advanced techniques to squash malware, ransomware, and zero days. Intercept X also uses behavioral analysis to stop boot-record attacks.

Plus, even if a system is already infected, CryptoGuard stops the encryption process and rolls files back to their pre-infection state.


Fortinet FortiEDR & FortiSandbox

Key Features:

  • Integrates with all Fortinet Security Fabric components to protect digital attack surfaces
  • Provides actionable intelligence via automation to detect & respond to advanced threats
  • HUGE accolades from third-party testers such as NSS Labs, BPS, & ICSA Labs

What Qualifies FortiEDR with FortiSandbox as one of the Best Ransomware Protection Services in 2020?

Fortinet’s FortiEDR & FortiSandbox establish a two-step sandboxing approach centered around artificial intelligence. These services first compare at-risk files against known and emerging malware with static analysis. Then, second-stage analysis uncovers the full attack lifecycle by detonating the payload in a virtual, quarantined environment.

Detailed analysis maps any uncovered malware to the MITRE ATT&CK framework, with powerful investigation tools to help admins better visualize security events.


Looking for the best ransomware protection for your small business?

Give us a call at 866-957-2975 to find the perfect fit!

Emotet: the Biggest Network Security Villain of 2019

The Biggest Villain of 2019

The U.S. Department of Homeland Security considers it to be among the most costly and destructive threats to U.S. businesses in 2019…

It constantly evolves, using adaptation and versatility to grow stronger with each new iteration…

It leverages several attack vectors against multiple targets, giving it plenty of opportunities to secure a victory…

The Feared, the Elusive, the Tenacious Malware: Emotet.

Emotet is a sophisticated cyber attack that uses its skills as a shapeshifter to spread itself far and wide across the Internet. The US Department of Homeland Security estimates that organizations in 2019 have shelled out as much as $1,000,000 per incident to recover from an Emotet attack. With big baddies from seasons past like WannaCry and Petya still fresh in the memory, businesses must now turn their attention to the security world’s 2019 season antagonist: Emotet.

What do Marvel’s Ultron and Emotet have in common?

You may defeat them now, but they always come back in a stronger, smarter form than before! Just like the comic villain Ultron, featured in Marvel’s 2015 “Avengers: Age of Ultron,” Emotet always finds a way to make itself more dangerous. This complicated malware has been constantly evolving since its humble origin story as an upstart banking trojan in 2014. In fact, SophosLabs detected and identified over 4,500 different varieties of Emotet carrying unique payloads in January alone.

Emotet gives itself multiple chances to win. It spreads across networks, propagating itself through email spam and lateral movement, using your devices as remote zombies. Emotet collects contacts and browsing data. It can even act as a decoy for nastier attacks. Emotet isn’t picky; the malware can carry whatever malware is paying out top dollar at the time. Whether it’s TrickBot malware, QBot banking trojans, BitPaymer ransomware, or something even more nefarious, Emotet is an ideal delivery system for payloads of all kinds. It’s flexible. It’s persistent. And it always comes back stronger!

The Emotet malware’s principal delivery method is through fake emails. One wrong click or careless attachment download lets Emotet get a foot in the door, and from there it begins its primary objective: spreading to other devices on the network. Once infected, your inbox will start spitting out malicious emails to everyone in your contact list, providing Emotet with opportunities to infect far and wide. During this process, your email domain reputation plummets!

Once a system is infected, Emotet calls back home and initiates a malware download for whatever payload it’s been built to carry. In this call back step, Emotet may also take the opportunity to lift your contact lists and browser data to be sold off on the black market. With its versatility, constant evolution, and multiple victory conditions to meet, Emotet is a truly tricky foe.

Perhaps its most dangerous use, though, is as a smokescreen. Due to the fast-acting nature of Emotet, its rapid expansion sends network administrators into a frenzy to prevent further compromise. Some cyber attackers use this period of panic as a chance to initiate a targeted ransomware attack. By the time the initial Emotet chaos has been stabilized, ransomware like BitPaymer has already used the distraction to get a stranglehold on the organization’s data.

Defeating Emotet

Call us old-school, but Firewalls.com believes the bad guys should always lose in the end. Most single solutions are ill-equipped to deal with Emotet. Between its versatility, speed, and ability to assault multiple targets, you’ll need a whole team to take it down. If you’re thinking the Avengers, think again. Sophos Synchronized Security with Sophos Heartbeat is just the band of network defending heroes to call if you want to send the baddies packing.

Try Synchronized Security Free for 30 Days

Sophos protects against Emotet at every point in the attack chain. Synchronized Security means that your endpoints and your firewall communicate with each other in real-time to provide comprehensive and instantaneous response to threats. This constant pulse of communication between endpoints and the network is called the Sophos Heartbeat. The moment an attack is detected, Sophos Heartbeat instantly relays details back to XG Firewall in order to isolate the machine, shut it off from the network, and begin remediation.

Sophos Email Protection blocks spam both inbound and outbound. Leveraging threat intelligence from SophosLabs, Sophos email protection identifies malicious emails like those that propagate Emotet and shuts threats down before they hit the inbox. Active threat protection, malicious attachment sandboxing, and time-of-click URL protection all come standard with Sophos Central Email Advanced, giving your inbox all the superpowers it needs to shut down Emotet at its point of entry.

Try Sophos Email Free for 30 days

Read Sophos Email Datasheet

If a single endpoint becomes infected, Sophos Intercept X springs into action, isolating the device before Emotet has a chance to spread across the network. Intercept X is super smart, harnessing deep learning capabilities to anticipate new threats before they happen. Intercept X cuts off the opportunity for lateral movement and gets to work cleaning up the infected systems. Sophos Intercept X Advanced consolidates protection and Endpoint Detection and Response (EDR) into a single solution with guided incident response.

Try Intercept X Free for 30 days

Read Intercept X Advanced Datasheet

XG Firewalls feature advanced cloud-based sandboxing to examine and detonate payloads in a quarantined environment. XG Firewall is the overwatch command center that communicates in real time with endpoints thanks to the Sophos Heartbeat. AI-powered behavioral monitoring lets XG Firewalls detect behaviors consistent with Emotet and pre-emptively block all IP addresses currently known to be associated with Emotet. With advanced protection guarding the point of entry, individual endpoints, and the network level, your Sophos team makes short work of Emotet.

Try XG Firewalls Free for 30 days

Read XG Firewall Datasheet

Since these programs were designed to work as one well-oiled machine, all of these layers of Sophos protection occur automatically. This provides a comprehensive, zero-touch response that addresses advanced threats at every step of the attack chain. This dream team of Sophos Email, Intercept X, and XG Firewalls ensures Emotet never sees the Endgame. That means your story always gets its happy conclusion. And automatic, real-time, zero touch response means your IT guy can go grab lunch.


5 Big Takeaways from the SonicWall 2018 Cyber Threat Report

The 2018 SonicWall Cyber Threat Report was just released and we’re here to break down this massive report into bite-size morsels for you to chew on. Each year, SonicWall Capture Labs publishes an in-depth look at the trends, changes, & tech that shaped the cyber threat landscape over the previous year and they use their findings to predict the volatile threat landscape that organizations can expect to traverse in the coming year. Predict your own cyber security future by understanding these 5 key takeaways from the 2018 Cyber Threat Report.

1. Ransomware

Wave goodbye to the cyber security war that you once knew. No, it’s not over. It’s just a little different now. Despite headline-worthy attacks rocking Europe and North America, 2017 was a year of retreat and regroup for threat actors. No longer happy to play the numbers game, criminals have instead turned their focus towards innovation. While overall ransomware attacks dropped, the number of unique variants increased in 2017.

The number of ransomware attacks detected in 2017 by SonicWall Capture Labs totaled 183.6 million, a 71% drop compared to 2016. Nonetheless, of those detected hits, SonicWall discovered one never-before-seen variant for every 250 known threats it encountered. This means that ransomware is becoming more versatile. In 2018, expect the trend to continue, meaning your organization will be defending from fewer attempts, but each attempt will be smarter and more cunning than previous years.

What does this mean for me?

If you’re not already using a cloud-based sandbox, 2018 is the year to jump on the bandwagon. Zero-day threats may well become the new norm, meaning you’re only partially protected if you still depend on signature updates and patches. As the threat landscape shifts from quantity to quality, it is paramount that organizations stay ahead of the wave.

2. Malware

Where ransomware has taken a step back to catch its breath, malware filled the void in 2017, rebounding from the significant dip witnessed in 2016. From 2015 to 2016, malware attacks dropped from 8.19 billion occurrences to 7.87 billion, a statistic initially interpreted as a signal that malware was on the decline. 2017, however, saw a roaring return with over 9.32 billion malware attacks logged by SonicWall Capture Labs.

Malware in 2017 did have some unique features compared to past specimens. With the fall from grace of Adobe Flash sweeping a huge category of vulnerabilities and exploits into the trash, malware authors designated Microsoft as their new punching bag. Attacks against old targets like Acrobat Reader and Reader DC are down. Meanwhile, attacks targeting Word, Excel, and other Office products are ramping up.

Second, threat actors have seemingly joined the green movement by making recycling a big aspect of malware lifecycles. No, we’re not talking about scraps of trash, but malware code itself being reused, rehashed, and rewritten. The SonicWall Cyber Threat Report refers to this phenomenon as “malware cocktails.” Such cocktails are created by mixing and matching snippets of code or functionality from several malware kits and splicing them into new Frankenstein-esque creations.

What does it mean for me?

Take your signature-based scans and toss them out the window. It’s high time you switched over to behavior scanning. Most cyber security brands worth their salt are relying more heavily on machine learning, deep system scans, and real-time protection. Both SonicWall’s Capture ATP & Sophos’ Sandstorm make use of the latest deep learning capabilities to identify, probe, and judge data in fractions of a second. Much like our response to ransomware above, the key to steering clear of a malware infection will be an organization’s ability to stay dynamic.

3. Encrypted Threats

Speaking of malware, another important shift in the threat landscape is malware’s ability to hide itself behind encryption. Encryption, specifically through the SSL/TLS protocol, has accelerated, with over 60% of web traffic now encrypted. Soon, Google Chrome will begin marking all unencrypted pages as “not secure.” All signs point towards a future where SSL/TLS-secured sites are the norm and malicious traffic is no exception.

What does it mean for me?

According to the report, organizations that lack the ability to inspect encrypted traffic missed, on average, over 900 attacks hidden by SSL/TLS encryption in 2017. In addition, many attack kits are leveraging custom encryption schemes, making it even more problematic to parse out their payload.

Stateful inspection alone, combined with poorly configured policies, is no longer enough if you want to catch all of the attacks. In 2018, an organization will rely heavily on its ability to inspect encrypted traffic. It may be wise to get a second set of eyes to review your NGFW configuration to ensure your network is set up to deal with encrypted threats.

4. Internet Of Things

We wrote up a comprehensive article on IoT in 2017 that takes an in-depth look at the developments and dangers surrounding the Internet of Things. Since then, exploits with very scary names such as Meltdown and Reaper have emerged. Unfortunately, IoT-enabled products continue to be produced with little to no regard for cyber security. Expect to see the weaponization of IoT clusters for use in botnet DDoS attacks.

What does it mean for me?

Honestly, we’re not sure. The bad guys have not yet figured out how to best make use of this emergent attack vector. Whatever the future may hold for IoT, one thing we know for certain is that we will one day regret the short-sightedness of pumping all of these network-enabled devices into public hands with scant oversight of security risks. SonicWall Capture Labs has put forth at least one solution, which we’ll outline next.

5. Real-Time Deep Memory Inspection (RTDMI)

SonicWall has demonstrated its inventiveness over and over throughout the years with a strong portfolio of patents. Most notable is their patented Reassembly-Free Deep Packet Inspection, a method that allows simultaneous scanning of data chunks through multiple processing engines, changing DPI services of old from bottlenecks into high-speed security checkpoints. In 2018, SonicWall continued their proud tradition of innovation by opening new battlegrounds in the fight against cyber crime in advanced technologies such as IoT, chip-based threats, & mass market malware with the introduction of their patent-pending Real-Time Deep Memory Inspection.

There’s not a whole lot of information about RTDMI released so far, but the few snippets of features we were able to find hinted at potential capabilities. RTDMI is located in the Capture cloud and has been quietly operating for a few months now, so if you’re currently running Capture ATP you’re already under RTDMI’s silent watch.

RTDMI can detect and block malware that conceals its malicious behavior behind encryption. By scanning these encrypted threats in real time and forcing them to expose their intentions in processor memory, RTDMI promises to root out even the best disguised attacks. According to the threat report, the act of exposing, detecting, and blocking these kinds of advanced threats takes place in a timescale of under 100 nanoseconds.

What’s this mean for me?

Again, we’re not sure yet. But you should find this news reassuring at the least. RTDMI demonstrates that SonicWall is already working to solve the emerging threats of tomorrow. We’ll keep bugging SonicWall for more information, and we’ll let you know what we find out about this mysterious new patent-pending tech.

There is one common thread linking all of this information: set-it-and-forget-it is dead. Cyber safety in 2018 equates to dynamic, real-time, advanced-tech-focused efforts. Still relying on a legacy firewall or bare-bones subscriptions? We recommend you start weighing your options. And if this all sounds expensive to you, consider softening the upfront costs by partnering with a Security-as-a-Service team where everything you need to stay secure is provided for a much lower monthly subscription cost.


3 Things All Organizations Should Learn from the SophosLabs 2018 Malware Forecast

WannaCry. NotPetya. KRACK. BadRabbit. With all the new friends we made in 2017, organizations have to wonder what the new year has in store in regards to cyber security. A meteoric rise in ransomware has the healthcare industry on its toes. Corporate email breach rates are soaring. Surely there must be someone that can help us make sense of it all!

Well, Sophos can. A few months ago SophosLabs released its 2018 Malware Forecast. In this week’s blog post, we’ll look at the data, the predictions, and what business owners should take away from the research. Ready to get secure and stay secure in 2018? Keep reading to learn how you can pull it off.

3 Key Points of the SophosLabs Malware Forecast

1. Ransomware-as-a-Service is the New Normal

The real boogeyman in the world of cyber security is no longer individual hackers, but the toolkits and custom code they distribute. The Dark Web is littered with DIY exploit kits and pre-built ransomware payloads just waiting to be aimed and fired, for a price. Any Joe Shmoe off the street can bring a hospital campus to a grinding halt, even if they can’t tell a secure socket from an electrical socket. Ransomware-as-a-Service is an all-inclusive heist-in-a-box that even low-tier baddies can use to separate your organization from its wallet.

Just how commodified has ransomware become? Well, why not watch the world’s first commercial for a ransomware toolkit?

What It Means for You

More attempts. More spam. More danger lurking around every corner. Sure, these DIY exploiters may not have the expertise or dedication that hackers of old once touted, but cyber crime in 2018 is a numbers game. Expect to see the total number of attempted attacks rise as ransomware-as-a-service kits multiply and the entry threshold for cyber criminals lowers.

2. Windows is Still Vulnerable

As the author of the report states, “the Windows threat landscape hasn’t changed much in the past year…” Realistically, that’s no better news than claiming the yapping dog next door hasn’t been barking much louder than usual. One important trend that SophosLabs reported was an increased concentration of attack payloads nested in Microsoft Office applications such as Word and Excel. Droppers like these execute macros inside Windows documents to deliver their payload, turning innocent-looking files into landmines. If anything, these improvements in the world of Office exploits translate into shorter attack time frames and more efficient exploits.
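The two layers this page keeps coming back to are header checks and attachment checks on inbound mail: the email security overview above describes scanning headers, URLs and attachments, and the paragraph just above describes droppers that hide macros inside Office documents. The Python below is an added example, not code from the original post or from any vendor it names; it parses a constructed `.eml`, pulls SPF/DKIM/DMARC verdicts from the `Authentication-Results` header, and flags attachments that can carry macros or executable code by extension, by the OLE2/OOXML magic bytes, and, for OOXML containers, by the presence of a `vbaProject.bin` entry (which is how a macro-enabled document is stored even when it is renamed to `.docx`). The sample message, the `triage`/`classify_attachment` function names and the extension lists are all assumptions made for this example.

```python
"""Defender-side triage of inbound mail: authentication verdicts + macro-capable attachments.

Added example, not from the original post or any product it describes. The sample
message below is constructed; the extension lists are a starting point, not a standard.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}      # assumed list
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat", ".ps1"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls) header
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.xlsm/...) is a zip


def ooxml_has_vba(payload: bytes) -> bool:
    """Macro-enabled OOXML files store their VBA project as vbaProject.bin inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons (possibly none) this attachment should be held for sandboxing."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")
    if payload.startswith(OLE2_MAGIC):
        # Legacy format: the extension says nothing about whether VBA is embedded
        reasons.append("OLE2 container (legacy Office, may embed VBA)")
    if payload.startswith(ZIP_MAGIC) and ooxml_has_vba(payload):
        # Catches a renamed .docm/.xlsm that claims to be a plain .docx/.xlsx
        reasons.append("OOXML container with vbaProject.bin")
    return reasons


def auth_failures(msg: EmailMessage) -> list:
    """Collect every spf/dkim/dmarc verdict in Authentication-Results that is not 'pass'."""
    failures = []
    for header in msg.get_all("Authentication-Results", []):
        for part in str(header).split(";")[1:]:      # element 0 is the authserv-id
            part = part.strip()
            for mech in ("spf", "dkim", "dmarc"):
                if part.startswith(mech + "="):
                    verdict = part[len(mech) + 1:].split()[0]
                    if verdict != "pass":
                        failures.append(f"{mech}={verdict}")
    return failures


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether it should be held for deeper analysis."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"auth": auth_failures(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings["attachments"][name] = reasons
    findings["hold"] = bool(findings["auth"] or findings["attachments"])
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' whose .docx is really a zip carrying vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, not real VBA
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg["Authentication-Results"] = (
        "mx.example.test; spf=fail smtp.mailfrom=example.test; dkim=none; dmarc=fail"
    )
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The point of checking the container rather than trusting the filename is the one the paragraph makes: a dropper's document looks innocent, so the decision to hold it for sandbox detonation has to come from what the bytes contain and from whether the sending domain actually authenticated, not from the name the attacker chose.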

What It Means for You

Like years past, the most likely attack vector against your organization in 2018 will be an attachment in your inbox. However, expect phishing attempts that are more deceptive, more persuasive, and, should you fall victim, more unforgiving. Tag-teamed with a blossoming ransomware-as-a-service sector, Windows exploits will be deployed more dynamically than ever. The turnaround time between a new vulnerability being discovered and an attack payload being built to exploit it is shrinking.

3. Cybercriminals As Opportunistic Hunters

The bad guys are wasting less of their time on targets that won’t pay up. That’s bad news for those of us that don’t have the luxury of choice. The healthcare, government, and education industries will have inescapable targets looming over their heads throughout 2018. Healthcare in particular is already attacked more frequently than any other sector. Each instance of ransomware attack is an experiment in which criminals are learning who will convert into a sale and which targets are least prepared.

What It Means for You

Cyber crime is a growing industry, and like any budding industry, its players are piecing together their target audience and exploring strategies to shorten their “sales funnel.” With ransomware, that’s accomplished by targeting critical infrastructure, medical records, and sensitive financial information. If your industry touches on those goalposts, you’ve probably made it onto the bad guys’ shortlist.

How Can I Prepare for 2018?

Adware, spyware, and viruses are all very much real and salient worries. But let’s not kid ourselves about who the big bad final boss is on this level: ransomware. Any industries that could find themselves staring down the barrel of a custom-designed exploit kit should be preparing for that possibility by putting preventative measures in place. Step one is as easy as learning as much as possible about ransomware, so why not hop over to our article “Ransomware Warfare: How to Protect Your Files From Hostage Takers” to brush up on your safety basics?

Sophos Intercept X is a powerful weapon that most organizations should be adding to their arsenal. Intercept X is designed to run alongside any other endpoint applications on your system, so most network environments will welcome it. Intercept X is built to go toe-to-toe with zero day threats because Sophos analyzes threats based on behavior rather than known signature. Behavior-based scanning ensures that even if an attack has never been documented before, it’s still going to get the ax if it walks like ransomware, talks like ransomware, and smells like ransomware. In an era of bespoke and rapid-deployment ransomware, we can no longer rely on only fighting the enemies we’re familiar with.

However, the most impressive feature of Intercept X is its ability to literally roll back damage from ransomware that lands on your system. Even if ransomware makes it onto your network and manages to encrypt a few files, Intercept X will be able to shut the attack down, restore your files, and reverse the damage right before your eyes. In fact, you can watch it demonstrated in this one-minute video:

Remember, an organization is only as secure as its employees make it. Human error will occur. Honest mistakes happen. But if the worst happens, Intercept X will be there to clean up.

Learn more about Intercept X or take it for a FREE 30-day trial

3 Things to Learn from Google’s Latest Report on Stolen Credentials

Over the last year, Google has teamed up with the University of California, Berkeley and the International Computer Science Institute to collect, analyze, and report data on the contemporary landscape of black-hat email credential theft. Between March 2016 and March 2017, Google anonymously inserted themselves into private forums, credential trading markets, and dark web paste sites in order to learn how the bad guys looking to steal your login and password information are operating and evolving in the modern era. Or, as Kurt Thomas et al., authors of the study, put it, Google’s newest study “presents the first longitudinal measurement study of the underground ecosystem fueling credential theft and assesses the risk it poses to millions of users.” So what does all that mean for you? Let’s break down the numbers and outline 3 major takeaways from Google’s study to understand how miscreants are trying to compromise your email security.

This study analyzed databases of purportedly stolen email credentials throughout 2016. Of these datasets, roughly 788,000 credentials were the result of keyloggers, 12.4 million were sourced from phishing kits, and 1.9 billion were exposed in larger data breaches.

1. The Bad Guys Are Staying Up-To-Date. Are You?

If you’ve considered beefing up your security infrastructure but decided that it’s probably safe to lag a year or two behind the latest technology, you’re being outclassed by the competition. Online black-hat forums distribute pre-built phishing kits and keyloggers with thousands of variants and iterations to ensure that they stay on the cutting edge of cyber crime. Google’s study identified over 4,000 different strains of phishing kits available in 2016, and that’s only the variants they DID find.

The bad guys aren’t making off with only information from old, unused, or abandoned accounts. 7% to 25% of recovered credentials matched the current login credentials of the accounts they were stolen from. (Don’t worry, Google made sure to reset any compromised accounts they identified!) Phishing kits in particular showed troubling results in this area: a whopping 25% of the stolen data that Google reviewed matched current, usable login credentials. The study concluded that victims of phishing kits are 400 times more likely to be successfully hijacked than an average user.

2. Corporate Phishing is a Cyber Gold Rush

Prospector Jeevekins was right about the dangers of unsecure email

That old prospector was right when he warned us all about the dangers of social engineering in the age of communication. During their research period, Google detected 234,887 instances of potentially valid credentials being transmitted to an exfiltration point (bad guys’ email) per week. Read that statement again. Not 234,887 attempts. 234,887 successful transmissions of potentially valid credentials per week. The estimated success rate for a phishing kit is 9%.

  • Phishing kits were largely aimed at victims located in the United States, with just shy of 50% of identified victims’ geolocations based in the U.S.
  • 83% of phishing kits collect geolocation data in addition to login credentials
  • 40% collect financial information such as credit card data
  • 18% collect phone numbers
  • 16% collect User-Agent data such as the browser, device, and platform in use at the time of the attack
  • 9% collect social security numbers

3. “Stronger Passwords” Can Only Do So Much

Increasingly, organizations are coming to terms with the fact that a simple login/password combination is the bare minimum when it comes to email security. Even salted, hashed passwords are proving flimsy under scrutiny: Google’s report estimates that almost 15% of the stolen credentials in their study were hashed using MD5 and 10% with SHA-1, both fast hash functions that offer little resistance to brute-force guessing.

To make matters worse, it can hardly be said that victims are learning from their mistakes. Research indicated that of victims that had their credentials stolen, only 3% later chose to switch to a two-factor authentication process as opposed to a simple login/password combination.

What Can I Do About It?

These numbers may be grim, but so long as organizations are as dedicated to email security as the bad guys are to stealing data, there is hope. Increasing usage of two-factor authentication as well as password management apps means that the business world’s approach to cyber security is begrudgingly moving past the bare minimum. An even more secure future can be found in various email security subscriptions, encryption services, and anti-virus/anti-spam clients. Here are a couple of recommendations for products that can prevent your login credentials from winding up on a black market spreadsheet.

Email Encryption

Email encryption is the process of encrypting the content of outbound messages to prevent third parties from intercepting and reading that data. In many cases, this means the readable plain text has been scrambled into cipher text that can only be unjumbled with the recipient’s private key, the counterpart of the public key used to encrypt the data. Email encryption services are usually subscriptions that bundle additional features alongside message encryption.

  • Record ID Matching: Scans outbound content for sensitive information before delivery
  • Attachment Scanning: Probes potentially harmful attachments to ensure safety before opening
  • Predefined Compliance Policies: Built-in policies designed to be easily deployable for common problems and compliance issues such as HIPAA or PCI
  • Approval Boxes: Allows you to preview unverified emails before they are released into your network


TotalSecure Email

SonicWall TotalSecure Email provides complete protection for both inbound and outbound e-mail by providing award-winning anti-spam, anti-virus, anti-phishing, and policy and compliance management in one easy-to-use solution. For larger organizations there is simply no easier way to get complete email security. TotalSecure is a comprehensive package that holistically protects your inbox’s attack surfaces from every conceivable angle of attack by bundling several useful subscriptions together into a single strategy.

  • McAfee Anti-Virus: To keep the bugs at bay
  • SonicWall Time Zero: Protection from zero-day threats, focusing on the time frame between initial detection and receiving signature-based solutions
  • Corporate Phishing Protection: Uniquely identifies phishing attempts and enables admin to handle them independently from spam
  • Email Policy Management: Allows admin to quickly create and enforce corporate compliance policies
  • End-User Spam Management: Delegates spam management to end-users, reducing false positives and easing the load on your IT guys


Want to see Google’s research for yourself? Download the PDF.

Taming the Hidden Cobra: The DPRK’s malware brigade

What is Hidden Cobra?

While it may sound like the final technique learned from Jackie Chan in a young adult movie, Hidden Cobra is actually the moniker given to state-sponsored actors conducting cyber crime on behalf of the North Korean government. Before federal agencies reported on the activities of the DPRK’s Hidden Cobra, the private sector had dubbed the group Lazarus Group or Guardians of Peace. Hidden Cobra is an extension of the North Korean government and targets both public and private entities with malware, data wipers, DDoS, and SMB worm tools. Known variants of the Destover, Duuzer, and Hangman malware are common fixtures of Hidden Cobra’s modus operandi. In addition, Hidden Cobra is notorious for its powerful DDoS attacks using its denial-of-service tool, DeltaCharlie.

Flushing Out the Snake

Hidden Cobra tends to target systems that run older, unpatched operating systems. The lack of security updates and the plethora of attack surfaces found in obsolete Microsoft operating systems make for low-hanging fruit the serpents are able to reach. A Technical Alert issued by the Department of Homeland Security and the Federal Bureau of Investigation includes a list of IP addresses and network signatures that they consider Indicators of Compromise (IOCs).

Indicators of Compromise

[Clicking will begin a .csv download]

In addition to these IOC’s, DHS has published a Malware Analysis Report detailing the unique functionalities and common tactics demonstrated by Hidden Cobra actors.

MAR 10132963

[Clicking will open a .pdf]

Known Vulnerabilities

As with real snakes, antidotes exist for the majority of Hidden Cobra’s venoms. The following Common Vulnerabilities and Exposures (CVEs) are typical susceptibilities targeted by Hidden Cobra:

If Adobe Flash and Microsoft Silverlight are no longer necessary applications in your system, we highly recommend removing these programs completely.

Delta Charlie

Perhaps the most perilous tool operated by Hidden Cobra is its DDoS tool, DeltaCharlie. Sporting a standard botnet infrastructure, DeltaCharlie is used to launch DNS, NTP, and Character Generation (CGN) attacks. DeltaCharlie disguises itself as an svchost service. The tool can download and run macros, alter its own structure, and start and stop denial-of-service attacks on command.

If You’ve Been Targeted

Report the attack to DHS or FBI – Federal agencies are very interested in keeping tabs on the activity of North Korea’s state-sponsored cyber warfare adjuncts. You can report malware to the DHS here. They will certainly appreciate the information.
Review visitor logs for IOCs – If you suspect Hidden Cobra is responsible for a raid on your network, cross-check records from your perimeter defenses against those IP addresses outlined in the Indicators of Compromise spreadsheet provided above.
Run YARA – For readers unfamiliar with YARA, it is a pattern-matching tool developed by malware researchers to identify malware by textual and binary signatures. The Technical Alert issued by DHS and FBI includes a variety of YARA rule definitions that can quickly and effectively track down signs of Hidden Cobra malware.
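The log review described above, as an added example that is not part of the original post: it loads an IOC list from CSV and flags every perimeter log line whose source or destination address falls inside an indicator. The CSV column layout, the log format and all addresses are constructed for the example (RFC 5737 documentation ranges), not values from the DHS/FBI spreadsheet.

```python
import csv
import io
import ipaddress
import re
from typing import List, Tuple

# Constructed IOC list in an assumed CSV layout (not the layout of the DHS/FBI
# spreadsheet). Addresses are documentation-range placeholders, not real IOCs.
IOC_CSV = """indicator,type,comment
203.0.113.45,ipv4,placeholder C2 address
198.51.100.0/24,ipv4-net,placeholder scanning range
192.0.2.77,ipv4,placeholder exfiltration host
"""

# Constructed perimeter log lines in a generic key=value firewall format.
FIREWALL_LOG = """2017-06-13T02:14:07Z action=allow src=10.0.0.23 dst=203.0.113.45 dport=443
2017-06-13T02:14:09Z action=allow src=10.0.0.23 dst=172.217.3.110 dport=443
2017-06-13T02:16:30Z action=deny src=198.51.100.200 dst=10.0.0.5 dport=445
2017-06-13T02:17:02Z action=allow src=10.0.0.41 dst=192.0.2.77 dport=8080
2017-06-13T02:18:45Z action=allow src=10.0.0.41 dst=93.184.216.34 dport=80
"""

# Matches "src=1.2.3.4" and "dst=1.2.3.4" fields in a log line.
IP_FIELD = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_iocs(csv_text: str):
    """Parse the IOC CSV into (network, comment) pairs.

    Single addresses become /32 networks so one membership test covers
    both host indicators and CIDR ranges."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
        except ValueError:
            continue  # skip a malformed row instead of aborting the review
        nets.append((net, row.get("comment", "")))
    return nets


def match_log(log_text: str, iocs) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, direction, address, comment) for every src/dst
    field that falls inside an IOC network."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp = line.split(" ", 1)[0]
        for direction, addr_text in IP_FIELD.findall(line):
            addr = ipaddress.ip_address(addr_text)
            for net, comment in iocs:
                if addr in net:
                    hits.append((timestamp, direction, addr_text, comment))
    return hits


def review(csv_text: str = IOC_CSV, log_text: str = FIREWALL_LOG):
    """Cross-check the log against the IOC list and print each hit."""
    hits = match_log(log_text, load_iocs(csv_text))
    for ts, direction, addr, comment in hits:
        print(f"{ts} {direction}={addr} matches IOC ({comment})")
    return hits


if __name__ == "__main__":
    review()
```

Point `review()` at the downloaded CSV and an export of your own firewall logs; the regex only needs adjusting if your appliance names the address fields differently.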

Preventing Hidden Cobra Attacks

Limit admin privileges – We’ve talked about this one before. When an attacker gets into your system, you don’t want everyone inside carrying around skeleton keys.
Update your firmware – Hm. This one sounds familiar too. The straightforward warning: the older your operating system, applications, or security patches, the more likely you are to be on the receiving end of cyber crime. This is as self-explanatory as comparing a modern digital security system to a string of rattling cans strung across the lawn.
Go invite-only for your applications – The practice of whitelisting applications drastically cuts down potential attack surfaces in your network. In short, whitelisting allows only prescreened applications to run on your system. If it’s not on the list, it stays outside.
Leverage your firewall – Firewalls provide gateway security, content filtering, IP whitelisting, application controls, user groups, and more. There are a vast number of security options available to organizations to protect their data against the likes of Hidden Cobra, but most of them require a firewall appliance to operate. Think of your firewall as the command center of your security infrastructure. Next-generation firewalls are platforms designed to provide all of the security resources you need in one powerful appliance, known as Unified Threat Management.

Learn about UTMs offered by our manufacturer partners!



PHISHING ALERT: The Better Business Bureau warns members about fraudulent emails

Companies are being urged to think twice before opening notices of complaint from the BBB as an intense phishing campaign targeting business owners ramps up. An email from the Central Indiana branch of the BBB issued statements claiming that the “BBB name and logo are being fraudulently used by criminals” in a social engineering scheme.

Fraudulent emails are delivered under the guise of a violation complaint. Over 100 malicious websites have been shut down in response to attempts over the last few days.

Here are signs that you’re being targeted:

1. Check BBB emails to ensure details look legitimate. Poor formatting, typos, grammar mistakes, and generic form field greetings are all signs of a phishing email.
2. Double-check the sender’s email address. Does it appear accurate?
3. Do not click, save, or open any attachments or links.
4. Social engineers take advantage of fear, urgency, and doubt to rush targets into a rash decision. If an email asks you to take a specific action (like opening an attachment) to maintain your account or rating, think twice.

If you believe that you may be the target of a phishing email, follow these steps:

1. Delete the email and ensure that you empty your recycling bin.
2. If you clicked any links or opened attachments, immediately change your log-in credentials.
3. Watch your finances. If you see any unexpected transactions, you may want to investigate further.
4. Ensure that your endpoint protection is running with all available updates installed.

With proper understanding of social engineering practices, you can stay safe even against emerging threats.

Here’s a quick look at one of the inbox impostors:

[Image: sample BBB phishing email]

The silver lining

Phishing is a topic to discuss in your workplace. This BBB scam represents a prime example of social engineering and cyber security safety that can be dissected for your team. Building a culture of cyber security in the workplace is a best practice that every business should keep on its to-do list. We encourage you to print the sample email provided above, highlight the tell-tale clues of social engineering, and hold a discussion with your staff about email security.

If you found a suspicious BBB notification in your inbox, do your part by reporting the email to phishing@council.bbb.org.

Fortunately, you don’t have to worry about fraudulent emails when you use SonicWall’s TotalSecure Email Protection.


The History of Orpheus’ Lyre: A tale as old as time, a vuln as old as Windows

The world of cyber security and classic Hellenistic Greece are colliding. We are speaking, of course, about the Orpheus’ Lyre security hole making rounds in security news. We’re sounding the Gjallarhorn in hopes that you’ll join us down in the info sec underworld as we discover what three-headed dogs, Thrace, and the granddaddy of the modern guitar have in common with your network.

Setting the Stage – the Classical Age

Orpheus – First mentioned by a sixth-century epic poet named Ibycus and later made famous by the Theban lyric poet Pindar, Orpheus is an epic hero popular in ancient Greek myth. Orpheus is known as a legendary musician with the ability to trick, persuade, and charm his way around obstacles thanks to his supernatural lyre playing. The lyre, which is how the ancient Romans played Wonderwall at insulae parties, is a predecessor of the guitar often mistaken for a harp.

The most famous story of Orpheus is that of rescuing his wife, Eurydice, from the underworld. When Eurydice is attacked by a satyr (mischievous goat-man played by Danny DeVito in Disney’s “Hercules”), she falls into a pit of vipers, is bitten on the heel, and succumbs to their venom. Stricken with grief, Orpheus plays a song so mournful that the gods themselves are moved to tears. They offer him advice: descend into the underworld yourself and strike a deal to get Eurydice back. Orpheus descends into the underworld, soon finding himself face-to-face with the ferocious Cerberus, guardian of the gates into the underworld. Orpheus tames Cerberus with some hot lyre riffs and snags an appointment with Hades, lord of the underworld, to successfully negotiate the return of Eurydice to the world of the living. Unfortunately, the tale takes a turn south from there, with Orpheus falling for the classic religious no-no of “looking behind you” while fleeing. Because he peeks back over his shoulder during their exit from the underworld despite clear warning from Hades, Eurydice vanishes forever. Orpheus is later torn apart by a wandering band of vicious feral women upset by Orpheus snubbing their favored rock n roll god.

Cerberus – The hound of hell, three-headed guardian of the underworld, son of Tartarus-bound Typhon and Echidna. Cerberus has made cameos in “Harry Potter & the Philosopher’s Stone”, several Disney movies, and almost every RPG with a summoning system. This tri-skulled canine is among the most prominent icons for gatekeeping and security around. In the legends of Orpheus, Cerberus succumbs to the honey-sweet grooves of a lyre to allow the legendary musician to pass where countless others had failed.

Heimdallr – Heimdallr and his namesake are only peripheral references in our story, so let’s make this quick. Heimdallr is a Norse god that carries a giant horn, Gjallarhorn, and is said to be an ever-vigilant sentry watching for the inevitable approach of Ragnarok, which is like a Rammstein music video version of the apocalypse.

Setting the Stage – The Information Age

Orpheus’ Lyre – Orpheus’ Lyre is the name given to a vulnerability in the Kerberos network authentication protocol and the exploit that targets it. A patch for Orpheus’ Lyre was published with the Windows July 2017 security patches.

Kerberos – Kerberos is a security protocol that has been utilized by Windows for over 20 years. Kerberos is a “ticket” system in terms of security. Rather than exchanging unique authentications with each of the several servers you may request access to, Kerberos acts as a central authority, distributing “server tickets” that come pre-written with encrypted data detailing what server you requested access to, how long your authentication is valid, and more. Think of Kerberos as the guy whose only job is to tear your ticket stub off at the movie theater. You can go buy your movie tickets at the will-call desk, on Fandango, or from the sketchy guy out front who for some reason has 60 extra tickets to “The Emoji Movie.” But if you want into a screening room (server), you must stop at the kiosk in the lobby and have your ticket checked.

Heimdal – Heimdal is one of two common variants of Kerberos. The other variant, MIT Kerberos, was developed by the Massachusetts Institute of Technology and is leveraged by Windows for a majority of network security uses while Heimdal Kerberos is generally supported by smaller operating systems. While the July 2017 Windows security patch addressed exploits in MIT Kerberos, Heimdal Kerberos is still at risk. Look for patches for Heimdal to be released by Apple in the future.

How does it work?

Great, so some cyber attackers came up with clever pet names for their project. What does this thing actually do?

Keep in mind the analogy above, in which Kerberos is the primary ticket-checker of a Windows network’s security apparatus. Since these tickets are packets of encrypted data, let’s add that they are transported in opaque envelopes. When a packet approaches Kerberos, the security protocol opens the envelope, records the information inside, and routes the packet to its destination. However, there’s a catch. Some of that data, seemingly innocuous stuff like which server you’re traveling to, is also written on the outside of the envelope in plain text.

So what if someone could convince the ticket-checker, Kerberos, that the plain text scribbled on the outside of the envelope is actually the secure data encrypted inside? In the case of Orpheus’ Lyre, that is enough to receive a positive authentication and gain open-ended access to a server. Now you have a packet slipping past the ticket-checker carrying an envelope with mysterious contents. And you know what happens when someone figures out how to sneak something past gateway security!

For reasons unknown to the modern world, when Kerberos was designed long ago, its designers felt the need to duplicate some data from inside the packet and paste it as plain text on the outside of the packet. The Orpheus’ Lyre exploit takes advantage of this short-sighted slip by convincing Kerberos that the plain text authentication data (which can be easily modified) is, in fact, the encrypted data inside, which cannot be modified. In short, Orpheus’ Lyre takes advantage of the fact that Kerberos is forced to choose between two sets of similar data, and the exploit influences Kerberos to choose the version that attackers are able to modify.

So the attacker buys a movie ticket for “The Emoji Movie” at 8:00 pm. He grabs an eraser, rubs out the modifiable data on the envelope, and writes “Dunkirk” at 8:30. He approaches Kerberos, the ticket-checker, flashes the modified data in a convincing manner, and strolls on into the lobby. Now that the attacker has been granted access, he is free to mosey about the corridors, popping his head into whatever screening room he feels like.

Or, to carry the theme of Greek mythology, Orpheus descends into the underworld and charms Cerberus, the hell hound, with his magical lyre and is free to traipse around the land of the dead at his leisure.
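The envelope analogy as an added example in Python (not code from the original post, and not Kerberos itself): a toy reply carries the same fields twice, in an unprotected outer copy and in a sealed copy, and the pre-fix client reads the outer copy while the fixed client verifies and reads only the sealed one. The HMAC seal stands in for the encryption Kerberos applies to the inner part; the key, field names and ticket names are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key standing in for the session key the KDC and client share.
SESSION_KEY = b"constructed-demo-session-key"


@dataclass
class Reply:
    """Toy stand-in for a KDC reply.

    The same fields travel twice: once in `plain`, the unprotected outer copy
    anyone on the path can edit, and once in `sealed`, whose HMAC `tag` can
    only be produced by a holder of SESSION_KEY."""
    plain: dict
    sealed: bytes
    tag: bytes


def _tag(sealed: bytes) -> bytes:
    # HMAC-SHA256 models the integrity Kerberos gets from encrypting the inner part.
    return hmac.new(SESSION_KEY, sealed, hashlib.sha256).digest()


def kdc_issue(server: str, valid_minutes: int) -> Reply:
    """The KDC writes the fields inside the envelope and again on its outside."""
    fields = {"server": server, "valid_minutes": valid_minutes}
    sealed = json.dumps(fields, sort_keys=True).encode()
    return Reply(plain=dict(fields), sealed=sealed, tag=_tag(sealed))


def modify_outer_copy(reply: Reply, server: str) -> Reply:
    """Model the analogy's eraser: only the outer plaintext copy changes; the
    sealed copy and its tag are untouched because the key is not known."""
    edited = dict(reply.plain)
    edited["server"] = server
    return Reply(plain=edited, sealed=reply.sealed, tag=reply.tag)


def sealed_copy_is_authentic(reply: Reply) -> bool:
    """Integrity check on the inner copy, with a constant-time tag compare."""
    return hmac.compare_digest(_tag(reply.sealed), reply.tag)


def vulnerable_client_parse(reply: Reply) -> str:
    """Pre-fix behaviour: trusts the server name written on the outside."""
    return reply.plain["server"]


def fixed_client_parse(reply: Reply) -> str:
    """Post-fix behaviour: verify the sealed copy and read the server name
    only from it; the outer copy is ignored entirely."""
    if not sealed_copy_is_authentic(reply):
        raise ValueError("sealed part fails integrity check; discard reply")
    return json.loads(reply.sealed)["server"]


def copies_disagree(reply: Reply) -> bool:
    """Detection hook: an authentic reply whose outer copy differs from its
    sealed copy was altered in transit and is worth logging an alert on."""
    return (sealed_copy_is_authentic(reply)
            and json.loads(reply.sealed)["server"] != reply.plain["server"])


if __name__ == "__main__":
    genuine = kdc_issue("emoji-movie-8pm", 30)
    altered = modify_outer_copy(genuine, "dunkirk-830pm")
    print("vulnerable client sees:", vulnerable_client_parse(altered))  # dunkirk-830pm
    print("fixed client sees:     ", fixed_client_parse(altered))       # emoji-movie-8pm
    print("copies disagree:       ", copies_disagree(altered))          # True
```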

How do we keep Orpheus and his Lyre out?

Luckily, Microsoft has done most of the legwork for you. The Windows July 2017 patch for CVE-2017-8495 includes a fix for Orpheus’ Lyre, at least in regard to MIT Kerberos. If you do not use Windows, keep an eye peeled for a patch coming down the pipe from Apple. As long as you are a good cyber security warrior and keep your security patches up to date, you should be fine!


Looking for a hell-hound of your own to guard your network?


Ransomware Warfare: How to protect your files from hostage takers

Ransomware represents one of the greatest threats to your data with studies indicating that ransom takers are specifically turning their focus towards smaller networks. Fox Business claims that 43% of ransomware targets in 2015 were small to medium-sized businesses. With the recent trouncing received by the IT world at the hands of WannaCry, network invaders are becoming emboldened to encrypt your data and stash it away until you pay up. And with a staggering 70% of business owners deciding to fork over the money, the incentive is strong. Ransomware is making a killing and your network may be next in front of the firing squad. But with the right know-how and cyber security culture in your office, you can survive the bloody war against malware.

[Infographic: Ransomware 101]
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” –Sun Tzu, about ransomware


How to Stay Safe

File Backup & Recovery Process

Businesses often become so wrapped up in the fight against malware that they forget the old-fashioned dangers of the world: floods, fires, famines (okay, maybe not so much), break-ins, mobile devices dropped down airplane toilets, tablets crushed in a fit of furious rage following a nasty Yelp review. The list goes on. Luckily, your IT department has years’ worth of readily available file backups, right? Just as we continue practicing tornado drills and fire evacuations, we should perpetually practice procedures for catastrophic data loss. Understand your recovery process and ensure that file backup is delegated to an accountable party. If the worst should happen and you find your files locked away by the Ransomware Bogeyman, you can let out a sigh of relief knowing that multiple copies of your precious data are stowed away in the closet or on the cloud.

Data Encryption

Did you know that banks leave thousands of dollars in cash just sitting on the street corner every day? Yes, ATMs nationwide go unrobbed routinely because they are locked down tighter than Fort Knox. Good news! This approach can work for your data as well. By encrypting the data on your network, you can prevent network intruders from walking away with your files even if they manage to force their way into the system. Imagine the look on a burglar’s face when he walks into a house where everything is locked up in heavy-duty safes.

Disable Macros

Microsoft disabled the automatic execution of macros in email attachments years ago, and for good reason. In a textbook example of social engineering, some phishers will try to persuade users to enable macros on email attachments. If ever you are encouraged to enable macros, the request should be treated as more than a red flag. It’s a whole red flag factory. Double-check that your email settings keep macros disabled.

Email Attachments

The classic rule of thumb for attachments is to never open one if you’re unfamiliar with the sender. VBA droppers are an increasingly common delivery system for ransomware and can be packed away within several layers of file types like Russian nesting dolls or a data-thieving turducken. Even a seemingly harmless PDF file can hold an executable that launches a Microsoft Word file, which in turn is set up to launch an RTF file, and so forth until a VBA dropper lands on your computer before you know what’s happened. So yes, it is time to have another all-hands meeting to drone on and on about not opening attachments from strangers. Seriously, your users are still opening suspicious attachments. Right this second (probably).

Administrator Access

Your custodian doesn’t require administrator-level access to your network. In fact, very few of your employees should be given this level of clearance. The reason why? If attackers do manage to break in, you don’t want all of your users walking around with skeleton keys. Mitigate potential damage to your system by ensuring that employees are able to access and utilize the tools they need without requiring administrative access. For a better look at how not to tighten up your administrative model, check out how the NSA took a crack at it.

System Updates & Patches

WannaCry was a painful learning experience for many network administrators. For those of you still unaware, Microsoft released a patch that prevented the exploits targeted by WannaCry on March 14, 2017, a full two months before the May 12th ransomworm tore the world a new one. There is a very solid line separating those affected by the worm and those that were not: those of us who made it out unscathed (all of Firewalls.com’s customers, btw) kept our security patches up to date!

The war against ransomware is never-ending and we understand if morale is low. But your network is too important to leave to chance. The data doesn’t lie: ransomware attacks are on the rise and their campaign is turning towards small and medium-sized businesses. Let Firewalls.com be your private army in the battle against ransomware. We’re mean. We’re lean. We’re bad guy fighting machines.