The Development of Today’s Malware

A major challenge of network security is that it is now easier than ever to create malware that has never been seen before, which bypasses traditional signature-based detection. Once a threat has been detected and a signature created, attackers can simply repackage it and launch it again.

The rapid increase in zero-day threats is also fueled by the profitability of ransomware. Ransomware-as-a-service is a real thing, making it very easy and affordable to launch successful ransomware campaigns. There are now entire business models, including customer service, built around these offerings.

According to the 2017 SonicWall Annual Threat Report, the SonicWall GRID Threat Network observed a mind-boggling increase in ransomware: from nearly 4 million attack attempts in 2015 to 638 million in 2016.

And we are no longer dealing with just Windows environments. Android is still a prime target and is susceptible to multiple threats, so any defense has to account for multiple operating systems.

A few years ago, network sandboxes were a hot item for dealing with zero-day threats. Those solutions have seen a serious decline in efficacy as new strains of malware are able to avoid sandbox analysis and detection, in most cases simply by recognizing that they are running in a virtual environment and changing their behavior accordingly.

There are a lot of challenges involved, and SonicWall's answer to them is Capture ATP (Advanced Threat Protection). It is a service that we here at Cerdant are recommending to all our customers and one that we feel is an absolute necessity.

So what is Capture ATP?

First of all, it is a cloud-based service that extends the functionality of Generation 6 SonicWall firewalls. All that is needed to use it is the proper firmware and a Capture license. The service includes a multi-engine cloud sandbox: SonicWall has incorporated technologies from VMRay and Lastline to combine a virtualized sandbox, hypervisor-level analysis, and full-system emulation that resists evasion tactics. Because SonicWall hosts this environment, it is scalable and will evolve; it is architected to dynamically add new malware analysis technologies as the threat landscape changes.

It supports a broad range of file types (executables, Office files, PDFs, archives, JAR, and APK) and multiple operating systems. This solves the problem of having only a single sandbox with a single OS, or of trying to maintain multiple sandboxes. The service includes its own set of reports and alerts for quick notification of any malicious detections.

Files are sent to this cloud environment for analysis. To prevent potentially malicious files from entering the network, they can be held at the gateway until a verdict is reached on whether they are malicious.

This service ties directly into the GRID Threat Network as part of SonicWall's existing ecosystem. When a file is identified as malicious, a signature is immediately made available to firewalls with SonicWall Capture subscriptions to prevent follow-on attacks. This is a huge advantage for a Capture subscriber: you are not only leveraging the cloud to analyze and render verdicts on files from your own network, you are also benefiting from what the Capture cloud sees across all Capture subscribers. In addition, the malware is submitted to the SonicWall Threat Intelligence Team for further analysis and for inclusion of its threat information in the Gateway Anti-Virus and IPS signature databases.

Is it resource intensive?

One of the most common questions we get is how much data is sent to the cloud and how fast the service is. In short, cloud-based analysis is fast:

  1. Two seconds was the median processing time per file.
  2. 83% of files are analyzed with a verdict in under five seconds.
  3. An average of 32.6 MB was uploaded daily for each organization; the equivalent of watching a 10-minute YouTube video.

Is it effective?

In a sampling of 300 companies on a single day, Capture ATP identified and blocked 6 zero-day threats and prevented follow-on attacks for subscribers.

This new service is highly effective and extremely simple to deploy. SonicWall has done an outstanding job of addressing a very serious problem with a solution that adds a lot of value to existing devices. We recommend deploying Capture ATP as an effective ransomware and zero-day threat defense, and our experienced engineers can work with you to ensure that our experience translates into a smooth deployment process for you.