SonicWall – Equifax Data Breach: What Can We Learn?
Equifax just rolled into the history books as the victim of one of the most widespread and dangerous data breaches of all time. The breach happened on March 10, 2017, at which time the cyber criminals leveraged the critical remote code execution vulnerability CVE-2017-5638 on Apache Struts2. This attack highlights the value of an Intrusion Prevention System (IPS) and virtual patching security technologies.
SonicWall developed definitions for this vulnerability for our Intrusion Prevention Service and afterward saw a large growth of IPS hits by the beginning of the third week of March 2017. The first lesson we can gain from the data is how quickly hackers rush to exploit a critical vulnerability (see chart below).
Every announcement of this magnitude is like Black Friday for hackers. Also, seeing this one attack highlights how, in 2016, SonicWall blocked over 2.6 trillion IPS attacks on customer systems.
This means if there is a critical patch you either need to install it ASAP or have an automated solution in place that can block related attacks such as IPS (Learn how IPS works) until you can do so. This is the same lesson everyone should have learned years ago, if not since WannaCry. In fact, had people patched after WannaCry, none of us would have heard of NotPetya.
However, many believe that the conventional wisdom of patch and train is ultimately not working. If manual patching of vulnerable systems worked, why would the number of breaches continue to escalate?
A 2016 survey from Black Hat showed that even people who rate themselves as very knowledgeable about IT security can be coerced into clicking phishing links in emails. So, it seems that training alone is not the answer either.
We at SonicWall think there is a better way. We believe in automating as much of the protection as possible — on the network, for email, for mobile users, on Wi-Fi and at the endpoint. That is why we built our automated real-time breach prevention and detection platform. It’s why we believe in cloud-based, zero-day protection, and also why we built the Capture Advanced Threat Protection sandbox service into every element of our platform.
So, what can you do to keep yourself safe against these IT weak spots? Here is a list of best practices for staying safe in today’s dynamic, fast-moving threat landscape:
- Implement automated real-time breach prevention. Deploy SonicWall next-generation firewalls with Gateway Anti-Virus and Intrusion Prevention Services (GAV/IPS) to stop known attacks like those on the critical Apache Struts2 vulnerability. SonicWall’s Deep Learning Algorithm, which learns from over 1 million sensors deployed around the globe, with the ability to push out real-time updates within minutes within GAV/IPS.
- Use cloud-based sandboxing. Leverage SonicWall Capture ATP, our multi-engine cloud sandbox to discover and stop unknown attacks, such as new ransomware attacks.
- Inspect TLS/SSL traffic. Because of the rise in malware being encrypted, always deploy SonicWall Deep Packet Inspection of all TLS/SSL (DPI-SSL) traffic. This will enable SonicWall security services to identify and block all known ransomware attacks.
- Defend against phishing attacks. Implement advanced email security, such as SonicWall Email Security, that leverages malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65 percent of all ransomware attacks happen through phishing emails, so this needs to be a major focus when giving security awareness training.
- Filter malicious content and sources. Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
- Never stop patching. Apply the latest patches on all of your systems. Implement policy to ensure it happens and be consistent in verifying it is being followed.
- Improve attack awareness. Train your users to shut off their computers if they suspect a malware infection. While their machine is likely compromised, this practice well help limit malware from using the endpoint as a launching point into the network.
- Back up data. It is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event. For larger organizations, build redundant disaster recovery and business continuity plans to ensure operations are not impacted.
For more information, download 10 Ways to Securely Optimize Your Network.