Some recent estimates are putting the hacking industry at three to five times the size of the market for cyber-security. So it’s fair to say that this is a profitable time to be a cybercriminal – and a productive one, too. With multitudes of files, email messages (and more importantly, email attachments) moving between individuals and organizations every day, there’s plenty of scope for unsuspecting victims to be lured into traps or lax behavior, and for malicious code to be transmitted.
In hopes of protecting their systems and data, many organizations have been relying on firewalls, anti-virus software, the segmenting of networks, and other measures. But with attackers now prepared to play a waiting game and stage sustained assaults on a scale that’s bigger than their component parts, traditional security methods are finding it difficult to cope.
Hackers today also have access to funds and resources that enable them to more effectively probe for undiscovered weaknesses in software and operating systems, and to custom tailor malicious code.
With known malware being downloaded every six minutes, and previously unknown malware now being downloaded every 34 seconds on average, there’s a real need for security technologies that match the ingenuity and staying power of the tools available to cyber-criminals. One of these technologies is sandboxing.
What is Sandboxing?
Just as the sandbox in a back yard can keep children safe and separate from what’s going on around them, digital sandboxing sets up a safe environment where suspicious files and programs may be studied to determine their effect – without compromising critical systems and data. Executable files and documents may be captured and isolated in a virtual machine or “emulator”, where they are run and subjected to a deep analysis.
Sandboxing is a strong avenue of defense in an environment that’s becoming increasingly treacherous.
Individuals and organizations are locked in a constant battle with cyber-criminals. In the past year alone, some researchers have recorded a 73% increase in instances of unique malware – code that in many cases had never been seen before, spread across a variety of operating systems and devices.
It’s impossible to protect against the unknown – and the current wave of cyber-threats includes attacks that even the most powerful anti-virus, anti-bot, or intrusion prevention systems (IPS) can’t stand up against.
Zero-day attacks target previously undetected software vulnerabilities for which the manufacturer has not yet issued a patch or fix. Systems remain vulnerable for as long as it takes for the flaw to be discovered and any compromise to be noticed – and until the software vendor releases a fix. This period could be anywhere from several hours to several months, or years.
Attacks may target specific applications, an operating system, a database, or a platform. Because the zero-day attack vector has no recognizable file signature, it goes undetected by standard anti-virus and other signature-based technologies, by IPS, and by other analysis methods that depend on prior knowledge of the threat.
Existing exploits may also be encrypted, tweaked, or disguised to produce unknown strains of malware with signatures that won’t appear on any security database.
Advanced Persistent Threats (APTs)
Nation states or organizations with significant funding and resources may use multiple attack techniques over a sustained period, to target rival governments, individuals, or corporate bodies. The attacks may consist of many small events which in themselves seem relatively minor, but are all actually part of an orchestrated campaign.
The goal is typically sabotage, or gaining access to critical data and assets. And the tools employed are specifically designed to be evasive, infiltrating systems without detection, and engineered to avoid drawing the attention of conventional security solutions.
The prevalence of zero-day attacks and advanced persistent threats highlights the dilemma facing security solutions which rely on spotting known activities or the file signatures associated with known variants of malware: if the malicious activity is unseen, unknown, or based on malware which hasn’t previously been encountered in the wild, any such protections effectively become useless.
That’s why cyber-criminals are enjoying such success from using tactics which involve the creation of unknown malware, and the use of malicious code and targeted attacks designed to evade the defenses offered by signature-based security and analysis tools.
Traditional sandboxing deployments run suspicious files in an environment outside the network, which imitates the operating system (OS) under which those files would typically be run. Sandbox tools are then used to simulate the various conditions under which a user might open or run the suspect file. Throughout the process, there’s monitoring to observe if these actions trigger anything dubious or unanticipated.
Some first generation sandboxes can detect unknown malware, but lack the capability to actually block it. And these OS-level solutions tend to be slow, and can only detect malware once it’s running – which could be at a catastrophic stage for your business, if it’s been running undetected for any length of time.
Knowing this, attackers have responded with malware capable of detecting the presence of virtual sandboxes, which simply doesn’t run once it senses its location, and with delayed-action tools that may not behave as malware for several days, weeks, or months – effectively remaining invisible to standard tests. Other variants wait for signs of a real user, such as mouse movements, before acting, or arrive as encrypted email attachments that the sandbox cannot open on its own.
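The two evasion tactics just described, stalling and waiting for user interaction, leave traces in the sandbox's own API-call log. The following added example (not the article's or any vendor's code) runs simple heuristics over a constructed trace; the log format, thresholds and API names are assumptions for illustration, and a flagged sample would be re-detonated with sleep acceleration or synthetic input rather than being declared clean.

```python
"""Evasion heuristics over a sandbox API-call trace (added example).
The trace format "<seconds> <api>(<args>)" is hypothetical; the API names
mimic common Windows calls but the log lines below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed trace: repeated cursor polling followed by very long sleeps.
SAMPLE_TRACE = """\
0.01 GetCursorPos()
0.02 GetCursorPos()
0.03 GetCursorPos()
0.04 GetSystemInfo()
0.05 Sleep(600000)
0.06 Sleep(600000)
0.07 Sleep(600000)
0.08 CreateFileW(C:\\Users\\victim\\report.docx)
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<api>\w+)\((?P<args>.*)\)$")

# Thresholds an operator would tune; the values here are illustrative.
STALL_SECONDS = 300   # cumulative requested sleep that looks like stalling
POLL_LIMIT = 3        # input polls before we assume it waits for a human
INPUT_POLL_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}

@dataclass
class Verdict:
    sleep_requested: float = 0.0   # seconds the sample asked to sleep in total
    input_polls: int = 0           # calls that check for user activity
    flags: list = field(default_factory=list)

def analyse(trace: str) -> Verdict:
    """Return evasion indicators found in the trace and the re-run they call for."""
    v = Verdict()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # tolerate malformed monitor output instead of aborting
        api, args = m["api"], m["args"]
        if api == "Sleep":
            v.sleep_requested += int(args) / 1000   # Sleep() takes milliseconds
        elif api in INPUT_POLL_APIS:
            v.input_polls += 1
    if v.sleep_requested >= STALL_SECONDS:
        v.flags.append("sleep-stalling")        # re-run with accelerated clock
    if v.input_polls >= POLL_LIMIT:
        v.flags.append("waits-for-user-input")  # re-run with synthetic mouse/keys
    return v
```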
Sandboxing has had to evolve. Advanced sandboxing solutions don’t only rely on operating system-level tools for detection and blocking. They also monitor activity at the CPU instruction level, when an exploit first attempts to gain privileges from the operating system to allow it to run. By working at the CPU level and focusing on exploits, advanced sandboxes can detect unknown malware in data files before it has a chance to execute, and deploy the tools needed to block it.
Advanced sandboxing goes beyond the traditional OS-level analysis by examining activities in the CPU of the sandbox host to detect the use of exploitation techniques. It also detects malware activity at the assembly code level, before the malicious code has a chance to run. So the chances of attackers avoiding detection are reduced to practically nil.
Detection is quicker and more accurate than simple OS-level analysis, and the attacker’s evasion tactics aren’t allowed to extend to the sandbox – so malware can’t bide its time and port itself onto endpoint devices once it leaves. Focusing on the exploitation stage of an attack allows the detection of threats before infection can occur, and permits the detection and blocking of APTs, zero-day threats, and advanced malware which employs evasion tactics.
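One well-known form of CPU-level exploit detection is checking the processor's branch record for returns that do not land immediately after a call and that chain through short instruction sequences, the pattern return-oriented programming produces while an exploit is still gaining control, before any payload runs. The following is an added illustration of that check over a constructed code listing and branch trace (not the article's or any vendor's implementation); real systems read the trace from hardware branch-recording features.

```python
"""Return-target check over a constructed branch trace (added example).
The instruction listing, trace and thresholds below are invented."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    mnemonic: str

# Constructed code listing: address, byte length, mnemonic.
LISTING = [
    Insn(0x1000, 5, "call"), Insn(0x1005, 3, "mov"), Insn(0x1008, 1, "ret"),
    Insn(0x2000, 1, "pop"),  Insn(0x2001, 1, "ret"),
    Insn(0x2002, 2, "xor"),  Insn(0x2004, 1, "pop"), Insn(0x2005, 1, "ret"),
    Insn(0x2006, 3, "mov"),  Insn(0x2009, 1, "pop"), Insn(0x200A, 1, "ret"),
]
BY_ADDR = {i.addr: i for i in LISTING}
INSN_END = {i.addr + i.size: i for i in LISTING}  # instruction ending at an address

def ret_is_call_preceded(target: int) -> bool:
    """A legitimate return lands on the instruction right after a call."""
    prev = INSN_END.get(target)
    return prev is not None and prev.mnemonic == "call"

def gadget_length(target: int) -> int:
    """Instructions executed from target up to and including the next ret;
    0 if the target is outside the known listing."""
    n, addr = 0, target
    while addr in BY_ADDR:
        n += 1
        if BY_ADDR[addr].mnemonic == "ret":
            return n
        addr += BY_ADDR[addr].size
    return n

def analyse_returns(trace, max_gadget=5, chain_limit=3) -> bool:
    """trace: (ret_address, target_address) pairs from a branch recorder.
    True when chain_limit consecutive returns land on non-call-preceded
    addresses that lead to short ret-terminated sequences."""
    chain = 0
    for _ret_addr, target in trace:
        short = 0 < gadget_length(target) <= max_gadget
        if not ret_is_call_preceded(target) and short:
            chain += 1
            if chain >= chain_limit:
                return True   # exploitation technique seen before payload runs
        else:
            chain = 0        # a normal return breaks the suspected chain
    return False

# Constructed traces: an ordinary return, and a chain through three gadgets.
BENIGN_TRACE = [(0x1008, 0x1005)]
ROP_TRACE = [(0x1008, 0x2000), (0x2001, 0x2004), (0x2005, 0x2009)]
```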
Using the Cloud for Sandboxing
Running threat emulations in a sandbox environment may consume considerable resources, so some organizations move this process to the cloud – either as part of a hosted infrastructure, or contracted out to a specialist cloud-based security consultant. Typically, files may be sent to a cloud-based service for emulation and analysis via a secure gateway, or agent software at the client level.
Concerns about privacy or regulatory compliance conditions may require testing to be done in-house – in which case cloud resources may be tapped via dedicated client software installed at an organization’s premises.
Sharing Threat Intelligence
Once a threat is uncovered through advanced sandboxing, the malware involved is no longer unknown, and may be assigned a file signature to be added to the database for other security tools and deployments. Sandboxing may not be required to uncover future attempts to use this malware, which can now be detected by anti-virus programs or intrusion prevention systems.
It’s a good practice for information about newly discovered threats to be shared with other organizations, and advanced sandboxing solutions typically come with reporting tools and links to major online threat intelligence databases.
An all-round security solution for the current threat environment should be a combined affair, with anti-virus, personal and network firewalls, intrusion detection and/or prevention working in concert with an advanced sandboxing deployment that’s proof against the latest threats (known and unknown) – one that’s configured to inspect a wide range of file formats and to block malicious files from gaining access to systems and networks.