A quick thought on how good Sandboxing technologies are ?

These days we hear lot about Advanced Persistent Threat (APT) mitigation techniques and the solutions that could protect us from Zero Day Attacks. Last couple of years the main focus was on Sandboxing solutions. We normally place firewall, IPS/IDS, HIPS, Antivirus solutions as a part of Defence in Depth principle. The limitation in this is most IPS/IDS, HIPS or Antivirus solutions detect and block known malwares as most of them are signature based security solutions. If they don’t have a corresponding signature, then the attack will go unnoticed and will result in exploiting vulnerabilities. I always believe in a principle – Prevention is better than cure.

Think about a hacker. They are not fools. :-) They know that most of the organizations have deployed all these basic layers of protection and will think about using advanced techniques. They will go for a technique where they modify malwares to have unrecognizable signatures to evade the traditional security measures. Once they are able to bypass these systems, they will look for vulnerabilities.

Here comes our old friend “Zero Day Vulnerability”.“Zero-day vulnerabilities” are previously undetected flaws in the software that do not have a current patch or fix. This means if a hacker knows about this vulnerability and if it exists in our organization environment, once they are able to bypass our security systems, they can exploit it. The vulnerability period can be from hours to days till the vendor release a patch or fix. If your organization does not have a good patch management policy, this is where your organization is going to struggle. Having said that, some zero day attacks will carefully execute over a longer period of time to avoid discovery.

Sandboxing is one solution that will help us in mitigating this. In Defence in Depth principle, Sandboxing adds an extra layer of protection as it will divert untrusted files from unverified third parties into a separate, secure environment.  Sandboxing captures an executable file or document and activates that file in a virtual machine or “emulator. In that environment, they can be inspected for malicious code. Based on that inspection, the attachments, files or applications are either allowed or rejected from moving further into the network. This important security technique prevents malicious files or programs from damaging your network or confiscating your information.                                                                                                                                      

Seems to be a good technique, right? Do you think this is good enough to protect from the hackers.

Good Hackers recognize that these safeguards exist on most of the networks and implement evasion techniques. They will write malware that knows whether it is inside a sandbox and with the help of a script it will instruct the malware not to install until it knows it is outside of the sandbox and on an actual end point device. There is another technique hackers will use, “Sleep Timer”. With the help of "Sleep Timer", malware will only open after hours, weeks or days. Once it is moved out from sandbox environment categorizing it as safe, after some hours or days, it will start executing it. Some malwares execute based on the mouse movement which is not possible with most of the sandboxing environments.  This clearly proves that the current technologies are not good enough to protect us from attackers.

Now, what is the option?  Here, the major challenge for us is to address the evasion techniques.

We need to look for a solution that will do deep malware inspection that too in the CPU level which will help to detect the threats earlier before the evasion techniques come into play. And an important thing we should consider while selecting the solution is about its performance. The concern I have heard about some sandboxing solution was about the delay. We don’t want a business interruption due to a security technology we have placed. Due to this, I have heard about many organizations configure to use Sandboxing solutions in “Detect mode” which I think is very risky. We should always use it in “Prevent mode” and also ensure that we should not have any business interruption due to this.

There are many advanced sandboxing solutions available in the market now. Now it is evident that traditional sandboxing technologies are not good enough to prevent the malicious attacks. We should look forward to implement proactive, preventative technologies to block malware from entering the network that would give evasion resistant CPU-level detection, with no business interruption thereby to protect our business without compromising efficiency. This would be a good solution to be considered in your security budget for this year.

Authored by Aju Nair

Rate this article: 
Average: 2.4 (7 votes)
Article category: