How sandboxing can help in the fight against cybercrime

Author: David De Laine, ANZ Regional Managing Director, Check Point Software

Barely a day goes by without new reports of organisations falling victim to cyber-attacks. Data breaches, network outages and system disruptions have become an unfortunate reality of the modern digital world.

While some organisations are aware of these threats and take preventative action, most will not even know something has happened until it’s too late. Attackers can hide malware inside documents, websites, servers, and networks that users readily access without a second thought. Disruption can occur before anyone is aware a threat even exists.

Constant threats

A particular cause of concern is zero-day attacks. These sophisticated attacks involve cybercriminals making use of previously undetected vulnerabilities in software that do not have a current patch or fix. The attacks typically aim to compromise an operating system, a database management system or a specific application. Zero-day attacks do not have a known signature and therefore can pass through antivirus tools and intrusion prevention systems without detection. Some zero-day attacks are carefully executed over a long period of time to avoid discovery while gradually stealing highly valuable information.

Another type of attack that can be highly dangerous to organisations is advanced persistent threats (APTs). Typically targeting large organisations or nation states, APTs involve multiple attack techniques that can occur over days, weeks, months, or even years. They become difficult to detect because they comprise multiple small events which individually may seem harmless. Designed to infiltrate systems while evading detection, APTs allow attackers to target an organisation and gain access to particular assets over an extended period of time.

The sandbox solution

An increasingly popular approach to the challenge of preventing cyber attacks is sandboxing.

Just like a sandbox is a safe environment for children to play without destroying other parts of the backyard, a digital sandbox is a safe environment in which suspicious files can be examined to prevent them from wreaking havoc on critical IT systems and data. Sandboxing has emerged as a powerful cyber security tool.

Sandboxing involves the capture of an executable file or document which is then opened within a secure virtual machine or emulator. In this controlled environment, potential threats are run to see exactly how the executing software behaves. This is undertaken without the risk of the threat accessing production systems or the organisation's core network.

For detecting unknown threats, sandboxing is a very effective and necessary approach. As the modern threat landscape continues to evolve, sandboxing will become an integral part of every organisation’s overall security strategy.

It must be remembered, however, that not all sandboxes are equal. Some traditional sandboxing solutions can detect unknown malware but do not actually block it. At the same time, cybercriminals know sandbox solutions are being used to detect malware and so will implement evasion techniques.

One common approach is to build sleep timers into malware, allowing it to open minutes – or even days – after infection and long after the file has been marked as safe. Other common techniques include malware that notices mouse movements, or that encrypts threats in email attachments. Security solutions must continue to evolve in order to stay ahead of such attacks.

The advanced sandbox

While traditional sandboxes detect attacks in both executable files and data files alike, advanced sandboxes add the capability to detect malware in data files before that malware is fully deployed. The sandbox watches activity at the processor instruction level during the exploit phase while the malware is trying to obtain unlawful execution privileges from the operating system.

Advanced sandboxing solutions combine traditional capabilities with the power of exploit-focused sandboxing. This delivers a powerful solution with evasion-resistant protection that detects and also blocks unknown malware.

An advanced sandboxing solution incorporates CPU-level protection which focuses on the exploitation stage of the attack. This allows an organisation to detect and block advanced persistent threats and zero-day threats, as well as sophisticated malware that can evade detection by traditional sandbox technologies alone.

This advanced solution also shares information on newly identified malware with cloud intelligence networks, enabling connected organisations to rapidly protect themselves. With a plethora of new attack methods, understanding the difference between traditional and advanced sandboxing is important when building a secure network.

A continuing battle

As the techniques used by cybercriminals evolve and become smarter, so too must the technology that is keeping organisations secure.

Sandboxes address the serious problems of unknown malware, advanced persistent threats and zero-day attacks - many of which can bypass traditional antivirus technologies. Sandboxes detect and block these attacks before they have a chance to infiltrate your network.

Many organisations have protected their systems and data by implementing antivirus software, firewalls, and network segmentation. However, recent high-profile breaches show these solutions are no longer enough. Potential threats need to be analysed before they are allowed to enter an organisation's network, and sandboxing achieves this by promptly locking down malicious files while allowing safe ones through.

For an organisation to remain secure in a constantly changing threat landscape, sandboxing must become part of its overall security strategy. In the ongoing battle between hackers and security professionals, attackers are increasingly utilizing more sophisticated tools such as new zero-day attack methods and custom variants of existing malware to circumvent traditional sandboxing technology and slip into their victims’ infrastructures undetected.

These new attack vectors require a proactive approach with advanced solutions and deep-inspection technologies such as sandboxes with CPU-level capabilities that not only catch known threats, but identify and stop those which were unknown.
