It’s Time To Think Outside The Sandbox

Sandbox Technology

We’ve all heard claims of ‘silver bullet’ solutions to solve security problems. One of the most recent claims has been around the use of sandboxing technology alone to fight advanced malware and targeted threats.

The idea behind sandboxing is that you limit the impact malware can have by isolating an unknown or untrusted file, constraining it to run in a tightly controlled environment and watching it for suspect or malicious behaviour. Sandbox technology can mitigate risk, but it doesn’t remove it entirely.

One of the challenges with deploying a sandbox-only solution to deal with malware is that attackers make it their job to understand security technologies: how they work, where they are deployed and how to exploit their weaknesses. Sandbox detection is part of that. The attack chain, a simplified version of the ‘cyber kill chain’ (the sequence of events that leads up to and through the phases of an attack), illustrates how relying on a sandbox-only antimalware solution can create a false sense of security.

Survey

Attackers start with surveillance malware to build a full picture of your environment. That means the extended network: endpoints, mobile devices, virtual desktops and data centres, together with the security technologies deployed, such as sandboxing.

Write

Based on this intelligence, attackers then create targeted, context-aware malware.

Test

They validate that the malware works as intended by recreating your environment and confirming that it evades the security tools you have in place: for example, detecting that it is running in a sandbox and then behaving differently from how it would on a user’s system, or not executing at all.

Execute

Attackers then navigate through your extended network, environmentally aware, evading detection and moving laterally until they reach the target.

Accomplish the mission

Whether the goal is to steal data or to destroy it, the attacker is now positioned to maximise the success of the mission.
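The Test step above hinges on one capability: the sample checks whether it is running in a sandbox and, if so, does something innocuous so that the sandbox reports it clean. The following is an added example (not code from the original article or from Sourcefire) of the kind of environment-awareness checks commonly used for that purpose. The thresholds, the hypervisor MAC prefixes, the stand-in "payload" strings and the two sample environments are assumptions chosen for illustration, not a definitive sandbox fingerprint.

```python
"""Sandbox-awareness checks of the kind the Test step describes.

Added example; not code from the original article or from Sourcefire.
The thresholds, the vendor MAC prefixes and the sample environments are
assumptions chosen for illustration, not a definitive sandbox fingerprint.
"""
import os
import time

# OUI prefixes registered to common hypervisor vendors (VMware, VirtualBox).
# Assumed list for illustration: real sandboxes vary and many randomise the MAC.
VIRTUAL_OUIS = ("00:05:69", "00:0c:29", "00:50:56", "08:00:27")


def sleep_is_accelerated(seconds=0.2, tolerance=0.5):
    """Some sandboxes patch sleep calls to fast-forward time so a sample
    cannot stall them out; a wait that returns far too early is a tell."""
    start = time.monotonic()
    time.sleep(seconds)
    return (time.monotonic() - start) < seconds * tolerance


def probe_local_environment():
    """Collect the handful of signals the stdlib can give us on the running
    host. Fields a probe cannot fill are left out and score() ignores them."""
    env = {"cpu_count": os.cpu_count() or 1}
    try:
        with open("/proc/uptime") as f:          # Linux only; absent elsewhere
            env["uptime_seconds"] = float(f.read().split()[0])
    except OSError:
        pass
    try:
        env["user_documents"] = len(os.listdir(os.path.expanduser("~")))
    except OSError:
        pass
    env["sleep_accelerated"] = sleep_is_accelerated()
    return env


def score(env):
    """Return (points, reasons). Each heuristic that fires adds one point;
    the caller decides how paranoid to be. All thresholds are assumptions."""
    checks = [
        ("few_cpus", env.get("cpu_count", 99) < 2),
        ("low_ram", env.get("ram_gb", 99) < 2),
        ("fresh_boot", env.get("uptime_seconds", 10**9) < 600),
        ("empty_profile", env.get("user_documents", 99) < 5),
        ("virtual_nic", env.get("mac", "").lower().startswith(VIRTUAL_OUIS)),
        ("sleep_patched", bool(env.get("sleep_accelerated", False))),
    ]
    reasons = [name for name, hit in checks if hit]
    return len(reasons), reasons


def choose_behaviour(env, threshold=2):
    """The branch that makes a sandbox-only verdict unreliable: on a
    suspected sandbox the sample only does something harmless (a string
    label stands in for the real actions here), so the sandbox reports
    'clean'; on a host that looks like a real workstation it proceeds."""
    points, reasons = score(env)
    if points >= threshold:
        return "benign_decoy", reasons
    return "run_payload", reasons


# Constructed sample environments (not real measurements).
SANDBOX_LIKE = {"cpu_count": 1, "ram_gb": 1, "uptime_seconds": 120,
                "user_documents": 0, "mac": "00:0C:29:11:22:33",
                "sleep_accelerated": True}
WORKSTATION_LIKE = {"cpu_count": 8, "ram_gb": 16, "uptime_seconds": 86400 * 3,
                    "user_documents": 240, "mac": "3C:52:82:AA:BB:CC",
                    "sleep_accelerated": False}

if __name__ == "__main__":
    for name, env in (("sandbox", SANDBOX_LIKE), ("workstation", WORKSTATION_LIKE)):
        print(name, choose_behaviour(env))
```

The same list is useful on the defensive side: a sandbox operator can run the probe against their own analysis images and fix whatever looks artificial (give the VM several cores and a populated user profile, let uptime accumulate, avoid a hypervisor OUI, do not patch sleep). That raises the bar, but it cannot close the gap entirely, because a sample that simply waits for a trigger the sandbox never supplies (a particular domain-joined hostname, a date, a user action) still looks clean during the few minutes of detonation.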

Given the attack chain, we can quickly see that motivated and sophisticated attackers can and do defeat even multiple layers of detection technologies. In fact, the Verizon 2012 Data Breach Investigations Report found that in over half of the incidents investigated it took months – sometimes even years – for a breach to be discovered. That’s more than ample time for the attacker to accomplish the mission, remove evidence and establish a beachhead for subsequent attacks.

Detection will always be important, but point-in-time detection technologies scan a file once, at the moment it enters, to decide whether it is malicious. If the file isn’t caught then, or if it only turns malicious after entering your environment (a downloader that fetches its payload later, for instance), point-in-time detection ceases to be a factor in the attacker’s follow-on activity.

Thwarting attacks can’t be just about detection; it must also be about limiting the impact once an attacker gets in. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that also enable continuous analysis and retrospective security are now essential to defeat malware.

  • Continuous analysis uses big data analytics to constantly gather and analyse files that have moved across the wire and into the network. Should a file pass through that was thought to be safe but later demonstrates malicious behaviour, you can automatically be alerted to take action.
  • Retrospective security uses this real-time security intelligence to determine the extent of the damage, contain it and remediate the malware. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and cleaned up rapidly.
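The two bullets above describe a data model more than a product feature: keep every file sighting, not only the ones flagged at ingest, and when a verdict changes later, replay it against that history to find every host that already has the file. The following is an added example (not code from the original article or from Sourcefire’s product) of a minimal file-trajectory store that does exactly that. The event format, the verdict values and the sample timeline are constructed for illustration.

```python
"""A toy file-trajectory store: the core of continuous analysis and
retrospective security.

Added example; not code from the original article or Sourcefire's product.
The event format, the verdict values and the sample timeline are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int        # epoch seconds when the file was seen
    host: str      # endpoint or sensor that saw it
    sha256: str    # file identity; the store keys everything on this
    path: str      # where it landed


class TrajectoryStore:
    """Keeps every file sighting regardless of the verdict at the time, so a
    verdict that arrives later can be applied to history."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [FileEvent]
        self.verdicts = {}                   # sha256 -> (verdict, ts)
        self.point_in_time_alerts = []       # what a scan-once product would raise

    def record(self, event, verdict_at_ingest):
        """Continuous analysis: store the sighting whether or not it was flagged."""
        self.sightings[event.sha256].append(event)
        self.verdicts.setdefault(event.sha256, (verdict_at_ingest, event.ts))
        if verdict_at_ingest == "malicious":
            self.point_in_time_alerts.append(event)

    def update_verdict(self, sha256, verdict, ts):
        """Retrospective security: when the verdict flips to malicious, return
        one event per host that already has the file (its first sighting there,
        in time order) so the compromise can be scoped and contained.
        Returns [] when nothing changed or the verdict is not malicious."""
        old, _ = self.verdicts.get(sha256, ("unknown", 0))
        self.verdicts[sha256] = (verdict, ts)
        if verdict != "malicious" or old == "malicious":
            return []
        first_seen = {}
        for ev in sorted(self.sightings.get(sha256, []), key=lambda e: e.ts):
            first_seen.setdefault(ev.host, ev)
        return sorted(first_seen.values(), key=lambda e: e.ts)

    def patient_zero(self, sha256):
        """Earliest sighting of the file anywhere in the environment."""
        events = self.sightings.get(sha256)
        return min(events, key=lambda e: e.ts) if events else None


def build_sample_store():
    """Constructed timeline: one attachment is passed clean by the gateway,
    reaches two workstations, and is only recognised as malicious hours later."""
    evil = "a" * 64   # placeholder hash, not a real sample
    store = TrajectoryStore()
    store.record(FileEvent(100, "mail-gw", evil, "/quarantine/invoice.pdf"), "clean")
    store.record(FileEvent(400, "ws-alice", evil, "C:/Users/alice/Downloads/invoice.pdf"), "clean")
    store.record(FileEvent(900, "ws-bob", evil, "//fileshare/finance/invoice.pdf"), "clean")
    store.record(FileEvent(950, "ws-alice", evil, "C:/Temp/invoice.pdf"), "clean")
    return store, evil


def run_scenario():
    """Returns (alerts a point-in-time scanner raised, hosts to contain with
    first-seen times, patient zero) for the constructed timeline."""
    store, evil = build_sample_store()
    before = len(store.point_in_time_alerts)
    affected = store.update_verdict(evil, "malicious", 3600 * 5)
    return before, [(e.host, e.ts) for e in affected], store.patient_zero(evil).host


if __name__ == "__main__":
    print(run_scenario())
```

The contrast is the point: the point-in-time counter stays at zero for the whole timeline, because every sighting was judged clean when it happened, while the retrospective query hands the responder the three hosts to contain, the order in which the file spread, and the gateway as patient zero. In a real deployment the verdict change would come from a reputation feed, a later sandbox run or a human analyst, and the store would be keyed on the hash plus enough context (parent process, source URL) to tell a download apart from a lateral copy.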

When it comes to defending our networks today, it’s clear that silver bullet solutions don’t exist. Not a day goes by that we don’t read about another successful breach. Attackers are thinking outside of the sandbox and so must we.

Leon is a field product manager for Sourcefire. Prior to joining Sourcefire, Leon was involved in the design and development of open source (OSS) Intrusion Prevention Systems. Leon applies his strong background in UNIX security and protocol analysis to overcome the challenges of network security monitoring in the enterprise, specifically in the areas of network intrusion detection, threat mitigation, event analysis and vulnerability assessment. In the little spare time Leon finds, he is the lead contributor to the open source network traffic forensics project OpenFPC (Open Full Packet Capture).