A network-based sandbox is one of the most popular and mature products in the cybersecurity market. It is effective for detecting, stopping, and investigating Advanced Persistent Threat (APT) incidents while facilitating the analysis of suspicious files over time.
As part of its evolution, this technology is gradually merging with Distributed Deception Platform (DDP) products geared toward deploying an infrastructure of dummy targets. It is also shaping up to be one of the key sources of data for Security Information and Event Management (SIEM) as well as Extended Detection and Response (XDR) solutions.
Sandboxes debuted in 2012 and dominated the ecosystem of anti-APT mechanisms until 2018, when the concept of XDR emerged. A network sandbox dynamically analyzes suspicious files placed in its isolated environment and aggregates information about these objects. The output is a detailed report that can be examined by a specialist or forwarded to tools like SIEM, XDR, or Security Orchestration, Automation, and Response (SOAR) for further processing.
How well does a modern sandbox counter real-world targeted attacks? Which deployment option works best: on-premises or in the cloud? What systems do sandboxes interact with, and over what protocols? What evasion methods do attackers use? Is a sandbox customizable? Without further ado, let’s find out.
Sandbox 101
Essentially, a sandbox is an isolated environment to which an object, such as a suspicious email attachment, is submitted for analysis. Its main purpose is to inspect the items placed in it, collect the network events they generate for further scrutiny, and process the amassed data. Every event is checked against predefined policies.
A sandbox gathers as much context and telemetry as possible from sensors spread throughout the network. These sensors can include any devices or applications, for instance, a mail gateway, smartphones, workstation agents, or a firewall that sends files for a check-up.
Static analysis does not always detect malicious code. Sandboxing allows you to deploy a sample and examine its behavior dynamically. It fends off all types of malicious code, from backdoors and Trojan downloaders to banking malware and even ransomware.
It is used across a broad landscape of computers, mobile devices, applications, operating systems, and more. In most scenarios, the sandbox is placed in the demilitarized zone (DMZ) segment between the perimeter firewall and the network core.
Many users wonder how a sandbox differs from a traditional antivirus. It dynamically analyzes harmful objects in a segregated network environment and allows them to manifest themselves as much as possible. An antivirus or an endpoint detection and response (EDR) solution aims to block malware and its actions, serving as the next echelon of protection. The fundamental thing is that malicious items must not reach the workstation.
Technical features of network sandboxes
Whereas sandbox settings are unique to each organization, the common denominator across all use cases is that this security instrument should block malicious objects and analyze suspicious files without long delays. At the same time, the risks of false positives and the disruption of business processes must be taken into account.
There are several pre-filtering options: work scenarios for each employee, file format, context, and reputational checks (if the object has been examined before). The pre-filtering policies are also configured for sensors so that some of the files that should not roam over the network can be cut off at the level of specific devices.
A sandbox should be able to handle a wide range of objects, including links, multimedia, and any items the customer is using. Meanwhile, dynamic analysis of files larger than 200 to 400 MB is pointless. Specialized solutions are available for inspecting them, although this is rarely necessary.
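As an added illustration (not code from the original article or from any vendor's product), the pre-filtering described above, together with the size cap, as a Python function: the format is recognised by magic bytes rather than by the attacker-chosen extension, a reputation cache keyed by SHA-256 answers objects already examined, and a per-sensor policy cuts files off at the device before they reach the sandbox queue. The sensor names, format table and 300 MB cap are assumptions chosen for the example.

```python
import hashlib

# Constructed policy values (assumptions for this example, not a vendor product).
MAX_DYNAMIC_BYTES = 300 * 1024 * 1024   # dynamic analysis beyond ~200-400 MB is pointless

# Recognise formats by magic bytes, never by the file extension the sender controls.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",                                    # Windows executable/DLL
    b"\x7fELF": "elf",
    b"PK\x03\x04": "ooxml-or-zip",                  # docx/xlsx/jar share the ZIP container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy doc/xls, may carry VBA macros
}

# Sensor-level policy: objects a given sensor must cut off on its own.
SENSOR_BLOCKLIST = {
    "mail_gateway": {"pe", "elf"},   # raw executables in mail are dropped at the gateway
    "firewall": set(),
    "workstation_agent": set(),
}

def fingerprint(sample: bytes) -> str:
    """SHA-256 hex digest used as the key of the reputation cache."""
    return hashlib.sha256(sample).hexdigest()

def detect_format(sample: bytes):
    """Return the format name for a known magic prefix, or None if unrecognised."""
    for magic, name in MAGIC.items():
        if sample.startswith(magic):
            return name
    return None

def prefilter(sample: bytes, sensor: str, reputation: dict, max_bytes: int = MAX_DYNAMIC_BYTES):
    """Decide what happens to a sample before it occupies a sandbox VM.

    reputation maps fingerprints of previously analysed objects to their verdict.
    Returns (action, detail) with action in {"known", "skip", "block", "submit"}.
    """
    digest = fingerprint(sample)
    if digest in reputation:                        # reputational check: examined before
        return "known", reputation[digest]
    fmt = detect_format(sample)
    if fmt is None:                                 # unknown format: not worth a VM slot
        return "skip", "unsupported format"
    if fmt in SENSOR_BLOCKLIST.get(sensor, set()):  # cut off at the sensor itself
        return "block", f"{fmt} not allowed from {sensor}"
    if len(sample) > max_bytes:                     # size cap for dynamic analysis
        return "skip", f"{len(sample)} bytes exceeds dynamic-analysis limit"
    return "submit", fmt
```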
Detection scenarios
Sandboxes are incredibly effective for identifying malware, vulnerabilities in a corporate DNS server that pave an adversary’s way to the domain controller, and things like flaws in the Google Play library that allow mobile apps to elevate their privileges, thereby helping attackers hide their traces in communications.
Additionally, sandboxing makes it easy to detect backdoors in process memory dumps, where behavioral analysis usually fails. At the same time, sometimes sandboxes find nothing in file signatures, but behavioral analysis reveals the danger.
Sandbox evasion techniques in criminals’ repertoire
Vendors are constantly improving their emulation of natural processes in an isolated environment so that their sandboxes are indistinguishable from real hosts. Here are the main methods attackers use to detect and bypass these traps:
- Environment parameters – looking for signs of a hypervisor and evaluating the amount of RAM, hard drive size, uptime, etc.
- User activity in the system – analyzing document and browser history, clipboard, the number of open windows, and software installed.
- Behavioral analysis – scrolling through content, pressing buttons, moving the cursor with a mouse or keyboard.
- Processor features – timing measurements and certain computational operations that run smoothly in an emulated environment but may produce errors on a physical processor.
Justifying the purchase of a sandbox solution
This is a conversation about your risks. There are different types of customers: some agree to buy the product right after learning things like the financial consequences of the WannaCry ransomware outbreak. Others are a bit more skeptical and look for extensive analytics – they need to see as much information about an object as possible in a single report: source code, connections, metadata, memory handling, etc.
The best way to convince hesitant customers to purchase a sandbox is to offer them a pilot project so that they can check out the benefits in practice. This tactic often demonstrates that the tools used fail and that the sandbox is necessary to optimize the defenses. It is equally important to emphasize that the sandbox is only a piece of the large enterprise security toolset.
Qualifications required to work with a sandbox
If the product has a competently designed interface and a comprehensive support section, a highly qualified employee is not required. Basic tech skills and a general understanding of InfoSec workflows should suffice. A higher level of expertise, though, is needed to handle incidents and conduct investigations.
The reports are typically very easy to interpret, containing elements like the MITRE matrix, desktop recordings, and object reputation. Since all the information is aggregated and optimized, such a report saves a good deal of time. Some vendors offer sandbox training so security employees can get the hang of all built-in controls.
Does a sandbox really protect against APT attacks?
With its in-depth event analysis capabilities, a sandbox forms a solid layer of defense against sophisticated incursions. A malicious object can switch signatures and circumvent antiviruses, but its behavior remains just about the same, which is what the sandbox shows. That said, a key objective for every vendor is to enhance the “enticing” quality of their sandbox. The aim is to get malware to reveal as much of itself as possible within a controlled, safe environment.
Does removing macros from an Excel document break it?
Indeed, the Content Disarm and Reconstruction (CDR) technology can filter out macros that are not malicious, thus tampering with the format of an Excel document. To prevent this from happening, you need to configure trusted sources at the email gateway or change the CDR mode.
How often must basic detection mechanisms be fine-tuned to address new sandbox evasion techniques?
Detection rules are generally updated once or twice a month, and the frequency of software updates depends on the development cycle (as a rule, every three or four months). The machine learning module gets new information one or two times a day. Details about the reputation of websites and nodes are updated approximately every five minutes.
Does a sandbox require Internet access, and how does this affect the detection quality?
A sandbox should work in both cases because it is deployed in air-gapped and Internet-connected networks alike. In general, Internet access is highly recommended for deeper analysis because many malicious objects download their code from outside the infrastructure via a proxy server. Residential proxies and special secure tunnels, which hackers often establish, deserve particular attention.
What devices send objects to a sandbox, and what protocols are used for the exchange?
The classic list includes firewalls, mail gateways, workstations, and Web Application Firewalls (WAFs). Many standard protocols are supported: Syslog, ICAP, SMTP, NFS, etc. You can use an API to integrate the sandbox with almost any environment and all modern security tools.
Does a sandbox return a hash or a signature?
It depends on how exactly the signature is generated. In practice, a signature alone is insufficient, and you need a memory dump or other data. A hash sum is more effective because SIEM, firewalls, and other network security tools can handle it.
A signature is just as important because every vendor’s signature database is constantly updated so that it takes less time to detect a threat and block its lateral movement. A hash works faster in preventive actions, and a signature is a more aggregated kind of information that takes longer to generate.
What information does a sandbox collect and send to the vendor?
It amasses as much information as possible about an object and its behavior to facilitate both static and dynamic analysis. A few examples are metadata and the connections being established. The customer usually specifies the range of data sent to the vendor because some information is sensitive.
Can sandboxing be fully automated?
Full automation is impossible at this point. An expert should be involved, at least as a verdict validator. If we are talking about protection against APT attacks and other complex incidents, a sandbox will not ensure proper results without human expertise.
Sandbox market predictions
In the future, sandboxes will become more intelligent and easier to use, and their protection power will be enhanced with machine learning modules. The tool’s verdict will no longer be delayed by a few minutes, as it is now. It will be generated instantly, for example, even before a user finishes downloading a file. Also, as previously stated, this tech is moving towards tighter integration with DDP platforms.
Five years ago, this tool was primarily used for APT prevention. Hackers have taken their attacks several steps further since then, and sandboxing is now becoming a security component that forms a comprehensive tier of protection. XDR and EDR solutions have come to the fore in terms of thwarting targeted attacks, analyzing the behavior of a network as a whole rather than a specific object.
With the sandbox being a standard attribute of infrastructure protection, these products will become more affordable down the road, and businesses will be increasingly opting for sandbox-as-a-service offerings from trusted vendors. Security industry players will rethink sandbox customization and integration with DDP solutions. Hardware requirements will likely undergo optimization, which is a prerequisite for reducing detection time. The approach to context analysis will also get an overhaul.
This technology will integrate more closely with cloud security solutions. Such a combination is both convenient and budget-friendly.
Conclusion
A sandbox is one of the most important building blocks of corporate infrastructure protection. Not only does it block the spread of a malicious object, but it also structures a significant amount of dynamic analysis data, passing it over to a specialist for further evaluation or to other security products via standard exchange protocols.
The sandbox is compatible with almost all operating systems and devices. In the future, the increasing use of machine learning modules will accelerate both the investigation and the issuance of a verdict. Sandboxing cannot be entirely automated, relying on the involvement of a specialist with InfoSec experience.
Cloud solutions provided on a sandbox-as-a-service basis are among the main evolution vectors for this technology. A tighter overlap with DDP platforms and strengthening machine learning modules are also important trends. The global sandboxing market is growing rapidly and is projected to double in the next two years. These tools are also expected to become more affordable over time.