In our previous post on network honeypots, we discussed an important defensive strategy that uses a simulated server to trap unsuspecting attackers. Sandbox security is a complement to this strategy.
The idea, as with honeypot network security, is relatively simple to explain but difficult to execute. It involves a special virtual machine that is kept in isolation from the rest of your network resources. Its sole purpose is to be a miniature laboratory to observe malware behavior. Security researchers have been using such sandboxes to analyze malware for many years. Because the sandbox is a controlled environment, the malware's code can be dissected line by line without worrying about potential harm to other computers.
The sandbox concept began to be incorporated into various anti-malware scanning tools about a decade ago: as part of their scanning process, a new piece of malware would automatically be analyzed by the tool (either in the cloud or on a specialized server) and a verdict offered before it could be executed by the endpoint. (Here is a 2013 article in CSOonline as an example.) One service is URLscan.io, which is a free website scanning service. It navigates through the site mimicking an ordinary user and reports on any malicious activity it finds.
The natural evolution of this strategy is seen with vendors such as VMRay and JoeSecurity.org who specialize in building various sandboxes that can perform automated and deep analysis of malware. JoeSecurity’s tools can be integrated into endpoint protection products such as Carbon Black and SentinelOne along with a variety of threat intelligence products and security orchestration tools. If you are in the market for these tools, you should examine the sandbox claims carefully.
Over the years, developers have also used sandboxes for purposes other than security. For example, a programmer will use one to test the operations of a new routine or application, without having to be concerned that the code will destroy data or cause a computer to crash. Once this code has been properly vetted and the various problems resolved, it can be released into the normal production stream.
Sandboxes are also used in a growing number of commercial applications, most notably the protected web browser. Thanks to attacks such as man-in-the-middle, script injection, and phishing, malware can enter a computer simply from browsing infected web pages. Accordingly, a number of vendors (such as Authentic8, Citrix’s Secure Browser and Sandboxie) now offer specialized browsers, used instead of Chrome or Safari, that run all web code in a sandbox. If you open an infected link, you don’t have to worry that your computer will become compromised.
Like much in the security industry, the sandbox has become part of the cat-and-mouse game of attackers trying to get around this analysis. As malware authors have become better at hiding their routines, they have also developed ways to look for those specific “tells” that they are running inside a sandbox.
Sandbox detection is just a more sophisticated version of the ways malware already avoids detection, such as naming its variables with obscure labels, staging different pieces of the malware, or running, in a computer’s memory, existing pieces of code already found in the operating system. Let’s review some of the sneakier methods of sandbox detection and how a typical piece of malware will try to find these tells. If they are discovered, the malware generally stops running.
Delay execution. This is a favorite of many malware routines. Because sandboxes examine what happens in real time, many of the early sandboxes wouldn’t wait around to see what happened after a few minutes of loading the malware sample. So the malware authors built automatic delays into their routines, in the hope that by then the sandbox would have given them a stamp of approval.
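One way a sandbox operator can keep a stalled sample from earning that stamp of approval is shown below as an added example, not code from any product named in this post. The trace format, the sample events and the function names are constructed for illustration; the triage refuses to report a clean result when the sample was still waiting at the moment observation ended.

```python
import re

# Constructed trace (hypothetical format, not a vendor schema):
#   <ms since sample start> <API name>(<requested wait, normalized to ms>)
SAMPLE_TRACE = """\
120 CreateFileW(0)
340 Sleep(90000)
90345 GetTickCount(0)
90350 Sleep(600000)
"""

DELAY_CALLS = {"Sleep", "SleepEx", "NtDelayExecution"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((\d+)\)$")


def wait_profile(trace, window_ms):
    """Return (ms spent idle inside the window, ms the longest wait overran it)."""
    idle = overrun = 0
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) not in DELAY_CALLS:
            continue
        start, wait = int(m.group(1)), int(m.group(3))
        end = start + wait
        # Only the part of the wait that fell inside the window was observed.
        idle += max(0, min(end, window_ms) - start)
        overrun = max(overrun, end - window_ms)
    return idle, overrun


def triage(trace, window_ms):
    """Return (verdict, analysis window in ms needed to outlast every wait)."""
    _, overrun = wait_profile(trace, window_ms)
    if overrun > 0:
        # Observation stopped while the sample was asleep: not a clean result.
        return "inconclusive", window_ms + overrun
    return "no malicious behavior observed", window_ms


if __name__ == "__main__":
    print(wait_profile(SAMPLE_TRACE, 120_000))
    print(triage(SAMPLE_TRACE, 120_000))
```

An "inconclusive" verdict is the signal to rerun the sample with the longer window the second value suggests, rather than releasing the file to the endpoint.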
It’s important to be aware of these evasive techniques and to design new sandbox security strategies or adjust existing ones accordingly.
Image Credits: McAfee and Shutterstock