How to trap malware in a sandbox

The phrase ‘know your enemy as well as you know yourself’ is often quoted in IT security. But with the sheer number and complexity of cyber attacks, getting to know the enemy is a huge task. Adversaries line up daily, using a bewildering array of malware threats to try to disrupt operations or stealthily siphon confidential data. And organisations remain vulnerable to zero-day attacks given the volume of new malware that can hide in plain sight in innocuous-looking files. So, although we may not know everything about every enemy, new security technology can reveal vital intelligence that can be used to identify and nullify new risks that arise every day.

Cyber crime has become big business, and as in any other business sector, criminals want to boost revenues and grow market share. To increase the likelihood of success, they target hundreds, even thousands of companies. In 2012, an average of 70,000 to 100,000 new malware samples were created and distributed daily – over ten times more per day than in 2011 and over 100 times more than in 2006. Check Point’s 2013 Security Report found that 63 per cent of organisations were infected with bots, and more than half were being infected with new malware at least once a day. Keeping pace with this massive growth is proving impossible for conventional anti-malware approaches.

Hiding in plain sight

Stealthy malware, the attack technique most commonly used, is difficult to detect and is designed to operate below the radar of IT teams. The code for a majority of these new malware types is concealed in common file formats that we all use for business – emails and their attachments, including Word documents, PDFs, Excel spreadsheets and so on. Hacker toolkits can obscure these executable scripts in order to disguise their malicious actions, which may mean changing the registry on a user’s computer or downloading an executable file which can then infect the network.

Even though layered defences using IPS and IDS can help to block some malware actions, these approaches do not stop infections from reaching the network and spreading across it. New exploits, or even variants of known exploits, have no existing signatures that conventional defences can detect. While antivirus, anti-spyware and similar security solutions are useful for ‘clean-up duty’ in the aftermath of an attack, they are often ineffective as a defence against new attacks.

However, just as a country’s border controls will use a range of techniques to observe people entering the country to identify those who pose a threat, new security techniques have made it possible to scrutinise the emails, files and data that enter a network via emails or as web downloads, in real time. Malicious files can then be isolated on the gateway at the network edge, or in the cloud according to the organisation’s choice, so that infection does not occur in the first place – providing an external layer of protection against attacks, without impacting the flow of business.

Scanning for malware

This isolation and evaluation process is done using a technique called threat emulation. Rather like a border control’s X-ray scanners, the technique makes it possible to look inside suspect files arriving at the gateway – either as email attachments or as downloads from the web – and to inspect their contents in a quarantined area known as a ‘sandbox.’ This self-contained, virtualized version of a computer environment acts as a safe area for running various applications that may be risky or destructive.

In the sandbox’s virtual environment, the file is opened and monitored for any unusual behavior in real time, such as attempts to make abnormal registry changes or network connections. If the file’s behavior is found to be suspicious or malicious, it is blocked and quarantined, preventing any possible infection before it can reach the network and cause damage. At this point, further actions can be taken to identify and classify the new threat in order to make subsequent identification easier.

Let’s take a closer look at how threat emulation identifies new types of malware and attacks that do not have signatures, and how it can help to stop these new, stealthy attacks.

Continue to find out how to build the “sandbox”

Image Source

Share this story