brian

The number of targeted cyber attacks continues to grow. According to one recent report, last year saw a 42% rise, further evidence that we are in a cyber arms race in which the threat actors have the ‘first mover’ advantage.

Cyber security is constantly evolving to react to advanced persistent threats and precision-targeted malware. However, while working to prevent attacks minimises the chances of your network being compromised, 100% threat prevention is simply not possible. When an attack does get through your network’s defences, it is therefore important to be able to detect it and resolve the issue.

Network-based sandboxing is a particularly popular approach: inbound suspicious files are allowed to run in a virtual machine environment and their behaviour is observed. The objective is to positively identify the malware and extract forensic data that helps prevent further infection and aids remediation. This seems logical: isolate the malware and examine it in a controlled environment before eradicating it. However, relying solely on sandboxing as your solution for advanced threat protection is unreliable and leaves your business open to attack.

The shortcomings of Sandboxing

Network-based sandboxing for dynamic malware analysis has many shortcomings as a security tool. Some stem from the environment it is deployed in, some from the malware’s evasion and communication techniques, and some from the limits of what a virtual execution engine can reveal that is actionable and usable by the security and incident response teams.

An advanced threat will try to evade the most basic traditional defences. The accepted wisdom has been that, if you want to understand what malicious software does, you put it in a sandbox. However, dynamic analysis only reveals the code paths that actually execute during the run, not everything the code is capable of, so even if you have captured a piece of malware you will not fully understand its capabilities.

Virtual machine sandboxing needs a malware binary to execute, and access to malware in motion is not always available. Binaries that arrive encrypted are seen by the network sensor only as opaque files and cannot be captured and executed. Mobility has exacerbated this issue: users leave the network perimeter to work on Wi-Fi at home or in a shop, where the likelihood of infection is greater. The device then returns to the business network already infected, and the sandbox cannot stop this method of infection because it never observes the malware in motion on these systems.

Windows and Beyond

Unfortunately, if you are running operating systems such as OS X or Android on your network, sandbox detonation for these systems will not work: it only works with Windows binaries on Windows machines. If a malware file written for Windows is downloaded by an Apple device, for instance, the sandbox will successfully detonate the file and alert, but the file could never have run on that device, so the alert is a false positive.

One further consideration is that cyber criminals typically have the first move in a malware attack: they have a pretty good idea of what security measures will be in place. Malware authors have developed techniques to detect virtualised testing environments by checking for properties such as live internet access or other characteristics of the machine. Malware programmed to wait for a number of mouse clicks, a system reboot or a long sleep before doing anything malicious will remain dormant for the duration of the sandbox run and avoid detection.
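As an added example that is not part of the original article, the following Python shows what such environment checks look like when written out. The thresholds, indicator names and the Linux paths it reads are assumptions chosen for illustration; real malware performs these checks natively and picks its own thresholds. The scoring is a pure function of collected facts so the heuristics can be exercised with constructed inputs regardless of the host running them.

```python
"""Sandbox/VM awareness checks of the kind the text describes.

Added illustrative example, not code from the original article. Thresholds,
indicator names and file paths are assumptions.
"""
import os
import time

# Constructed thresholds (assumptions): a real user's workstation usually has
# at least two cores and 2 GiB of RAM, has been up for more than ten minutes,
# and actually pauses when asked to sleep.
MIN_CPUS = 2
MIN_RAM_GIB = 2.0
MIN_UPTIME_S = 600
HYPERVISOR_MARKERS = ("virtualbox", "vmware", "kvm", "qemu", "xen", "hyper-v", "bochs")


def sleep_was_honoured(seconds: float, tolerance: float = 0.5) -> bool:
    """Return True if a sleep actually consumed wall-clock time.

    A sandbox hook that makes sleep return early without also advancing the
    clock is caught here; one that advances the clock consistently is not.
    """
    start = time.monotonic()
    time.sleep(seconds)
    return (time.monotonic() - start) >= seconds * tolerance


def score_environment(facts: dict) -> list:
    """Return the sandbox indicators present in `facts`.

    Keys (all optional): cpus, ram_gib, uptime_s, product_name, sleep_honoured.
    """
    indicators = []
    if facts.get("cpus") is not None and facts["cpus"] < MIN_CPUS:
        indicators.append("few_cpus")
    if facts.get("ram_gib") is not None and facts["ram_gib"] < MIN_RAM_GIB:
        indicators.append("low_ram")
    if facts.get("uptime_s") is not None and facts["uptime_s"] < MIN_UPTIME_S:
        indicators.append("fresh_boot")
    name = (facts.get("product_name") or "").lower()
    if any(marker in name for marker in HYPERVISOR_MARKERS):
        indicators.append("hypervisor_dmi")
    if facts.get("sleep_honoured") is False:
        indicators.append("sleep_skipped")
    return indicators


def collect_facts(sleep_probe_s: float = 0.2) -> dict:
    """Best-effort, Linux-leaning collection of the facts scored above."""
    facts = {"cpus": os.cpu_count()}
    try:
        facts["ram_gib"] = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") / 2**30
    except (ValueError, OSError, AttributeError):
        facts["ram_gib"] = None
    try:
        with open("/proc/uptime") as f:          # Linux only; absent elsewhere
            facts["uptime_s"] = float(f.read().split()[0])
    except OSError:
        facts["uptime_s"] = None
    try:
        with open("/sys/class/dmi/id/product_name") as f:   # Linux only
            facts["product_name"] = f.read().strip()
    except OSError:
        facts["product_name"] = None
    facts["sleep_honoured"] = sleep_was_honoured(sleep_probe_s)
    return facts


def looks_like_sandbox(facts: dict, threshold: int = 2) -> bool:
    """Dormancy decision: stay quiet if enough indicators fire at once."""
    return len(score_environment(facts)) >= threshold


if __name__ == "__main__":
    live = collect_facts()
    print(live, score_environment(live), looks_like_sandbox(live))
```

The defensive lesson is the mirror image of each check: analysis images should look like a used workstation (realistic core and memory counts, aged uptime, non-hypervisor DMI strings), and any sleep acceleration the sandbox performs must keep every clock the sample can read consistent with the time it believes has passed.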

The presence of malware does not necessarily mean infection. A network sandbox cannot confirm whether the device’s anti-virus caught the file and quarantined it, or whether the end user was vigilant enough not to click on or download the offending file. The sandbox would alert in all of these cases, but they would all be false positives. In a large, diverse network this yields many false positives and creates unnecessary work for the response team.

Today’s advanced threats are prepared for the sandbox and use multi-stage malware in the infection lifecycle. The dropper that installs the malware is only partly analysed by sandboxes. If a dropper releases two files, one easily detectable and the other encrypted, the sandbox detects the unhidden one and leaves the encrypted file to compromise the endpoint.
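As an added example that is not part of the original article, the following Python sketches the two-file case: a signature-only check catches the cleartext stage and misses the encrypted one, while an entropy check over everything the dropper writes flags the encrypted blob for follow-up. The payload contents, the ‘known bad’ marker string, the SHA-256 counter-mode keystream standing in for the dropper’s cipher, and the 7.2 bits-per-byte threshold are all constructed for illustration.

```python
"""Two-stage dropper versus signature-only detection, with an entropy check.

Added example, not the article's code. Payload bytes, marker and threshold
are constructed for illustration.
"""
import hashlib
import math

# Constructed stand-in for a signature the sandbox or AV already knows.
KNOWN_BAD_MARKER = b"CONSTRUCTED-STAGE1-MARKER"
# Bits per byte; plain text and ordinary code sit well below this, ciphertext
# and packed code sit close to 8.0.
HIGH_ENTROPY_THRESHOLD = 7.2


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream (SHA-256 in counter mode).

    Stands in for whatever cipher a real dropper uses; its only job here is to
    make the second stage look like noise to a signature engine.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_dropper_payloads(seed: bytes = b"constructed-seed") -> dict:
    """Simulate what the dropper writes to disk: one cleartext stage, one encrypted."""
    stage1 = (b"MZ" + KNOWN_BAD_MARKER + b" noisy loader text ") * 40
    stage2_plain = (b"MZ" + b"real implant: beacon to c2, persist, exfil ") * 40
    return {
        "stage1.exe": stage1,
        "stage2.bin": xor_bytes(stage2_plain, keystream(seed, len(stage2_plain))),
    }


def signature_scan(files: dict) -> list:
    """What a signature-only verdict catches: files containing a known marker."""
    return sorted(name for name, data in files.items() if KNOWN_BAD_MARKER in data)


def entropy_scan(files: dict, threshold: float = HIGH_ENTROPY_THRESHOLD) -> list:
    """The extra check: dropped files that look like ciphertext or packed code."""
    return sorted(name for name, data in files.items() if shannon_entropy(data) > threshold)


if __name__ == "__main__":
    dropped = build_dropper_payloads()
    for name, data in dropped.items():
        print("%-11s %6d bytes  entropy %.2f" % (name, len(data), shannon_entropy(data)))
    print("signature hits:", signature_scan(dropped))
    print("entropy hits:  ", entropy_scan(dropped))
```

High entropy is a triage cue rather than a verdict: legitimately packed or compressed software trips the same check, so the point is that a file the dropper wrote which no signature recognises and which looks like ciphertext should be escalated, not silently passed as ‘unknown’.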

Protection from Advanced threats

Sandbox-based analysis tools are available to any adversary planning an attack, since they are commercial products that anyone willing to pay can buy. While ‘simple’ malware may be caught by sandboxing, the authors of APTs (advanced persistent threats) test their attacks against these products before releasing them. It can therefore be difficult to detect, classify and attribute APTs by sandbox methods. Against a rapidly changing threat landscape, sandboxing alone can leave networks with a false sense of security; they need a more comprehensive approach to threat protection.

Today’s advanced threats are dynamic. Security teams should focus on technologies that can dynamically analyse new files to discover zero-day advanced threats but do not rely on having seen the malware in order to discover hidden active infections. With solutions that have a full deep-packet inspection engine and a framework that allows new detection techniques to be added as threats evolve, IT organisations can shorten the time between compromise (infection) and detection. In this way, teams can answer the questions ‘what, where and who’ in real time, and assess those answers to corroborate evidence and discover advanced threat infections.
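The earlier points about Windows binaries landing on non-Windows devices, about files that were quarantined or never opened, and the closing call to corroborate evidence all come down to one triage step: join each sandbox alert to what the endpoint and the network actually saw before anyone works it. As an added example, not the article’s or any product’s code, the following Python performs that join over constructed telemetry. The record shapes, hostnames, hashes, field names and the 198.51.100.23 address are assumptions.

```python
"""Corroborating a network sandbox alert with endpoint and network evidence.

Added example, not the article's or any vendor's code. Record formats, field
names and all sample events are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SandboxAlert:
    sha256: str
    dest_host: str          # host that downloaded the file
    target_platform: str    # platform of the detonation image, e.g. "windows"


@dataclass
class HostRecord:
    hostname: str
    os_family: str                                            # "windows", "macos", "android", ...
    av_quarantined: List[str] = field(default_factory=list)   # hashes the endpoint AV quarantined
    executed: List[str] = field(default_factory=list)         # hashes seen in process-start telemetry
    c2_indicators: List[str] = field(default_factory=list)    # network IOCs observed leaving the host


def corroborate(alert: SandboxAlert, host: Optional[HostRecord]) -> str:
    """Turn a raw sandbox alert into a triage verdict using host evidence.

    Order matters: a platform mismatch or an AV quarantine is decisive and
    cheap to check; only then is execution and beaconing considered.
    """
    if host is None:
        return "unconfirmed: no endpoint telemetry for " + alert.dest_host
    if host.os_family != alert.target_platform:
        return "false positive: %s binary cannot run on %s host" % (alert.target_platform, host.os_family)
    if alert.sha256 in host.av_quarantined:
        return "blocked: quarantined by endpoint anti-virus"
    if alert.sha256 in host.executed and host.c2_indicators:
        return "confirmed infection: executed and beaconing to " + ", ".join(host.c2_indicators)
    if alert.sha256 in host.executed:
        return "likely infection: executed, no C2 seen yet"
    return "unconfirmed: file delivered but never executed"


# Constructed sample telemetry (hostnames, hashes and the address are made up).
INVENTORY = {
    "mac-01": HostRecord("mac-01", "macos"),
    "win-07": HostRecord("win-07", "windows", av_quarantined=["aa" * 32]),
    "win-12": HostRecord("win-12", "windows", executed=["bb" * 32], c2_indicators=["198.51.100.23:443"]),
    "win-19": HostRecord("win-19", "windows"),
}

ALERTS = [
    SandboxAlert("aa" * 32, "mac-01", "windows"),    # Windows sample fetched by a Mac
    SandboxAlert("aa" * 32, "win-07", "windows"),    # same sample, quarantined on arrival
    SandboxAlert("bb" * 32, "win-12", "windows"),    # ran and is calling home
    SandboxAlert("cc" * 32, "win-19", "windows"),    # downloaded, never opened
    SandboxAlert("cc" * 32, "byod-44", "windows"),   # unmanaged device, no telemetry
]


def triage(alerts, inventory) -> dict:
    """Map each (hash prefix, host) alert to its verdict: what the analyst queue should show."""
    return {(a.sha256[:8], a.dest_host): corroborate(a, inventory.get(a.dest_host)) for a in alerts}


if __name__ == "__main__":
    for key, verdict in triage(ALERTS, INVENTORY).items():
        print(key, "->", verdict)
```

Only one of the five constructed alerts survives as a confirmed infection; the other four are the false positives and blind spots the preceding sections describe, and the unmanaged device shows where the sandbox verdict cannot be corroborated at all and network-side evidence has to carry the investigation.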