If your job covers data security, you’ll already be aware of the need to continually keep one step ahead against advanced persistent threats (APTs). It’s likely that you’re involved with proactive mitigation and advanced threat visibility, but today’s threats are often able to bypass traditional malware security solutions by masking their malicious activity.
To better detect APTs, security professionals are deploying advanced threat detection and protection technologies, often including virtual sandboxes which analyse the behaviour of suspicious files and uncover hidden, previously unknown malware. However, threats are getting smarter each day, and many vendors’ sandbox techniques simply have not kept pace.
An APT is a set of stealthy and continuous computer hacking processes, often orchestrated by criminals targeting a specific entity. These threats often include unknown and undocumented malware, including zero-day threats.
They are designed to be evolving, polymorphic and dynamic. They are targeted to extract or compromise sensitive data, including identity, access and control information. While these types of attacks are less common than automated or commoditised threats that are more broadly targeted, APTs pose a serious emerging threat. So what should you look for when selecting a security vendor to help you stay ahead without increasing costs or complexity?
First, it is imperative to understand the importance of analysis before infiltration. Some sandboxing solutions do not come to an analysis verdict until it is too late, when a potentially dangerous files has already entered the network perimeter. This increases the possible vectors an executed malware file has to infiltrate throughout the network behind the perimeter.
You will need to ensure that your sandbox allows you to capture suspicious code and analyse behaviour simultaneously with multiple engines, and block it until verdict. This provides you with comprehensive visibility into malicious activity, while resisting evasion tactics and maximising zero-day threat detection.
The second challenge concerns limited file analysis. Some gateway sandboxing solutions are limited in the type of files or by the operating environment they can analyse. This is a major concern as attackers continue to employ increasingly sophisticated files to penetrate a network.
Certain sandbox solutions may only address threats targeted at a single computing environment, and yet many organisation today operate across multiple operating systems, such as Windows, Android and Mac OSX. When seeking a new sandbox security solution you will need to ensure it aligns with the environments that staff use and that it is not limited in its ability to analyse files of any nature.
>See also: How does advanced malware act like AI?
Third, it is critical to note that standalone single-engine sandbox solutions are no longer adequate. Whereas in the past, they would be able to detect and eliminate the risk of an attack, malware today is designed to detect the presence of a virtual sandbox and evade discovery, therefore rendering first generation sandbox technologies obsolete. Single engine sandboxing solutions are a prime target for attackers and represent an easy target for those using evasion techniques.
Additionally, these single engine solutions create significant analytical gaps. For example, analysis looking at calls between applications and operating systems may be less granular than an analysis examining calls between hardware and operating systems for the simple reason that many of those calls are hidden from the application layers. Many IT managers seek to avoid this pitfall by deploying multiple sandboxing technologies.
However, this significantly increases configuration complexity, administrative overhead and costs. A more effective technique is to integrate layers of multiple sandbox engines, rather than deploying multiple sandboxing technologies.
The fourth aspect you should look out for is encryption technologies. For many years, financial institutions and other companies that deal with sensitive information have opted for the secure HTTPS protocol that encrypts information being shared. Now other sites like Google, Facebook and Twitter and many others are adopting this practice as well in response to a growing demand for user privacy and security.
Although there are many benefits to using more internet encryption, a less positive trend emerges as hackers exploit this encryption as a way of “hiding” malware into that encrypted traffic that many corporate firewalls don’t inspect.
Using secure sockets Layer (SSL) and transport layer security (TLS) encryption (SSL/TLS), or secure shell (SSH) traffic, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems.
These attacks can be extremely effective, simply because most companies do not have the right infrastructure to detect them. Legacy network security solutions typically either don’t have the ability to inspect SSL/TLS-encrypted traffic, or their performance is so low that they become unusable when conducting the inspection.
Finally, today’s advanced threat detection technologies often only report on the presence and behaviour of malware. Even if the sandbox technique effectively identifies a newly evolved threat at a specific endpoint, organisations then have no clear way to remediate the threat.
They do not have a simple, efficient way to have firewall signatures updated across a global distributed network. Once malware is discovered, which is likely after a system is infected, remediation falls to the IT organisation, leaving you with the time-consuming task of tracking down and eradicating malware and associated damage from infected systems. You will also need to quickly create and deploy new malware signatures across the organisation to prevent additional attacks.
While legacy sandboxes have several potential flaws, the underlying principle remains sound. In order to protect your organisation against APTs you’ll need to ensure these five shortcomings are addressed so that your sandboxing is effective.
This may involve taking a number of simple steps such as applying a cloud-based analysis to suspicious files in order to detect and block unknown threats outside your gateway until a verdict is determined.
Your sandbox technology should be able to analyse a broad range of files types across different operating environments, regardless of the file size or type. Moreover, by integrating multiple sandbox engines will allow you to better resist today’s APTs, while simultaneously reducing cost and complexity.
Sourced by Florian Malecki, international product marketing director at SonicWall
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here