Is it time to supplement your sandbox strategy?

Whatever effectiveness sandboxes once had in stopping hackers in their tracks has long dissipated, according to none other than Gartner.

It’s a venerable technology, but sandboxes just haven’t been able to keep up with the new techniques hackers use to install their malware on networks and systems.

Malware-purveyors often use undisclosed and zero-day exploits to release their malware, easily bypassing sandbox detection using sandbox evasion techniques.

The malware’s behaviour changes to disguise itself and pose as a legitimate application that can pass through a sandbox undetected – a technique that has made the sandbox if not passé, then increasingly ineffective, according to Gartner.

>See also: How does advanced malware act like AI?

And it’s not just sandboxes. By definition, of course, undisclosed and zero-day exploits imply an attack or technique that has not been seen before, because they’ve not been seen before, there is no signature to detect – rendering traditional anti-virus software and cyber defence systems useless for these kinds of attacks.

That dilemma, of course, is why malware analysis sandboxes became the standard in cyber security.

Every file that passes into a network is examined, and if something doesn’t seem right – if it tries to execute code that does not match its profile, or attempts to access routines and files that it ostensibly should not be touching – a sophisticated sandbox will halt the application (now presumed to be malware) in its tracks.

Malware writers, of course, are well aware of what they are up against – and have adjusted their behaviour in turn. Thus, in recent years there has been a plethora of new approaches and attempts that hackers have used to get through sandboxes undetected.

Following the principle that hackers have to be right only once to succeed, while security defenders have to be right every time, hackers have developed an arsenal of tools that essentially can enable any malware to successfully avoid detection.

How do hackers figure out they are dealing with a sandbox? There are numerous ways; for example, malware can be written to detect the hooks (essentially a shim layer that captures the detail of communications the malware is trying to initiate), shutting down or going into hibernation if such activity is detected.

Another method used by sandboxes is to emulate a working environment, but an emulated environment can be detected because they are different than working environments (for example, files that in a working environment would usually be modified are detected as being “fresh out of the box,” indicating that the hacker is working in a sandbox).

>See also: Combat fraud with analytics

There are also vendor-specific files in sandboxes that, if detected, will tip off the malware to disguise itself. If the file looks legitimate, the malware has a good chance of getting passed through to the system – where it can do its dirty deed.

And with as many as 227,000 new pieces of malware released daily – or 323,000,or even a million, depending on who you believe – the chances of that happening are probably pretty good.

There are, in fact, dozens, if not hundreds of little variations hackers can use to hide their malware’s intentions, essentially providing malware with unlimited paths through traditional cyber security systems.

These days, many of these slippery malware threats are delivering ransomware, now among the most popular tactics of hackers; instead of stealing data and having to find a customer for it on the Dark Web, or lining up a customer for data that they target, hackers have found that they can cash in much more quickly and easily by locking down a system and demanding a fee for freeing it up. Regardless of its “objective” value, data that is used by an organisation is by definition important to that organisation – which means that everyone, everywhere, is now a potential target.

Gartner’s suggestion to this dilemma is to change strategies; instead of relying on sandboxes, companies should be trying new ideas, like content disarm and reconstruction (CDR).

In a recent report, Gartner said that CDR systems installed on mail gateways to nab malware-laden messages before they are passed through to users can be an important supplement, or even replacement, for traditional sandboxes.

>See also: Browser based malware: evolution and prevention

According to the report, CDR systems can be much more effective than sandboxes at detecting the in-document macros and zero-day exploits that are a favourite of ransomware-mongers.

CDR involves disarming suspicious files by extracting from them all malicious content and reconstructing them as a clean, safe to use copy of the original file – keeping all functionality intact.

An e-mail message that contains a Word file attachment, in which is embedded a macro that opens up a port for later undetected delivery of a malware attack, for example, is extremely difficult for any security system to detect – and is just the kind of thing that can slip through a sandbox.

But using CDR, companies can compensate for the weakness of installed security systems or sandboxes that cannot deal with the new threats.

Although not yet widespread, CDR has all the makings of a top-flight security technology, especially in an era when almost every attack can be considered a Zero-Day attack.

The nefarious malware that comes in so many hidden forms today, and the new methods hackers are devising on a regular basis to hide it, practically guarantee that they will rack up victory after victory.

By dissecting their malware – and indeed, any file that gets sent to a system and ensuring that they comply with specifications – companies have a fighting chance against these new and exotic attacks.


Sourced by Itay Glick, CEO and co-founder of Votiro

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...