AusCERT 2013: Sandboxing lets companies confront APTs head-on: ThreatTrack

The security industry’s reliance on cloud-based analysis of detected threats may have helped it build a level of malware defence, but those concerned about being penetrated by below-the-radar advanced persistent threats (APT) may want to take matters into their own hands, ThreatTrack director for enterprise security Nicholas Keuning has suggested.

Presenting at the AusCERT 2013 security conference, Keuning demonstrated the use of a sandboxing technique in which he was able to analyse the behaviour of a contained APT, figuring out its likely avenue of attack and a strategy for remediating it.

“Within about five minutes I was able to understand this complex sample well enough to not only understand that it’s bad, but to have the information to block, alert and remediate it in my network,” he told CSO Australia.

The ThreatAnalyzer sandbox technology, which offers functionality normally found in the forensic toolbox of malware investigators, has been bundled into a format accessible to end users, who can use it to analyse suspected APTs and other threats themselves.

Combined with cloud-based antivirus scanning capabilities that isolate incoming email attachments and Web threats, Keuning said the Malware Determination Engine built into ThreatAnalyzer offered companies “basically a miniature antivirus company running in the corner, but specific to their organisation”.

“When we set up the box, what we’re really selling you is a threat analyser with higher level reporting functionality,” he explained.

“Almost any attribute can be good or bad, but it’s the combination that becomes really important when it comes to behaviour analysis. There’s no one behaviour where you can say ‘this is malicious’, but the more metadata we can generate, the more information we have to create those combinations of good and bad.”
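The scoring idea Keuning describes, where no single behaviour is conclusive but co-occurring behaviours are, can be sketched in a few lines. The block below is an added illustration, not ThreatAnalyzer's engine or any ThreatTrack code: the attribute names, weights, thresholds and the sample sandbox report are all constructed for this example. It also carries the verdict through to the block-and-remediate data an operator would want, as the article's earlier quote suggests.

```python
"""Behaviour scoring that rates combinations of sandbox observations.

Added illustration, not ThreatAnalyzer's engine: every attribute name, weight,
threshold and the sample report below is constructed for this example.
"""

# Single observations. Each also occurs in legitimate software (installers write
# Run keys, updaters POST telemetry), so alone they contribute little.
SINGLE_WEIGHTS = {
    "drops_exe_in_temp": 1.0,
    "writes_run_key": 1.0,       # persistence via a Run registry key
    "outbound_http_post": 0.5,
    "reads_process_list": 0.5,
    "packed_section": 1.0,
}

# Combinations carry the signal: dropping an executable, persisting it and then
# POSTing out together is common in droppers and rare in benign software.
COMBO_WEIGHTS = {
    frozenset({"drops_exe_in_temp", "writes_run_key"}): 3.0,
    frozenset({"writes_run_key", "outbound_http_post"}): 2.5,
    frozenset({"reads_process_list", "outbound_http_post"}): 2.0,
    frozenset({"drops_exe_in_temp", "writes_run_key", "outbound_http_post"}): 2.0,
}

MALICIOUS_AT = 6.0
SUSPICIOUS_AT = 3.0


def score(observed):
    """Return (total, fired_combos) for an iterable of observed behaviour names."""
    observed = set(observed)
    total = sum(SINGLE_WEIGHTS.get(name, 0.0) for name in observed)
    fired = [tuple(sorted(c)) for c in COMBO_WEIGHTS if c <= observed]
    total += sum(COMBO_WEIGHTS[frozenset(c)] for c in fired)
    return total, fired


def classify(observed):
    """Map the combined score onto a three-level verdict."""
    total, _ = score(observed)
    if total >= MALICIOUS_AT:
        return "malicious"
    if total >= SUSPICIOUS_AT:
        return "suspicious"
    return "benign"


def remediation_plan(report):
    """Turn a scored report into the block/alert/remediate data an operator needs."""
    label = classify(report["behaviours"])
    plan = {"verdict": label, "block": [], "remediate": []}
    if label == "benign":
        return plan
    plan["block"] = sorted(report.get("network", []))   # egress destinations to block
    plan["remediate"] = sorted(report.get("files", []) + report.get("registry", []))
    return plan


# Constructed sandbox report for a hypothetical dropper (all values invented).
SAMPLE_REPORT = {
    "behaviours": ["drops_exe_in_temp", "writes_run_key",
                   "outbound_http_post", "packed_section"],
    "files": [r"C:\Users\victim\AppData\Local\Temp\svch0st.exe"],
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"],
    "network": ["198.51.100.23:80"],   # TEST-NET-2 address, constructed
}

if __name__ == "__main__":
    total, fired = score(SAMPLE_REPORT["behaviours"])
    print(f"score={total} fired={fired}")
    print(remediation_plan(SAMPLE_REPORT))
```

Run on the sample report, the four single attributes add up to only 3.5, but the three combinations that fire add another 7.5, so the verdict is "malicious"; an installer that merely drops a file and writes a Run key scores 5.0 and lands in "suspicious", and a lone outbound POST stays "benign". Real engines use far richer attribute sets and learned weights, but the structure is the same: the verdict comes from the co-occurrence, not from any one observation.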

Inviting APTs into the company for analysis may make sense for those who feel confident in sandboxes’ ability to contain the threat, but many IT managers may be loath to risk infection by taking on the role of APT wrangler. Asked whether this approach could backfire if APTs were written to detect the presence of the sandbox and work around it, Keuning was confident the technique would prove resilient.

“Any time you create a sandbox, you’re creating some detection capabilities,” he said. “There is some detection capability of virtual machines and there is no way around it, but our box has some capabilities to stop that from taking place” such as hiding information about the processors and other hardware.

Just as APT authors are continually refining their code, ThreatTrack is continually building new capabilities into its engine that help it keep up with new methods of attack. However, for companies concerned about the unknown behaviour of APTs and malicious code, sandboxing offers unprecedented visibility into what they can expect – and how they can unravel increasingly sneaky malware trying to worm its way into the organisation.

“We have been detecting these for a very long time, and there is always going to be a little bit of a cat and mouse game,” Keuning said. “But we want to be able to find this stuff, alert on it, protect and remediate it for you if it’s there. This is something we’ve been doing every day with antivirus – but the big difference is that these targeted APTs aren’t sent to 100,000 or 500,000 people; they’re sent to just one or two. Someone is purposely coming after you.”

Stories by David Braue