How sandboxing can help in the fight against cybercrime

Author: David De Laine, ANZ Regional Managing Director, Check Point Software

Barely a day goes by without new reports of organisations falling victim to cyber-attacks. Data breaches, network outages and system disruptions have become an unfortunate reality of the modern digital world.

While some organisations are aware of these threats and take preventative action, most will not even know something has happened until it’s too late. Attackers can hide malware inside documents, websites, servers, and networks that users readily access without a second thought. Disruption can occur before anyone is aware a threat even exists.

Constant threats

A particular cause of concern is zero-day attacks. These sophisticated attacks involve cybercriminals making use of previously undetected vulnerabilities in software that do not have a current patch or fix. The attacks typically aim to compromise an operating system, a database management system or a specific application. Zero-day attacks do not have a known signature and therefore can pass through antivirus tools and intrusion prevention systems without detection. Some zero-day attacks are carefully executed over a long period of time to avoid discovery while gradually stealing highly valuable information.

Another type of attack that can be highly dangerous to organisations is advanced persistent threats (APTs). Typically targeting large organisations or nation states, APTs involve multiple attack techniques that can occur over days, weeks, months, or even years. They become difficult to detect because they comprise multiple small events which individually may seem harmless. Designed to infiltrate systems while evading detection, APTs allow attackers to target an organisation and gain access to particular assets over an extended period of time.

The sandbox solution

An increasingly popular approach to the challenge of preventing cyber attacks is sandboxing.

Just like a sandbox is a safe environment for children to play without destroying other parts of the backyard, a digital sandbox is a safe environment in which suspicious files can be examined to prevent them from wreaking havoc on critical IT systems and data. Sandboxing has emerged as a powerful cyber security tool.

Sandboxing involves capturing an executable file or document and opening it within a secure virtual machine or emulator. In this controlled environment, potential threats are run to see exactly how the executing software behaves. This is undertaken without the risk of the threat accessing production systems or the organisation's core network.

For detecting unknown threats, sandboxing is a very effective and necessary approach. As the modern threat landscape continues to evolve, sandboxing will become an integral part of every organisation’s overall security strategy.

It must be remembered, however, that not all sandboxes are equal. Some traditional sandboxing solutions can detect unknown malware but do not actually block it. At the same time, cybercriminals know sandbox solutions are being used to detect malware and so implement evasion techniques.

One common evasion approach is to build sleep timers into malware, allowing it to activate minutes, or even days, after infection and long after the file has been marked as safe. Other common techniques include malware that checks for mouse movement before running, or that delivers encrypted payloads in email attachments. Security solutions must continue to evolve in order to stay ahead of such attacks.
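The two evasion patterns described above, a long sleep timer and polling for user activity, are visible in the behaviour a sandbox records even when the payload never fires during the run. The following scorer is an added example, not Check Point's product code; it assumes a hypothetical trace format of `timestamp_ms|process|api|argument` and constructed sample traces, and flags runs that should not be marked safe merely because nothing malicious was observed.

```python
"""Flag sandbox-evasion behaviour in a constructed API-call trace.

Hypothetical example, not Check Point's product code. Assumes a sandbox logs
each API call a sample makes as 'timestamp_ms|process|api|argument'. It looks
for two evasion patterns: sleep timers that outlast the analysis window, and
repeated polling of the mouse position to check for a live user.
"""
from collections import Counter
from dataclasses import dataclass

ANALYSIS_WINDOW_MS = 120_000   # assumed sandbox run time: two minutes
MOUSE_POLL_THRESHOLD = 20      # assumed: more polls than an idle document makes
SLEEP_APIS = {"Sleep", "SleepEx"}                  # argument is milliseconds
INPUT_POLL_APIS = {"GetCursorPos", "GetLastInputInfo"}

@dataclass
class Verdict:
    evasive: bool
    reasons: list

def parse_trace(trace):
    """Yield (timestamp_ms, process, api, argument); skip malformed lines."""
    for line in trace.strip().splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def assess(trace):
    """Score a trace on total sleep time and per-process input polling."""
    reasons, total_sleep, polls = [], 0, Counter()
    for _ts, proc, api, arg in parse_trace(trace):
        if api in SLEEP_APIS and arg.isdigit():
            total_sleep += int(arg)
        elif api in INPUT_POLL_APIS:
            polls[proc] += 1
    if total_sleep >= ANALYSIS_WINDOW_MS:
        reasons.append(f"total sleep {total_sleep} ms exceeds {ANALYSIS_WINDOW_MS} ms window")
    for proc, n in polls.items():
        if n > MOUSE_POLL_THRESHOLD:
            reasons.append(f"{proc} polled user input {n} times")
    return Verdict(bool(reasons), reasons)

# Constructed traces: an evasive sample and a benign document viewer.
EVASIVE_TRACE = "1000|invoice.exe|Sleep|300000\n" + "\n".join(
    f"{1100 + 50 * i}|invoice.exe|GetCursorPos|" for i in range(25))
BENIGN_TRACE = ("1000|reader.exe|Sleep|500\n1600|reader.exe|GetCursorPos|\n"
                "1700|reader.exe|ReadFile|report.pdf")

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, assess(trace))
```

The thresholds are deliberately crude; a real sandbox would also compare the total sleep against the time the sample was actually observed and treat a sleep-then-act sequence as a stronger signal than either call alone.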

The advanced sandbox

While traditional sandboxes detect attacks in executable files and data files alike, advanced sandboxes add the capability to detect malware in data files before that malware is fully deployed. The sandbox watches activity at the processor instruction level during the exploit phase, while the malware is trying to obtain unlawful execution privileges from the operating system.

Advanced sandboxing solutions combine traditional capabilities with the power of exploit-focused sandboxing. This delivers a powerful solution with evasion-resistant protection that detects and also blocks unknown malware.

An advanced sandboxing solution incorporates CPU-level protection which focuses on the exploitation stage of the attack. This allows an organisation to detect and block advanced persistent threats and zero-day threats, as well as sophisticated malware that can evade detection by traditional sandbox technologies alone.

This advanced solution also shares information on newly identified malware with cloud intelligence networks, enabling connected organisations to rapidly protect themselves. With a plethora of new attack methods, understanding the difference between traditional and advanced sandboxing is important when building a secure network.

A continuing battle

As the techniques used by cybercriminals evolve and become smarter, so too must the technology that is keeping organisations secure.

Sandboxes address the serious problems of unknown malware, advanced persistent threats and zero-day attacks, many of which can bypass traditional antivirus technologies. Sandboxes detect and block these attacks before they have a chance to infiltrate your network.

Many organisations have protected their systems and data by implementing antivirus software, firewalls, and network segmentation. However, recent high-profile breaches show these solutions are no longer enough. Potential threats need to be analysed before they are allowed to enter an organisation's network, and sandboxing achieves this by promptly locking down malicious files while allowing safe ones through.

For an organisation to remain secure in a constantly changing threat landscape, sandboxing must become part of its overall security strategy. In the ongoing battle between hackers and security professionals, attackers are increasingly utilising more sophisticated tools, such as new zero-day attack methods and custom variants of existing malware, to circumvent traditional sandboxing technology and slip into their victims’ infrastructures undetected.

These new attack vectors require a proactive approach with advanced solutions and deep-inspection technologies, such as sandboxes with CPU-level capabilities, that not only catch known threats but also identify and stop those that are unknown.
