Attackers are Thinking Outside of the Sandbox and so Must We…
Over the years we’ve all heard claims of ‘silver bullet’ solutions to solve security problems. One of the most recent claims has been around the use of sandboxing technology alone to fight advanced malware and targeted threats.
The idea behind sandboxing is that you limit the impact malware can have by isolating an unknown or untrusted file, constraining it to run in a tightly controlled environment and watching it for suspect or malicious behavior. Sandbox technology can mitigate risk, but it doesn’t remove it entirely.
One of the challenges with deploying a sandbox-only solution to deal with malware is that attackers are making it their job to understand security technologies, how they work, where they are deployed and how to exploit their weaknesses. This includes sandbox detection.
The attack chain, a simplified version of the “cyber kill chain,” (the chain of events that leads up to and through the phases of an attack) illustrates how relying on a sandbox-only antimalware solution can create a false sense of security.
Survey: Attackers start with surveillance malware to get a full picture of your environment. This encompasses the extended network that also includes endpoints, mobile devices and virtual desktops and data centers, as well as the security technologies deployed, such as sandboxing.
Write: Based on this intelligence, attackers then create targeted, context-aware malware.
Test: They validate that the malware works as intended by recreating your environment to ensure the malware successfully evades the security tools you have place, for example detecting if it is in a sandbox and acting differently than on a user system or not executing at all.
Execute: Attackers then navigate through your extended network, environmentally aware, evading detection and moving laterally until reaching the target.
Accomplish the mission: Be it to gather data or destroy, the attacker is positioned to maximize success of the mission.
Given the attack chain, we can quickly see that motivated and sophisticated attackers can and do defeat even multiple layers of detection technologies. In fact, the Verizon 2012 Data Breach Investigations Report found that in over half of the incidents investigated it took months – sometimes even years – for a breach to be discovered. That’s more than ample time for the attacker to accomplish the mission, remove evidence and establish a beachhead for subsequent attacks.
Detection will always be important, but these technologies only scan files once at an initial point in time to determine if they are malicious. If the file isn’t caught or if it evolves and becomes malicious after entering your environment, point in time detection technologies cease to be a factor in the unfolding follow-on activities of the attacker.
Thwarting attacks can’t be just about detection but also about mitigating the impact once an attacker gets in. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that also enable continuous analysis and retrospective security are now essential to defeat malware.
• Continuous analysis uses big data analytics to constantly gather and analyze files that have moved across the wire and into the network. Should a file pass through that was thought to be safe but later demonstrates malicious behavior, you can automatically be alerted to take action.
• Retrospective security uses this real-time security intelligence to determine the extent of the damage, contain it and remediate the malware. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and cleaned up rapidly.
When it comes to defending our networks today, it’s clear that silver bullet solutions don’t exist. Not a day goes by that we don’t read about another successful breach. Attackers are thinking outside of the sandbox and so must we.