It’s Time to Think Outside the Sandbox

Attackers are Thinking Outside of the Sandbox and so Must We…

Over the years we’ve all heard claims of ‘silver bullet’ solutions to solve security problems. One of the most recent claims has been around the use of sandboxing technology alone to fight advanced malware and targeted threats.
The idea behind sandboxing is that you limit the impact malware can have by isolating an unknown or untrusted file, constraining it to run in a tightly controlled environment and watching it for suspect or malicious behavior. Sandbox technology can mitigate risk, but it doesn’t remove it entirely.

One of the challenges with deploying a sandbox-only solution to deal with malware is that attackers are making it their job to understand security technologies, how they work, where they are deployed and how to exploit their weaknesses. This includes sandbox detection.

The attack chain, a simplified version of the “cyber kill chain” (the chain of events that leads up to and through the phases of an attack), illustrates how relying on a sandbox-only antimalware solution can create a false sense of security.

Survey: Attackers start with surveillance malware to get a full picture of your environment. This encompasses the extended network, which includes endpoints, mobile devices, virtual desktops and data centers, as well as the security technologies deployed, such as sandboxing.

Write: Based on this intelligence, attackers then create targeted, context-aware malware.

Test: They validate that the malware works as intended by recreating your environment to ensure the malware successfully evades the security tools you have in place, for example by detecting that it is running in a sandbox and either behaving differently than it would on a user system or not executing at all.


Execute: Attackers then navigate through your extended network, environmentally aware, evading detection and moving laterally until reaching the target.

Accomplish the mission: Be it to gather data or destroy, the attacker is positioned to maximize success of the mission.

Given the attack chain, we can quickly see that motivated and sophisticated attackers can and do defeat even multiple layers of detection technologies. In fact, the Verizon 2012 Data Breach Investigations Report found that in over half of the incidents investigated it took months – sometimes even years – for a breach to be discovered. That’s more than ample time for the attacker to accomplish the mission, remove evidence and establish a beachhead for subsequent attacks.

Detection will always be important, but these technologies only scan files once, at an initial point in time, to determine if they are malicious. If the file isn’t caught, or if it evolves and becomes malicious after entering your environment, point-in-time detection technologies cease to be a factor in the unfolding follow-on activities of the attacker.

Thwarting attacks can’t be just about detection but also about mitigating the impact once an attacker gets in. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that also enable continuous analysis and retrospective security are now essential to defeat malware.

• Continuous analysis uses big data analytics to constantly gather and analyze files that have moved across the wire and into the network. Should a file pass through that was thought to be safe but later demonstrates malicious behavior, you can automatically be alerted to take action.

• Retrospective security uses this real-time security intelligence to determine the extent of the damage, contain it and remediate the malware. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and cleaned up rapidly.
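The two bullets above describe a mechanism rather than a product feature: keep a record of every file as it crosses the wire and lands on hosts, and when a file's verdict later changes from “clean” to “malicious”, use that record to scope which systems were touched. The following is an added illustration of that file-trajectory idea; it is not code from this column or from any vendor's product. The hash, hostnames, paths and timestamps are constructed sample data, and the `TrajectoryStore` class and its method names are my own.

```python
"""Minimal file-trajectory store illustrating continuous analysis and
retrospective scoping: record every sighting of a file, then when a
later verdict flips to "malicious", emit an alert listing every host and
path the file reached since it was first seen. Added example; all data
below is constructed."""
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed placeholder hash (not a real sample).
EXAMPLE_HASH = "c0ffee" + "00" * 29

# Constructed sightings: (host, path, ISO timestamp). The file entered via
# an email attachment, was opened, then copied to a file share and a second
# workstation over the following days.
SAMPLE_SIGHTINGS = [
    ("ws-alice", r"C:\Users\alice\Downloads\invoice.pdf.exe", "2013-03-04T09:12:00"),
    ("fileserver01", r"\\fileserver01\shared\invoice.pdf.exe", "2013-03-05T14:40:00"),
    ("ws-bob", r"C:\Users\bob\Desktop\invoice.pdf.exe", "2013-03-07T08:03:00"),
]


@dataclass(frozen=True)
class FileSighting:
    sha256: str
    host: str
    path: str
    seen_at: datetime


@dataclass
class TrajectoryStore:
    """Sightings keyed by hash plus the latest verdict per hash (hypothetical design)."""
    sightings: dict = field(default_factory=lambda: defaultdict(list))
    verdicts: dict = field(default_factory=dict)  # sha256 -> clean | malicious | unknown

    def record(self, sighting: FileSighting) -> None:
        """Continuous analysis: store the sighting regardless of the current verdict."""
        self.sightings[sighting.sha256].append(sighting)
        self.verdicts.setdefault(sighting.sha256, "unknown")

    def update_verdict(self, sha256: str, verdict: str):
        """Apply a new verdict. Returns a retrospective alert when a file that
        was previously allowed through (clean/unknown) is now judged malicious;
        returns None otherwise."""
        previous = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return None
        hits = sorted(self.sightings.get(sha256, []), key=lambda s: s.seen_at)
        return {
            "sha256": sha256,
            "previous_verdict": previous,
            "first_seen": hits[0].seen_at.isoformat() if hits else None,
            "affected_hosts": sorted({s.host for s in hits}),
            "paths": sorted({s.path for s in hits}),
        }


def demo():
    """Walk the constructed sample through ingress, a clean verdict and a later flip."""
    store = TrajectoryStore()
    for host, path, ts in SAMPLE_SIGHTINGS:
        store.record(FileSighting(EXAMPLE_HASH, host, path, datetime.fromisoformat(ts)))
    # Point-in-time scan at ingress judged the file clean, so nothing fires.
    assert store.update_verdict(EXAMPLE_HASH, "clean") is None
    # Days later the file exhibits malicious behavior: the verdict flips and the
    # stored trajectory tells the responder exactly which hosts to contain.
    return store.update_verdict(EXAMPLE_HASH, "malicious")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example is the scoping step: without the stored trajectory, a verdict change only tells you that a hash is bad; with it, the same event immediately yields the list of hosts and paths to contain and clean, which is the difference between detection and response.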

When it comes to defending our networks today, it’s clear that silver bullet solutions don’t exist. Not a day goes by that we don’t read about another successful breach. Attackers are thinking outside of the sandbox and so must we.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.