Sandboxes are "Typed": It’s Time to Innovate to Defeat Advanced Malware

Alfred Hitchcock once said, “I am a typed director. If I made Cinderella, the audience would immediately be looking for a body in the coach.”

Sandbox technology used to fight advanced malware is also “typed” – as a security technology that malware authors expect to operate in a certain way. The problem is that cybercriminals increasingly use this knowledge to create new techniques to evade this line of defense.

Sandbox evasion isn’t a new phenomenon. It began with malware recognizing it was in a sandbox and “sleeping” to force a timeout. But as security analysis tools have become more effective at detecting the sleeping process, malware authors are creating new strategies, which we’re seeing used in the recently discovered Rombertik malware, the Angler exploit kit, some variants of Upatre malware, and malicious Microsoft Office documents. In the case of Rombertik, the malware writes a byte of random data to memory 960 million times. Sandboxes may not be able to determine that the application is intentionally stalling, since it’s not actually sleeping. In addition, excessive or “garbage” code forces security analysts to spend more time reviewing and analyzing the malware.

Given this continuous innovation by attackers, it’s likely that your malware analysis needs have exceeded the capabilities of traditional sandboxing technologies. There are three typical ways that organizations purchase and deploy sandbox technology.

1. As a stand-alone solution without dependency on other security products

2. Built into network-based security devices such as firewalls, IPS, or UTMs

3. Built into secure content gateways, such as web or email gateways

While each deployment option has its own set of pros and cons, traditional sandboxing technologies generally work in the same way: they extract suspicious samples, analyze them in a local virtual machine, and produce a report. They also face similar limitations: they can be evaded by environmentally aware advanced malware; they neither use nor share data that can be used to identify malware that has penetrated the network; and they offer limited remediation capabilities.

It’s time for traditional sandboxing technologies to be improved upon. To combat malware using advanced evasion tactics, organizations need a more robust malware analysis tool that is part of an integrated threat defense strategy and includes the capability to scan and identify malware retrospectively, after it slips through initial lines of defense. This requires an approach to malware analysis that is integrated, context-rich, and offers retrospective security.

Integrated: Malware analysis must be an integrated component across the security architecture, from the firewall, to email and web secure gateways, to network and endpoint security solutions. Flexible deployment options are essential to satisfy a range of requirements and accommodate existing infrastructure.

Context-rich: Context is critical to know where the real threats are and to accelerate response. Malware analysis that is context-rich provides information based on region, vertical or historical distribution; combines global and local intelligence, behavioral indicators of compromise, threat intelligence feeds, and other enrichment; and delivers a threat score that reflects maliciousness based on the specific characteristics of the organization’s infrastructure.

Retrospective security: This capability lets security teams identify malware that has penetrated the network, see the file’s trajectory across the enterprise, quarantine any infected devices, and execute automated or hands-on remediation before reattaching the device to the network. Retrospective security is critical to accelerate time to detection (TTD) and response.
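The retrospective lookup described above can be sketched as follows. This is an added illustration, not code from any product: the sighting-log format, host names, shortened hashes and verdict feed are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: sightings logged when each file was first allowed
# through with an unknown verdict. Hashes are shortened placeholders.
# Fields: time, host that received the file, hash, where it came from.
SIGHTINGS = [
    ("2015-06-01T11:40:00", "ws-022", "aaaa", "ws-014"),
    ("2015-06-01T09:02:00", "mail-gw", "aaaa", "inbound email"),
    ("2015-06-01T09:05:00", "ws-014", "aaaa", "mail-gw"),
    ("2015-06-01T10:00:00", "ws-014", "bbbb", "web download"),
    ("2015-06-02T08:15:00", "ws-031", "aaaa", "ws-022"),
]
# Constructed verdict changes arriving later from continued analysis.
VERDICT_UPDATES = [
    ("2015-06-03T14:00:00", "aaaa", "malicious"),
    ("2015-06-03T14:05:00", "cccc", "malicious"),  # never seen locally
    ("2015-06-03T15:00:00", "bbbb", "clean"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def index_sightings(sightings):
    """Group sightings by file hash, oldest first."""
    by_hash = defaultdict(list)
    for ts, host, sha, source in sightings:
        by_hash[sha].append((parse(ts), host, source))
    for events in by_hash.values():
        events.sort()
    return by_hash

def retrospective_alerts(sightings, verdict_updates):
    """Return one alert per hash that was seen earlier and is now malicious."""
    by_hash = index_sightings(sightings)
    alerts = []
    for ts, sha, verdict in verdict_updates:
        events = by_hash.get(sha)
        if verdict != "malicious" or not events:
            continue  # benign, or the file never entered the network
        alerts.append({
            "sha256": sha,
            "entry_point": events[0][1],
            "trajectory": [f"{src} -> {host}" for _, host, src in events],
            "quarantine": sorted({host for _, host, _ in events}),
            "hours_to_detection": (parse(ts) - events[0][0]).total_seconds() / 3600,
        })
    return alerts

if __name__ == "__main__":
    for alert in retrospective_alerts(SIGHTINGS, VERDICT_UPDATES):
        print(alert)
```

The time-to-detection figure here is measured from the first local sighting of the file to the moment its verdict changed.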

Most people would agree that Alfred Hitchcock is one of the greatest directors who ever lived. Yes, he was “typed,” but he also pioneered many techniques in the suspense and psychological thriller genres which future generations continue to build upon. That’s what’s needed with malware analysis. We need to take the best of what traditional approaches offer and innovate to help fight well-funded attackers that get better at what they do every day.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.