Sandboxing solutions can help businesses maintain an effective barrier against cybercriminals and minimize the chances of an attack. David De Laine writes.
The term ‘malware’ has become so widely used in recent years that it’s easy to forget how many forms it can take—adware, spyware, viruses, worms, Trojans and many more. While each affects computer systems differently, they all share a common set of objectives: to steal data, perform unsolicited business transactions and disrupt the flow of business.
Meanwhile there is also an increasing level of threat from so-called zero-day malware. This malware exploits previously undetected vulnerabilities before software vendors have had a chance to develop an update or patch.
Battling such threats has traditionally been handled by the implementation of antivirus software and intrusion prevention systems. Designed to inspect files before they enter a corporate IT infrastructure, they act as gatekeepers that stop malware at the perimeter. They achieve this by checking for signatures of known malware and preventing anything identified as a threat.
But with cybercrime techniques continuing to evolve, this approach to security is no longer sufficient. Many threats can avoid signature detection by hiding within executable files or in regular documents and web pages. These types of attacks are typically harder to spot and, once the end-user runs a malicious executable, the attacker has full access to the target system.
The non-executable challenge
While many companies prevent the download of executable files or their inclusion in email attachments, non-executables on the other hand – such as documents and slide presentations – are usually allowed through. Tricking a user into opening an infected non-executable file can ultimately allow a cybercriminal to bypass security roadblocks.
For this reason documents pose one of the greatest risks to organisations today. In the daily functioning of business, employees must routinely open documents from job applicants, customers, and vendors. While researching markets, competitors, and new technologies, employees regularly download files from the web. Most employees open these documents without considering the implications, and risk exposing their companies to malware embedded inside them. Organisations need to be aware of these threats and take the steps necessary to mitigate the risk.
Taking an OS-level sandbox approach to security
Sandboxing is a very effective method of pre-screening files before they enter an organisation’s network. A sandbox emulates a standard operating system (OS) within a restricted environment, allowing suspicious files to be opened and checked before they are allowed into the corporate network.
Each file is tested in various ways as if it were opened by an actual user, then observed to see if it activates anything beyond what is normally expected. A good sandbox should be able to avoid evasions, provide fast and accurate detection, block attacks, decrypt SSL and scan a wide array of file types including .doc, .xls, .ppt, .pdf, .exe, and .zip.
However, cybercriminals are aware of the increasing use of sandboxes and are creating ways to avoid detection. For example, some add a timer to their payload to delay its launch until minutes (or even days) after the file has been opened. Others identify a sandbox by looking for virtual machine indicators such as scanning registry keys, disk size or remote communications and not deploying if these conditions are met. Some are even able to check for activities such as page scrolling and mouse clicks that are difficult to replicate in a virtual environment.
It’s possible to combat many of these advanced malware techniques by using dynamic operating system-level sandboxing with anti-evasion techniques. These include stimulating the file in different ways, accelerating the system clock and even emulating the CPU in software.
Deeper level of protection through CPU-level sandboxing
Sandboxing is the preferred solution to protect against unknown malware because it is easy to deploy and simple to use. But no matter how good OS-level sandboxing technology might be, a smart cybercriminal will find some innovative way to evade detection. This is where CPU-level sandboxing comes in, to detect malware at the exploit level. There are countless different vulnerabilities and millions of pieces of malware in circulation, but there is only a very short list of exploit methods. CPU-level sandboxing allows an organisation to detect the use of these methods by carefully examining CPU activity and the execution flow at the assembly code level while the exploit occurs.
With a CPU-level inspection capability, it becomes virtually impossible for hackers to evade detection as the malware is detected before it has a chance to employ any evasion tactic. The detection speed and accuracy of CPU-level sandboxing makes it the best technology for blocking both known and unknown attacks from infiltrating networks.
Security is going to continue to be a cat-and-mouse game between business and cybercriminals, however organisations can stay steps ahead by using advanced sandboxing technology that includes both OS-level and CPU-level approaches to address the security challenge.
[David De Laine, ANZ Regional Managing Director, Check Point Software]