Long Live Advanced Threat Protection

Death of the Sandbox.

By Benny Reich, VP Product
October 29, 2018

How Sandboxes are being easily bypassed, and what’s next.

Why were Sandboxes Created?

Until the early 2000s, anti-virus software (AV) was dominant. With signature-based anti-virus, URL reputation engines and threat intelligence, companies were covered against most attacks. However, these security measures were reactive: signature detection (looking for patterns identified in known instances of malware) and reputation lookup (looking for known malicious sites) detect only previously identified threats.

Around 2005, a new type of threat emerged that was hard to detect with static methods: the Advanced Persistent Threat (APT). APTs are custom-developed, targeted attacks using a set of stealthy and continuous hacking processes. They are inherently designed to evade typical detection methods. To protect against this new type of threat, sandboxes were invented and added to the cyber-security toolbox as an added layer of protection.

How Does Sandbox Technology Work?

Sandbox protection is behavior-based, providing the malware with a place to “play” and waiting to see what it is going to do. The Sandbox profiles malware behavior by letting it reach the shellcode execution stage – a technique well known to attackers. Presumably, even if it doesn’t have a signature or reputation, it will expose its true intentions in the sandbox.

The value proposition of sandboxes was strong over 10 years ago, and they genuinely were able to stop APTs. But as we all know in the cyber world, attackers find ways to get around solutions, and it is clear that there are now many well-known means of doing so.

Common Sandbox Evasion Techniques.

There are many creative ways to evade sandboxes, all of them sharing the same rationale: the malware wants to prevent the sandbox from executing the malicious code and detecting it. It therefore uses methods to detect the environment it runs in, to understand system behavior, or to identify user interaction. It executes its malicious code only once it knows it is outside the sandbox and on the end user's computer.

Some common means of evading sandbox detection are:

  1. Detection and awareness of the sandbox environment
  2. Abusing sandbox limitations
  3. Context-aware malware

Sandbox Environment Detection.

Sandboxes are designed to mimic the end user's real environment as closely as possible. However, there are various ways in which the virtual environment looks different from an end user's system, and these help malware identify that it is running inside a sandbox. Malware may try to find out whether it is running in a virtual environment, or may check for the signature of a specific vendor's sandbox. The sandbox's fingerprints can be particular configuration files, executables, processes, registry keys, services, network adapters, etc. Once malware detects a virtual environment, it avoids running any malicious code until it is safely on the other side.

Examples of techniques attackers use to detect the sandbox environment:

Abusing Sandbox Limitations.

As sophisticated as a particular sandbox might be, malware authors can often find and exploit its weak points and limitations.
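As an added example (not part of the original post, and not Perception Point's product code), here is sandbox-side detection logic in Python that scores a constructed execution trace for the three evasion patterns described above: environment probing followed by a silent exit, stalling to exhaust the analysis time budget, and waiting for user interaction that never comes. The trace format, the API grouping and the thresholds are this example's own assumptions.

```python
import re
from collections import Counter
# Constructed trace format used by this example (not any vendor's log format):
#   "<seconds> <api>(<args>) -> <return>"
LINE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<api>\w+)\((?P<args>[^)]*)\) -> (?P<ret>\S+)$")
# Win32 calls grouped by what a sample learns from them (this example's own grouping).
ENV_PROBES = {"RegOpenKeyExW", "GetAdaptersAddresses", "EnumServicesStatusExW",
              "CreateToolhelp32Snapshot", "GlobalMemoryStatusEx"}
USER_PROBES = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}
PAYLOAD = {"CreateProcessW", "WriteFile", "InternetOpenUrlW", "VirtualAllocEx"}

def parse_trace(text):
    """Return [(t, api, args, ret)] for every well-formed trace line; skip the rest."""
    out = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((float(m["t"]), m["api"], m["args"], m["ret"]))
    return out

def score_trace(text, budget_s=120.0):
    """Flag a trace that probes the environment and never detonates, stalls for
    most of the analysis budget, or waits for user activity that never comes."""
    counts, slept_s, exited = Counter(), 0.0, False
    for _, api, args, _ in parse_trace(text):
        if api in ENV_PROBES: counts["env_probe"] += 1
        elif api in USER_PROBES: counts["user_probe"] += 1
        elif api in PAYLOAD: counts["payload"] += 1
        elif api == "Sleep": slept_s += int(args) / 1000.0   # Sleep(dwMilliseconds)
        elif api == "ExitProcess": exited = True
    findings = []
    if (counts["env_probe"] or counts["user_probe"]) and exited and not counts["payload"]:
        findings.append("probe-then-abort")   # looked around, then quit quietly
    if slept_s >= 0.5 * budget_s:
        findings.append("stalling")           # burns the sandbox's time budget
    if counts["user_probe"] and not counts["payload"]:
        findings.append("waits-for-user")     # context-aware: no interaction seen
    verdict = "suspicious-evasive" if findings else "no-evasion-signal"
    return verdict, findings, dict(counts)

# Constructed sample traces (not real captures).
EVASIVE = """
0.001 RegOpenKeyExW(HKLM\\SYSTEM\\CurrentControlSet\\Services) -> 0
0.004 EnumServicesStatusExW(SC_HANDLE:0x1c) -> 1
0.012 GetLastInputInfo(LASTINPUTINFO*) -> 1
0.013 Sleep(90000) -> void
90.02 ExitProcess(0) -> void
"""
DETONATES = "0.002 VirtualAllocEx(0xffffffff,0,4096,PAGE_EXECUTE_READWRITE) -> 0x2a0000\n0.009 CreateProcessW(C:\\Users\\Public\\dropper.exe) -> 1"
```

A real sandbox would feed its own API-hook log through `parse_trace` and tune `budget_s` to its actual analysis window.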

Examples of techniques attackers use to abuse sandbox limitations:

The Sandbox Killer.

While very innovative at the time, sandboxes have become just another semi-effective component in the fight against cybercrime, as they are no longer effective protection against APTs and zero-day attacks.

Perception Point uses a different approach to protecting against APTs and zero-day attacks, one that is far more deterministic and does not wait for the malicious content to actually detonate. Our HAP™ (Hardware Assisted Platform) x-rays code rather than checking behavior, detecting the use of exploit techniques before malware is even delivered (e.g., when it leaves the valid execution flow to check the environment).

It consists of 3 algorithmic layers:

On top of that Perception Point applies additional layers to detect evasion techniques:

In cybersecurity there is no holy grail that catches all threats. However, that does not mean you should settle for systems that are clearly very easy to evade today. You should aim for a deterministic and holistic multi-layered solution that can be rapidly updated as new techniques emerge.
