Sandboxing Security: A Practical Guide

sandboxing security

What is Sandboxing Security?

Sandboxing security techniques and tools enable you to move suspicious software and files into an isolated environment—a sandbox—where the threat is tested. A sandbox is designed to mimic production environments, but it is deployed safely away from your real assets.

A major advantage of sandbox environments is the ability to isolate threats. Once the threat is isolated, you can test and analyze it, usually by “detonating” the suspicious file and causing it to deploy its malicious payload. The information gathered from the analysis can help you protect your systems from similar threats—essentially turning a zero-day threat into a known factor.

There is a wide range of sandboxing security solutions. Typically, a solution provides capabilities for analysis, pre-filtering, visualization, emulation, anti-evasion, and threat intelligence.

What is Sandboxing Security?

Sandboxing security techniques and tools enable you to move suspicious software and files into an isolated environment—a sandbox—where the threat is tested. A sandbox is designed to mimic production environments, but it is deployed safely away from your real assets.

How Does Sandbox Cyber Security Work?

Sandbox security testing proactively detects malware by running suspicious code in a safe and isolated environment, and monitoring the behavior and outputs of the code. This is known as “detonation”.

How to Choose Sandbox Security Software

Here are some of the key capabilities you should look for in a sandbox security solution:
– A sandbox should be able to analyze executables, DLLs, PDFs, Microsoft Office documents, Java and Flash programs, and any other artifact that may be used in your environment.
– A sandbox should support Windows and MAC environments 
– A sandbox should not need to use variable durations to detect dormant malware. Long-term analysis has a high resource cost, because it’s best practice to randomize the sandbox’s sleep settings, to increase the chance of capturing malicious activity. This means that not all files are scanned, and when scanned, takes a long time.
– A sandbox should have anti-evasion techniques, being able to unpack hidden files and URLs.
– Look for sandboxes that are native to the security solution or application you are protecting  or have easy to implement API for customized applications
– Select sandboxes that do not rely only on threat intelligence and machine learning, but have mechanisms to detect zero-days in a deterministic manner

How Does Sandbox Cyber Security Work?

Sandbox security testing proactively detects malware by running suspicious code in a safe and isolated environment, and monitoring the behavior and outputs of the code. This is known as “detonation”.

The major advantage of sandbox-based security testing is that it can reliably detect unknown threats. Other methods of testing, both traditional signature-based methods, and modern behavioral analysis based on machine learning (known as featureless detection), are limited in their ability to detect unknown threats.

These traditional methods are only as good as the threat databases and models that support them. The sandbox technique provides an additional layer of defense, making it possible to test payloads that passed other detection techniques, but may still contain threats.

There are three primary ways to implement a sandbox for security testing:

  • Complete system emulation—the sandbox simulates the host’s physical hardware such as CPU and memory to gain a comprehensive understanding of program behavior and impact.
  • Operating system emulation—the sandbox emulates the end user’s operating system, but does not accurately simulate system hardware.
  • Virtualization / containerization—this method uses a virtual machine (VM) or container to run software in an isolated environment.

Tal Zamir

Using Sandboxes to Detonate Malicious Payloads

Malware typically distributes payloads (macros, scripts, hyperlinks, files) when copied or downloaded to a device, or when a file is opened. Sandbox systems with detonation features can automatically analyze files and identify suspicious activity.

Some popular sandbox solutions do not provide detonation capabilities out of the box—but it is still possible to “play around” with malicious software to investigate its behavior. Other solutions have built-in, automated security testing features.

Typical Workflow for Sandboxing Detonation

If the malware doesn’t immediately activate its payload, the sandbox system can attempt to trick the malware into deploying, by changing certain virtual machine settings (such as date and time settings), or restarting the VM. Sandbox engines can also simulate different system properties that may trigger malicious behavior.

typical workflow for detonation is as follows:

  1. The sandboxing system detects content that is suspicious and needs to be tested.
  2. Content is moved to the sandbox environment.
  3. The end user is may be  notified that the content is being tested depending on the application.
  4. If the content is safe, the user or application can download.. If not, the content is blocked/quarantined  and administrators are notified.

Traditional Sandbox Limitations

Traditional security sandboxing has many downsides as they are costly and resource-intensive. Additional limitations are listed below.

Delayed Execution: A sandbox  can take up to  7 to 20 minutes to analyze a file. In some cases, malware can be programmed to execute after time delay or on a specific date.

Hiding Malicious Code in Password-protected Attachments: The sandbox cannot open the file unless it knows the password.

Data Obfuscation and Encryption: Standard sandboxes do not know how to decipher encrypted traffic.

Remotely Called VBA or Javascript: In this case a  link in a file leads to the download of malicious code only after the file passes sandbox inspection.

Malware Detection of Sandboxes:  Hackers can create attacks that know if the file is being checked by a sandbox and if so, will remain inert. 

How to Choose Sandbox Security Software

Here are some of the key capabilities you should look for in a sandbox security solution:

  •  A sandbox should be able to analyze executables, DLLs, PDFs, Microsoft Office documents, Java and Flash programs, and any other artifact that may be used in your environment.
  • A sandbox should support Windows and MAC environments 
  • A sandbox should not need to use variable durations to detect dormant malware. Long-term analysis has a high resource cost, because it’s best practice to randomize the sandbox’s sleep settings, to increase the chance of capturing malicious activity. This means that not all files are scanned, and when scanned, takes a long time.
  •  A sandbox should have anti-evasion techniques, being able to unpack hidden files and URLs.
  • Look for sandboxes that are native to the security solution or application you are protecting  or have easy to implement API for customized applications
  • Select sandboxes that do not rely only on threat intelligence and machine learning, but have mechanisms to detect zero-days in a deterministic manner

Sandboxing Security with Perception Point 

Looking for a managed sandbox solution to protect your organization?

Perception Point’s SaaS solution is powered by 7 layers of patented detection engines and provides a detection rate of more than 99.95%.Dynamically scanning 100% of content, including embedded files and URLs in just seconds, it eliminates security blind spots for the best protection across email, cloud collaboration apps, web apps and web browsers.

The platform recursively unpacks every piece of content and rapidly scans all text, files, and URLs with multiple advanced detection engines. The multiple engines leverage state of the art detection algorithms using computer vision, machine learning, and various dynamic and static methods, to intercept every type of threat, from commodity attacks to advanced threats.

One of these engines is the HAP – Hardware Assisted Platform which is a  next-gen sandbox that dynamically scans content at the CPU/memory level. It detects threats in a deterministic manner, at the exploit level, rather than the application level, finding low-level misusage patterns and anomalies – rather than looking for known behaviors that have been previously categorized as potentially malicious.

The HAP outperforms CDRs  and traditional sandboxes, with the following:

1. Deterministic verdict – by looking at the CPU-level data, the solution provides  a single, clear verdict, without relying on statistical analysis, ensuring better detection and FP rates.

2. Speed – the HAP’s short scanning time ensures minimal to negligible delay time and optimal user experience.

3. File usability – Perception Point doesn’t tamper with the file, maintaining its usability

4. Scale – Perception Point scans 100% of the traffic dynamically leaving no file unscanned and no room for malicious files to penetrate your organization.

SOC team overloaded? Get a free, fully managed, 24x7 Incident Response  service, and save up to 75% of your SOC resources. Learn more.