Sep 26 2013

How Sandboxing Fights Back Against Malware Attacks

Isolating unknown traffic complements existing security measures.

If the ingenuity behind new diabolical flavors of malware seems boundless, that's probably because it is.

Sandboxing aims to help state and local information security managers get out in front of the onslaught of sophisticated zero-day attacks headed their way. This method of isolating unknown files from the rest of the network to observe how they behave before they can wreak havoc was traditionally associated with suspicious email attachments.

However, security software makers such as Check Point Software, Fortinet, McAfee and Trend Micro now offer sandboxing capabilities, while Cisco Systems will gain SourceFire's Advanced Malware Protection for FirePOWER when the vendor finalizes its acquisition of the company later this year. Industry observers say sandboxing is more of a method than a product, and offers yet another weapon in the arsenal that complements firewalls, intrusion prevention systems, anti-virus and other established security technologies.

Identifying and Analyzing Unusual Behavior

Charles Kolodgy, research vice president for secure products at IDC, says that when a file initiates an unexpected behavior, "normally that means it is malicious." With sandboxing, suspicious objects (PDFs, images, documents with embedded malicious URLs and more) are sent to a quarantined environment that mirrors that of the larger enterprise network.

[Figure: Percentage of worldwide malicious URLs originating in the United States in the first quarter of 2013. SOURCE: "Zero-Days Hit Users Hard at the Start of the Year" (Trend Micro, April 2013)]

Their activity is then analyzed to see if registry keys are being modified, DNS lookups initiated, ports opened or communication with unknown servers attempted, he says.
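As an added illustration of the behavioral checks Kolodgy describes (example code written for this article, not code from IDC or any vendor named here), the following Python tallies those four behaviors from a constructed sandbox event log and turns them into a verdict. The event format, the allow-list of known servers and the internal network ranges are assumptions made for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Assumed allow-list of servers a document is expected to contact, and the
# enterprise's internal ranges (both constructed for this example).
KNOWN_SERVERS = {"update.example-vendor.test"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sandbox event log: one JSON object per line, modelled on what a
# behavioral sandbox records while a suspicious file runs in isolation.
SAMPLE_EVENTS = r"""
{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"event": "dns_query", "name": "cdn-telemetry.example.test"}
{"event": "socket_listen", "port": 8081}
{"event": "tcp_connect", "dst": "203.0.113.7", "port": 443}
{"event": "file_read", "path": "C:\\Users\\alice\\report.docx"}
"""


def analyze(events_text: str) -> dict:
    """Collect the behaviors the article lists and derive a verdict.

    Registry changes, DNS lookups, listening ports and contact with servers
    that are neither allow-listed nor internal each count as one indicator.
    """
    findings = {"registry_modified": [], "dns_lookups": [],
                "ports_opened": [], "unknown_servers": []}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind in ("registry_set", "registry_delete"):
            findings["registry_modified"].append(ev["key"])
        elif kind == "dns_query":
            findings["dns_lookups"].append(ev["name"])
            if ev["name"] not in KNOWN_SERVERS:
                findings["unknown_servers"].append(ev["name"])
        elif kind == "socket_listen":
            findings["ports_opened"].append(ev["port"])
        elif kind == "tcp_connect":
            dst = ip_address(ev["dst"])
            if not any(dst in net for net in INTERNAL_NETS):
                findings["unknown_servers"].append(ev["dst"])
        # Other events (file reads, etc.) are benign on their own and ignored.
    triggered = [name for name, hits in findings.items() if hits]
    findings["verdict"] = ("malicious" if len(triggered) >= 2
                           else "suspicious" if triggered else "clean")
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags all four behaviors and returns a "malicious" verdict; a log containing only file reads comes back "clean".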

"So many organizations are finding [malware] they've never seen before," says Fred Kost, head of product marketing at Check Point Software. Consider links to legitimate-looking websites embedded in emails that deposit their payload when an unwitting employee clicks on the link, for example, or malware embedded in a Microsoft Word file that appears to come from a colleague.

People can find a great deal of information about state and local governments online, including everything from public officials' salaries and the status of pending pieces of legislation to countless staff email addresses. Kost says all of that data gives attackers fodder to create more effective spear phishing and other attacks, using sophisticated social engineering to fool even seasoned technology users — and ratcheting up the need for a threat-emulation environment.

"Anti-virus and intrusion prevention and other technologies that use pattern recognition are very effective at finding the known thing," says Kost. When Check Point piloted its new threat emulation blade, dozens of its early adopters each faced at least one zero-day attack during the pilot.

Integrated Approach

Vinay Anand, vice president of product management for network security at McAfee, says the company is weaving the LynuxWorks ValidEdge technology it acquired in February throughout its platform. Renamed Advanced Threat Defense, it will be integrated into a range of McAfee products, with a refurbished email gateway among the items slated for release before the end of the year.

Anand says that McAfee's approach to sandboxing — making it a central part of network security, rather than bolting sandboxes on various appliances and other items facing the web — offers the most comprehensive form of threat emulation available, one that plays well with existing security technologies.

"Sandboxing gives you one more view," Anand says, adding that packet-level analysis, maintenance of current attack signatures and other methods of securing a network continue to come into play.
