Dec 20 2023

The Power of Sandboxing for State and Local Government Security

Sandboxing can be a great tool for state and local agencies to use to thwart ransomware and malware, prevalent threats against government networks.

The onslaught of malware never ends. Luckily, state and local governments can rely on sandboxing, a time-tested method to thwart attackers.

Sandboxing is a process in which a suspect file, code or URL is shunted to an isolated area outside of an organization’s production IT system for closer examination. There, it’s prodded and watched (also known as being “detonated”) to see how it behaves against standard programs and operating systems such as Windows and Linux. If the code starts causing trouble, it is tagged as malware and then blocked at the network endpoints. Equally important, information on the exploit (particularly when it is brand-new) is pushed out to the network edge, which watches for similar incursions in the future.

“As the only instance outside of a customer endpoint where a file is executed, it can help state and local governments in the early detection of advanced threats such as zero-day exploits and targeted attacks that may evade traditional security measures,” says Andy Kinghorn, director of development at Symantec.

Today, most of the process is done virtually and elsewhere — which affords key advantages, as Fortinet notes on its website: “It consists of using a sandboxing environment to test downloads, URLs, and code — but in the cloud instead of using on-site hardware. When a sandboxing environment is in the cloud, it is kept apart from your computer or any of the devices on your network.”


In rarer cases, an organization may choose “bare-metal” sandboxing on racked hardware that is physically separate from any network. Such air-gapped measures are typically used in situations where security is paramount.

“Bare metal is super effective, has no virtualization and is heavily resource intensive,” says Deepen Desai, chief security officer for Zscaler. But the method has downsides: It’s labor intensive and requires resetting hardware between sandboxing sessions. This is a problem that doesn’t exist with virtual machines.

On the upside, the bare-metal approach makes it far harder for malware to evade a sandbox.

How Do Inline Blocks and Next-Generation Firewalls Help Sandboxing?

Inline blocks and next-generation firewalls keep suspicious files from crossing from the edge into the network in real time. They combine advanced threat filtering and artificial intelligence (AI) to recognize potentially hazardous code, which is then sent directly to the sandbox for examination.

“Inline blocking, NGFWs and sandboxing are complementary technologies where each is essential as part of a multilayered security solution,” Kinghorn says. “Intrusion prevention systems technology you would find in a NGFW provides additional indicators of compromise and metadata that can provide context in the sandbox decision-making to help block network threats.”

While a combination of sandboxing and inline blocks is most advisable, the two technologies deliver different user experiences. A firewall can filter out malware in milliseconds.

“Sandboxing provides unique capabilities, but at the expense of time and money,” says Randy Pargman, director of threat detection for Proofpoint. The process generally takes between three and 10 minutes. It’s more expensive because most organizations pay third-party vendors for the service based on use. “If you have 10,000 things that need to be sandboxed in an hour, you need a lot of computers running in parallel,” he adds.

At the Marple Newtown School District in Pennsylvania, the network administrator uses Check Point network detection and response and manages user expectations when a file gets sandboxed for five to 10 minutes.

“We get the occasional calls from people saying an email is taking a long time to come in,” says Christopher Lee, director of technology for the district. “We explain that it’s a virus scan.”

How Do Bad Actors Try to Avoid Sandboxing Detection?

Black hat programmers are exceptionally good at figuring out new ways to evade detection. Since they realize most organizations employ sandboxes, they’ve written code to detect the environment and stay dormant until cleared to roam a target network.

“The people who write the malware know what security is in place,” says Check Point’s Tony Sabaj.

Since defenders know that attackers are looking for the sandbox, the malware’s own act of checking its environment often gives the game away. “Even them doing the check is a trigger point,” Desai says.

Malware’s most common trick is running out the sandboxing clock. “It basically does nothing suspicious until enough time goes by, then it deploys the malicious part,” Pargman says. Proofpoint tricks the code into thinking that more time has elapsed, causing it to show its true colors.
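As an added illustration (not code from the article or from any vendor named in it) of the time-acceleration countermeasure Pargman describes: a constructed Python harness that swaps in a virtual clock during detonation, so a sample that tries to wait out the analysis window sees the minutes pass instantly, and the requested dormancy is itself recorded as an indicator. The harness, the report fields and the stalling sample are all hypothetical.

```python
import time
from dataclasses import dataclass, field

@dataclass
class SandboxClock:
    """Virtual clock that replaces time.time/time.sleep while a sample runs."""
    now: float = 1_700_000_000.0           # constructed epoch start for the run
    slept_total: float = 0.0
    sleep_calls: list = field(default_factory=list)

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        # Fast-forward instead of waiting: the sample believes time passed,
        # the analyst does not spend it. Every request is logged.
        self.sleep_calls.append(seconds)
        self.slept_total += seconds
        self.now += seconds

def detonate(sample, budget_seconds=180.0, long_sleep=60.0):
    """Run sample() under the virtual clock and return a behaviour report.

    budget_seconds: the analysis window the sample is trying to outlast
    (constructed value; the article quotes windows of 3 to 10 minutes).
    """
    clock = SandboxClock()
    real_time, real_sleep = time.time, time.sleep
    time.time, time.sleep = clock.time, clock.sleep   # hook the clock
    try:
        result = sample()
    finally:
        time.time, time.sleep = real_time, real_sleep  # always restore
    return {
        "result": result,
        "virtual_elapsed": clock.slept_total,
        "long_sleeps": [s for s in clock.sleep_calls if s >= long_sleep],
        # Asking to sleep longer than the whole window is the stalling pattern.
        "stalling_indicator": clock.slept_total >= budget_seconds,
    }

def constructed_stalling_sample():
    """Hypothetical stand-in for the 'do nothing until time passes' pattern."""
    start = time.time()
    while time.time() - start < 240:      # wants four quiet minutes first
        time.sleep(240)
    return "stage2"                       # benign marker for the later activity
```

The hook only catches calls made through the `time` module's attributes; production sandboxes apply the same idea at the hypervisor or API-hook layer, where the sample cannot bypass it by importing the function directly.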


How Does Artificial Intelligence Support Sandboxing?

AI and machine learning excel at comparing things and recognizing differences. Network security is an ideal fit for this technology, which is now woven into most platforms.

“AI and ML excel at extracting and processing information from large data sets quickly,” Kinghorn says. “They enhance sandboxing value where we can scan files while running with more computing resources than a customer endpoint and provide an unfiltered stream of system events as a file is executed within the environment.”

In short, it’s a perfect training ground for AI, which keeps learning and improving over time. AI is also used to pick up malware hiding in logos and other images on websites. It can recognize problematic language patterns in emails to identify phishing and other exploits as well, Pargman says.

“As we move to AI processing and neural networks, we’ve been able to increase security by 30 percent and decrease false positives by 90 percent,” Sabaj says.


How Can State and Local Governments Avoid Sandboxing Pitfalls?

Just having a sandbox capability isn’t enough, experts say. Correct policies need to be employed to use one effectively. A sandbox can be sluggish and inefficient, particularly if a network security posture is overly defensive and sends too many items for inspection.

“Very simply, you don’t want to sandbox every suspect file that comes into your organization,” writes Alan Hall, director of product marketing for Symantec Network Information Security. “At the same time, you don’t want to send a questionable file into your enterprise and inspect it later. If the file turns out to be malicious, you’ll have to remediate its impact on your organization, which will cost extra time and effort.”

The answer is to trim down the number of dubious files flowing into the sandbox using filters at the network edge to catch easily identifiable malware and block it there.

“Such a filter-funnel strategy will protect your organization from unnecessary costs and slow performance, while providing effective cybersecurity protection,” Hall says.

Desai agrees that an integrated approach is best: “You can’t just rely on sandboxing. Inline blocks take care of the majority of known exploits,” he says.

While sandboxing has been around for more than a decade, few expect it to be superseded by a new technology any time soon. That’s because the method works well and is being constantly updated and improved.

“Sandboxing will continue to evolve,” says Pargman. “It’s going to be around for a while. Today’s sandboxing is an entirely different beast” than what was available even a few years ago.

