Express Computer
Home  »  archive  »  Tech Views  »  The Sandbox Approach

The Sandbox Approach

0 66

Darren Turnbull

Sandboxing is emerging as a key tool in detecting the spy on the network, helping enterprises in their fight against APTs, says Darren Turnbull

What does it really mean to live in the shadow of the Advanced Persistent Threat? Certainly, APTs are a lot more subtle, intelligent and dangerous than their random and generally less sophisticated predecessors. The Internet threat environment is a lot more malicious today, and we can no longer rely on signature-based defenses against it. We need to fight intelligence with intelligence.

Yet, while cyber crime has evolved and advanced, it has also become retrospective in its approach. Cyber crime today has a lot in common with the golden era of old school spying – infiltrate, hide, and extract valuable and sensitive information without being detected. This approach is highly effective in a world where digital information is getting increasingly valuable.

With the stealthy online infiltration to steal valuable proprietary information being the ultimate aim of the modern cyber criminal, it is clear that organizations need to be especially vigilant and prepared in detecting those new types of rampant and unrelenting threats. The successful embedding and execution of malicious code on a network can cause havoc to an organization with the biggest risk now laying in the theft of Intellectual Property. competitive advantage, insider information, valuable and salable IP are all highly valuable to both the professional cyber criminal and the emerging (and as yet unproven) state-sponsored attackers.

New ways of working such as BYOD, where endpoints are also used for non-business use such as social media, are aiding APTs. Something as simple as a link on Facebook to an infected webpage can prove the entry point into an organization’s network. Cyber criminals are becoming highly skilled in targeting people and tricking them into innocently gifting access to their devices and, consequently, the corporate network.

Fortunately, there are still ways to spot the ‘spies’ trying to infiltrate the network, and even those who have gained access and bedded themselves in. They will invariably leave tell tale signs. It’s simply a case of looking for the signs and, in the case of a suspected ‘spy’, fooling them into making mistakes that will allow them to be identified and dealt with.

Need for Sandboxing
Sandboxing is not a new idea, but it is proving increasingly useful in countering APTs. Malware has always tried to disguise itself and today’s developers are making their software ‘aware’ of its surroundings. The sandbox – which can be local or cloud based – provides a tightly controlled virtual environment in which only the basic resources are provided to allow suspicious or unknown software to run, and where network access and other critical functions are restricted. The malware is thereby tricked into believing it has reached its destination so that it can be closely observed for revealing behavior. But how do you choose which piece of software needs to be ushered into a sandbox virtual environment for closer scrutiny?

There are five initial exploit and exfiltration behaviors that, either in isolation or in tandem, can point to malware activity.

Looking at these in more detail; Some APT payloads randomly generate strings of IP addresses intended to aid propagation, or they may attempt to make connection with a command and control server in order to exfiltrate data or call on further attack resources via a botnet. If details of the malicious server are known, it’s the equivalent of a suspected spy under surveillance revealing himself when he calls his spymaster.

Also, documented APT cases have involved numerous techniques for obscuring (obfuscating) the real meaning and intent behind malicious JavaScript code, and of course the malware will likely mimic the behavior of its host device or application to avoid detection. Consequently, the trend towards encrypted malware within APT payloads renders all encrypted traffic to elevated risk.

A layered approach to security
For more effective protection and greater control, sandboxing should ideally operate as part of a layered strategy. The first line of defense will be the antivirus engine supported by an inline real-time onboard sandbox. If the threat proves sufficient, the suspicious files can be submitted to a cloud-based sandbox for further analysis. This layered and unified approach delivers more control and speed for countering a potential attack. And it is necessary. As cyber crime becomes more advanced and multi-layered, so must the security stance of the organization.

Unfortunately, there persists a belief among many enterprises and organizations that none of this really applies to them. The high media profile of ‘cyber war’ raging between nation states supports this mistaken belief. However, in cyberspace there are no national boundaries and every organization, no matter how large or small, is a potential target. It is very easy for skilled cyber criminals to use social routes to gain access to devices and networks, so what’s to stop them targeting any organization, especially if they can assume that the organization is unprepared and vulnerable? And with cyber crime tools becoming cheaper and more readily available, what’s to stop competitors doing the same?

In the shadow of the APT, traditional IT security defenses are outdated and no longer adequate. There is an increasing urgency for organizations to recognize and accept the very real risks posed by APTs and to adopt a more modern and intelligent layered approach to threat detection and remediation. Sandboxing is a key tool in that approach.

Darren Turnbull is VP – Strategic Solutions, Fortinet.

Get real time updates directly on you device, subscribe now.

Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 

Stay updated with News, Trending Stories & Conferences with Express Computer
Follow us on Linkedin
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image