Attackers have learned how to bypass signature-based Anti-Virus and Intrusion Prevention/Detection Systems by rapidly morphing threats to known vulnerabilities or building exploits to take advantage of unknown or zero-day vulnerabilities. A new type of threat detection control is needed, one that allows files that have not been seen before to execute in a virtualized, safe environment to determine if malware is present. This type of control is called a sandbox.

There are two types of unknown threats:

  1. Threats based on known vulnerabilities that morph so rapidly, in seconds or minutes, that signature-based controls like anti-virus controls cannot keep up.
  2. Threats based on unknown or zero-day vulnerabilities. A signature-based control obviously has no chance to detect these threats.

The best way to detect these unknown threats is to allow the files in which they reside to execute in a safe, virtual environment. In this “sandbox,” the execution is observed and malicious behavior can be detected. Once the malicious behavior is detected, signatures can be created so the next time that type of attack is seen it can be blocked by a more traditional Intrusion Prevention System. In addition, automatically updating IP blacklists in a firewall or proxy is recommended.
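The step from "malicious behavior observed" to "signature created and IP blacklist updated" can be illustrated with a small, self-contained script. The following is an added example, not code from the original article or from any sandbox vendor: it consumes a constructed sandbox report (the JSON layout, event names, hash and addresses are all assumptions made up for this example), scores the observed behaviors against a few rules, and, when the score crosses a threshold, emits a hash-based signature for the IPS and a list of firewall blocklist entries for the external addresses the sample contacted.

```python
"""Toy post-sandbox pipeline: score observed behavior, then turn a malicious
verdict into a hash signature and firewall blocklist entries.
Added example; the report format is an assumption, not any product's output."""
import ipaddress
import json

# Constructed sandbox report. Hash and IPs are placeholders (TEST-NET ranges).
SAMPLE_REPORT = json.dumps({
    "sample_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "events": [
        {"type": "file_write", "path": "C:\\Users\\Public\\svc.exe"},
        {"type": "registry_set",
         "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
        {"type": "process_create", "image": "C:\\Users\\Public\\svc.exe"},
        {"type": "network_connect", "ip": "198.51.100.23", "port": 443},
        {"type": "network_connect", "ip": "10.0.0.5", "port": 445},
        {"type": "network_connect", "ip": "203.0.113.7", "port": 8080},
    ],
})

# Constructed report for a sample that did nothing observable.
CLEAN_REPORT = json.dumps({"sample_sha256": "00" * 32, "events": []})

# Addresses that should never be pushed to a perimeter blocklist.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def load_events(report_json):
    report = json.loads(report_json)
    return report["sample_sha256"], report["events"]


def dropped_then_executed(events):
    """A file the sample wrote was later launched as a process."""
    written = {e["path"].lower() for e in events if e["type"] == "file_write"}
    return any(e["type"] == "process_create" and e["image"].lower() in written
               for e in events)


def run_key_persistence(events):
    """The sample registered itself under a Run key."""
    return any(e["type"] == "registry_set" and "\\run\\" in e["key"].lower()
               for e in events)


def external_connections(events):
    """Sorted list of non-local IPs the sample connected to."""
    ips = set()
    for e in events:
        if e["type"] != "network_connect":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in LOCAL_NETS):
            ips.add(str(addr))
    return sorted(ips)


# (rule name, weight, predicate over the event list)
RULES = [
    ("dropped file executed", 40, dropped_then_executed),
    ("run-key persistence", 40, run_key_persistence),
    ("outbound connection", 20, lambda ev: bool(external_connections(ev))),
]
THRESHOLD = 60  # assumed cut-off for a malicious verdict


def score(events):
    hits = [(name, w) for name, w, pred in RULES if pred(events)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def build_countermeasures(report_json):
    """Return the verdict plus the artifacts downstream controls would consume."""
    sha, events = load_events(report_json)
    total, hits = score(events)
    if total < THRESHOLD:
        return {"verdict": "clean", "score": total,
                "signature": None, "blocklist_ips": [], "firewall_rules": []}
    ips = external_connections(events)
    return {
        "verdict": "malicious",
        "score": total,
        # Hash-based signature an IPS could match on the next download.
        "signature": {"sha256": sha, "rules": hits},
        "blocklist_ips": ips,
        # Illustrative rule text; adapt to the firewall's own syntax.
        "firewall_rules": [f"deny ip any host {ip}" for ip in ips],
    }


if __name__ == "__main__":
    print(json.dumps(build_countermeasures(SAMPLE_REPORT), indent=2))
```

The rules are deliberately coarse; in practice the weights and the behaviors that count come from the sandbox vendor's analysis, and the blocklist step should exclude your own address space exactly as `LOCAL_NETS` does here, otherwise a sample that scans internal hosts would get the firewall to block them.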

Sandboxing can be done locally on a manufacturer-provided appliance or in the manufacturer’s cloud. There are advantages to each of these deployment methods. If you focus on executables and PDFs being downloaded from the Internet, the cloud approach enables more extensive, varied, and time-consuming analysis and is more cost effective. If you are concerned about internally transmitted documents, then the appliance option provides more privacy.

Finally, not all sandboxing solutions are equal in their ability to detect malware. The cyber adversaries have gotten wise to these virtualized executable environments and in some cases the malware is written to be dormant when it detects the presence of a sandbox.

