The Sandbox: A Tool of Choice for APTs

By Stefanie Hoffman | December 05, 2013

Let's face it, Advanced Persistent Threats are becoming smarter, and well, more advanced. It's no secret that cybercriminals are developing more sophisticated and subtle attacks equipped with a slew of highbrow features such as self-awareness and the ability to stealthily dodge countless security systems.

With intelligence as the weapon of choice, attacks are more dangerous than they ever have been. As such, advanced threats require an equally robust security system to effectively stop them in their tracks. Signature-based solutions often won't cut it, argues Fortinet's Darren Turnbull, vice president of strategic solutions, in his article "APTs: Detecting the Spy on Your Network".


Yet while cybercrime is constantly evolving, the fact remains that APTs still rely on tried and true "spy" tactics - infiltrate, hide, and extract valuable sensitive information - methods that remain extremely effective as the value of digital information soars. Topping the list of high value targets are data that provides competitive advantage, insider information and saleable IP - all of which garner top dollar in the cyber underground as well as with emerging state-sponsored attackers.

As such, organizations have little choice but to become more vigilant and increasingly prepared to combat a spate of rampant and unrelenting threats, according to Turnbull.

But that's easier said than done. Recent technology trends, such as BYOD, have opened up a host of new and as yet uncontrolled threat vectors. Personal social media used on the same devices as business-critical applications has also served to accelerate the proliferation of APTs. Also, thanks to sites such as Facebook and others, copious amounts of personally identifying information are readily available for cybercriminals to use in highly targeted assaults designed to trick users into spreading malware and infiltrating corporate networks.

But while attacks have become stealthier and more evasive, they're also still detectable with the right set of tools. Even the most sophisticated threats leave behind a trail of clues, Turnbull says - it's often a matter of locating the telltale signs that will eventually lead to malware identification.

While not new, sandboxing is a tool that can help security administrators piece together those unintended clues left in the wake of an attack. Granted, malware has always attempted to mask itself. However, sandboxing, offered locally or in the cloud, serves to cast a spotlight on evasive malware by providing a tightly controlled virtual environment that enables a suspicious or unfamiliar program to be run separate and apart from the network and other critical functions. Among other things, sandboxing tricks the malware into believing it has successfully reached its target. From there, security folks can observe its behavior and more easily identify any suspicious activities. In short, sandboxing gives malware little room to hide its intentions or whereabouts.

Altogether, there are five exploit and exfiltration behaviors that point to malicious activity. Some APT payloads randomly generate strings of IP addresses that accelerate propagation. They could also make connections with a command and control server in order to abscond with sensitive data, or bulk up attack resources via a botnet. In any case, these details ultimately become dead ringers for the presence of malware.

In addition, APTs regularly employ a multitude of techniques for obfuscating the actual intent of malicious JavaScript code. Malware often mimics the behavior of the host device or application in order to evade detection. As a result, encrypted malware within the APT payload elevates the risk to all other encrypted traffic.

Ultimately, sandboxing should be leveraged as part of a more comprehensive multi-layered security strategy, Turnbull says. In fact, ideally, the first line of defense is the anti-virus engine supported by an inline real-time onboard sandbox, designed to address unknown or malicious code if it appears to pose a formidable threat to the organization.

And these days it's becoming increasingly necessary. In light of a groundswell of APTs that are becoming more intelligent, hardy and evasive, traditional defenses have often outlived their usefulness. The rapidly evolving threat landscape has called for organizations to step up their game and adopt a more modern and intelligent approach to counteract a surge of similarly crafty threats. And sandboxing will be a critical tool in that arsenal.
