For years, organizations have relied on the sandbox to protect themselves from a cybersecurity standpoint. With sandboxes, organizations could check incoming files and URLs for security risks in an isolated environment before they could move on and corrupt a network.
Sandboxes have evolved, but so have hackers, creating new methods and technologies that can easily outclass the traditional sandbox. Delayed execution of malware, embedding malicious content in archive files or within links, encrypted data that calls malware — all of these actions and more are virtually immune to sandbox inspection, and attackers that use these tricks can infiltrate a network and cause havoc.
No less an authority than the SANS Institute has documented some of the common techniques used by hackers to bypass sandboxes — with malware remaining dormant if it figures out it is in a sandbox environment instead of in the production environment. Here are some methods hackers use to outsmart sandboxes:
• Packaging: One way that hackers can evade sandbox controls is by embedding malware deep within files or links. For example, a clean file that includes a link to a malicious file is likely to get through a sandbox. This kind of evasion is pretty easy and does not require any advanced hacking capabilities.
• Lack of user input: This is a “giveaway” for sandbox-aware malware. Sandboxes generally don’t have users typing in them, copying or saving files, etc. The lack of expected user activity in an environment is a clear sign that malware is sitting in a sandbox — and it needs to avoid acting suspiciously.
• Sandbox fingerprinting: There are dozens of sandbox products out there, but most of them work in a similar manner. So if hackers can equip files with the ability to detect if they are in a sandbox environment, the files can hold off on their malicious activity in order to pass through the sandbox. Most sandboxes use hooks, injecting or modifying code and data within the analysis system. As a result, hackers can program malware to be aware of them. As proof of concept, researchers developed a system that probed sandboxes and discovered that nearly all “supervised learning techniques,” enabling adversaries to “automatically generate a classifier that can reliably tell a sandbox and a real system apart.”
• Sleep tricks (‘sleepers’): In order to prove that it does not have hostile intentions, malware — assuming that it will find itself in a sandbox — will use sleep programming functions to keep it in a passive state. It might take sandboxes as long as 20 minutes to check a file, so malware that sleeps for at least that long will be passed through the system. To defend against this, sandboxes have been updated. Unless they can detect a good reason for an application to sleep, they may ban it on suspicion of being malware. In response, malware developers have come up with techniques in which their creations make it appear that they are doing something like executing useless CPU cycles to delay the actual code from acting until the sandbox has released it into the work environment.
There are other techniques hackers can use to outsmart sandboxes, including hiding malicious code in password-protected attachments, data obfuscation and encryption. But the point should be clear: Malware that can evade sandboxes is pervasive. According to some estimates, “Over 98% of malware making it to the sandbox array uses at least one evasive tactic.” And new, more sophisticated techniques and types of malware capable of this are coming out every day.
If sandboxes aren’t working anymore, what can replace them? One idea is a security system that looks not at the malware at all but at the exploit — a code that leverages a software bug, enabling attackers to eventually deliver the malware to their target. While there may be hundreds of millions of malware in the field, there are only a few exploit techniques to deliver them to an IT system. A security system that can detect the exploits, can protect the system by defenestrating the malware.
There are other ways to protect a system from sandbox compromises. One of the most popular technologies that has emerged to overcome the weak spots of the sandbox is content disarm and reconstruction (CDR). This technology basically strips out all active content and then forms it back together to provide a “neutralized” document. The main benefits of this technology are its speed, its ability to prevent advanced attacks hidden in documents and (usually) its ability to be deployed easily.
Besides the technological approach, organizations should consider enforcing specific policies that might be able to prevent some attacks. Policies that include limiting file types from entering the organization (such as .exe files and others associated with malware), blocking any file with macro and auto-conversion of all documents sent to simple PDF documents.
But there’s no doubt that examining exploits to determine the nature of a file’s purpose is more effective, and faster, than examining the malware inside a sandbox. In addition to being more effective in detecting malware, security systems that take a deterministic approach, have, by definition, zero false positives, as opposed to behavioral systems, which can be fooled by malware that mimics the behaviors of legitimate files. By examining exploits instead of malware-associated features, administrators get a full, accurate picture of their security situation.
Regardless as to which approach you take, it’s important to have some sort of cybersecurity strategy in place in an era when the old ones that we have relied upon — especially the sandbox — have lost their luster.