Resilient-Advanced-Network-Solutions 4.jpg

Networking Intelligence

8 Most Common Sandbox Evasion Techniques & The Best Cyber Security Solutions

common-sandbox-evasion-techniques-cyber-security-solutions.jpgMore and more organizations are turning to network security sandboxes to cope with the rise of DDoS attacks and advanced persistent threats (APTs). While a network security sandbox is an effective tool to limit exposure to risk, it is most powerful when implemented as a component of a robust, multi-layered network security strategy offering complete, end-to-end protection.

How Security Sandboxes Enhance Cyber Security

A traditional sandbox can analyze program files and identify threats by quarantining code and scripts in an isolated environment. In network security this concept means that appliances can execute and inspect network traffic and run application data, such as Adobe Flash or JavaScript, to uncover malicious code. This enables organizations to identify previously unseen malware or zero-day threats before they enter the network and cause harm to your organization.

Not all Sandbox Technology is Alike

Sandbox technology has been around for a while but has experienced a resurgence as organizations look to unmask evasive new threats, or old threats wearing a new disguise. The traditional sandbox is resource-intensive as the code needs to fully execute before it can be analyzed. Traditional signature detection is reactive requiring knowledge of known threats to build a basis for detection.

Hackers are taking advantage of these traditional sandbox vulnerabilities and are developing malware that is capable looking like acceptable code and tricking the sandbox to gain system access. After getting by the sandbox, the malware then changes its characteristics from nice to naughty. Sandboxes must be able to subtly monitor activity to protect against this latest generation of threats.

Most traditional sandboxes cannot scale to process a large number of files quickly or cope with high levels of network traffic.  As a result the network is slow, causing business disruption or creating a scenario where a decision is made to bypass the sandbox to speed up traffic. Finally, the sandbox is of little use to your organization if it does not interface well with your existing technologies.

As cybercriminals uncover the sandbox methods of security detection, they invest more in security evasion. The following are the most common ways that hackers will use to get around the traditional sandbox today.

Common Sandbox Evasion Techniques

  • Logic Bombs: The malicious part of the code remains hidden until a specified time.

  • Rootkit and BootKit: Advanced malware contains a rootkit component that subverts the operation system with kernel level code to take full control of the system.

  • Sandbox Detection: APT code may contain routines that try to find out if it’s running in a virtual environment or may check for the fingerprints of a vendor's sandbox.

  • Botnet Command and Control Window: Begins with a dropper, clean code that connects to a URL or IP address that can download a file on command, hours, days or weeks later.

  • Network Fast Flux: Fast Flux or domain generation algorithm techniques that changes the URL or IP that an infection will connect to.

  • Encrypted Archives: Malware is encrypted in an archive and social engineering is used to trick a user into open the infection by entering the password.

  • Binary Packers: Cloaks malware by encrypting it in garbled portions that can’t easily be analyzed by traditional antivirus security.

  • Polymorphic Malware: Changes each time it is run, adding bits of garbage code in an effort to evade foil pattern and checksum-based inspection.

Fortinet’s FortiSandbox

Fortinet combines sandboxing technology with proactive signature detection to filter traffic before it hits the sandbox, as it’s much faster than simply sandboxing alone.  In addition, Fortinet’s patented Compact Pattern Recognition Language (CPRL) is a deep-inspection proactive signature detection technology developed through years of research by FortiGuard Labs. A single CPRL signature can catch 50,000 or more disguises a piece of malware can be wrapped in. Combined with sandboxing, CPRL proactive signature detection helps cast a wider net over the attacks and methods of modern Advanced Persistent Threats (APT) and Advanced Evasion Techniques (AET).

Sandbox Expertise

Threat detection comes down to inspecting as many layers as possible through all potential angles of attack. To provide adequate protection against APTs, a sandbox must easily integrate with the other components of your security environment. The best approach is a combination of gateway-based and sandbox inspection. Used properly, the sandbox is a learning device, ultimately tied into gateway security to quickly identify new threat activity and facilitate incident response.

Resilient Intelligent Networks is an experienced systems integrator who partners with top tier technologies, like Fortinet. Our team of experts has the experience to uncover your organization's needs, choose and implement technologies, and stay on top of advanced persistent threats with robust cyber security solutions.

Sandboxing has proven to be a powerful tool for advanced threat protection. However there are many things to consider when choosing and implementing the best sandbox solution for your business. Check out this infographic and learn more about how to choose the right Sandbox Solution for your organization>>

Infographic: Choosing the Right Sandbox Solution for your organization




Recent Posts

Posts by Topic

see all

Subscribe to Blog