The Ins and Outs of Sandboxing Technology

August 29, 2018 · Mary Chavez

It has long been a strategy to try to detect malware by monitoring suspicious behavior. However, the more sophisticated malware becomes, the harder it is to detect. That’s where sandboxing can help: sandboxing allows organizations to install and run malware in an enclosed environment – separated from the corporate environment – to reduce the risk of infected code spreading to other programs or systems. In this dedicated environment the malware can be monitored safely by the Security Operations Center (SOC), without the risk of it infecting the organization’s systems.

Sandboxing, therefore, has two benefits: first, a company’s critical infrastructure is protected from questionable code because it is run in a separate system; and second, it can help IT departments test malware in a safe environment, learn how it works within a system and in turn detect malware attacks of the same ilk faster.

Features of Effective Sandboxing Technology

There are three essential features of effective sandboxing technology. The first is the ability to see the whole program running. In order to be effective, the sandbox has to see the entirety of the execution of a program to make sure it’s safe. The second feature is the ability to avoid detection as a sandbox. If the malware can detect that it’s in a sandbox, then it can behave differently and evade detection. A sandbox will need to either use emulation or virtualization techniques to avoid detection. The third is that you’ll need the technology to be able to scale by running multiple programs fully at once.

Malware Becoming More Advanced

Simple sandboxing has been the standard for a number of years now, meaning plenty of time for malicious actors to develop workarounds. Though sandboxing on the whole is mostly effective, there are drawbacks to this technology, including the delays it creates and the likelihood that at least one malware program will identify the sandbox.

There are some strategies that malware can use to avoid detection in a sandbox. Network World lists them as stalling code, creating a “blind spot” in the implementation of the sandbox, and environmental checks.

Stalling Code

Malware that uses stalling code can delay the release of its malicious code until the sandbox has timed out. The code performs some normal task at first and waits to release the malware until the sandbox has deemed it passable.

Blind Spots

Some sandboxing systems use a system of “hooks” that intercept the calls a program makes and use them to determine if it is safe to run. Malware can pass through the sandbox by only running code between the calls that the sandbox hooks, therefore going undetected.

Environmental Checks

When using this technique, the malware checks its environment for common features, aspects, or files that could identify it as a sandbox. If it finds these predetermined features, it could shut off or change its behavior to avoid detection, thus rendering the sandbox ineffective.
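
As an added example (not from the original article), the Python below shows how a SOC analyst might triage a sandbox trace for two of the strategies above, sleep-based stalling and environmental checks, and mark the run inconclusive instead of passing it as safe. The trace format, the hooked API names and the artifact names are assumptions constructed for illustration.

```python
# Added example: trace format, hooked API names and artifact names are assumptions.
PROBE_APIS = {"registry_query", "file_exists", "process_lookup"}

# Constructed traces: (seconds since start, hooked API, argument).
SUSPECT_TRACE = [
    (0.2, "file_open", r"C:\Users\user\Documents\report.docx"),
    (0.9, "registry_query", r"HKLM\SOFTWARE\ExampleSandboxAgent"),
    (1.1, "file_exists", r"C:\analysis\agent.exe"),
    (1.5, "sleep", "120"),
    (121.6, "sleep", "170"),
]
BENIGN_TRACE = [
    (0.3, "file_open", r"C:\Users\user\Documents\report.docx"),
    (0.8, "sleep", "2"),
    (3.0, "file_write", r"C:\Users\user\Documents\report.docx"),
]
# Placeholder names for artifacts that exist only on the analysis image.
LAB_ARTIFACTS = ("ExampleSandboxAgent", "C:\\analysis\\")


def stalling_ratio(trace, window):
    """Fraction of the analysis window the sample asked to sleep."""
    slept = sum(float(arg) for _, api, arg in trace if api == "sleep")
    return min(slept / window, 1.0)


def environment_probes(trace, artifacts):
    """Existence/lookup calls whose argument names a lab-only artifact."""
    wanted = [a.lower() for a in artifacts]
    return [(t, api, arg) for t, api, arg in trace
            if api in PROBE_APIS and any(a in arg.lower() for a in wanted)]


def triage(trace, window, artifacts, stall_threshold=0.5):
    """Never report a run as clean when it shows signs of evasion."""
    ratio = stalling_ratio(trace, window)
    probes = environment_probes(trace, artifacts)
    evasive = ratio >= stall_threshold or bool(probes)
    return {
        "stalling_ratio": round(ratio, 3),
        "probes": probes,
        # Inconclusive runs should be repeated with a longer window or a
        # different image rather than passed as safe.
        "verdict": "inconclusive" if evasive else "no evasion indicators",
    }


if __name__ == "__main__":
    for name, trace in (("suspect", SUSPECT_TRACE), ("benign", BENIGN_TRACE)):
        print(name, triage(trace, 300.0, LAB_ARTIFACTS))
```

Sleep calls only reveal delay-based stalling; a sample that stalls with busy computation would not show up in this ratio.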

Sandboxing as Part of Your Security Hygiene

Though there are some ways that malware can avoid detection, sandboxing can be an effective way to protect your infrastructure from threats. It should be used, not as the only line of defense against malware, but as part of healthy security hygiene.

Mary Chavez - Director of Marketing and Partner Alliances
