Sandboxing technology for malware protection

One of the defining properties of modern targeted attacks is their ability to get into the victim's IT infrastructure without being noticed by security systems. Advanced malware uses evasion techniques that let it slip past signature-based controls. In such cases dynamic analysis, performed in a specially prepared environment, a sandbox, can help. Sandbox technologies are at the heart of Trend Micro's Connected Threat Defense concept. In this post we will talk about how sandboxing is used in Trend Micro solutions.

About sandboxes

Sandboxing is among the most effective mechanisms for defending against targeted attacks and attacks that exploit zero-day vulnerabilities. The principle is simple: suspicious software is launched in an environment prepared specifically for it and isolated from the rest of the infrastructure. Known, unambiguously malicious code never reaches the sandbox, because it is blocked earlier, at the firewall or by signature analysis. But when those tools do not have enough data to make a decision, the file is sent to the sandbox.

Executing the scanned object in an isolated virtual machine, while emulating user interaction, makes it possible to trace in detail what the potentially unsafe software actually does and to decide whether the object can be returned to the user to run on a workstation.

Integrating sandbox analysis with signature analysis and other verification methods in standard security products improves the rate at which potential threats are identified and strengthens protection against targeted attacks.

Local sandboxes

Local sandboxes are included in many antivirus products. They implement isolation through partial virtualization of the file system and registry: instead of creating a separate virtual machine for each scanned process, the local sandbox gives the process copy-on-write duplicates of the file system and registry objects it touches. The result is an isolated environment on the user's own computer. If the process modifies files or writes to the registry, only the copies inside the sandbox change; the real objects are not affected. Isolation from the host system is enforced through access-rights control.

The advantage of this approach is its relative ease of implementation and low consumption of system resources. Among the disadvantages are the need to clean up the virtualization container before every scanned file, and the existence of known bypasses of such implementations that allow malicious code to "escape" to the host system and act without restriction.
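To make the copy-on-write mechanism concrete, here is a toy overlay in Python written for this post (an added example, not Trend Micro code or any product's implementation). The "sample" is just a function calling the overlay API; a real local sandbox enforces the redirection with file system and registry hooks, which is exactly where the escapes mentioned above live. The `report.docx`, `backup.bak` and Run-key names are constructed.

```python
"""Toy copy-on-write overlay in the spirit of a local (in-process) sandbox.
Constructed example, not Trend Micro code. The sample calls the overlay API
voluntarily; a real product hooks file and registry access instead."""
import shutil
import tempfile
from pathlib import Path


class ShadowOverlay:
    """Reads fall through to the real object until the sample writes to it;
    from then on the sample only sees its own shadow copy."""

    def __init__(self, real_root: Path, real_registry: dict) -> None:
        self.real_root = Path(real_root)
        self.real_registry = real_registry          # dict standing in for the registry
        self.shadow_root = Path(tempfile.mkdtemp(prefix="shadow-"))
        self.shadow_registry: dict = {}
        self.deleted: set[str] = set()              # tombstones for "deleted" files

    def read_file(self, rel: str) -> bytes:
        if rel in self.deleted:
            raise FileNotFoundError(rel)
        shadow = self.shadow_root / rel
        if shadow.exists():
            return shadow.read_bytes()
        return (self.real_root / rel).read_bytes()

    def write_file(self, rel: str, data: bytes) -> None:
        shadow = self.shadow_root / rel
        shadow.parent.mkdir(parents=True, exist_ok=True)
        shadow.write_bytes(data)                    # the real file is never opened for write
        self.deleted.discard(rel)

    def delete_file(self, rel: str) -> None:
        shadow = self.shadow_root / rel
        if shadow.exists():
            shadow.unlink()
        self.deleted.add(rel)                       # tombstone, not a real unlink

    def read_key(self, key: str):
        return self.shadow_registry.get(key, self.real_registry.get(key))

    def write_key(self, key: str, value) -> None:
        self.shadow_registry[key] = value

    def changes(self) -> dict:
        """The behavioural evidence the sandbox hands to the verdict engine."""
        written = sorted(p.relative_to(self.shadow_root).as_posix()
                         for p in self.shadow_root.rglob("*") if p.is_file())
        return {"files_written": written,
                "files_deleted": sorted(self.deleted),
                "keys_written": dict(self.shadow_registry)}

    def reset(self) -> None:
        """Discard the container so the next sample starts from a clean state."""
        shutil.rmtree(self.shadow_root, ignore_errors=True)
        self.shadow_root = Path(tempfile.mkdtemp(prefix="shadow-"))
        self.shadow_registry.clear()
        self.deleted.clear()


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   # constructed key name


def fake_sample(box: ShadowOverlay) -> None:
    """Constructed 'malware': overwrites a document, drops a note, removes a
    backup and registers itself for persistence."""
    doc = box.read_file("report.docx")
    box.write_file("report.docx", b"ENCRYPTED:" + doc[::-1])
    box.write_file("README_RESTORE.txt", b"pay up")
    box.delete_file("backup.bak")
    box.write_key(RUN_KEY, {"Updater": r"C:\Users\Public\svc.exe"})


def detonate() -> dict:
    """Run the constructed sample under the overlay and report what happened."""
    real_root = Path(tempfile.mkdtemp(prefix="real-"))
    (real_root / "report.docx").write_bytes(b"quarterly numbers")
    (real_root / "backup.bak").write_bytes(b"old copy")
    real_registry = {RUN_KEY: {}}
    box = ShadowOverlay(real_root, real_registry)
    try:
        fake_sample(box)
        evidence = box.changes()
        sample_view = box.read_file("report.docx")      # what the sample believes it did
        real_untouched = ((real_root / "report.docx").read_bytes() == b"quarterly numbers"
                          and (real_root / "backup.bak").exists()
                          and real_registry == {RUN_KEY: {}})
        return {"evidence": evidence, "sample_view": sample_view,
                "real_untouched": real_untouched}
    finally:
        box.reset()                                     # per-sample cleanup cost
        shutil.rmtree(box.shadow_root, ignore_errors=True)
        shutil.rmtree(real_root, ignore_errors=True)


if __name__ == "__main__":
    print(detonate())
```

Calling `detonate()` returns the evidence the overlay collected together with a flag confirming that the real files and the registry stand-in are untouched; the explicit `reset()` in the `finally` block is the per-sample cleanup cost the paragraph refers to.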

A more secure version of the local sandbox creates a separate virtual machine that copies the working environment. But the resource cost of this option is unacceptably high on a workstation, so network sandboxes are used instead, located either on a dedicated server inside the company's network (on-premises) or in the cloud of the security vendor.

Networked sandboxes – cloud and on-premise

Network sandboxes have fewer restrictions than local ones: they do not degrade the performance of the user's computer, and they allow a potential threat to be checked on several operating systems. Even a successful escape from such a sandbox does not reach the user's workstation, since the analysis host is completely separate from it (the analysis network still has to be segmented so that an escaped sample cannot reach production systems). If necessary, such sandboxes can emulate an Internet connection and work with removable media.

When working with a network sandbox, an agent is installed on users' computers: a service that sends suspect files to the sandbox. Transferring files to the cloud for analysis takes longer than talking to an on-premises server inside the company's network. Together with the duration of the analysis itself, the wait for a result can run to several minutes, during which the application launch is "paused" until permission arrives from the sandbox. For this reason sandbox vendors specify the maximum latency in the SLA.
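The agent-side "pause until verdict" window, as an added example (not Trend Micro's agent or API): a gate that holds a launch within a latency budget, caches verdicts by SHA-256 so a file seen once never makes a second user wait, and applies an explicit fail-closed or fail-open policy when the budget runs out. The sandbox API is a stand-in callable, the 300-second budget is an assumed SLA figure, and the clock is faked so the example runs instantly.

```python
"""Agent-side policy for holding an application launch until the sandbox
verdict arrives. Constructed example, not Trend Micro code; poll() is a
stand-in for a vendor API and 300 s is an assumed SLA, not a vendor figure."""
import hashlib
import time
from typing import Callable, Optional

Verdict = str   # "clean" | "malicious" from the sandbox; local fallbacks below


class LaunchGate:
    def __init__(self, poll: Callable[[str], Optional[Verdict]],
                 budget_s: float = 300.0, poll_interval_s: float = 5.0,
                 fail_closed: bool = True,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.poll = poll
        self.budget_s = budget_s
        self.poll_interval_s = poll_interval_s
        self.fail_closed = fail_closed
        self.clock = clock
        self.sleep = sleep
        self.cache: dict[str, Verdict] = {}     # sha256 -> verdict; repeats never wait

    def decide(self, file_bytes: bytes) -> str:
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest in self.cache:
            return self.cache[digest]
        deadline = self.clock() + self.budget_s
        while True:
            verdict = self.poll(digest)
            if verdict in ("clean", "malicious"):
                self.cache[digest] = verdict
                return verdict
            if self.clock() >= deadline:
                break
            self.sleep(self.poll_interval_s)
        # SLA exceeded: the local policy, not the sandbox, makes the call.
        return "blocked_timeout" if self.fail_closed else "allowed_timeout"


class FakeClock:
    """Deterministic clock so the example does not really sleep."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def make_sandbox(answer: Optional[Verdict], ready_after_polls: int):
    """Constructed sandbox stub: None for the first N polls, then `answer`."""
    calls = {"n": 0}

    def poll(_digest: str) -> Optional[Verdict]:
        calls["n"] += 1
        return answer if calls["n"] > ready_after_polls else None

    return poll, calls


def demo() -> dict:
    sample = b"MZ...constructed dropper bytes"          # constructed input
    clock = FakeClock()
    poll, calls = make_sandbox("malicious", ready_after_polls=3)
    gate = LaunchGate(poll, clock=clock, sleep=clock.sleep)
    t0 = clock.now
    first = gate.decide(sample)                         # waits through 3 empty polls
    held_for_s = clock.now - t0
    polls_first = calls["n"]
    second = gate.decide(sample)                        # cache hit: no polling at all
    never, _ = make_sandbox(None, ready_after_polls=10**9)
    closed = LaunchGate(never, clock=clock, sleep=clock.sleep).decide(b"other")
    opened = LaunchGate(never, fail_closed=False, clock=clock,
                        sleep=clock.sleep).decide(b"other")
    return {"first": first, "held_for_s": held_for_s, "polls_first": polls_first,
            "second": second, "polls_second": calls["n"],
            "timeout_closed": closed, "timeout_open": opened}


if __name__ == "__main__":
    print(demo())
```

Fail-closed is the safer default for an executable launch; fail-open only makes sense where blocking on a timeout costs more than the risk, and even then the sample should stay queued so a late "malicious" verdict can trigger retrospective response.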

Targeted malware typically checks the environment in which it is running. Even when it contains no explicit sandbox check, an environment mismatch can mean the payload is never triggered during analysis, and the file is judged harmless. To avoid this, the environment the sandbox emulates must match the real users' workstations as closely as possible.

In the case of cloud sandboxes such a match is harder to achieve, whereas uploading a workstation image to an on-premises server is straightforward. The main thing is that the chosen version of the sandbox server supports custom images.

In other words, to bring the virtual machines inside the sandbox as close as possible to the production environment, you need to be able to fine-tune their content: change OS settings, edit the list of installed languages and peripheral device drivers, install additional or non-standard software, and even manage the contents of the desktop, because all of this and much more can be used by attackers as a condition for running or not running the malicious instructions.

Standardized images used to deploy virtual machines inside sandboxes are easy for malware to fingerprint, which lets it trigger its sandbox-evasion logic and stay dormant during analysis.
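The following script, added here as an example (not Trend Micro code), shows the kind of environment checks an evasive sample runs and that a stock image fails; run it inside the analysis VM and fix whatever it flags before uploading the image. The thresholds, word lists and the two constructed fact sets are illustrative assumptions; the MAC OUI prefixes are the publicly registered hypervisor ranges.

```python
"""Environment fingerprinting of the kind evasive samples perform, turned
around for the defender who is tuning a sandbox image. Constructed example,
not Trend Micro code; thresholds and word lists are illustrative assumptions."""
import getpass
import os
import platform
import socket
import uuid
from pathlib import Path

# OUI prefixes registered to common hypervisor vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
SUSPECT_HOST_WORDS = ("sandbox", "analysis", "malware", "virus", "cuckoo", "vm-")
GENERIC_USERS = {"admin", "administrator", "user", "test", "sandbox", "john", "analyst"}


def collect_facts() -> dict:
    """What a sample can learn about this host with the standard library only."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    ram = uptime = None
    try:
        ram = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")   # POSIX only
    except (AttributeError, ValueError, OSError):
        pass
    try:
        with open("/proc/uptime") as fh:                                 # Linux only
            uptime = float(fh.read().split()[0])
    except (OSError, ValueError):
        pass
    try:
        user = getpass.getuser()
    except Exception:
        user = ""
    try:
        home_entries = sum(1 for _ in Path.home().iterdir())
    except OSError:
        home_entries = 0
    return {"cpu_count": os.cpu_count() or 0, "ram_bytes": ram, "uptime_s": uptime,
            "mac": mac, "hostname": socket.gethostname(), "username": user,
            "home_entries": home_entries, "os": platform.platform()}


def sandbox_indicators(facts: dict) -> list[str]:
    """The human-readable tells a sample would treat as 'not a real desktop'."""
    hits = []
    if facts.get("cpu_count", 0) < 2:
        hits.append("single vCPU")
    ram = facts.get("ram_bytes")
    if ram is not None and ram < 4 * 2**30:
        hits.append("under 4 GiB RAM")
    up = facts.get("uptime_s")
    if up is not None and up < 10 * 60:
        hits.append("booted under 10 minutes ago")
    oui = facts.get("mac", "")[:8].lower()
    if oui in VM_MAC_OUIS:
        hits.append(f"MAC OUI belongs to {VM_MAC_OUIS[oui]}")
    host = facts.get("hostname", "").lower()
    if any(w in host for w in SUSPECT_HOST_WORDS):
        hits.append(f"hostname looks like an analysis box: {facts['hostname']}")
    if facts.get("username", "").lower() in GENERIC_USERS:
        hits.append(f"generic username: {facts['username']}")
    if facts.get("home_entries", 0) < 5:
        hits.append("nearly empty home directory")
    return hits


def would_detonate(facts: dict, max_tells: int = 1) -> bool:
    """Model of an evasive sample's decision: tolerate at most `max_tells`."""
    return len(sandbox_indicators(facts)) <= max_tells


# Constructed fact sets: a stock analysis VM versus a lived-in corporate laptop.
STOCK_VM = {"cpu_count": 1, "ram_bytes": 2 * 2**30, "uptime_s": 90.0,
            "mac": "08:00:27:12:34:56", "hostname": "SANDBOX-01",
            "username": "admin", "home_entries": 2}
DESKTOP = {"cpu_count": 8, "ram_bytes": 16 * 2**30, "uptime_s": 5 * 86400.0,
           "mac": "3c:22:fb:aa:bb:cc", "hostname": "FIN-LAPTOP-042",
           "username": "m.petrova", "home_entries": 40}

if __name__ == "__main__":
    for name, facts in (("this host", collect_facts()), ("STOCK_VM", STOCK_VM),
                        ("DESKTOP", DESKTOP)):
        print(name, "detonates:", would_detonate(facts), sandbox_indicators(facts))
```

Every indicator here is something a custom image can fix: give the VM two or more vCPUs and realistic RAM, let it run for a while before detonation, randomize the MAC outside the hypervisor OUIs, and populate the hostname, user account and home directory the way a real employee's machine looks.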

Trend Micro sandboxes support loading customized VM images, which in practice has proved more effective at detecting malware than vendor sandboxes that analyze on standardized VM images.

To get the most out of sandboxing, the on-premises option should be preferred today. None of the cloud sandbox implementations known to us, from any vendor, support customized virtual machine images that accurately reflect a particular customer's infrastructure as the test environment.

Cloud sandboxes can be considered as a more affordable alternative, or where the company's infrastructure is geographically distributed. In that case the cost of providing the network routing needed to reach an on-premises server may outweigh the advantage of on-premises over cloud sandboxing.

Criteria for choosing a sandbox provider

Choose a vendor that keeps up with the latest tactics attackers use to bypass the security solutions the company relies on. Several factors play an important role here:

  1. the vendor's specialization: are information security products its core business, or a related or auxiliary line of development;

  2. the vendor's history: how often the owners of the business change, and with them the priorities and direction of the product line;

  3. market presence: the wider it is, the larger the base of malicious objects and behavior patterns on which the machine learning, behavioral analysis and other detection and response models are built and refined;

  4. quick access to the most advanced information about identified vulnerabilities in operating systems and software: the sooner a security vendor obtains such information, from its own research or from independent researchers and private cyber defense specialists, the faster countermeasures can be developed and deployed to block exploitation of the newest vulnerabilities, even before a patch from the OS or software vendor has been released.

Trend Micro's vision

An example of a concrete implementation of the approach described is the Trend Micro Deep Discovery Analyzer. It is a scalable hardware sandbox server that can load various images of your company's environment into its virtual machines. It integrates fully with our email and web security solutions, and it also lets third-party products submit samples for analysis through its Web Services API.

It can analyze executable files, web content and potentially harmful office documents, detects malicious URLs, and accepts samples for analysis via the API or manually. Deep Discovery Analyzer receives up-to-date information from our global threat intelligence system, so it stays current with the latest developments among cybercriminals.

The volume of data in the world grows year over year, so the main vectors for the development of sandbox technology are higher throughput, a longer list of analyzable object types, and new models for detecting potential threats.

Looking ahead, the most obvious scenario we see is extending the list of supported operating systems as analysis environments, along with functionality that lets sandboxing be built into existing customer ecosystems with minimal changes to the established IT infrastructure.
