Etay Maor is Senior Director, Security Strategy for Cato Networks, a developer of advanced cloud-native cybersecurity technologies.
Legacy antimalware technologies rely on malware signatures and known threat indicators to detect a malware attack. Today, the cybercrime landscape is rife with sophisticated expertise and vast resources. Even the most robust threat intelligence feeds cannot keep up with the pace at which attack tactics evolve.
Many hail sandboxing as the best way to detect hidden and previously unknown threats in file attachments and web links. Businesses consider it an essential component of their security stacks. But is it actually indispensable, especially in a secure access service edge (SASE) architecture? Is it truly adept at preventing zero-day exploits and stealth attacks? And is it in line with the lean and agile enterprises of today?
Sandboxing is pretty much like opening a suspicious-looking package in an isolated, safe room just to be sure it doesn’t explode and cause damage. It’s not practical to assume employees won’t open any unknown email attachments or web links.
A sandbox is a fully isolated virtual environment that sits at a control point between the internet and the enterprise network and endpoints. Files and programs that enterprise users download from the internet are first executed (detonated) in the sandbox and observed. If a file turns out to be malicious (i.e., it shows suspicious behavior such as attempting to escalate privileges on the device or connecting to an unknown remote server), it remains confined to the isolated environment. It never reaches the user's endpoint, let alone critical IT systems.
Below we outline three areas where sandboxing can fall short.
1. Protection Without Disruption
The concept of sandboxing seems simple enough (and effective), but it’s barely keeping up with lean and nimble digital enterprises. Organizations need “protection without disruption,” something sandboxing is unable to provide because it’s complex and resource-intensive.
Detonating a file and waiting for a verdict takes minutes, and interpreting the resulting behavior report requires malware-analysis and operating-system expertise on the part of security analysts. Modern enterprises can't afford that kind of delay, and the required expertise is already scarce, thanks to the burgeoning cybersecurity skills shortage.
2. Consistent Prevention
Sandboxes don't always work. Sophisticated attacks are known to detect and evade sandboxing, and even older, well-known malware families have reemerged with variants that circumvent it. For instance, a variant of the Emotet malware disguises its true file type behind a .doc extension. A sandbox that picks the application in which to detonate a sample from the extension rather than from the file's actual content doesn't treat it as an executable: it opens the file in Word, where nothing malicious happens, and the sample is cleared.
Modern malware also analyzes the hardware, installed applications, network connectivity, patterns of mouse clicks and open and saved files to gauge if it’s in a sandbox environment. The malware will delay execution if it detects a sandbox. Result? Security analysts won’t find any malicious file behavior and will deem the malware-laden files safe.
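The environment checks just described, as an added example that is not code from the article or from any real malware family. The profile fields, thresholds and process names are assumptions chosen to mirror widely reported loader heuristics; the two host profiles are constructed. Running the same checks against your own sandbox image shows which signals give it away.

```python
"""Sandbox fingerprinting scored against a constructed host profile.

Added example, not code from the original article. Thresholds and the
process-name list are assumptions that mirror common loader heuristics.
"""
from dataclasses import dataclass


@dataclass
class HostProfile:
    cpu_count: int
    ram_gb: float
    disk_gb: float
    uptime_minutes: float
    recent_documents: int          # entries in the user's recent-files list
    mouse_moves_last_minute: int   # observed cursor movement
    process_names: tuple           # running process names


# Hypervisor agents and analysis tools whose presence a sample treats as a tell.
ANALYSIS_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe",
                      "wireshark.exe", "x64dbg.exe"}


def sandbox_indicators(p: HostProfile) -> list:
    """Return the tells found; each is a cheap check a loader can run
    before doing anything a behavioral monitor would record."""
    hits = []
    if p.cpu_count < 2:
        hits.append("fewer than 2 CPUs")
    if p.ram_gb < 4:
        hits.append("less than 4 GB RAM")
    if p.disk_gb < 60:
        hits.append("small system disk")
    if p.uptime_minutes < 10:
        hits.append("machine booted minutes ago")
    if p.recent_documents < 5:
        hits.append("no history of user documents")
    if p.mouse_moves_last_minute == 0:
        hits.append("no mouse activity")
    found = ANALYSIS_PROCESSES & {n.lower() for n in p.process_names}
    if found:
        hits.append("analysis tools running: " + ", ".join(sorted(found)))
    return hits


def would_detonate(p: HostProfile, max_tells: int = 1) -> bool:
    """A sample runs its payload only when the host looks real enough.
    In a sandbox it stays dormant, the report is empty, and the file is cleared."""
    return len(sandbox_indicators(p)) <= max_tells


def outlasts_analysis(sleep_seconds: float, analysis_window_seconds: float) -> bool:
    """Time-based evasion: sleeping past the observation window has the same effect."""
    return sleep_seconds > analysis_window_seconds


# Constructed profiles: a default analysis VM and one dressed up as a workstation.
STOCK_SANDBOX = HostProfile(cpu_count=1, ram_gb=2, disk_gb=40, uptime_minutes=3,
                            recent_documents=0, mouse_moves_last_minute=0,
                            process_names=("explorer.exe", "vboxservice.exe", "procmon.exe"))

HARDENED_SANDBOX = HostProfile(cpu_count=4, ram_gb=8, disk_gb=256, uptime_minutes=4300,
                               recent_documents=40, mouse_moves_last_minute=15,
                               process_names=("explorer.exe", "outlook.exe", "teams.exe"))

if __name__ == "__main__":
    for name, prof in (("stock", STOCK_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(name, sandbox_indicators(prof), "detonates:", would_detonate(prof))
```

Read the other way, the indicator list is the checklist for whoever runs the sandbox: give the VM more than one vCPU and several gigabytes of RAM, let it accrue uptime and a recent-documents history, simulate cursor movement, rename or hide hypervisor agents, and either lengthen the analysis window or hook sleep calls so a stalling sample cannot simply wait the sandbox out.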
3. Social Engineering
Sandboxes are typically useless against phishing attacks that involve files with no apparent malicious behavior. For instance, a simple PDF file may contain a link to a phishing site or a fake sign-in form. A sandbox will not flag the file because it doesn’t exhibit any malicious activity, and sandboxing doesn’t address malicious intent.
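Both shortcomings above, the executable hiding behind a .doc extension and the PDF whose only payload is a link, are things static content inspection can surface without detonating anything: the first by reading the file's leading bytes instead of trusting the extension, the second by pulling the link target out of the PDF so it can be checked against URL reputation or a phishing feed. The following is an added example, not code from the original article or from Cato; the signature table, extension map and three sample files are constructed for the demo, and the PDF parsing is a deliberately simple regex over raw bytes.

```python
"""Content-based file triage: true type from magic bytes, not the extension;
for PDFs, link targets and active-content markers extracted statically.

Added example, not code from the original article. Signature table,
extension map and sample files are constructed for the demo.
"""
import os
import re

# Leading bytes that identify common container formats.
MAGIC = [
    (b"MZ", "exe"),                                # Windows PE: .exe, .dll, .scr ...
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE2 compound file)
    (b"PK\x03\x04", "zip"),                        # ZIP, including OOXML .docx/.xlsx
    (b"\x7fELF", "elf"),
]

# True types that may legitimately carry each extension.
EXPECTED = {
    ".doc": {"ole"}, ".xls": {"ole"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pdf": {"pdf"},
    ".exe": {"exe"}, ".dll": {"exe"},
}

# PDF name objects that make the reader act on its own when the file opens.
ACTIVE_PDF = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def true_type(data: bytes) -> str:
    """Classify by leading bytes; 'unknown' if no signature matches."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """True if the content contradicts the extension, False if it agrees,
    None if the extension is not in the table (no opinion)."""
    expected = EXPECTED.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return None
    return true_type(data) not in expected


def pdf_inspect(data: bytes) -> dict:
    """Collect /URI targets and active-content keys. A regex over raw bytes is
    enough for the demo; real PDFs may compress or obfuscate object streams."""
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)\)", data, re.S)]
    active = [k.decode() for k in ACTIVE_PDF if k in data]
    return {"uris": uris, "active_content": active}


def triage(filename: str, data: bytes) -> dict:
    """Static facts about one file: what it really is, whether the extension
    lies, and what a PDF would link to or do if a user opened it."""
    ttype = true_type(data)
    result = {"file": filename, "true_type": ttype,
              "extension_mismatch": extension_mismatch(filename, data),
              "uris": [], "active_content": []}
    if ttype == "pdf":
        result.update(pdf_inspect(data))
    return result


# Constructed samples (not real malware).
SAMPLES = {
    # Executable shipped with a document extension: the trick described above.
    "invoice.doc": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    # Genuine OOXML document: ZIP container, extension agrees.
    "report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 58,
    # Harmless-looking PDF whose only payload is a link to a credential-harvesting page.
    "statement.pdf": (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"3 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (http://login-portal.example/verify) >> >> endobj\n"
        b"%%EOF\n"
    ),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

A mismatch between extension and content is not proof of malice, but it is exactly the signal a behavioral sandbox misses when it chooses Word for a .doc file; and the extracted URI is the artifact a sandbox never judges, since following a link to a fake sign-in form exhibits no "malicious behavior" on the host.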
To offer better protection, next-generation sandboxes have also emerged, sometimes even as a part of a SASE model. However, they just add to the speed and complexity barriers of legacy sandboxes. For most organizations, the cost/benefit ratio is simply not worth it.
The Essentials Of Persistent And Timeless Security
Organizations need to shift their perspective when it comes to security controls and approaches. Instead of looking for sandboxing specifically, they should evaluate security controls on their ability to consistently prevent zero-day threats in real time. Organizations should focus less on what a security technique does and more on how it does it.
Modern security controls should use machine learning (ML) and artificial intelligence (AI) to analyze and detect malicious files based on their structural attributes. They should gain and use full traffic visibility at line rate, including inside encrypted traffic (which in practice means TLS inspection at the control point). That way, files are analyzed based on their content and not just by common file extensions like .pdf, .jpeg, etc. Such security controls are also effective against polymorphic malware that continuously changes its features to avoid signature-based inspection engines.
And despite all these capabilities, the need for a detection and response strategy doesn’t diminish. Organizations need continuous monitoring across inbound and outbound network traffic and AI-based anomaly detection to discover and mitigate live threats within the network.
Such context-aware antimalware and AI-based anomaly detection capabilities are typically built into cloud-delivered SASE architectures, which converge file analysis with ML- and AI-based anomaly detection in one place. Adding a sandbox on top is unnecessary and excessive.
Is This The End Of Sandboxing?
No, not really. Sandboxing can be a great tool for analyzing malware once it’s detected through other techniques. Organizations using sandboxes should consider them just one part of a modern defense-in-depth and multi-tiered security model. For preventing and detecting sophisticated zero-day and stealth attacks, they’re better off adopting a real-time approach that suits today’s leaner and nimbler enterprise models.