Looking beyond the Sandbox: Adapting to a New Enterprise Cyber Security Posture
Data breaches and ransomware attacks are growing in frequency and severity.
A recent Sophos study, that included 5400 IT decision makers from 30 countries, confirmed that 37% percent of the respondents were hit by a ransomware attack in the last year.
Sandboxes are a key component in an organization’s security suite to fight such attacks and with the global sandbox security market valued at over $4.5 billion, most major organizations are using sandbox solutions. However, as these reports indicate, even organizations with reputable, high-quality sandbox solutions find themselves victimized by cyberattacks.
Throughout the last decade, gateway sandbox solutions have grown from a relatively obscure technology to become an integral part of the enterprise-level organization’s security stack. These solutions have evolved from relatively simple operating system emulations to fully functional copies of entire hardware systems. With each step, sandboxes became more effective at mitigating a broad range of threats, which is why standalone sandboxes and solutions that use sandboxes (such as email security solutions) have become a key component of a CISOs security suite.However, this commonly used solution has some serious limitations in today’s cybersecurity environment. This is how the Sandbox works The sandbox is a safe, closely monitored virtualized environment, designed to scan suspicious files for malicious behavior. Sandboxes try to trick malware into thinking it’s running on a real machine. This will often trigger the malware to perform its malicious activity and reveal itself. A typical sandbox use-case scenario runs something like this:
A human resources employee at a major energy utilities company receives a job application with a resume attached. The attachment is a PDF from an untrusted source, so it must pass sandbox verification. Before the email arrives at the employee's mailbox, the sandbox opens it in a virtualized container and starts scanning for unusual behaviors. The sandbox solution detects that a hidden script inside the PDF secretly installs a keylogger on the user’s computer. The sandbox rejects the attachment, warns the employee, and alerts the company’s security operations team. The entire process took a few minutes.
This approach has been shown to yield more accurate results than other detection-based solutions, but introduces serious limitations in practice.
The Inherent Limitations of Sandbox Security
Latency Impacts Usability Sandbox analysis works by allowing incoming files to run freely in a safe, virtualized environment for a short time. Usually, this period of time is capped at a few minutes. If the sandbox cannot scan the file within a few minutes, it will automatically approve the file and pass it on.
Unfortunately, security leaders cannot simply configure their sandbox to take as much time as it needs. Cybersecurity policies cannot force users to wait five, ten, or fifteen minutes for a file to pass, forcing organizations to reduce security standards. Typical latency of 1-3 minutes which is considered reasonable for sandbox processing still presents a major productivity bottleneck.
Sandboxes Do Not Scale Well Sandbox technology is expensive in terms of computing resources. High-performance full system emulation cannot run on a small endpoint device. It requires a purpose-built system that looks and feels like a real enterprise production environment.
This presents serious obstacles to scaling sandbox solutions for enterprise-level organizations, as each sandbox can only process a small fraction of the traffic of an enterprise (up to 100 files in parallel, ~3000 files per hour).
Buying more sandboxes does not solve the problem, given the hardware costs and latency issues associated with each sandbox.
Even cloud-based SaaS sandbox solutions become prohibitively expensive as they scale to meet the needs of large enterprises, government agencies, and public institutions. Deploying new sandboxes doesn’t provide the economy of scale that enterprises need.
Four Ways Cybercriminals Bypass Gateway Sandbox Solutions
Cybercriminals know how sandboxes work, and have designed malware with sandbox gateway solutions in mind. My team and I have identified four of the most common methods cybercriminals use to defeat sandboxes today.
- Attaching Malware to Large Files
Most sandboxes feature a built-in file size limit. The popular solutions have an upper limit of between 30 MB and 150 MB. This leaves most videos, installer packages, and image-heavy presentation files firmly outside the sandbox’s jurisdiction. Some sandbox solutions will simply let large files pass through unchallenged. Security leaders may not even be aware that large files are completely unsecured. Unless the organization’s cybersecurity policy deploys a specific solution for handling large files, this vulnerability may go completely under the radar until it’s too late. Even if sandboxes could scan large files, the processing time required for such files will likely lead to the files being approved automatically, despite the scan being incomplete. This is a serious vulnerability for enterprise-level organizations.
- Deploying CAPTCHA-style Prompts
Sandbox solutions cannot interact with their target in a meaningful way. Even the latest, most sophisticated solutions cannot do much more than randomly clicking on various screen elements, hoping to pass as a human. Some sandboxes can even search for predefined phrases like “OK” or “Continue”, but this is nowhere near the interactive capacity of a human user.
Cybercriminals who embed a simple CAPTCHA-style challange into their malicious files can effectively fool sandbox solutions into letting them pass. These solutions work for the same reason standard CAPTCHA prompts work – there are certain tasks that automated solutions can’t do as well as human beings. Since it’s typical for sandbox solutions to automatically approve files that take too long to verify, the CAPTCHA prompt workaround is effective. The sandbox will not be able to progress beyond the CAPTCHA challenge for a few minutes before giving up and letting the malicious package through.
It’s very easy for cybercriminals to add these prompts to office productivity documents. The prompts may mirror proper application functionality in what may appear to a human eye to be a normal way. For example, current sandbox technology cannot tell the difference between a harmless VBA InputBox function in Microsoft Excel and one that will deploy malicious code when a user clicks on it.
- Active Sandbox Detection Scripts
Sandbox detection methods like those demonstrated by the open-source project Pafish can effectively detect whether they are being run on an emulation or a live production environment. There are many methods that identify the tell-tale features of a virtual environment. For example, Pafish verifies the difference between CPU timestamp counters, checks the hypervisor CPU ID for known virtualization vendors (like VMWare, Oracle, Citrix, etc.) and even counts how many physical processors its environment has.
Keep in mind, Pafish is a simple (and somewhat outdated) open-source script. It’s not nearly as advanced as what a professional cybercriminal might use to hunt a multi-million dollar ransom. Yet even Pafish can detect some of today’s most advanced sandboxes easily. Take a look for yourself:
(Each line shows a different method that Pafish uses in order to identify whether the environment it runs in is a sandbox emulation. To do this, it checks disk size, CPUID values, operating system uptime, and much more)
- Encrypted Content Gets a Free Pass
Sandboxes cannot analyze encrypted documents and archives. The most common policy for handling encrypted files is simply to let them pass unchallenged. In practice, this basically means that organizations automatically trust encrypted content regardless of its source.
The other approach is to block encrypted content entirely. High-security organizations are likely to take this route, but must accept the fact that it will interfere with employee productivity. Email encryption is already standard practice in many companies. In Japan, encrypting email attachments is a standard, universal practice. Cybercriminals were quick to catch on to this and launch massive campaigns exploiting this security hole.
Why Your Organization Needs to Take a New Approach to Gateway Security
Sandbox gateway technology has made huge strides in the cybersecurity industry, but it’s reaching the limits of its potential. As cybercriminals catch up to the vulnerabilities of sandbox architecture, it falls on security leaders at enterprise-level organizations to find new ways to protect their networks from cyberattacks.
CISOs who rely on sandbox technology need to be careful about the features and specifications of the solutions they deploy. It’s time to explore other solutions that are addressing large files, pop-up prompts, active detection scripts, encryption, latency, and scalability issues. Sandbox architecture no longer provides adequate protection from today’s threat landscape. It is time for CISOs and IT security leaders to identify more robust solutions that can deliver in real time and at scale.
Resec uses advanced detection and innovative prevention technologies to eliminate known and unknown (“Zero-Day”) file-based malware threats at the organization’s gateway. Resec’s platform is fully scalable, scans files of any size, is not prone to evasive techniques, bypasses pop-up prompts, supports encrypted documents, and is 90% faster than alternative solutions.to find out how.