Do you know what sandboxing is?

Following its official definition, “sandboxing is a software management strategy that isolates applications from critical system resources and other programs. Sandboxing helps reduce the impact that any individual program or application will have on your system.” Put another way, sandboxing in cybersecurity is the use of a physical or virtual environment in which software is run and observed so that it can be classified as “secure” or “insecure” after testing. The isolated environment (physical or virtual) is called the sandbox, and the programs executed inside it are called samples. Based on the observed behavior, samples are classified as harmless, malicious, or “needs more detailed analysis”. In many cases a machine learning (ML) or other artificial intelligence (AI) algorithm performs the classification.

Sandboxes provide ideal, isolated environments in which certain types of malware can be run under control without giving that malware the opportunity to spread. But as sandboxes became more sophisticated and evolved to defeat evasion techniques, multiple strains of malware were detected, and their authors had to change tactics to keep evading analysis.

So how do you detect malware that has evaded sandboxing?

Here are some principles you can implement to protect against malware that has evaded the sandbox.

1. Dynamically change the sleep or hibernation cycle.

A sandbox typically observes a sample for only a matter of seconds, so simply extending the observation window significantly increases the chance of catching malware that waits before acting. That approach has a cost, though, because every analysis then takes longer. Instead, have the sandbox dynamically alter its timing, manipulating the sample's sleep or hibernation cycle, to trick the malware into executing within the analysis window.
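The timing trick described above, as an added example (not redborder's code): the analysis harness hands the sample a virtual clock whose sleep() advances time immediately instead of blocking, so a sample that tries to wait out the analysis window reaches its later behaviour within the window, and every delay request is logged as a timing indicator. Real sandboxes do this by hooking the guest's sleep and tick APIs; here the "sample" is a plain Python callable that receives the clock, and the 60-second threshold is an assumption chosen for illustration.

```python
"""Sandbox-side virtual clock for delay-based evasion (added example)."""
import time

LONG_SLEEP_THRESHOLD_S = 60.0   # assumption: delay requests at or above this are suspicious


class VirtualClock:
    def __init__(self, start):
        self.now = start
        self.sleep_log = []

    def time(self):
        return self.now

    def sleep(self, seconds):
        # Record the request and advance the clock; never block the analyzer.
        # Advancing time() consistently matters: samples compare timestamps
        # before and after a delay to notice a sleep that was merely skipped.
        self.sleep_log.append(seconds)
        self.now += seconds


def run_under_virtual_clock(sample, wall_budget_s=5.0):
    """Run a sample against the virtual clock and summarise its timing behaviour."""
    clock = VirtualClock(start=time.time())
    started = time.monotonic()
    events = sample(clock)
    wall_elapsed = time.monotonic() - started
    return {
        "events": events,
        "sleep_requests": list(clock.sleep_log),
        "requested_sleep_s": sum(clock.sleep_log),
        "wall_elapsed_s": round(wall_elapsed, 3),
        "long_sleep_indicator": any(s >= LONG_SLEEP_THRESHOLD_S for s in clock.sleep_log),
        "within_budget": wall_elapsed <= wall_budget_s,
    }


def stalling_sample(clock):
    """Constructed sample: waits ten minutes, then acts only if the wait really elapsed."""
    events = ["started"]
    before = clock.time()
    clock.sleep(600)
    if clock.time() - before >= 600:
        events.append("payload-stage-reached")   # benign marker standing in for later behaviour
    else:
        events.append("sleep-skipped-detected")
    return events


def chatty_sample(clock):
    """Constructed benign sample: a few short delays, no stalling."""
    for _ in range(3):
        clock.sleep(0.5)
    return ["worked"]


if __name__ == "__main__":
    for sample in (stalling_sample, chatty_sample):
        print(sample.__name__, run_under_virtual_clock(sample))
```

The stalling sample reaches its later stage in well under a second of wall-clock time, and its 600-second request shows up as a timing indicator in the report. A sample that cross-checks an external time source would still notice the acceleration, which is why this principle is combined with the others below rather than relied on alone.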

2. Simulate human interactions.

The sandbox environment does not simulate user interaction by default, but you can add user-like interactions to better analyze the malware. Keep in mind, however, that modern malware can be smart enough to detect faked mouse clicks or movements.

3. Add real hardware and environmental artifacts.

Equip your sandbox with realistic hardware and environment details. This helps you catch malware that checks hard disk size, recent files, CPU count, operating system version, memory size, and other system and hardware characteristics before deciding whether to run.
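A small audit of the artifacts this principle is about, as an added example (not redborder's code): given a description of the analysis VM, it reports which properties still look like a bare default sandbox so the operator can fix them before running samples. The thresholds, the name tokens and both sample profiles are assumptions constructed for illustration, not values taken from any product.

```python
"""Sandbox environment realism audit (added example)."""
GIB = 1024 ** 3
# Assumed tokens that give an analysis machine away when they appear in names.
SUSPICIOUS_NAME_TOKENS = ("sandbox", "malware", "virus", "analysis", "test", "cuckoo")


def _looks_like_analysis_name(value):
    return any(tok in str(value).lower() for tok in SUSPICIOUS_NAME_TOKENS)


# (field, predicate returning True when the value looks unrealistic, advice for the operator)
REALISM_RULES = [
    ("hostname", _looks_like_analysis_name, "use an ordinary workstation hostname"),
    ("username", _looks_like_analysis_name, "use an ordinary user account name"),
    ("disk_bytes", lambda v: v < 60 * GIB, "provision a disk of at least 60 GiB"),
    ("cpu_count", lambda v: v < 2, "expose at least two CPU cores"),
    ("ram_bytes", lambda v: v < 4 * GIB, "assign at least 4 GiB of RAM"),
    ("recent_files", lambda v: len(v) < 10, "populate recent documents and browser history"),
    ("installed_programs", lambda v: len(v) < 15, "install the applications a real workstation has"),
    ("uptime_seconds", lambda v: v < 3600, "let the snapshot age past one hour of uptime"),
]


def audit_environment(profile):
    """Return one finding per failing rule; an empty list means the profile passes."""
    findings = []
    for field, is_unrealistic, advice in REALISM_RULES:
        if field not in profile:
            findings.append({"field": field, "value": None, "advice": f"not reported; {advice}"})
        elif is_unrealistic(profile[field]):
            findings.append({"field": field, "value": profile[field], "advice": advice})
    return findings


def realism_score(profile):
    """Fraction of rules the profile passes, 0.0 (bare sandbox) to 1.0 (looks like a real host)."""
    return 1.0 - len(audit_environment(profile)) / len(REALISM_RULES)


# Constructed profiles: a freshly built analysis VM and a hardened one.
DEFAULT_SANDBOX = {
    "hostname": "SANDBOX-01", "username": "malware",
    "disk_bytes": 20 * GIB, "cpu_count": 1, "ram_bytes": 2 * GIB,
    "recent_files": [], "installed_programs": ["7-Zip", "Python"], "uptime_seconds": 120,
}
HARDENED_SANDBOX = {
    "hostname": "DESKTOP-7K2P9QL", "username": "jsmith",
    "disk_bytes": 256 * GIB, "cpu_count": 4, "ram_bytes": 8 * GIB,
    "recent_files": [f"report_{i}.docx" for i in range(25)],
    "installed_programs": [f"app{i}" for i in range(20)],
    "uptime_seconds": 3 * 86400,
}

if __name__ == "__main__":
    for name, profile in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(name, realism_score(profile))
        for finding in audit_environment(profile):
            print("  ", finding["field"], "->", finding["advice"])
```

Run it against the profile your own sandbox reports; every finding is one artifact that evasive malware can use to recognise the environment, and a missing field is reported as well so the audit does not silently pass on data it never saw.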

4. Perform static analysis in addition to dynamic analysis.

Sandboxing is a form of dynamic malware analysis: it examines the behavior of malware while it runs in a secure environment. Even if malware that has recognized the sandbox performs no action at all, you can still subject the file to full static code analysis, which checks it for evasion techniques and encoded fragments of code.

5. Use fingerprint analysis.

Fingerprinting technology lets you analyze a malware file and find indicators of malicious code. Fingerprinting can also be used to detect the evasion characteristics of malware.
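Principles 4 and 5 together, as an added example (not redborder's code): a static pass over a file image that hashes it, looks for strings that evasive samples use to probe for virtual machines, debuggers and analysis timing (in ASCII and in UTF-16LE, since Windows binaries store both), measures byte entropy to flag likely packing, and derives a fingerprint from the set of evasion indicators so samples probing for the same things cluster together. The indicator lists, the entropy threshold and both sample blobs are illustrative assumptions.

```python
"""Static indicator scan and fingerprinting of a file image (added example)."""
import hashlib
import math
from collections import Counter

# Illustrative indicator strings, grouped by what an evasive sample is probing for.
INDICATORS = {
    "vm_artifact": ["VBOX", "VMware", "QEMU", "VBoxService", "vmtoolsd"],
    "anti_debug": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"],
    "timing": ["GetTickCount", "QueryPerformanceCounter", "NtDelayExecution"],
    "sandbox_product": ["sbiedll", "cuckoomon"],
}
PACKED_ENTROPY_THRESHOLD = 7.2  # assumption: bits/byte above which data looks compressed or encrypted


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_indicators(data):
    """Case-insensitive search for each indicator as ASCII and as UTF-16LE."""
    lowered = data.lower()   # lowercases ASCII bytes only, which is all the patterns use
    hits = {}
    for category, patterns in INDICATORS.items():
        found = [p for p in patterns
                 if p.lower().encode("ascii") in lowered
                 or p.lower().encode("utf-16-le") in lowered]
        if found:
            hits[category] = found
    return hits


def evasion_fingerprint(hits):
    """Stable digest of the indicator set, independent of the file's other bytes."""
    canonical = ";".join(f"{k}={','.join(v)}" for k, v in sorted(hits.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def analyze_static(data):
    hits = find_indicators(data)
    entropy = shannon_entropy(data)
    packed = entropy >= PACKED_ENTROPY_THRESHOLD
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(entropy, 3),
        "likely_packed": packed,
        "indicators": hits,
        "evasion_fingerprint": evasion_fingerprint(hits) if hits else None,
        "verdict": "needs more detailed analysis" if (hits or packed) else "no static evasion indicators",
    }


# Constructed stand-ins for file images: ordinary text, and a blob carrying evasion
# strings (ASCII and UTF-16LE) followed by a high-entropy region like a packed section.
BENIGN_BLOB = b"This is an ordinary document about quarterly planning.\n" * 20
EVASIVE_BLOB = (
    b"MZ\x90\x00kernel32.dll\0IsDebuggerPresent\0GetTickCount\0"
    + "VMware".encode("utf-16-le") + b"\0\0SbieDll.dll\0"
    + bytes(range(256)) * 64
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("evasive", EVASIVE_BLOB)):
        print(label, analyze_static(blob))
```

The UTF-16LE check is the part most string scanners forget: a sample that stores "VMware" as a wide string matches none of the ASCII patterns, yet it is exactly the kind of sample that never misbehaves inside the sandbox. The fingerprint is deliberately computed from the indicator set rather than the whole file, so two builds of the same evasive family that differ in padding or packing still share it.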

6. Use behavior-based analysis.

Behavior-based analysis offers features designed to detect and combat evasion techniques. During this analysis the sandbox interacts with the malware itself to discover possible execution paths, and it emulates process interactions so that it looks like an ordinary host computer. Once an evasion technique is detected, the sandbox counteracts it and continues analyzing the malicious code.

7. Customize your sandboxing.

By adding other innovative malware detection features to your sandbox, you can significantly improve its effectiveness. For example, you can use a multi-sandbox matrix of different environments together with iterative analysis. It is also effective to check for malware communications that bypass the machine's API layer. In addition, you can add a feature to your sandbox that looks for and checks traces of malicious code at runtime.

8. Add kernel analysis.

Most sandbox solutions operate in user mode, but some types of malware are designed to inject malicious code into kernel space (rootkits or drivers) and thus escape the sandbox's view. By adding kernel analysis to your solution, you can detect and prevent malware from moving into the kernel.

9. Implement machine learning.

Malware analysis based on machine learning algorithms can detect sandbox evasion techniques in malware code before it executes. In addition, you can collect millions of other signals that, taken together, reveal malicious code.

10. Consider content disassembly and reconstruction (CDR) as an additional layer of security.

CDR is often considered the opposite of sandboxing, but it can serve as an add-on to other security solutions. This technology removes all active content from a file and delivers a sanitized document to the user.
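What "removing all active content" looks like for one common file type, as an added example (not redborder's code and not how any particular CDR product works): a sanitizer for OOXML documents that strips the VBA project and related parts out of a macro-enabled Word file, drops the package relationships that pointed at them, and rewrites the main part's content type so the result opens as a plain document. The part names, relationship types and content types are the standard OOXML ones; the sample document is constructed in memory from placeholder parts, and the list of what counts as active content is an assumption for illustration.

```python
"""Content disarm and reconstruction for an OOXML package (added example)."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Assumed set of parts that carry executable or embedded content (macros, ActiveX, OLE).
ACTIVE_PART = re.compile(r"^(word|xl|ppt)/(vbaProject\.bin|vbaData\.xml|activeX/.*|embeddings/.*)$", re.I)
# Macro-enabled main-part content type and its macro-free equivalent.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}


def _owner_of_rels(rels_name):
    """word/_rels/document.xml.rels -> word/document.xml; _rels/.rels -> '' (the package)."""
    base = posixpath.dirname(posixpath.dirname(rels_name))
    part = posixpath.basename(rels_name)[: -len(".rels")]
    return posixpath.join(base, part) if part else ""


def _strip_relationships(rels_name, body, removed, report):
    base = posixpath.dirname(_owner_of_rels(rels_name))
    root = ET.fromstring(body)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue
        target = posixpath.normpath(posixpath.join(base, rel.get("Target", ""))).lstrip("/")
        if target in removed:           # relationship now dangles: drop it
            root.remove(rel)
            report["dropped_relationships"].append(target)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _strip_content_types(body, removed, report):
    root = ET.fromstring(body)
    for el in list(root):
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Override":
            part = el.get("PartName", "").lstrip("/")
            if part in removed:
                root.remove(el)
            elif el.get("ContentType") in MACRO_MAIN_TYPES:
                el.set("ContentType", MACRO_MAIN_TYPES[el.get("ContentType")])
                report["retyped_parts"].append(part)
        elif tag == "Default" and "vbaProject" in el.get("ContentType", ""):
            root.remove(el)
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def sanitize_ooxml(data):
    """Return (sanitized package bytes, report of what was removed or rewritten)."""
    report = {"removed_parts": [], "dropped_relationships": [], "retyped_parts": []}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        removed = {n for n in names if ACTIVE_PART.match(n)}
        # A .rels file whose owning part was removed is an orphan: drop it as well.
        removed |= {n for n in names if n.endswith(".rels") and _owner_of_rels(n) in removed}
        report["removed_parts"] = sorted(removed)
        for name in names:
            if name in removed:
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = _strip_relationships(name, body, removed, report)
            elif name == "[Content_Types].xml":
                body = _strip_content_types(body, removed, report)
            dst.writestr(name, body)
    return out.getvalue(), report


def part_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_part(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def build_macro_document():
    """Constructed macro-enabled document skeleton; the .bin is a placeholder, not a real VBA project."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0PLACEHOLDER-VBA",
        "word/_rels/vbaProject.bin.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>',
        "word/vbaData.xml": '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling sanitize_ooxml(build_macro_document()) yields a package that keeps the document body and styles, contains no VBA parts, no relationship pointing at them, and no macro-enabled content type. The report is the part a practitioner wants to log: it records exactly what was cut, which is what distinguishes CDR from a detection verdict.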

The combination of these tools, which are part of the redborder solution, yields a more comprehensive analysis with which to combat complex threats and APT-level attacks, providing greater protection against advanced threats.

About our cybersecurity solution!

Redborder is a Big Data solution based on Open Source technologies for network visibility, data analysis and cybersecurity, fully scalable according to the needs of the network infrastructure of each company or Service Provider.
