Sandboxing is emerging as a key tool in detecting the spy on the network, helping enterprises in their fight against APTs, says Darren Turnbull
What does it really mean to live in the shadow of the Advanced Persistent Threat? Certainly, APTs are a lot more subtle, intelligent and dangerous than their random and generally less sophisticated predecessors. The Internet threat environment is a lot more malicious today, and we can no longer rely on signature-based defenses against it. We need to fight intelligence with intelligence.
Yet, while cyber crime has evolved and advanced, it has also borrowed from the past. Cyber crime today has a lot in common with the golden era of old-school spying – infiltrate, hide, and extract valuable and sensitive information without being detected. This approach is highly effective in a world where digital information is becoming increasingly valuable.
With stealthy online infiltration to steal valuable proprietary information now the ultimate aim of the modern cyber criminal, it is clear that organizations need to be especially vigilant and prepared to detect these new types of rampant and unrelenting threats. The successful embedding and execution of malicious code on a network can wreak havoc on an organization, with the biggest risk now lying in the theft of intellectual property. Competitive advantage, insider information and valuable, saleable IP are all highly attractive to both the professional cyber criminal and the emerging (and as yet unproven) state-sponsored attackers.
New ways of working such as BYOD, where endpoints are also used for non-business use such as social media, are aiding APTs. Something as simple as a link on Facebook to an infected webpage can prove the entry point into an organization’s network. Cyber criminals are becoming highly skilled in targeting people and tricking them into innocently gifting access to their devices and, consequently, the corporate network.
Fortunately, there are still ways to spot the ‘spies’ trying to infiltrate the network, and even those who have gained access and bedded themselves in. They will invariably leave tell-tale signs. It’s simply a case of looking for those signs and, in the case of a suspected ‘spy’, fooling them into making mistakes that will allow them to be identified and dealt with.
Need for Sandboxing
Sandboxing is not a new idea, but it is proving increasingly useful in countering APTs. Malware has always tried to disguise itself, and today’s malware developers are making their software ‘aware’ of its surroundings. The sandbox – which can be local or cloud based – provides a tightly controlled virtual environment in which only the basic resources needed to run suspicious or unknown software are provided, and where network access and other critical functions are restricted. The malware is thereby tricked into believing it has reached its destination, so that it can be closely observed for revealing behavior. But how do you choose which piece of software needs to be ushered into a sandbox environment for closer scrutiny?
There are five initial exploit and exfiltration behaviors that, either in isolation or in tandem, can point to malware activity.
Looking at these in more detail, some APT payloads randomly generate strings of IP addresses intended to aid propagation, or they may attempt to connect to a command and control server in order to exfiltrate data or call on further attack resources via a botnet. If details of the malicious server are known, it’s the equivalent of a suspected spy under surveillance revealing himself when he calls his spymaster.
Also, documented APT cases have involved numerous techniques for obscuring (obfuscating) the real meaning and intent behind malicious JavaScript code, and of course the malware will likely mimic the behavior of its host device or application to avoid detection. Consequently, the trend towards encrypted malware within APT payloads places all encrypted traffic at elevated risk.
A layered approach to security
For more effective protection and greater control, sandboxing should ideally operate as part of a layered strategy. The first line of defense will be the antivirus engine, supported by an inline real-time onboard sandbox. If the threat warrants it, the suspicious files can be submitted to a cloud-based sandbox for further analysis. This layered and unified approach delivers more control and speed for countering a potential attack. And it is necessary: as cyber crime becomes more advanced and multi-layered, so must the security stance of the organization.
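As an added illustration (not code from the article or from Fortinet), the following Python triages a sandbox behaviour report against the indicators described above – unresolved random-IP fan-out, contact with a known command and control address, obfuscated JavaScript, and encrypted traffic to unresolved hosts – and picks the next step in the layered pipeline: release, escalate to the cloud sandbox, or block. The report layout, the KNOWN_C2 list and the thresholds are all assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed indicator list for this example; a real deployment would pull a threat feed.
KNOWN_C2 = {"203.0.113.45", "198.51.100.7"}
FANOUT_THRESHOLD = 20  # distinct unresolved IPs before we call it random-IP propagation

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload strings score higher than readable text."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def js_obfuscation_score(js: str) -> int:
    """Heuristic count of obfuscation tricks present in a JavaScript sample."""
    score = 0
    if re.search(r"\beval\s*\(", js):
        score += 1
    if re.search(r"\b(unescape|atob|String\.fromCharCode)\s*\(", js):
        score += 1
    # A long, high-entropy string literal usually carries an encoded second stage.
    if any(shannon_entropy(s) > 4.5 for s in re.findall(r"[\"']([^\"']{40,})[\"']", js)):
        score += 1
    return score

def triage(report: dict) -> dict:
    """Score a sandbox behaviour report and choose the next step in the layered pipeline."""
    resolved = {d["ip"] for d in report.get("dns", [])}   # IPs the sample obtained via DNS
    conns = report.get("connections", [])
    dsts = {c["dst"] for c in conns}
    unresolved = dsts - resolved                          # contacted without any DNS lookup
    indicators = {
        "random_ip_fanout": len(unresolved) >= FANOUT_THRESHOLD,
        "known_c2_contact": bool(dsts & KNOWN_C2),
        "obfuscated_js": any(js_obfuscation_score(s) >= 2 for s in report.get("scripts", [])),
        "encrypted_to_unresolved": any(c.get("tls") and c["dst"] in unresolved for c in conns),
    }
    hits = sum(indicators.values())
    if indicators["known_c2_contact"] or hits >= 2:
        verdict = "block"                                 # strong evidence: quarantine now
    elif hits == 1:
        verdict = "escalate_to_cloud_sandbox"             # single signal: deeper analysis
    else:
        verdict = "release"
    return {"indicators": indicators, "verdict": verdict}
```

The report would come from the inline sandbox's own logging; the verdict decides whether the file is released, sent on to the cloud sandbox, or blocked outright.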
Unfortunately, there persists a belief among many enterprises and organizations that none of this really applies to them. The high media profile of ‘cyber war’ raging between nation states supports this mistaken belief. However, in cyberspace there are no national boundaries and every organization, no matter how large or small, is a potential target. It is very easy for skilled cyber criminals to use social routes to gain access to devices and networks, so what’s to stop them targeting any organization, especially if they can assume that the organization is unprepared and vulnerable? And with cyber crime tools becoming cheaper and more readily available, what’s to stop competitors doing the same?
In the shadow of the APT, traditional IT security defenses are outdated and no longer adequate. There is an increasing urgency for organizations to recognize and accept the very real risks posed by APTs and to adopt a more modern and intelligent layered approach to threat detection and remediation. Sandboxing is a key tool in that approach.
Darren Turnbull is VP – Strategic Solutions, Fortinet.