“it is clear traditional signature-based anti-malware solutions are increasingly ineffective”. This comment by Neil MacDonald of Gartner spells out the problem many enterprises face. If antivirus is no longer deemed effective, what steps can an enterprise take to protect itself against malware and viruses?
Traditional AV vendors such as Symantec, McAfee, Kaspersky, Sophos and Trend are enhancing their existing solutions in an attempt to incorporate advanced threat detection mechanisms. In a previous article, we mentioned that a defence-in-depth strategy is considered the best approach.
An emerging solution that should form part of that overall strategy is sandboxing. Sandboxing is able to detect threats that other security mechanisms, such as antivirus, would otherwise miss. When sandboxing is coupled with an NGFW solution that incorporates antispam, antivirus, IPS, web filtering, app control and IP reputation filtering, you have a robust defence mechanism.
MTG deploy both sandboxing and NGFW (Next Generation Firewall) solutions from Fortinet. Although this guide is vendor-agnostic, some elements are specific features of the Fortinet product set. You can learn more about that here.
What is Sandboxing?
A sandbox is a safe, isolated environment that is designed to replicate an end-user IT environment. The sandbox environment allows you to open files, run code and then rate the file based on activity and behaviour, rather than just attributes. Executables can be run, spreadsheets with macros can be opened and contained network traffic can be allowed, all in an attempt to classify and understand the risk a particular application or file poses. Ultimately, the sandbox provides a safe environment in which to execute and observe malicious code, network connections, registry operations and configuration changes.
Here are some scenarios where sandboxing can play a part:
- Someone e-mails in a spreadsheet containing a macro. The macro is malicious: when the spreadsheet is opened, the macro downloads a unique payload and begins to infect the user's system.
- The IT department downloads an installer for a TFTP server. It is scanned for viruses, is found to be virus free, and they install the software. Unbeknown to them, this particular release does contain a yet-to-be-publicised derivative of malware, which proceeds to infect their system.
- Another user downloads a PDF that contains an exploit, specifically crafted for their (dated) version of Acrobat. The user downloads and opens the PDF, and this proceeds to exploit their system.
In all cases, Sandboxing can be used to scan and identify threats.
- In the case of the spreadsheet, the sandbox will open the spreadsheet in a VM environment (with MS Office), observe the behaviour, classify the threat and make a judgement call. If the spreadsheet is indeed malicious, the sandbox will create its own signature that can be distributed to the NGFW and endpoint protection. In effect, this is a self-generating antivirus signature.
- The IT department can execute installers and unknown applications in a sandbox environment before they go into production.
- PDF documents and even websites can be tested in the sandbox to determine if vulnerabilities exist.
With these examples, it is easy to see how sandboxing can be used to identify emerging threats, and that this can extend to custom, targeted exploits. Remember, the analysis is based upon characteristics and actual behaviour, not just attributes or signatures in a database.
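The spreadsheet scenario above, as an added example (not code from the original article or from any vendor): a minimal behaviour rater that walks a constructed sandbox event trace, reaches a verdict, and records a hash signature that blocks the same file on its next appearance. The event kinds, finding names, process names and the two-finding threshold are assumptions made for illustration.

```python
import hashlib

OFFICE_APPS = {"excel.exe", "winword.exe"}  # assumed document handlers in the VM
MALICIOUS_AT = 2  # assumed threshold: number of distinct suspicious behaviours

def behaviours(trace):
    """Derive findings from an ordered list of (kind, proc, target) events."""
    found, children, dropped = set(), set(), set()
    for kind, proc, target in trace:
        if kind == "spawn" and (proc in OFFICE_APPS or proc in children):
            children.add(target)  # track the process tree under the document
            found.add("office_spawned_process")
        elif kind == "connect" and proc in children:
            found.add("child_network_connection")
        elif kind == "write" and target.lower().endswith(".exe"):
            dropped.add(target)  # remember executables written during the run
        elif kind == "exec" and target in dropped:
            found.add("dropped_file_executed")
        elif kind == "reg_set" and proc in children:
            found.add("child_registry_change")
    return found

def analyse(sample, trace, signatures):
    """Return (verdict, findings); add a hash signature when behaviour is bad."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in signatures:  # the cheap signature check comes first
        return "blocked_by_signature", set()
    found = behaviours(trace)
    if len(found) >= MALICIOUS_AT:
        signatures.add(digest)  # the self-generated signature to distribute
        return "malicious", found
    return "clean", found

# Constructed traces for two macro-enabled spreadsheets (not real samples).
MACRO_TRACE = [
    ("spawn", "excel.exe", "powershell.exe"),
    ("connect", "powershell.exe", "203.0.113.10:443"),
    ("write", "powershell.exe", "payload.exe"),
    ("exec", "powershell.exe", "payload.exe"),
    ("reg_set", "powershell.exe", "autorun entry"),
]
BENIGN_TRACE = [("connect", "excel.exe", "fileserver.example:445"),
                ("write", "excel.exe", "budget.xlsx")]

if __name__ == "__main__":
    sigs = set()
    for name, trace in (("invoice.xlsm", MACRO_TRACE), ("budget.xlsm", BENIGN_TRACE)):
        print(name, analyse(name.encode(), trace, sigs))
```

Both constructed files share the same attributes (macro-enabled workbooks); only the recorded behaviour separates them, and the signature set starts empty, so the first verdict on the malicious one comes from behaviour alone.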
How does it work?
Essentially, a sandbox environment is a replica of a user environment. This can include Windows 7, Windows 8, Microsoft Office and Acrobat. It can open Word documents, spreadsheets, zip files and rar files. The file or application operations are emulated as if a real user were opening the documents.
Fortinet use a patented Compact Pattern Recognition Language (CPRL) that attempts to identify 50,000 or more disguises used by malware as an evasion technique. FortiSandbox demonstrates an industry-leading 99% breach detection, identifying the majority of breaches in under a minute.