Even when your device and operating system have reinforced security, you’re not really safe. Malware detection, antivirus software, antispam, endpoint security solutions and the like are all necessary means of cyber protection, but still won’t be enough for the sophisticated malware and obfuscation techniques employed by today’s malicious actors.
The usual protection techniques and technologies work by identifying known indicators of compromise (IoC), meaning zero-day threats and new attacks that easily evade security defenses can be missed. Incorporating sandboxing into your security tooling will provide you with an additional layer of security, allowing you to detect previously unknown threats and advanced persistent threats in a safe environment.
What happens in the sandbox, stays in the sandbox
A sandbox is a preventative analysis technology used for security deception. As an isolated environment on a network, it provides a safe testing area for running programs and executing code separately from the system, with no risk of infecting the system. When running without a sandbox, an application can require access to many of your system’s critical resources.
But with a sandbox environment that mimics the operating system of the user, the application will only be able to access resources within the sandbox, with permissions to only those it needs. This way, any suspicious code or program can be kept in an isolated area, ensuring safe execution with no disruptions to the system.
Sandboxing is valuable for both software development and cybersecurity. When it comes to software development, sandbox environments are used to create secure applications, allowing developers to test new code in various environments and non-compatible programs running simultaneously.
For security, sandboxes are used as an addition to firewall solutions by protecting the OS while launching applications and working with sensitive data. Sandboxing can also be used to safely analyze malware and help prepare for future attacks. It’s often employed by blue teams to safely test malware against multiple OSs, analyze it and even determine if existing anti-malware solutions have properly flagged the malicious code or file. For more on the subject, we recommend you read our Blue Team Toolkit post, in which we talk about the best open source sandbox tools available.
Everyday users also benefit from sandboxes when browsing the web. Web browsers essentially run the web pages you visit in a sandbox as they are constricted to running in the browser only, with no access to your local files, webcam, etc. Mobile apps are also run in a sandbox—they have to ask for your permission if they want to access any other resources, including your media library, camera and location.
As there are different uses and needs for sandboxing, there are multiple versions and approaches to consider:
- Virtual machines - VMs, as their name implies, create virtualized hardware devices that emulate the entire operating system, and don’t have access to anywhere outside of it. This means you can install software and run code as if you were on your regular device and OS. Well-known VMs include VMware, Java VM, VirtualBox and Xen Project.
- Sandboxing programs - A good example of a sandboxing program is the popular Sandboxie, a sandbox for Windows. It creates an isolated operating environment and applications can be run in it without accessing or modifying the local system, allowing for controlled testing of programs and applications.
- Limiting permissions - Having the system assign levels of access for users and programs according to determined rules, such as SELinux rules and POSIX capabilities, means you can have control over what processes are started, and what can inject code into your applications.
- Chroot jail - chroot is an operation on Unix that changes the visible root of the current process and its subprocesses. A program or an applications running in such isolated environment (called chroot jail) can’t access files outside it.
How does sandboxing help?
With different uses for sandboxing environments we see different benefits. The bottom line is that using a sandbox adds another layer of protection to your existing security solutions, and with many sandbox solutions and programs ready to run right out of the box, it’s easy to see why it’s a frequently used security method.
As previously mentioned, traditional security perimeter defenses and solutions can only recognize and stop known malware and CVEs, but fall short when it comes to new, zero-day threats and vulnerabilities.
While not acting as a zero-day threat protection per se, sandboxes can separate the threat from the rest of the network. This allows security researchers to analyze it and identify possible system or network vulnerabilities. By isolating threats and malware, security researchers can learn more about new threats, which will help stop future attacks.
Sandboxing also complements other security programs and solutions, especially firewalls and antivirus software. It can provide context to malware not detected by these solutions and helps enrich them with new IoAs, threats, etc.
Sandboxing helps identify application vulnerabilities, widely acknowledged as the stepping stones of software development. When testing new applications and effecting software changes, having a sandbox means you’ll be able to spot any problems in an area isolated from production, and with it avoid many issues that can arise before and after going live.
There is no unavoidable technique
While a sandbox is an excellent addition to your security arsenal, as with anything in cybersecurity, you can never be 100% secure. So of course, malware authors and cyber criminals have found ways to evade sandboxes and most newer generation threat detection solutions.
Delaying execution - One of the sandbox evasion techniques used by malware authors is timing-based. As sandboxes usually analyze malware for a limited period of time, malware can use calls for extended sleep and successfully leave the sandbox before execution. In other cases, malware can be programmed to execute at a particular time, on a specific day and hour. Additionally, malware can also contain code that executes CPU cycles to delay the actual code until the sandbox has finished analyzing it. Here, a prolonged analysis or a change in time of analysis can significantly increase the chance of detecting malware that uses this technique.
Detecting user interactions - Sandboxing environment does mimic the “real” system, it still doesn’t have the user interactions a legitimate system would have. Malware authors can create malware that detects user behaviour such as mouse scrolls and clicks and opening of documents, and executes only upon such detection. You can add human-like interactions such as fake mouse clicks and movements, but modern malware can also detect those.
Environment detection - Malware authors use techniques to detect whether they’re in a sandboxing environment by checking devices installed on the system, such as certain file names, hypervisor calls and other processes tied to sandboxes like as vmusrcs.exe, vmtoolsd.exe, and others.
Detection of system features - Sandbox-evading malware can also be created to detect the features of a real system that can’t be found in a sandbox, such as installed programs, system artifacts, hardware components, and more. One technique is the core count technique in which malware can find any inconsistencies between systems like the number of CPU cores. Another technique is using malware that will execute only after a system reboot, as the sandbox doesn’t stay up after the reboot.
It’s good taking risks in life, and playing in the danger zone, but when it comes to cybersecurity and keeping the integrity of your network, systems and sensitive data, playing in the safe space is the better option. Sandboxing is one of the tried and tested defence techniques will ensure every piece of new and unknown code, program or files isn’t free to run rampant in your network and potentially install malware or disrupt your services. Remember — what happens in the sandbox, stays in the sandbox.