Sandbox reliance is virtual insanity
Sandbox reliance is virtual insanity

Are we really here or is this all a simulation? This fundamental question has entertained philosophers, scientists and science fiction fans for eons. Yet today there's a dangerous new breed of malware also asking the same question.

New versions of the Dyre malware have been reported to evade sandbox analysis using tactics like counting processor cores. As most virtual environments only use one core, this simple environmental ‘sentience' check has allowed it pass undetected into the heart of organisations.

Other tradecraft includes ‘stalling code', where the malware performs some other safe computation until the sandbox times out and the file is thought safe. As soon as this time period is elapsed, the real malicious code is executed.

Zero-days won't die

But let's take a step back and explore what has made sandbox technology an increasingly vital part of security the first place – application vulnerabilities. These are the programming weaknesses in our common software applications that allow cyber-criminals to drop malware onto unsuspecting users. Just clicking on a hyperlink or opening an infected PDF can be enough to start a breach. Vulnerabilities persist across all platforms but Java, Flash, common PDF readers and web browsers have consistently been top of the charts.

Smart IT teams have got better at managing and patching their systems against vulnerabilities but new weaknesses (zero-days) are uncovered all of the time. Traditional signature-based anti-virus detection has no way of spotting a zero-day attack. There's simply no fingerprint in the crime database to check against, and very often malware takes advantage of these undiscovered flaws on an otherwise fully patched and up-to-date system.

Attachment sandboxes however can identify behavioural anomalies in the execution of an attachment, which could point to new types of attack and this is why they are increasingly used at the core of automated detection processes. Consider how a sandbox usually works: An email arrives with an attachment and passes signature-based anti-virus checks at the email gateway. The sandbox spins up a virtual or emulated environment, opens the file and performs a deep behavioural analysis on the contents. Example techniques include monitoring for malicious scripts, buffer overflows, Windows API calls or rogue attempts to access other high-level system functions. If the file is deemed safe, the mail is then delivered to the recipient.

Yet sandboxing has other drawbacks. The process delays emails, often frustrating employees and reducing their productivity. The complexity and resource demands can also make it expensive. The result is that organisations often limit who they protect to keep costs under control. Perhaps finance, legal and the executive team; but this will only lead to a false sense of security, and is akin to building a fence around only half of your property.

Every employee is a risk

Unfortunately this seemingly flawed attempt at risk and cost management is not any level of protection against increasingly targeted attacks. Attracted by the ever-growing data repositories and valuable IP held by organisations, attackers are becoming increasingly sophisticated in their methods.

Cyber-criminals will take their time probing a target for weaknesses. This might be research into a firm's security technology or gentle social engineering of apparent low-risk employees. Organisations may also be targeted to be used as a pivot – the attackers use their systems to gain access to trusted third-party companies, damaging the reputation of both organisations in the process.

Several major data breaches and state-sponsored hacking attacks have been initiated through the use of spear-phishing or targeted email attacks of this kind. Is your receptionist or your air-conditioning supplier your weakest security link? Existing security protection must therefore be augmented to combat this growing threat. Effective security must protect all employees no matter what device they use to access business email – desktop or mobile, corporate provided or personally owned.

Reduce sandbox reliance

Today's security response must reduce this total reliance on the sandbox. We need to examine organisational workflows and identify smarter ways to protect our employees. One new model is to combine on-demand sandboxing with message transcription.

We recently analysed one terabyte of Mimecast email platform data. It showed that around 51 percent of attachments that we processed were PDF files. These are read-only files to most employees yet could potentially harbour malicious code. Our research also showed that other common file attachments (17 percent Word, 9 percent Excel and 3 percent PowerPoint) were often only read rather than edited; so it would be a fair assumption that these types of files could be safely transcribed into threatless versions.

This new security approach blends the sandbox with a transcription service that automatically converts attachments into a safe file format, neutralising any malicious code. The attachment is delivered to the em­ployee in this safe format without any delay. Should the employee need to edit the attachment, they can request it is sandboxed on-demand and the original delivered to them.

By transcribing the contents of an attachment to a different file type (eg docx to pdf), you are changing the execution environment. This means any macros or hidden code from the original file simply cannot run in the new format.  This is very different to file sanitisation products, which attempt to ‘clean' dangerous code from a file.  The vast majority of transcribed files also radically reduce the risks that a sandbox weakness or failing results in infection.

Balancing user experience, scalability, cost and security can be challenging and requires careful thought depending on your organisation. Traditional sandboxes are costly and so are often deployed to a subset of users. Every employee is a target and every employee needs protection. Only by making smarter decisions about when to use sandbox resources, can we make better security a reality.

Contributed by Neil Murray, chief technology officer at Mimecast