Today, it is increasingly difficult to defend against advanced malware. While known malware files can be identified with traditional antivirus, and common malware by first generation sandbox technologies. Today’s advanced malware is designed to evade detection when in a sandbox.
Perimeter-centric approaches leave organizations exposed while robust web applications have resulted in new threat vectors. Ultimately, humans are still the weakest link.
A next-generation cloud-based sandbox that is based on a full system emulation that will identify, analyze, and block advanced malware will help address these challenges. A cloud-based sandbox solution generally is comprised of three modules: static analysis, behavioral analysis and cloud intelligence.
The three modules work together to ensure the efficiency and efficacy of malicious files detection. Through static analysis, behavioral analysis and cloud intelligence, the cloud-based sandbox detects malware with a low false-positive rate and high detection rate.
The static analysis module executes static signature analysis of the files, such as identification of file types, file format, and the known malware signature. Additionally, front filter technology (E.g. URL whitelist, file signature validation, sample database on cloud) can screen out the known threats to reduce the workload of sandbox.
The behavioral analysis module simulates multiple operation systems and running environments, and trigger file behaviors in the simulated environments that closely resemble real ones in production environments. The solution should use a machine learning model to validate the file behavior.
Cloud intelligence uses threats intelligence information compiled globally and compares the static information and behavior of the files against the intelligence information, such as malware signatures, phishing websites and malicious domain names, and attaches every file with a risk evaluation score, rather than simply defining it as good or bad.
Key benefits to using a cloud-based sandbox
The following are some of the benefits to leveraging a cloud-based sandbox for protection against malware.
High detection rate with both static and behavioural analysis
The malware sample database on a cloud-based sandbox can contain more than 1 billion samples. It quickly detects whether any uploaded file matches with the malware samples. A cloud-based sandbox simulates running environments and trigger file behaviors such as creating processes, modifying registry and requesting back chain. Unknown threats can be detected by analyzing the file behavior.
Protection of encrypted traffic
Since SSL encryption technology has become popular, more and more applications use HTTPS. However, today’s malware also uses SSL encryption technology to escape from detection. A cloud-based sandbox decrypts the encrypted traffic and restore the files in the encrypted traffic. With this approach, malware can be detected, even if they are hidden in the encrypted traffic.
Measurements against anti-sandbox technology
Cloud-based sandboxes support the identification and detection of anti-sandbox malwares. By hiding the sandbox processing information such as kernel model and registry information, it can simulate the running environments. To avoid malware from escaping from detection, a cloud-based sandbox simulates manual and interactive operations and takes over the API, so that the malware behaviour can be triggered.
Comprehensive threat information in the reports
Upon detecting malware and unknown threats, a cloud-based sandbox displays alarms and notifications, as well as comprehensive reports of malware behavior in the administration panel of the firewall. Network behavior, process behavior, file behavior, and file key information are displayed in the reports.
The process for the attack is visualized through the kill chain analysis on firewall platforms, so that security administrators can take appropriate action.
Advanced malware has become so sophisticated that it can easily evade traditional security solutions including firewalls, IPS and antivirus technologies.
To address advanced malware, a cloud-based sandbox delivers a unique, advanced threat detection platform that can emulate the execution environment and analyze all activities related to malicious files, identify advanced threats and collaborate with existing solutions to provide rapid remediation.
Article by Hillstone Networks' South East Asia regional director Francis Teo.