Protection against malware with a cloud-based sandbox

27 Feb 2018

Today, it is increasingly difficult to defend against advanced malware. Known malware files can be identified by traditional antivirus, and common malware by first-generation sandbox technologies, but today’s advanced malware is designed to evade detection when it is running in a sandbox.

Perimeter-centric approaches leave organizations exposed while robust web applications have resulted in new threat vectors. Ultimately, humans are still the weakest link.

A next-generation cloud-based sandbox built on full system emulation, which identifies, analyzes and blocks advanced malware, helps address these challenges. A cloud-based sandbox solution is generally made up of three modules: static analysis, behavioral analysis and cloud intelligence.

The three modules work together to ensure the efficiency and efficacy of malicious file detection. By combining static analysis, behavioral analysis and cloud intelligence, the cloud-based sandbox detects malware with a low false-positive rate and a high detection rate.

The static analysis module performs static signature analysis of the files, such as identification of file type and file format and matching against known malware signatures. Additionally, front-filter technology (e.g. a URL whitelist, file signature validation, or a sample database in the cloud) can screen out known threats and known-good files to reduce the workload of the sandbox.

The behavioral analysis module simulates multiple operating systems and running environments, and triggers file behaviors in simulated environments that closely resemble real production environments. The solution should use a machine learning model to validate the observed file behavior.

Cloud intelligence uses threat intelligence compiled globally and compares the static information and behavior of the files against that intelligence, such as malware signatures, phishing websites and malicious domain names. It attaches a risk evaluation score to every file, rather than simply classifying it as good or bad.
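The following is an added illustration of how the static-analysis front filter and the cloud-intelligence risk score described above fit together; it is example code written for this article, not Hillstone's product code. The file types, the "threat intelligence" sets, the sample file bytes and the behavior weights are all constructed placeholders, and the hash lookup, URL whitelist and domain matching are deliberately simple stand-ins for a real signature database and intelligence feed.

```python
import hashlib
import re

# --- Constructed stand-ins for a cloud sample database and intelligence feed ---
# Source URLs treated as trusted (whitelist front filter). Placeholder values.
ALLOWED_URL_PREFIXES = ("https://updates.example-corp.internal/",)
# Domains the (constructed) intelligence feed flags as malicious. Not real IoCs.
MALICIOUS_DOMAINS = {"evil-c2.example", "phish-login.example"}
# Sandbox behavior categories and the weight each adds to the risk score.
BEHAVIOR_WEIGHTS = {
    "creates_process": 10,
    "modifies_registry": 15,
    "network_callback": 25,
    "disables_security": 30,
}
# File-type identification from leading magic bytes (static analysis step).
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
}


def sha256_hex(data: bytes) -> str:
    """Hash used to look the file up in the known-sample database."""
    return hashlib.sha256(data).hexdigest()


def identify_type(data: bytes) -> str:
    """Return the file type implied by the magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_domains(data: bytes) -> set:
    """Crude ASCII string scan for hostnames embedded in the file."""
    text = data.decode("latin-1").lower()
    return set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text))


def front_filter(data: bytes, source_url: str, known_bad: set) -> tuple:
    """Decide 'block', 'allow' or 'sandbox' before spending sandbox time.

    Known-bad hashes are blocked outright; files from a whitelisted URL whose
    type is recognised are allowed; everything else goes to behavioral analysis.
    """
    digest = sha256_hex(data)
    if digest in known_bad:
        return "block", "known malicious sample hash"
    if source_url.startswith(ALLOWED_URL_PREFIXES) and identify_type(data) != "unknown":
        return "allow", "source URL on whitelist"
    return "sandbox", "unknown file, submit for behavioral analysis"


def risk_score(file_type: str, domains: set, behaviors: list) -> int:
    """Combine static type, intelligence hits and observed behaviors into 0-100.

    A score rather than a good/bad verdict lets an administrator set a policy
    threshold per network instead of relying on a single binary decision.
    """
    score = 0
    if file_type in ("pe", "elf"):
        score += 10          # executables start with a higher baseline
    elif file_type == "unknown":
        score += 5           # unrecognised format is mildly suspicious
    score += 30 * len(domains & MALICIOUS_DOMAINS)   # each intel hit
    for behavior in behaviors:
        score += BEHAVIOR_WEIGHTS.get(behavior, 5)   # unknown behavior: small bump
    return min(score, 100)


# Constructed sample files for the demonstration (not real malware).
MALICIOUS_SAMPLE = b"MZ" + b"\x00" * 16 + b"POST http://evil-c2.example/beacon"
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
# Constructed "cloud sample database": contains the hash of the sample above.
KNOWN_BAD_SHA256 = {sha256_hex(MALICIOUS_SAMPLE)}


def triage(data: bytes, source_url: str, behaviors: list = ()) -> dict:
    """Run the front filter, then score the file with static + behavioral data."""
    verdict, reason = front_filter(data, source_url, KNOWN_BAD_SHA256)
    file_type = identify_type(data)
    score = risk_score(file_type, extract_domains(data), list(behaviors))
    return {"verdict": verdict, "reason": reason, "type": file_type, "score": score}


if __name__ == "__main__":
    print(triage(BENIGN_PDF, "https://updates.example-corp.internal/manual.pdf"))
    print(triage(MALICIOUS_SAMPLE, "http://download.example/setup.exe",
                 ["creates_process", "network_callback"]))
```

The whitelist is applied only after a known-bad hash check so that a trusted URL can never override a signature hit, and the score adds intelligence hits and behaviors on top of the static baseline, which is the layering the article describes.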

Key benefits to using a cloud-based sandbox

The following are some of the benefits of leveraging a cloud-based sandbox for protection against malware.

High detection rate with both static and behavioural analysis

The malware sample database behind a cloud-based sandbox can contain more than 1 billion samples, and it quickly detects whether an uploaded file matches any of them. A cloud-based sandbox also simulates running environments and triggers file behaviors such as creating processes, modifying the registry and requesting back chain, so unknown threats can be detected by analyzing the file's behavior.

Protection of encrypted traffic

Since SSL encryption has become widespread, more and more applications use HTTPS. However, today’s malware also uses SSL encryption to escape detection. A cloud-based sandbox decrypts the encrypted traffic and restores the files carried in it, so malware can be detected even when it is hidden in encrypted traffic.

Countermeasures against anti-sandbox technology

Cloud-based sandboxes support the identification and detection of anti-sandbox malware. By hiding sandbox-specific processing information such as kernel modules and registry entries, the sandbox can simulate a realistic running environment. To prevent malware from evading detection, a cloud-based sandbox simulates manual, interactive operations and takes over the APIs the malware calls, so that the malicious behaviour can be triggered and observed.

Comprehensive threat information in the reports

Upon detecting malware and unknown threats, a cloud-based sandbox displays alarms and notifications, as well as comprehensive reports of the malware's behavior, in the administration panel of the firewall. Network behavior, process behavior, file behavior and key file information are displayed in the reports.

The course of the attack is visualized through kill chain analysis on the firewall platform, so that security administrators can take appropriate action.

Advanced malware has become so sophisticated that it can easily evade traditional security solutions including firewalls, IPS and antivirus technologies.

To address advanced malware, a cloud-based sandbox delivers a unique, advanced threat detection platform that emulates the execution environment, analyzes all activities related to malicious files, identifies advanced threats and collaborates with existing solutions to provide rapid remediation.

Article by Hillstone Networks' South East Asia regional director Francis Teo.
