
Protection against malware with a cloud-based sandbox

27 Feb 2018

Today, it is increasingly difficult to defend against advanced malware. Known malware files can be identified by traditional antivirus, and common malware by first-generation sandbox technologies, but today’s advanced malware is designed to evade detection while it is running in a sandbox.

Perimeter-centric approaches leave organizations exposed, and increasingly complex web applications have opened new threat vectors. Ultimately, humans remain the weakest link.

A next-generation cloud-based sandbox built on full-system emulation, which identifies, analyzes and blocks advanced malware, helps address these challenges. Such a solution generally comprises three modules: static analysis, behavioral analysis and cloud intelligence.

The three modules work together to ensure efficient and effective detection of malicious files. Through static analysis, behavioral analysis and cloud intelligence, the cloud-based sandbox detects malware with a high detection rate and a low false-positive rate.

The static analysis module performs static signature analysis of files, such as identifying the file type and file format and matching known malware signatures. Additionally, front-filter technology (e.g. URL whitelists, file signature validation and the sample database in the cloud) screens out known threats to reduce the workload of the sandbox.
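The front filter described above, as an added example that is not Hillstone's code: it identifies the file type from magic bytes, validates that a file claiming to be a PE really carries a PE header, hashes the file and looks it up against a known-malware set and a whitelist before deciding whether the sandbox needs to see it at all. The magic table, the hash sets, the sample files and the host `updates.example.com` are all constructed for the demo.

```python
"""Static front filter: file type identification, format validation and
hash lookups that screen files before behavioural analysis.
Constructed demo data; not the product's own code."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Magic-byte table for file type identification (constructed subset).
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}


def identify_type(data: bytes) -> str:
    """Return a file type name from the leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def format_is_valid(file_type: str, data: bytes) -> bool:
    """Cheap structural check: a PE must point at a 'PE\\0\\0' header via
    e_lfanew at offset 0x3c. Other types are accepted on magic alone here."""
    if file_type != "pe":
        return True
    if len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def minimal_pe() -> bytes:
    """Construct a tiny well-formed PE stub for the demo."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed reference data standing in for the cloud sample database.
TRUSTED_FILE = minimal_pe() + b"trusted-installer"
KNOWN_BAD_FILE = minimal_pe() + b"known-bad-sample"
WHITELIST_HASHES = {hashlib.sha256(TRUSTED_FILE).hexdigest()}
KNOWN_MALWARE_HASHES = {hashlib.sha256(KNOWN_BAD_FILE).hexdigest()}
URL_WHITELIST = {"updates.example.com"}  # hypothetical trusted download host


@dataclass
class StaticVerdict:
    file_type: str
    sha256: str
    decision: str  # "block", "allow" or "sandbox"
    reason: str


def front_filter(data: bytes, source_host: Optional[str] = None) -> StaticVerdict:
    """Screen a file before behavioural analysis.

    Order matters: a known-malware hash wins over any whitelist, so a
    trusted host serving a known-bad file is still blocked; anything
    unknown or structurally odd is sent on to the sandbox."""
    digest = hashlib.sha256(data).hexdigest()
    file_type = identify_type(data)
    if digest in KNOWN_MALWARE_HASHES:
        return StaticVerdict(file_type, digest, "block", "known malware hash")
    if not format_is_valid(file_type, data):
        return StaticVerdict(file_type, digest, "sandbox", "magic/format mismatch")
    if digest in WHITELIST_HASHES:
        return StaticVerdict(file_type, digest, "allow", "whitelisted hash")
    if source_host in URL_WHITELIST:
        return StaticVerdict(file_type, digest, "allow", "whitelisted source")
    return StaticVerdict(file_type, digest, "sandbox", "unknown sample")


if __name__ == "__main__":
    for sample in (TRUSTED_FILE, KNOWN_BAD_FILE, b"MZ-but-not-a-pe", b"%PDF-1.7 unknown"):
        v = front_filter(sample)
        print(f"{v.file_type:8} {v.decision:8} {v.reason}")
```

The decision order is the security-relevant part: a hash match against the malware database is checked before any whitelist, a file whose magic bytes disagree with its structure is never allowed on trust, and only files that pass every static check without a verdict consume sandbox time.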

The behavioral analysis module simulates multiple operating systems and runtime environments and triggers file behaviors in simulated environments that closely resemble real production environments. The solution should use a machine learning model to validate the file behavior.

Cloud intelligence uses threat intelligence compiled globally and compares the static information and behavior of files against that intelligence, such as malware signatures, phishing websites and malicious domain names, and attaches a risk evaluation score to every file rather than simply classifying it as good or bad.
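An added example, not Hillstone's code, of how the three modules feed one risk score: a sandbox behavior trace (grouped into the network, process, file and registry categories that the reports section of this article lists) is weighted per action, the file hash and any contacted hosts are compared against a threat intelligence feed, and the result is a 0 to 100 score with a level rather than a good/bad verdict. The intelligence feed, the event weights, the two traces and the hostnames are all constructed; a real deployment would learn the weights with the machine learning model mentioned above instead of setting them by hand.

```python
"""Combine static findings, sandbox behaviour events and threat intelligence
into a per-file risk score. Constructed demo; not the product's own code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed threat intelligence feed standing in for cloud intelligence.
INTEL = {
    "malicious_domains": {"bad-cdn.example.net"},
    "phishing_urls": {"http://login-example.example.org/verify"},
    "malware_hashes": {"0" * 64},  # placeholder hash, not a real IoC
}


@dataclass
class Event:
    """One behaviour event as a sandbox trace would record it."""
    category: str  # "network", "process", "file" or "registry"
    action: str
    target: str


# Hand-set weights for the demo; a real model would be learned.
WEIGHTS = {
    ("process", "create"): 2,
    ("process", "inject"): 25,
    ("registry", "set_run_key"): 20,
    ("file", "write_executable"): 10,
    ("file", "delete_self"): 15,
    ("network", "dns"): 1,
    ("network", "connect"): 3,
}
INTEL_HIT_BONUS = 40
MAX_SCORE = 100


def risk_level(score: int) -> str:
    """Map a numeric score to the band an administrator would act on."""
    if score < 20:
        return "low"
    if score < 60:
        return "medium"
    return "high"


def score_file(events: List[Event], sha256: str) -> Dict:
    """Return a report dict with score, level, grouped behaviour and evidence."""
    grouped = defaultdict(list)
    evidence = []
    score = 0
    seen_indicators = set()
    if sha256 in INTEL["malware_hashes"]:
        score += INTEL_HIT_BONUS
        evidence.append(f"hash {sha256[:12]}... matches malware intelligence")
    for ev in events:
        grouped[ev.category].append(f"{ev.action} {ev.target}")
        score += WEIGHTS.get((ev.category, ev.action), 0)
        # Count each intelligence indicator once, however often it is contacted.
        if ev.category == "network" and ev.target not in seen_indicators:
            if ev.target in INTEL["malicious_domains"] or ev.target in INTEL["phishing_urls"]:
                seen_indicators.add(ev.target)
                score += INTEL_HIT_BONUS
                evidence.append(f"network target {ev.target} matches intelligence")
    score = min(score, MAX_SCORE)
    return {
        "score": score,
        "level": risk_level(score),
        "report": dict(grouped),
        "evidence": evidence,
    }


# Constructed traces: a plausible installer and a sample with dropper traits.
BENIGN_TRACE = [
    Event("process", "create", "C:\\Temp\\setup.exe"),
    Event("file", "write_executable", "C:\\Program Files\\App\\app.exe"),
    Event("network", "dns", "updates.example.com"),
    Event("network", "connect", "updates.example.com:443"),
]
SUSPICIOUS_TRACE = [
    Event("process", "create", "C:\\Users\\demo\\invoice.exe"),
    Event("registry", "set_run_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event("file", "delete_self", "C:\\Users\\demo\\invoice.exe"),
    Event("network", "dns", "bad-cdn.example.net"),
    Event("network", "connect", "bad-cdn.example.net"),
]

if __name__ == "__main__":
    for name, trace in (("installer", BENIGN_TRACE), ("invoice", SUSPICIOUS_TRACE)):
        result = score_file(trace, "f" * 64)
        print(name, result["score"], result["level"], sorted(result["report"]))
```

Note that the suspicious trace scores high even though neither its hash nor any single action is a signature match: persistence, self-deletion and a contact with a known-bad domain accumulate, which is the point of scoring rather than a binary verdict.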

Key benefits to using a cloud-based sandbox

The following are some of the benefits to leveraging a cloud-based sandbox for protection against malware.

High detection rate with both static and behavioural analysis

The malware sample database behind a cloud-based sandbox can contain more than 1 billion samples, and it quickly detects whether an uploaded file matches any of them. A cloud-based sandbox also simulates running environments and triggers file behaviors such as creating processes, modifying the registry and initiating callback connections, so that unknown threats can be detected by analyzing the file’s behavior.

Protection of encrypted traffic

Since SSL encryption became widespread, more and more applications use HTTPS. However, today’s malware also uses SSL encryption to evade detection. A cloud-based sandbox decrypts the encrypted traffic and restores the files carried in it, so that malware can be detected even when it is hidden in encrypted traffic.

Measures against anti-sandbox technology

Cloud-based sandboxes support the identification and detection of anti-sandbox malware. By hiding sandbox artifacts such as kernel module and registry information, the sandbox can present a realistic running environment. To prevent malware from escaping detection, a cloud-based sandbox simulates manual, interactive operations and hooks the APIs the malware calls, so that its behaviour is triggered.

Comprehensive threat information in the reports

Upon detecting malware or unknown threats, a cloud-based sandbox raises alarms and notifications and presents comprehensive reports of the malware’s behavior in the firewall’s administration panel. Network behavior, process behavior, file behavior and key file information are displayed in the reports.

The progress of the attack is visualized through kill-chain analysis on the firewall platform, so that security administrators can take appropriate action.

Advanced malware has become so sophisticated that it can easily evade traditional security solutions including firewalls, IPS and antivirus technologies.

To address advanced malware, a cloud-based sandbox delivers a unique, advanced threat detection platform that can emulate the execution environment, analyze all activities related to malicious files, identify advanced threats and collaborate with existing solutions to provide rapid remediation.

Article by Hillstone Networks' South East Asia regional director Francis Teo.
