The modern threat landscape is one of constant evolution. Everything is changing before our eyes: the types of security threats we face, and especially the methods cybercriminals use to infiltrate networks and steal data. These new, ever-changing threats have become very complex, bringing new risks and uncertainties.
Typically, signature-based protection like antivirus (AV) and intrusion prevention systems (IPS) detects known malware and blocks it from infecting the organization. However, knowing that most organizations have deployed these technologies, hackers have turned their focus towards creating unknown malware, often just variants of earlier code, in order to bypass these systems more readily. Threat prevention solutions must protect against both known and unknown threats in order to be effective.
With Check Point’s recent SandBlast launch, there have been many questions about the sandboxing components of the technology. Let’s take a step back and discuss sandboxing and how it helps protect against unknown malware and zero-day attacks.
Traditional vs. Advanced Sandboxing
The traditional sandbox runs suspicious files in a controlled environment, segregated from the network, emulating a standard operating system (OS) for safe observation and analysis of file behavior. It activates files in various ways to simulate an actual user opening the file, and then monitors that activity to see if it triggers anything beyond what is normally expected.
The challenge is that cybercriminals know these safeguards exist, and they develop malware that can evade some of these sandboxes. They can write malware that recognizes when it is inside a sandbox and holds off on deploying until it knows it is outside the sandbox, on an actual endpoint. Another common approach hackers use is to build ‘sleep timers’ into the malware, allowing it to open minutes, or even days or months, after inspection, long after the file has been marked safe. These evasions show us that the technology currently in place is no longer enough. Security solutions must evolve in order to stay ahead of hackers.
Advanced sandboxes address these evasions. They retain the capabilities of traditional sandboxes, but add the ability to detect malware in data files before it deploys, by watching activity at the processor instruction level during the exploit phase, when the attack is trying to obtain unlawful execution privileges from the operating system. Traditional sandboxing, combined with the power of CPU-level sandboxing, delivers an advanced sandbox with powerful, evasion-resistant protection that detects AND blocks unknown malware.
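As an added illustration (not Check Point's code and not a description of SandBlast internals), the small Python model below shows why a fixed observation window is defeated by a sleep timer, and how a sandbox that accelerates the sample's sleeps, a common countermeasure, still observes the delayed behavior. The trace, event names and thresholds are constructed for this example.

```python
# Constructed behavior trace of a hypothetical sample. Each event is either
# ("sleep", seconds) or ("action", name). The sample waits ten minutes before
# doing anything worth flagging, which is the sleep-timer evasion described
# above. Event names and timings are made up for this illustration.
SAMPLE_TRACE = [
    ("sleep", 5),
    ("action", "open_document"),
    ("sleep", 600),
    ("action", "write_file"),
    ("action", "connect_out"),
]

SLEEP_CAP_S = 1.0  # wall-clock cost of one sleep when acceleration is on


def run_sandbox(trace, budget_s, accelerate_sleep):
    """Replay a trace inside a sandbox with a fixed wall-clock budget.

    Without acceleration every sleep is honored in full, so a long sleep burns
    the budget and later actions are never observed. With acceleration the
    sample's virtual clock still advances by the full requested time (so its
    own timer check passes) while wall time only advances by SLEEP_CAP_S.
    """
    wall, virtual, observed, timed_out = 0.0, 0, [], False
    for kind, value in trace:
        if kind == "sleep":
            virtual += value
            wall += min(value, SLEEP_CAP_S) if accelerate_sleep else value
            if wall > budget_s:
                timed_out = True
                break
        else:
            observed.append(value)
    return {"observed": observed, "wall_elapsed": wall,
            "virtual_elapsed": virtual, "timed_out": timed_out}


def evasion_indicators(trace, long_sleep_s=300):
    """Heuristics a detonation engine can raise even when nothing ran."""
    indicators = []
    total_sleep = sum(v for k, v in trace if k == "sleep")
    if total_sleep >= long_sleep_s:
        indicators.append("sleep_timer")
    # Any action that follows a sleep at or above the threshold is suspicious:
    # benign documents do not wait minutes before touching disk or network.
    seen_long_sleep = False
    for kind, value in trace:
        if kind == "sleep" and value >= long_sleep_s:
            seen_long_sleep = True
        elif kind == "action" and seen_long_sleep:
            indicators.append("activity_after_long_sleep")
            break
    return indicators
```

Running `run_sandbox(SAMPLE_TRACE, 120, False)` reports only `open_document` and a timeout, whereas the accelerated run sees all three actions in about two seconds of wall time.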
When evaluating a sandboxing solution, keep in mind that the technology must have these capabilities:
- The sandbox must have the ability to detect and block attacks.
- Evasion resistance is highly important. A sandbox solution must detect malware before it deploys to be fully effective.
- Fast and accurate detection is critical to ensure your company’s productivity isn’t hindered.
- The sandbox must have the ability to support common file types (files that are used on a regular basis, such as PDFs, Word docs, Excel files, and zip files), as well as the ability to support web objects such as Flash and Java.
Essentially, an advanced sandbox solution allows you to be proactive in your approach to security, rather than reactive. When you are constantly reacting to problems after they occur, rather than preventing them, it wastes time, energy, and money.