Sandboxes are vulnerable. Over the past several months, we’ve seen an increase in attacks that are specifically designed to evade sandbox detection. Some use ingenious locale settings. Others mask XML files with a .docx extension to get around true file type requirements. And some are made up of a single URI and a short TTL domain that leaves such a small footprint that they are undetectable. In addition, all run queries to detect installed apps, uptime, disk volume, or an active Internet connection to determine if they are in a sandbox. If so, the malware goes to sleep until the coast is clear. Then? Game over.
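The ".docx that is really XML" trick above works because a gateway that trusts the file extension never looks at the bytes. The check below, added here as an illustration and not code from the original post or from Menlo, sniffs the true container type from the content (a genuine .docx is a ZIP package with `[Content_Types].xml` and `word/document.xml` inside, while a raw XML document starts with `<?xml` or `<`) and flags any file whose extension disagrees with what was actually uploaded. The sample files, the `EXPECTED` table and all function names are constructed for the example.

```python
import io
import zipfile
from typing import List, Tuple

# Content signatures for the formats mentioned in the post plus two common
# neighbours. Constructed table for this example, not from the original post.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls
PDF_MAGIC = b"%PDF-"

# Which sniffed type(s) each extension is allowed to carry.
EXPECTED = {".docx": {"docx"}, ".doc": {"ole2"}, ".xml": {"xml"}, ".pdf": {"pdf"}}


def sniff_type(data: bytes) -> str:
    """Classify a file by its bytes, ignoring whatever extension it claims."""
    if data.startswith(ZIP_MAGIC):
        # A real .docx is an OOXML package: a zip holding [Content_Types].xml
        # and word/document.xml. Any other zip is just a zip.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            return "docx"
        return "zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    # Strip a UTF-8 BOM and leading whitespace before looking for markup.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"          # plain HTML lands here too; both are "not a docx"
    return "unknown"


def check_extension(filename: str, data: bytes) -> Tuple[str, str, bool]:
    """Return (extension, sniffed type, mismatch?) for one file."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    actual = sniff_type(data)
    allowed = EXPECTED.get(ext)
    # Only extensions we have a rule for can mismatch; unknown ones are passed
    # through (a real gateway would route those to the sandbox or block them).
    mismatch = allowed is not None and actual not in allowed
    return ext, actual, mismatch


def flag_masqueraders(files: List[Tuple[str, bytes]]) -> List[str]:
    """Names of files whose content type contradicts their extension."""
    return [name for name, data in files if check_extension(name, data)[2]]


def make_minimal_docx() -> bytes:
    """Build the smallest OOXML package the sniffer accepts (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
    return buf.getvalue()


# Constructed sample: a Word 2003 WordprocessingML document renamed to .docx,
# the kind of extension/content mismatch the post describes.
XML_AS_DOCX = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
               b'<?mso-application progid="Word.Document"?>\n'
               b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"/>\n')

SAMPLE_UPLOADS = [
    ("quarterly-report.docx", make_minimal_docx()),   # genuine OOXML package
    ("invoice.docx", XML_AS_DOCX),                    # XML wearing a .docx name
    ("notes.txt", b"nothing to see here\n"),          # no rule for .txt, passed through
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        print(name, check_extension(name, data))
    print("flagged:", flag_masqueraders(SAMPLE_UPLOADS))
```

The point of the sniff is that it is cheap enough to run on every file before it goes anywhere near a sandbox, so a disguised document is caught by a static rule rather than by behaviour the malware can choose not to show.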
You can read more about a variant of the Emotet trojan that is able to evade sandbox detection here, and Kowsik Guruswamy recently penned an article for Dark Reading that outlines three such attacks. I won’t bore you with all the gory details here, but the point is that today’s threat actor has grown sophisticated enough to easily and frequently evade sandbox security defenses. That’s a big problem for enterprises that rely solely on a detect-and-respond cybersecurity approach.
Sandboxing is currently the security tool of choice employed by most enterprises for protecting users from web-based threats. A sandbox sits in a Secure Web Gateway (SWG) as a means to detect and quarantine malicious content before it has a chance to infect an endpoint. This detect-and-respond strategy has largely worked. Recently, increasingly robust threat intelligence has enhanced detection methods, hardening cybersecurity defenses all over the world. However, for every two steps forward that cybersecurity takes, it also takes a step back. Hackers and other threat actors are getting more sophisticated as well, and they’re able to adapt on the fly to counter even the best threat intelligence sources. As a result, new threat intelligence can expire as soon as it is put onto the battlefield.
Relying solely on sandboxing makes the enterprise extremely vulnerable. Once the inevitable infection occurs—and, yes, it will occur—it will encounter few if any defenses inside the perimeter. Malware essentially has free rein to spread across the network and infect critical business systems at will. That’s why we’re fierce advocates of Zero Trust. Why spend all your resources trying to determine safe vs. risky content when you can just assume that all web content is risky? That way, you can isolate everything in a safe, cloud-based environment far from users’ devices. Malware is prevented from ever reaching the endpoint—whether or not it has been detected. The result is that any damage is limited to a remote isolation environment far from your users, network, data, and critical business systems. Sure, users can click on malicious content, open weaponized documents, and practically invite threat actors onto their devices, but the Menlo isolation solution ensures that threat actors do not have direct access to end users or their devices.
Of course, web isolation is not a panacea for all your cybersecurity needs. There will be instances when users need local access to files, and some traffic can’t be isolated. Therefore, an isolate-or-block approach is needed. Isolation and sandboxing work together in a cohesive manner within the SWG to keep the enterprise safe from web-based threats. Organizations know that it’s important to harden the perimeter, but they also need to be prepared for the inevitable breach. A unified isolate-or-block approach covers all angles.