Think outside the sandbox

By:
Jerish Parapurath
July 8, 2015

As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.

A critical component of today’s network perimeter security is the file-based sandbox. Sandboxes were created to analyze suspicious files on isolated hosts – many with different operating systems – in a contained environment.

The file behavior analysis covers changes to registry keys, creation of new processes, installation of new services, creation or deletion of files, installation of a toolbar, modification of host files, and command-and-control (C&C) server communications.

It’s important to note that the file behavior analysis is performed in an isolated network and on an isolated and simulated host. The analysis does not fully capture all the network behaviors of a real infected host.

The results of the file analysis from the sandbox are signatures that identify malicious files and blacklists that contain the C&C servers contacted by the malware. Perimeter security devices use these signatures and blacklists to block known malicious files and C&C connections.

All new samples and variants of a malware go through this cycle of sandbox analysis. But malware creators are getting smarter and have designed malware that is aware of sandbox analysis. Some malware is equipped with tricks to evade sandbox detection. It also employs different methods, such as HTTPS, Tor and P2P, to connect to the C&C server as a fallback option.

What happens to malware that slips past perimeter security defenses? What happens to unknown malware? What happens to the file analysis that has captured only a part of the malware behavior, such as the initial communications to a C&C server or just one method of communication to a C&C server? This is where network behavior analytics systems come to the rescue.

A network behavior analytics system uses a combination of machine learning and data science to analyze network traffic and identify traffic that indicates active malware in a network.

This provides security analysts with visibility into nefarious network activity and uncovers the steps of an active cyber attack. Regardless of the malware type, the attackers’ mission is the same: Spy, spread, and steal from the network.

The network traffic from an infected host includes communications with C&C servers, malware updates, internal reconnaissance, and lateral movement such as malware propagation and abuse of stolen credentials, data accumulation and data exfiltration.

These activities can occur over the course of several weeks or months. They often blend well with benign network traffic, which makes it even more difficult to detect using signatures and reputation lists.

A network behavior analytics system gives IT security teams the network visibility they need to quickly respond to cyber threats. It can detect threats missed by perimeter security devices such as firewalls, sandboxes and IPS. Security information and event management (SIEM) can leverage data from network behavior analytics systems to quickly identify and respond to threats.

In today’s threat landscape, every day is a zero-day. Network security must be layered. Complementing perimeter security, sandboxes and SIEMs with a network behavior analytics system is required to quickly identify and respond to cyber threats. It’s time to think outside the sandbox.

Signatures are great at catching large-scale commodity threats. But to stop targeted attacks, you need to jump off the signature hamster wheel and lie in wait where attackers will inevitably show up – inside your network.
