Sandboxing is one of the most effective tools available for analyzing suspicious objects and detecting malicious behavior. Different implementations of this technology are used in a wide range of security solutions. But the accuracy of threat detection depends directly on how faithfully the sandbox emulates the environment in which suspicious objects are run.
What is a sandbox and how does it work
A sandbox is a tool that creates an isolated environment in which the behavior of suspicious processes can be analyzed. This usually takes place in a virtual machine or container, which allows the analyst to examine potentially malicious objects without the risk of infecting or damaging a real working environment or leaking important corporate data.
For example, the sandbox in the Kaspersky Anti Targeted Attack (KATA) Platform works as follows: if some component in the security solution detects a dangerous or suspicious object (for example, a file or URL), it’s sent to the sandbox for scanning, along with the details of the working environment (OS version, list of installed programs, system settings, etc.). The sandbox runs the object or navigates to the URL, recording all artifacts:
- Execution logs, including system API calls, file operations, network activity, URLs and processes accessed by the object
- System and memory snapshots (dumps)
- Created (unpacked or downloaded) objects
- Network traffic
After the testing scenario completes, the collected artifacts are analyzed and scanned for traces of malicious activity. If such traces are found, the object is flagged as malicious, and the tactics, techniques and procedures (TTPs) identified are mapped to the MITRE ATT&CK matrix. All data retrieved is stored for further analysis.
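The following is an added example, not code from the original post or from the KATA sandbox itself, of the last step described above: scanning a collected execution log for traces of malicious activity and mapping each finding to an ATT&CK technique ID. The trace format (one API call per line, `<pid> <api> <args>`), the sample trace, the rule set and the scoring threshold are all constructed for the illustration; the ATT&CK IDs (T1547.001, T1055, T1071.001) are the real ones for Run-key persistence, process injection and web-protocol C2.

```python
import re
from collections import defaultdict

# Constructed sample trace in the assumed "<pid> <api> <args>" format.
SAMPLE_TRACE = """\
1204 CreateFileW C:\\Users\\user\\AppData\\Local\\Temp\\update.exe GENERIC_WRITE
1204 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater C:\\Users\\user\\AppData\\Local\\Temp\\update.exe
1204 OpenProcess explorer.exe PROCESS_ALL_ACCESS
1204 VirtualAllocEx explorer.exe 0x1000 PAGE_EXECUTE_READWRITE
1204 WriteProcessMemory explorer.exe 0x1000 4096
1204 CreateRemoteThread explorer.exe 0x1000
1204 InternetOpenUrlA http://203.0.113.10/beacon
1204 CreateFileW C:\\Users\\user\\Documents\\report.docx GENERIC_READ
"""

LOG_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")


def parse_trace(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"pid": int(m["pid"]), "api": m["api"], "args": m["args"]})
    return events


# Single-event rules: (name, ATT&CK id, predicate, weight). Weights are assumptions.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SINGLE_RULES = [
    ("run-key persistence", "T1547.001",
     lambda e: e["api"] == "RegSetValueExW" and RUN_KEY.search(e["args"]), 3),
    ("web C2 traffic", "T1071.001",
     lambda e: e["api"] in ("InternetOpenUrlA", "InternetOpenUrlW", "WinHttpOpenRequest"), 1),
]

# Multi-event rule: the classic allocate -> write -> remote-thread sequence
# from one process into one target process.
INJECT_SEQ = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def find_injection(events):
    """Return the target names for which a pid completed the full injection sequence."""
    progress = defaultdict(int)  # (pid, target) -> index of the next expected API
    hits = []
    for e in events:
        target = e["args"].split(" ", 1)[0] if e["args"] else ""
        key = (e["pid"], target)
        if e["api"] == INJECT_SEQ[progress[key]]:
            progress[key] += 1
            if progress[key] == len(INJECT_SEQ):
                hits.append(target)
                progress[key] = 0
    return hits


def analyze(text, threshold=3):
    """Score a trace and return a verdict plus the ATT&CK-mapped findings."""
    events = parse_trace(text)
    findings, score = [], 0
    for e in events:
        for name, tid, pred, weight in SINGLE_RULES:
            if pred(e):
                findings.append((tid, name, e["args"]))
                score += weight
    for target in find_injection(events):
        findings.append(("T1055", "process injection", target))
        score += 5
    return {"verdict": "malicious" if score >= threshold else "clean",
            "score": score, "findings": findings}


if __name__ == "__main__":
    for tid, name, detail in analyze(SAMPLE_TRACE)["findings"]:
        print(f"{tid:10} {name:22} {detail}")
```

The point of the sequence rule is that none of the three injection calls is suspicious on its own (debuggers and installers use them too); it is the ordered combination against one target that is worth flagging, which is why the rule tracks progress per (pid, target) pair rather than counting individual calls.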
The main problem with sandboxes is that cybercriminals know about them and constantly refine their evasion methods. To circumvent sandbox protection, attackers focus on developing technologies to detect specific features of virtual environments. They do this by looking for characteristic artifacts or states of the sandbox, or unnatural behavior of the virtual user. Having detected (or even just suspected) such signs, the malicious program alters its behavior or self-destructs.
In the case of malware used for targeted attacks, cybercriminals meticulously analyze the configuration of the operating system and the set of programs used on the target machine. Malicious activity is triggered only if the software and system fully comply with the attackers’ expectations. The malware can work at strictly defined time intervals or activate after a certain sequence of user actions.
How to make an artificial environment more real
To fool a potential threat into running in a secure environment, combinations of different approaches are deployed:
- Variable and randomized virtual environments: creation of multiple sandboxes with different combinations of settings and installed software
- Realistic simulation of user behavior, including the speed of typing passwords, viewing text, moving the cursor, clicking the mouse
- Use of a separate physical (non-virtual) machine isolated from the working environment to analyze suspicious objects related to hardware attacks and device drivers
- A combination of static and dynamic analysis; monitoring of system behavior at certain time intervals; use of time-acceleration technologies on virtual machines
- Use of images of real workstations from the target environment, including operating system and configuration of programs, plug-ins and security settings
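As an added illustration of the first two items in the list above (this is not code from the post or from the KATA platform), the block below builds a pool of randomized, pairwise-distinct virtual machine profiles and produces human-like keystroke timing for a simulated user. The software pools, hostname pattern, uptime range and typing model are assumptions chosen for the example.

```python
import hashlib
import math
import random

# Constructed pools; a real deployment would draw these from the images it has on hand.
OS_POOL = ["Windows 10 22H2", "Windows 11 23H2", "Windows Server 2019"]
OPTIONAL_SOFTWARE = ["Microsoft Office", "Adobe Reader", "Google Chrome", "7-Zip",
                     "VLC", "Notepad++", "Java 8", "Python 3"]
LOCALES = ["en-US", "de-DE", "fr-FR", "ja-JP"]
RESOLUTIONS = [(1366, 768), (1920, 1080), (1536, 864)]
HOST_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def make_profile(rng):
    """One randomized environment: OS, identity, locale, software set and signs of use."""
    return {
        "os": rng.choice(OS_POOL),
        "hostname": "DESKTOP-" + "".join(rng.choices(HOST_ALPHABET, k=7)),
        "username": rng.choice(["jsmith", "m.weber", "analyst", "acct-02"]),
        "locale": rng.choice(LOCALES),
        "resolution": rng.choice(RESOLUTIONS),
        "software": sorted(rng.sample(OPTIONAL_SOFTWARE, rng.randint(2, 5))),
        # A machine that has been in use for a while, not freshly booted.
        "uptime_minutes": rng.randint(45, 60 * 24 * 9),
        "recent_documents": rng.randint(5, 40),
    }


def profile_fingerprint(profile):
    """Stable short hash of a profile, used to reject duplicate combinations."""
    return hashlib.sha256(repr(sorted(profile.items())).encode()).hexdigest()[:16]


def make_pool(n, seed=None):
    """Build n profiles whose fingerprints are pairwise distinct."""
    rng = random.Random(seed)
    seen, pool = set(), []
    while len(pool) < n:
        p = make_profile(rng)
        fp = profile_fingerprint(p)
        if fp not in seen:
            seen.add(fp)
            pool.append(p)
    return pool


def keystroke_delays(text, rng, wpm=45):
    """Per-character delays in seconds: log-normal jitter around the average
    cadence for the given words-per-minute, plus a longer pause after spaces
    and punctuation, so the typing is not a fixed-interval burst."""
    base = 60.0 / (wpm * 5)  # average seconds per character (5 chars per word)
    delays = []
    for ch in text:
        d = rng.lognormvariate(math.log(base), 0.35)
        if ch in " .,;:":
            d += rng.uniform(0.05, 0.25)
        delays.append(round(d, 3))
    return delays


if __name__ == "__main__":
    for p in make_pool(3, seed=42):
        print(profile_fingerprint(p), p["os"], p["hostname"], p["software"])
    print(keystroke_delays("hello world", random.Random(7)))
```

Seeding the generator makes a run reproducible, which matters when an analyst wants to re-detonate a sample in exactly the environment in which it misbehaved; the uptime and recent-document counts are there because a freshly provisioned image with nothing on it is itself one of the "unnatural" states the earlier section warns about.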
Our sandbox implements all of these techniques: it can emulate the behavior of a real user, deploy randomized environments, and operate in manual or automatic mode. And we’ve recently updated our extended detection and response solution – Kaspersky Anti Targeted Attack Platform. The integrated sandbox now lets you use custom system images with a choice of OS (from the list of compatible ones) and install third-party programs. More information about the platform is available on the dedicated KATA page.