What is Sandboxing?
Sandboxing is the process of isolating suspected software code so that it can be examined to determine its properties and characteristics, without risking malware infection of valuable internal compute assets. This can be done in an appliance or virtual machine. The sandbox allows the code to run and observes the behavior, then assigns a risk score based on that behavior. That risk score can be used to determine the disposition of the software. Is it malware, or just a benign Microsoft Excel macro? This intelligence can then be distributed to other parts of your network such as firewalls and end-point security to better protect your enterprise. Sandboxes are normally used to detect and isolate unknown malware.
Agile and DevOps are not just for the good guys
Just like cutting-edge software developers use agile development and DevOps to speed software development and deployment cycles, hackers are using these same tools to develop scalable, autonomous, self-learning attack swarms and intelligent, headless botnets that can quickly exploit zero-day vulnerabilities. Hackers are also taking advantage of AI and machine learning technology to train their systems to use a variety of attack vectors to target a wide swath of the attack surface at once. These AI-driven botnets can attack end-user devices, probe for server and firewall vulnerabilities, generate phishing emails, perform SQL injections, map a network, and exploit operating system vulnerabilities. All at once. On a massive scale. Using the same cloud technology that businesses use to scale.
Ransomware as a Service
And hackers don’t even have to know how to build this botnet. They can just rent it by the minute or hour, just like your company rents Microsoft Office. This makes becoming an advanced hacker as easy as swiping your credit card and picking your target. Recently fired and want to get back at your employer, and you know some vulnerabilities? Mad at your boss and want to get even? With a bit of insider knowledge and a bitcoin account, your former employees could be the ones doing the attacking from behind an anonymous botnet.
How do you stay ahead of these rapidly advancing threats?
How do you deal with these increasingly sophisticated, fast-changing threats? Hire more people? While that is a possibility, they are difficult to find, take a lot of training, are expensive, and are in very high demand. Not to mention that throwing people at the problem is not very scalable.
Sandboxing to the Rescue
Sandboxing is a technology that organizations are increasingly relying on to detect unknown threats and stop them before they can cause harm and cost money. A sandbox is purpose-built to identify zero-day advanced malware and, just as importantly, to quickly share this new threat intelligence with the rest of your security infrastructure.
Products such as Fortinet’s FortiSandbox can be deployed as a physical device, a virtual machine, or on a pay-as-you-go basis. It is purpose-built to detect these heretofore unknown zero-day threats by isolating the potentially malicious code, allowing it to run in a sandboxed environment, observing its behavior, and then assigning a threat score based on the results.
This threat score can then be shared with other security products via the Fortinet Security Fabric or via an API interface. For example, FortiSandbox can notify your firewalls of the newly discovered threat so they can automatically block traffic with the same signature or characteristics. FortiSandbox can also notify your Security Operations Center of the new threat, as well as report the information to FortiGuard Labs for investigation and sharing of threat intelligence worldwide.
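The detect-score-share loop described above (run the sample, observe behavior, assign a risk score, decide its disposition, and push the result to firewalls and endpoints) as a small added model. This is illustrative code written for this article, not FortiSandbox’s own scoring logic; the behavior names, weights, thresholds and the two sample reports are constructed assumptions.

```python
"""Behavior-based sandbox verdict: observations -> risk score -> disposition -> share."""
from dataclasses import dataclass, field
import hashlib

# Constructed weights: how suspicious each observed behavior is on its own.
# A macro merely running and reading cells is normal for a real workbook.
WEIGHTS = {
    "macro_executed": 0,
    "reads_cells": 0,
    "spawns_shell": 30,             # Office spawning cmd/powershell is a classic pivot
    "drops_executable": 25,
    "persistence_registry_run": 20,
    "outbound_connection": 15,
    "mass_file_encryption": 40,
}
# Combinations that are far worse together than the sum of their parts.
COMBOS = [({"spawns_shell", "outbound_connection"}, 20),
          ({"drops_executable", "persistence_registry_run"}, 20)]

@dataclass
class SandboxReport:
    sha256: str
    behaviours: set
    contacted_hosts: list = field(default_factory=list)

def risk_score(report):
    """0-100 score; behaviors with no weight get a small default so nothing is silently free."""
    score = sum(WEIGHTS.get(b, 10) for b in report.behaviours)
    for combo, bonus in COMBOS:
        if combo <= report.behaviours:
            score += bonus
    return min(score, 100)

def verdict(score):
    if score >= 70:
        return "malicious"
    if score >= 30:
        return "suspicious"
    return "clean"

def fabric_notification(report):
    """What gets pushed to firewalls/endpoints: hash, verdict, and hosts to block."""
    score = risk_score(report)
    v = verdict(score)
    return {"sha256": report.sha256, "score": score, "verdict": v,
            "block_hosts": list(report.contacted_hosts) if v == "malicious" else []}

# Constructed sample reports: a benign budgeting macro and a macro-based dropper.
BENIGN = SandboxReport(hashlib.sha256(b"benign-budget.xlsm").hexdigest(),
                       {"macro_executed", "reads_cells"})
DROPPER = SandboxReport(hashlib.sha256(b"invoice-dropper.xlsm").hexdigest(),
                        {"macro_executed", "spawns_shell", "drops_executable",
                         "persistence_registry_run", "outbound_connection"},
                        ["203.0.113.10"])  # documentation-range address, constructed
```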
Physical device, virtual appliance, or pay per use
FortiSandbox is available in a variety of formats. You can purchase a hardware device specifically scaled for your expected volume. Or you can choose to run it as a virtual machine either on-premises or in the AWS, Azure, or Google cloud. Or you can simply subscribe to Fortinet’s “sandbox on demand” service that allows your security infrastructure to transfer suspected malware to Fortinet’s sandbox environment for analysis, and pay as you go for each scan.
Summary
Hackers are using the same advanced software development techniques – agile development, DevOps, and AI – to create constantly evolving cyberthreats targeted at your environment. Cyber crime is big money, so where there is money to be made, there will be people – often bad actors – to exploit the opportunities. And this doesn’t even count the well-funded and very sophisticated nation-state cyberterrorism activities, whose goal may or may not be money but is often more sinister and difficult to detect.
Sandboxing is a tool of growing importance for security specialists: it can be used to isolate and detect zero-day threats, and to share the resulting threat intelligence internally and with the wider community.