3 Facts about Sandbox-based Gateway Appliances
While sandbox-based gateway appliances provide generally good protection against malware, bad guys are finding new ways to circumvent them.
By Sanjay Katkar, CTO, Quick Heal Technologies
Sandbox-based gateway security appliances are widely used in enterprises both large and small, for plenty of good reasons. They are popular, effective, easy to implement and often inexpensive.
These appliances employ a variety of tools to block new, unknown malware along with targeted attacks found in email attachments and downloaded files. The tools span a wide spectrum of technology: URL filtering, advanced persistent threat (APT) defenses, legacy malware protection and application control.
Over the past few years, spear phishing attacks, made via an email that appears to be from an individual or business that you know but isn't, have been the primary cause of successful data breaches. With more than 90 percent of attacks on enterprise networks coming about as a result of spear phishing, the rise of sandbox-based gateway appliances couldn't come soon enough.
At the same time, the underworld has gotten smart and hackers have found new ways to break through the protection of these appliances.
As new areas of vulnerability have emerged to wreak havoc on your corporate network, here's what you need to know about sandbox-based gateway appliances.
They Are Generally Reliable
Typically, sandbox-based gateway appliances provide strong malware protection across various platforms -- notably multiple Windows OS environments -- and across a wide range of file types such as Microsoft Office, Adobe PDF, Java, Flash, executables and so on. In addition, they do a great job of detecting and stopping threats hidden in SSL and TLS encrypted communications.
Sandbox-based appliances execute their defenses against malware in a virtual mode. They process each incoming email attachment by launching it in a secure virtual environment and monitoring its runtime behavior to detect whether any malicious activity occurs. Once they detect a threat, they put it in quarantine. Then they extract key information from the malware, such as the file names it drops and the IP addresses it tries to call back to. That information is then used to search for other activity on the network coming from the same attack source.
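The last step above, taking the indicators a sandbox extracted from a detonated attachment and sweeping network and endpoint logs for other hosts that touched the same attack source, is what turns a single quarantine into an incident scope. The following is an added example, not code from the article or from any Quick Heal product; the sandbox verdict format, the proxy log format, the endpoint event format, and all addresses, domains and file names in it are constructed for illustration (the IPs are from the TEST-NET documentation ranges).

```python
"""Correlate a sandbox verdict with proxy and endpoint logs (added example).

Assumptions (not from the article): the sandbox emits a verdict record
listing the indicators it extracted, the gateway keeps a proxy log as
one line per request, and endpoints report file-creation events.
Every value below is constructed sample data.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Constructed sandbox verdict for one quarantined attachment.
SANDBOX_VERDICT = {
    "sample": "invoice_0417.exe",
    "verdict": "malicious",
    "dropped_files": ["svchost32.exe", "update.dll"],
    "callback_ips": ["203.0.113.45", "198.51.100.7"],
    "callback_domains": ["update-check.example"],
}

# Constructed proxy log: timestamp, source host, destination, method, path.
PROXY_LOG = """\
2015-06-01T09:12:01 10.0.4.21 203.0.113.45 GET /gate.php
2015-06-01T09:12:05 10.0.4.21 93.184.216.34 GET /index.html
2015-06-01T09:13:40 10.0.7.8 198.51.100.7 POST /upload
2015-06-01T09:15:02 10.0.2.3 203.0.113.46 GET /news
2015-06-01T09:16:11 10.0.9.14 update-check.example GET /ping
"""

# Constructed endpoint file-creation events (hypothetical agent format).
ENDPOINT_EVENTS = [
    {"host": "10.0.4.21", "path": r"C:\Users\a\AppData\Roaming\svchost32.exe"},
    {"host": "10.0.2.3", "path": r"C:\Windows\System32\svchost.exe"},
    {"host": "10.0.7.8", "path": r"C:\Temp\UPDATE.DLL"},
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Hit:
    host: str        # internal host that touched the indicator
    indicator: str   # normalised indicator value
    kind: str        # "ip", "domain" or "file"
    evidence: str    # the log line or path that matched


def parse_proxy_line(line):
    """Return a dict for one proxy log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path = m.groups()
    return {"timestamp": ts, "src": src, "dst": dst, "method": method, "path": path}


def build_indicator_index(verdict):
    """Normalise the verdict's indicators so log values compare exactly."""
    ips = {str(ipaddress.ip_address(v)) for v in verdict.get("callback_ips", [])}
    domains = {d.lower().rstrip(".") for d in verdict.get("callback_domains", [])}
    files = {f.lower() for f in verdict.get("dropped_files", [])}
    return ips, domains, files


def correlate_proxy(verdict, log_text):
    """Find internal hosts that contacted a callback IP or domain."""
    ips, domains, _ = build_indicator_index(verdict)
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the sweep
        try:
            key, kind, known = str(ipaddress.ip_address(rec["dst"])), "ip", ips
        except ValueError:  # not an IP literal, treat as a host name
            key, kind, known = rec["dst"].lower().rstrip("."), "domain", domains
        if key in known:
            hits.append(Hit(rec["src"], key, kind, line.strip()))
    return hits


def correlate_endpoints(verdict, events):
    """Find hosts where a file with one of the dropped names was created.

    Only the base name is compared, case-insensitively, so svchost.exe does
    not match svchost32.exe and a different directory does not hide a hit.
    """
    _, _, files = build_indicator_index(verdict)
    hits = []
    for ev in events:
        name = ntpath.basename(ev["path"]).lower()
        if name in files:
            hits.append(Hit(ev["host"], name, "file", ev["path"]))
    return hits


def affected_hosts(verdict, log_text, events):
    """Sorted list of internal hosts implicated by any indicator."""
    hits = correlate_proxy(verdict, log_text) + correlate_endpoints(verdict, events)
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    for h in correlate_proxy(SANDBOX_VERDICT, PROXY_LOG) + correlate_endpoints(SANDBOX_VERDICT, ENDPOINT_EVENTS):
        print(f"{h.host:10} {h.kind:6} {h.indicator:22} {h.evidence}")
    print("affected hosts:", affected_hosts(SANDBOX_VERDICT, PROXY_LOG, ENDPOINT_EVENTS))
```

Two design points matter for a real deployment. Indicators are normalised before comparison (IP literals parsed, domains lower-cased and stripped of a trailing dot, file names reduced to their base name), because a raw string match would miss `UPDATE.DLL` or `update-check.example.` while a substring match would wrongly flag the neighbouring address `203.0.113.46`. And the sweep degrades gracefully on malformed log lines, since one bad line in a large proxy log should not abort the search for other victims.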
For the past five years or so, the sandbox approach has produced good results, as it has successfully detected and blocked a variety of zero-day advanced persistent threats.
The key to the success of these appliances is that they have been able to neutralize what were -- by today's standards -- relatively unsophisticated malware variants. Those malware creations focused solely on penetrating traditional anti-virus and firewall solutions. Before the arrival of sandbox-based appliances, malware was routinely able to breach traditional security walls with persistent zero-day attacks.
Today, however, the struggle to keep up with the inventiveness of cyber criminals has become more challenging than ever. The bad guys have created newer, smarter malware specifically to penetrate the APT defenses of sandbox-based appliances, leaving gaps in the protection they were once able to guarantee.
... But No Longer Impenetrable
Recently, Quick Heal Research Labs detected a new form of malware, APT-QH-4AG15, that breached the networks of some financial institutions in the Philippines, penetrating the toughest defenses posed by sandbox vendors.
These attacks were spread by spam emails containing malicious executable files inside attachments. What is notable about these attacks is that once the components were executed by victims, the malicious payloads cleverly avoided detection, bypassing automated analysis security software. These payloads were specially built to carry out user surveillance by capturing keylogs, screenshots and login information.
The mechanism of these targeted attacks was similar to those seen in APTs. In general, once all the components of an APT have been decrypted and downloaded onto a victim's machine, the remote attacker gains full access and can perform various malicious activities.
Employ as One Layer of Security in a Multi-layered Defense
While the network breaches of the last few years have raised concerns about the effectiveness of endpoint security protection, future breaches will raise concerns about the reliability of sandbox gateway appliances.
Even the most advanced sandbox-based appliance can be breached today. As a result, enterprise IT needs to consider and implement multiple layers of protection to safeguard their networks.
The only way to effectively protect your enterprise and its data from attack is to enact a multi-layered defense that covers the entire enterprise network: all endpoints, all mobile devices and all applications. The smart play is to also ensure that all software updates are rigorously implemented in a timely fashion.
Small to midsize enterprises, which often lack deep internal IT resources, can best defend their environments by working closely with IT service providers experienced in the latest threat protection strategies and solutions. The bottom line is to get ready, get real and recognize that what worked yesterday won’t necessarily work today when it comes to achieving the best possible network protection.
Sanjay Katkar is the co-founder and chief technical officer of Quick Heal Technologies, a global provider of IT security solutions. He holds degrees in computer science from University of Pune, India. Katkar, who has been associated with Quick Heal since its incorporation, has spearheaded the development of the company's enterprise software, technology and services. Specifically targeted at small to midsize enterprises, Quick Heal's Seqrite data security product line is sold in North America exclusively through channel partners.