Advanced malware is the latest and potentially most destructive threat in cyberspace. These advanced threats are stealthy, targeted and very patient. Though often based on well-known malware with easily identified signatures, they are changed to avoid typical pattern recognition defenses. Additionally, they are usually focused on specific targets, making their footprint on the network even smaller. Finally, they will patiently maneuver until they achieve their objective, so their trail is hard to pick up. For all these reasons and more, advanced malware may be active for a long time before it is discovered and shut down. In the meantime, working undiscovered, it creates significant damage to systems and organizations.
Because of the unusual characteristics of advanced malware, many of the traditional assumptions employed in developing network security solutions are no longer categorically valid. Signature-based approaches continue to be needed in the overall solution, being extremely efficient and accurate in capturing known malware, but they are no longer sufficient on their own to completely protect an organization. Advanced malware evades these defenses, requiring alternative approaches.
One of the common methods for addressing this threat has been a behavior-based technique, known as sandboxing.
A sandbox is an isolated virtual environment pretending to be a real endpoint. The sandbox allows a suspect file to run as if it had reached a targeted endpoint, while its built-in instrumentation monitors the file’s behavior. If the file is indeed malicious, it can do no real damage in the isolated virtual environment. This makes the sandbox a relatively safe environment for testing suspected files. In addition, because there is no requirement to know anything about the file before it is analyzed – in other words, no signatures are needed – sandboxing is a great technique to start identifying advanced malware.
There are, of course, limitations to some sandboxing approaches that reduce their ability to catch advanced threats. For example, many sandbox technologies run on generic versions of a given OS rather than a real image of the customer’s actual operating environment. This can lead to false assumptions about how the suspect file would behave on the customer’s real endpoints.
Still, this behavior-based approach has been effective in identifying a good number of advanced threats, so there is a lot of excitement in the market around this technology. However, it is precisely this excitement that has led to the common myth that the primary challenge of advanced malware is identifying it.
In fact, identifying advanced malware is important, but the real challenge is dealing with advanced malware, which means it also must be stopped, and any damage done must be remediated. To really defend against advanced malware, sandboxing must be complemented by tools that block and remediate what it discovers. Without these additional capabilities, the security industry is only working on part of the problem and leaving the majority of the (tedious and manual) work to its customers.
Sandboxing is a feature, not a product, and identifying advanced malware is only a step, not a solution. Buying a product that can only sandbox does not solve the challenge – in fact, in the short term, it just signs up the security team for more work. The challenge is much bigger, and evolving.
The real solution requires deep integration with other security technologies and products. Only through integration with other security products can advanced malware be stopped and remediated – sandboxing only identifies the threat. Signature-based solutions already have the ability to block and prevent attacks from getting through, and their real-time nature assures that attacks do not infect their target. So while traditional solutions are often not capable of identifying advanced malware, they defend well. The danger of fixating on sandboxing is that blocking and remediation, which are critical parts of the total solution, get forgotten; only integration brings identification, blocking and remediation together.
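To make the integration argument concrete, here is an added example (not code from this blog or from any vendor product) of the hand-off the post describes: a sandbox verdict is turned into rules that an existing real-time, signature-style control can enforce, and into remediation tasks for hosts that already hold the file. The behaviour names, weights, threshold, hashes, domains and host inventory are all constructed for illustration.

```python
"""Sandbox verdict -> block rules -> remediation tasks (illustrative pipeline)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Illustrative behaviour weights; a real sandbox has its own scoring model.
BEHAVIOR_WEIGHTS = {
    "writes_autorun_key": 4,
    "injects_into_process": 5,
    "contacts_unlisted_domain": 3,
    "deletes_shadow_copies": 6,
    "reads_documents": 1,
}
MALICIOUS_THRESHOLD = 6  # constructed threshold for this example


@dataclass
class SandboxReport:
    """What the sandbox observed while detonating one file (constructed data)."""
    sha256: str
    observed_behaviors: List[str]
    contacted_domains: List[str]


@dataclass
class Verdict:
    sha256: str
    score: int
    malicious: bool


def score_report(report: SandboxReport) -> Verdict:
    """Identification step: reduce observed behaviours to a verdict."""
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in report.observed_behaviors)
    return Verdict(report.sha256, score, score >= MALICIOUS_THRESHOLD)


def block_rules(verdict: Verdict, report: SandboxReport) -> List[Dict[str, str]]:
    """Blocking step: express the verdict as rules a real-time control can enforce."""
    if not verdict.malicious:
        return []
    rules = [{"type": "file_hash", "value": verdict.sha256, "action": "block"}]
    rules += [{"type": "domain", "value": d, "action": "block"}
              for d in sorted(set(report.contacted_domains))]
    return rules


def remediation_tasks(verdict: Verdict,
                      host_inventory: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Remediation step: hosts that already hold the file need cleanup, not just a block."""
    if not verdict.malicious:
        return []
    return [{"host": host, "action": "isolate_and_quarantine", "sha256": verdict.sha256}
            for host, hashes in sorted(host_inventory.items())
            if verdict.sha256 in hashes]


def process(reports: List[SandboxReport], host_inventory: Dict[str, List[str]]):
    """Run all three steps and return (block rules, remediation tasks)."""
    rules: List[Dict[str, str]] = []
    tasks: List[Dict[str, str]] = []
    for report in reports:
        verdict = score_report(report)
        rules += block_rules(verdict, report)
        tasks += remediation_tasks(verdict, host_inventory)
    return rules, tasks


# Constructed sample data: hashes are derived from labels so they are obviously not real IoCs.
MALICIOUS_SHA256 = hashlib.sha256(b"constructed-malicious-sample").hexdigest()
BENIGN_SHA256 = hashlib.sha256(b"constructed-benign-sample").hexdigest()

SANDBOX_REPORTS = [
    SandboxReport(MALICIOUS_SHA256,
                  ["writes_autorun_key", "injects_into_process", "contacts_unlisted_domain"],
                  ["placeholder-c2.example"]),
    SandboxReport(BENIGN_SHA256, ["reads_documents"], ["placeholder-update.example"]),
]

# Which hosts already have which file hashes (constructed endpoint inventory).
HOST_INVENTORY = {
    "ws-01": [MALICIOUS_SHA256],
    "ws-02": [BENIGN_SHA256],
    "ws-03": [MALICIOUS_SHA256, BENIGN_SHA256],
}

if __name__ == "__main__":
    block, fix = process(SANDBOX_REPORTS, HOST_INVENTORY)
    for rule in block:
        print("BLOCK", rule)
    for task in fix:
        print("REMEDIATE", task)
```

The point of the split into three functions is the post's own point: `score_report` is all a stand-alone sandbox gives you, and the value only appears once its verdict feeds `block_rules` (so the next copy never reaches an endpoint) and `remediation_tasks` (so the copies that already arrived are cleaned up).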
To learn more about the Seven Myths of Advanced Malware, subscribe to this blog or follow me on Facebook or Twitter.