Malware Sandboxing

Skilled malware analysts and researchers are hard to come by and expensive to hire. A mind-map from http://tylerhalfpop.com/re/2014/09/06/re-malware-analysis-skills/ illustrates some of the skills required.

FireEye was first to market with appliances that run automated dynamic analysis (sandboxing) against web traffic and against e-mail links and attachments, and block what that analysis finds malicious. Competition soon followed and effectively created a class of control that NSS Labs terms the "Breach Detection System" (BDS for short). Solutions like FireEye won't put malware researchers out of a job; in fact their expertise is sought after to improve automated sandbox analysis, which is one reason these solutions don't come cheap.

An IDS/IPS/WAF typically looks at a request made to your servers and checks it against a known set of malicious signatures before deciding whether to allow or block it. A BDS looks at the opposite side of the fence: the outbound web traffic initiated by end-users, analysing the requests and the objects downloaded. If the automated analysis deems a request or object malicious, subsequent requests to that destination are blocked (note the word "subsequent": by the time the sandbox verdict arrives, the object that triggered it has usually already reached the user).

Some BDS also block call-backs to known Command & Control (C2) servers when deployed in-line. If the sandbox detects malicious behaviour that calls back to a previously unknown C2 destination, the appliance can feed that destination into a "threat intelligence" network or cloud run by the BDS vendor. Some customers are not keen on sending information out, so they only allow updates to be pulled down to the appliances to keep the defence current.

A BDS offering email protection performs the same automated analysis on embedded links and attachments before it either forwards the mail to its recipients or rejects it.

I have the privilege of working in an environment with a significantly large BDS deployment while, at the same time, building up Security Operations Centres. My opinion of BDS is mixed.

The opinions expressed here are solely my personal views and not those of my current company.

"Don't put all your eggs in one basket" applies to investment in security controls. "Defence-in-depth", "layered security" and related metaphors boil down to spreading (the spending on) the strategic implementation of technical controls so as to significantly raise the cost and difficulty of mounting an attack. Sadly, based on the amount spent and my own testing, I really can't see the justification for that amount. That said, competition is a good thing: it brings prices down and drives innovation in automated malware analysis.

I'm not saying BDS is useless. I think it is more effective at blocking email attachment and link based attacks, especially if email policies are already in place to reject any attached executable.
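As an added example (not from the original post), here is what the "reject attached executables" policy looks like as Exchange transport rules typed into the Exchange Management Shell. The rule names and the reject text are assumptions made for illustration. The two forms are shown side by side because the one most organisations deploy, matching on file-name extension, is the weak one.

```powershell
# Added example, not from the original post. Rule names and reject text are
# assumptions; run from the Exchange Management Shell as an organisation admin.

# Weak form: match on the file-name extension. Any extension missing from the
# list, or the same file renamed or dropped inside a .zip, passes straight
# through. Left in audit mode here so the logs show what it would have caught.
New-TransportRule -Name 'Reject executables (by extension)' `
    -AttachmentExtensionMatchesWords 'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'hta' `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# Better form: let Exchange inspect the attachment's actual content rather than
# its name, so a renamed payload is still caught. Priority 0 makes this rule
# evaluate before the extension rule.
New-TransportRule -Name 'Reject executables (by content)' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce `
    -Priority 0

# Verify what is actually in place and whether each rule enforces or only audits.
Get-TransportRule |
    Where-Object { $_.AttachmentHasExecutableContent -or $_.AttachmentExtensionMatchesWords } |
    Format-Table Name, Priority, Mode, State
```

How deep into nested archives the content check looks depends on the Exchange version, so send yourself a test message with a renamed executable inside a .zip before trusting it. A password-protected archive, or a mail that only carries a link to the payload, still passes both rules; that is exactly where the BDS link analysis and, on the endpoint, application control have to take over.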

Unfortunately for web protection, delivering the malicious payload over SSL/TLS is one of the easiest ways to bypass a BDS. Without selective SSL/TLS visibility (decrypting chosen categories of traffic at a proxy so the appliance can see the objects), such a solution is completely blind to encrypted traffic, and it becomes less effective as the Internet moves towards encryption for both good and bad reasons. Your security program is only as strong as its Achilles' heel.

It is ironic that companies are willing to block executable email attachments but do not consider application control part of their security program. By application control we mean limiting what users can run for their daily work to a known-good set of applications. Microsoft ships application control natively in Windows (Software Restriction Policies, and AppLocker from Windows 7 onwards), but the usual complaint is that it is hard to maintain and manage.

Why should admin, HR, accounts or finance staff be allowed to run arbitrary executables obtained from the web, removable media or anywhere else on their desktops or laptops?

Why should a POS terminal be running any other programs besides the POS software?

How often do we introduce new software that would create the (perceived) additional burden of maintaining a whitelist?

If the lack of application control is the current situation in your company, stop and take a step back before acquiring any BDS. It is not a magic box that will solve "Advanced Persistent Threats".
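As an added example of the native Windows control referred to above (AppLocker; this is not code from the original post), the following PowerShell builds an allow-list from a clean reference build, applies it in audit mode, tests a downloaded file against it, and pulls the audit events that tell you what the list is still missing. That audit loop is the answer to the "hard to maintain" complaint: nothing is blocked until you have seen what would be. The directories, the policy path, the user name alice and the file name invoice.exe are assumptions. Run it elevated on the reference machine; AppLocker is only enforced on Enterprise and Server editions of Windows.

```powershell
# Added example (not from the original post). Directories, the policy path,
# the user 'alice' and 'invoice.exe' are assumptions. Run elevated.

# 1. AppLocker rules are only evaluated while the Application Identity service
#    runs. If Set-Service is refused (newer Windows 10 builds protect this
#    service), set the startup type through Group Policy > System Services.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory what legitimately runs on a clean reference build, not on a
#    random user's laptop that may already carry something unwanted.
$refDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 3. Publisher rules cover signed files and survive patching; hash rules catch
#    the unsigned remainder but must be regenerated whenever such a file changes.
#    -Optimize merges overlapping rules so the policy stays readable.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
           -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

# 4. Start every rule collection in AuditOnly: nothing is blocked yet, but each
#    file the rules would have stopped is written to the event log.
[xml]$policy = $xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = 'C:\AppLocker\baseline.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policy.Save($policyPath)

# 5. Apply locally, merging with any rules already present. For a domain-wide
#    rollout point Set-AppLockerPolicy at the GPO with -Ldap instead.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Ask the policy what it would do with a file a user just downloaded; the
#    PolicyDecision column answers the question before the file ever runs.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Users\alice\Downloads\invoice.exe' -User Everyone

# 7. The maintenance loop: while in audit mode, event 8003 is written for each
#    file that ran but would have been blocked. Review these, add rules for the
#    legitimate ones, then change EnforcementMode to "Enabled". Once enforced,
#    blocked files appear as event 8004. Scripts and installers log to the
#    separate 'Microsoft-Windows-AppLocker/MSI and Script' channel.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Leave the policy in audit mode for a full business cycle (month-end, payroll, whatever the finance or HR teams run only occasionally) before enforcing, and regenerate the hash rules as part of your patch process; a policy built once and never revisited is what earns application control its reputation for being unmanageable.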

Your mobile and home workers, who use the Internet outside the "protection" of the corporate BDS, are likely to give you more problems. Giving them VPN access is like bridging your intranet to the untrusted Internet. Compounded by the lack of application control and by unpatched applications and operating systems, it is going to be another headline or, worse still, go on unnoticed.

The unhealthy preoccupation with zero-day exploits is a very strong FUD marketing tactic that definitely makes some companies rich for a while. However, the adversary does not always need zero-day exploits to get in; all it takes are a few unpatched machines, the ability to run untrusted executables, and all the other bad practices that are ignored or assumed to be fixed by buying more security products. BDS will never close such gaps, nor was it meant to.


Written by Jym