Blog |

Bad Actors Are Going to School on Sandboxes - Here Is What You Can Do about It!

Automated Static Analysis is your secret weapon to leap ahead of advanced threats

Patrick Correia Author: Patrick Correia, Director of Product Marketing, ReversingLabs

cover bad actors 7

Just a few short years ago, Dynamic File Analysis (AKA Sandbox) was all the rage. Detonating a file in a “safe” sandbox environment to learn “who it would call and what it would do” and use that critical intelligence to upgrade defenses, was deemed the latest must have technology in cyber defense. While there is no question that dynamic file analysis is a practical and useful tool, as time went on the limitations of the technology surfaced. It’s understandable that bad actors have gone to school on sandboxes to understand exactly how sandboxes work, what the weaknesses are and how to exploit those weaknesses. So there are shortcomings, but that is not the end of the story - automated static analysis can augment sandboxes and overcome whatever strategies and tactics bad actors can come up with. 

Challenges

Let’s take a step back and look at just some of the challenges security professionals are faced with when relying heavily on sandboxes, then explain how automated static analysis can help.

1: too many files to keep up with

Enterprises are inundated with a broad range of files (more on that later), so totally depending on a sandbox which is relatively slow performance wise, requires heavy investment in compute power and financial resources. Even then, sandboxes can easily be overwhelmed, e.g. DoS wave attacks for one.

2: SANDBOXES CAN BE EASILY EVADED

One of the biggest limitations is that the bad guys know most organizations utilize this technology and have found ways to fool it or move around it. Techniques like; building malware that detects when it is in a sandbox, and upon detonation, does not execute the code related to the attack, or using uncommon extensions or browser plugin exploits, environments likely not present in the sandbox.

3: LIMITED COVERAGE OF FILES THAT A SANDBOX CAN ANALYZE

Typically sandboxes are limited to just a few file types and those that qualify likely do not include emerging attacks. Some usual examples that sandboxes do run are Win Exe, some PDF, FLASH (if with HTML), ZIP and RAR archives and macros. That leaves a lot of files and objects not covered - not to mention new evasion techniques and emerging file format attacks that are generated every day.

Solutions

So it’s pretty clear that sandboxes have limitations, but that is not where this story ends. High-speed automated static analysis is your secret weapon to defend against advanced attacks. And maybe we should rephrase that statement to: high-speed automated static analysis, in conjunction with dynamic analysis, should be your go-to weapon to defend against advanced attacks. Here are a few reasons why:

1: It can handle the volume of files and objects

The explanation is in the name: high-speed, automated static analysis. It’s pre-execution and it’s fast (typically 5 ms for decomposition of a file). No more manual processes which take a terrible toll on resources and effective detection, or combining disparate tools that weren’t designed to work together. Automated static analysis is scalable to millions of files per day. It’s easy to see why our customers use it as a funnel to drastically reduce the amount of volume before the sandbox to improve compute cost/benefit ratios. Add File Reputation which references our 8 billion sample database of goodware and malware and you are off and running!

2: Evasion, what evasion?

Since it’s pre-execution, there’s no getting around automated static analysis. It unpacks 360 file formats and generates up to 3000 threat indicators and extracts all objects, far exceeding dynamic analysis capabilities. And the metadata produced provides a complete context of malware intent.

3: We’ve got you covered

With 3,600 file formats identified at high speed, emanating from web traffic, email, file transfers endpoints or storage, automated static analysis has the capability to expand analysis to all executable content and can be deployed against all objects and files that need to be analyzed. This increases system resiliency and visibility to all unknown malware. Here’s a short list of what sandboxes typically do not cover:

  • FLASH (ALL)
  • WINDOWS DLL / Drivers
  • Documents
  • Non-traditional Archives
  • Firmware
  • Scripts
  • PE Packers
  • Installers
  • Android, WIN Phone
  • LINUX, iOS
  • Very Large Files
  • 1000+ Format Families

More on what automated static analysis enables security teams to do

Security teams gain earlier detection and identification of threats and by eliminating large numbers of good files early, reduce false positives and improving the efficiency of the investigation process. This complements the use of dynamic analysis as only “files of interest” are sent to the sandbox greatly improving efficiency and the data extracted from both offers amazingly rich context.

Internal malware investigation teams greatly accelerate their analysis processes and have a better starting point. The same fast analysis and deep contextual understanding of the malware, means an investigation team gains quick understanding of properties of the malware and can create “custom signatures and rules” to proactively search for that malware internally while upgrading detection capabilities across endpoints and networks. Targeted YARA rules integrated as part of static analysis can enable a security team to react faster than AV vendors in detecting unknown or polymorphic malware.

Threat hunting teams that can benefit from solid intelligence to decide what they are going to hunt for. They also need tools that help them hunt in multiple locations across their enterprise and search for their targets both historically and in real-time. Automated static analysis help here as well. Malware intelligence collected by the investigations teams and linked with the latest global threat intelligence provide excellent starting points to hunt from. The most advanced of the new static analysis tools include databases to store rich malware context and provide advanced search engines to pivot across large sample sets and push out multiple hunting queries across the network, SIEM or data lakes.

Looking for more information? Don't forget to register for our upcoming live webinar, Achieve Better, Faster Results by Augmenting Your Sandbox with Automated Static Analysis, on September 18 at 2PM ET / 11AM PT.