By ANY.RUN Team
Malware sandboxes help solve the problem of identifying previously unknown malware samples. They are protection systems that let you evaluate whether software is safe by running and analyzing it in an isolated virtual environment. This article walks through what a sandbox is and why an organization needs one.
What is a malware sandbox?
The malware sandbox is an established class of security product. Its main task is to check the objects placed in it, collect events from the network for further analysis, and process the collected data. Each event is verified against configured policies.
A sandbox is an isolated environment to which an object, such as a suspicious file, is sent for analysis. The sandbox collects as much telemetry and context as possible from pre-configured sensors in the network. A sensor can be any existing device or application: a mail gateway, workstation agents, or a firewall that forwards files to the sandbox for inspection. Alternatively, a malware analyst can upload a file or submit a link for research themselves.
It is important to check malware under different circumstances, and a sandbox supports almost all operating systems so that malware behavior can be revealed on each of them. A customized sandbox is already a tool against targeted attacks; what to customize depends, as always, on the user's priorities.
Why do you need a malware sandbox?
Static analysis cannot always detect malicious code. A sandbox lets you run a sample and examine its operation and behavior dynamically. The tool helps build protection against any kind of malicious object: backdoors, downloaders, bankers, ransomware, and so on. Websites, applications, operating systems: the landscape the service covers is huge. The sandbox is often placed in the DMZ segment, between the perimeter firewall and the core network.
What is the difference between a sandbox and an antivirus?
A malware sandbox dynamically analyzes objects in an isolated network environment that has no connection to the company's network, and it allows the object to reveal itself as fully as possible. Host-based antivirus works the other way around: it aims to block malware and its actions. Antivirus or EDR is the next tier of protection; ideally, the malicious object should never reach the workstation at all.
What types of objects are handled by the sandbox?
These can be links, binaries, Word or Excel files, images, or any other object a customer needs to check. It is worth mentioning that there is little sense in analyzing files larger than 300 MB; separate, specialized solutions exist for analyzing large files, but this is very rarely needed.
Malicious objects reach the sandbox from several sources, such as firewalls, mail gateways, and WAFs, and many standard protocols are supported for the exchange: Syslog, ICAP, SMTP, and NFS. The sandbox can also be integrated via an API into almost any environment, so all kinds of organizations can benefit from the tool.
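The sensor-to-sandbox handoff described above can be modeled as a small triage gateway. The following Python is an added example, not ANY.RUN code: it classifies each incoming object by URL scheme or magic bytes, enforces the 300 MB practical limit from the article, de-duplicates submissions by SHA-256 so the same file from two sensors is analyzed once, and builds the submission record. The endpoint URL, request field names, and the guest-environment hint are assumptions, not a real sandbox API.

```python
"""Triage gateway in front of a sandbox submission API.

Added example (not ANY.RUN code). It models the step between a sensor
(mail gateway, firewall, WAF, or an analyst upload) and the sandbox:
classify the object, enforce the size limit, de-duplicate by hash, and
build the submission. Endpoint, field names and environment hints are
assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

MAX_SANDBOX_SIZE = 300 * 1024 * 1024  # practical upper bound from the article
SUBMIT_ENDPOINT = "https://sandbox.example.invalid/api/v1/submit"  # assumed

# Magic-byte signatures for the object types the article mentions.
SIGNATURES = [
    (b"MZ", "pe_binary"),                                 # Windows EXE/DLL
    (b"\x7fELF", "elf_binary"),                           # Linux executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office_ole"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip_container"),                     # .docx/.xlsx are ZIPs
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "image_png"),
    (b"\xff\xd8\xff", "image_jpeg"),
]
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)

# Which guest OS to request (assumed): ELF goes to Linux, everything else to Windows.
ENV_FOR_KIND = {"elf_binary": "linux"}


@dataclass
class SandboxObject:
    name: str
    source: str               # sensor that produced the object
    data: bytes = b""
    url: Optional[str] = None


def classify(obj: SandboxObject) -> str:
    """Return a coarse object type from the URL or the leading bytes."""
    if obj.url is not None:
        return "link" if URL_RE.match(obj.url) else "invalid_link"
    for magic, kind in SIGNATURES:
        if obj.data.startswith(magic):
            if kind == "zip_container":
                # OOXML documents carry their part names in local file headers.
                if b"word/" in obj.data:
                    return "office_docx"
                if b"xl/" in obj.data:
                    return "office_xlsx"
            return kind
    return "unknown"


def build_submission(obj: SandboxObject, kind: str, digest: str) -> dict:
    """Assumed request body for the sandbox API; a real client would POST this."""
    return {
        "endpoint": SUBMIT_ENDPOINT,
        "object_type": "url" if obj.url is not None else "file",
        "name": obj.name,
        "url": obj.url,
        "sha256": digest,
        "detected_type": kind,
        "environment": ENV_FOR_KIND.get(kind, "windows"),
        "source_sensor": obj.source,
    }


class TriageGateway:
    def __init__(self, max_size: int = MAX_SANDBOX_SIZE):
        self.max_size = max_size
        self.seen = set()  # SHA-256 of everything already submitted

    def triage(self, obj: SandboxObject) -> dict:
        kind = classify(obj)
        if kind == "invalid_link":
            return {"action": "reject", "reason": "unsupported URL scheme"}
        if obj.url is None and len(obj.data) > self.max_size:
            return {"action": "reject", "reason": "exceeds size limit", "size": len(obj.data)}
        material = obj.url.encode() if obj.url is not None else obj.data
        digest = hashlib.sha256(material).hexdigest()
        if digest in self.seen:
            return {"action": "skip", "reason": "already submitted", "sha256": digest}
        self.seen.add(digest)
        return {"action": "submit", "kind": kind, "sha256": digest,
                "payload": build_submission(obj, kind, digest)}


if __name__ == "__main__":
    # Constructed sample objects, as they might arrive from different sensors.
    gw = TriageGateway()
    samples = [
        SandboxObject("invoice.docx", "mail-gateway",
                      data=b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml"),
        SandboxObject("dropper.exe", "firewall", data=b"MZ" + b"\x90" * 64),
        SandboxObject("landing-page", "waf", url="http://example.invalid/login"),
        SandboxObject("dropper-copy.exe", "analyst", data=b"MZ" + b"\x90" * 64),
    ]
    for s in samples:
        print(s.name, "->", gw.triage(s)["action"])
```

The hash-based de-duplication is what keeps a busy mail gateway and a firewall from detonating the same attachment twice; the size check is applied before hashing so that an oversized object is rejected without being read into the pipeline.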
Does the sandbox help protect against an APT attack?
Yes. The sandbox helps defend against advanced persistent threats (APT attacks) because it allows events to be analyzed in depth. A malicious object may carry different signatures and bypass the antivirus, but its behavior stays roughly the same, and that is what the sandbox shows. One of the main goals is to make the sandbox as attractive to malware as possible so that it exposes itself fully in a controlled, secure environment. For example, the interactive approach of the ANY.RUN sandbox triggers malware that requires direct human actions: drag the mouse, press keys, create specific files and folders, open documents, do everything needed to trick the malware into running.
Of course, you can create your own isolated environment for malware analysis from scratch, but it takes a lot of effort and time to prepare. And even then, there is a chance that your sandbox will not be secure enough, will be detectable by malware, or will fail to provide the necessary information. To speed up the process we recommend using ready-made solutions like ANY.RUN. It is an online service, so you can run a sample from anywhere and get results right away.
Specialist qualifications for working with the sandbox
With a well-designed, intuitive interface, a highly qualified employee is not required. Sandboxes like ANY.RUN make easy and fast analysis their main advantage; a little experience and a general understanding of cybersecurity processes are enough. Resolving incidents and conducting investigations requires a higher level of skill, but the ANY.RUN service displays all details and information conveniently, so you won't miss a thing and can carry out a complete analysis.
Sandbox reports are transparent and readable (MITRE ATT&CK matrix, screenshots and videos, IOCs, behavioral activity, etc.). The collected information is aggregated and organized, so the report saves the technician time.
A sandbox is one of the most important elements of corporate infrastructure protection. A modern sandbox not only blocks the spread of a malicious object but also structures a significant amount of dynamic analysis data, passing it to a specialist for further evaluation or, via standard exchange protocols, to other cybersecurity products.
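To make the report contents and the handoff to other products concrete, here is an added Python example that is not ANY.RUN code and does not use ANY.RUN's report format: the JSON report below is constructed for the example. The script pulls out the IOCs and MITRE ATT&CK technique IDs that such a report carries, derives a verdict from the behavioral activity levels, and renders the findings as RFC 5424 syslog lines (Syslog being one of the exchange protocols listed earlier) that a SIEM can ingest. The scoring weights, thresholds, and the structured-data element names are assumptions.

```python
"""Consume a sandbox report and hand its findings to downstream tools.

Added example (not ANY.RUN's code or report format). The report below is
constructed for illustration; hashes, task ID, hostnames and IPs are
placeholders from documentation ranges.
"""
import json
import re
from datetime import datetime, timezone

SAMPLE_REPORT = r'''{
  "task_id": "example-task-0001",
  "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
  "file_name": "invoice.docm",
  "os": "Windows 10 x64",
  "behavior": [
    {"level": "malicious", "title": "Drops executable to user directory", "mitre": ["T1204.002"]},
    {"level": "malicious", "title": "Starts PowerShell with hidden window", "mitre": ["T1059.001", "T1564.003"]},
    {"level": "suspicious", "title": "Reads the computer name", "mitre": ["T1082"]},
    {"level": "informational", "title": "Checks supported languages", "mitre": []}
  ],
  "network": [
    {"type": "dns", "domain": "update.example-malicious.test"},
    {"type": "http", "url": "http://update.example-malicious.test/payload.bin", "ip": "203.0.113.10"}
  ],
  "dropped_files": [
    {"path": "C:\\Users\\admin\\AppData\\Roaming\\svchost.exe",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"}
  ]
}'''

TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")      # ATT&CK IDs: T1234 or T1234.001
WEIGHTS = {"malicious": 40, "suspicious": 15, "informational": 0}  # assumed scoring
SYSLOG_SEVERITY = {"malicious": 1, "suspicious": 4, "no threats detected": 6}
FACILITY_LOCAL0 = 16
ENTERPRISE_ID = "32473"  # enterprise number reserved for documentation (RFC 5612)


def parse_report(raw: str) -> dict:
    """Decode the JSON report and check the fields the rest of the code relies on."""
    report = json.loads(raw)
    for key in ("task_id", "sha256", "file_name", "behavior"):
        if key not in report:
            raise ValueError(f"report missing required field: {key}")
    return report


def extract_techniques(report: dict) -> list:
    """Collect well-formed ATT&CK technique IDs from every behavioral finding."""
    found = set()
    for activity in report["behavior"]:
        for tid in activity.get("mitre", []):
            if TECHNIQUE_RE.match(tid):
                found.add(tid)
    return sorted(found)


def extract_iocs(report: dict) -> list:
    """Return (type, value) pairs for network and file indicators, de-duplicated."""
    iocs = []
    for event in report.get("network", []):
        for key in ("domain", "url", "ip"):
            if key in event:
                iocs.append((key, event[key]))
    for dropped in report.get("dropped_files", []):
        iocs.append(("sha256", dropped["sha256"]))
        iocs.append(("file_path", dropped["path"]))
    seen, unique = set(), []
    for ioc in iocs:
        if ioc not in seen:
            seen.add(ioc)
            unique.append(ioc)
    return unique


def score_report(report: dict) -> int:
    """Weighted sum of activity levels, capped at 100."""
    return min(sum(WEIGHTS.get(a.get("level"), 0) for a in report["behavior"]), 100)


def verdict(report: dict) -> str:
    score = score_report(report)
    if score >= 40:
        return "malicious"
    if score >= 15:
        return "suspicious"
    return "no threats detected"


def _sd_escape(value) -> str:
    """Escape the three characters RFC 5424 forbids unescaped in SD-PARAM values."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(report: dict, hostname: str = "sandbox-01", timestamp=None) -> list:
    """Render one VERDICT line plus one IOC line per indicator, RFC 5424 format."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    v = verdict(report)
    pri = FACILITY_LOCAL0 * 8 + SYSLOG_SEVERITY[v]
    header = f"<{pri}>1 {ts} {hostname} sandbox-report - "
    task = _sd_escape(report["task_id"])
    techniques = ",".join(extract_techniques(report))
    sd = (f'[sandbox@{ENTERPRISE_ID} task="{task}" sha256="{report["sha256"]}" '
          f'verdict="{v}" score="{score_report(report)}" techniques="{techniques}"]')
    lines = [f"{header}VERDICT {sd} {report['file_name']}"]
    for kind, value in extract_iocs(report):
        sd = f'[ioc@{ENTERPRISE_ID} task="{task}" type="{kind}" value="{_sd_escape(value)}"]'
        lines.append(f"{header}IOC {sd} -")
    return lines


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("verdict:", verdict(rep), "score:", score_report(rep))
    print("techniques:", extract_techniques(rep))
    for line in to_syslog(rep):
        print(line)
```

Keeping the ATT&CK IDs and the indicators as separate structured-data elements lets the SIEM correlate the technique list with detections from other sensors while pushing the domain, IP, and hash values into block lists without parsing free text.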
The malware sandbox works with almost any operating system and device. Using this tool speeds up both investigation and verdict issuance; on average, a verdict takes a few minutes. The global sandboxing market is growing rapidly and is projected to double in 2 years. It is clear that a malware sandbox is an effective service that you definitely need.
About the Author
ANY.RUN is the first interactive online malware analysis sandbox. The service provides detection, analysis, and monitoring of cybersecurity threats. Based on an interactive approach to investigation, ANY.RUN lets users act on the virtual machine by launching various programs, changing configurations, rebooting the system, and running different scenarios. The user is in full control of the analysis flow in real time. Find out more here: https://any.run/.