When one thinks of a sandbox, what comes to mind are idyllic images of kids playing with buckets, shovels, and miniature-bulldozers on a pleasant summer day. A solid sandbox is a way to contain the kids to a safe area, stimulate creativity, and play within a clearly defined boundary. In some ways, the same is true for cyber-sandboxing, and that sense of “containment” within an increasingly hazard-fraught virtual word is driving its popularity.

What is sandboxing? As the name implies, cyber sandboxing creates a safe boundary.

Sandboxing constructs a virtual system

“Sandboxing creates a virtual system somewhere, maybe the cloud or on the systems itself, where you create virtual operating systems that act just like a normal computer,” George Insko tells SmarterMSP. Insko is Director of Cybersecurity for the University of Kentucky, which enrolls over 30,000 students and is the state’s largest institution of higher education.

In short, sandboxing allows any malware to be seen in a simulated virtual environment, so that it can be seized before being released into the more extensive network.

“When the sandboxing machine sees a suspect file, it grabs that file, imports the suspect file to one of the virtual operating systems, and opens it,” Insko details. The sandboxing technology then looks for indicators of compromise in the virtual operating system.

“These could be things like new connections to known malicious IPs or URLs, changes in the virtual operating systems registry keys, or just known bad files being opened and unwrapped. This should be largely effective in finding bad files,” Insko says.

However, as popular and potentially effective as sandboxing is, it’s not the end-all to good cybersecurity. 

Subscribe to SmarterMSP.com

“Sandboxing is just one tool in a cybersecurity tool kit,” says Insko. “As with any tool, it depends on how the user wields it, how the tool was made, and if it’s actually the right one for the job.”

There is a variety of sandboxing software technologies available, from downloadable freeware to ones that employ more sophisticated methodology.

However, most sandboxing programs are in what Insko describes as a “reactive mode.” Most sandboxes contain, but do not destroy threats; this means that whoever is managing the security services will need to go digging in the sandbox to root out the threat. Although, there is new technology that is more proactive in detecting and destroying threats in a contained area. This feature is something MSPs should take a close look at adding to their arsenal.

“This is a proactive approach and the preferred method of deploying sandboxing technology because it can reduce operational overhead and lessens a company’s risk. This trend is moving out to the desktop, with desktop antivirus being able to sandbox files and block them in close to real time,” acknowledges Insko.

What types of businesses can benefit from a sandbox?

Insko advises, “To understand what businesses will best benefit from sandboxing technology, each cybersecurity team should conduct both a gap-assessment and risk-assessment, determine who is attacking them, and why they are a target. Then, deploy tools to fix the holes in their gaps and reduce risk where needed.”

Emre Erturka senior cybersecurity lecturer at Eastern Institute of Technology in New Zealand, tells SmarterMSP that the “human factor” is a reason why sandboxing can be useful in specific business settings.

“I think the reasoning behind using sandboxing in medical, military, or other high-stakes environments has to do with human vulnerability. Some industries normally employ people with modest computer and security literacy, who may then fall victim to threats coming from websites and emails. Sandboxing would be a good measure for those industries or companies, which have a history of being targeted or incurring breaches,” theorizes Erturk.

Beyond the freeware and cheap off-the-shelf versions, the more effective sandboxing technology and the personnel needed to analyze and operate it, are often expensive, so it’s not for everyone.

“In some cases, sandboxing might not be the best choice. With the amount of success attackers have had with phishing and malware, and the ease at which it can be deployed, having some form of sandboxing in front of their users would be wise,” Insko says.

Moving towards deception

The appeal of sandboxing technology is that it can sniff out malware before it releases its payload. However, it’s not foolproof, so MSPs still need to do their due diligence. Bad guys are catching on.

“It’s the very small percentage that gets by which will harm you. The people sending the malware that get by know what they are doing. They are defeating sandboxing techniques by utilizing tricks like using multiple layers of encryption or compression to hide malicious files,” details Insko.

The bad guys can also use delayed malware execution, password protecting files, and are making the malware check to see if it is in a virtual environment. If it senses that it is, then it acts accordingly and sits latent. This allows the malware to pass the inspection phase of the sandboxing, or it will run a bunch of false execution codes to fool the sandboxing technology.

Ironically, Erturk says the very act of deception can be detected, which could catch the attention of an astute MSP or IT staffer.

“Just morphing or trying to escape radar would be suspicious anyway, so virus analysts can do further investigation on those that seem to be delaying their payload,” Erturk says. Still, the fact that sandboxing can be evaded shows that more work is needed.

“This is why sandboxing is not 100% effective and more enterprises are moving towards deception technologies, because a lot of the cybersecurity products have been letting us down for years. Deception technologies force the bad guys to be perfect once they have gotten into the enterprise. In its own way, deception is a form of sandboxing,” explains Insko.

The continual cat-and-mouse game between hackers and good guys continues, which now includes “playing in the sandbox.”

Photo: Ostap Senyuk / Unsplash

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *