Malware Analysis with Dynamic Sandboxing
Malware authors are clever, patient, well-funded, and relentless adversaries. They won’t stop until they achieve their objectives. If you’ve got data that they want, no defenses seemingly will prove sufficient. If you lock a door, they’ll come in a window. If you block the window, they’ll come down the chimney. If you plug the chimney, they’ll tunnel under the house. In the ever-escalating cyber arms race between attackers and security practitioners, layered defenses abound, but vulnerabilities still persist.
So how do you fight back? You first have to disabuse yourself of the notion that all malware can be blocked in real time; it simply cannot be, because malicious code is far too prevalent, polymorphic, and adaptive to be defended against entirely. Besides, stealthy malware may already be resident on your systems and networks, slowly exfiltrating data and compromising proprietary interests over many months or even years, before you put up your latest armor.
Layered defenses can block the “known bad,” but since some malware will always slip through, you must analyze these “unknown” files and URLs to determine their true capabilities by running them within highly realistic virtual environments. Only dynamic sandboxing can methodically unmask advanced malware by revealing its malicious behavior within a safe, instrumented framework closely configured to match production systems.
This raises the question of what makes for good sandboxing technology. It is a set of capabilities that automates workflow processes and generates “actionable intelligence” for security teams. Enterprise organizations with high-volume, active networks may face up to tens of thousands of unique threats per day: an asymmetric threat environment, made worse by today’s flat-to-declining IT security budgets.
There are many ways to flag suspicious files for analysis: content analysis algorithms, security analytics profiling, file source inspection, communications protocol filtering, or any combination of these. The dynamic sandbox solution must be capable of analyzing a large number of samples in parallel, with automatic risk scoring, while emulating the target environment as closely as possible. This allows the organization to prioritize its efforts and focus its limited security resources on the most urgent threats.
It is critical that the instrumented environment accurately capture low-level kernel events (e.g. page faults, exceptions) and high-level system events (e.g. file system, named objects, registry, network, and system processes) in the precise order in which they occur. It must also include countermeasures against anti-VM (virtual machine) detection to help thwart evasive malware that checks whether it is being observed. Furthermore, an increasing trend among malware authors is to disguise malware as legitimate software, with fake anti-virus perhaps the most prevalent category, so the ability to automatically click through installers and respond to dialog boxes is essential to ensure that proper intelligence is generated from malware that requires user interaction to reveal itself.
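The two preceding paragraphs describe automatic risk scoring over a sandbox trace and why the captured events must be kept in their true order. The following Python is an added illustration written for this article; it is not Norman Shark's code or any product's scoring engine. The trace line format, the rule names, the weights and thresholds, and the two sample traces are all constructed assumptions. It shows a sequence-aware rule (a file written and only afterwards executed) that fires only because the events are sorted into timestamp order first, and a prioritization step that ranks samples by score so an analyst can look at the highest-risk ones first.

```python
"""Toy behavioral risk scorer over an ordered sandbox event trace.

Added example for illustration only (not the article's or any vendor's code).
The log format, rule names, weights and thresholds below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed trace format, one event per line: "<timestamp> <pid> <event_type> <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<pid>\d+)\s+(?P<kind>\w+)\s+(?P<detail>.+)$"
)

# Constructed sample traces. SAMPLE_A is deliberately listed out of order:
# the second process_create appears before the file_write that produced it.
SAMPLE_A = r"""
1000.001 412 process_create C:\Users\victim\Downloads\setup.exe
1000.420 412 process_create C:\Users\victim\AppData\Local\Temp\svc.exe
1000.250 412 file_write C:\Users\victim\AppData\Local\Temp\svc.exe
1000.300 412 registry_set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
1001.100 588 network_connect 203.0.113.7:4444
"""
SAMPLE_B = r"""
2000.000 901 process_create C:\Program Files\Vendor\app.exe
2000.100 901 file_write C:\Users\victim\Documents\notes.txt
2000.200 901 network_connect 198.51.100.20:443
"""


@dataclass
class Event:
    ts: float
    pid: int
    kind: str
    detail: str


def parse_trace(text: str) -> List[Event]:
    """Parse trace lines and return events in timestamp order (stable sort
    preserves capture order for identical timestamps)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append(Event(float(m["ts"]), int(m["pid"]), m["kind"], m["detail"]))
    return sorted(events, key=lambda e: e.ts)


# Assumed rule weights, chosen only to make the example readable.
WEIGHTS = {
    "run_key_persistence": 40,  # autostart entry under a Run key
    "drop_and_execute": 35,     # a written file is later launched
    "uncommon_port": 15,        # outbound connection to an unusual port
    "exec_from_temp": 10,       # process launched from a Temp directory
}
COMMON_PORTS = {80, 443, 53}


def score_trace(events: List[Event]) -> Dict[str, object]:
    """Walk the ordered trace once and accumulate rule hits into a 0-100 score."""
    hits: Set[str] = set()
    written: Set[str] = set()  # paths written so far, in trace order
    for ev in events:
        d = ev.detail.lower()
        if ev.kind == "file_write":
            written.add(d)
        elif ev.kind == "process_create":
            if d in written:  # order matters: the write must precede the launch
                hits.add("drop_and_execute")
            if "\\temp\\" in d:
                hits.add("exec_from_temp")
        elif ev.kind == "registry_set":
            if "\\currentversion\\run\\" in d:
                hits.add("run_key_persistence")
        elif ev.kind == "network_connect":
            port = int(d.rsplit(":", 1)[1])
            if port not in COMMON_PORTS:
                hits.add("uncommon_port")
    score = min(100, sum(WEIGHTS[h] for h in hits))
    verdict = "high" if score >= 70 else "medium" if score >= 30 else "low"
    return {"score": score, "verdict": verdict, "hits": sorted(hits)}


def prioritize(samples: Dict[str, str]) -> List[Tuple[str, int]]:
    """Score every sample and return (name, score) pairs, highest risk first."""
    scored = [(name, score_trace(parse_trace(t))["score"]) for name, t in samples.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    for name, score in prioritize({"sample_a": SAMPLE_A, "sample_b": SAMPLE_B}):
        print(f"{name}: {score}")
```

If the sort in `parse_trace` were removed, the drop-and-execute rule would miss SAMPLE_A entirely, because the launch line is encountered before the write line in the raw capture; that is the practical reason the article insists on precise event ordering.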
The introduction of dynamic sandboxing into security infrastructures presents a significant opportunity for organizations to dramatically improve their defensive posture and security response capabilities. When used in conjunction with traditional front-line and advanced defenses, this enhancement can substantially improve your ability to defend against advanced persistent threats and targeted attacks.
Michael Rosen is the product marketing manager for Norman Shark, a provider of proactive security solutions and forensics malware tools.