Conventional antivirus and endpoint security tools are key components of a layered cyberdefense strategy for organizations, but they are certainly not foolproof in detecting malware.
More advanced malware, such as multistage malware that uses zero-day vulnerabilities, can defeat these security measures and infect the victim machine. This advanced type of malware is often deployed by nation-states or the more advanced organized crime groups to break into companies with good traditional defenses, and the usual delivery method is via an email phishing attack.
To complement endpoint security and intrusion prevention systems, some organizations turn to cloud-based sandboxing, which is often offered as a premium module by their existing security providers. A cloud-based sandbox examines a potentially malicious file or link in a safe environment before the end user can open it, executing the file and observing what it attempts to do. Suspicious behavior, such as contacting remote servers to download a payload or contacting a command-and-control server, can then be analyzed.
The file is only delivered to the recipient if it is judged safe. The sandbox is usually a virtual machine separate from the organization's network, which ensures the malware cannot spread to the network.
Analyzing links and files in this manner can block even complex zero-day malware that may not be detected by antivirus tools. A cloud-based sandbox is able to look at the behavior of the malware rather than relying on signature-based detection.
The advantage of cloud-based analysis over a dedicated sandbox appliance on your own network is scalability; it enables the organization to easily increase or decrease the number of files and links it can analyze. Cloud-based analysis also removes the overhead of managing and updating the appliance yourself, and provides much simpler coverage of remote offices and mobile users.
An effective cloud-based sandbox needs to support various features, such as the ability to monitor traffic encrypted using SSL, as this is a common method used by malware authors to attempt to avoid detection. It also needs to be able to operate inline, instantly blocking or quarantining based on user-defined policies. It's an advantage, too, if the cloud-based sandbox is able to take advantage of data from other users of the service, and to share information on threats so that any company using the same system can detect the threat.
The use of virtual machines for sandboxing has led some malware to attempt to fingerprint the machine on which it is running; if the malware detects a hypervisor, it terminates itself to prevent analysis. More advanced sandboxing defeats these evasion techniques by making the virtual machine's fingerprint appear as though it is running on bare metal, tricking the malware into executing as if it had reached the victim machine.
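The workflow described above (detonate, observe behavior, deliver only if safe, apply user-defined inline policy, share verdicts across customers, and treat sandbox-fingerprinting as a suspicious behavior in its own right) can be sketched as a small verdict engine. This is an added example, not code from the original article or from any sandbox vendor; the report layout, event names, policy weights, thresholds and the hash-keyed shared-intelligence cache are all assumptions constructed for illustration.

```python
"""Toy verdict engine for a cloud sandbox detonation report.

Added example; not code from the article or any vendor. The report layout,
event names, weights and thresholds are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass, field

# User-defined policy: how strongly each observed behaviour counts against
# a sample (assumed values).
BEHAVIOUR_WEIGHTS = {
    "outbound_connection": 2,   # contacted a remote server
    "payload_download": 5,      # fetched and wrote a second-stage executable
    "c2_beacon": 6,             # repeated callbacks to one host
    "persistence": 4,           # run key, scheduled task or service created
    "mass_file_encrypt": 8,     # ransomware-like bulk rewrites
    "anti_analysis_check": 3,   # probed for hypervisor or sandbox artefacts
}
QUARANTINE_AT = 5   # score >= this: hold for analyst review
BLOCK_AT = 10       # score >= this: drop and alert


@dataclass
class Report:
    """What the detonation VM observed for one submitted file."""
    sample: bytes
    events: list = field(default_factory=list)  # [{"type": ..., "detail": ...}]
    tls_inspected: bool = True                   # False if SSL traffic stayed opaque


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def score(report: Report):
    """Sum policy weights of observed behaviours; return (score, reasons)."""
    total, reasons = 0, []
    for ev in report.events:
        weight = BEHAVIOUR_WEIGHTS.get(ev["type"], 0)
        if weight:
            total += weight
            reasons.append(f"{ev['type']} (+{weight}): {ev.get('detail', '')}")
    # Encrypted traffic the sandbox could not inspect is an unknown, so an
    # outbound connection under those conditions is scored more conservatively.
    if not report.tls_inspected and any(ev["type"] == "outbound_connection" for ev in report.events):
        total += 3
        reasons.append("uninspected encrypted traffic (+3)")
    return total, reasons


def verdict_for(total: int) -> str:
    if total >= BLOCK_AT:
        return "block"
    if total >= QUARANTINE_AT:
        return "quarantine"
    return "deliver"


class SharedIntel:
    """Verdicts shared across tenants of the service, keyed by content hash."""
    def __init__(self):
        self._verdicts = {}

    def lookup(self, digest: str):
        return self._verdicts.get(digest)

    def publish(self, digest: str, verdict: str):
        if verdict != "deliver":        # only convictions are shared
            self._verdicts[digest] = verdict


def analyse(report: Report, intel: SharedIntel):
    """Inline decision for one file: deliver, quarantine or block, plus reasons."""
    digest = sha256_hex(report.sample)
    known = intel.lookup(digest)
    if known is not None:
        # Another tenant already convicted this file: no detonation needed.
        return known, [f"known from shared intelligence: {known}"]
    total, reasons = score(report)
    verdict = verdict_for(total)
    intel.publish(digest, verdict)
    return verdict, reasons


# Constructed sample reports (not real malware traces; documentation IP ranges).
BENIGN_DOC = Report(sample=b"%PDF-1.4 quarterly-report", events=[])
DROPPER = Report(sample=b"MZ constructed-dropper", events=[
    {"type": "anti_analysis_check", "detail": "queried hypervisor artefacts"},
    {"type": "outbound_connection", "detail": "203.0.113.10:443"},
    {"type": "payload_download", "detail": "wrote %TEMP%\\stage2.exe"},
])
MACRO_DOC = Report(sample=b"constructed macro doc", events=[
    {"type": "outbound_connection", "detail": "198.51.100.7:443"},
    {"type": "persistence", "detail": "HKCU Run key added"},
])

if __name__ == "__main__":
    intel = SharedIntel()
    for name, rep in [("benign", BENIGN_DOC), ("dropper", DROPPER), ("macro", MACRO_DOC)]:
        print(name, analyse(rep, intel))
    # A second submission of the same dropper is convicted from shared intelligence.
    print("second tenant, same dropper:", analyse(DROPPER, intel)[0])
```

The dropper scores 10 (fingerprinting probe, remote connection, second-stage download) and is blocked; the macro document scores 6 and is quarantined for review; the benign PDF is delivered. Once the dropper has been convicted, any other customer submitting the same bytes gets the verdict from the shared cache without a fresh detonation, which is the cross-customer sharing the text refers to.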
Overall, a cloud-based sandbox is a useful addition to an organization's defenses as part of a defense-in-depth strategy. It is an effective, although not foolproof, method of detecting zero-day malware and ransomware.