What is it?
Sandboxing is the practice of isolating malware, or software suspected of containing malware, within a contained or quarantined environment in order to observe and study its communications, infection vectors, and other behavioral characteristics.
Why is it important?
Sandboxing allows security researchers to investigate malware execution, heuristics, and communications within an isolated environment and aids in the development of indicators of compromise (IOC) and anti-malware signatures.
Why does a business professional need to know this?
Sandboxing is one of many techniques security researchers use to observe complex malware, including advanced persistent threats (APTs). This technique contains malware within a virtual environment that allows it to function only within predefined and enforced limits.
By using virtual environments to mimic vulnerable targets, a cybersecurity specialist can execute malware under controlled conditions. Malware can be unpredictable and difficult to contain in the wild, and isolating it can be the only way to determine the mechanism by which it infects, proliferates, and communicates.
Of particular importance to cybersecurity specialists are the IOCs that can be garnered from sandboxing. Attackers often leverage techniques that exhibit distinct exploit patterns. These patterns can be observed using sandboxing techniques, then used to identify similarly functioning malware and, potentially, attribute the malware to a particular source.
Although sandboxing is a viable tool for researching malware behavior, sophisticated APTs can detect the existence of a virtual environment (i.e., a sandbox) and either not execute or disable themselves, making it difficult or impossible for a researcher to investigate (Levy 2016). However, sandboxing remains an important technique in a cybersecurity specialist's arsenal (The Sandbox).
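As an added illustration of the two points above (deriving IOCs from a sandbox run, and the caveat that a sample may probe for a virtual environment), here is a small Python script that is not part of the original article. It assumes a hypothetical event log format of (event_type, detail) pairs, and the sample events, domain, addresses and hash are all constructed; it extracts network and file IOCs and flags registry lookups that reference virtualization artifacts, so the analyst knows the run may have been cut short.

```python
import re

# Constructed sample of a sandbox behavioural log (not real malware output).
# Each entry is (event_type, detail); this format is an assumption for the example.
SAMPLE_EVENTS = [
    ("registry_read", r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"),
    ("registry_read", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    ("file_write", r"C:\Users\Public\svc.exe sha256=" + "ab" * 32),  # constructed hash
    ("dns_query", "updates.cdn-example.net"),
    ("tcp_connect", "203.0.113.45:443"),   # TEST-NET address, constructed
    ("tcp_connect", "198.51.100.7:8080"),  # TEST-NET address, constructed
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
# Vendor strings a sample may look for to decide it is inside a VM; seeing
# them in the log means the observed behaviour may be incomplete (Levy 2016).
VM_ARTIFACT = re.compile(r"vbox|virtualbox|vmware|qemu|xen", re.IGNORECASE)


def extract_iocs(events):
    """Collect domains, IPs, file paths and SHA-256 hashes observed in the run."""
    iocs = {"domains": set(), "ips": set(), "sha256": set(), "files": set()}
    for kind, detail in events:
        if kind == "dns_query":
            iocs["domains"].add(detail.lower())
        elif kind == "tcp_connect":
            match = IPV4.search(detail)
            if match:
                iocs["ips"].add(match.group(1))
        elif kind == "file_write":
            iocs["sha256"].update(SHA256.findall(detail))
            iocs["files"].add(detail.split(" sha256=")[0])
    return iocs


def evasion_hints(events):
    """Return registry lookups that reference virtualization artifacts."""
    return [detail for kind, detail in events
            if kind == "registry_read" and VM_ARTIFACT.search(detail)]


def summarize(events):
    """Bundle IOCs with a coverage note so nobody treats a short run as complete."""
    hints = evasion_hints(events)
    return {"iocs": extract_iocs(events), "evasion_hints": hints,
            "coverage": "possibly incomplete" if hints else "full run"}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for key, values in report["iocs"].items():
        print(key, sorted(values))
    print("evasion hints:", report["evasion_hints"])
    print("coverage:", report["coverage"])
```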
References
- (The Sandbox) Understanding the Sandbox Concept of Malware Identification: The Sandbox. Discusses the need for sandboxes -- designated, separate, and restricted environments (or containers) with tight control and permissions -- where computer code can run without causing damage.
- (Levy 2016) 2016: Time for Security to Take its Head out of the “Sand” (box): Levy, Israel (2016). Infosecurity Magazine. Examines an alternative approach to sandboxing, an endpoint protection approach known as containerization. Discusses the pros and cons of virtual containers as a cybersecurity tool.
About Keirsten Brager
Keirsten Brager is a lead security engineer at a Fortune 500 power utility company. She is also the author of Secure The Infosec Bag: Six Figure Career Guide for Women in Security. She produced this resource to help women maximize their earning potential, diversify their incomes, and fire bad bosses. Keirsten holds an M.S. in Cybersecurity and several industry certifications, including Splunk, CISSP, and CASP. As an active member of the Houston security community, Mrs. Brager has participated in a number of panels and public speaking engagements promoting strategies for career success. In her free time, she blogs, cooks New Orleans food, and convinces women not to quit the industry.
Term: Sandboxing
Email: kwbrager@gmail.com
Website: keirstenbrager.tech
Twitter: @keirstenbrager
LinkedIn: linkedin.com/in/kbrager