It would be interesting to analyze the strengths and the limits of this kind of technology, so that we can choose our security solutions better.
What is a Sandbox?
Sandboxing, in the sense used here, means creating a “virtual”, “fake” image that can be targeted by malware, attackers or unknown security problems.
By monitoring the changes that happen to this decoy it is possible to understand whether something strange is going on. The basic idea is that, since the fake machine should perform only a series of deterministic actions, anything that departs from that baseline is something that requires further investigation.
So configuration changes to files or the registry, unwanted external communications, a different memory footprint: all of these can be used to understand whether something is going wrong.
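The baseline idea above, written out as a small detector. This is an added example, not code from the original post: it records a snapshot of the decoy (file hashes, registry-style keys, outbound connections, running processes) from a clean run of its deterministic workload and reports everything in a later snapshot that departs from it. The snapshots, paths, IPs and process names are constructed sample data; the `Snapshot` fields and the allowlist of files that are expected to change (logs) are assumptions made for the illustration, and the allowlist is there because a naive "anything that changed" rule drowns in its own log files.

```python
"""Baseline-deviation detector for a decoy image (added illustration)."""
from dataclasses import dataclass
import hashlib


@dataclass
class Snapshot:
    files: dict        # path -> sha256 hex digest of the file content
    registry: dict     # key -> value (registry or any other config store)
    connections: set   # (remote_ip, remote_port) observed outbound
    processes: set     # names of running processes


def hash_content(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(baseline: Snapshot, current: Snapshot, volatile=frozenset()) -> dict:
    """Return every deviation of `current` from `baseline`, grouped by kind.

    `volatile` lists paths whose content is expected to change between runs
    (log files, caches); changes there are not reported, deletions still are.
    """
    findings = {"files": [], "registry": [], "connections": [], "processes": []}
    for path, digest in current.files.items():
        if path not in baseline.files:
            findings["files"].append(("created", path))
        elif baseline.files[path] != digest and path not in volatile:
            findings["files"].append(("modified", path))
    for path in baseline.files:
        if path not in current.files:
            findings["files"].append(("deleted", path))
    for key, value in current.registry.items():
        if baseline.registry.get(key) != value:
            findings["registry"].append(("changed", key, value))
    for key in baseline.registry:
        if key not in current.registry:
            findings["registry"].append(("removed", key, None))
    for conn in sorted(current.connections - baseline.connections):
        findings["connections"].append(("unexpected", conn))
    for proc in sorted(current.processes - baseline.processes):
        findings["processes"].append(("new", proc))
    return findings


def is_suspicious(findings: dict) -> bool:
    return any(findings.values())


# Constructed baseline: what the decoy looks like after its scripted workload.
BASELINE = Snapshot(
    files={
        "C:/Windows/System32/drivers/etc/hosts": hash_content(b"127.0.0.1 localhost\n"),
        "C:/Users/decoy/Documents/report.docx": hash_content(b"PK\x03\x04 fake docx"),
        "C:/Windows/Temp/app.log": hash_content(b"started\n"),
    },
    registry={r"HKCU\...\CurrentVersion\Run\OneDrive": "OneDrive.exe"},
    connections={("10.0.0.5", 443)},            # the decoy's own update server
    processes={"explorer.exe", "winword.exe"},
)
EXPECTED_VOLATILE = frozenset({"C:/Windows/Temp/app.log"})


def sample_infected_run() -> dict:
    """Constructed 'something happened' snapshot: hosts file edited, a dropped
    binary, a persistence key, an unknown C2 connection and a new process."""
    current = Snapshot(
        files={
            "C:/Windows/System32/drivers/etc/hosts": hash_content(b"127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n"),
            "C:/Users/decoy/Documents/report.docx": BASELINE.files["C:/Users/decoy/Documents/report.docx"],
            "C:/Windows/Temp/app.log": hash_content(b"started\nstopped\n"),   # expected to change
            "C:/Users/decoy/AppData/Roaming/svchost.exe": hash_content(b"MZ dropped payload"),
        },
        registry={
            r"HKCU\...\CurrentVersion\Run\OneDrive": "OneDrive.exe",
            r"HKCU\...\CurrentVersion\Run\Updater": "C:/Users/decoy/AppData/Roaming/svchost.exe",
        },
        connections={("10.0.0.5", 443), ("203.0.113.7", 8080)},
        processes={"explorer.exe", "winword.exe", "updater.exe"},
    )
    return diff_snapshots(BASELINE, current, EXPECTED_VOLATILE)


if __name__ == "__main__":
    for kind, items in sample_infected_run().items():
        for item in items:
            print(kind, item)
```

In practice the snapshot collector runs outside the guest (from the hypervisor or an agent that the decoy's workload does not know about), which is the "deeply monitored" part discussed next; the diff logic is the same.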
The hardest part of building a sandboxing system is that the target should look like a normal environment while being deeply monitored, far beyond the usual monitoring needs.
Another hard point for sandboxing technology is that the decoy should be as close as possible to the systems you actually want to protect; otherwise what you observe in the decoy may not be what would happen in the real environment.
Last, but not least, we should remember that some of the malware and attacks out there are built to counter sandboxing technology using stealth or anti-sandbox techniques. The first try to hide and stay undetectable; the second try to work out whether the target is real or fake and, in the latter case, stop any execution so as not to be detected.
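Anti-sandbox code decides "real or fake" from cheap host checks, so the same checks are the obvious way for the defender to measure how fake the decoy looks before deploying it. The following is an added example, not code from the original post, and not any particular malware family's logic: it scores a host profile with a handful of widely used heuristics (few cores, little RAM, small disk, short uptime, hypervisor vendor strings, analysis tools running, an empty user history). The thresholds, profile fields and the three constructed profiles are assumptions made for the illustration.

```python
"""Realism score for a decoy image, from the defender's side (added illustration)."""

# Vendor strings and process names commonly associated with virtualisation
# and analysis tooling; the lists are illustrative, not exhaustive.
HYPERVISOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "microsoft corporation/virtual")
ANALYSIS_TOOLS = {"vmtoolsd.exe", "vboxservice.exe", "procmon.exe", "wireshark.exe", "x64dbg.exe"}


def sandbox_indicators(profile: dict) -> list:
    """Return the names of the heuristics that fire for this host profile."""
    hits = []
    if profile["cpu_count"] < 4:
        hits.append("few_cpus")
    if profile["ram_gb"] < 4:
        hits.append("little_ram")
    if profile["disk_gb"] < 80:
        hits.append("small_disk")
    if profile["uptime_s"] < 600:
        hits.append("short_uptime")
    vendor = (profile["bios_vendor"] + "/" + profile["system_model"]).lower()
    if any(marker in vendor for marker in HYPERVISOR_MARKERS):
        hits.append("hypervisor_vendor")
    if ANALYSIS_TOOLS & {p.lower() for p in profile["processes"]}:
        hits.append("analysis_tools")
    if profile["recent_documents"] < 5:
        hits.append("no_user_history")
    return hits


def looks_like_sandbox(profile: dict, threshold: int = 3) -> bool:
    """Assumed decision rule: three or more indicators and the malware bails out."""
    return len(sandbox_indicators(profile)) >= threshold


# Constructed profiles.
NAIVE_DECOY = {
    "cpu_count": 2, "ram_gb": 2, "disk_gb": 40, "uptime_s": 120,
    "bios_vendor": "VMware, Inc.", "system_model": "VMware Virtual Platform",
    "processes": {"explorer.exe", "vmtoolsd.exe", "procmon.exe"},
    "recent_documents": 1,
}
REAL_WORKSTATION = {
    "cpu_count": 8, "ram_gb": 16, "disk_gb": 512, "uptime_s": 5 * 86400,
    "bios_vendor": "Dell Inc.", "system_model": "Latitude 5540",
    "processes": {"explorer.exe", "outlook.exe", "teams.exe"},
    "recent_documents": 42,
}
# Same decoy after tuning: more resources, spoofed firmware strings, monitoring
# moved out of the guest, a fabricated user history and a long-running image.
HARDENED_DECOY = {
    "cpu_count": 4, "ram_gb": 8, "disk_gb": 256, "uptime_s": 3 * 86400,
    "bios_vendor": "LENOVO", "system_model": "20XW",
    "processes": {"explorer.exe", "outlook.exe", "winword.exe"},
    "recent_documents": 30,
}


if __name__ == "__main__":
    for name, profile in (("naive decoy", NAIVE_DECOY),
                          ("real workstation", REAL_WORKSTATION),
                          ("hardened decoy", HARDENED_DECOY)):
        print(f"{name:17s} sandbox={looks_like_sandbox(profile)} "
              f"indicators={sandbox_indicators(profile)}")
```

Every indicator that fires on the decoy is a reason for malware to stay quiet and for the sandbox to report a clean run, which is the worst outcome: a false negative that looks like evidence of safety.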
Sandboxing techniques are effective and powerful tools for security, but they should be implemented carefully.
We should take some considerations into account:
1) The less standard your environment, the less effective the sandboxing approach. This relates not only to operating systems in their several versions, patch levels and so on, but also to all the software running on the platform.
This seems easy, but without strict control we may need a great number of sandbox units to cover the various configurations. And I am not even considering hardware drivers...
2) A sandbox can be exploited
The sandbox itself can be exploited. Usually we are dealing with some sort of virtual image that is monitored through its drivers, which means the sandbox itself is not immune to attack. Targeted attacks or APTs may have every interest in leveraging any vulnerability in the sandbox system in order to succeed.
3) An evolving environment needs an evolving sandbox system
As with other security technologies, sandboxing is useless unless it is inserted into a set of processes that deal with security, processes that take into account the evolution of the systems and of user behaviour as well as of the external environment in terms of threats and technologies.
So are sandboxing technologies worth the effort? The answer is simply yes, but within a clear security context. As with reputation technologies, sandboxing alone cannot be the answer, but it is surely a powerful tool if used correctly. Beyond the marketing effort that sometimes presents these technologies as the holy grail of security, we should be aware that they are just tools to be used wisely.