A new report from the Ponemon Institute paints a sobering picture of today’s cyber threat climate. In 2018, 70 percent of survey respondents saw a significant increase in zero-day threats, attacks that exploit vulnerabilities for which the vendor has had “zero days” to produce a patch, so no fix and no signature yet exist. More than three-fourths (76 percent) of successful attacks involved new or unknown threats, despite significant investments in security tools intended to defend against zero-day attacks.
These types of attacks are becoming more common due to the availability of cheap exploit kits on the dark web, making it easy for even a novice attacker to inflict serious damage. At the same time, many organizations take a reactive approach to cybersecurity, relying on signature-based tools that can only recognize threats that have already been seen. Because a zero-day by definition has no signature, blocking it outright is rarely possible, so organizations must focus on detecting and responding to the behavior of unknown code.
Sandboxing is an essential tool in the fight against zero-day threats. Diverting suspicious files (attachments, downloads, objects extracted from network traffic) to an isolated, instrumented environment, or sandbox, makes it possible to execute untrusted or unverified code and automatically perform dynamic malware analysis. Security professionals can observe what the code actually does when it runs and determine whether it’s malicious without allowing it to spread or cause damage.
Benefits and Limitations
Many malware authors use anti-debugging and anti-virtual-machine techniques to prevent researchers from stepping through the code or to detect that the code is running under analysis. Sandbox solutions typically look for these techniques as well as common threat indicators, such as installing keystroke-logging hooks, writing persistence entries to the registry, or tampering with system files. The sandbox will also record whether the code drops other files onto the system and then executes them, and whether it attempts to connect to a remote server.
But while sandboxes can be effective at detecting zero-day threats, they also have limitations. For one thing, they only approximate a real-world system, so it’s not always possible to determine how malware will act on its actual target. In addition, a sandbox run analyzes the activity of one file for a limited time. Some malware installs its various components in stages and doesn’t deliver its payload until all pieces are in place, so a single run may see only a harmless-looking first stage.
Sandboxing can provide insight into what malware does, but it offers few clues about where it originated, how it may have entered the network or whether it has infected other systems. And, of course, attackers use various techniques to avoid detection by a sandbox, such as checking for virtual-machine artifacts or sleeping until the analysis window expires. That’s why it’s important to integrate the sandbox solution into a layered security approach and to treat a sample that probes its environment as suspicious rather than clean.
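To make the indicators above concrete, here is an added example (not code from the article or from any Cisco product) of how a sandbox’s behavior log might be scored. The event format is an assumption: a list of recorded API calls with their arguments, roughly what a user-mode hooking sandbox emits. The two sample reports are constructed inline. The scorer separates malicious behavior (persistence, keylogging, dropping and executing a file, outbound connections) from anti-analysis tricks (debugger checks, VM-artifact probes, long sleeps), and deliberately refuses to call an evasive sample “clean”, which is the practical answer to the limitations just described.

```python
"""Score a constructed sandbox behaviour report for common threat indicators.

Added illustration, not part of Cisco AMP or any vendor product. The event
format (dicts with 'api' and 'args') is an assumption for this example.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns (assumptions chosen for the example, not a vendor's rule set)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|ps1|vbs)$", re.I)
VM_ARTIFACT_RE = re.compile(r"vmware|vbox|virtualbox|qemu|xen", re.I)
STALL_SECONDS = 120          # a Sleep this long is a classic sandbox-timeout stall
WH_KEYBOARD_LL = 13          # SetWindowsHookEx hook id for low-level keyboard capture


@dataclass
class Verdict:
    behaviours: list = field(default_factory=list)   # malicious actions observed
    evasion: list = field(default_factory=list)      # anti-analysis tricks observed

    @property
    def label(self) -> str:
        if self.behaviours:
            return "malicious"
        if self.evasion:
            # Nothing bad ran, but the sample checked whether it was being watched.
            # A clean verdict here would reward evasion, so escalate instead.
            return "suspicious-evasive"
        return "no-indicators"


def score_report(events) -> Verdict:
    """Walk the recorded API calls once and collect indicators."""
    v = Verdict()
    dropped = set()   # executables this sample wrote to disk
    for e in events:
        api, a = e["api"], e.get("args", {})
        # Persistence: writing an autostart entry under the Run/RunOnce keys
        if api in ("RegSetValueExW", "RegSetValueExA") and RUN_KEY_RE.search(a.get("key", "")):
            v.behaviours.append(f"persistence: Run key {a['key']}")
        # Keystroke logging: low-level keyboard hook
        if api in ("SetWindowsHookExW", "SetWindowsHookExA") and a.get("idHook") == WH_KEYBOARD_LL:
            v.behaviours.append("keylogging: WH_KEYBOARD_LL hook installed")
        # Dropper: an executable is written, then launched
        if api == "WriteFile" and EXEC_EXT_RE.search(a.get("path", "")):
            dropped.add(a["path"].lower())
        if api in ("CreateProcessW", "CreateProcessA") and a.get("path", "").lower() in dropped:
            v.behaviours.append(f"dropper: wrote and executed {a['path']}")
        # Command and control: connection to a non-private address
        if api == "connect" and not a.get("ip", "").startswith(("10.", "192.168.", "127.")):
            v.behaviours.append(f"c2: outbound connect to {a['ip']}:{a.get('port')}")
        # Anti-analysis: debugger checks, VM probes, stalling sleeps
        if api in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"):
            v.evasion.append(f"anti-debug: {api}")
        if api == "Sleep" and a.get("ms", 0) >= STALL_SECONDS * 1000:
            v.evasion.append(f"stalling: Sleep({a['ms']} ms)")
        if api in ("RegOpenKeyExW", "RegQueryValueExW") and VM_ARTIFACT_RE.search(a.get("key", "")):
            v.evasion.append(f"anti-vm: probed {a['key']}")
    return v


# Constructed sample reports (not real captures)
SAMPLE_DROPPER = [
    {"api": "WriteFile", "args": {"path": "C:\\Users\\Public\\update.exe"}},
    {"api": "CreateProcessW", "args": {"path": "C:\\Users\\Public\\update.exe"}},
    {"api": "RegSetValueExW", "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"}},
    {"api": "SetWindowsHookExW", "args": {"idHook": 13}},
    {"api": "connect", "args": {"ip": "203.0.113.7", "port": 8443}},
]
SAMPLE_EVASIVE = [
    {"api": "IsDebuggerPresent"},
    {"api": "RegOpenKeyExW", "args": {"key": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"}},
    {"api": "Sleep", "args": {"ms": 600000}},
    {"api": "connect", "args": {"ip": "10.0.0.5", "port": 445}},   # internal, not counted
]

if __name__ == "__main__":
    for name, rep in (("dropper", SAMPLE_DROPPER), ("evasive", SAMPLE_EVASIVE)):
        v = score_report(rep)
        print(name, v.label, v.behaviours, v.evasion)
```

The evasive sample triggers none of the behavior rules, which is exactly the case the limitations above describe: a first stage that only checks its surroundings and waits. Labeling it suspicious and re-running it with a longer timeout or patched sleeps is how an analyst would follow up rather than trusting a single “no indicators” result.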
The cloud-based sandboxing technology in Cisco Advanced Malware Protection (AMP) offers many advantages over traditional onsite platforms. Cisco hosts multiple sandboxes in a highly resilient architecture that’s available 24×7, with analysis performed by the Cisco Talos Security Intelligence and Research Group. Customers receive a detailed report within minutes after uploading a file.
If the file is found to be malicious, the report will provide information on the potential impact of the malware as well as indicators of compromise, and that information is shared across the customer’s Cisco security portfolio. Retrospective detection will then automatically quarantine any matching files already present in the customer’s environment, limiting the spread of malware that slipped past the initial verdict without manual IT involvement.
The results of the analysis are also saved in Cisco’s online database, which benefits all Cisco customers. Because Cisco processes a large volume of files, there’s a good chance that a report keyed to a given sample’s hash is already available, so a verdict can be returned without re-running the analysis. Customers can also peruse the report database to gain a better understanding of cyber threat trends.
Cisco’s sandbox infrastructure is always current, eliminating the need to manually apply updates to an onsite solution. File samples are analyzed with the latest detection techniques and with knowledge of newly disclosed vulnerabilities as it becomes available.
Most importantly, the Cisco AMP sandbox works in concert with the other components of the Cisco security infrastructure to provide comprehensive protection. Cisco has built a better sandbox to help organizations detect and respond to new and unknown threats.