Modern Cybersecurity Threats Require a Modern Sandboxing Solution

A new report from the Ponemon Institute paints a sobering picture of today’s cyber threat climate. In 2018, 70 percent of survey respondents saw a significant increase in zero-day threats, which are capable of exploiting vulnerabilities on the same day they’re discovered. More than three-fourths (76 percent) of successful attacks involved new or unknown threats, despite significant investments in security tools to defend against zero-day attacks.

These types of attacks are becoming more common due to the availability of cheap exploit kits on the dark web, making it easy for even a newbie hacker to inflict serious damage. At the same time, many organizations take a reactive approach to cybersecurity, relying on tools that are designed to combat known threats. Preventing zero-day attacks is virtually impossible, so organizations must focus on detection and response.

Sandboxing is an essential tool in the fight against zero-day threats. Sending suspicious traffic to a tightly controlled environment, or sandbox, makes it possible to execute untrusted or unverified code and automatically perform malware analysis. Security professionals can see what happens when the code runs and determine if it’s malicious without allowing it to spread or cause damage.

Benefits and Limitations

Many malware authors use anti-debugging techniques to prevent cybersecurity researchers from stepping through the code. Sandbox solutions typically look for these techniques as well as common threat indicators, such as keystroke logging and attempts to access the registry or system files. The sandbox will also determine if the code drops other files onto the system or attempts to connect to a remote server.

But while sandboxes can be effective at detecting zero-day threats, they also have limitations. For one thing, they only approximate a real-world system, so it’s not always possible to determine how malware will act on its actual target. In addition, sandboxing only analyzes the activity of one file. Some malware installs its various components over time and cannot drop its payload until all pieces are in place.

Sandboxing can provide insight into what malware does, but it offers few clues as to where it originated, how it may have entered the network or whether it has infected other systems. And, of course, hackers use various techniques to avoid detection by a sandbox. That’s why it’s important to integrate the sandbox solution into a layered security approach.
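As an added example (not Cisco’s code or the logic inside AMP), the scorer below classifies a constructed sandbox event log against the indicator classes described above (anti-debugging, keystroke logging, registry access, dropped files, remote connections) and, because a sandbox only examines one file at a time, lists any dropped files that would need their own analysis. The event categories, API names and verdict thresholds are assumptions for illustration.

```python
# Added example, not part of the original article or Cisco AMP.
# Scores a sandbox behaviour report against the indicator classes the
# article lists and flags dropped files for follow-up analysis.

# Constructed sample of sandbox events as (category, detail) pairs.
SAMPLE_EVENTS = [
    ("api", "IsDebuggerPresent"),                     # anti-debugging check
    ("api", "SetWindowsHookExA:WH_KEYBOARD_LL"),      # keyboard hook
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("file_write", r"C:\Users\Public\stage2.dll"),    # second-stage component
    ("network", "connect example.invalid:443"),       # remote server contact
]

# Hypothetical indicator tables (illustrative, not an exhaustive list).
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
KEYLOG_MARKERS = ("WH_KEYBOARD", "GetAsyncKeyState")
AUTORUN_KEYS = (r"\CurrentVersion\Run",)


def classify(events):
    """Return a dict with verdict, distinct indicators and dropped files."""
    indicators = set()
    dropped = []
    for category, detail in events:
        api_name = detail.split(":")[0]
        if category == "api" and api_name in ANTI_DEBUG_APIS:
            indicators.add("anti-debugging")
        elif category == "api" and any(m in detail for m in KEYLOG_MARKERS):
            indicators.add("keystroke logging")
        elif category == "registry" and any(k in detail for k in AUTORUN_KEYS):
            indicators.add("registry persistence")
        elif category == "file_write":
            indicators.add("dropped file")
            dropped.append(detail)   # needs its own sandbox run (one file at a time)
        elif category == "network":
            indicators.add("remote connection")
    # Assumed thresholds: two or more indicator classes is treated as malicious.
    if len(indicators) >= 2:
        verdict = "malicious"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(indicators), "dropped_files": dropped}


if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

The `dropped_files` list is the practical hook for the multi-stage limitation: each entry should be submitted as a separate sample rather than assumed covered by the first report.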

Cisco’s Approach

The cloud-based sandboxing technology in Cisco Advanced Malware Protection (AMP) offers many advantages over traditional onsite platforms. Cisco hosts multiple sandboxes in a highly resilient architecture that’s available 24×7, with analysis performed by the Cisco Talos Security Intelligence and Research Group. Customers receive a detailed report within minutes after uploading a file.

If the file is found to be malicious, the report will provide information on the potential impact of the malware as well as indicators of compromise, and the information will be shared across the customer’s Cisco security portfolio. Retrospection will automatically delete any matching files within the customer’s environment, reducing the spread of malware without manual IT involvement.

The results of the analysis are also saved in Cisco’s online database, which benefits all Cisco customers. Because Cisco processes a large volume of files, there’s a good chance that a report is already available for any given sample. Customers can also peruse the report database to gain a better understanding of cyber threat trends.

Cisco’s sandbox infrastructure is always current, eliminating the need to manually apply updates to an onsite solution. File samples are analyzed against new vulnerabilities using the very latest detection techniques.

Most importantly, the Cisco AMP sandbox works in concert with other components of the Cisco security infrastructure to provide comprehensive protection. Cisco has built a better sandbox to help organizations detect and respond to new and unknown threats.
