The rapid proliferation and pervasiveness of unknown malware have rendered most traditional solutions incapable of protecting users from attacks.

August 20, 2018


By Ilan Paretsky

Your customers are targeted by malware thousands of times a day, with upwards of 90 percent of detected malware arriving through the email and browser threat vectors. Much of it is ransomware: more than 400,000 machines were infected by the WannaCry ransomware worm in 2017, at a potential total cost of around $4 billion for that one variant alone. And now, cryptojacking is on the ascent. Symantec found an 8,500 percent increase in coinminer detections on endpoint computers in 2017.

Over the years, one cybersecurity control that has proven relatively effective in the fight against malware is sandboxing. A traditional sandbox (an instrumented virtual machine or OS-level container) quarantines, executes and analyzes files and programs in a self-contained environment to determine whether they are safe. Files sent to the sandbox are detonated while file system activity, network connections, registry changes and process behavior are monitored for anything abnormal. Only files deemed safe are released to the endpoint.

Sandboxing has been used since the 1990s. It is not perfect, as I discuss in this blog, and Cisco has found that malicious document macros can defeat the technology when a user opens an infected file, but it is still a useful defense.

In fact, sandboxes have proven effective at shielding endpoints from many zero-day attacks, in which cybercriminals exploit vulnerabilities that are not yet publicly known or patched to compromise specific applications, database-management systems and operating systems. Zero-day attacks have no known signatures and thus evade intrusion prevention systems and antivirus tools; a sandbox can still catch them because it judges what a file does, not what it looks like.

Sandboxes are also effective at protecting against APTs, a type of cyberattack that’s extremely dangerous to customers with high-value information. APTs utilize multiple attack techniques that can execute over days, weeks, months or years. They are made up of several small events, which might seem harmless when viewed individually. Designed to infiltrate systems, APTs allow cybercriminals to target organizations and gain access to particular assets and valuable data over long periods of time.

While in the past, sandboxing solutions proved adept at detecting and neutralizing these kinds of threats before they could infect and damage an organization's network, attackers are smart and persistent. They went back to their drawing boards to develop newer, more sophisticated zero-day threats and APTs, including environmentally aware malware that checks for signs it is running inside an analysis sandbox (virtualization artifacts, an unrealistically small or freshly booted machine, analysis tooling) and refuses to run there. Such malware waits until it is on a real endpoint, outside the sandbox environment, before activating and commencing its exploits.

Other attackers created malware with "extended sleep" functions (built-in sleep timers): the payload stays dormant for longer than the sandbox's analysis window, so the containing file is marked safe and released to the endpoint, and only then does it activate. These attacks incorporate innovative evasive techniques to circumvent even the most meticulous sandboxing solutions.
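To make the two evasion tricks and the analysis-side countermeasure concrete, here is an added simulation; it is not code from the original post or from Ericom. A harmless stand-in "sample" refuses to run when it sees sandbox artifacts and otherwise sleeps past a fixed analysis window, and it is run under a toy analysis harness with and without sleep patching (the sandbox satisfying sleep calls instantly while fast-forwarding the guest clock). The host values, thresholds, MAC prefixes and names are assumptions chosen for illustration.

```python
"""Simulation of extended-sleep and environment-aware sandbox evasion and of
the analysis-side countermeasure (sleep patching with a fast-forwarded
guest clock). Added illustration, not code from Ericom or any sandbox
vendor; the 'sample' only returns a flag, and every host value and
threshold below is an assumed, illustrative number."""
from dataclasses import dataclass


@dataclass
class Environment:
    """Constructed view of the host, as the sample would see it."""
    cpu_count: int
    ram_gb: int
    uptime_s: int
    username: str
    mac_prefix: str


class AnalysisTimeout(Exception):
    """Raised when the sandbox's observation window closes."""


@dataclass
class GuestClock:
    """Clock the sample sees. The sandbox owns it: with skip_sleeps=True,
    sleep() returns at once but guest time still advances by the requested
    amount, so a naive 'did time really pass?' check is satisfied."""
    budget_s: float
    skip_sleeps: bool = False
    now: float = 0.0          # guest time the sample can read
    wall_spent: float = 0.0   # real analysis time consumed

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds
        if self.skip_sleeps:
            return
        self.wall_spent += seconds
        if self.wall_spent > self.budget_s:
            raise AnalysisTimeout


def sandbox_indicators(env: Environment) -> list[str]:
    """Heuristics of the kind environment-aware malware uses (thresholds assumed)."""
    reasons = []
    if env.cpu_count < 2:
        reasons.append("single vCPU")
    if env.ram_gb < 4:
        reasons.append("unrealistically little RAM")
    if env.uptime_s < 600:
        reasons.append("machine booted minutes ago")
    if env.username.lower() in {"sandbox", "malware", "virus", "sample"}:
        reasons.append("analysis-style username")
    if env.mac_prefix.upper() in {"00:0C:29", "08:00:27"}:  # VMware / VirtualBox OUIs
        reasons.append("virtual NIC vendor prefix")
    return reasons


def evasive_sample(env: Environment, clock: GuestClock, delay_s: float = 900.0) -> bool:
    """Stand-in payload: bail out in a sandbox, otherwise wait delay_s and then
    'activate'. Returns True only if it would have run its payload."""
    if sandbox_indicators(env):
        return False
    start = clock.time()
    clock.sleep(delay_s)
    if clock.time() - start < delay_s:   # sleep was cut short: assume analysis
        return False
    return True


def analyze(env: Environment, budget_s: float, skip_sleeps: bool = False) -> str:
    """Run the sample under a sandbox with the given observation budget."""
    clock = GuestClock(budget_s, skip_sleeps)
    try:
        activated = evasive_sample(env, clock)
    except AnalysisTimeout:
        return "clean: sample still idle when the window closed"
    return "malicious: payload activated" if activated else "clean: no payload observed"


# Constructed hosts: a bare analysis VM and a realistic-looking one.
ANALYSIS_VM = Environment(1, 2, 45, "sandbox", "00:0C:29")
REALISTIC_VM = Environment(4, 16, 3 * 86400, "jsmith", "3C:52:82")

if __name__ == "__main__":
    print("bare sandbox:            ", analyze(ANALYSIS_VM, 120))
    print("realistic VM, 120 s:     ", analyze(REALISTIC_VM, 120))
    print("realistic VM, sleep patch:", analyze(REALISTIC_VM, 120, skip_sleeps=True))
    # The endpoint that received the 'clean' file has no window at all:
    print("real endpoint:           ", analyze(REALISTIC_VM, float("inf")))
```

The first two runs are the false negatives the text describes: the bare VM is recognized and the sample never misbehaves, and a realistic VM with a two-minute window times out while the sample is still asleep. Patching sleeps while advancing the guest clock catches it, which is exactly the kind of improvement the next generation of sandboxes added, and the last line shows what happens on the endpoint once the file has been released.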

To address this new wave of threats, cybersecurity experts improved on the sandboxing concept by leveraging artificial intelligence, analytics and heuristics and by integrating their products with detect-and-block solutions. These "next-gen" sandboxes accelerate threat analysis and reduce the human error involved in releasing files and granting access.

In response to next-gen protections, cybercriminals again focused their skills and energy on creating malware that infiltrates endpoints through the "soft underbelly" of the browser, which is used more and more for work as SaaS – such as Microsoft Office 365 – proliferates. Browser-borne attacks can run without ever writing a file to disk. Such threats, along with increasing use of browsers, have made sandboxes less effective.

As users surf the internet, their browsers fetch and execute enormous volumes of active content (JavaScript and similar code) in real time without ever saving it as a file on the endpoint. That code can exploit vulnerabilities in the browser or its plugins and pull malware onto the endpoint directly. Attackers use such browser-borne code to deliver fileless exploit kits and malware, which can quickly spread from endpoint computers to servers and compromise a customer's entire network.

Since this code runs inside the live browser session rather than arriving as a file, it never enters the sandbox, which was designed to detonate files, not to contain a running browser. Although secure web gateways, URL filtering, firewalls, antivirus solutions and the sandboxes that MSSPs often bundle with them all play vital roles in a strong, defense-in-depth strategy, they simply are not enough to protect against the next-gen threats currently swarming the internet.

A New and Improved Isolation Technique

Remote browser isolation is an effective way to secure endpoints without creating friction for users. Gartner predicts that, by 2022, one-quarter (25 percent) of enterprises will adopt browser isolation techniques for some high-risk users and use cases, up from less than 1 percent in 2017. In fact, the research firm named browser isolation a Top 10 technology in 2016.

Remote browser isolation (RBI) leverages container-based virtual browsers to render websites as safe, interactive visual streams and deliver them to endpoint browsers in real time. That gives users a native browsing experience while all browser-executable code runs, and stays locked down, in a remote container.

At the end of each browsing session, the container is destroyed, along with all of its content, benign, infected or malicious. This effectively prevents malware and browser-borne threats from entering and spreading through the organization's network. Unlike sandboxes, which eventually release files they deem safe back onto the endpoint, RBI prevents all website content (files and browser-executable code) from ever reaching the endpoint. This provides stronger containment of sophisticated threats, such as environmentally aware malware and malware with extended sleep functions, that have proven adept at outwitting sandbox solutions.

By isolating browsing from endpoint devices, and thus organizations’ networks, the browsing web threat vector is neutralized, and attack surfaces are greatly reduced. That’s something to consider for MSSPs looking for ways to up their endpoint security games.

Ilan Paretsky is chief marketing officer at Ericom Software, responsible for the global marketing activities of the company. Prior to joining Ericom in 2005, Mr. Paretsky held various leadership positions in marketing, business development, project management, and software development in the global software and telecom industries.
