Comparing the use of threat intelligence feeds with API access to cloud security services and the use of local scanning engines
A sandbox develops intelligence on malware and security threats. However, a sandbox can be expensive to deploy and difficult to scale. Even when deployed as-a service, it can come with the additional challenge of guaranteeing data privacy.
These are major concerns for malware researchers, forensic specialists, security engineers – anyone wishing to develop intelligence, whether working in an enterprise or security provider.
In this post we’ll start to look at how these challenges arise, and how they can be addressed.
Sandboxes can be deployed on-premise: hand-built, or bought as a product. Alternatively they can be delivered as-a-service. Either way, they often consist of three key elements, each developing increasing amounts of intelligence.
A sandbox will initially assesses the reputation of the file – the sample. Is there an existing malware hash? Does the file belong to a family of known malware (ascertained using an anti-virus engine)? Admittedly this is really reputation information rather than intelligence, but it provides a real-time response, and effective pre-filtering. Importantly, it prevents the unnecessary expenditure of later-stage resources.
The sample is then analysed without actually running it or exposing systems to the threat it may contain. Various disassemblers are used to transform the binary code into assembly code, and powerful engines used to look for patterns and structure that may reveal that the sample is, or contains, malware.
Finally, a sandbox will develop dynamic intelligence using behavioral analysis of the code as it executes.
We will look at how assessment, static and dynamic analysis occur in our next blog article. But one thing is for sure: Each sandbox vendor has their own unique approach to developing dynamic intelligence. Despite this, avoiding the built-in evasion capabilities of modern malware, and developing as much intelligence on the sample as possible, is always the objective.
It is this final stage that adds the greatest cost, complexity, scalability and privacy challenges to the deployment of the sandbox system
The development of dynamic intelligence using behavioral analysis is complex. It requires a great deal of engineering experience.
For example, malware authors spend a lot of time refining their code to detect a sandbox environment and evade observation. There only needs to be the slightest hint of an abnormal environment and the malware will fail to execute. The job of the sandbox operator is to ensure that they win this competition by ensuring the system remains completely undetected. Given the number of possible platforms, patches, network connections etc, it’s certainly non-trivial.
The continued development, refinement and updating of the system requires a team of experienced development engineers. These skills are difficult to find, and consequently costly to employ. When skills are hard to come-by, it’s a good time to implement a cloud-service and benefit from the economy of scale it delivers.
However for any security vendor to deliver a cloud sandbox, they must make an upfront investment in computing power. This investment contributes to the high cost of accessing (private cloud) sandbox services. This is the reason why the performance of most sandboxes top out at a few hundred or thousand sample submissions a day. The cost of buying and maintaining the (cloud-based) hardware needed to support the virtualized or emulated environments required to deliver the speed, and importantly, the depth of forensic analysis needed, is ultimately prohibitive.
Unfortunately, leveraging the scale of the cloud computing industry has, up until now, not been possible. The reason for this has been the need to meet the exacting security standards put in place by vendors such as Amazon Web Services
Although cloud services offer economy of scale, meeting data-privacy regulations is important to an enterprise. This is why they often prefer on-premise sandboxes. The transfer of any non-PE document (graphic files, Microsoft documents, PDFs etc) to a third-party, cloud-hosted sandbox presents a challenge for data privacy and GDPR compliance. Unfortunately, many cloud-sandbox architectures are not developed with GDPR in mind. Consequently, managing the transfer of data can be quite complex.
Avira has operated one of the most powerful and sophisticated sandbox systems in the industry for years. It is one of the reasons that we are consistently rated the top performing AV security company by the independent test-houses . It is the reason Avira’s technology and threat intelligence is at the heart of many of the world’s leading security products delivered by other vendors.
However, because Avira focuses on providing OEM solutions to the cyber-security industry we’ve not, until now, made this technology available as a separate solution. For Avira it was essential for us to solve the triumvirate of challenges of scalability, complexity and privacy.
The introduction of Avira’s Cloud Sandbox allows our technology partners and enterprises to access an enhanced version of the sandboxing technology that has powered the Avira Protection Cloud for many years. It is accessed through a simple to use API, delivered through a cloud service. The key benefit is that removes the need for security vendors and enterprises to maintain their own sandbox systems. This frees up their own resources to focus on other tasks, and reducing operational costs.
But solving the challenges of complexity without bringing scale would be of little benefit.
We solved the issue of scale by working with Amazon Web Services (AWS). Together we brought a unique industrial-scale sandbox to market. The development of a revolutionary dynamic detonation system hosted within an AWS environment required close cooperation with their security team. Together we overcame major design hurdles to meet the most exacting security requirements and standards of the AWS infrastructure.
In September 2019 Avira was awarded the AWS Partner Network Innovation Award for this innovative design. It was awarded for the way the detonation service was planned, deployed and secured within the AWS environment.
Finally, and importantly, because the Avira Cloud Sandbox was designed with GDPR in mind, we were able to architect a solution that avoided the need to become joint data controllers . In the case of the Avira Cloud Sandbox the relationship is simplified to be that of data processors.
The Cloud Sandbox API roll-out starts in 2H 2019. If you would like early-access this award-winning service, then you can register your interest here.