What is Sandboxing: A Vigilant Network Security Litmus Test

Unfortunately, networks of all shapes and sizes are under constant threat of cybercrime. Criminals go to great lengths to craft malware that is both invasive and elusive, potentially causing havoc for businesses and private individuals alike.

Antiviruses and firewalls are absolutely necessary with our dangerous online landscape. The accomplished software engineers behind these cybersecurity services are always coming up with inventive ways to detect known threats, and quickly engineer watertight solutions to those issues.

But cybercriminals are always two steps ahead, formulating dangerously creative malware and exploits every single day. Their aim may be to extort money from companies and individuals, or it may be to simply cause chaos.

So how do businesses stay safe from these new, emerging threats before a “cure” for those threats can be engineered and distributed? One particularly robust method is called sandboxing.

What is Sandboxing?

Sandboxing is a computer and network security practice whereby unknown, incoming files are intercepted and tested for potentially malicious effects. This testing occurs in one or more totally isolated virtual PC-like devices – called “engines”. Because they’re totally isolated, any malware found won’t affect other devices on your network.

This virtual environment – the “sandbox” in question – accesses and opens the file much like you would on a regular end user device, taking note of any resulting negative or unexpected effects. If no malware is found in the file, it is noted as safe and end users are allowed to download it. If the file does contain malware, then its activity is recorded and end users are prevented from downloading it.

How Does Sandboxing Work?

When a new file comes into the network – whether it’s being downloaded directly from a website or has been emailed to one of your team, access to that file will be blocked while it is sent to the sandboxing system for testing. The sandboxing system opens the file within a series of different engines (virtual PCs) to see what happens.

Malware often deploys its negative effects – called its “payload” – either as soon as it reaches a device or when the file is opened. In this case, the sandboxing platform can see that something untoward is happening straight away.

Other times, malware waits for certain parameters to be true before deploying its payload, such as when the system clock reaches a certain time and date or when certain settings are changed. Most modern sandboxing solutions will actively try to trick the malware by changing the virtual machine’s time and date settings, tinkering with its security parameters, restarting the virtual operating system, and much more – all in an attempt to catch any malware “in the act”.

Some malware can detect that it’s in a sandbox and withhold its payload, but it can usually be caught out by using different kinds of emulated systems – called “sandboxing engines”. These engines present alternative ways of testing the file and getting it to misbehave. Modern, sophisticated sandboxing solutions use multiple engines to provide the tightest security possible.

While files are being tested, users are informed that the file is currently being sandboxed and are asked to attempt the download again in a few minutes. If a file is found to be malicious, any attempts to download the file will not be permitted. The network administrator will be notified when malware is discovered.

Wait – doesn’t testing every file take a long time?

Individually sandboxing every single incoming file would take an incredibly long time – time modern businesses just don’t have. Older sandboxing systems would keep databases of files that had been tested before and whether they were safe or not. Therefore if someone wanted to download a known file, there was no need to test it again, the sandboxing solution already knows whether it’s a threat. Understandably, this speeds up the process considerably.

Modern sandboxing systems have significantly scaled up this database functionality. Recent platforms rely on (and feed back to) global, cloud-based databases of known, previously sandboxed files. Pooling global file and threat information in this way helps to speed the process up even further.

Rather than matching file records using easily changeable file data like file names, these databases tend to operate using file hashes. Every single computerised file in existence has a totally unique and immutable code (a hash) associated with it. If the file is changed, its hash changes. If a file with a known hash comes along, there’s no need to test it again.

Why Does My Network Need a Sandbox?

Sandboxing is an essential tool in an organisation’s fight against malware. One infected PC can easily infect a whole network because malware is usually programmed to spread far and wide between connected devices. Sandboxing and firewalls help to shield your entire network from malicious programs before they even reach end user devices.

The main benefit of sandboxing is that it’s invaluable in the fight against “zero-day” malware. This is freshly released malware that doesn’t have a known, readily available fix yet – it may not even become known to antivirus and firewall developers for some time. Because there’s no known solution yet, zero-day malware can be particularly damaging – leaving organisations with potentially buggy, insecure, or downright inaccessible IT estate without a fix in sight. But by interrogating all unrecognised files before they reach your end user devices, sandboxing neatly sidesteps this problem.

Reviewing your sandbox’s logs and file database can also give you unique insight into the kinds of threats that you’re facing – enabling you to take a proactive approach against them. For example, if many of your users are trying to download the same malicious file from an email, it may be worth investigating whether you’re being targeted by a phishing campaign. If there’s a particular site that appears as a particular source of malicious files, you can block your network’s users from accessing that site.

How Do Organisations Implement Sandboxing?

Sandboxing can be implemented in a number of ways. Though standalone sandboxing hardware is available for enterprise-level networks, we recommend that most organisations use a firewall with in-built sandboxing capabilities. The firewall’s role as a network’s gatekeeper makes it particularly well-placed to carry out sandboxing functions. These functions can be found within many modern enterprise firewalls, including hardware solutions and virtual firewall services. As well as investing in any hardware and set up fees, companies will also usually have to pay for a license or subscription in order to use the sandboxing service.

Solopreneurs and private individuals can invest in software-based solutions which sandbox files as they enter the system. This is great for protecting a small handful of devices, but individual software installs are difficult to manage en masse.

Is My Network Protected?

It’s tough to say. Depending on the age of your firewall, you may not have any sandbox coverage. And if you do, then an older sandbox may not be robust enough to properly detect and deal with more modern threats.

If you’re unsure about your current sandboxing situation, get in touch with the Just Firewalls team for a no-obligation network security health check.

What Solutions Do Just Firewalls Suggest?

Though there are a number of worthwhile sandboxing solutions available on the market (each with their own ways of doing things) our in-house boffins highly recommend SonicWall firewalls and a subscription to SonicWall AGSS.

SonicWall AGSS (Advanced Gateway Security Suite)

SonicWall is a global industry leader for network security hardware, and their recent firewall solutions come with the option to access their AGSS or Advanced Gateway Security Suite. This is a suite of IT security tools that serve to amplify your network’s threat detection and response measures.

AGSS includes real-time gateway antivirus and anti-spyware controls; robust content filtering and policy tools; and a little gem called Capture ATP. This is SonicWall’s powerful cloud-based sandboxing service which checks a wide range of file types as they reach the network’s firewall.

Much like the kind of functionality described above, Capture ATP (Advanced Threat Protection) is designed to detect both known and unknown instances of malware, achieving an enviable level of security across your whole network. Capture ATP uses multiple sandboxing engines to rigorously test unknown files, keeping you safe from known malware threats and zero-day exploits.

Through AGSS, Capture ATP is available on all SonicWall firewalls – from the entry level TZ series to high-end NSA and E class solutions.

Want more info about how a Capture ATP-enabled firewall can help to fortify your network against malware threats? Speak to a member of our knowledgeable sales team today to discuss your options – or to claim your free network security health check! Simply call 0808 1644414 or drop us a line.