How Reliable Are Sandbox Gateway Appliances?
—By Sanjay Katkar, CTO, Quick Heal Technologies
Over the past few years, spear phishing attacks via highly targeted messages have been the primary attack vector of successful data breaches. More than 90% of attacks on enterprise networks are the result of spear phishing methods.
This has led to the rise of a new breed of security solutions – Sandbox Based Gateway Appliances. This solution provides advanced malware detection for incoming emails in the form of an easy-to-use sandbox appliance. It launches every incoming email attachment in a secure virtual environment to monitor its runtime behavior. In case it detects any malicious activity, a red flag is raised. The results of this technology have been positive and many zero-day Advanced Persistent Threats (APTs) have been detected and blocked by this approach.
So does the implementation of this security signal the end of APTs and data breaches? The early success of such Sandbox based appliances can be attributed to the fact that malware variants were never designed with such protection mechanisms in mind. Instead, these samples were focused towards breaching traditional antivirus and firewall solutions. This enabled them to breach traditional security solutions with zero-day attacks very frequently. But now that more enterprises are using these Advanced Threat Protection Sandbox based appliances, new malware variants are being designed with the aim of penetrating this specific protection mechanism.
At the Quick Heal Threat Research Labs, we have come across a new malware sample that was able to breach this Sandbox protection. It successfully worked its way around this mechanism and reached a user’s inbox without getting detected. Detailed analysis of this sample revealed that it has been designed to infect highly protected networks. It also has several anti-virtual machine and anti-sandbox tricks implemented within it. This malware was reported on 4th August and it has been named APT-QH-4AG15.
We are in the midst of analyzing this APT threat further, and will be releasing a detailed analysis report in the next few days. What this attack has taught us is that even the most advanced Sandbox based appliance protection can be breached. As a result, enterprises need to consider and implement multiple layers of protection to safeguard their networks. While the network breaches of the last few years have raised concerns about the effectiveness of endpoint security protection, future breaches are also sure to raise the question – Can Sandbox appliances provide reliable protection against APTs?