Everything safe, or what? - Sandboxing

08/07/2022

Since time immemorial, companies have been exposed to a wide variety of threats in cyberspace. Espionage, economic fraud and ransomware attacks are among the most common threats. But how do these actors get into your business?

Emotet, Agent Tesla, ZeuS: three of the best-known malware families have one thing in common: they all rely on phishing as a key strategy for their spread. Social engineering techniques such as phishing or spear phishing are used time and again. The "human vulnerability" therefore remains a popular target for attackers, which is also confirmed by current studies, such as those conducted by Bitkom.

But how can you protect yourself and your employees from such attacks? This blog post deals with one of the possible approaches to effectively mitigate such threats: so-called sandboxing. But there are several questions that need to be answered.

What is a Sandbox?

According to the National Institute of Standards and Technology (NIST), a sandbox is an IT system that allows untrusted applications to run in a highly controlled environment. Essentially, the permissions of both the (often virtualized) operating system and the application are restricted. For example, the sandbox is usually prohibited from accessing the underlying file system or the network.

How does email sandboxing work?

In principle, an email sandbox works the same way as a classic sandbox. Dedicated, specially hardened hardware is often used as an additional measure, so that malware cannot take over the physical host of the sandbox and thereby gain access to the network.

Instead of being delivered directly to the clients' mailboxes, emails are usually redirected first. Emails and attachments are checked statically (signature checks, among other things) and, in many cases, also dynamically, supported by machine learning algorithms. Depending on the product, attachments are unpacked in the sandbox and any software they contain is installed. Furthermore, system operation can be emulated at an accelerated pace so that changes made by the software become observable within moments.

The aim is to identify malware that acts with a time delay and, for example, only starts encrypting outside business hours. A verdict is then reached on the basis of various criteria. If malware is detected, a message is sent to the IT security department. If no malware is detected, the email is delivered to the mailbox of the intended recipient.
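The pipeline described above, as an added example that is not code from the original post or from any sandbox vendor: a static signature stage, a dynamic stage that steps an accelerated clock to surface time-gated behaviour, and a verdict that either alerts IT security or delivers the mail. The `observe` function and the `encrypt_after_hour` field are hypothetical stand-ins for a real detonation environment, and the signature list is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed signature list: hash of a made-up byte string, not a real indicator.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed known-bad attachment").hexdigest()}

@dataclass
class Attachment:
    name: str
    content: bytes
    # Hypothetical behaviour model standing in for a real detonation: the hour of
    # day (0-23) at which the sample starts mass encryption, or None if benign.
    encrypt_after_hour: Optional[int] = None

def static_check(att: Attachment) -> bool:
    """Signature stage: match the attachment hash against the known-bad list."""
    return hashlib.sha256(att.content).hexdigest() in KNOWN_BAD_SHA256

def observe(att: Attachment, hour_of_day: int) -> set:
    """Stand-in for the emulator: report what the sample does at a given clock value."""
    if att.encrypt_after_hour is not None and hour_of_day >= att.encrypt_after_hour:
        return {"mass_file_encryption"}
    return set()

def dynamic_check(att: Attachment, hours: int = 48, step_minutes: int = 15):
    """Behaviour stage: run the sample under an accelerated clock, so that a payload
    gated on the time of day reveals itself within a short real-world wait."""
    for minute in range(0, hours * 60, step_minutes):
        hour_of_day = (minute // 60) % 24
        if "mass_file_encryption" in observe(att, hour_of_day):
            return True, f"mass file encryption at simulated {hour_of_day:02d}:{minute % 60:02d}"
    return False, "no malicious behaviour observed"

def verdict(attachments: list) -> dict:
    """Route the mail: alert IT security on any hit, otherwise deliver to the mailbox."""
    for att in attachments:
        if static_check(att):
            return {"action": "alert", "reason": f"{att.name}: known-bad signature"}
        hit, detail = dynamic_check(att)
        if hit:
            return {"action": "alert", "reason": f"{att.name}: {detail}"}
    return {"action": "deliver", "reason": "no findings"}

if __name__ == "__main__":
    mail = [Attachment("invoice.pdf", b"%PDF-1.4 harmless constructed content")]
    print(verdict(mail))  # {'action': 'deliver', 'reason': 'no findings'}
```

Note that the emulated window (48 hours here) bounds what the dynamic stage can see: a payload gated on a longer delay or on a condition the emulator never presents is delivered as clean, which is why the post treats the sandbox as one layer rather than a complete answer.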

Are there any disadvantages to using an email sandbox?

A sandbox is not a perfect security tool and does not detect every malicious email. It is therefore no substitute for well-trained staff: regular phishing training and other security training remain necessary to protect your company.

In addition to the cost of purchase, maintenance and operation, other factors, such as the delay in delivery introduced by scanning and the general volume of mail, must also be taken into account.

Author: Robin Enste