QU'EST-CE QUE LA SÉCURITÉ PAR SANDBOX ?

En cybersécurité, une sandbox est un environnement isolé du reste du réseau, qui simule les environnements des utilisateurs finaux. Les sandbox sont utilisées pour exécuter en toute sécurité un code suspect, sans poser de risque à l'appareil hôte ou au réseau. 

Utiliser une sandbox pour la détection de logiciels malveillants avancés apporte une couche supplémentaire de protection contre les nouvelles menaces de sécurité – notamment les menaces jour zéro (auparavant non détectées) et les attaques furtives. Et ce qui se passe dans la sandbox reste dans la sandbox, ce qui évite les problèmes au système et qui permet d'empêcher la propagation des vulnérabilités logicielles.

Sandbox environments provide a proactive layer of network security defense against new and Advanced Persistent Threats (APT). APTs are custom-developed, targeted attacks often aimed at compromising organizations and stealing data. They are designed to evade detection and often fly under the radar of more straightforward detection methods.

Sandbox testing proactively detects malware by executing, or detonating, code in a safe and isolated environment to observe that code’s behavior and output activity. Traditional security measures are reactive and based on signature detection—which works by looking for patterns identified in known instances of malware. Because that detects only previously identified threats, sandboxes add another important layer of security. Moreover, even if an initial security defense utilize artificial intelligence or machine learning (signature less detection), these defenses are only as good as the models powering these solutions – there is still a need to complement these solution with an advanced malware detection.

There are several options for sandbox implementation that may be more or less appropriate depending on your organization’s needs. Three varieties of sandbox implementation include:

• Full System Emulation: The sandbox simulates the host machine’s physical hardware, including CPU and memory, providing deep visibility into program behavior and impact.
• Emulation of Operating Systems: The sandbox emulates the end user’s operating system but not the machine hardware.
• Virtualization: This approach uses a virtual machine (VM) based sandbox to contain and examine suspicious programs.

Malware authors are constantly working to respond to the newest, most sophisticated threat detection. Some primary sandbox evasion techniques include.

• Detecting the Sandbox: Sandbox environments look slightly different than an end user’s real system. If malware detects a sandbox, it can either terminate immediately or stall execution of harmful activities.
• Exploiting Sandbox Gaps and Weaknesses: As sophisticated as a particular sandbox might be, malware authors can often find and exploit its weak points. One example is using obscure file formats or large file sizes that the sandbox can’t process. Or, if the sandbox’s monitoring method is circumvented, the sandbox gains a “blind spot” where malicious code can be deployed.
• Incorporating Context-Aware Triggers: Context-aware malware works by exploiting weaknesses of the automated sandbox technology. For example, what are sometimes referred to as “logic bombs” can delay code detonation for a specified period of time or until triggers occur that typically only happen in an end user’s system—like system reboots or keyboard and mouse interactions.