The Sandbox
Understanding CyberForensics

Understanding The Sandbox Concept of Malware Identification

We need to get some definitions out of the way so we all know what we are talking about.

A “sandbox”, as it relates to computer security, is a designated, separate and restricted environment (or “container”, with tight control and permissions, where computer code can run without the ability to cause damage or infection. Just like in a real playground where children can play in the sandbox — but are not allowed to play anywhere outside of the sand box. And the box around the “sand box” is designed to keep the sand in and not make a mess all around. At that moment, the sandbox is their “virtual world”.

“Virtualization” provides a separate environment within a computer that can function independently from all other environments on the computer. One virtual container cannot change or modify another virtual container.

A “sandbox” and a “virtual machine” are not the same. When you run an application in a sandbox, it has access to run as if it were not in a sandbox. Anything the application attempts to create or change, however, is lost (or NOT saved) when the application stops running.

In a “virtual machine”, anything created or changed by the application is allowed, and everything that happens stay within the virtual machine. Similar to the “Las Vegas” theory; “What happens in Las Vegas stays in Las Vegas”.   Once testing is completed, the virtual machine in use can be deleted without concern for anything that was done to it by the running of the questionable application.

As it relates to computer security, a “honeypot” is typically a computer, network or a data system that appears to be part of a larger system, but is actually a controlled, standalone “bait” vehicle, designed to attract those wanting to infect and abuse. If you watch US television, you will most likely be familiar with the police action show “Bait Car”. The difference being that the criminals get caught immediately in the tv show. Real life “honeypots” don’t necessary lead to that same outcome.

There are different types of “honey pots”. For years, anti-spam companies “baited” forums, and web sites, and Usenet, and every source they could find, with email addresses in order to received spam. The spam received researched to identify where the spam comes from as well as other general patterns. The type of honeypot we utilize in this discussion applies to the collection, research, identification and analysis of “MalWare”.

Virus prevention software can’t act on infections until it is taught about specific threats and Malware.

“Malware” is a shortened form of “malicious software”. Malicious software is used to gain control of your computer, allowing the malware creator to do whatever he wants. The ultimate goal of gaining control is to disrupt the normal operations of the target; obtain sensitive or secret information; or gain access to private computer networks and system for other purposes. Malware includes Trojans, viruses, ransom ware, spy ware, and yes, adware!

In order for “malware” to be caught, classified, added to virus protection software, etc., it has to be “caught”. So the web is full of “spider webs for malware”, or “honeypots”! Honeypot creation can be as simple as placing an old computer (or server that is too old or too slow for any valid purpose), install honeypot software, and connect it to the network. (Honeypot software is available as an open source product by the way). It won’t take long before your system sees malicious activity, as hackers begin scanning for weaknesses, and attempting to break in.

In a test this year, a security blogger leased server space in various countries and created honeypots. Within five minutes of being active, some of the machines had already been “hit” or scanned more than nineteen times! These were unknown machines, without any public awareness of their name, location, or status. The number of hacking attempts increased exponentially over the next few days!

Once hackers gain access to our system, they spend time looking around, searching for anything they can find. Since these systems are honeypots, they won’t find anything. The next step is for the hacker to upload his malware to our system. At this point, the hacker will attempt to run his malware, but our system ignores him, and eventually he moves on or uploads other malware. Either way we have now harvested copies of malware being used in real-life.

Honeypots are equipped with a “sandbox” in order to contain and prevent the code or malware from wreaking havoc. Sandboxes are also used to analyze and learn about the specific malware threat.

From a press release dated November 19, 2013, “Threat Track” (which is the new name for “CWSandbox”), bills itself as the complete “malware analysis solution”. To maintain congruity, we will continue to refer to “Threat Track” and “CWSandbox” simply as the “sandbox”.

The main job of the sandbox is to enable “users to automate the sample submission process; completely analyze any threat; and quickly act to protect sensitive data”. Once the sandbox gets the malware, it is able to analyze and evaluate the actions and processes of the malicious software. This allows system administrators to evaluate the potential exposure of their networks and take the appropriate action to secure against the latest threats.

Although malware authors are trying to stay ahead of sandbox technology, sandbox has managed to implement new features and controls that mimic the actions required by the malware. For example, some malware “stalls” or as kids like to say, “plays possum”, waiting for a period of time to pass or a particular action to occur – such as a system reboot. As part of the analysis, sandbox mimics a system reboot and then looks to see how the malware responds to the fake reboot.

Need more proof? The Federal Bureau of Investigation (FBI) bid on the public market looking to use sandbox on “any machine owned or controlled by the FBI”.  The knew the value of the software.

One final comment about why we need sandbox.

“Automated malware must be analyzed (1) automatically, (2) effectively, and (3) correctly. … This is important to realistically assess the threat posed by the malware sample.”

For more information, go to





Read the rest of this entry »

U.S. Critical Infrastructure Ripe for Attack

The Enterprise Strategy Group (ESG), a leading IT analyst, consulting, and research organization, has conducted a research project to assess whether organizations categorized by the U.S. Department of Homeland Security (DHS) as Critical Infrastructure and Key Resources (CIKR) were vulnerable to security attacks due to weaknesses in cyber supply chain security.

Based on primary research with 285 U.S.-based CIKR organizations, ESG concludes that critical infrastructure firms realize they are under attack. ESG found that the […] Continue Reading…

Read the rest of this entry »

Small Firms are Easiest Targets

The Wall Street Journal reported last Thursday that while the media focuses on hacking attacks at major firms like Sony, in actuality the majority of cybercrimes happen at firms with less than 100 employees.*

Most intriguing was the story of a magazine shop in which cyber crooks planted a software program on the cash register that sent customer credit-card numbers to Russia. It was illustrative of the situation facing many small firms that are computerizing  […] Continue Reading…

Read the rest of this entry »

Top Hacker Secrets shared at DefCon

The DEF CON conference, a  meeting ground for hackers and those who want to learn what they are up to, was held last week in Vegas. There were some interesting topics and tips for cyber security I thought you might be interested in. So here is the abbreviated highlight reel.

There are folks who make a living watching Internet traffic over wireless networks (like at Starbucks, McDonalds, etc.). In a demonstration at DEF CON it […] Continue Reading…

Read the rest of this entry »

Advanced Threats are source of major breaches

Cisco recently released their “Cisco 2Q11 Global Threat Report” which provided data on the breaches and risks occurring across the world. For me, it reinforced the mantra that companies are suffering and putting themselves at risk because “they don’t know what they don’t know.”

Cisco states that advanced persistent threats (APTs) played a key role in many breaches. APTs are generally rootkit-enabled*, exhibit no visible symptoms of infection, and often employ escalation of privilege and […] Continue Reading…

Read the rest of this entry »

Humans are the weakest link in Cyber Security

Humans the weakest link in cyber security

Details emerged about the notorious break-in at security firm RSA that resulted in the compromise of their SecureID two-factor authentication product and cost parent company EMC a reported $66 million.

What apparently happened is that an email was sent to a few EMC employees that had an Excel spreadsheet attached. reports that the “e-mail message had been spoofed to look like it had come from a generic Webmaster […] Continue Reading…

Read the rest of this entry »

Out of the Loop Execs put Security at Risk

A recent McAfee report states that  only 22 percent of data center managers felt senior management is aware of their respective organization’s security measures and risk preparedness.

The key findings of the 2011 Data Center Security Survey, conducted by Gabriel Consulting Group (GCG) on behalf of McAfee, essentially says “management is ripe to be blindsided by a security breach” according to Dan Olds, Principal Analyst at GCG.

What compounds the problem is that many companies, according […] Continue Reading…

Read the rest of this entry »

Top Security Predictions for Coming Years

It’s that time of year again when we go through the security predictions for 2012 from the leading prognosticators and the wannabes. So until St. Nick comes, enjoy the “Top”  lists we’ve compiled from M86, Websense, SecurEnvoy, CSO, the folks at SANS and others. You’ll get a different “Top” list in the next few blogs until Christmas.

Targeted attacks grow more damaging and complex

Hacktivist groups such as Anonymous and LulzSec have made security breaches a […] Continue Reading…

Read the rest of this entry »

Understanding IT Risk Management

Managing IT risk is part of running any business these days. Regardless of the type of business, understanding and managing one’s IT risks will help to increase security, reduce management costs and achieve greater compliance. Managers who fail to identify, assess and mitigate IT risk are setting themselves up for serious security breaches, reputational damage, and financial losses. Further, those leaders who think that managing IT risk is the job solely of the IT […] Continue Reading…

Read the rest of this entry »

Project Honey Pot Success

To celebrate this milestone, Project Honey Pot which came into existence in 2004, sifted through their collected data to learn more about spam and spammers who send it. Some highlights:

Monday is the busiest day of the week for email spam, Saturday is the quietest.

12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the quietest.

Malicious bots have increased at a compound annual growth rate (CAGR) of 378% since Project Honey […] Continue Reading…

Read the rest of this entry »

Continuous Monitoring – A Critical Aspect of Risk Management

Continuous Monitoring – A Critical Aspect of Risk Management

Many organizations have recently discovered that – while traditional security monitoring systems can help reduce risk, they are not enough to react to today’s external, targeted, persistent, zero-day attacks. As a result, a number of Federal agencies and some private sector organizations are beginning to replace point-in-time audits and compliance checks with a Continuous Monitoring program to help them simultaneously assess the effectiveness of controls and […] Continue Reading…

Read the rest of this entry »