James Thew - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How is a smart sandbox different from traditional sandbox technology?

Expert Michael Cobb explains what a smart sandbox is, how it differs from traditional sandbox technology, and when one should be considered for enterprise use.

What is the difference between a smart sandbox and common sandbox technology in terms of containing and analyzing unknown security threats? Is there a use case for them in the enterprise?

The problem enterprises have -- along with everyone else who is online -- is ensuring antimalware defenses are able to spot and mitigate the latest attacks. Zero-day exploits are the most challenging threats for any class of security technology to detect as they are completely unknown and the absence of a patch leaves networks and devices exposed. One of the methods being used by antimalware vendors to combat zero-day exploits is sandboxing.

Sandbox technology provides a tightly controlled set of resources -- such as limited access to memory, system files and settings -- which allows the actions and intentions of potentially malicious code to be observed while it executes without jeopardizing the host device. This on-the-fly behavioral analysis of code entering an organization's network means that even attacks using zero-day exploits can be detected as the malicious intentions of the code give it away.

Malware writers are aware of this technique of analyzing their code before it has chance to compromise a system, so many now are adding advanced obfuscation and evasion techniques to dodge being identified by regular sandboxes. One such method is for the code to act benignly if it detects it is being executed in a sandbox environment, or not decrypt and run the exploit code if it is opened directly or in an incorrect context. These evasion techniques mean the challenge now is for sandboxes to reflect a user's environment as accurately as possible and induce an attacker's code to reveal or execute its malicious payload.

One such sandbox is part of Trend Micro Inc.'s Deep Discovery solution. Like most traditional sandbox technology, it's capable of analyzing the behavior of various aspects of a threat: Its scripts, its shellcode and its payload. However, this "smart" sandbox can be configured by administrators to match their system configurations. This means there's a better chance of seeing how custom malware specifically targeting an organization would behave, which will allow administrators to better assess its scope and potential impact on their systems, such as registry changes, dropped files and connections to command-and-control servers.

On-the-fly behavioral analysis of malware is an essential tool in the battle against advanced threats; smart sandboxes that can outsmart malware designed to avoid sandbox analysis are the latest advance in the ongoing arms race between malware writers and those trying to thwart their attacks. Expect to see other antimalware vendors introducing new or similar techniques for trapping malware in a smart sandbox environment for analysis, identification and mitigation. This approach provides more up-to-date protection against zero-day attacks than signature-based checks, and hopefully will put enterprise defenses ahead of attackers -- at least for the time being.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn more about sandboxes and enterprise malware defense

This was last published in August 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal