Extinction Level Event: Evolution of the Sandbox

An Extinction Level Event occurs when something rapid and cataclysmic happens, upsetting the natural order of things to such a degree that species are not able to adapt quickly enough and die off in rapid fashion. In the natural world, these events are rare, with only five major extinction events recorded in Earth’s history – and some scientists claim we are now in a sixth major extinction event. However, the cyber world is evolving at a much faster pace. Moore’s Law describes the exponential growth of computing power and how it increases every two years. Right along with these increases in sheer computing power have come advances in both information security capabilities and the methodologies used by advanced threat groups to thwart those gains. In technology we expect rapid extinction cycles — and we are on the verge of witnessing another cyber security extinction level event now.

Automated malware analysis solutions (sandboxes) emerged as the dominant form of breach detection quite recently by computer security standards, though they have existed in various forms for the past decade. Sandboxes have reached maturity in that time, capturing the attention of customers, investors and, most importantly for the good guys, adversaries. Like the evolution of man, several offshoots have evolved. At a high level, the primary technologies are: Hypervisor Based Analysis, Operating System Emulation and Full System Emulation.

Operating System Emulation

OS Emulation sandboxes do not use a real operating system – they mimic it. The analyzed code runs in a debugger-like environment, and any time the code initiates a system API call, the emulator pretends to be the OS. Unfortunately, OS emulators have a hard time adhering to the behavior of the actual OS system calls, and malware easily spots when something is off. The end result is that the malware is able to evade the detection methodology: either the malware does not execute properly (you do not get a true reading of the actions it will take on the targeted endpoint) or the malware detects it is in a sandbox and goes dark.

Hypervisor Analysis

Using virtualization allows the sandbox solution to detonate potential malware in self-contained environments and record the program’s activities. However, code in a virtual environment occupies physical hardware during execution, preventing the hypervisor from seeing what is occurring until the program initiates system calls. Instrumenting hypervisors can also leave tell-tale clues the attacker can look for, in addition to more evasive techniques such as those used by rootkits to disable system hooking.

Full System Emulation

Emulating the hardware provides a level of visibility and control to the analysis solution that cannot be matched. Not only can the emulator see each and every instruction that executes on the CPU, but it can load entire operating systems on top of the emulated hardware as well as control execution logic. In plain language, Full System Emulators can adapt and evolve as the environment changes. For more detail, see “Full System Emulation: Achieving Successful Automated Dynamic Analysis of Evasive Malware”.

Let’s get back to the evolution of man for a minute – over the past two million years, there have been several offshoots of man that for one reason or another didn’t make it – they failed to adapt or overcome environmental challenges and went extinct. Neanderthal man died out about 40,000 years ago when modern man, Homo sapiens, arrived on the scene. It only took about 5,000 years for the Neanderthals to go extinct once Homo sapiens arrived. Theories abound as to why this happened, and more recent human history supports the theories of competitive replacement (one technologically advanced people invading the territory of a less advanced people) or of biological means (remember what happened when Cortes’ men introduced smallpox to the Aztecs?). Whatever the reason, Neanderthals are gone, and we are here reading this article.

As a cyber-security practitioner, you already know that threats are constantly evolving, and if you want to stay on pace, or even get ahead of the threat, you must constantly be able to evolve the solutions you have selected to guard your company’s intellectual property.

We’ve seen this evolution in another prominent security technology – the firewall. When firewalls first arrived on the scene, they were basic packet filtering firewalls – no intelligence or protocol analysis. Limitations were hit very quickly with dynamically allocated ports in protocols like FTP as well as the allowed ports letting some pretty nasty stuff get through. So an evolution was required, and application gateway, stateful inspection and content filtering firewalls emerged onto the scene.

Now let’s do a variation of the human evolutionary tree and apply it to how security solutions have tried to keep pace with growing threats. As adversaries evolved their tactics, organizations quickly realized traditional defenses (anti-virus, firewalls) were no match against them. Newer, more capable solutions were developed, and each time the advanced adversary demonstrated an ability to adapt and overcome any obstacles put in their path.

The Advanced Persistent Threat was not going the way of the Neanderthal – in fact, they were looking more and more like Homo sapiens!

When automated sandbox technologies arrived on the scene, there was a brief glimmer of hope that this type of analysis would thwart whatever an advanced adversary could throw at it. It’s running the code and inspecting the outcomes, so certainly any type of malicious activity will be seen, identified and alerted upon, right? Well, yes, but then evolution got in the way again.

Hypervisor and OS Emulation sandboxes have a genetic flaw in their make-up. They cannot see every CPU instruction executed, thus they cannot manipulate the outcome of conditional instructions. They cannot adapt and evolve with their environment. They cannot adapt and evolve to overcome the adversary. Can a Full System Emulation sandbox miss a new type of evasion methodology? Certainly. However, unlike its genetically flawed cousins, the Full System Emulation sandbox saw the code and behaviors execute and can be told “this behavior is malicious”; because it has total visibility, it may also already recognize generic behaviors incorporated into the evasive routines. Also, as the evasive behaviors are recognized, the Full System Emulator can be taught how to trick those new behaviors into thinking everything is A-OK so the malicious code will reveal its true nature. Like the modern human body, the Full System Emulation sandbox can have its own version of antibodies injected into it – its adaptable threat intelligence.

In fact, Full System Emulation alone cannot overcome advanced adversaries. One of the key evolutionary advantages of man was the opposable thumb, but without our corresponding evolving intellect, we would not have learned to make tools that we could grasp. Full System Emulation is the opposable thumb that gives us visibility into what is happening on the CPU; applied intelligence through research gives us an understanding of how certain activities look in the CPU (i.e., what set of instructions means a system hook was bypassed, a mutex was created, or a registry key was modified?). You must have both Full System Emulation AND Applied Intelligence to understand and adapt to your adversary.
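The point above about conditional instructions, as an added example (not code from the original article or from any product): a toy emulator runs a constructed sample that goes dark when it sees an analysis artifact, and compares what a syscall-only monitor records with what an instruction-level emulator records once it forces the branch. The four-instruction machine, the sample program and all function names are assumptions made for illustration.

```python
# Constructed sample for a hypothetical four-instruction machine (not real
# malware): it probes for an analysis artifact and goes dark if one is seen.
PROGRAM = [
    ("PROBE", "r0"),                  # r0 <- 1 if an analysis artifact is visible
    ("CMP", "r0", 1),                 # zero flag <- (r0 == 1)
    ("JZ", 5),                        # artifact seen: skip straight to HALT
    ("SYSCALL", "create_mutex"),
    ("SYSCALL", "set_registry_key"),
    ("HALT",),
]

def run(program, artifact_visible, force_branches=None):
    """Execute one instruction at a time; return (instruction trace, syscalls).

    force_branches maps a program counter to the outcome the emulator imposes
    on that conditional jump (True = taken), overriding the computed flag.
    """
    force_branches = force_branches or {}
    regs, zero, pc = {}, False, 0
    trace, syscalls = [], []
    while pc < len(program):
        op, *args = program[pc]
        trace.append((pc, op))
        if op == "HALT":
            break
        if op == "PROBE":
            regs[args[0]] = 1 if artifact_visible else 0
        elif op == "CMP":
            zero = regs[args[0]] == args[1]
        elif op == "SYSCALL":
            syscalls.append(args[0])
        elif op == "JZ" and force_branches.get(pc, zero):
            pc = args[0]              # branch taken: jump to the target
            continue
        pc += 1
    return trace, syscalls

def syscall_only_view(program, artifact_visible):
    """What a monitor that only observes system calls records."""
    return run(program, artifact_visible)[1]

def full_emulation_view(program, artifact_visible):
    """Trace every instruction, then re-run with each conditional jump forced
    to fall through so the guarded behavior executes and can be recorded."""
    trace, _ = run(program, artifact_visible)
    forced = {pc: False for pc, op in trace if op == "JZ"}
    return run(program, artifact_visible, forced)[1]
```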

So here we arrive at the brink of another technological extinction level event: the cousins of the Full System Emulation sandbox, the Hypervisor and OS Emulation based sandboxes, must go the way of the Neanderthal in order for organizations to stay ahead of the advanced threat groups focused on compromising their infrastructure.

Extinction is part of the natural order of things.