What is Sandboxing?
Sandboxing is a technique in which you create an isolated test environment, a “sandbox,” in which to execute or “detonate” a suspicious file or URL that arrives as an email attachment or otherwise reaches your network, and then observe what happens. If the file or URL displays malicious behavior, you have discovered a new threat. The sandbox must be a secure virtual environment that accurately emulates the CPU of your production servers.
Why Sandboxing is Important
Sandboxing is particularly effective at defending against zero-day threats. Traditional inbound email filters scan emails for known malicious senders, URLs, and file types. Unfortunately, dozens of new (“zero-day”) threats appear every single day that email filters do not yet recognize. Sandboxing, a key component of advanced threat protection, provides an added layer of protection: any email that passes the email filter but still contains unknown URL links, file types, or suspicious senders can be tested before it reaches your network or mail server.
Although sandboxing is an effective and important defense technique, it suffers from two important drawbacks.
- Sandboxing is quite time- and resource-intensive. Running all of your digital traffic through a sandboxing system is impractical and cost-prohibitive.
- Sandboxing can be evaded. As sandboxing became more common, cybercriminals began to design threats with features that help them evade detection. For example, a threat might be programmed to remain dormant until a future date, so that during sandboxing it appears benign. Another effective evasion technique is to give the malware the ability to detect whether it is running in a virtual environment and to remain dormant until it finds itself on a real desktop or other device.
What You Can Do
Barracuda Advanced Threat Protection is a sophisticated cloud-based service that delivers the benefits of sandboxing while eliminating the drawbacks of more traditional, stand-alone sandboxing solutions. Barracuda Advanced Threat Protection applies a multi-layered strategy that uses signature matching, heuristic and behavioral analysis, and static code analysis to pre-filter traffic and identify the vast majority of threats. Finally, it feeds only the small number of remaining suspicious files to a sandbox to definitively identify zero-day threats and block them from reaching your network.
The service scales elastically based on your level of email and network traffic to ensure that it does not negatively impact network or email performance. This makes it far more efficient and cost-effective than a standalone sandboxing solution.
It also employs a variety of techniques to overcome evasion strategies. For example, it detects any attempt by the file under analysis to query the machine’s registry or memory, and it defeats delayed-detonation techniques by advancing its internal clock and calendar. In short, it exposes the suspected malware to all possible environments in which it might activate its malicious behavior: if it has a malicious payload, that payload will be detonated.
Unlike more traditional virtual-machine sandboxing, Barracuda Advanced Threat Protection uses a CPU-emulation sandbox, which makes it indistinguishable from a real desktop machine from the malware’s perspective.
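The two evasion patterns named in the drawbacks list (dormant-until-a-date and virtual-environment detection) and the two countermeasures just described (advancing the clock and calendar, and watching for registry or memory queries) can be shown together in a small harness. The following is an added illustration written for this page, not Barracuda's code or a description of how its service is built: samples are plain Python callables that can only act through a `SandboxAPI` object, the `analyze` function, the calendar schedule, the registry key name, and the answers the sandbox returns are all constructed for the demo, and nothing real is executed.

```python
"""
Toy sandbox harness (added example, not Barracuda's code) showing:
 1. delayed detonation defeated by a virtual clock that is fast-forwarded
    rather than waited out, plus re-runs at later calendar dates;
 2. every environment probe (registry / memory query) logged, answered like a
    physical desktop, and treated as a suspicion signal in its own right.
Sample behaviours, key names and answers below are constructed for the demo.
"""
import datetime as dt
from dataclasses import dataclass, field


@dataclass
class Report:
    probes: list = field(default_factory=list)    # (kind, detail) environment queries seen
    sleep_seconds: float = 0.0                     # total time the sample asked to wait
    detonated: bool = False                        # did a payload action occur?
    actions: list = field(default_factory=list)    # payload actions observed


class SandboxAPI:
    """The only interface a sample gets. Every call is logged; time is virtual."""

    def __init__(self, start: dt.datetime, fast_forward_budget_days: int = 365):
        self.clock = start
        self.report = Report()
        self._budget = dt.timedelta(days=fast_forward_budget_days)

    def now(self) -> dt.datetime:
        return self.clock

    def sleep(self, seconds: float) -> None:
        # Never wait in real time: jump the clock forward (bounded by a budget).
        delta = min(dt.timedelta(seconds=seconds), self._budget)
        self._budget -= delta
        self.clock += delta
        self.report.sleep_seconds += seconds

    def query_registry(self, key: str) -> str:
        # Asking about the machine is itself a signal; answer like a physical desktop.
        self.report.probes.append(("registry", key))
        return "Dell Inc."  # constructed answer

    def query_memory_mb(self) -> int:
        self.report.probes.append(("memory", None))
        return 16384  # constructed answer, typical of a real workstation

    def write_file(self, path: str) -> None:
        # In this toy model any file write counts as the payload firing.
        self.report.detonated = True
        self.report.actions.append(("write_file", path))


# Calendar offsets at which a quiet sample is re-run ("advancing the calendar"); constructed.
CALENDAR_SCHEDULE = [dt.timedelta(days=d) for d in (0, 1, 30, 365)]


def analyze(sample, start: dt.datetime = dt.datetime(2024, 6, 1)) -> dict:
    """Run `sample` under the virtual clock; re-run at later dates if it stays quiet."""
    for offset in CALENDAR_SCHEDULE:
        api = SandboxAPI(start + offset)
        sample(api)
        rep = api.report
        if rep.detonated:
            # Evasive if it fired only after a date jump, a long sleep, or environment probes.
            evasive = offset > dt.timedelta() or rep.sleep_seconds >= 60 or bool(rep.probes)
            return {"verdict": "malicious", "evasive": evasive, "probes": rep.probes,
                    "actions": rep.actions, "detonated_at": api.clock}
    # Never detonated; environment probes with no visible purpose still warrant a closer look.
    return {"verdict": "suspicious" if rep.probes else "benign", "evasive": bool(rep.probes),
            "probes": rep.probes, "actions": [], "detonated_at": None}


# Constructed sample behaviours: toy stand-ins for the evasion patterns described in the text.
def benign_sample(api: SandboxAPI) -> None:
    api.now()  # reads the date and does nothing else


def date_bomb_sample(api: SandboxAPI) -> None:
    if api.now() < dt.datetime(2024, 9, 1):  # dormant until a date after the analysis start
        return
    api.write_file(r"C:\Users\Public\dropped.bin")


def sleep_stall_sample(api: SandboxAPI) -> None:
    api.sleep(20 * 60)  # 20 minutes; a real-time sandbox would usually give up first
    api.write_file(r"C:\Users\Public\dropped.bin")


def vm_aware_sample(api: SandboxAPI) -> None:
    vendor = api.query_registry("SystemManufacturer")  # constructed key name
    if "virtual" in vendor.lower() or api.query_memory_mb() < 4096:
        return
    api.write_file(r"C:\Users\Public\dropped.bin")


if __name__ == "__main__":
    for s in (benign_sample, date_bomb_sample, sleep_stall_sample, vm_aware_sample):
        print(f"{s.__name__:20} -> {analyze(s)}")
```

Running the script shows the benign sample classified as benign, the date-triggered and sleep-stalling samples detonating only once the virtual clock or calendar has moved on, and the environment-aware sample detonating because the sandbox answered its probes like a real desktop; in every malicious case the `evasive` flag explains which trick was used, which is the kind of verdict detail an analyst wants alongside the plain malicious/benign result.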
Advanced Threat Protection is available for the following Barracuda products:
- Barracuda CloudGen Firewall: Protects networks with automatic sandboxing of all suspicious files transferred to or from your network.
- Barracuda Web Application Firewall: Protects your website and web applications from malicious file uploads.
- Barracuda Email Protection: This cloud-based service protects your email system with sandboxing of all suspicious links and file attachments within each sent and received email.
- Barracuda Email Security Gateway: Provides similar email security using a physical or virtual appliance.
- Barracuda Web Security Gateway: Makes web browsing safe by automatically sandboxing files downloaded from websites.