Heuristic Scanning and Sandbox Protection: Best of Both Worlds
We have been dealing with targeted attacks and know that there is no single technology that can practicably defend an organization’s network against these high-impact campaigns. This is sad but true; it does, however, mean that there are ways to harness security technologies like sandboxing and heuristic scanning so that they work together and protect as a stronger whole.
The use of heuristics and sandboxing as complementary technologies that cover each other’s weaknesses is an effective and efficient way of identifying unknown threats at the earliest possible time. Heuristic scanning employs a rule-based system to quickly flag possibly malicious files; its effectiveness relies heavily on how the rules are defined. Sandboxing, on the other hand, safely executes a suspicious file in a protected environment, usually a virtual machine, to observe what it does without infecting the host.
Efficiency and Accuracy
In practice, heuristic scanning acts as a filter before a file is sent to the sandbox. Doing so reduces cost and increases system capacity. Heuristic scanning can also determine a file’s real type and, if the two technologies are working together, pass that information on. For example, heuristic scanning can tell the sandbox that a certain Office file is Word 2003, Word 2007, or Word 1.0, so the sandbox can execute the file in the appropriate, expected environment.
Furthermore, even if a company has enough resources to sandbox every single file under all possible conditions, there is malware that can tell it is being run in a sandbox and therefore does not exhibit any malicious routine. An IT admin’s best bet is to have detected such a file earlier via heuristic scanning, for better detection coverage.
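As an added illustration (not Trend Micro’s engine or rule set), here is a minimal pre-filter of the kind described above: it sniffs the real file type from magic bytes, applies a few constructed heuristic rules, and tells the sandbox which guest environment to use. The rule markers, reason strings and environment names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

SANDBOX_ENV = {  # guest image each type should be detonated in (constructed names)
    "pdf": "win7-reader",
    "rtf": "win7-word2010",
    "word2003": "win7-word2003",
    "word2007": "win7-word2010",
}

@dataclass
class Verdict:
    ftype: str
    suspicious: bool
    env: Optional[str]           # None means: do not spend a sandbox run on this file
    reasons: list = field(default_factory=list)

def sniff_type(data: bytes) -> str:
    """Identify the container format from magic bytes, never from the extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"{\\rt"):  # {\rtf1 normally; Word also opens the truncated {\rt
        return "rtf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "word2003"          # OLE2 compound file (legacy binary Office)
    if data.startswith(b"PK\x03\x04") and b"word/" in data:
        return "word2007"          # OOXML zip containing a Word part
    return "unknown"

# Constructed rule set: markers that, for a given type, justify a sandbox run.
RULES = {
    "pdf": [(b"/JavaScript", "embedded JavaScript"), (b"/OpenAction", "auto-run action"),
            (b"/Launch", "launch action")],
    "rtf": [(b"\\objdata", "embedded OLE object"), (b"\\objupdate", "auto-updating OLE object")],
    "word2003": [("_VBA_PROJECT".encode("utf-16-le"), "VBA macro storage")],  # OLE names are UTF-16LE
    "word2007": [(b"vbaProject.bin", "VBA macro part")],
}

def triage(data: bytes) -> Verdict:
    """Heuristic filter: decide whether a file earns a sandbox run and in which guest."""
    ftype = sniff_type(data)
    reasons = [why for marker, why in RULES.get(ftype, []) if marker in data]
    env = SANDBOX_ENV.get(ftype) if reasons else None
    return Verdict(ftype, bool(reasons), env, reasons)

if __name__ == "__main__":  # constructed sample: a PDF with an auto-run JavaScript action
    print(triage(b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n2 0 obj << /S /JavaScript >>"))
```

Files whose type has no rule, or that trip no rule, are left out of the sandbox queue, which is exactly the capacity saving the text describes.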
Solution Versus Zero-days
As mentioned before, the effectiveness of heuristics plus sandboxing relies heavily on the defined heuristic rules. These rules need to be forward-looking enough to recognize previously unknown threats, but also specific enough so as to avoid false alarms.
One good way to check the effectiveness of these rules is to see how well they fare against zero-day exploits. By nature, zero-day exploits target unpatched vulnerabilities, but they tend to reuse familiar exploitation techniques. If sufficiently “smart”, heuristic rules will be able to catch them.
Even years-old heuristic rules in the Trend Micro Advanced Threat Scan Engine, for instance, have been able to detect recent zero-days:
- CVE-2014-0515 in May 2014 was detected by a rule developed in 2014 – HEUR_SWFJIT.B
- CVE-2014-1761 in April 2014 was detected by a rule developed in 2012 – HEUR_RTFEXP.A/HEUR_RTFMALFORM.
- CVE-2014-0496 in February 2014 was detected by a rule developed in 2010 – HEUR_PDFEXP.A
- CVE-2013-3346 in November 2013 was detected by a rule developed in 2010 – HEUR_PDFEXP.A
Aim for Early Detection
Assume compromise: enterprises should understand by now that the later they catch on to an ongoing targeted attack campaign, the more difficult it is to mitigate the damage or even to detect the attack at all. Early detection must therefore be the first priority for network defenders, and layered protection will go a long way.
Additional insights and analysis by Shih-hao Weng and Sunsa Lue.