What Is Application Sandboxing?
Numerous IT organizations utilize application sandboxing in an effort to protect sensitive data from cybercriminals. Sandboxing is a simple idea: contain dangers arising from an application to stop them from negatively impacting other applications, or the whole operating system. Apple Safari and Google Chrome are clear examples of how this technique is used.
By deploying an application in its personal sandbox via VMs or other application isolation methods, you minimize its capacity to gain access to the system resources and information of the device it is being run on.
Benefits of Sandboxing
Sandboxing has various benefits that may improve the security profile of your network, and provide new ways to carry out your organization’s objectives:
- Create and deploy environments—if you employ sandboxes, it is simple to develop and deploy environments at scale. A sandbox provides you with the flexibility you require to check various versions and recent lines of code.
- Get access to advanced support and networking—with the correct sort of sandbox architecture, you may utilize sophisticated networking features and check them to see how they could improve or fit in with your existing system.
- Save money for your company—rather than purchasing, sourcing, maintaining and staffing your own on-site development labs, you could employ cloud-based sandboxing. The money you may have used to run, procure and maintain the equipment might be invested in different tasks to fulfil the company’s objectives.
- Incident response—application sandboxing methodologies must make use of both testing and threat intelligence data, to appreciate the motivation and identity of cybercriminals. This might assist incident responders, so they can ascertain whether the malware is a component of a targeted attack, an advanced persistent threat (APT), an automated attack or a mass distributed attack.
- Prepare for attacks in the future—when a threat is managed within the sandbox environment, it is contained and can be studied by the on-premises IT team or third-party cybersecurity experts. A detailed examination of the threat can reveal patterns that could help you isolate and prevent future attacks. The insights gained from the threat analysis could also help you isolate vulnerabilities within the network.
Data Breach Mitigation with Application Sandboxing
Here are some examples of attack strategies and how sandboxing can help you mitigate the threat and create a more effective incident response process.
Drive-By Compromise
Cybercriminals could access a system via a drive-by compromise, whereby a user views a website during their normal browsing session. With this methodology, the web browser of the user is exploited and targeted when they visit the compromised site.
The cybercriminal could target a particular community, for example reliable third-party suppliers or different industry specific teams, which typically visit the target site. This sort of targeted attack is reliant on the common interest, and is called a watering hole attack or strategic web compromise.
You can use application isolation and built-in browser sandboxes to manage web-based malware.
Public-Facing Application Exploits
Cybercriminals could make use of weaknesses to compromise internet-facing software and gain primary access to an industrial network. Internet-facing software could be underlying networking implementations, a user’s application, weak defenses, an assets operating system, or the like. Victims of such exploits could be intentionally exposed to data exfiltration and remote management.
A cybercriminal could attempt to target applications that are public-facing as they could offer direct access to an ICS environment or the capacity to maneuver into the ICS network. Publicly exposed applications could be identified via online tools that traverse the internet for open services and ports.
Version numbers linked to the exposed application could give adversaries the information they require to target particular known vulnerabilities. Remote access ports or exposed control protocol located in Commonly Used Port could be appealing to cybercriminals.
Application isolation will restrict the other system features and processes a vulnerable target may access. Built-in features may include software restriction policies, SELinux, AppLocker for Windows, or AppArmor for Linux.
Privilege Escalation and Evasion
Cybercriminals could exploit a software vulnerability to make the most of a programming error in a service, program, or in the kernel or operating system software itself to avoid detection. There could be vulnerabilities in the software, which an attacker might exploit to circumvent or disable security features.
Cybercriminals could use software vulnerabilities in an effort to elevate privileges. Exploitation of software vulnerabilities occurs when a cybercriminal makes use of a programming mistake to execute adversary-controlled code. This mistake could be in a service, program, or within the kernel or operating system itself. Security approaches including permission levels could prevent access to data and the use of various techniques, so cybercriminals could need to carry out privilege escalation to encompass use of software exploitation to bypass those limitations.
Cybercriminals could exploit a vulnerability in a software to misuse a programming mistake in a service, program, or within the kernel or operating system software itself to enable remote service abuse. An aim of remote services post-compromise exploitation is for primary access into, and lateral activity throughout, the ICS environment. This provides access to the victim’s systems.
Application isolation means that it is hard for cybercriminals to move forward with their operation by exploiting unpatched or undiscovered vulnerabilities by utilizing sandboxing. Different application micro segmentation and virtualization techniques can also minimize the impact of certain forms of exploitation.
Scripting Attacks
Cybercriminals could utilize scripting languages to carry out arbitrary code as pre-written script or as user-supplier code to a specific interpreter – a common example is a SQL injection attack. Scripting languages are a type of programming language. However, scripting language is different from compiled languages as it makes use of an interpreter rather than a compiler.
Interpreters decipher and compile parts of the source code before it is executed. On the other hand, compilers gather every line of code into an executable file. Scripting lets software developers run their code on all systems that have an interpreter. This means that they can distribute a single package, rather than pre-compiling executables for several distinct systems. Scripting languages, for example, Python, have their interpreters shipped by default alongside several Linux distributions.
As well as being a helpful tool for administrators and developers, attackers can leverage scripting language interpreters to run code in the target environment. Because of the character of scripting languages, this means that weaponized code could be easily deployed to a target, and could leave it open to on-the-fly scripting to carry out a task.
Sandboxing and application isolation allow you to limit certain operation system interactions, including access via services, user accounts, registry, network access and system calls. This can offer even stronger protection in instances where the source of the executed script remains unknown.
Conclusion
In this article I explained the basics of security sandboxing, and how sandboxing can help prevent catastrophic data breaches:
- Drive-by compromise—protecting a browser by surrounding it with an isolated sandbox environment can prevent “drive by” threats
- Public-facing application exploits—by isolating a public-facing application, breaches of the application do not spread to the rest of the IT environment.
- Privilege escalation and evasion—sandboxing can prevent many types of privilege escalation and make it more difficult for attackers to evade detection.
- Scripting attacks—sandboxing can limit interaction between an application and the underlying system shell, rendering many types of scripting attacks useless.
I hope this will be of help as you consider the use of sandboxing as a core part of your security strategy.