Fighting modern cybercrime is a drawn-out game of hide-and-seek. Cybercriminals do their best to devise new ways of hiding malicious payloads from detection and forensics. APT actors are especially creative in this respect: they have the resources to develop sophisticated hiding methods. Our task, therefore, is to give clients the means to detect hidden threats and analyse their modus operandi no matter what. One such instrument is a new service we have introduced, Kaspersky Cloud Sandbox.
How would you detect malware tailored to be invisible to all sorts of scanners? Catch it in the act, of course, at the moment it begins its malicious activity. Doing that on your corporate network, however, is unsanitary (to put it mildly). Sandboxing was invented precisely to keep such "crime re-enactment experiments" away from your infrastructure.
The core of the sandboxing method is executing the program in a tightly controlled environment, isolated from the main infrastructure. There it can show its true colours without causing any real harm. In one form or another this method is widely used in our products, and it has proved quite effective. The problem is that we are not the only ones who know how it works: malefactors are also well aware that sandboxes exist.
APT actors usually supplement their payload with additional checks that have just one purpose: to find out whether the malware is running in the wild or under the microscope (for instance, whether anyone is actually typing or moving the mouse on this machine). If those checks conclude that it is executing in a controlled environment, the malware simply stops all malicious actions and keeps a low profile.
What can we do on our side? We disguise the sandbox as an ordinary workstation and mimic the daily activity of a typical employee: pressing keys, scrolling through long texts, visiting websites. At the same time we log everything that happens in the sandbox without interfering. This allows a thorough analysis of the object in question and a dossier to be put together: what strings it created in memory, what it accessed in the system registry, what internet addresses it contacted.
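As an added example (not part of the original post, and not Kaspersky's own code or the Cloud Sandbox report format), here is a Python triage script for the kind of behavioural trace a sandbox produces. It flags the environment checks described above (debugger probes, hypervisor-artifact registry lookups, long sleeps, repeated polling of the mouse cursor), collects the registry keys and network destinations the sample touched into a dossier, and reports whether the sample went dormant or went on to act. The "seq|api|argument|result" line format, the set of probed registry keys, the API names and both sample traces are assumptions constructed for this example; the second trace shows what changes once the sandbox hides its hypervisor artifacts and mimics a real user.

```python
"""
Triage of a behavioural sandbox trace (added example; the line format
'seq|api|argument|result' and the heuristics below are assumptions).
"""

# Registry keys whose presence betrays a hypervisor; an illustrative set.
VM_ARTIFACT_KEYS = (
    r"software\vmware, inc.\vmware tools",
    r"software\oracle\virtualbox guest additions",
)
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
NETWORK_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "connect"}
SLEEP_TOTAL_MS = 60_000   # cumulative Sleep above this counts as a stall


def parse_trace(text):
    """Parse 'seq|api|argument|result' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        seq, api, arg, result = line.split("|", 3)
        events.append({"seq": int(seq), "api": api, "arg": arg, "result": result})
    return events


def detect_evasion(events):
    """Return human-readable findings for sandbox-detection behaviour."""
    findings = []
    sleep_ms = 0
    cursor_samples = []
    for ev in events:
        api, arg = ev["api"], ev["arg"]
        if api in DEBUG_APIS:
            findings.append(f"debugger check via {api}")
        elif api.startswith("RegOpenKeyEx") and any(
                key in arg.lower() for key in VM_ARTIFACT_KEYS):
            # Result "0" is ERROR_SUCCESS: the key exists, so the sample
            # now knows it is inside a virtual machine.
            found = "present" if ev["result"] == "0" else "absent"
            findings.append(f"hypervisor artifact probe ({found}): {arg}")
        elif api == "Sleep":
            sleep_ms += int(arg)
        elif api == "GetCursorPos":
            cursor_samples.append(ev["result"])
    if sleep_ms > SLEEP_TOTAL_MS:
        findings.append(f"time-based stall: {sleep_ms} ms of Sleep")
    if len(cursor_samples) >= 3:
        moved = len(set(cursor_samples)) > 1
        findings.append("user-activity check: cursor polled %d times, %s"
                        % (len(cursor_samples),
                           "movement seen" if moved else "no movement"))
    return findings


def build_dossier(events):
    """Summarise what the sample touched and whether it went dormant."""
    registry = sorted({ev["arg"] for ev in events if ev["api"].startswith("Reg")})
    network = sorted({ev["arg"] for ev in events if ev["api"] in NETWORK_APIS})
    evasion = detect_evasion(events)
    return {
        "registry": registry,
        "network": network,
        "evasion": evasion,
        # Checks ran but no payload activity followed: the sample bailed out.
        "dormant": bool(evasion) and not network,
    }


# Constructed trace: an undisguised sandbox. The VMware key exists, the
# cursor never moves, and the sample exits without doing anything.
TRACE_BARE_SANDBOX = r"""
1|IsDebuggerPresent||0
2|RegOpenKeyExW|HKLM\SOFTWARE\VMware, Inc.\VMware Tools|0
3|GetCursorPos||(512,384)
4|Sleep|45000|
5|GetCursorPos||(512,384)
6|Sleep|45000|
7|GetCursorPos||(512,384)
8|ExitProcess|0|
"""

# Constructed trace: the same sample in a sandbox that hides the artifact
# (result 2 = ERROR_FILE_NOT_FOUND) and moves the mouse; it proceeds to
# persist and beacon, which is what the analyst wants to see.
TRACE_DISGUISED = r"""
1|IsDebuggerPresent||0
2|RegOpenKeyExW|HKLM\SOFTWARE\VMware, Inc.\VMware Tools|2
3|GetCursorPos||(512,384)
4|Sleep|45000|
5|GetCursorPos||(611,402)
6|Sleep|45000|
7|GetCursorPos||(640,415)
8|RegOpenKeyExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|0
9|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|0
10|InternetOpenUrlW|http://c2.example.test/beacon|0
"""

if __name__ == "__main__":
    for name, trace in (("bare", TRACE_BARE_SANDBOX), ("disguised", TRACE_DISGUISED)):
        print(name, build_dossier(parse_trace(trace)))
```

The same evasion findings appear in both dossiers, which is the useful part for an analyst: the probes the sample makes tell you what the sandbox must hide, and the second trace only yields registry and network indicators because those probes came back negative.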
Of course, such an instrument cannot be built into an on-premise security solution: it is not needed on an everyday basis, and keeping it in the infrastructure is not cost-effective. That is why we created a cloud service accessible to Kaspersky Threat Intelligence Portal clients. It allows corporate Security Operations Centre staff and forensic analysts to receive detailed reports on any suspicious object.
Essentially, Kaspersky Threat Intelligence Portal is a hub that aggregates all available threat intelligence data in real time. That is why our cloud sandbox is equipped not only with the latest information from Kaspersky Security Network (KSN) but also with the latest behavioural detection technologies, so it can detect threats that have not yet been encountered in the wild.
Kaspersky Cloud Sandbox is especially handy during cyberincident investigations. Preventing an attack is only half the battle; it is no less important to understand what the criminals were after and what methods they employed. Among other things, such information allows security systems to be improved in case the same or a similar attack recurs.