{"id":20853,"date":"2020-07-07T17:12:53","date_gmt":"2020-07-07T16:12:53","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/research-sandbox\/20853\/"},"modified":"2020-09-03T15:54:17","modified_gmt":"2020-09-03T14:54:17","slug":"research-sandbox","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/research-sandbox\/20853\/","title":{"rendered":"Sandbox for experts"},"content":{"rendered":"<p>The creators of mass Trojans go to great lengths to execute their malicious code on victims\u2019 computers. However, the masterminds behind complex threats and APT attacks spend no less effort on developing mechanisms <em>not<\/em> to execute their code. That way, they can bypass security technologies \u2014 in particular, sandboxes.<\/p>\n<h2>Sandboxes and evasion techniques<\/h2>\n<p>One of the basic tools for identifying malicious activity is the so-called <em>sandbox<\/em>. Essentially, it is a controlled, isolated environment. Security solutions can execute suspicious code in this environment and analyze all of its actions with no harm to the system. If a solution detects any malicious activity, it blocks execution of this code outside the sandbox.<\/p>\n<p>This containment method is very effective against mass threats. Security vendors implement the sandboxing mechanism in one form or another in most security solutions. Therefore, cybercriminals have developed technologies whose sole purpose is to determine whether the malware is running in a controlled environment or in the workstation\u2019s actual operating system. The simplest methods involve trying to access an outside server (blocked by regular sandboxes) or checking system parameters. If something is off, the malware usually self-destructs, leaving no trace of the attack and thus complicating the researchers\u2019 work. 
More advanced threats also check for a real user in the system; if the code is running with no trace of real human activity, it may be running in a sandbox.<\/p>\n<p>Naturally, we\u2019ve responded by improving our anti-evasion technologies. In particular, our infrastructure incorporates a powerful sandbox armed with mechanisms capable of emulating various environments, backed by Kaspersky\u2019s accumulated knowledge about all kinds of possible malicious activity. Researchers can use part of the sandbox functionality remotely, through our Kaspersky Cloud Sandbox solution.<\/p>\n<p>But using a remote sandbox doesn\u2019t always work for large companies that have dedicated security operations centers. First, many internal and external regulations prohibit the transfer of any information to third-party servers. That includes suspicious code. Second, malware tailored for attacks on individual companies can check for conditions specific to a particular infrastructure (for example, the presence of highly specialized software) and refuse to run anywhere else. Therefore, our solution, Kaspersky Research Sandbox, can be deployed within the corporate infrastructure.<\/p>\n<h2>Kaspersky Research Sandbox key features<\/h2>\n<p>Kaspersky Research Sandbox does not transfer anything outside the corporate infrastructure \u2014 if necessary, it can work through Kaspersky Private Security Network, which operates in data-diode mode. But its main advantage is that it allows researchers to build their own emulation environment. That means they can create an exact isolated copy of a typical workstation that employees use at their company, with all of its specific software and network settings, and investigate the behavior of suspicious objects on that copy.<\/p>\n<p>What\u2019s more, Kaspersky Research Sandbox technologies not only use advanced behavior analysis tools to track everything that happens in this isolated environment, but they also mimic human activity in the system. 
Therefore, our sandbox enables the detonation, analysis, and detection of advanced threats, even if they are tailored specifically for your infrastructure.<\/p>\n<p>The solution can emulate machines running Microsoft Windows or Android. You can learn more about Kaspersky Research Sandbox on the <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/sandbox-malware-analysis?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">solution's dedicated page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We developed a sandbox capable of emulating a company-specific system in an isolated environment.<\/p>\n","protected":false},"author":2581,"featured_media":20854,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360],"tags":[423,502,2204],"class_list":{"0":"post-20853","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-products-2","11":"tag-sandbox"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/research-sandbox\/20853\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/research-sandbox\/21537\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/research-sandbox\/17003\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/research-sandbox\/22762\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/research-sandbox\/30150\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/research-sandbox\/36258\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/research-sandbox\/13668\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/research-sandbox\/24656\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/research-sandbox\/11688\/"},{"hreflang":
"ru-kz","url":"https:\/\/blog.kaspersky.kz\/research-sandbox\/23590\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/research-sandbox\/27819\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/research-sandbox\/27661\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/sandbox\/","name":"sandbox"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/20853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=20853"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/20853\/revisions"}],"predecessor-version":[{"id":21426,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/20853\/revisions\/21426"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/20854"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=20853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=20853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=20853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
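The post describes three classes of sandbox-evasion checks (outbound connectivity, system parameters that betray a virtual machine, and traces of a real user) plus the target-specific check that tailored malware performs (is the expected specialized software installed?). The following is an added example, not code from the Kaspersky post or from Kaspersky Research Sandbox: it models those checks as pure functions over a constructed environment profile, so an analyst can confirm that a home-built emulation environment would satisfy them before detonating a sample in it. The `EnvProfile` fields, the `VM_MARKERS` list, every threshold, and the three sample profiles are assumptions chosen for illustration, not values from the page.

```python
"""Analyst self-check: would a sample's anti-sandbox heuristics fire here?

Added example (not Kaspersky's code). Profile fields, marker names, thresholds
and sample profiles are all assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class EnvProfile:
    """What a sample could observe about its host. Field names are hypothetical."""
    outbound_http_ok: bool          # could the sample reach an external server?
    cpu_count: int
    ram_gb: float
    disk_gb: float
    uptime_minutes: int
    vm_artifacts: List[str] = field(default_factory=list)   # driver/service names seen
    recent_documents: int = 0       # entries in the user's recent-files list
    mouse_moves_last_minute: int = 0
    foreground_window_changes: int = 0
    installed_apps: List[str] = field(default_factory=list)


# Assumed, non-exhaustive list of guest-tool names that reveal a hypervisor.
VM_MARKERS = {"vboxguest", "vmtoolsd", "vmmouse", "qemu-ga", "xenservice"}


def connectivity_check(p: EnvProfile) -> List[str]:
    """Simplest check: plain sandboxes block outbound traffic."""
    return [] if p.outbound_http_ok else ["no outbound connectivity"]


def system_parameter_checks(p: EnvProfile) -> List[str]:
    """Hardware sizing and virtualization artifacts typical of a bare analysis VM."""
    findings = []
    if p.cpu_count < 2:
        findings.append("single vCPU")
    if p.ram_gb < 4:
        findings.append("less than 4 GB RAM")
    if p.disk_gb < 60:
        findings.append("small disk")
    if p.uptime_minutes < 10:
        findings.append("uptime under 10 minutes")
    hits = sorted({a.lower() for a in p.vm_artifacts} & VM_MARKERS)
    if hits:
        findings.append("virtualization artifacts: " + ", ".join(hits))
    return findings


def human_activity_checks(p: EnvProfile) -> List[str]:
    """Advanced check: a machine nobody has ever used looks like a sandbox."""
    findings = []
    if p.recent_documents == 0:
        findings.append("empty recent-documents list")
    if p.mouse_moves_last_minute == 0:
        findings.append("no mouse movement")
    if p.foreground_window_changes == 0:
        findings.append("no window switching")
    return findings


def target_specific_check(p: EnvProfile, required_apps: Sequence[str]) -> List[str]:
    """Tailored malware: refuse to run unless the victim's special software is present."""
    missing = sorted(set(required_apps) - set(p.installed_apps))
    return ["expected software missing: " + ", ".join(missing)] if missing else []


def sandbox_verdict(p: EnvProfile, required_apps: Sequence[str] = (),
                    threshold: int = 2) -> Tuple[bool, List[str]]:
    """True when enough findings accumulate that a cautious sample would self-destruct."""
    findings = (connectivity_check(p) + system_parameter_checks(p)
                + human_activity_checks(p) + target_specific_check(p, required_apps))
    return len(findings) >= threshold, findings


# Constructed sample profiles (assumptions, not measurements).
REQUIRED_APPS = ("SAP GUI",)   # hypothetical company-specific software a tailored sample looks for

BARE_SANDBOX = EnvProfile(outbound_http_ok=False, cpu_count=1, ram_gb=2, disk_gb=40,
                          uptime_minutes=3, vm_artifacts=["VBoxGuest"])

# Hardware and artifacts fixed, but nobody "uses" the machine: still caught by human-activity checks.
HARDWARE_ONLY = EnvProfile(outbound_http_ok=True, cpu_count=4, ram_gb=16, disk_gb=256,
                           uptime_minutes=1440, installed_apps=["SAP GUI", "Microsoft Office"])

# Copy of a real workstation with simulated user activity: passes every check.
EMULATED_WORKSTATION = EnvProfile(outbound_http_ok=True, cpu_count=4, ram_gb=16, disk_gb=256,
                                  uptime_minutes=1440, recent_documents=37,
                                  mouse_moves_last_minute=120, foreground_window_changes=4,
                                  installed_apps=["SAP GUI", "Microsoft Office"])

if __name__ == "__main__":
    for name, prof in [("bare sandbox", BARE_SANDBOX), ("hardware only", HARDWARE_ONLY),
                       ("emulated workstation", EMULATED_WORKSTATION)]:
        detected, why = sandbox_verdict(prof, REQUIRED_APPS)
        print(f"{name}: {'evaded' if detected else 'detonates'} {why}")
```

The `HARDWARE_ONLY` profile is the instructive case: sizing the VM like a real machine and hiding hypervisor artifacts is not enough, because a sample that looks for recent documents, mouse movement or window switching still sees an untouched machine. That is the gap the post's "mimic human activity" feature is meant to close, and this check lets an analyst verify their own environment against it.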