Sandboxing isn't sexy
In the cybersecurity industry, we love our jargon, acronyms and abbreviations. The list is endless! Yet, sandboxing doesn't often come up during conversations. With the current buzz about AI, there are seemingly 'cooler' topics to discuss for a security engineer like myself.
...That being said, I'd like to shine a light on sandboxing, so bear with me as I explain my reasoning...
Let's first clarify what sandboxing means.
To me, sandboxing is a security mechanism where a separate, isolated environment is created to run and test untrusted or suspicious payloads.
In simple terms, sandboxing is like a test kitchen for suspicious payloads. It's where we take that questionable email attachment or that downloaded file from who-knows-where and see what it's really up to—without putting our network at risk.
Think of it like a controlled explosion chamber used by bomb squads. It contains the blast, so if something explodes, it doesn’t hurt anyone.
At its core, a sandbox ensures payloads are investigated and the resulting threat intelligence is relayed back to the tool or analyst responsible for its submission. This intelligence is crucial for bolstering our defenses.
While there's a plethora of technology behind the scenes of a quality sandbox, I'll spare you the technical deep dive. The key takeaway is its role in preventing disasters. The whole point is to catch bad stuff before it wreaks havoc on any part of your network.
Fundamentally, sandboxing is a cat and mouse game between threat actors and sandbox developers. Threat actors do not want their payloads caught by a sandbox; it would undo their efforts and force them to start over. Sandbox developers want to unmask malicious payloads and extract as much threat intelligence as possible.
The result of the latter? All security tools are updated with the newly discovered intelligence and thus improve their detection quality.
This should be a continuous cycle!
Now, this whole process of analyzing payloads, collecting threat intelligence, and sharing it with other security tools is laborious, resource intensive and takes some effort to integrate into security frameworks, hence it just isn’t sexy to talk about.
-however-
From my personal experience, sandboxing has very quickly proven itself during every project I've been involved in.
By now I’d argue this is a mandatory and very foundational component to anything and everything related to Network, Cloud, Application, and Endpoint security.
So, what’s the urgency now?
I think it’s always been an under-appreciated tool, but now with the explosion of AI its importance has skyrocketed. The principle here is that with the use of AI in cyberattacks, traditional, often signature-based tooling is just less effective. Really, there’s only one (near-)definitive method to determine the nature of payloads, and that’s behavior.
Sandboxing is a proven technology to do exactly that.
With the assistance of AI, it’s easy to write obfuscated payloads that perform malicious tasks whilst evading detection, so behavior matters! As an example of what I mean by that:
That's the kind of info we need!?
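To make the signature-versus-behavior point concrete, here is a small illustration I am adding to the article; it is a constructed toy, not code from the original post or from any real sandbox product. A mini "payload language" is interpreted by a toy sandbox that records what a script does, and sits beside a signature check that only looks at bytes. The same script is fed in twice, once readable and once wrapped in a base64 layer; the signature check loses it after wrapping, the behavior trace does not, and the sandbox verdict is then fed back to the signature database, which is the feedback loop described earlier. The payloads, the signature patterns, the verdict rule and the host names are all constructed for the demo.

```python
import base64
import hashlib

# Constructed signature database: exact-hash and byte-pattern matches, the
# kind of thing a traditional static scanner relies on. Starts with no hashes.
KNOWN_BAD_HASHES: set[str] = set()
KNOWN_BAD_PATTERNS = [b"connect bad.example", b"persist /"]

# Constructed toy payloads in a made-up mini-language. PLAIN_PAYLOAD is the
# readable form; OBFUSCATED_PAYLOAD wraps the very same script in one base64
# layer so its bytes share nothing with the signature patterns above.
PLAIN_PAYLOAD = (
    "write /tmp/stage.bin AAAA\n"
    "connect bad.example:443\n"
    "persist /tmp/stage.bin\n"
)
OBFUSCATED_PAYLOAD = (
    "decode_and_run " + base64.b64encode(PLAIN_PAYLOAD.encode()).decode() + "\n"
)


class ToySandbox:
    """Interprets the constructed mini-language against a simulated
    environment and records every observable action as a trace entry.
    Nothing touches the real host: files and connections are pretend."""

    def __init__(self) -> None:
        self.trace: list[tuple] = []
        self.files: dict[str, str] = {}   # simulated filesystem

    def run(self, script: str, depth: int = 0) -> list[tuple]:
        for raw in script.splitlines():
            line = raw.strip()
            if not line:
                continue
            op, _, arg = line.partition(" ")
            if op == "write":
                path, _, data = arg.partition(" ")
                self.files[path] = data
                self.trace.append(("file_write", path))
            elif op == "connect":
                self.trace.append(("network_connect", arg))
            elif op == "persist":
                self.trace.append(("autostart_entry", arg))
            elif op == "decode_and_run":
                # The obfuscation layer: decode, then keep observing. The
                # sandbox sees what the payload does, not how it was encoded.
                self.trace.append(("decode_layer", depth + 1))
                self.run(base64.b64decode(arg).decode(), depth + 1)
            else:
                self.trace.append(("unknown_op", op))
        return self.trace


def signature_verdict(payload: bytes) -> bool:
    """Static check: known hash or known byte pattern, nothing else."""
    digest = hashlib.sha256(payload).hexdigest()
    return digest in KNOWN_BAD_HASHES or any(p in payload for p in KNOWN_BAD_PATTERNS)


def behavior_verdict(trace: list[tuple]) -> tuple[bool, list[str]]:
    """Dynamic check: a constructed rule over the observed behaviors."""
    kinds = {entry[0] for entry in trace}
    reasons = []
    if "network_connect" in kinds:
        reasons.append("outbound connection")
    if "autostart_entry" in kinds:
        reasons.append("persistence via autostart entry")
    if "decode_layer" in kinds:
        reasons.append("self-decoding layer")
    # Constructed threshold: outbound contact plus persistence is enough.
    malicious = "network_connect" in kinds and "autostart_entry" in kinds
    return malicious, reasons


def analyze(payload: str) -> dict:
    """Run both checks on one payload and report what each one saw."""
    trace = ToySandbox().run(payload)
    malicious, reasons = behavior_verdict(trace)
    return {
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "signature_hit": signature_verdict(payload.encode()),
        "behavior_hit": malicious,
        "reasons": reasons,
        "trace": trace,
    }


def feed_back(result: dict) -> None:
    """The feedback loop: a behavior verdict becomes intelligence for the
    static tools, so this exact sample is caught by hash next time without
    another detonation."""
    if result["behavior_hit"]:
        KNOWN_BAD_HASHES.add(result["sha256"])


if __name__ == "__main__":
    for name, payload in (("plain", PLAIN_PAYLOAD), ("obfuscated", OBFUSCATED_PAYLOAD)):
        result = analyze(payload)
        print(f"{name}: signature={result['signature_hit']} "
              f"behavior={result['behavior_hit']} {result['reasons']}")
        feed_back(result)
    print("after feedback, signature hit on obfuscated sample:",
          signature_verdict(OBFUSCATED_PAYLOAD.encode()))
```

Run it and the obfuscated sample shows `signature=False behavior=True` on the first pass, with the same three actions in its trace as the readable sample plus the decoding layer; after `feed_back` the static check catches that exact sample by hash. The limitation is visible too: re-encoding the wrapper changes the hash again, which is exactly why the behavior verdict, not the hash, is the durable piece of intelligence.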
It doesn’t stop here though.
Another big game-changer with AI in cyberattacks is the sheer pace at which they unfold. These AI-driven systems work autonomously, no human interaction required, so no lengthy decision times (on next steps of a breach) needed. They're adapting to situations and making moves in seconds based on information learned during the breach.
As such, we do not have the “luxury” of spending weeks doing forensic analysis. By that time, it’ll mostly be too late to prevent damage and you’ll be firefighting a preventable issue.
Summarizing it all, just think of AI as the enabler for faster, more damaging and heavily automated cyberattacks. To combat all of this, there's no way around AI-powered, automated and very much integrated defenses. Sandboxing is proven technology here.
When this is baked into your security setup and is part of a cybersecurity platform I have no doubt they’ll help prevent a ton of issues!
Business Development Manager - Operational Technology (OT)
11 months Thijs Bots sandbox!
Named Account Manager Public | Education at Fortinet
11 months Pascal te Pas Teun Everink