NetworkSage vs. Sandboxes
A question that I’ve come across -- and that I thought through early in identifying the value of NetworkSage -- is how Network Interpreters compare to Sandbox technologies. I wanted to share how I think about the similarities and differences of these tools.
Sandboxes -- What are They?
First, I want to acknowledge that sandbox technologies are an excellent tool in the analyst’s toolbox. There are three main types that I’m aware of:
In binary-based sandboxes, an analyst submits some sort of executable file and allows the sandbox to analyze and detonate it. Common sandboxes that do this are VirusTotal (owned by Google), HybridAnalysis (owned by CrowdStrike), and Hatching Triage.
Figure 1: VirusTotal UI
URL-based sandboxes allow an analyst to submit a domain name or URL to the system. The platform will then attempt to visit it, follow any redirects, and provide the user with information about what it discovered. The most well-known sandbox doing just this is Urlscan (independent), though Joe Sandbox (independent) and VirusTotal also perform URL analysis.
Figure 2: Urlscan UI
Interactive sandboxes allow an analyst to set up a temporary environment and perform whatever analysis they choose -- whether that's clicking on a binary, visiting a website, or something else. The service ANY.RUN (independent) is the most well-known interactive sandbox, though Joe Sandbox also provides the ability to perform interactive analysis.
Figure 3: ANY.RUN UI
Sandbox Shortcomings
Sandboxes are an indispensable tool, but they have a very real and important limitation: they can only represent what occurs in their environment at the time of analysis. To understand why this is important, let's walk through some real-world scenarios.
Scenario 1: User Visits Short-Lived Malicious Site
In the first scenario, say you have a user (Bob) who has received a Microsoft-themed phishing email. Bob clicks on the link, enters his credentials, and goes about his day without realizing his error.
Figure 4: Bob enters his credentials into phishing portal
Later in the day, you receive an alert from your security tools telling you that Bob visited a site that it thinks is malicious. You submit the site's URL to a sandbox, only to find out that the site is down (somebody else reported the site to the Glitch platform admins, but that information didn't make it into the sandbox). Nobody else had submitted this domain to the sandbox, so there's seemingly nothing bad to worry about! At this point, without any more meaningful evidence, you walk away with the belief that there's nothing to worry about. But in reality, you've missed a real attack (a False Negative), and the attacker is now leveraging Bob's credentials to carry it further.
Figure 5: Phishing portal is now down and not obviously malicious
Scenario 2: Attack Targets Your Organization
In the second scenario, a malware author has decided that your organization is worth specifically targeting. To achieve this, they set up a watering hole attack related to topics of interest to your employees. When someone visits the site, they check the public IP address of the system and -- when it's a match -- convince the user to install a trojanized Chrome extension. However, when it's not a match, the page shows an article relevant to your industry.
Bob -- perpetually gullible -- visited the site, and soon after installed the trojanized Chrome extension!
Later, when your security tools identify some anomalous activity to the watering hole site, you visit the site via an interactive sandbox. But when you visit the site, all you see is an article about widgets in your industry. You’ve again missed an attack on your employees. This kind of scenario plays out in many slight variations, including geolocation targeting, links that can be used only once, specific operating systems to target, and so on.
Scenario 3: Specific Link Required
In scenario 3, Bob has clicked on a link in an email that tells him he has received a new document.
Figure 6: Bob gets an email about a received document
Bob was expecting a document from an external vendor recently, so he checks it out and finds that he needs to enter his credentials in order to download a file that needs his signature. Bob enters his credentials, then downloads and opens the file.
Figure 7: Bob visits a specific link
In the background, the downloaded file is now taking additional steps on Bob’s computer to download follow-on stages.
When your security tools alert you to some suspicious behavior, you only see the domain name, because the communications are TLS-encrypted. You submit the domain to a sandbox, but it appears to be uninteresting:
Figure 8: Visiting the Parent Domain
If you had submitted the full URL, the URL-based sandbox may have identified the phishing portal; had it been an interactive sandbox, you would've received the malicious file (which is a commonly-known trojan flagged by many security vendors). However, since this information was encrypted, you unwittingly mark this as a False Positive and move on with your day.
Scenario 4: Phishing Site Leverages Anti-Bot Technology
In this scenario, Bob clicked on a link that took him to a site that has anti-bot technology installed.
Figure 9: Malicious site with Antibot technology
After proving he's a human, he is connected to a phishing site, where he promptly enters his credentials.
Figure 10: Phishing page
Moments later, an anomaly detection tool gives you an alert about Bob visiting an anomalous site. You submit the site to a URL sandbox, which quickly returns a verdict of not malicious. The sandbox was unable to bypass the captcha and observe the phishing portal, so you are again lulled into a false sense of security.
Scenario 5: User Visits Known Phishing Site
In this final scenario, Bob has wised up...a bit. He receives and clicks on a Microsoft-themed phishing email, but this time he realizes the error in his ways and leaves the site before entering any credentials.
Figure 11: Bob leaves phishing site without entering credentials
Later, when analyzing alerts from your security tools, you notice that a user visited a suspected phishing site. When you submit the domain to a sandbox, it's clear that this is a True Positive. However, what you don't know is that Bob didn't actually enter his credentials. Therefore, you'll be wasting time prioritizing and responding to an incident that doesn't actually exist!
Figure 12: Sandbox identifies site as malicious
To take the example further, imagine if 10 users in your organization clicked on the link, and only three entered credentials; how would you know how to prioritize without calling all 10 users?
How is NetworkSage Different?
The importance of understanding what actually happened to your users in your organization is paramount. Otherwise you may constantly be underreacting or overreacting in significant ways. This is a major gap -- a gap that NetworkSage fills!
Because NetworkSage works with your network flows (no payload needed!), it is able to explain and visualize what actually happened in your organization -- from start to finish. When you share your network flows, you will be able to see:
- what Attack Vectors were used to bypass your defenses
Figure 13: Attack Vector for Phishing Compromise
- how your user interacted with the site
- whether or not they did something that you should remediate
Figure 14: User Impacted -- Credentials Compromised
This is something that no sandbox can achieve in an automated fashion.
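As an added illustration of the prioritization problem from Scenario 5 and of what flow metadata alone can support (example code written for this edit, not NetworkSage's code or its method), the Python below takes a constructed set of flow records and an assumed outbound-byte threshold to separate users who merely loaded a phishing page from those who appear to have submitted a form. The host name, byte counts and threshold are all constructed assumptions.

```python
"""Flow-only triage heuristic (added example; not NetworkSage's method).

Assumptions, constructed for this example:
- a flow record carries user, destination name, timestamp and byte counts,
  all of which remain visible even when the payload is TLS-encrypted;
- a credential submission shows up as a later outbound burst to the same
  host that is larger than the requests that merely fetched the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    dst: str          # destination host (DNS/SNI name); no payload needed
    ts: float         # seconds since some epoch
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


PHISH_HOST = "login-portal.example.invalid"   # constructed placeholder
POST_MIN_BYTES_OUT = 1_000                     # assumed form-POST threshold

# Constructed sample flows: alice loads the page and leaves (Scenario 5),
# bob loads the page and then sends a larger burst (Scenario 1), carol is
# unrelated traffic.
SAMPLE_FLOWS = [
    Flow("alice", PHISH_HOST, 100.0, 612, 48_000),
    Flow("bob", PHISH_HOST, 200.0, 598, 47_500),
    Flow("bob", PHISH_HOST, 214.0, 1_420, 3_200),
    Flow("carol", "news.example.invalid", 300.0, 700, 90_000),
]


def classify_users(flows, host, post_min=POST_MIN_BYTES_OUT):
    """Return {user: 'visited' | 'submitted'} for users who contacted host."""
    verdict = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst != host:
            continue
        prior = verdict.get(f.user)
        if prior is None:                       # first contact: page load
            verdict[f.user] = "visited"
        elif prior == "visited" and f.bytes_out >= post_min:
            verdict[f.user] = "submitted"       # later outbound burst
    return verdict


def prioritize(flows, host):
    """Likely credential submitters first, then users who only visited."""
    v = classify_users(flows, host)
    rank = {"submitted": 0, "visited": 1}
    return sorted(v, key=lambda u: (rank[v[u]], u))
```

With the constructed flows, bob is ranked ahead of alice and carol is not listed at all, which is the triage order the 10-users question above is asking for.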
Further, because NetworkSage is built on top of patent-pending traffic labeling, the commonality of your activity (whether that’s an advertisement loading or a never-before-seen phishing site) is automatically correlated with the entire community. Those activities that are interesting -- either because they’re indicators of attacks, malicious behavior, or things that commonly confuse analysts -- can have additional information attached to them by a growing team of expert analysts. Evolution of the threat landscape is met with evolution of community knowledge.
Figure 15: Sample in NetworkSage's Events View
All of this boils down to giving you more time to focus on prevention, investigating real incidents, and proactively hunting. Who wouldn’t want that?
To dig deeper into what NetworkSage has to offer, I recommend the following resources:
Or, if you just want to get out and start exploring, you can register for a free account and start submitting samples now!