NetworkSage vs. Sandboxes

A question that I’ve come across -- and that I thought through early in identifying the value of NetworkSage -- is how Network Interpreters compare to Sandbox technologies. I wanted to share how I think about the similarities and differences of these tools.

Sandboxes -- What are They?

First, I want to acknowledge that sandbox technologies are an excellent tool in the analyst’s toolbox. There are three main types that I’m aware of:

1. Binary-based

In binary-based sandboxes, an analyst submits some sort of executable file and allows the sandbox to analyze and detonate it. Common sandboxes that do this are VirusTotal (owned by Google), HybridAnalysis (owned by CrowdStrike), and Hatching Triage (independent).

Figure 1: VirusTotal UI

2. URL-based

URL-based sandboxes allow an analyst to submit a domain name or URL to the system. The platform will then attempt to visit it, follow any redirects, and provide the user with information about what it discovered. The most well-known sandbox doing just this is Urlscan (independent), though Joe Sandbox (independent) and VirusTotal also perform URL analysis.

Figure 2: Urlscan UI

3. Interactive

Interactive sandboxes allow an analyst to set up a temporary environment and perform whatever analysis they choose -- whether that’s clicking on a binary, visiting a website, or something else. The service ANY.RUN (independent) is the most well-known interactive sandbox, though Joe Sandbox also provides the ability to perform interactive analysis.

Figure 3: ANY.RUN UI

Sandbox Shortcomings

Sandboxes are an indispensable tool, but they have a very real and important limitation: they can only represent what occurs in their environment at the time of analysis. To understand why this is important, let’s walk through some real-world scenarios.

Scenario 1: User Visits Short-Lived Malicious Site

In the first scenario, say you have a user (Bob) who has received a Microsoft-themed phishing email. Bob clicks on the link, enters his credentials, and goes about his day without realizing his error.

Figure 4: Bob enters his credentials into phishing portal

Later in the day, you receive an alert from your security tools telling you that Bob visited a site that it thinks is malicious. You submit the site’s URL to a sandbox, only to find out that the site is down (somebody else reported the site to the Glitch platform admins, but that information didn’t make it into the sandbox). Nobody else had submitted this domain to the sandbox, so there’s seemingly nothing bad to worry about! At this point, without any more meaningful evidence, you walk away with the belief that there’s nothing to worry about. In reality, you’ve recorded a False Negative, and the attacker is now using Bob’s credentials to carry the attack further.

Figure 5: Phishing portal is now down and not obviously malicious

Scenario 2: Attack Targets Your Organization

In the second scenario, a malware author has decided that your organization is worth specifically targeting. To achieve this, they set up a watering hole attack related to topics of interest to your employees. When someone visits the site, the page checks the visitor’s public IP address. When it matches one of your organization’s addresses, the page convinces the user to install a trojanized Chrome extension; when it doesn’t match, the page simply shows an article relevant to your industry.

Bob -- perpetually gullible -- visited the site, and soon after installed the trojanized Chrome extension!

Later, when your security tools identify some anomalous activity to the watering hole site, you visit the site via an interactive sandbox. But the sandbox’s egress address is not one of yours, so all you see is an article about widgets in your industry. You’ve again missed an attack on your employees. This kind of scenario plays out in many slight variations, including geolocation targeting, links that can be used only once, targeting of specific operating systems or browsers, and so on.

Scenario 3: Specific Link Required

In scenario 3, Bob has clicked on a link in an email that tells him a new document has been received for him.

Figure 6: Bob gets an email about a received document

Bob was expecting a document from an external vendor recently, so he checks it out and finds that he needs to enter his credentials in order to download a file that needs his signature. Bob enters his credentials, then downloads and opens the file.

Figure 7: Bob visits a specific link

In the background, the downloaded file is now taking additional steps on Bob’s computer to download follow-on stages.

When your security tools alert you to some suspicious behavior, you only see the domain name (from DNS or the TLS SNI), not the full URL, because the communications are TLS-encrypted. You submit the domain to a sandbox, but it appears to be uninteresting:

Figure 8: Visiting the Parent Domain

If you had submitted the full URL, the URL-based sandbox may have identified the phishing portal; had it been an interactive sandbox, you would’ve received the malicious file (which is a commonly-known trojan flagged by many security vendors). However, since the path was encrypted and you only had the domain to work with, you unwittingly mark this as a False Positive and move on with your day.

Scenario 4: Phishing Site Leverages Anti-Bot Technology

In this scenario, Bob clicked on a link that took him to a site that has anti-bot technology installed.

Figure 9: Malicious site with Antibot technology

After proving he’s a human, he is connected to a phishing site, where he promptly enters his credentials.

Figure 10: Phishing page

Moments later, an anomaly detection tool gives you an alert about Bob visiting an anomalous site. You submit the site to a URL sandbox, which quickly returns a verdict of not malicious. The sandbox was unable to pass the CAPTCHA and so never observed the phishing portal behind it, and you are again lulled into a false sense of security.

Scenario 5: User Visits Known Phishing Site

In this final scenario, Bob has wised up...a bit. He receives a Microsoft-themed phishing email and clicks on the link, but this time he realizes the error in his ways and leaves the site before entering any credentials.

Figure 11: Bob leaves phishing site without entering credentials

Later, when analyzing alerts from your security tools, you notice that a user visited a suspected phishing site. When you submit the domain to a sandbox, it’s clear that this is a True Positive. However, what you don’t know is that Bob never actually entered his credentials. You’ll therefore waste time prioritizing and responding to an incident that doesn’t actually exist!

Figure 12: Sandbox identifies site as malicious

To take the example farther, imagine if 10 users in your organization clicked on the link, and only three entered credentials; how would you know how to prioritize without calling all 10 users?
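The prioritization question above can be approached from flow metadata alone, without ever seeing the encrypted payload. The following Python is an added illustration written for this page, not NetworkSage’s code or its actual method. It assumes two heuristic signals that are common to credential-phishing kits but not guaranteed: a form submission shows up as a client upload noticeably larger than the landing-page fetch, and many kits redirect the victim to the impersonated brand’s real login page immediately after harvesting. The hostnames, thresholds and the ten users’ flow records are all constructed for the example.

```python
"""Triage a mass phishing click from flow metadata only (no payload inspection)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    user: str
    dst: str         # server name seen in DNS or the TLS SNI; the payload is encrypted
    bytes_out: int   # client-to-server application bytes
    bytes_in: int    # server-to-client application bytes


# Hypothetical hostnames for the illustration.
PHISH = "secure-docs-signin.example"   # the phishing portal (assumed)
BRAND = "login.microsoftonline.com"    # the impersonated brand's real login host


def classify_interactions(flows, phish=PHISH, brand=BRAND,
                          upload_factor=2.0, redirect_window=15.0):
    """Return {user: verdict} for every user who contacted `phish`.

    Heuristic (assumptions, not ground truth):
      * baseline = median bytes_out of each user's first flow to `phish`
                   (landing-page GET plus handshake overhead)
      * upload   = a later flow to `phish` sending >= upload_factor * baseline,
                   the size signature of a form POST
      * redirect = a flow to `brand` within redirect_window seconds after the
                   upload, the post-harvest bounce many phishing kits perform
    Verdicts: "likely_submitted" (upload + redirect), "possible_submission"
    (upload only), "visited" (neither).
    """
    per_user = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        per_user[f.user].append(f)

    first_gets = []
    for fs in per_user.values():
        hits = [f for f in fs if f.dst == phish]
        if hits:
            first_gets.append(hits[0].bytes_out)
    if not first_gets:
        return {}
    threshold = upload_factor * median(first_gets)

    verdicts = {}
    for user, fs in per_user.items():
        hits = [f for f in fs if f.dst == phish]
        if not hits:
            continue
        uploads = [f for f in hits[1:] if f.bytes_out >= threshold]
        if not uploads:
            verdicts[user] = "visited"
            continue
        redirected = any(
            g.dst == brand and 0 <= g.ts - u.ts <= redirect_window
            for u in uploads for g in fs)
        verdicts[user] = "likely_submitted" if redirected else "possible_submission"
    return verdicts


def triage_queue(verdicts):
    """Users to contact first, then the ones worth a follow-up, then no-action."""
    order = {"likely_submitted": 0, "possible_submission": 1, "visited": 2}
    return sorted(verdicts, key=lambda u: (order[verdicts[u]], u))


# Constructed sample: ten users clicked the same link within half a minute.
_raw = [
    # (ts, user, dst, bytes_out, bytes_in)
    (0,  "u01", PHISH, 690, 48120),
    (3,  "u02", PHISH, 720, 48120), (9,  "u02", PHISH, 2410, 310), (11, "u02", BRAND, 810, 61000),
    (5,  "u03", PHISH, 650, 48120),
    (7,  "u04", PHISH, 700, 48120), (19, "u04", PHISH, 1810, 290),   # upload, no bounce
    (8,  "u05", PHISH, 710, 48120), (16, "u05", PHISH, 2390, 305), (17, "u05", BRAND, 805, 61000),
    (12, "u06", PHISH, 680, 48120),
    (14, "u07", PHISH, 730, 48120), (15, "u07", PHISH, 1290, 9800),  # re-fetch, below threshold
    (20, "u08", PHISH, 660, 48120),
    (22, "u09", PHISH, 700, 48120), (30, "u09", PHISH, 2450, 312), (34, "u09", BRAND, 820, 61000),
    (25, "u10", PHISH, 690, 48120),
]
SAMPLE_FLOWS = [Flow(*r) for r in _raw]

if __name__ == "__main__":
    v = classify_interactions(SAMPLE_FLOWS)
    for user in triage_queue(v):
        print(f"{user}: {v[user]}")
```

On the constructed data this puts three users at the front of the queue, one in a "possible" bucket for a follow-up call, and leaves the remaining six as visit-only. The caveats matter: the size threshold and the redirect window are tunable assumptions, kits that don’t bounce to the real brand will land in the "possible" bucket, and if the browser reuses one HTTP/2 connection for both the page fetch and the form POST, a per-connection flow export will not separate them, so the heuristic needs per-request records (or a proxy log) to work as shown.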

How is NetworkSage Different?

Understanding what actually happened to the users in your organization is paramount. Otherwise you may constantly be underreacting or overreacting in significant ways. This is a major gap -- a gap that NetworkSage fills!

Because NetworkSage works with your network flows (no payload needed!), it is able to explain and visualize what actually happened in your organization -- from start to finish. When you share your network flows, you will be able to see:
  • what Attack Vectors were used to bypass your defenses
  • how your user interacted with the site
  • whether or not they did something that you should remediate

Figure 13: Attack Vector for Phishing Compromise

Figure 14: User Impacted -- Credentials Compromised

This is something that no sandbox can achieve in an automated fashion.
Further, because NetworkSage is built on top of patent-pending traffic labeling, the commonality of your activity (whether that’s an advertisement loading or a never-before-seen phishing site) is automatically correlated with the entire community. Activities that are interesting -- either because they’re indicators of attacks, malicious behavior, or things that commonly confuse analysts -- can have additional information attached to them by a growing team of expert analysts. Evolution of the threat landscape is met with evolution of community knowledge.

Figure 15: Sample in NetworkSage's Events View

All of this boils down to giving you more time to focus on prevention, investigating real incidents, and proactively hunting. Who wouldn’t want that?

Additional Resources

To dig deeper into what NetworkSage has to offer, I recommend the following resources:
Or, if you just want to get out and start exploring, you can register for a free account and start submitting samples now!