The Nitty Gritty of Sandbox Evasion presented at NoSuchCon 2014

by Rob Rachwald

Summary: With organizations facing a deluge of cyber-attacks, virtual-machine sandboxing has become a popular tool for quickly examining legions of files for suspicious activity. These sandboxes provide isolated, virtual environments that monitor the actual behavior of files as they execute. In theory, this setup enables security professionals to spot malicious code that evades traditional signature-based defenses.
But sandboxes are only as good as the analysis that surrounds them. By themselves, sandboxes can only monitor and report file activity, not analyze it. And unfortunately for organizations that rely on them, the file-based sandboxes used by many vendors are proving oblivious to the latest malware. Attackers are using a variety of techniques to slip under the radar of these sandboxes, leaving systems just as vulnerable as they were before.
Rob Rachwald has worked in security for more than 15 years. At Intel, Rob worked on securing their supply chain management system. Additionally, Rob managed product marketing at code review companies Fortify and Coverity. Before joining FireEye, Rob was at Imperva for four years as the senior director of security strategy and oversaw Imperva's thought leadership initiatives.