This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is Keirsten Brager.

What is it?

The practice of isolating malware, or software suspected of containing malware, in a contained, quarantined environment in order to observe and study its communications, infection vectors, and other behavior.

Why is it important?

Sandboxing allows security researchers to observe how malware executes, behaves, and communicates inside an isolated environment. Those observations feed the development of indicators of compromise (IOCs) and anti-malware signatures.

Why does a business professional need to know this?

Sandboxing is one of many techniques security researchers use to observe complex malware, including the malware deployed in advanced persistent threat (APT) campaigns. The technique contains the malware within a virtual environment that allows it to function only within predefined and enforced limits.

By using virtual environments to mimic vulnerable targets, a cybersecurity specialist can execute malware under controlled conditions. Malware can be unpredictable and difficult to contain in the wild, and isolating it can be the only way to determine the mechanism by which it infects, proliferates, and communicates.

Of particular importance to cybersecurity specialists are the IOCs that can be gathered from sandboxing. Attackers often reuse tooling and techniques, which leave distinct patterns: file hashes, command-and-control domains and addresses, persistence mechanisms, and the like. These patterns can be observed in the sandbox, then used to identify similarly functioning malware and, with due caution about confidence, to attribute the malware to a particular source.

Although sandboxing is a viable tool for researching malware behavior, sophisticated malware, including that used by APTs, can detect that it is running in a virtual environment or sandbox (for example, by looking for hypervisor artifacts, unusually small or freshly booted machines, or the absence of normal user activity) and either not execute or disable itself, making it difficult or impossible for a researcher to investigate. Analysts counter this by hiding such artifacts, letting samples run longer, or detonating them on dedicated physical hardware. Sandboxing therefore remains an important technique in a cybersecurity specialist's arsenal.
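To make the evasion problem concrete, here is an added example (not from the original glossary entry) of the kind of environment fingerprinting evasive malware performs before deciding whether to run. It reads Linux DMI, CPU, network, and memory facts and scores them against a list of hypervisor markers. The marker strings, MAC prefixes, and thresholds are illustrative assumptions rather than an authoritative catalogue, and the two profiles at the bottom are constructed test inputs. An analyst can run the same script inside a sandbox to see which artifacts it leaks.

```python
"""Sandbox/VM fingerprinting heuristics of the kind evasive malware runs
before detonating. Added example; indicator lists and thresholds are
illustrative assumptions, not an exhaustive or authoritative list."""
import os
import re
from dataclasses import dataclass
from typing import List, Sequence

# Vendor/product strings hypervisors commonly leave in DMI/SMBIOS (assumed list).
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
                     "parallels", "bochs", "virtual machine")

# OUI prefixes used for virtual NICs by common hypervisors (assumed list).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
                   "08:00:27",                                       # VirtualBox
                   "52:54:00",                                       # QEMU/KVM
                   "00:15:5d",                                       # Hyper-V
                   "00:16:3e")                                       # Xen


@dataclass
class HostProfile:
    sys_vendor: str
    product_name: str
    cpu_flags: Sequence[str]
    mac_addresses: Sequence[str]
    uptime_seconds: float
    cpu_count: int
    mem_total_kb: int


def vm_indicators(p: HostProfile, min_uptime=600, min_cpus=2,
                  min_mem_kb=4 * 1024 * 1024) -> List[str]:
    """Return every sandbox/VM indicator the profile trips, in a fixed order."""
    hits = []
    blob = f"{p.sys_vendor} {p.product_name}".lower()
    hits += [f"dmi:{m}" for m in VM_VENDOR_MARKERS if m in blob]
    if "hypervisor" in {f.lower() for f in p.cpu_flags}:
        hits.append("cpuid:hypervisor-flag")      # CPUID leaf 1, ECX bit 31
    hits += [f"mac:{m.lower()}" for m in p.mac_addresses
             if m.lower().startswith(VM_MAC_PREFIXES)]
    if p.uptime_seconds < min_uptime:
        hits.append("env:fresh-boot")             # sandboxes boot per sample
    if p.cpu_count < min_cpus:
        hits.append("env:few-cpus")
    if p.mem_total_kb < min_mem_kb:
        hits.append("env:low-memory")
    return hits


def looks_like_sandbox(p: HostProfile, threshold=2) -> bool:
    """Crude decision rule: two or more indicators and the sample would bail."""
    return len(vm_indicators(p)) >= threshold


def _read(path: str, default: str = "") -> str:
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default


def collect_linux_profile() -> HostProfile:
    """Gather the same facts from the live Linux host (best effort)."""
    m = re.search(r"^flags\s*:\s*(.*)$", _read("/proc/cpuinfo"), re.M)
    flags = m.group(1).split() if m else []
    macs = []
    if os.path.isdir("/sys/class/net"):
        for iface in os.listdir("/sys/class/net"):
            addr = _read(f"/sys/class/net/{iface}/address")
            if addr and addr != "00:00:00:00:00:00":
                macs.append(addr)
    uptime = float(_read("/proc/uptime", "0 0").split()[0])
    mem = re.search(r"MemTotal:\s+(\d+)", _read("/proc/meminfo"))
    return HostProfile(_read("/sys/class/dmi/id/sys_vendor"),
                       _read("/sys/class/dmi/id/product_name"),
                       flags, macs, uptime, os.cpu_count() or 1,
                       int(mem.group(1)) if mem else 0)


# Constructed profiles for offline demonstration (not real hosts).
SANDBOX_PROFILE = HostProfile("innotek GmbH", "VirtualBox", ["fpu", "vmx", "hypervisor"],
                              ["08:00:27:4b:1e:9a"], 42.0, 1, 2 * 1024 * 1024)
BARE_METAL_PROFILE = HostProfile("Dell Inc.", "Latitude 7420", ["fpu", "vmx"],
                                 ["3c:2c:30:aa:bb:cc"], 86400.0, 8, 16 * 1024 * 1024)

if __name__ == "__main__":
    live = collect_linux_profile()
    for hit in vm_indicators(live):
        print(hit)
    print("sandbox-like:", looks_like_sandbox(live))
```

Each indicator on its own is weak (a real laptop can be freshly booted, a cloud server legitimately reports a hypervisor), which is why both malware authors and sandbox operators reason about the combination rather than any single check, and why a sandbox that wants to see the full payload must hide or age these artifacts rather than just one of them.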