
Kick suspicious email attachments to the sandbox


Cybersecurity must simultaneously address two major challenges: identify, deflect, and mitigate every type of cyberattack that does (and will) exist; and provide ironclad security without slowing down operations or interrupting workflows. These priorities pull in opposite directions, and the tension between them makes cybersecurity even harder for users to understand.

Fortunately, sophisticated sandboxing helps bridge the gap and adds an essential component to any cybersecurity strategy. The concept is quite simple: If an email attachment is determined to be suspicious for any reason, it's sent to a secure virtual environment called a "sandbox." There, it can be safely tested and analysed before either being delivered or destroyed.

Email attachments containing malware, dangerous links, or other destructive code are some of the most common sources of infection for computers. That's largely because, despite training and continuous education, users still click on attachments. Whether they're trying to work efficiently or they mistrust the wrong source, it's relatively easy to prey on users and trick them into downloading malicious content.

Sandboxing prevents users from making mistakes. Better still, it accomplishes this while still making email a great way to share files. The original recipient receives an email with either a link to the sandbox containing their attachment or a benign, disarmed file with any active code stripped out. In either case, users never receive bad attachments and also never miss out on important ones.

How sandboxing builds on other layers of security

The email inbox is the most valuable — and most vulnerable — target in your IT infrastructure. It's exposed to the majority of attacks and requires a comprehensive solution to secure it. Email filters are a core component of any cybersecurity strategy because they block emails that are known to be bad from sneaking into the inbox. The problem, however, is that email filters tend to be a reactive solution that provides protection based on currently known threats.

The barrage of new-and-"improved" attacks is endless. Hackers are creating innovative types of malware on an hourly basis, and with just a few tweaks, they can easily modify an old strain to appear new and harmless to security filters. These infectious attachments can pass quietly into the inbox and trick users into believing that they are safe to open. Cybercriminals can often drill a big hole in an organisation's email security strategy with minimal effort.

Here's where the sandbox solves a big part of the problem. It is a powerful tool on its own, but sandboxing's strength and utility really come from layering it on top of additional security measures. While filters weed out emails on the basis of known details, sandboxing goes a step further by performing deep analysis of any suspicious attachments and monitoring what attachments attempt to do when they are opened and executed on a user's computer. By mimicking real-world user environments, sandboxes provide a safe place to study this activity without impacting users or networks. The information gleaned helps advance cybersecurity measures in the high-stakes cat-and-mouse game against hackers and malware.

How sandboxing leads to better security overall

It's easy to think of sandboxing as simply a security tool, but it's also an intelligence tool. It keeps threats out of the inbox, yes, but its additional value is what it can reveal about those threats. Analysts can use it to see which types of attacks are aimed at their organisations.

Sandboxing often catches the zero-day or zero-hour threats that have never been seen before, a critical function that's markedly more proactive and comprehensive than relying on email filters alone. Keeping new threats from doing damage is critical, and understanding how they could have done damage is equally important. Hackers constantly revise the technical tools and psychological schemes they use to accomplish their goals. Capturing and analysing zero-day threats is an important way to study the latest, greatest, and most effective tactics out there.

While studying these attachments can shine a spotlight on hackers' tactics, it can also reveal weaknesses in the cybersecurity strategy. Hacking is entirely about results, and cybercriminals will continue to use whatever tactics they can devise to get people clicking on attachments. Understanding a hacker's technique is valuable information for continued training, as well as for an organisation's ever-evolving cybersecurity plan.

How to make sandboxing a seamless solution

Sandboxing is not a new capability, but it's one that's improving fast. It's getting better in security as well as in accessibility and utility. All enterprises should have sandboxing capabilities at their disposal, and they should select their providers carefully. Due diligence in every step of building and updating a cybersecurity framework is paramount.

Keep in mind that basic sandboxing is helpful but not necessarily reliable. Modern malware can detect when it's been placed in a sandbox and appear benign, either by not executing its malicious code at all or by performing some innocuous task instead. Sophisticated sandboxing mimics real-world environments and defends against malware that uses "sandbox-avoidance techniques."
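The two points above (watching what an attachment does once opened, and not treating silence as proof of safety) come together in the triage step of a sandbox. The following is an added example, not Zix's product code: the event format, the rule thresholds and the three detonation traces are all constructed assumptions, chosen to show how a trace that only probes its environment and stalls is reported as inconclusive rather than clean.

```python
# Added example (not Zix's code): triage of a sandbox behaviour trace. Event
# format, rule thresholds and traces are constructed assumptions, not real output.
from typing import Dict, Iterable, List, Tuple

Event = Tuple[str, str, str]  # (kind, actor, target)

DOC_READERS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
DROP_EXT = (".exe", ".dll", ".js", ".vbs", ".ps1", ".hta")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
EVASION_QUERIES = {"numberofprocessors", "physicalmemory", "uptime", "cursorpos"}
LONG_SLEEP_MS = 5 * 60 * 1000  # stalling this long is rarely what a document needs


def triage(events: Iterable[Event]) -> Dict[str, object]:
    """Classify one detonation trace into findings, evasion hints and a verdict."""
    findings: List[str] = []
    evasion: List[str] = []
    for kind, actor, target in events:
        a, t = actor.lower(), target.lower()
        if kind == "spawn" and a in DOC_READERS and t in SCRIPT_HOSTS:
            findings.append(f"{a} spawned script host {t}")
        elif kind == "file_write" and t.endswith(DROP_EXT):
            findings.append(f"{a} dropped executable content at {t}")
        elif kind == "reg_write" and RUN_KEY in t:
            findings.append(f"{a} set persistence key {t}")
        elif kind == "net_connect":
            findings.append(f"{a} connected to {t}")
        elif kind == "sleep" and int(t) >= LONG_SLEEP_MS:
            evasion.append(f"{a} stalled for {int(t) // 60000} min")
        elif kind == "query" and t in EVASION_QUERIES:
            evasion.append(f"{a} probed environment: {t}")
    if findings:
        verdict = "malicious"
    elif evasion:
        # Doing nothing after probing the host is not a clean bill of health:
        # the sample may be waiting out the sandbox, so it needs a longer,
        # more realistic run rather than delivery.
        verdict = "inconclusive: possible sandbox evasion"
    else:
        verdict = "no malicious behaviour observed"
    return {"verdict": verdict, "findings": findings, "evasion": evasion}


# Constructed traces standing in for sandbox output (203.0.113.10 is a documentation address).
MACRO_TRACE: List[Event] = [
    ("spawn", "winword.exe", "powershell.exe"),
    ("file_write", "powershell.exe", r"C:\Users\u\AppData\Roaming\upd.exe"),
    ("reg_write", "powershell.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("net_connect", "upd.exe", "203.0.113.10:443"),
]
EVASIVE_TRACE: List[Event] = [("query", "winword.exe", "NumberOfProcessors"),
                              ("sleep", "winword.exe", "900000")]
BENIGN_TRACE: List[Event] = [("file_write", "winword.exe", r"C:\Users\u\Documents\~$report.docx")]
```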

Sandboxing should be part of the normal email flow, automatically kicking into action when required. It should also provide simple-to-understand reports to users about the supplemental testing performed, with comprehensive details for security-team members so they understand the risks. Additionally, sandboxing should offer some way to examine files that may have arrived by email but were then spread by other means. A manual upload for testing is a must-have for security teams.

Finally, there is a risk that widespread sandboxing will interrupt the flow of email if every attachment is sent through a sandbox prior to delivery. Sophisticated solutions should only sandbox potentially malicious attachments and should include options to "disarm" malicious attachments, turning them into benign versions that can be safely opened by intended recipients without delay.
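The "disarm" option described above, applied to one common attachment type, as an added example that is not Zix's product code: a macro-enabled Word document stores its VBA in a separate package part, so removing that part and the references to it yields a copy the recipient can open normally while no active code remains. The package layout shown is the standard OOXML zip structure; the sample document is constructed in memory and is not a real attachment.

```python
# Added example (not Zix's code) of the "disarm" step the article describes: a
# macro-enabled Word attachment keeps its VBA in word/vbaProject.bin; dropping that
# part and every reference to it leaves a plain document that runs no active code.
import io
import re
import zipfile

MACRO_PART = "word/vbaProject.bin"
REF_PARTS = ("[Content_Types].xml", "word/_rels/document.xml.rels")
DOCM_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def has_macros(data: bytes) -> bool:
    # True if the package carries a VBA project or still refers to one.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        refs = b"".join(zf.read(n) for n in REF_PARTS if n in names)
        return MACRO_PART in names or b"vbaProject" in refs

def disarm(data: bytes) -> bytes:
    """Copy the package, leaving out the VBA part and every reference to it."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == MACRO_PART:
                continue  # the active code itself is not copied
            body = src.read(name)
            if name == REF_PARTS[0]:
                # forget the dropped part and relabel the main part as a macro-free .docx
                body = re.sub(rb'<Override PartName="/word/vbaProject.bin"[^>]*/>', b"", body)
                body = body.replace(DOCM_MAIN, DOCX_MAIN)
            elif name == REF_PARTS[1]:
                # remove the relationship that pointed Word at the VBA project
                body = re.sub(rb'<Relationship [^>]*Target="vbaProject.bin"[^>]*/>', b"", body)
            dst.writestr(name, body)
    return out.getvalue()

def build_sample_docm() -> bytes:
    # Constructed minimal macro-enabled package used as sample input; not a real attachment.
    ct = (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Override PartName="/word/document.xml" ContentType="' + DOCM_MAIN + b'"/>'
          b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(REF_PARTS[0], ct)
        zf.writestr(REF_PARTS[1], rels)
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA blob")
    return buf.getvalue()
```

A production disarmer would also handle embedded OLE objects, DDE fields and the equivalent Excel and PowerPoint parts; this block covers only the VBA project to keep the mechanism visible.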

By now, almost everyone knows that attachments can be land mines. Yet there are endless stories about smart, security-conscious professionals who have still clicked on malicious attachments. Sandboxing takes the burden off recipients. The email inbox remains a battleground, but it becomes a lot less explosive.

Dena Bauckman, VP of Product Marketing, Zix
Image source: Shutterstock/kpatyhka

Dena Bauckman has 20 years of IT security experience. She is a senior technology strategist at Zix, an email security leader, and has held CISSP certification for 10 years.