Defense Against the Dark Arts: Dissecting Sandbox Evasion Techniques
- Ben Abbott
- Tuesday, September 22nd, 12:30pm - 1:15pm
When traditional security products fail in preventing malware from infiltrating an organization, a malware analyzer using a sandbox is often the last line of defense. For years, malware authors have found ways to stay one step ahead in the arms race with vendors in this crucial security layer. Building on years of research, the VMRay team tracked and analyzed the evasion techniques that these malware authors use.
Join Ben Abbott, Solutions Engineer at VMRay, as he takes a deeper look at the techniques malware authors use to evade automated dynamic analysis, and at the steps organizations can take to restore confidence in their defenses:
- Detecting the presence of a sandbox: Once a malicious file detects the presence of a sandbox during execution, it alters its behavior in an effort to avoid being detected.
- Exploiting weaknesses in the underlying sandbox technology: This approach typically takes advantage of the fact that most sandboxes use agents, or hooks, to monitor malware activity.
- Using contextual triggers: This approach gathers information about the malware's context, such as localization or time, and doesn't execute the malicious behavior unless the malware is running in the right context.
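To make the three technique classes in the abstract concrete, here is a small C program written for this page (it is an added example, not VMRay's or the speaker's code) that implements one representative check from each class: fingerprinting the host for sandbox traits, looking for the inline hooks a user-mode monitoring agent leaves in an API prologue, and gating the payload on locale and local time. Everything not on the page is an assumption: the scoring thresholds, the `de_` target locale and the 9-to-18 working-hours window are made up for the example; host facts are read with Linux/POSIX calls (`sysconf`, `sysinfo`, `__get_cpuid`), where a Windows sample would use `GetSystemInfo`, `GlobalMemoryStatusEx`, `GetTickCount64` and the same CPUID leaf; and the prologue byte arrays are constructed samples.

```c
/* Added example for this page: one representative check per evasion class.
 * Not VMRay's code. Thresholds, target locale and time window are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
#ifdef __linux__
#include <sys/sysinfo.h>
#endif

struct host_facts {
    int cpus;            /* online logical CPUs */
    long long ram_bytes; /* physical RAM */
    long uptime_s;       /* seconds since boot */
    int hv_bit;          /* CPUID.1:ECX[31] hypervisor-present bit, -1 = unknown */
};

/* Class 1, sandbox presence: hypervisors set ECX bit 31 of CPUID leaf 1. */
int hypervisor_bit_set(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1; /* non-x86: leaf 1 does not exist */
#endif
}

/* Collect the facts a sample typically fingerprints (Linux/POSIX APIs here). */
struct host_facts collect_host_facts(void) {
    struct host_facts f = {0, 0, 0, hypervisor_bit_set()};
    f.cpus = (int)sysconf(_SC_NPROCESSORS_ONLN);
#ifdef __linux__
    struct sysinfo si;
    if (sysinfo(&si) == 0) {
        f.ram_bytes = (long long)si.totalram * si.mem_unit;
        f.uptime_s = si.uptime;
    }
#endif
    return f;
}

/* One point per trait that looks like a freshly booted, minimal analysis VM.
 * The thresholds are assumptions for this example. */
int sandbox_score(const struct host_facts *f) {
    int score = 0;
    if (f->hv_bit == 1) score++;
    if (f->cpus > 0 && f->cpus < 2) score++;
    if (f->ram_bytes > 0 && f->ram_bytes < 2LL * 1024 * 1024 * 1024) score++;
    if (f->uptime_s > 0 && f->uptime_s < 10 * 60) score++;
    return score;
}

/* Class 2, monitoring agents: user-mode hooks overwrite the first bytes of a
 * monitored API with a jump to a trampoline. Caller passes >= 12 readable bytes. */
int looks_inline_hooked(const unsigned char *code) {
    if (code[0] == 0xE9 || code[0] == 0xEB) return 1;                 /* jmp rel32 / rel8 */
    if (code[0] == 0xFF && code[1] == 0x25) return 1;                 /* jmp [rip+disp32] */
    if (code[0] == 0x68 && code[5] == 0xC3) return 1;                 /* push imm32; ret */
    if (code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return 1;               /* mov rax, imm64; jmp rax */
    return 0;
}

/* Class 3, contextual trigger: arm the payload only in the assumed target
 * region during working hours; an analysis run outside that window sees nothing. */
int context_allows_payload(const char *locale, int hour_local) {
    return strncmp(locale, "de_", 3) == 0 && hour_local >= 9 && hour_local < 18;
}

/* Constructed sample inputs (not captured from real malware). */
const unsigned char SAMPLE_HOOKED_PROLOGUE[16]  = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x90};
const unsigned char SAMPLE_PUSHRET_PROLOGUE[16] = {0x68, 0x00, 0x10, 0x40, 0x00, 0xC3};
const unsigned char SAMPLE_CLEAN_PROLOGUE[16]   = {0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20}; /* push rbp; mov rbp,rsp; sub rsp,0x20 */
const struct host_facts SAMPLE_ANALYSIS_VM = {1, 1LL << 30, 120, 1};
const struct host_facts SAMPLE_WORKSTATION = {8, 32LL << 30, 7 * 24 * 3600, 0};

int main(void) {
    struct host_facts live = collect_host_facts();
    printf("live host: score %d/4 (hv=%d cpus=%d ram=%lld MiB uptime=%ld s)\n",
           sandbox_score(&live), live.hv_bit, live.cpus, live.ram_bytes >> 20, live.uptime_s);
    printf("hooked sample flagged=%d, clean sample flagged=%d\n",
           looks_inline_hooked(SAMPLE_HOOKED_PROLOGUE), looks_inline_hooked(SAMPLE_CLEAN_PROLOGUE));
    printf("payload armed: de_DE@10h=%d en_US@10h=%d de_DE@22h=%d\n",
           context_allows_payload("de_DE.UTF-8", 10), context_allows_payload("en_US.UTF-8", 10),
           context_allows_payload("de_DE.UTF-8", 22));
    return 0;
}
```

Read defensively, each check names something the sandbox must get right: expose a plausible CPU count, memory size and uptime; keep monitoring out of the guest's API prologues (hypervisor-level monitoring rather than injected hooks); and detonate samples under varied locales and clocks so a contextual gate does not hide the payload.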
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
Monday, September 21
Session | Speaker | Time | Type |
---|---|---|---|
Influencing a Software Vendor's Roadmap | James Nixon | Monday, September 21st, 12:30pm - 1:15pm | Special Events |
Back to the (Cyber) Future: Tomorrow's Cybersecurity Relies on Today's Asset Management | Andrew Senko | Monday, September 21st, 12:30pm - 1:15pm | Special Events |
Network Security Monitoring vs Encryption | Richard Bejtlich | Monday, September 21st, 12:30pm - 1:15pm | Special Events |
SANS@Mic PowerShell 2020: State of the Art / Hack / Infection | Jason Fossen | Monday, September 21st, 7:30pm - 9:30pm | Keynote |
Tuesday, September 22
Session | Speaker | Time | Type |
---|---|---|---|
SANS.edu Undergraduate & Graduate Programs Information Session | — | Tuesday, September 22nd, 8:00am - 8:30am | Special Events |
Solving Network and Security Challenges with SASE | Nitin Kumar, Eric Trolan | Tuesday, September 22nd, 12:30pm - 1:15pm | Special Events |
Defense Against the Dark Arts: Dissecting Sandbox Evasion Techniques | Ben Abbott | Tuesday, September 22nd, 12:30pm - 1:15pm | Special Events |
Moving Left: Driving Proactive Defense through Threat Investigation | Jackie Abrams | Tuesday, September 22nd, 12:30pm - 1:15pm | Special Events |
Wednesday, September 23
Session | Speaker | Time | Type |
---|---|---|---|
Automating Event Triage in the Cloud | Jay Spann | Wednesday, September 23rd, 12:30pm - 1:15pm | Special Events |
Confidence in Security Intelligence | John Wetzel | Wednesday, September 23rd, 12:30pm - 1:15pm | Special Events |
The Myths of Network Security | Matt Cauthorn | Wednesday, September 23rd, 12:30pm - 1:15pm | Special Events |
SANS@Mic - OSINT Geolocation Techniques and How to Prevent Them | Micah Hoffman | Wednesday, September 23rd, 7:30pm - 8:30pm | SANS@Night |
Thursday, September 24
Session | Speaker | Time | Type |
---|---|---|---|
Leveraging Asset Visibility to Enhance Security Operations | Mehul Revankar | Thursday, September 24th, 12:30pm - 1:15pm | Special Events |