Automated, on-demand scanning and threat intelligence sharing are just a few of the basic functions a sandbox should provide. In reality, threat intelligence between different solutions still has gaps and mismatches.
Security is provided by multiple layers or approaches, which means you should still aim to detect malicious threats before they reach the endpoint. There may also be a repository of suspect or confirmed malicious files. The question you should ask yourself is how you can scan all of these files if the product does not enable such functions by default.
The only right answer is the API. We all know that sandboxing is malware's worst enemy, but API-enabled sandboxing is on another level. Today's malware is not just static code: it adapts to the environment it lands in and is smart enough to evade detection. This is why implementing sandboxing is becoming common practice.
For example, you can create a function that acts as an intermediary between the resources you would like to sandbox and the sandbox itself. You can trigger that function to submit a file to the sandbox whenever a file is uploaded, effectively deploying a threat analysis queue.
There is also a need to provide sandbox capabilities to other services and security teams, extending the reach of ATP capabilities beyond the on-premise deployment.
Deep Discovery Analyzer provides you with on-premise sandboxing capabilities. Besides providing Trend Micro products (and other vendors' products) with Advanced Threat Protection (ATP), it also has API capabilities that you can leverage to go beyond on-premise. With these capabilities you can automate time-consuming activities, provide ATP to other products, or even create your own specialized functions.
Useful API capabilities
- Sample Upload (Detonate, Get Screenshot, Generate Report)
- URL detonation
- Sample IoCs (get list of created processes, added registry keys…)
- STIX IoC
- All Black Lists
There are more functions available through the sandboxing API. As you know, there is virtually no limit when using an API.
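The two ideas above, an upload hook that feeds a threat analysis queue and turning the resulting sample IoCs into STIX for sharing with other tools, fit together in one small script. The following is an added example written for this post, not Deep Discovery Analyzer's own code or its real API: the `fake_detonate` function, the marker string it looks for, and the process and registry-key values it returns are all constructed, and `submit` is the one place where a real sandbox client would be plugged in. The STIX output uses only the standard 2.1 `indicator` object and pattern syntax, built with the standard library so it runs offline.

```python
"""Upload hook + sandbox analysis queue + STIX export (added example).

The sandbox call is a constructed stand-in (`fake_detonate`); a real
deployment would replace it with the product's documented submission API.
"""
import hashlib
import json
import queue
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class Verdict:
    """What the queue keeps per sample: the verdict plus the IoCs it produced."""
    sha256: str
    malicious: bool
    processes: List[str] = field(default_factory=list)
    registry_keys: List[str] = field(default_factory=list)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AnalysisQueue:
    """Intermediary between the upload path and the sandbox.

    Files are keyed by SHA-256 so a sample that already has a verdict is
    never detonated twice, which keeps sandbox capacity for new samples.
    """

    def __init__(self, submit: Callable[[str, bytes], Verdict]):
        self._submit = submit                       # real sandbox client goes here
        self._pending: "queue.Queue[Tuple[str, bytes]]" = queue.Queue()
        self.verdicts: Dict[str, Verdict] = {}

    def on_upload(self, name: str, data: bytes) -> str:
        """Hook called when a file is uploaded; returns its hash as the ticket."""
        digest = sha256_bytes(data)
        if digest not in self.verdicts:
            self._pending.put((name, data))
        return digest

    def drain(self) -> int:
        """Submit everything queued; returns how many samples were detonated.
        A worker thread would call this in a loop in production."""
        submitted = 0
        while not self._pending.empty():
            name, data = self._pending.get()
            digest = sha256_bytes(data)
            if digest in self.verdicts:             # duplicate queued before first verdict
                continue
            self.verdicts[digest] = self._submit(name, data)
            submitted += 1
        return submitted


# Constructed stand-in for the sandbox: any file containing this marker is
# "malicious" and reports constructed IoCs. Not a real detection rule.
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def fake_detonate(name: str, data: bytes) -> Verdict:
    digest = sha256_bytes(data)
    if MARKER in data:
        return Verdict(digest, True,
                       processes=["cmd.exe", "constructed-dropper.exe"],
                       registry_keys=[r"HKLM\Software\Constructed\Run"])
    return Verdict(digest, False)


def verdict_to_stix(verdict: Verdict) -> dict:
    """Build a minimal STIX 2.1 bundle: one indicator for the file hash and one
    per registry key, so the IoCs can be shared with other tools."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

    def indicator(pattern: str, name: str) -> dict:
        return {"type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
                "name": name, "pattern": pattern, "pattern_type": "stix",
                "valid_from": now, "indicator_types": ["malicious-activity"]}

    objects = [indicator(f"[file:hashes.'SHA-256' = '{verdict.sha256}']",
                         "sandbox: malicious file")]
    for key in verdict.registry_keys:
        escaped = key.replace("\\", "\\\\")         # STIX string literals escape backslashes
        objects.append(indicator(f"[windows-registry-key:key = '{escaped}']",
                                 "sandbox: registry key"))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def demo() -> dict:
    """Simulate three uploads (two identical) and export the malicious one."""
    q = AnalysisQueue(fake_detonate)
    ticket = q.on_upload("invoice.exe", b"header " + MARKER)
    q.on_upload("invoice-copy.exe", b"header " + MARKER)   # same bytes: not resubmitted
    q.on_upload("notes.txt", b"plain benign text")
    q.drain()
    return verdict_to_stix(q.verdicts[ticket])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The dedup-by-hash step matters more than it looks: an upload endpoint under load will see the same attachment many times, and without it the queue itself becomes a way to exhaust sandbox capacity. The bundle only emits indicators for values that are cheap to match downstream (hash, registry key); process names are kept on the verdict for analysts but are too generic to publish as indicators.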