
Zscaler Blog


A New Kind of Sandbox: Findings Mapped to MITRE ATT&CK


For security teams, there always seems to be room in the budget for a sandbox. Yet how can a legacy technology continue to benefit today’s security operations centers?

Information and patterns from the sandbox can bring to light strengths and gaps in a security program. While traditional sandboxes call it a day once a malicious file or code has been blocked, a more advanced approach maps the tactics, techniques, and procedures (TTPs) behind the malware’s behavior and intent to the MITRE ATT&CK framework. The ATT&CK framework is a powerful training and informational tool that illustrates an adversary’s behaviors or possible behaviors during an attack using real-world observations. When sandbox intelligence is mapped to the framework, security operations teams can apply the insight directly to other parts of their security stack to create tactical defenses, making the sandbox more integral to security operations workflows.


Rethinking legacy sandbox appliances

The sandbox provides an isolated environment that imitates a real user’s operating system and functionality to safely detonate unknown or suspicious files and code without harming the network or other local appliances. Sandboxes are intended to be the last line of defense and the first step in detection against unknown threats, offering preventative measures for organizations. However, as a part of traditional network security defenses, legacy sandbox appliances are out-of-band and have capacity limits. They are often unable to provide cyber threat and data protection without additional appliances and SSL decryption “helper” devices, which significantly slow down connectivity speeds. With a 314% increase in encrypted threats, and malware accounting for 91% of attacks, the lack of native SSL/TLS traffic inspection at scale allows sophisticated malware to reach the user unnoticed, with protection provided only after the initial compromise.

With modern threats exploiting sandbox weaknesses or evading the sandbox completely, security operations centers (SOCs) should take a second look at their current sandbox appliances. Digital transformation is an additional driver as security and network teams look to turn off physical sandbox appliances in favor of cloud-based sandboxing. This not only reduces overhead, complexity, and cost – resources that can be reallocated to more exciting and mission-critical projects – but also provides better threat protection at scale.


A step in the right direction with Zscaler Cloud Sandbox

The inline proxy architecture of the Zscaler Cloud Sandbox employs the power of the cloud to quickly perform content inspections and deliver intelligence-driven protection at infinite scale. The cloud-gen sandbox applies real-time intel from more than 240 billion daily transactions, 250,000 daily threat protection updates, and 300 million daily signals to deliver instant verdicts for benign files and to automatically quarantine high-risk unknown threats before they reach the end user.

Aside from knowing how many hostile attempts were blocked, some security operations analysts may find it intriguing to produce a reverse-engineering report. While fun to conduct, wrangling the data to present to stakeholders can be its own hassle, not to mention the time it takes to manually map the malware’s behavior and intent to the MITRE ATT&CK framework. Rather than carrying out the manual work, SOCs can automate it with Zscaler’s sandbox reporting feature, which now has mappings to the ATT&CK framework.

Using the industry’s first AI quarantine functionality, the cloud-gen sandbox will proactively analyze and retain in memory unknown or suspicious files, purging them if they are deemed benign. If malware is detected, the sandbox automates a report that highlights its lifecycle and kill chain, mapping the behavior to the ATT&CK framework as seen in the screenshot below. This mapped visualization makes it easier to operationalize sandbox findings. Instead of aimlessly preventing all tactics and techniques, your SOC can now focus on the most common TTPs targeting your organization.


The data and patterns derived from the cloud sandbox report enable your analysts to build stronger detections and policies across your entire security stack, including your security information and event management (SIEM), endpoint detection and response (EDR), and other tools. Beyond the security stack, you can leverage the report to collaborate with other teams and ensure that configurations in multi-cloud environments and potential attack surfaces are secure. By expanding your lens into adversarial activities, you can continue to stay on high alert and prevent future attacks in the event that the malicious file or code attempts to reach your network in a different way.

It’s time to take the technology of legacy sandbox appliances out of the Stone Age and modernize it. To find out more about Zscaler Cloud Sandbox and the new MITRE ATT&CK mapping and reporting, check out the on-demand webinar “Outside the (Sand)box: Operationalizing MITRE ATT&CK to Strengthen Your Defenses” today. 

To learn more about new and exciting AI-powered innovations coming to Zscaler, register for Zenith Live.
