Stop emerging and unknown threats and malware with Zscaler Sandbox.

Experience inline patient-zero defense and protect against zero-day attacks with AI-powered quarantine and advanced threat protection.

Welcome to the Zscaler Sandbox tour!

Zscaler Sandbox protects against patient-zero infections and advanced persistent threats with the world’s first AI-driven malware detection, prevention and quarantine engine.

Built on a cloud-native, proxy-based architecture, it blocks known and unknown threats inline with unlimited content inspection and native decryption of web and file transfer (FTP) traffic, including SSL/TLS.

Let's get started.

SSL Inspection

Adversaries use encrypted traffic to deliver threats stealthily and evade detection.

Let’s make sure you inspect all SSL traffic to gain the most benefit from Zscaler Sandbox by configuring SSL Inspection policies.

Click on "SSL Inspection" to continue.

As part of the Zscaler Zero Trust Exchange™, you get complete SSL inspection at scale, without latency or capacity limitations. Your users are not impacted by this functionality, unlike with appliance-based SSL decryption devices that can throttle performance by 50 percent.

Click on "Add SSL Inspection Rule" to continue.

We will name this rule Inspect All SSL and change the rule status to Enable.

In the Action section, you will notice that some actions are selected by default in the Zscaler Internet Access (ZIA) console. You can modify the rule criteria based on your organization’s needs and risk tolerance.

Block Undecryptable Traffic

Traffic that cannot be decrypted cannot be inspected, so it poses a risk to your organization. Zscaler recommends blocking this type of traffic.

Let's also make sure we select the latest TLS version to govern our inspection rule.

Click the "Minimum Client TLS Version" dropdown to continue.

Now, click on the latest version.

Next, let’s make sure we select the latest server TLS version.

Click the "Minimum Server TLS Version" dropdown to continue.

Click on the latest version.

This rule will uncover and prevent evasive threats, including malware and ransomware, hiding in encrypted traffic. With Zscaler’s Single Scan, Multi-Action™ engine and cloud-native, proxy-based architecture, decryption and inspection happen without latency or capacity limits.

You're now ready to save this rule.

Click "Save" to continue.

Malware Protection

Before we tour Zscaler Sandbox, let’s take a look at another web security function of Zscaler Internet Access: Malware Protection.

Click on "Malware Protection" to continue.

Malware Protection protects you against threats including malware, adware, and spyware using known-pattern (signature) matching.

Zscaler Internet Access (ZIA) has these actions selected by default. You can modify the rule criteria based on your organization’s needs and risk tolerance.

Click on "Security Exceptions" to continue.

Advanced Threat Protection

Before we tour Zscaler Sandbox, let's take a look at one more web security function of Zscaler Internet Access: Advanced Threat Protection.

Click on "Advanced Threat Protection" to continue.

Advanced Threat Protection protects you against:

  • Known C2 destinations
  • Known file, browser, and other vulnerabilities
  • Known and unknown phishing destinations

This additional security layer helps ensure your users and business are protected against advanced techniques.

ZIA provides default Page Risk™ Index score thresholds:

  • Scores below 34 are considered Low Risk, allowing users to access safe web pages.
  • Scores between 35 and 79 are considered Moderate Risk, allowing users to access slightly suspicious web pages.
  • Scores above 80 are considered High Risk, allowing users to access very risky web pages.

The scores are calculated in real time. ZIA evaluates each page against the Page Risk Index thresholds you set according to your organization’s risk tolerance.

Sandbox

Now, we’re ready to turn our attention to Zscaler Sandbox.

Click the "Sandbox" tab to continue.

Zscaler Sandbox

As a critical function in the security stack, the goal of sandbox technology is to provide preventative measures against malicious files and code execution.

Zscaler Sandbox is designed to scan, intelligently quarantine, and execute files inline and in real time. With AI-based verdicts, benign files are delivered instantly, while malicious files are blocked for all Zscaler users globally as a result of the shared protection of the cloud effect.

Let’s configure a new Sandbox Rule.

Click on "Add Sandbox Rule" to continue.

Traditional and cloud-based sandboxes that take an out-of-band approach still allow files to be downloaded and executed while they are being scanned and detonated. This leaves organizations vulnerable to patient-zero infections and zero-day attacks.

We will name this rule Quarantine All Executables and change the rule status to Enable.

Click on the dropdown menu to select File Types.

Search for file extensions under the Executable category and select all of them.

Click "Done" to continue.

While EXE and DLL are the most common Portable Executable (PE) types seen carrying malware, they are not the only file types that can execute threats.

Click on the dropdown menu to select URL Categories.

Search for "Unknown", then click the parent "Miscellaneous".

Click "Done" to continue.

Let's jump to the Action section.

Click the "First-Time Action" dropdown and choose Quarantine.

We will also enable AI Quarantine for the Allow and Scan first-time action, so that likely malicious files are held back and patient-zero infections are prevented.

Now toggle "AI Quarantine" to enable the capability.

You're now ready to save the new sandbox rule.

Click "Save" to continue.

Sandbox Activity Report

Next, let's take a look at the sandbox reporting dashboard.

Click "Sandbox Activity Report" to continue.

This Analytics Activity Report dashboard summarizes your organization’s interaction with files and policies.

When Zscaler Sandbox detects and blocks an unknown malicious file, a report is generated automatically with a threat score, and an action is taken based on the customer’s policy enforcement. During post-processing, the newly discovered threat is labeled a patient-zero attack and added to the blocklist.

Let’s take a look at the reports.

Click the "Sandbox Activity Report" dropdown to continue.

Now, click "Sandbox Files Found Malicious" from the dropdown.

Here we can see there have been a number of file-based threats targeting the organization.

Let's open the first report on this list.

Click on the first MD5 link to continue.

Once Zscaler Sandbox detonates a malicious file in its controlled environment, it records the attack sequence to generate a detailed report. This can take sandboxing from the last line of defense to the first step in intelligence-driven action.

The Classification section provides a high-level summary of the threat, including the threat family and score.

We can see here that Zscaler Sandbox did not detect binaries or code execution that would lead to lateral spread or data loss. However, we can see activity intended to evade detection.

Continuing to scroll through the report, we can see additional behaviors and categorizations.

In these sections, you can see additional details: System Summary, File Properties, and where the threat likely originated.

Further down the report, you can view Network Packets activity, Dropped Files, and Screenshots of the attack sequence captured in the virtual environment.

Now, let’s see how the techniques used by this malware map to the MITRE ATT&CK framework.

Expand the MITRE ATT&CK module to continue.

The full view provides a high-level understanding of the malware behavior mapped to the entire framework.

Numbered indicators show how many sub-techniques were observed, and the colors indicate severity.

Let's click "Minimized" to focus only on the tactics and techniques that matter to us.

Let’s take a look at two of the techniques observed. The first is Masquerading.

The MITRE ATT&CK mapping lets you apply behavioral insights from real malware targeting your organization. Security analysts can use it to enrich SecOps workflows and strengthen defenses throughout the security stack.

The technique information is pulled directly from the framework. The description and indicators help analysts and report viewers understand the adversary’s actions and how Zscaler Sandbox categorized the observed behaviors under this technique.

In this case, the adversary used 4 Masquerading sub-techniques to avoid detection.

Click anywhere on the screen to collapse the window.

Now, let’s take a look at another technique, File Deletion.

File Deletion is another technique used to evade defenses. The malware developer was determined to fly under the radar to achieve their objective.

Fortunately, Zscaler Sandbox used AI-powered quarantine to analyze the threat and give your team new insights, blocking a threat that would have slipped past the weaknesses of traditional out-of-band sandboxes.
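The Masquerading and File Deletion sections above describe what the report's ATT&CK view computes for each technique: a count of sub-techniques observed and a severity color, plus a "minimized" view that keeps only techniques actually seen. The following is an added example, not Zscaler code and not sandbox output: it rolls up a constructed list of detonation behaviours (each tagged with an ATT&CK ID and an assumed analyst severity) into that per-technique summary. The ATT&CK identifiers are the framework's real IDs; the technique-to-tactic table is a constructed subset, and the helper names are this example's own.

```python
"""Roll up sandbox behaviour observations into a per-technique ATT&CK summary.

Constructed example: the behaviour list, the severities and the small
technique->tactic table are made up for illustration and are not Zscaler
Sandbox output. The ATT&CK IDs themselves are the framework's real IDs.
"""
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed subset of the ATT&CK Enterprise matrix: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1036": ("Masquerading", "Defense Evasion"),
    "T1070": ("Indicator Removal", "Defense Evasion"),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion"),
    "T1497": ("Virtualization/Sandbox Evasion", "Defense Evasion"),
    "T1082": ("System Information Discovery", "Discovery"),
}

# Constructed sample of what a detonation log might look like once each
# behaviour has been tagged with a (sub)technique and an assumed severity.
SAMPLE_BEHAVIOURS = [
    {"desc": "dropped file named like a Windows binary, outside System32", "attack_id": "T1036.005", "severity": "high"},
    {"desc": "dropped file carries an invalid code signature", "attack_id": "T1036.001", "severity": "medium"},
    {"desc": "scheduled task created with a name mimicking a system service", "attack_id": "T1036.004", "severity": "high"},
    {"desc": "system utility copied under a different name before use", "attack_id": "T1036.003", "severity": "medium"},
    {"desc": "second write to the same renamed utility copy", "attack_id": "T1036.003", "severity": "low"},
    {"desc": "original dropper deleted after execution", "attack_id": "T1070.004", "severity": "medium"},
    {"desc": "string table stored XOR-encoded", "attack_id": "T1027", "severity": "low"},
    {"desc": "CPU core count queried before unpacking", "attack_id": "T1497.001", "severity": "low"},
    {"desc": "behaviour tagged with an ID outside our subset", "attack_id": "T9999.001", "severity": "low"},
]


def parent_id(attack_id):
    """'T1036.005' -> 'T1036'; a bare technique ID is returned unchanged."""
    return attack_id.split(".", 1)[0]


def aggregate(behaviours, techniques=TECHNIQUES):
    """Return (summary, unmapped).

    summary maps each observed parent technique to its name, tactic, the set of
    distinct sub-techniques seen (the report's numbered indicator) and the
    highest severity among its behaviours (the report's colour). IDs that are
    not in the technique table are returned separately rather than dropped,
    so an analyst can see what the mapping missed.
    """
    summary = {}
    unmapped = []
    for b in behaviours:
        parent = parent_id(b["attack_id"])
        if parent not in techniques:
            unmapped.append(b["attack_id"])
            continue
        name, tactic = techniques[parent]
        entry = summary.setdefault(
            parent, {"name": name, "tactic": tactic, "subtechniques": set(), "severity": "low"}
        )
        if "." in b["attack_id"]:
            # Duplicate observations of one sub-technique count once.
            entry["subtechniques"].add(b["attack_id"])
        if SEVERITY_RANK[b["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = b["severity"]
    return summary, unmapped


def minimized_view(summary):
    """Group observed techniques by tactic, worst first: the 'minimized' view.

    Tactics with no observed technique do not appear at all.
    Each row is (technique_id, name, subtechnique_count, severity).
    """
    by_tactic = defaultdict(list)
    for tid, e in summary.items():
        by_tactic[e["tactic"]].append((tid, e["name"], len(e["subtechniques"]), e["severity"]))
    for rows in by_tactic.values():
        rows.sort(key=lambda r: (-SEVERITY_RANK[r[3]], -r[2], r[0]))
    return dict(by_tactic)


if __name__ == "__main__":
    summary, unmapped = aggregate(SAMPLE_BEHAVIOURS)
    for tactic, rows in minimized_view(summary).items():
        print(tactic)
        for tid, name, count, severity in rows:
            print(f"  {tid} {name}: {count} sub-technique(s), severity={severity}")
    if unmapped:
        print("unmapped IDs:", ", ".join(unmapped))
```

Run it and the Defense Evasion column lists Masquerading first with 4 sub-techniques at high severity, File Deletion (under T1070) with 1, and the unmapped ID is reported rather than silently lost. Counting distinct sub-technique IDs, not raw log lines, is what keeps a noisy sample from inflating the indicator.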

Thanks for touring Zscaler Sandbox!

Let's recap what you've learned:

  1. SSL Inspection
     Decrypt and inspect web and file transfer (FTP) traffic, including SSL/TLS, to uncover hidden threats.
  2. Malware Protection
     Use known-pattern matching to stop malware, adware, and spyware.
  3. Advanced Threat Protection
     Apply an additional security layer to protect against advanced threat techniques.
  4. Zscaler Sandbox
     Leverage a cloud-native, AI-driven malware prevention engine to intelligently identify, quarantine, and prevent unknown or suspicious threats inline.
  5. Reporting Dashboard
     Review summaries of file activity within your organization and automatically generate detailed reports for every threat incident.
