Application Isolation and Sandboxing

From attackics
Application Isolation and Sandboxing
Mitigation
ID: M0948
NIST SP 800-53 Rev. 4: SI-3
IEC 62443-3-3:2013: SR 5.4
IEC 62443-4-2:2019: CR 5.4

Description

Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.


Techniques Addressed by Mitigation

Name | Use

Drive-by Compromise | Built-in browser sandboxes and application isolation may be used to contain web-based malware.

Exploit Public-Facing Application | Application isolation will limit the other processes and system features an exploited target can access. Examples of built-in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.

Exploitation for Evasion | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [1]

Exploitation for Privilege Escalation | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [1]

Exploitation of Remote Services | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [1]

Scripting | Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.
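The Exploit Public-Facing Application and Scripting rows above name the controls (AppArmor, SELinux, restricted system calls and accounts) but the practical question for a defender is whether a given service process is actually running under them. The following script is an added example, not part of the ATT&CK for ICS page; it reads the kernel's own view of a Linux process (/proc/<pid>/status and /proc/<pid>/attr/current, assuming the AppArmor form of the latter) and lists which isolation controls are missing. The sample status texts are constructed for offline use.

```python
"""Audit whether a Linux service process is confined (example, not ATT&CK code)."""

# Capability bits (Linux numbering) whose presence in CapEff undermines isolation;
# an illustrative subset, not an exhaustive policy.
RISKY_CAPS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
              12: "CAP_NET_ADMIN", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}


def parse_status(text):
    """Turn /proc/<pid>/status ('Key:\\tvalue' per line) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit(status_text, attr_current):
    """Return a list of missing isolation controls (empty list == confined)."""
    f = parse_status(status_text)
    findings = []
    if f.get("Seccomp") != "2":          # 2 == seccomp filter mode active
        findings.append("no seccomp syscall filter (Seccomp != 2)")
    if f.get("NoNewPrivs") != "1":       # execve may still gain privilege
        findings.append("NoNewPrivs not set: setuid/fscaps binaries can escalate")
    cap_eff = int(f.get("CapEff", "0"), 16)
    held = [name for bit, name in RISKY_CAPS.items() if (cap_eff >> bit) & 1]
    if held:
        findings.append("effective capabilities allow escape: " + ", ".join(held))
    profile = attr_current.strip()
    if profile in ("", "unconfined") or "(enforce)" not in profile:
        findings.append("not under an enforcing AppArmor profile")
    return findings


def audit_pid(pid):
    """Audit a live process; needs read access to its /proc entries."""
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    with open(f"/proc/{pid}/attr/current") as fh:
        attr = fh.read()
    return audit(status, attr)


# Constructed samples: a root, unconfined service vs. a sandboxed one.
UNCONFINED_STATUS = "Name:\tpublicsvc\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
CONFINED_STATUS = "Name:\tpublicsvc\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\nNoNewPrivs:\t1\nSeccomp:\t2\n"

if __name__ == "__main__":
    for label, status, attr in (("unconfined", UNCONFINED_STATUS, "unconfined"),
                                ("confined", CONFINED_STATUS, "publicsvc (enforce)")):
        print(label, "->", audit(status, attr) or "OK")
```

CapEff 0x400 in the confined sample is only CAP_NET_BIND_SERVICE, which a web-facing service legitimately needs; anything in RISKY_CAPS would be flagged.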