What Is a Sandbox Environment? Exploring Their Definition and Range of Applications

What Is a Sandbox Environment? Exploring Their Definition and Range of Applications

The Purpose of a Sandbox

Sandbox is a controlled and isolated environment where security professionals analyze, observe, and execute suspicious or potentially malicious software, files, or code without harming their actual systems. Think of it as a digital quarantine zone for testing and assessing the behavior of unknown or untrusted programs.

Sandboxes are essential for looking into and finding malware, infections, and other online cyber threats, which then security teams have the freedom to examine the malware’s operations meticulously, ascertain its primary goal, and develop effective countermeasures to safeguard their environment after observing these potential threats, their interactions with the system, and their behavioral trends in a controlled virtual environment.

Below, we will explore how to utilize a sandbox in your environment, including its perks, functionality, limitations, and its role in safeguarding against cyber-attacks.

How Does a Sandbox Work?

Sandboxing is a critical cybersecurity technique that IT professionals often rely on. Untrusted code is isolated within a secure environment using techniques like virtualization or process separation, later executed and observed by monitoring its interactions with certain processes or files.

No matter how a sandbox is utilized, every environment runs on the same feature, isolation. Sandboxing involves isolating the code or application being tested or analyzed from the rest of the system. This isolation is achieved through various means, including:

Process Isolation

The code is run in a separate process with restricted access to system resources, files, and network connections.


In some cases, sandboxing uses virtualization technologies to create a virtual machine (VM) or container that emulates a complete operating system. The code runs within this virtual environment, keeping it separate from the host system.

User Permissions

Sandboxed code is often executed under a different user account or with limited permissions, excluding its access to critical and certain system resources. Sandboxes are also used in cloud hosts and some particular applications to ensure that the enclosed program cannot infiltrate or compromise the host computer, where restricted access is also common.

Browser Sandboxes

Browser sandboxes are a subset of application-level sandboxes that isolate web browser processes and tabs from each other and the underlying operating system. They prevent web-based threats, such as malicious websites and JavaScript, from compromising the user’s device by running untrusted web content in isolated environments.

How to Create a Sandbox Environment

To choose the right sandbox environment, consider your purpose (malware analysis, testing, or browsing), operating system compatibility, isolation level needed, ease of use, and performance impact.

Security features, community support, and tool compatibility are crucial. Factor in resource requirements, costs (for commercial solutions), customization options, update frequency, and user feedback. Make a decision that aligns with your specific goals, ensuring it meets your needs while balancing security and usability.

Testing and experimenting with different sandboxes can help you find the best fit for your requirements.

Again, the specific steps to create a sandbox may vary depending on your needs and the tools available, but here are some general guidelines:

Choose a Sandbox Type

Software Sandboxes

These are virtualized environments that can be set up using software tools. Popular options include VirtualBox, VMware, Docker, and Kubernetes.

Hardware Sandboxes

These are physical devices or systems dedicated to sandboxing. They can be used for more stringent isolation but are often more resource-intensive.

Select the Purpose

Determine why you need the sandbox. Is it for malware analysis, software testing, network traffic analysis, or other purposes? The intended use will influence your setup.

Install Operating Systems

If you’re creating a virtualized sandbox, you may need to install one or more guest operating systems within the virtual environment. These can be different versions of Windows, Linux, or other OSes, depending on your use case.

Isolate the Sandbox

Implement strict isolation between the sandboxed environment and the host system. Ensure that the sandboxed code or applications cannot access critical system resources or sensitive data on the host.

Examples of Using a Sandbox Environment

Antivirus sandbox

Antivirus sandbox is used to assess suspicious files for possible threats. The antivirus program separates a file from the main system when a user downloads it and sets it in the sandbox.

In this controlled environment, the file is run while the antivirus software monitors it and searches for malicious behavior, including changing system files or establishing unwanted network connections.

Additionally, the sandbox checks the file’s signature against a database of known threats, where, based on these tests, the antivirus determines the file’s safety or malicious intent, protecting the user’s machine against infection.

Virtual machine (VM)

Setting up a Virtual machine (VM) as a sandbox turns a host computer into an isolated, virtual environment.

By emulating hardware components such as the CPU and storage, it establishes a safe environment for the execution of malicious files or untrusted applications and data. A VM sandbox may, for instance, open phishing mail attachments. The sandboxed program runs independently of the host system within the virtual machine.

This enables secure observation and analysis of its actions. The host cannot be affected, even if the attachment turns out to be malicious.

VM backup in a sandbox provides a safety net for recovery and rollback, and if a file in your sandbox becomes corrupted or causes harm to your system, you can quickly restore it to a previous state using the backup.

This cuts down on downtime and guarantees that testing and development may continue without being significantly interrupted.

Link verification

Link verification, QR code scams can point to URLs, and a sandbox can be used to verify the integrity of the destination website. It can assess whether the linked website contains known phishing or scam indicators, helping users avoid interacting with malicious sites.

Benefits of Using a Sandbox Environment

Sandboxing has several advantages, including:

Threat identification and analysis

Sandboxing enables security teams to examine the behavior of unknown or suspect files in order to discover and reduce possible security threats.

Zero-day protection

Sandbox environments can assist in detecting and preventing zero-day attacks, which are exploits that aim to take advantage of software vulnerabilities that have not yet been found or fixed.

Network traffic analysis

Sandboxing can also be applied to network traffic analysis, allowing organizations to inspect incoming and outgoing network traffic for suspicious or malicious behavior. This helps in identifying and mitigating threats at the network level.

Malware analysis

Sandboxing gives security researchers a secure, isolated environment to execute and examine malware samples, characterize their traits, and observe their behavior.

User and data protection

By preventing malicious code from executing on user devices or servers, sandboxing helps protect sensitive data and user privacy, for example, by receiving email files for analysis before the recipient can open it

Organizations must take into account the following sandboxing obstacles:

False positives: Sandboxing may produce false positives when harmless files or programs are mistakenly classified as harmful.

Resource requirements: The amount of processing power, memory, and storage needed for sandbox environments is large, which can have an effect on performance and scalability.

To properly protect your cyber environment and minimize the risk it is important to educate your employees with Security Awareness Service, and Advanced Threat Protection to secure your critical data.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


In today’s digital world, every click, every share and every bite of data we transmit tells a good story about us. People trust this world, often more than they should, secrets, memories, finances – their very lives – into it.

And yet many are oblivious to the fragility of this trust, where the lines between right or wrong often blur. Mitigating those risks by employing a safe, controlled sandbox environment to detect, prevent and analyze the online threats is only a fraction of the security controls that organizations need to employ.


What is a sandbox environment in development?

A sandbox environment in development is a controlled and isolated space where software developers can test, experiment, and deploy applications without affecting the production environment. By isolating development and testing from production systems, resources are used more efficiently, and downtime is minimized.

What is the difference between a sandbox and a test environment?

A sandbox is an isolated space for experimentation and small-scale testing, often with simplified data, while a test environment replicates the production setup closely for comprehensive testing. Sandboxes are for development, learning and helping with safe analyzing potential threats, whereas test environments ensure software reliability and accuracy before deployment in production.

What is the difference between a virtual environment and a sandbox?

Sandbox and virtual environment share similar characteristics to make them easily confused.

Technically virtual environment can act like a safe isolated space for the execution of bad code, whereas a sandbox environment is a controlled area for testing, experimentation, and security isolation. While both provide isolation, they serve different purposes, with virtual environments focusing on dependency management and sandboxes on broader software testing and security.

Hornetsecurity’s Cyber Security Report 2024 is here!

Hornetsecurity’s Cyber Security Report 2024 is here!

Every year we at the Security Lab here at Hornetsecurity sift through billions of emails from every year and analyze the data to provide actionable insights to cyber defenders everywhere.

This article serves as your appetizer for the main course, the free report which you can download here.

In this year’s report we processed over 45 billion emails and just over a third of those, 36.4%, were categorized as unwanted. Out of that slice, 96.4% were spam or rejected outright due to external indicators, with 3.6% identified as malicious emails.

Out of all the malicious emails we identified, the majority were phishing emails (43.3% which is a 4% increase from last year) while the second most prevalent type was malicious links at 30.5% (an increase of 18%!). In the report itself we analyze these findings in more detail and tease out how you can use these data to defend your organization.

We also look at attachment types and analyze why certain types are gaining in “popularity” with the criminals and why others are losing their appeal, such as Microsoft Office documents. We also looked at which industry verticals were most targeted (Research, Manufacturing and Entertainment), another point you can use to raise awareness with your organization’s leadership if you need to.

The report looks at backup in Microsoft 365, the need for it and Microsoft’s changing stance on the topic as well as how to manage permissions effectively in a tenant, something that’s very hard using only the built-in tools. The rise of QR code phishing is noteworthy, as is the prevalence of brand impersonation in malicious emails.

As Multi Factor Authentication (MFA) adoption is increasing, criminals are adapting using Attacker-in-the-Middle kits such as W3LL to trick users and stealing identity tokens, even when MFA is used. The risks of vendor overdependence are analyzed in the report, and we also look at several high-profile security events in the Microsoft 365 sphere, including the highly sophisticated Storm-0558 attack on Entra ID.

An interesting part of last year’s report was our predictions for emerging risks and trends we’d see over the last 12 months, in this year’s report we look at how we did with those. We also outline our predictions for the coming year, which include the use of AI for both attack and defense, MFA bypass technique proliferation, supply chain attacks and the risks of network slicing in 5G networks. There are many others, and we go in depth in the report.

The report rounds out with a look at how you can protect your organization, how to build a cyber resilient culture, getting the basics of cyber hygiene right, and how to adopt a zero-trust mindset across the whole business.

Hopefully this has enticed you to grab the full Cyber Security Report, get all the details and most importantly, improve your own and your organization’s security posture. We at Hornetsecurity are here to help you.

What Are Insider Threats? Definition, Types, and Mitigation Tactics

What Are Insider Threats? Definition, Types, and Mitigation Tactics

What Is an Insider Threat?

An insider threat is like a wolf in sheep’s clothing. Outwardly, they appear just like any other trusted member of your enterprise, but inside, they have the potential and agenda to destroy whole infrastructures or manipulate data for their satisfaction or monetary end goal.

They can be a current or former employee, a disgruntled system administrator, an outside contractor, cyber intrusion, or an infiltrator from a business competitor. Their objectives can range from fraud and intellectual property theft to plain and simple revenge.

Types of Insider Threats

When you first think of insider threats, the first thing that comes to mind is a person with a privileged access system, a system/database administrator, or individuals with capabilities within applications, but that’s not always the case.

Today, anyone can become an insider threat, willingly or unwillingly, by providing valuable information to an external source delivered with a successful phishing attempt.

However, the motives fluctuate, and there are various reasons why one might become an insider threat:

Malicious insider

This individual has joined the company for the sole purpose of retrieving information from the organization, and their motives could be financial or based on a patriotic government espionage approach.

What they do with the stolen data is a debatable subject, as they could sell it to a third party or a competitor, and it mostly boils down to money. They can act alone or in a group with a larger picture, depending on their end-game.

Lack of recognition

Workers who do not have a strong sense of identification or loyalty to the company may be more inclined to take part in insider threats. A sense of disengagement may bring this on, a short-term job outlook, or a lack of engagement.


Employees may turn spiteful and commit acts of sabotage if they believe their diligence and commitment are not appreciated and/or go unnoticed. For vengeance or attention, they might purposefully interfere with operations by installing malware, harming systems, and erasing essential data, or their motive could only be driven by chaos.

Insider Espionage

Sometimes, the most vulnerable employees are the ones who feel undervalued or mistreated. When outside actors sense that an insider feels neglected, they may contact them. These outside parties might recruit these people by disclosing private company secrets to conduct insider espionage.

Ideological or Political Motivation

Insiders may have ideological solid or political beliefs that lead them to engage in insider threats. They might seek to dismantle the organization’s functioning for ideological reasons or expose any wrongdoings inside it.


Employees may utilize their access to an organization’s systems to further their political or ideological agendas. They might, for instance, partake in hacktivism, which is breaking into systems to forward a political viewpoint or message.


People occasionally have a strong moral opinion that an organization is engaging in unethical or illegal activity that doesn’t match their beliefs. They might commit insider threats by revealing private information in an effort to expose misconduct by ruining the company’s reputation or punishing them financially.

Personal problems

An organization’s internal insider risks may be influenced by personal issues. Insider threats may arise due to employees’ or individual’s substantial personal concerns or challenges that affect their behavior and provide them access to an organization’s systems and data. Personal issues can lead to insider threats in a number of ways, including:

Financial Stress

As they say, money is the root of all evil. Individuals with financial difficulty may be more susceptible to corruption and accepting bribes from outside parties that want access to confidential data. They might jeopardize security to benefit financially from it.

Personal legal troubles

People who encounter legal issues, such as criminal charges or lawsuits, may be more susceptible to external threats who could abuse their personal issues as leverage to pressure them to perform malicious activities.

Insider Threat Behavior Patterns

The term “insider threat behavior patterns” describes the visible behaviors and acts that people within an organization display that may point to the possibility of an insider threat. Understanding these trends is essential for early insider threat identification and mitigation. The following are typical insider threat behavior patterns:

  1. Access abuse: Insiders may frequently access private systems, documents, or locations outside the bounds of their official duties. Unauthorized access to financial information, private papers, or intellectual property is a few examples that indicate an employee might have an agenda that differs from their role.
  2. Data Hoarding/Exfiltration: Insiders may be planning to misuse or exfiltrate this information if they gather or download an excessive amount of data, especially if it has nothing to do with their job responsibilities.
  3. Unauthorized Software Installation: Installing malicious or unauthorized software on work-issued devices is cause for concern because it can be leveraged to cover up insider activity or exploit security holes.
  4. Social Engineering: One of the main signs of insider threats is manipulative behavior intended to deceive coworkers into disclosing private information, getting over security measures, or helping with insider attacks.
  5. Unauthorized Physical Access: Employees who have physical access to a company’s facilities run the risk of abusing it to steal devices and private documents or compromise physical security.

How to Detect Malicious Insider Threats

Do you know your people? Detecting an insider threat can be a difficult task, but not impossible, as every employee has a certain amount of power and a baseline behavior within the company. Before you can look for anomalies, you must create a baseline of “normal” behavior in both people and systems.

Typical login times, data access patterns, communication styles, and job-related tasks should all be part of this baseline.

Exfiltration of data can be averted by enforcing Data Loss Prevention (DLP) solutions by continuously monitoring data movement and transfers across the network. Any employee retrieving or exfiltrating sensitive data could be a potential malicious behavior that should not go unnoticed by the DLP solution, which can be an early detection of an insider threat.

No matter how secure you think your company is by implementing different kinds of solutions, Security Awareness Training should be the first priority of the company, as humans are the weakest link in the organization.

Training and raising the awareness of your employees while encouraging them to report any suspicious activity is the single greatest shield against a malicious insider threat.

How to Protect Against Insider Attacks

In order to protect against cyber attacks, the most important thing for corporate security is to mitigate insider risks. Start by enforcing rigorous access controls in place and limiting unnecessary access, following the principle of least privilege.

  • Establish clear security guidelines and provide staff training to encourage a vigilant culture.
  • Urge the creation of solid and one-of-a-kind passwords that require frequent changes.
  • Keep an eye out for anomalies in user behavior, particularly regarding system logins and data access.
  • To encourage employees to raise suspicions, create a confidential reporting method.
  • When employing new employees, make sure they have undergone extensive background checks. You should also implement security safeguards for outside vendors accessing your systems. These steps can aid in defending your company from insider threats.

Your IT security staff needs to understand the importance of confidentiality and integrity in the data they process and possess. Knowing what to protect is the most critical thing when it comes to security, whether digital or physical property.

Advanced Threat Protection is essential for preventing insider threats. Offering cutting-edge tools and technologies to identify anomalous activity, illegal access, and data exfiltration. It improves overall security by reducing the risks associated with both deliberate and unintentional insider threats.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.


In conclusion, in the present-day technological setting, shielding an organization from insider threats is vitally important. The significance of taking proactive efforts to identify, stop, and lessen internal security threats has been emphasized in this article.

Through a focus on staff awareness, rigorous access controls, ongoing monitoring, and a solid security culture, companies can effectively mitigate the risk of insider threats.

It is critical to keep in mind that insider threats can come from a variety of sources, such as coercion, negligence, or malicious motivation.


What is considered an insider threat?

An insider threat is a security risk that arises from people working for an organization who may, whether on purpose or accidentally, jeopardize its data, operations, or security.

What is the most common form of insider threat?

The most common form of insider threat up to date is negligent employees who unintentionally jeopardize security by falling for phishing scams or misusing sensitive data. When employees click on a dangerous link in an email that appears to be from a reliable source, they may not be aware that it could result in a malware infection or data breach.

Is insider threat a vulnerability?

Insider threat is not a vulnerability by itself but is a security risk. Employees can use a potential vulnerability like their badge and privileged access to the server room to exploit it and compromise security.

While a vulnerability represents a weakness in the organization’s defenses, an insider threat involves individuals, whether employees or contractors, who can leverage these vulnerabilities for unauthorized access, data theft, or other malicious activities.

In summary, insider threats can capitalize on vulnerabilities, making them a critical consideration for comprehensive cybersecurity.

How are insider threats detected?

Active surveillance of user behavior, network activity, and data access is how insider threats are found. Sophisticated security tools, like anomaly detection and user behavior analytics, assist in spotting departures from known patterns and generate alarms for additional research and mitigation. Access controls and routine audits are also essential for detection.

Bypassing Authentication A Comprehensive Guide to Pass-the-Hash Attacks

Bypassing Authentication A Comprehensive Guide to Pass-the-Hash Attacks

No, this guide does not relate to any sort of attack on potato hash or anything to do with the passing of other versions of hash. This is a brief peek behind the curtain on how a hacker might exploit your account to gain privileged access to your environment with a pass-the-hash attack.

Unlike in the movies, a hacker usually doesn’t type away on the keyboard for a few seconds to crack a password. Instead, they typically don’t even need to know or decrypt your password to exploit your account. It’s all about how the attacker can move laterally through an environment, for example:

  • Mary is a receptionist for Vandelay Industries, an import company. She uses the same password for her personal and work accounts. Unfortunately for Mary, she was the victim of a phishing campaign and unwittingly gave her password out to an external attacker.
  • The attacker could then log into her personal email and locate some key information about Mary; in particular, they discovered she had sent some recipes to her work email to print out.
  • The attacker can now create a method to get Mary to install some malware onto her work computer. The next time the attacker saw her sending recipes to her work, they added another email with a Word attachment and a payload. Mary opens this and infects the computer with remote access tools.
  • Next, the attacker gets to work discovering what they have access to in the environment and what they can move to laterally. They decided to create a simple issue on Mary’s work on a computer that locks up her print spooler. This is now preventing her from printing, so she calls the help desk for assistance. The help desk engineer happily connects to her computer with their elevated account and proceeds to repair the spooler services. The attacker continues to cause these small issues until Mary is provided with temporary local administration access so she can keep working and not always call the help desk.
  • With these new privileges, the attacker can now execute their password hash extraction tool to gather all the hashes from the system. Fortunately for the attacker, the help desk engineer has logged onto this system with their support account. With the NTLM hash of this account, the attacker is then able to connect directly to one of the administrator’s jump boxes.
  • On the administrator jump box, the attacker repeats the process and gathers another account with Domain Admin privileges. They then proceed to exploit a Domain Controller and inject backup administrator accounts and services into the environment.

Although this scenario does have some points of mitigation, it isn’t an unlikely event for this type of lateral movement and social engineering to occur in the workplace.

Disclaimer: The technical steps outlined in this article are to be used for educational purposes only. We do not condone the use of these pass-the-hash attack examples for illegal or nefarious actions.

What is Pass-The-Hash (PtH)

Pass the Hash (PtH) is the method of capturing “hashed” user credentials and exploiting authentication protocols to gain lateral access to other systems. The term Pass the Hash is taken from the fact that the hashed password doesn’t need to be decrypted into plain text for authentication systems to accept the user session.

Instead, this password hash can be reused to generate new sessions as the user, as the hash will remain static until the password is rotated.

How Does a Pass-The-Hash Attack Work?

The entry point for an attacker can vary, sometimes from malware or baiting attacks, but more commonly, it is gained via some version of social engineering. In most scenarios, the target has been the victim of phishing or spear phishing attack, so the attacker can gain credentials or access to the system.

Once on the system, the attacker will scrape the system for hashes of every account logged into that machine. These hashes can be stored within the LSASS process memory, Windows Memory dumps, Page Files, Credential Manager, and SAM registry hives.

To extract these hashed passwords, an attacker can use tools such as Mimikatz to pass the extracted hashed password back to the authenticator and successfully authenticate.

Pass-the-Hash Attack Examples

The best way to understand proactive methods and mitigation strategies for pass-the-hash attacks is to show an example of how these tools can be utilized. For education purposes, we have outlined the steps in a pass-the-hash tutorial for the more common method of hash extraction from the LSASS.

Extract the Hash

The first step we must consider is extracting an NTLM hash. This can then be passed back to authentication systems to allow us access to privileged systems. The tool we will use for these examples is Mimikatz.exe, and we will run the following commands to elevate and extract the hashes and simulate the pass-the-hash attack.

  1. Run Mimikatz.exe as an administrator and grant the current account permissions to debug processes.
  2. We then want to list all the active user sessions and their hashes
    sekurlsa::logonPasswords full
Extract the Hash

As we can see, a user called “notadadmin” has an RDP session on this computer. We can capture their NTLM hash and save this for the next step.

NOTE: If a user has saved a password into Credential Manager, this can also be extracted when reviewing the outputs.

Extract the Hash

Exploit the Hash

Next, we can use our newly gathered hash to exploit some services within the domain and execute the pass-the-hash attack. We know that this user is called “notadadmin” so it’s possible they might be a domain administrator. Let’s try to create a new CMD.exe session with our new account.

  1. While still in our Mimikatz session, run the following command to create a CMD session as the user
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash>
Exploit the Hash
  1. This will now open a new CMD window for this user. Let’s now invoke a remote session onto the domain controller within this environment. We can utilize the PsExec.exe tool to initiate a remote CMD session on the IP of the Domain Controller. To validate our access, let’s list the NTDS directory.
Exploit the Hash
  1. We can also confirm that we are using the correct account with the “whoami” command. We can take it one step further, and RDP onto the Domain Controller for more freedom. We can add a new registry item to the Domain Controller to allow RDP-restricted admin with the following command in PowerShell.
    New-ItemProperty -Path “HKLM:\System\CurrentControlSet\Control\Lsa” -Name
    “DisableRestrictedAdmin” -Value “0” -PropertyType DWORD
Exploit the Hash
  1. After successfully allowing RDP-restricted access, we can run the following command back in Mimikatz to initiate an RDP session with the NTLM hash.
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash>
    /run:”mstsc,exe /restrictedadmin”
Exploit the Hash
  1. The RDP window will appear as usual with a user account already filled in. We can ignore what this says as we have passed our desired account NTLM hash in the background. Click connect, and it will initiate the RDP session. We can list our accounts to validate who we are and the groups we are a member of.
Exploit the Hash

How to Prevent & Mitigate Pass-the-Hash Attacks

Although we have shown how simple it can be to perform a pass-the-hash attack, it can be a little trickier in reality. In most scenarios, AV and EDR will block Mimikatz from downloading, along with restricting the execution of the process.

However, pass-the-hash detection can be difficult as the foundation of the attack is to use existing authentication mechanisms. The best way to reduce and mitigate a pass-the-hash attack is to leverage the following recommendations:

Enable Windows Defender Credential Guard

Windows 10 and above contain the Windows Defender Credential Guard tool natively. When this is enabled, the Local Security Authority Subsystem Service (LSASS) is run in a virtualized sandbox environment. This solution now isolates itself from the wider operating system and only allows a small subset of binaries with valid Microsoft signatures access to the service.

Restrict Privileged Access accounts

Administration accounts or privileged accounts should never be used on a regular workstation. This also applies to local administration accounts or users with local admin privileges.

The best method to reduce the attack surface if an account gets compromised is to use a service such as Windows Local Administrator Password Solution (LAPS) to manage, rotate, and back up local administrator passwords.

This solution has been specifically designed to reduce the dangers of pass-the-hash attacks and exploitation of local administrator accounts.

In many networks, every client PC has the same local administrator account and password (because they were deployed from the same image), which makes lateral movement very easy. LAPS ensures each client PC has a unique local administrator password.

Zero Trust Network Architecture

This key architecture decision should be made in all modern enterprise environments. The methodology is to ‘trust nothing and no one’. Correct network segmentation and security will ensure that end-user computer environments don’t have direct access to sensitive infrastructure and that only the bare minimum is required for client authentication.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.


In conclusion, understanding the intricacies of Pass-the-Hash attacks is crucial for bolstering cybersecurity measures. This comprehensive guide sheds light on the methods, risks, and preventive strategies associated with such attacks.

By staying informed and implementing security best practices, individuals and organizations can fortify their defenses against potential breaches, safeguarding sensitive data and maintaining the integrity of their systems.


What are the tools for a pass-the-hash attack?

The most used tool for a pass-the-hash attack is called Mimikatz. Other tools of note are Metasploit and Invoke-TheHash.

How do you mitigate a pass-the-hash attack?

With a holistic approach to privileged access management, Zero Trust Network Architecture, and OS hardening, specifically Windows Defender Credential Guard.

What is the risk of pass-the-hash?

The risk of a pass-the-hash attack is hard to quantify as the methods themselves are hard to detect. The best approach to take with any security mitigation is to apply the methodology that you have already been attacked and take appropriate actions to protect your environment.

What is a pass-the-hash attack, how is it executed, and which type of hash is used in this attack?

A pass-the-hash attack is the action of extracting password hash tokens from a system and using these to reauthenticate services. In most scenarios, NTLM is primarily targeted as this is widely used within most organizations to access information.

How do hackers get hashes?

Hackers can exploit the Local Security Authority Subsystem Service (LSASS), dumping memory to a file, extracting from the page file, Security Account Management (SAM) registry hive, or even the Credential Manager saved passwords. Some of the main tools attackers use to execute a pass-the-hash attack are Mimikatz, Invoke-TheHash, and Metasploit.

Boosting Safety Through Cyber Threat Intelligence to Secure Your Digital Space

Boosting Safety Through Cyber Threat Intelligence to Secure Your Digital Space

In an age where the digital landscape is continually evolving, businesses and individuals alike face increasing threats from a myriad of cyber adversaries. To navigate these challenges, there has been a growing emphasis on the value of threat intelligence in the cybersecurity domain.

But what exactly is threat intelligence, and why has it become a cornerstone of contemporary cyber defense strategies? In this article we’ll look at threat intelligence (TI), the different flavors of threat intelligence, how it can be operationalized in a business, and the different stakeholders that can benefit from it.

Understanding Cyber Threat Intelligence

At its core, cyber threat intelligence (CTI) is a comprehensive understanding of potential threats that could target an organization or individual. This knowledge isn’t merely about being aware of possible cyber threats, but it encapsulates the wider context in which these threats operate. It dives into the motivations, Tactics, Techniques, and Procedures (TTPs) used by threat actors.

CTI is derived from an analysis of both raw and processed data. The data’s source can range from open sources (like news articles or blogs) to dark web forums and technical data from internal and external threat feeds. The ultimate aim is to convert this vast amount of data into actionable intelligence that can guide both strategic and tactical decisions.

Obviously, the concept and application of threat intelligence will differ greatly between smaller and larger organizations.

For very small SMBs, threat intelligence may simply be having awareness that there are threat actors that pose a cyber threat to them and maybe (if they can afford it), outsourcing their cyber security team to a provider, such as a Managed Security Service Provider (MSSP), or a Managed Service Provider (MSP). This organization will then enlist threat intelligence as described in this article to keep their clients safe.

Larger organizations with their own security team and cybersecurity professionals will have a different approach to threat intelligence.

Some teams will merely consume cyber threat intelligence prepared by external vendors in a threat intelligence platform, in even larger organizations there might be a whole team of security analysts investigating the cyber threat landscape, emerging threats, and preparing actionable cyber threat intelligence for the larger security operations teams.

The Rise and Importance of Threat Intelligence

One might wonder why threat intelligence is suddenly in the limelight. The importance of threat intelligence lies in its proactive nature. Instead of waiting for an attack to happen, organizations can use threat intelligence to anticipate potential threats and fortify their defenses accordingly.

It’s akin to having a forward scout in a battle, providing information about enemy movement, enabling an organization to anticipate and strategize instead of merely reacting.

By understanding the motivations and Tactics, Techniques and Procedures (TTPs) of adversaries, businesses can build more robust security measures that specifically target these potential weak points. This contextual information makes all the difference; it’s the transformation of a generic defense strategy into one tailored to the specific threats an organization might face.

The Threat Intelligence Lifecycle

Where the organization is large enough to have cybersecurity professionals focused on gathering threat intelligence data and produce finished threat intelligence, the process generally goes through the following phases:

  1. First the requirements are gathered from various stakeholders involved in the business.
  2. Raw threat data is collected from internal logging systems such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR) and even Attack Surface Management tools. This is augmented by external threat data feeds and other publicly available data sources, information sharing communities and X (Twitter).
  3. The collected data is processed to narrow down the relevant information.
  4. In the analysis phase the filtered data is aligned with the requirements from phase one to produce actionable threat intelligence.
  5. This is then disseminated to the stakeholders in the business, such as security personnel, and senior leadership, and also perhaps shared in a threat intelligence platform.
  6. Once this threat intelligence lifecycle is complete, feedback is gathered so that the process flows smoother next time around.
External Attack Surface Management Attack Surface Summary

The Beneficiaries of Threat Intelligence

The benefits of threat intelligence aren’t exclusive to large corporations with vast cybersecurity infrastructures. Multiple entities, ranging from individual users to governments and multinational corporations, can reap its rewards.

For instance, IT teams can leverage threat intelligence to prioritize patch management by understanding which vulnerabilities are being actively exploited in the wild. On the other hand, executive leadership can use threat intelligence insights to steer the broader organizational cybersecurity strategy.

Furthermore, even smaller businesses, which often believe they are not prime targets for cyber-attacks, can benefit immensely from threat intelligence. With the understanding that many cyber adversaries use automated attacks, small to mid-sized businesses realize they too can be collateral damage or a steppingstone in a larger attack chain.

Delving Deeper: Types of Threat Intelligence

While threat intelligence as a concept might seem straightforward, it can be further broken down into several types:

Tactical threat intelligence

This pertains to information regarding specific tactics, techniques, and procedures used by cyber adversaries and generally focuses on the immediate future. It can be in the form of indicators of compromise (IoCs), which include IP addresses, URLs or specific malware hashes.

Strategic threat intelligence

This type gives a holistic view of threats, focusing on long-term trends and emerging risks. It’s essential for high-level executives and decision-makers who need to understand the bigger picture.

Operational threat intelligence

More hands-on, this type provides insights about specific operations, campaigns, or attack patterns, allowing defenders to discern potential motives and targets. It answers questions such as who / why and how regarding the threat groups.

Technical threat intelligence

Sometimes a fourth type is included, Technical Threat Intelligence. This is more focused on the mechanics of the early phase of an attack, often involving spear phishing, baiting and social engineering.

Operational Threat Intelligence example

The Importance of Threat Intelligence

As cyber threats evolve, the reactive approach of patching vulnerabilities and recovering from breaches is proving insufficient. Threat intelligence offers a proactive stance. It’s about understanding the threat landscape, anticipating potential risks, and taking appropriate preventive measures.

One very important point to realize is that threat intelligence on its own is of limited value. To achieve the best value out of any of the three or four types of CTI it must provide actionable advice. Ideal characteristics are organization specific, detailed, and contextual to the business and being actionable.

Threat Intelligence Benefits

Anticipatory defense

By understanding the tactics and techniques of adversaries, organizations can anticipate and prevent potential threats rather than reacting post-breach.

Enhanced decision making

Knowledge is power. With accurate and timely threat intelligence, decision-makers are empowered to make informed choices regarding resource allocation, strategic planning, and risk management.

Strengthened security posture

Informed by threat intelligence, security teams can fine-tune their defense mechanisms, adopt suitable technologies, and devise appropriate security strategies.
Example Strategic Threat Intelligence

Sources and Collection of Threat Intelligence

Effective threat intelligence is as much about quality as it is about quantity. The sources of both tactical intelligence and strategic intelligence are varied:

Open-source intelligence (OSINT)

Information derived from publicly available sources. This could be information shared on security forums, news articles, or other public domains. A good place to start are vendor reports such as Hornetsecurity’s Cyber Security Report and surveys, such as this one for Ransomware.

Commercial threat intelligence

Offered by specialized providers, this kind of intelligence typically comes at a cost but offers in-depth insights, often tailored to specific industries or threat landscapes.

Internal threat intelligence

Derived from an organization’s internal security logs, traffic data, and previous incidents. This type of intelligence is unique to the organization and provides insights into specific vulnerabilities and past breaches.

Government and industry-specific sources

Governments and industry bodies often share threat intelligence pertinent to their specific sectors, ensuring organizations within their domain remain secure. Depending on the size of your organization, having a good relationship with the Information Sharing and Analysis Centre (ISAC) for your industry vertical or country is important.

The Application of Threat Intelligence

As mentioned, while having threat intelligence is one half of the puzzle, its effective application is the other half. Here’s how threat intelligence is used:

Security operations

Enhancing the efficiency of security operations centers (SOCs) by providing them with the latest information on threats.

Risk management

Assisting in the identification, assessment, and prioritization of risks.

Incident response

Informing teams about the latest threats, ensuring faster and more effective response strategies.

Awareness and training

Educating stakeholders and staff about the latest threats, ensuring everyone is informed and vigilant. Don’t forget your end users, they need regular security awareness training to ensure they catch attacks that slip through your technical controls.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


The realm of cybersecurity is no longer just about having the most substantial walls or the most robust firewalls. It’s about understanding the enemy – their motivations, their methods, and their tools. That’s where threat intelligence shines.

With an effective threat intelligence strategy, organizations are not only more informed but are also better equipped to thwart potential cyber threats.

Given the relentless evolution of the cyber threat landscape, the importance of threat intelligence cannot be overstated. It serves as a beacon, guiding entities through the intricate maze of cyber risks, ensuring that they remain one step ahead of potential adversaries.

In an increasingly digital world, staying informed and proactive with the help of threat intelligence will be the hallmark of a robust cybersecurity strategy.


What is cyber threat intelligence?

Cyber threat intelligence is the collected and analyzed information about potential cyber threats, including the methods, motivations, and tactics used by cyber adversaries. It offers actionable insights to organizations, allowing them to anticipate and mitigate potential cyber risks.

Why is threat intelligence important?

Threat intelligence is crucial because it enables organizations to adopt a proactive stance against potential cyber threats, rather than merely being reactive. By understanding the landscape of possible threats, organizations can tailor their cybersecurity strategies and defenses more effectively.

Who benefits from threat intelligence?

Everyone, from individual users to large corporations and governments, benefits from threat intelligence. It helps in identifying, understanding, and mitigating potential threats, thus safeguarding assets, data, and overall digital infrastructure.

Advanced Threat Protection for Evolving Email Threats

Advanced Threat Protection for Evolving Email Threats

Email Security – The State of Play

On Monday morning, James in marketing at YOLO Pty Ltd sees an enticing email on his phone from a vendor that he does a lot of business with. It talks about the upcoming soccer finals being held in his city and offers two tickets for free as a thank you for being a great customer, along with a QR code link to a website to get the tickets.

James – a football fanatic – immediately scans the QR code, enters his work details and agrees to the application permissions screen that pops up.

Within a few minutes, attackers have used the OAuth permissions granted to them to gain full access to James’s Exchange Online inbox, a few hours later they’ve moved laterally from his account to others and within 24 hours they’ve obtained full access to YOLO’s entire network, with the ransomware attack following immediately after they’ve exfiltrated private corporate data for extortion and corrupted any backups they could access.

This is a fictional scenario but everything in it matches our Security Lab’s expert investigations, including the time spans.

If James had been protected by Hornetsecurity’s Advanced Threat Protection the malicious email would have been scanned, the QR code identified, the malicious form found, and the email would never had been delivered to James and his colleagues.

Email is by far the most common way attackers gain a foothold in your organization. And this is an ever-evolving arms race, the criminals (who are well funded and well organized) are always changing and improving their attacks, so yesterday’s defenses and yesterday’s technology are going to be bypassed.

To be protected and stay secure against new threats, you need Hornetsecurity next-gen technology in your corner, with new protections against novel attacks, such as malicious QR codes.

The news is often filled with headlines about Advanced Persistent Threats (APTs) and it seems that every organization that gets breached leads their PR response with “it was a very advanced attack”, the subtext being that it was really hard to defend against.

However, Hornetsecurity has produced many reports, along with others in the industry, showing that most successful attacks aren’t the result of some amazing, previously unknown attack vector – they’re the consequence of basic security hygiene failures, such as allowing phishing and spear phishing emails to end up in your users’ inboxes.

And not having a thorough and ongoing security awareness training program for all users, to strengthen the “human firewalls” throughout your business.  

A variant is Business Email Compromise (BEC) where an attacker has compromised one user’s email account and monitors normal communications over a period of time, then inserts a request to change a bank account for a regular payment (to the attackers account) for example. 

These examples are just scratching the surface. The real challenge is new and evolving threats. Attackers are always changing and improving their lures and attacks, and with their ill-gotten gains they can afford new technologies.

For example, just like marketing departments and app makers, they’ll A/B test different emails to see which wording and approach gets the most clicks. This approach is also being augmented by AI – where we use ChatGPT to improve the language in a presentation, they might use similar technologies to generate “psychologically appealing” email lures.

All of this is to say that you need a strong team, that’s ahead of the curve, to make sure your users don’t have to deal with these threats, and that’s where Hornetsecurity comes in.  

Attack Type Usage in 2022

An analysis conducted by Hornetsecurity’s dedicated Security Lab of 25 billion business emails found that 40.5% were unwanted, and out of that portion, 94.5% were spam, and 5% malicious.

Social engineering is a large part of the threat landscape and email threats from 10 years ago that were filled with spelling and grammar mistakes and clearly fake, have been replaced with psychologically appealing, cunning text playing on human nature.

Brand impersonation is another part of the risk, with so many of the cues to assess trust we rely on when we first meet someone in the real world absent in emails, a message from a trusted brand is more likely to result in that unfortunate click.

Most-used file types in malicious emails

As we saw with James, that single click can lead to your business data being encrypted, your backups corrupted, and sensitive data you hold exfiltrated and threatened to be disclosed publicly.  

There are many, many more varieties of email attacks and risks, our Cyber Security Report goes into much more depth.  

Basic and Advanced Threat Protection 

To mitigate the risks outlined above you need both basic and advanced email hygiene services. The basic approach, which every vendor provides, takes care of (most of) the spam so that your users don’t have to wade through enormous amounts of junk just to find their business emails.

It’ll also catch (some of) the malicious emails and attachments but given how central email communication is to business today – catching most isn’t good enough. You need the best protection possible, and that is Hornetsecurity’s Advanced Threat Protection – a next generation security service for Microsoft 365 that provides precise and comprehensive protection against all forms of malicious emails.  

This cloud service provides excellent spam filtering and email security, for both incoming and outgoing emails, you don’t want to be the unwitting spreader of malicious emails because one of your users was compromised. Both malware and malicious URLs are spotted and blocked before they can do harm.

Advanced Threat Protection goes beyond these basic services to specifically catch ransomware emails and lures, spear phishing campaigns and CEO fraud. Behind the scenes we use AI-based Targeted Fraud Forensics to spot risks that others miss.

Advanced Threat Protection also catches forged email headers, a popular attack method to make an email appear to come from someone trustworthy, when in fact it doesn’t.  

As for malicious email attachments, unless we’ve seen the file before and we know it’s benign (or malicious, in which case the email will be blocked outright), we use our proprietary Sandbox Engine to go through the steps a user would upon receiving the email, and then monitor very carefully what happens when the attachment is opened or executed, using over 500 behavioral analysis sensors.

These sensors detect attempts by the executable to detect if it’s running in a sandbox (a dead giveaway), and carefully monitors filesystem, processes, memory, and registry changes to catch evidence of a malicious payload. Filetypes such as executables, PDF, Office files and archive (ZIP etc.) are all identified and the engine looks at macros, embedded URLs, metadata, and JavaScript code.

If an email or attachment is identified as malicious after delivery, it’ll be automatically marked for deletion in the inboxes where it has already been delivered.

Like any good security solution, Advanced Threat Protection mostly does its work silently and provides your end users with clean inboxes but in situations where your attention is required such as when your organization is under targeted attack – Real Time alerts are issued to your administrators.  

Hornetsecurity’s complete portfolio also includes email encryption to ensure that only the sender and recipients can read the contents of sensitive emails, handling encryption keys and certificate management behind the scenes for ease of use.

If you have regulatory requirements to keep all emails for extended periods of time (6 months to 10 years), legally compliant archiving is built in. It also allows you to import data from other email systems.

365 Total Protection also provides an easy-to-use signature and disclaimer feature that lets you create individual signatures based on Active Directory user information automatically.  

QR codes – The criminal’s new best friend

A new, bleeding edge attack vector is malicious Quick Response (QR) codes and we’ve added scanning of these to keep your users safe. Remember James and his disastrous Monday?

Up until now, and in nearly all other email security solutions on the market, if the attackers included a QR code instead or a plain text link, it would have just been seen as a benign picture and not set off any alarms.

With Advanced Threat Protection, and the new QR Code Analyzer this gap has now been firmly closed.  

QR codes are a very popular way for businesses worldwide to advertise and engage customers and potential buyers, “just scan this code and receive a $ 5 voucher on your first purchase”. It’s amazing to think they were invented all the way back in 1994 in Japan.

They are everywhere, this one for example takes you to Hornetsecurity’s homepage.  

QR Code example

How popular are QR codes in marketing today? Bitly published a report filled with interesting statistics, but in summary, they saw 152% growth of their use in 2022, with Finance, Healthcare and Government Services seeing huge growth in 2022.

People are scanning QR codes more and they link to more diverse content, not just a single website. There are now QR codes that lead to coupons, events, social media content and marketing video content.  

This means end users are becoming more and more accustomed to scanning QR codes and expecting “something good” at the end of it. This is a perfect opportunity for criminals to hide their malicious links in innocuous looking picture files and bypass protections – except if you have Advanced Threat Protection guarding you.  

Our scanner looks for QR codes in GIF, JPEG, PNG, and BMP image files in emails and can extract both URLs and text from them, analyze them and only allows the email to be delivered if it’s benign.

There’s no configuration of the QR code scanner in Advanced Protection’s Control Panel, it’s simply turned on and protecting all your users, just like any good security service.   

Secure Links

Speaking of scanning links, Advanced Threat Protection has had URL Rewriting and scanning for a long time, the new version is called Secure Links and uses a new engine.

Using Hornetsecurity’s secure web gateway it doesn’t just scan the links in emails, it also “visits” the website and recursively scans links to establish if the site presents a risk to your users, and of course blocking access if it does. Most importantly it’ll do the check at the time the user clicks the link, not just when the email was delivered.

Sometimes attackers will compromise a site but not change anything until after their emails have been delivered, making time of click protection paramount.

Secure Links

Security Awareness Service

No security service is perfect, there’s always a chance that something will slip through even the strongest net, so you need to add another layer of defense – your end users.

Hornetsecurity’s Security Awareness Service provides simulated phishing emails to train users to be wary, and not fall for lures, plus follow up short e-learning content to help cement the knowledge.

Unlike other solutions administration of the system is very lightweight and it’s mostly a “set and forget” solution, that uses an Employee Security Index to identify users most likely to click on links without hesitation and increase their training.  

Mailbox Migration Tool

There’s no doubt that hosting your email inboxes in Exchange Online is more secure than hosting them on-premises, especially given several high-profile vulnerabilities that were exploited in 2021, 2022 and now in 2023. To assist with your migration, Hornetsecurity now offers an easy-to-use Mailbox Migration Tool.

Once your users are onboarded in Control Panel, a simple Azure AD Application is configured with OAuth permissions and you can start migrating mailboxes to the cloud, which could take some time, depending on the number of mailboxes and their size. Once they’re migrated you can enable 365 Total Protection for them.  

Harness Next-Generation Security

Specifically designed for Microsoft 365, Hornetsecurity’s 365 Total Protection offers comprehensive protection for a wide range of Microsoft cloud services.

It is easy to set up, seamlessly integrates with your existing Microsoft 365 environment and is extremely intuitive to use. 365 Total Protection simplifies and strengthens your IT security management from the very start.