Files brought into the network by trusted users are among the most common, and most dangerous, malware delivery vectors. Such files look completely innocuous, like the Word documents that carried a recent attack, yet can contain sophisticated malware that is extremely difficult to detect. Another example is the Dark Tequila Añejo malware, which was discovered only after roughly five years of malicious activity.
And here is the crux of the matter: detection is difficult. Really difficult. Why? Because the detection technologies in mainstream anti-malware tools and endpoint security products (antivirus engines, EPP, EDR and others) depend largely on prior knowledge of the threat: a signature, a hash, a known indicator or a previously observed behaviour pattern. They are weakest against exactly the threats that matter most, new malware and targeted attacks built for a single victim. With hundreds of thousands of new malware samples appearing every day, many attacks are simply unknown to these tools at the moment they arrive.
To address unknown threats, sandbox-based solutions were introduced several years ago. A sandbox opens and runs each incoming file in an isolated environment and watches for abnormal behaviour (spawned processes, network connections, writes to unusual locations). Most sandboxes can also fast-forward the system clock so that time-delayed payloads trigger during analysis. Unfortunately, by late 2017 numerous malware campaigns were bypassing sandboxes entirely, typically by checking for virtualization artefacts or the absence of real user activity and staying dormant whenever analysis is suspected, leaving organizations exposed to massive cyber risk. Moreover, the sandbox's relatively long scanning latency, since every file must be detonated and observed before delivery, slows organizational processes and disrupts workflow.
The Next Generation of Anti-Malware: Prevention
In 2016, CDR (Content Disarm & Reconstruction) technology made the move from its military origins to the commercial market. CDR was designed from the ground up to prevent malware attacks, not merely detect them, and it was well received. InformationAge reported that “…instead of relying on sandboxes, companies should be trying new ideas, like content disarm and reconstruction (CDR). In a recent report, Gartner said that CDR systems installed on mail gateways to nab malware-laden messages before they are passed through to users can be an important supplement, or even replacement, for traditional sandboxes.”
CDR works on supported file types by altering the file's structure so that anything hidden in it (macros, embedded objects, scripts, malformed structures) can no longer execute, rendering it harmless. In its simplest implementation, CDR converts files into different formats: DOCX to RTF, XLS to CSV, or documents of any kind to PDF. The idea was that conversion would leave embedded malware behind, and it did, until attackers learned to work around it, since the target formats can carry active content of their own. Moreover, converted files were often changed significantly, losing formatting, formulas and functionality, which made them far harder for end users to work with productively.
Prevention 2.0: True CDR
The next generation of CDR technology eliminates the need for clumsy file format conversions. These solutions do not convert formats because they disassemble and rebuild every incoming file from scratch. This is known as “file sanitization,” and it is the key disrupter in next-gen CDR technology (like that from ODI).
Transparent to end users, the true CDR sanitization process first identifies the file type by its content rather than its extension, then applies a format-specific parser that takes the file apart and extracts only the legitimate data it needs, including attached or embedded files, which are themselves run through the same process. The file is then rebuilt from that extracted data alone, in its original format. Ultimately, the end user receives a secure, functional and fully usable copy of the original file. The practitioner's caveat is that anything outside the parser's allowlist does not survive, so legitimate active content (macros a workflow depends on, for example) needs an explicit policy rather than an assumption that it will pass through.
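To make the disassemble-and-rebuild step concrete, here is an added example written for this page; it is not ODI's or any vendor's code. It is a toy sanitizer for Word's OOXML package format and assumes only the public structure of OOXML: a ZIP of XML parts, relationship (`.rels`) files and a `[Content_Types].xml` manifest. It identifies the file by content, admits parts only from an allowlist (checking that image bytes match their extension and that XML parts parse), drops VBA projects, OLE embeddings and ActiveX both by name and by relationship type, rebuilds the relationship and content-type parts from the extracted attributes so nothing refers to a removed part, demotes a macro-enabled main part to a plain document, and writes a brand-new ZIP. The macro-enabled sample document is constructed inline (its OLE header bytes stand in for a real VBA container); the part names, relationship types and content types are the real OOXML ones, while every function name is this example's own.

```python
"""Toy CDR-style sanitizer for Word OOXML packages: disassemble, admit parts from an allowlist, rebuild from scratch."""
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
SAFE_EXT = {".xml", ".rels", ".png", ".jpg", ".jpeg", ".gif"}                 # positive allowlist of part types
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
DROP_NAME = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$|(^|/)(embeddings|activeX)/", re.I)
DROP_REL = re.compile(r"/relationships/(vbaProject|oleObject|control|package)$")   # active-content relationship types
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def identify(data):
    """Step 1, type by content not by extension: a Word package is a ZIP holding [Content_Types].xml and word/document.xml."""
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return "unknown"
    return "docx" if {"[Content_Types].xml", "word/document.xml"} <= names else "unknown"

def _keep_part(name, body):
    """Step 2: decide whether one extracted part may enter the rebuilt package and, if not, why."""
    ext = posixpath.splitext("_" + name.rsplit("/", 1)[-1])[1].lower()   # "_" so that "_rels/.rels" yields ".rels"
    if name.startswith("/") or ".." in name.split("/"):
        return False, "unsafe entry name (zip-slip)"
    if DROP_NAME.search(name):
        return False, "active content (macro/OLE/ActiveX)"
    if ext not in SAFE_EXT:
        return False, f"extension {ext or '(none)'} not allowlisted"
    if ext in IMAGE_MAGIC:                                   # the extension must agree with the bytes
        return (True, "") if body.startswith(IMAGE_MAGIC[ext]) else (False, "image header mismatch")
    try:
        ET.fromstring(body)                                  # XML parts must at least be well-formed
        return True, ""
    except ET.ParseError:
        return False, "malformed XML"

def _emit(root, ns, children):
    """Step 3: re-serialise a flat metadata part from extracted attributes; the original bytes are never copied."""
    tags = "".join(f"<{t}" + "".join(f" {k}={quoteattr(v)}" for k, v in a.items()) + "/>" for t, a in children)
    return f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><{root} xmlns="{ns}">{tags}</{root}>'.encode()

def _rebuild_rels(rels_name, body, kept, log):
    """Keep only relationships whose target survived; drop active-content relationship types outright."""
    base = posixpath.dirname(posixpath.dirname(rels_name))   # word/_rels/document.xml.rels describes word/document.xml
    survivors = []
    for rel in ET.fromstring(body):
        a, target = dict(rel.attrib), rel.get("Target", "")
        resolved = target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))
        if a.get("TargetMode") != "External" and (DROP_REL.search(a.get("Type", "")) or resolved not in kept):
            log.append((rels_name, a.get("Id"), target))
        else:
            survivors.append(("Relationship", a))            # external hyperlinks are not parts; left to policy
    return _emit("Relationships", REL_NS, survivors)

def _rebuild_content_types(body, kept):
    """Drop declarations for removed parts; demote the macro-enabled main part to a plain document."""
    survivors = []
    for el in ET.fromstring(body):
        tag, a = el.tag.split("}")[-1], dict(el.attrib)
        if tag == "Override" and a.get("PartName", "").lstrip("/") not in kept:
            continue
        if tag == "Default" and "." + a.get("Extension", "").lower() not in SAFE_EXT:
            continue                                         # e.g. Default Extension="bin"
        if a.get("ContentType") == MACRO_MAIN:
            a["ContentType"] = PLAIN_MAIN
        survivors.append((tag, a))
    return _emit("Types", CT_NS, survivors)

def sanitize(data):
    """Return (rebuilt package, report). Every output part was individually admitted, never passed through."""
    if identify(data) != "docx":
        raise ValueError("unsupported file type")
    kept, dropped, dropped_rels = {}, {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if not n.endswith("/")):   # directory entries are not parts
            body = z.read(name)
            ok, why = _keep_part(name, body)
            if ok:
                kept[name] = body
            else:
                dropped[name] = why
    for name in [n for n in kept if n.endswith(".rels")]:
        kept[name] = _rebuild_rels(name, kept[name], kept, dropped_rels)
    kept["[Content_Types].xml"] = _rebuild_content_types(kept["[Content_Types].xml"], kept)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name in sorted(kept):
            z.writestr(name, kept[name])
    return out.getvalue(), {"kept": kept, "dropped_parts": dropped, "dropped_rels": dropped_rels}

def build_sample_docm():
    """Constructed sample, not a real-world file: a macro-enabled document with VBA, one OLE object and one image."""
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    ct = (f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
          '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{od}oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId3" Type="{od}image" Target="media/image1.png"/></Relationships>')
    parts = {
        "[Content_Types].xml": ct, "word/_rels/document.xml.rels": rels,
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{od}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/vbaData.xml": '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64,      # OLE2 header, as in real VBA containers
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 32,
        "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `sanitize(build_sample_docm())` drops the VBA project, `vbaData.xml` and the OLE object, removes their two relationships, and rewrites the manifest without `Extension="bin"` or the macro-enabled content type, while `document.xml` and the image survive untouched. Feeding the output back through `sanitize` drops nothing, which is the idempotence property a real CDR pipeline should assert on its own output. A production implementation would go further and parse `document.xml` itself into a model and re-serialise it, and would need separate parsers for XLSX, PPTX, PDF and image formats.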
The Bottom Line
In the end, there is not really a question whether detection or prevention is preferable for mitigating cyber risk and strengthening security. By eliminating threats before they are even recognized as threats, advanced CDR solutions like ODI's are truly Benjamin Franklin's “ounce of prevention.”