True CDR – the Next Generation of Malware Prevention Tools
By: Dr. Oren Eytan – CEO, ODIX.
One of the most serious security challenges facing enterprise networks is how to achieve effective protection from malware-infected files, when existing protective systems can’t detect these threats.
CDR (Content Disarming and Reconstruction) is an Israeli technology – originally developed in the Israel Defense Forces and adapted for civilian use – that can solve this problem.
CDR is file sanitization technology designed to protect against damage from malware attempting to enter an organization’s network through files containing malicious code. This technology is the most powerful tool for preventing file-based malware attacks. CDR can defend against new and unfamiliar threats that traditional protective tools – antivirus, sandbox, and even EDR systems – are unable to stop.
The file sanitization process is not necessarily based on discovering harmful code (which is challenging when the threat is unknown), but rather on disrupting and neutralizing all unfamiliar code hiding inside files – without guesswork, statistical analysis or user behavior analysis.
The CDR file sanitization process scans all files before they reach the user. Malware is not always discovered in files. But after the CDR process, it is possible to say with nearly 100% certainty that files are clean and safe to use.
File Sanitization – Repurposed from Military to Civilian
CDR was born to enable Israeli security organizations to prevent malware infiltrations of their secure networks, at any price.
Today, every computer network (not only secure networks) is subject to multiple threats and constantly targeted by malware attacks. These attacks have become widespread because practical knowledge of how to launch them is available online to all who seek it. Commercial network security administrators understood the need for CDR technology, but since the technology was originally designed for military needs, it was not initially suitable for business.
The first CDR systems developed by Israeli security organizations used a number of antivirus engines rather than a single engine. This solution worked well when first introduced some twenty years ago, but as technology advanced the situation changed. Attackers moved from file-based attacks to more clever strategies – attacking specific networks with specially-written malware. Even when an infected file is scanned using all the known antivirus engines, these attacks are not detected. The reason is simple – the antivirus engine needs to identify the malware signature, but before this is possible someone needs to identify the malware and update the engine’s data.
The Big Problem – Sanitization Leaves Files Unusable
Once antivirus engines became ineffective in preventing new and unknown malware attacks, a new file sanitization method was developed based on converting the file format. Often, changing the file format destroys or disrupts malicious code in the file, preventing its activation. The primary problem with the format-changing approach is that the sanitized file is not the same as the original one, and quite often becomes completely useless.
By way of example, if a user expects to receive an Excel file with formulas but instead he gets a flat PDF or CSV file, the user is often forced to create a completely new version of the file. While this solution might meet the needs of closed security organizations where security takes top priority even at the expense of productivity, it is highly unsuitable to a business organization.
Double Format Conversion – Interim and Insufficient
The initial solution to the above file usability problem was to do a double format conversion – to convert the file to an interim format and after that to convert it back to its original format. At the end of this process, the user does receive a file in the original format. However, in every reformatting – single or double – the file loses some of its functionalities and its usefulness to the organization is adversely affected.
Another disadvantage of converting file formats is the inability to cope with nested files. A nested file, for example, can be used by an attacker trying to insert malware into the organization through a PDF. To do so, he embeds the infected PDF file into a DOCX file, hoping to circumvent traditional protective tools like sandboxes, which see only a non-threatening Word file. When the end user opens the file, the attached PDF with the malware is immediately activated.
Single or double file conversions cannot deal with nested files. Sometimes the user receives the attached file with the original malware, and sometimes the attached file appears as an image or icon only. Either way, the user does not get the functioning file he or she was expecting to receive.
Thus, the format conversion approach – at any level of sophistication – still risks damaging organizational productivity in the best case, and compromising security in the worst.
The Solution – True CDR Based on Algorithms
The most advanced CDR solutions are not based on converting formats but rather on disassembling and rebuilding a file from scratch according to its specific format.
This sanitization process identifies the type of file and applies a format-specific algorithm that takes the file apart, extracting the relevant content, including any attached files. At the end of the process, the user receives a secure, usable file with all expected functionality.
From a technical perspective, the sanitized file is actually a totally new file, but this is hidden from the user. This technology fully supports sanitizing files nested within other files, and archive files like ZIP and RAR.
How does this work? Continuing the example above (PDF file nested in a DOCX file) – let’s assume that this time the hacker is cleverer. He compresses the DOCX file into ten levels of a ZIP file. Most file scanning approaches, including format conversion, scan one or two levels of the compressed file. However, the True CDR process recursively scans all of the compressed file’s levels. It locates the DOCX file and sanitizes it using the most appropriate algorithm. It also locates the attached PDF and sanitizes it as well. Afterwards, it sanitizes the entire ZIP file independently. It closes all the levels and delivers a file whose structure resembles the original structure yet is clean and safe to use.
Security Policy Management – Key to File Sanitization
The CDR process needs to take into account organizational data protection requirements, and operational and business needs. This delicate balance cannot be achieved unless the file sanitizing process is under the full authority and supervision of the information security administrator.
Every organization has different user permissions defined in their risk management policy. Since the files sent to the organization are critically important for their operations but at the same time could pose a security risk, an advanced CDR system must offer the flexibility to define user (or user group) permissions to be in-line with risk management needs.
For example, the organization’s basic file entry policy could require that a CDR system remove macros from Excel files, but should this apply to the Chief Financial Officer and her staff? They use Excel files with macros on a daily basis. The information security administrator can set up a system that sanitizes Excel files, sent to the CFO staff, leaving their macro functionalities in place. In this way, the department can continue to function as normal, and the security administrator can mitigate the risks involved, for example, with special training sessions.
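The two mechanisms described above (recursive descent through nested ZIP levels with a rebuilt, rather than copied, container, and a per-group policy that decides whether macro parts survive) can be sketched in a few dozen lines. The following is an added illustration written for this article, not ODIX code: the depth limit, the OOXML macro part names it looks for, and the `POLICY` table are assumptions, and the PDF branch is left as a stub because rebuilding PDF is a separate algorithm.

```python
import io
import zipfile

# Constructed example: recursive "disassemble and rebuild" for ZIP/OOXML; depth limit, macro part names and policy table are assumptions.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin"}   # OOXML VBA containers
POLICY = {"default": {"keep_macros": False}, "finance": {"keep_macros": True}}

def file_type(data):  # identify by magic bytes, never by file name or extension
    if data.startswith(b"%PDF"):
        return "pdf"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return "ooxml" if "[Content_Types].xml" in z.namelist() else "zip"

def _sanitize(data, rules, depth, report):
    if depth > 16:  # assumed nesting limit: guards against runaway/zip-bomb nesting
        raise ValueError("nesting deeper than policy allows; file rejected")
    kind = file_type(data)
    report.append(f"{depth}:{kind}")
    if kind not in ("zip", "ooxml"):
        return data  # pdf/other would go to that format's own rebuild routine (not shown)
    out = io.BytesIO()  # a brand-new archive: members are re-emitted, never copied as-is
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            if info.filename in MACRO_PARTS and not rules["keep_macros"]:
                report.append(f"{depth}:dropped {info.filename}")
                continue
            dst.writestr(info.filename, _sanitize(src.read(info), rules, depth + 1, report))
    return out.getvalue()

def sanitize_for_group(data, group="default"):  # policy is chosen per user group
    report = []
    return _sanitize(data, POLICY[group], 0, report), report

def _zip(members):  # helper for building the constructed input
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return out.getvalue()

def make_sample(levels=10):  # constructed: macro-bearing DOCX-like file inside N ZIP levels
    blob = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"fake vba"})
    for i in range(levels):
        blob = _zip({f"level{i}.zip": blob})
    return blob
```

Running `sanitize_for_group(make_sample(10))` walks all ten ZIP levels, finds the document at depth 10 and drops its VBA part under the default policy, while the `finance` group receives the same document with the macro part intact.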
The prevention of malware penetration from files entering the network is one of the biggest network security challenges. The risks increase constantly, as new malicious code is created daily, and traditional protection methods fall short in keeping track of them and preventing attacks.
True CDR (Content Disarm & Reconstruction) technology based on algorithms offers the most effective and precise way to deal with this problem. This technology is not based on identifying the malware but on absolutely blocking its entry.
CDR technology is detection-less. It does not inform us that “this file contains malicious code.” Rather, it guarantees that after the sanitization process, any malicious code that may have been present will not cause damage. And true CDR technology takes into consideration that the organization needs to continue to operate as normal.
This type of file sanitization technology thus protects the file’s functionality while neutralizing the potential threat and satisfying organizational security policy demands. The successful implementation of these parameters in a file sanitization system represents a breakthrough in the application of military technology for civilian use.