Introducing OPSWAT Threat Intelligence Similarity Search Learn More

Deep Content Disarm and Reconstruction (Deep CDR), Part 1: The Case for Data Sanitization

Document-based malware exploits are an incredibly common method for attack. The types of malware distributed via this method are representative of today's common threats; they rely on vulnerable applications, typically out-of-date software, to install malware on the target computer. The malware could be anything from ransomware designed to encrypt all data, key loggers, spyware, or even botnets designed to report back to a C&C Server.

Because these exploits typically rely on software vulnerabilities to execute, it is easy to underestimate the severity of the issue. If users are keeping their browsers, operating systems and other programs up-to-date these attacks are generally ineffective. However, according to HP's 2015 Cyber Risk Report, the top ten exploits reported in 2014 used well-known software vulnerabilities, not zero-day attacks. This is not cutting edge malware; the most common vulnerability exploited was first identified in 2010!

Image Source: HP Research Cyber Risk Report 2015

These exploits depend on end users delaying software updates and applying patches, and users seem all too willing to ignore updates indefinitely. This becomes especially problematic when one considers the number of known software vulnerabilities in Microsoft Word and Adobe Acrobat alone. By the way, if you are delaying the installation of a software update to read this blog post, go install it. Right now! I'll still be here when you get back!

Kidding aside, a greater emphasis on user education regarding the importance of timely installation of software updates is clearly needed; but what additional steps can security professionals take to improve their network's protection against this type of attack? Content disarm and reconstruction (CDR), also known as data sanitization, is one method that can protect against document-based malware.

What is content disarm and reconstruction?

Content disarm and reconstruction (CDR), or data sanitization, includes a family of technologies designed to remove the embedded objects, exploits and zero-day attacks mentioned above while preserving the usability of a file. The need is dire; SMBs, large enterprises and government agencies are all under attack from document-based exploits, often sent via spear phishing attack. Sometimes called Threat Extraction or "cleanse safe for use," data sanitization is usually accomplished in one of three ways:

  • Altering the internal structure of a file
  • Removing content
  • Converting a file to a different format

This series we will examine the strengths and weaknesses of these methods against malware targeting common software vulnerabilities, including assessing the efficacy of threat removal and the usability of the source files after CDR.

The second edition of this series is now available, and discusses the strengths and weaknesses of sanitizing files through structure alterations!

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.