Deep Content Disarm and Reconstruction (Deep CDR), Part 1: The Case for Data Sanitization
Document-based exploits are an extremely common attack method. The malware delivered this way is representative of today's common threats: it relies on vulnerable applications, typically out-of-date software, to execute and install malware on the target computer. The payload could be anything from ransomware that encrypts all data, to key loggers, spyware, or bots that report back to a C&C server.
Because these exploits typically rely on software vulnerabilities to execute, it is easy to underestimate the severity of the issue: if users keep their browsers, operating systems and other programs up to date, these attacks are generally ineffective. However, according to HP's 2015 Cyber Risk Report, the top ten exploits reported in 2014 used well-known software vulnerabilities, not zero-days. This is not cutting-edge malware; the most commonly exploited vulnerability was first identified in 2010!
Image Source: HP Research Cyber Risk Report 2015
These exploits depend on end users delaying software updates and applying patches, and users seem all too willing to ignore updates indefinitely. This becomes especially problematic when one considers the number of known software vulnerabilities in Microsoft Word and Adobe Acrobat alone. By the way, if you are delaying the installation of a software update to read this blog post, go install it. Right now! I'll still be here when you get back!
Kidding aside, a greater emphasis on user education regarding the importance of timely installation of software updates is clearly needed; but what additional steps can security professionals take to improve their network's protection against this type of attack? Content disarm and reconstruction (CDR), also known as data sanitization, is one method that can protect against document-based malware.
What is content disarm and reconstruction?
Content disarm and reconstruction (CDR), or data sanitization, covers a family of technologies designed to remove embedded objects, exploit code and other active content from a file while preserving its usability. Because it strips the content rather than matching known signatures, it can also neutralize attacks on vulnerabilities that are not yet known (zero-days). The need is dire; SMBs, large enterprises and government agencies are all under attack from document-based exploits, often delivered by spear phishing. Sometimes called Threat Extraction or "cleanse safe for use," data sanitization is usually accomplished in one of three ways:
- Altering the internal structure of a file
- Removing content
- Converting a file to a different format
In this series we will examine the strengths and weaknesses of these methods against malware targeting common software vulnerabilities, assessing both how effectively each removes the threat and how usable the source files remain after CDR.
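As an added example (not OPSWAT's code, and not a description of any product's internals), here is a minimal sanitizer that applies two of the three methods to a Word package built in memory: it removes active content (the VBA project, embedded objects, ActiveX parts and external OLE links) and alters the internal structure (prunes the relationship and content-type entries that referenced them, downgrades the macro-enabled content type so the result opens as a plain .docx, and rewrites every surviving part into a fresh container). The removal policy, the constructed sample package and the helper names are assumptions for illustration.

```python
# Added example: minimal OOXML sanitizer, not OPSWAT code. Policy and sample are assumptions.
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Assumption: an illustrative removal policy, not an exhaustive CDR ruleset.
ACTIVE_CONTENT = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX/.*|embeddings/.*)$", re.IGNORECASE)

# Rewriting the main part's content type turns a .docm/.xlsm into its plain sibling.
MACRO_ENABLED_TO_PLAIN = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}

def _serialize(root, default_ns):
    ET.register_namespace("", default_ns)  # keep the file's default namespace, no ns0: prefixes
    return XML_DECL + ET.tostring(root, encoding="unicode").encode("utf-8")

def _prune_rels(rels_name, blob, removed):
    """Drop relationships that point at removed parts, plus external OLE links."""
    folder = rels_name.rpartition("_rels/")[0]  # folder of the owning part ('' at package root)
    root = ET.fromstring(blob)
    for rel in list(root):
        target = rel.get("Target", "")
        resolved = posixpath.normpath(posixpath.join(folder, target)).lstrip("/")
        if rel.get("TargetMode", "Internal") == "External":
            if rel.get("Type", "").endswith("/oleObject"):
                root.remove(rel)  # assumption: a linked OLE object is never wanted after CDR
        elif resolved in removed:
            root.remove(rel)
    return _serialize(root, REL_NS)

def _prune_content_types(blob, removed):
    """Drop Override entries for removed parts; downgrade macro-enabled main parts."""
    root = ET.fromstring(blob)
    for el in list(root):
        if el.tag != f"{{{CT_NS}}}Override":
            continue
        if el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)
        elif el.get("ContentType") in MACRO_ENABLED_TO_PLAIN:
            el.set("ContentType", MACRO_ENABLED_TO_PLAIN[el.get("ContentType")])
    return _serialize(root, CT_NS)

def sanitize_ooxml(data):
    """Return (clean package bytes, sorted removed part names); survivors go into a fresh zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        names = src.namelist()
        removed = sorted(n for n in names if ACTIVE_CONTENT.search(n))
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in names:
                if name in removed:
                    continue
                blob = src.read(name)
                if name.endswith(".rels"):
                    blob = _prune_rels(name, blob, set(removed))
                elif name == "[Content_Types].xml":
                    blob = _prune_content_types(blob, set(removed))
                dst.writestr(name, blob)
    return out.getvalue(), removed

def package_parts(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}

def build_sample_docm():
    """Constructed sample (not a real document, not real malware): a tiny macro-enabled
    package with a VBA project, an external OLE link and an ordinary hyperlink."""
    parts = {
        "[Content_Types].xml": XML_DECL + (f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>").encode(),
        "_rels/.rels": XML_DECL + (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>').encode(),
        "word/document.xml": XML_DECL + (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Quarterly figures attached.</w:t></w:r></w:p></w:body></w:document>").encode(),
        "word/_rels/document.xml.rels": XML_DECL + (f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/linked.xlsx" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'
            "</Relationships>").encode(),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # CFB magic + filler
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in parts.items():
            z.writestr(name, blob)
    return buf.getvalue()
```

Running `sanitize_ooxml(build_sample_docm())` removes `word/vbaProject.bin`, drops the relationships `rId1` (VBA project) and `rId2` (external OLE link) while keeping the ordinary hyperlink `rId3`, and rewrites the main content type to the plain document type. The third method, conversion to a different format, is not shown; it would take the document apart entirely, for instance by rendering pages to images. Note what this sketch does not do: it does not walk the body XML to delete elements that referred to the dropped relationships, and it assumes a well-formed package; a production CDR engine must also cope with malformed containers and with parsers that disagree about what the file contains.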
The second edition of this series is now available, and discusses the strengths and weaknesses of sanitizing files through structure alterations!