Introducing content disarm and reconstruction – the zero-trust rebel that frisks every file

By: Sertan Selcuk, VP of Sales, META at OPSWAT

As United Arab Emirates (UAE) enterprises continue to take advantage of new technologies, they must also shoulder the expectations and requirements of their operating markets. Customers expect safe and responsible storage and use of their data. And regulators require it. But even as these new pressures mount, delivering on them has become more difficult, given sprawling technology stacks and the unvetted personal devices of remote workers. Worst of all, attackers are becoming more active and more sophisticated.

Today, file attachments are a sinister thing. Whether delivered via email or within web applications and portals, every one of them — simple or complex — has the potential to be a source of harm. Word documents, Excel spreadsheets, PowerPoint decks, PDFs, CAD files, and others can be booby traps of catastrophic proportions. Threat actors have access to a range of tools, from embedded objects to scripting, to infiltrate, infect, disable, and extort. For example, late last year, e&’s security arm, Help AG, warned of the return of Emotet, pervasive malware delivered via malicious code embedded in macro-enabled Word or Excel files. It spreads by harvesting email addresses and targeting other users automatically, and culminates in the download of damaging payloads such as ransomware.

Of course, we still must address the ongoing issue of application vulnerabilities. And so far, we have only mentioned the “detectables” — the things we know something about. How do we deal with zero-day targeted attacks and advanced persistent threats (APT)? How do we cope with the annual millions of new or modified strains of malware?

Forget detection

Before we look to answers, let us make one obvious exclusion: the answer is emphatically not “business as usual”. Traditional point solutions are demonstrably inadequate in combatting the overwhelming tide of malware — strains that have grown in complexity and are sophisticated enough to shrug off the challenges of rule-based anti-malware engines and sandbox measures.

Instead, let us consider technology that does not rely on detection but follows zero-trust principles and assumes all files are malicious. This method works by first verifying a file’s type and identifying any embedded content. It removes any content it considers to be potentially malicious and reconstructs the file using only legitimate components. We call this sanitisation method “content disarm and reconstruction”, or CDR.

Because of its zero-trust foundation, CDR technology is highly effective at preventing unknown threats, including zero-day targeted attacks and threats that specialise in malware evasion. Because of its reconstructive approach, CDR is also effective in addressing file-based vulnerabilities and in getting rid of malicious code embedded in scripts and macros.

The right stuff

But not all CDR is created equal. Let us begin with archives, which have become more popular in recent years as a means of integrating and storing multiple file types in a single volume. Security procurement teams considering CDR must review the archive formats supported by a solution to ensure that security analysts will be able to control aspects such as the level of recursion (for example, a PDF embedded within a PowerPoint file; both the container and the embedded file must be reachable by the CDR dismantling process).

We should also remember that some 5,000 known file types currently exist. Which do you use, and how many of them are supported by the CDR solution? Does the reconstruction process return a fully functional file, complete with all original multimedia animations and macro functions? And does the CDR support all the configurations that fit your use case? Does it remove hyperlinks for specific file types?

All these questions and more (including the CDR’s performance rates for different file types) should be addressed during formal evaluation. CDR systems must produce comprehensive and easy-to-interpret audit trails for all of their sanitisation operations, and the integrity of archives must be verifiable. The security team must have control over their own policies, allowing (for example) the retention of Excel macros for internal emails while removing them for external ones. And if, like many other organisations across the region, you run a mix of operating systems, then you must confirm whether the CDR supports all of them.
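As an added illustration, and not OPSWAT’s product or any vendor’s code, here is a minimal Python CDR-style sanitiser covering the method described above and the evaluation points on archives and policy: it verifies the file type from magic bytes rather than the extension, removes active content, rebuilds the package from only the parts it kept, recurses into nested archives up to a depth limit, applies the internal/external macro policy, and records an audit trail. The part names (vbaProject.bin, oleObject) follow the OOXML convention; the sample document is constructed for the example and is not a real file.

```python
import io
import zipfile

# Magic-byte prefixes used to verify the real file type; the extension is never trusted.
SIGNATURES = {b"PK\x03\x04": "zip", b"%PDF-": "pdf"}
MAX_DEPTH = 4  # recursion limit: unbounded nesting is itself a way to exhaust the sanitiser

def identify(data: bytes) -> str:
    """Return the verified type from leading bytes, or 'unknown'."""
    return next((kind for magic, kind in SIGNATURES.items() if data.startswith(magic)), "unknown")

def is_active_content(name: str) -> bool:  # OOXML parts carrying executable content
    base = name.rsplit("/", 1)[-1].lower()
    return base == "vbaproject.bin" or base.startswith("oleobject")

def sanitize_zip(data: bytes, keep_macros: bool, audit: list, depth: int = 0) -> bytes:
    """Rebuild the package from scratch with only allowed parts, recursing into nested archives."""
    if depth > MAX_DEPTH:
        raise ValueError("archive nesting exceeds policy limit")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info)
            if is_active_content(info.filename) and not keep_macros:
                audit.append(f"depth {depth}: removed {info.filename}")
                continue
            if identify(payload) == "zip":  # nested archive: dismantle it the same way
                payload = sanitize_zip(payload, keep_macros, audit, depth + 1)
            dst.writestr(info.filename, payload)  # fresh entry; original zip metadata is discarded
            audit.append(f"depth {depth}: kept {info.filename}")
    return out.getvalue()  # a real CDR must also drop the matching [Content_Types].xml and .rels references

def sanitize(data: bytes, internal: bool) -> tuple:  # policy: internal keeps macros, external strips them
    if (kind := identify(data)) != "zip":
        raise ValueError(f"unsupported or unverifiable file type: {kind}")
    audit = [f"verified type: {kind}", f"macro policy: {'retain' if internal else 'remove'}"]
    return sanitize_zip(data, keep_macros=internal, audit=audit), audit

def pack(entries: dict) -> bytes:  # builds a constructed zip package from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()

def build_sample() -> bytes:  # constructed fixture, not a real document
    macro = b"\xd0\xcf\x11\xe0 constructed macro blob"  # stands in for a VBA project stream
    inner = pack({"xl/workbook.xml": b"<workbook/>", "xl/vbaProject.bin": macro})
    return pack({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<document>report</document>",
                 "word/vbaProject.bin": macro, "word/embeddings/sheet.zip": inner})
```

Running `sanitize(build_sample(), internal=False)` strips the macro part at both nesting levels and the audit list shows exactly which parts were kept or removed; a second pass over the cleaned output removes nothing, which is the check an evaluator should expect to pass.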

Testing, testing…

And don’t be afraid to delve a little deeper. Challenge the design of the technology itself. How secure is it? How is the core engine protected? Look into longevity issues. How sustainable is the product in the long term? How many engineers work on it and what is their background? What processes do they follow and how do they approach quality assurance? It is not unreasonable to ask the vendor to allow you to review such procedures. You must confirm the safety of the build process by finding out whether any countermeasures are embedded in the build chain to protect against attack.

Exhaustive as this interrogation may appear, the vendor of any robust CDR will be only too happy to give you a look under the hood of production. They will unhesitatingly disclose how they test their platform and whether third-party validation is involved. They will willingly share details such as the size of the test data set and samples of malware and zero-days. They should even permit manual verification of test data sets.

Additionally, there are integration questions to be answered. There are questions regarding upgrade frequency and methods of enhancement. How quickly can a new file type be supported? And explore the legal implications of the CDR platform. Does it use third-party libraries? If so, are they legally licensed? Confirm by asking to see the EULAs.

Disarmed and reconstructed; are you content?

CDR is a new approach. Its power is undeniable but to be effective, security teams must ensure they are receiving true CDR. Assuming they do, they will find themselves in game-changing territory, where worn-out legacy solutions are cast aside to make way for a battle-ready sentinel that gets the job done.
