Using content disarm and reconstruction for malware protection

Content disarm and reconstruction is a modern approach to removing malicious code from files, key to detecting and thwarting successful phishing and malware attacks.

The majority of malware infections begin with a phishing email. These simple lures, which trick recipients into opening malicious attachments or clicking links that lead to malicious web content, have been among the most successful methods to gaining a foothold on a device or network for years.

Traditionally composed of PDFs, Word documents, Excel spreadsheets and PowerPoint presentations, infiltration methods have expanded to include malicious content delivered via corporate collaboration platforms, such as Microsoft Teams or Slack, as well as social media and mobile apps.

The problem for security teams is that traditional reactive security controls, which rely on detection of malicious code or actions, struggle to find today's complex malware. Many of these mechanisms fail to recognize zero-day threats as they only detect known threats. For example, antivirus products are usually signature-based. Even antivirus products that include sandbox analysis to identify unusual behavior still need to know what to look for. In addition, this type of analysis takes time and can cause latency issues. Plus, sophisticated malware can often evade sandbox detection.

This creates a major gap in network defenses. To avert modern malware attacks, many enterprises are adding content disarm and reconstruction, or CDR, to their threat prevention controls.

What is content disarm and reconstruction?

Also known as data sanitization, file sanitization or threat extraction, CDR handles content analysis from a default deny-all approach. It assumes all content is malicious so it doesn't need to try to detect constantly evolving malware functionality. Instead, it removes all of a file's components that do not comply with the file type's specifications and format -- known bad versus known good. This provides protection against both known and new unknown threats, whatever their level of sophistication.

CDR technology can protect a range of entry points into the network, including computer endpoints, email, web traffic and file-sharing services. CDR isn't installed on specific machines, but rather at the network gateway. Therefore, each incoming file can be checked before it enters the network.

How does CDR work?

Content disarm and reconstruction deconstructs a file into its component parts and then identifies and removes any that do not comply with international or vendor file type specifications. Any executable content within a document is also removed or sanitized, whether or not it is a potential threat.

A new clean flat file is then built from the remaining safe content and forwarded on to the recipient. The original file may be accessed by the user only after it is confirmed to be benign and following further analysis, such as sandbox inspection.

Who needs CDR?

While this level of sanitization may be needed in organizations where security must take priority at the expense of productivity, it is not practical in most business cases. However, organizations may benefit from adopting portions of a CDR system instead of full-out CDR processes.

Most CDR systems available today offer the ability to set policies that allow certain types of content to remain within the file so as not to remove harmless JavaScript, macros or hyperlinks from Office or PDF documents. For example, companies can set policies to ensure macros in files sent internally are allowed to remain as part of the file but are removed when received from an untrusted external source.

What to look for in a CDR product

When selecting a CDR system, accuracy of file regeneration and support for multiple file types, including nested files and region-specific formats, if necessary, are important features to look for. In addition, look at the product's reporting capabilities, including what is being sanitized and how, as this will enable security teams to make informed choices when refining configuration settings to meet particular use cases.

Look for vendors whose products offer admin-controlled policies for file formats and user groups to control which embedded objects should be removed, sanitized or sent for further sandbox analysis and when -- for example, based on sender or recipient. Ensure the product doesn't just convert a document to an image. Although this delivers a secure document, it is far less usable. Report dashboards, as always, are an important feature so security teams can quickly evaluate attack strategies and adjust other security control settings accordingly.

CDR: What security teams need to know

MarketsandMarkets predicted the CDR market will reach $298 million by 2023. But, before jumping in and adopting, there are some things that enterprises should know.

Because CDR is signatureless, maintenance is minimal compared to security mechanisms that require continuous updates and is many times faster than sandbox analysis.

But, as always, a defense-in-depth approach is the best strategy to establish a comprehensive threat prevention strategy. Therefore, deploying CDR as an additional layer of protection, alongside sandbox detection-based antivirus, antispam and other controls, is an enterprise's best bet, versus deploying it as a standalone alternative.

A defense-in-depth strategy can also dramatically reduce delays due to sandbox analysis as most day-to-day traffic consists of nonexecutable documents.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing