Using CDR to combat emerging threats

SMART Cybersecurity Handbook 2022 Information Security

CDR stands for content disarm and reconstruction. Also known as data sanitisation, CDR is an advanced threat prevention technology that does not rely on detection. It follows the zero-trust philosophy: it assumes all files are malicious, then sanitises and rebuilds each file, ensuring full usability with safe content. This means that files are dissected, anything that has the potential to be dangerous is removed, and the file is then reassembled.

CDR technology is highly effective for preventing known and unknown threats, including zero-day targeted attacks and threats that are equipped with malware evasion technology, such as Fully Undetectable malware, VMware detection, obfuscation and many others.

OPSWAT CDR technology, called Deep CDR, assumes all files are malicious. It ingests files and then regenerates these files in a way that ensures the regenerated file is both usable and harmless. Hence, CDR technology provides protection without needing to know whether a suspected file is ‘good’ or ‘bad’.

CDR follows a three-step process

1. Identify and scan files

Files are evaluated and verified as they enter the sanitisation system to ensure file type and consistency, with identification of over 4500 file types. Each file is scanned to identify all embedded active content in the file, such as macros, hyperlinks and OLE objects. File extensions are examined to prevent seemingly complex files from posing as simpler files, and such files are red-flagged for malicious content, alerting organisations when they are under attack. OPSWAT Deep CDR supports sanitisation for over 100 common file types, including PDF, Microsoft Office, HTML, many image file types, JTD and HWP.

2. Sanitise files

The files are rebuilt in a fast and secure process. File elements are separated into discrete components, malicious elements are removed and metadata and all file characteristics are reconstructed. The new files are recompiled, renamed and delivered, preserving file structure integrity so that users can safely use the file without loss of usability.

3. Use files

The newly regenerated files can now be used. Even complex files remain usable; for example, animations embedded in PowerPoint files remain intact after the CDR process is completed. Finally, the original files are quarantined for backup and further examination. By rendering fully usable files with safe content, the CDR engine protects organisations against the most sophisticated threats while maintaining user productivity.

Two common CDR use cases

Can CDR prevent threats based on software vulnerabilities? A software vulnerability refers to the weakness of an asset that can be exploited by cyber attackers. Both known vulnerabilities and unknown vulnerabilities can be the root cause of security incidents. Many vulnerabilities leverage files to compromise file containers.

For example, hackers can leverage the disclosed Adobe Acrobat and Adobe Reader vulnerability, CVE-2019-16451, to distribute backdoor malware capable of controlling an infected system, providing attackers with the ability to install programs; view, modify and erase data; and create new accounts with full user rights.

OPSWAT Deep CDR is effective for addressing file-based vulnerabilities since rebuilding the file removes malicious commands and exploits hidden in images, videos and other innocent file formats.

Can CDR protect against the risk of increasingly complex file formats? File formats are allowing increasingly complex functions through embedded scripts, macros and programming designed to streamline workflows and boost productivity. For example, PDFs may contain elements including hyperlinks, media files, forms, Unicode characters and encrypted data.

This complexity allows users to be more productive, but also enables malicious actors to embed scripts and exploits that take advantage of the flaws in applications.

OPSWAT Deep CDR further enhances the security effectiveness of CDR by diving ‘deep’ into nested layers of compression and embedded objects, such as an Excel chart inside of a Word document that is embedded in a PDF that was delivered to your inbox zipped up into a single file.
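The three-step process and the nested-container handling described above, sketched as an added example (not OPSWAT's code or Deep CDR's algorithm): a ZIP-based file is checked against its magic bytes, rebuilt from an allow-list of part types and recursed into up to a depth limit, with every removal logged. The suffix lists, limits and sample names are assumptions, and real OOXML sanitisation must also rewrite content types and relationships.

```python
import io
import zipfile

MAX_DEPTH = 3                    # assumed recursion limit for nested containers
MAX_PART_BYTES = 10 * 1024 ** 2  # assumed per-part cap (decompression bombs)
ZIP_MAGIC = b"PK\x03\x04"
SAFE_SUFFIXES = (".xml", ".rels", ".txt", ".png")  # assumed passive parts
CONTAINER_SUFFIXES = (".zip", ".docx", ".xlsx", ".pptx")


def rebuild(name, data, audit, depth=0):
    """Return a rebuilt copy of a ZIP-based file, or None if it is rejected."""
    if depth > MAX_DEPTH:
        audit.append(("rejected", name, "recursion limit"))
        return None
    # Step 1: the content must really be what the extension claims.
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        audit.append(("rejected", name, "not a ZIP container"))
        return None
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            part, lower = f"{name}!{info.filename}", info.filename.lower()
            if info.file_size > MAX_PART_BYTES:
                audit.append(("removed", part, "over size cap"))
                continue
            body = src.read(info)
            if lower.endswith(CONTAINER_SUFFIXES):
                body = rebuild(part, body, audit, depth + 1)  # go 'deep'
                if body is None:
                    continue
            elif not lower.endswith(SAFE_SUFFIXES):
                audit.append(("removed", part, "not on allow-list"))
                continue
            # Step 2: only known-good parts are copied into a fresh container.
            dst.writestr(info.filename, body)
    audit.append(("rebuilt", name, f"depth {depth}"))
    return out.getvalue()


def make_zip(parts):
    """Build an in-memory ZIP from {name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for part_name, body in parts.items():
            z.writestr(part_name, body)
    return buf.getvalue()
```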

How to select a CDR technology

There are many CDR solutions available on the market today. How do you know which solution is best for your organisation? Below are key questions to ask during the evaluation process for a Content Disarm and Reconstruction solution.

1. What type of archive formats are supported?

Archives have become increasingly prevalent over the past couple of years to integrate and store multiple file types in a single volume. Ask to review the list of archives the CDR supports and check that you can control related features, such as the level of recursion. For example, if a PDF is embedded within a PowerPoint file, can the technology analyse and reconstruct both files?

2. How many file types are supported?

There are more than 5000 known file types. Ask how many file types the CDR supports, review evidence per file type and compare the list of file types to the ones your organisation uses.

3. Is usability preserved?

When you deal with files such as PowerPoint that include animation builds, or Excel where you want to preserve macro functionality, you need to ensure the rebuilt file will retain these capabilities. One way to test this is by processing a sample file as part of your evaluation process.

4. Does the CDR support comprehensive configurations to fit your use case?

Check to see if you can configure the embedded objects that should be removed/sanitised for each file type. Check that you can fine tune the sanitisation process as well as image quality, hyperlink handling, etc.

5. Can you create an audit trail?

For example, make sure the CDR records and logs which objects were removed and which objects were sanitised. Also find out if you can verify the integrity of an archive.

6. Can you deploy different policies for separate data channels?

For example, will the CDR allow you to retain an Excel macro for internal emails while removing it for external emails?

7. Which operating systems does the CDR support?

If your organisation supports both Windows and Linux, can the vendor support both?

8. What is the performance per file type?

Different file types should have different performance. Deploy the CDR technology and run some sample files, including large files and multi-level archives to verify that the CDR performance meets your organisation’s requirements.

9. How secure is the design?

Is a secure design pattern applied? How is the CDR engine protected? Is Secure SDLC (Software Development Lifecycle) implemented, enabling you to review a static analysis code review? Are third-party libraries used? Ask to review a CDR design architecture and challenge the design with questions about compromised CDR components.

10. Is the technology sustainable?

How many engineers are actively working on the CDR technology? Ask to see an organisation chart to validate the number of resources and their backgrounds. Ask to review their engineering QA procedures. Is the build process safe? Do they have a solution to prevent malware embedded into the build chain? What security certification does the vendor have?

11. How is the CDR technology tested?

Is there any third-party validation by a government agency or other independent organisations? Ask to see their pen test results. How big is the test data set? Ask to see true malware samples and zero-day attack samples. Ask to manually verify test data sets. Do they test with recent threats? Request a data set.

12. How easily does the CDR integrate with your current products?

Ask to review the REST API documentation.

13. Is the technology continuously updated?

Ask to see the release history for the past two quarters. Ask to see the product roadmap.

14. How quickly can they support a new file type?

There are 5000 file formats; how many can they support? Ask about specific file types you use in your organisation, including regional file types such as HWP or JTD.

15. Is the IP properly protected?

If the technology leverages third-party libraries, are they properly licensed? Ask to see the EULAs for the list of libraries or other supporting documents. Ask about any technology patents.

Altron CEO, Mteto Nyati, says the country has some of the best policies to curb cyber crime, but the problem is implementation. “At Altron Arrow, we have various cybersecurity solutions from top international suppliers around the world, including OPSWAT’s CDR and other solutions, to assist in cyber crime prevention and recovery.”


© Technews Publishing (Pty) Ltd. | All Rights Reserved.