For years I have been asked by reporters about data breaches as they made the news. We “pundits” had pre-fabricated responses for everything. The story says that an IT administrator had misconfigured a system. The pundit opens up the toolbox, takes a look, and tells the reporter that the solution is to get more sleep and eat breakfast to help with concentration. Unlike many potential responses, at least that one is actionable.

Here are a few more responses from the pundit’s bible:

• A user was phished = User education and multi-factor authentication.
• The company was using an outdated operating system = Take the damned honeypot off of the corporate network.
• On average, malware stays undetected in an enterprise for 200 days to 200 hundred years = Use quality anti-malware, network segmentation, IDS, IPS, EDR. SIEM, Advil.
• A known vulnerability, for which a patch existed, was exploited. Let’s all say this together… Patch, Patch, Patch!!!

In one of my all-time favorite LinkedIn posts, long-time security veteran Greg Thompson said “Argh! If I hear Randy another security pundit tell the world that we have to get better and faster at patching….isn’t it about time we throw in the towel and admit that staying on top of patching is not sustainable or even possible – especially for large complex organizations? We’re at a crossroads and we need to re-think how we control/manage vulnerabilities… And I’m afraid the answer isn’t patch and pray!”

Take notice. Greg DID NOT say patch management, he talked about managing and controlling vulnerabilities. But, what does that mean? First and foremost, it means stopping exploits from reaching vulnerable applications. Least user privilege, network segmentation, etc. can sometimes do this, but those types of approaches are more about damage control when the inevitable happens. That’s important too. But to prevent exploits from reaching vulnerable applications we need to understand how exploits are being delivered. UPS? DHL? USPS, stork? No, mostly through email attachments. According to multiple sources, roughly 90% of malware is delivered through email. Attachments such as PDFs, Word Documents, and Excel spreadsheets are the most common delivery mechanisms for malware, including zero-day and known exploits. Block the malware from reaching the victim application and you are effectively managing vulnerabilities. Patching is still important, but patching is reactive and leaves a window of vulnerability.

Content disarm and reconstruction is a highly effective means of virtually shutting down the email attack vector. It is important to understand that CDR is content agnostic. CDR is effective against unknown malware and exploits because everything is assumed to be malicious. Detection is irrelevant.

Here’s how CDR works when an email hits the server:

CDR assumes that every picture in the universe, except those of LOLCats, contains steganography. Malware sometimes uses steganography for covert payload delivery and covert communications. If there are pictures in the email, they are processed as follows. All pictures, without exception, are sanitized. Sanitized is the term for objects processed with CDR. Sanitized does not mean the object wasn’t clean before processing. Badness isn’t detected. Goodness isn’t detected. Existence is detected, and that’s enough evidence to assume extreme danger.

Hyperlink is short for hyper-dangerous link. Fine, I made that up, but the role of hyperlinks in phishing attacks is so common and effective that they have spawned a multi-billion dollar user security awareness education industry. Hyperlinks are also sanitized before the email reaches the recipient. Links in emails may be removed, unlinked, routed through a link scanner, or other custom actions may be used with a properly designed system.

Now onto documents and other files. Whether in email or across a network, supported filetypes are sanitized, even if they have used copious amounts of hand sanitizer and are wearing filemasks. The exploit and malware containers of choice are Office documents, PDFs, and zip files.

Content disarm is relatively easy. It’s the reconstruction that is the difficult challenge. To give an extreme example, an email with a picture, a hyperlink, and a zip file containing multiple levels and types of embedded objects hits the email server. The zip file contains a PDF an image, and a Word document. The PDF has scripts within it. The document has pictures, an embedded PowerPoint Presentation, a CAD drawing, and a spreadsheet. Of course, the spreadsheet has macros and links to external objects. CDR must recursively sanitize every file no matter how deeply embedded. Finally the entire blob is reconstructed until the email that was torn asunder has been reconstructed and delivered to the user’s inbox… prior to being misdetected as spam and filed as such. That’s not CDRs fault.

There is a plethora of products that attempt to protect unpatched systems, however few are as versatile and effective as CDR. Think about BYOD and unmanaged devices. Regardless of what applications you may or may not be able to put in these devices, corporate email typically comes via corporate servers. CDR is usually deployed at the server level. Email is sanitized before reaching unmanaged devices. Files uploaded to corporate servers can also be sanitized in transit.

Vulnerability scanners are extremely important as part of a layered vulnerability management and remediation defense system. Asset management is important. You don’t know what you don’t know, ya know? You’ve got to identify vulnerable assets.

CDR can be deployed for email servers, web traffic, and network file transfer. CDR can be deployed on kiosks which are often used to scan files that must traverse an air-gapped network. If you are accepting file uploads from vendors, then you definitely want to deploy CDR inline with those uploads. These vendors are supply chain, not that supply chain has ever been a problem 😊

While CDR can be deployed in various locations, email is likely to be your broadest attack surface. Rein it in.

In closing, patching is still critical whenever possible and as expeditiously as possible, but seriously consider deploying CDR.

Randy Abrams
Senior Security Analyst
SecureIQLab