By Dr. Simon Wiseman, CTO, Deep-Secure
Deep-Secure CTO Dr. Simon Wiseman explains how content threat removal, a transformative approach to boundary security, changes the game in the battle to keep business content threat-free and to solve the problem of weaponized business content.
Digital content (documents and images) informs and facilitates every aspect of business and commerce. Little wonder then that it is the cyber criminal’s preferred carrier for an ever-increasing range of threats and kit-built exploits. Indeed, from the very beginning, cybersecurity defenses have struggled to deal with the digital content threat.
Often portrayed as an arms race in which the criminals constantly have the upper hand, the response of the cybersecurity industry to this threat – attempt to detect the content threat or try to isolate the content itself – has been largely ineffective in the face of relentless attacks from highly skilled criminals using sophisticated zero-day techniques.
Detection-based anti-malware defenses have been easily breached using polymorphic viruses and fileless malware. Sandboxed detonation has been rendered irrelevant with evasion techniques built-in to off-the-shelf malware kits as standard. Even defenses in highly sensitive government systems that employ deep content inspection to try and detect weaponized business content struggle to deal with sophisticated attacks from cybercriminals.
Weaponized Business Content
The fundamental reason for the cybersecurity industry’s inability to offer its customers the levels of protection they might reasonably expect is that the cyber defenses of the last 25 years are all based around trying to detect the presence of malware or an exploit, and thus second-guess the attacker. However, the truth is that the attacker is always one step ahead of this type of detection-based approach. Take a look at this week’s (in fact any week’s) cybersecurity headlines. 99% of the successful exploits involve weaponized business content crossing the network boundary undetected, carried in the documents, PDFs, spreadsheets and images we all use every hour of every day.
The severity of the problem is escalating. Attackers are now employing against commercial targets the kind of sophisticated zero-day exploits that were hitherto the province of nation-state intelligence entities. They have taken evasion to new heights. They are using steganography to hide attacks, conceal command-and-control channels, and exfiltrate sensitive information stealthily. They are employing information-hiding techniques that render detection completely impossible.
Content Threat Removal
The key to addressing the problem is to get ahead of the attacker and give organizations the levels of protection from weaponized content they need. The solution lies in Content Threat Removal (CTR), a technology that doesn’t depend on detection to stop the threat.
CTR works by assuming that all data is unsafe. It doesn’t try to distinguish good from bad. Whatever information an attacker sends, it gets blocked. There’s no decision to make between safe and unsafe, so there’s nothing to get wrong. So how does this work, and how will the business get the information it needs?
Content threat removal transforms data using a technique called information extraction. This works by extracting the business information from the digital content received. The data carrying that information is then discarded, and new, safe data is created to carry the business information to its destination. This way the attacker cannot get in and the business gets what it needs. When it comes to the content threat, in terms of efficacy, this approach cannot be beaten. The security team is satisfied because the threat is removed. The business team is satisfied because they get the information they need.
Turning the tables on the Bad Guys
CTR removes threats concealed using polymorphism and steganography by intercepting all business content (documents and images), extracting the business information from it and creating brand new content for onward delivery. This approach is a game-changer when it comes to dealing with sophisticated and indeed undetectable attacks because nothing is trusted, everything is transformed and the threat is eliminated. It is the way to get ahead of the attackers and stay ahead, because it eliminates the threat and leaves no opportunity for evasion techniques.
Threats Concealed in Plain Sight
The real proof of content threat removal’s power is its ability to completely eliminate any threat concealed using image steganography. Steganography is the covert hiding of data within seemingly innocuous files. It’s a way of encoding a secret message inside another message, called the carrier, with only the intended recipient able to read it. Now Stegware, the weaponization of steganography by cyber attackers, is on the rise. It is offered by default in malware-as-a-service kits on the Dark Web. It has been used in malvertising campaigns to extort money from thousands of users and bring reputable news sites to their knees. It has been used in conjunction with social media websites to steal high-value financial assets concealed in seemingly innocuous images. Detection-based defenses cannot protect the business because steganography, done properly, is impossible to detect.
Content threat removal does not attempt to detect the threat. Image steganography works by hiding information in redundant parts of data. Content threat removal works by extracting useful information from data, and this process naturally leaves behind any information encoded in redundant data. Content threat removal defeats steganography by ignoring it.
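The extract-and-regenerate idea described in the two passages above (discard the received data, regenerate fresh data carrying only the visible information), shown on a least-significant-bit image payload. This is an added illustration, not Deep-Secure's code: the image is a constructed row of grayscale pixels, and `ctr_transform` stands in for a real re-rendering pipeline by keeping only each pixel's tone and synthesising a new low bit from it.

```python
from typing import Iterator, List

# Constructed sample "image": one row of 8-bit grayscale pixel values.
COVER: List[int] = [17, 22, 23, 23, 30, 44, 45, 60, 61, 61, 70, 99, 100, 101, 120, 121,
                    130, 131, 144, 150, 151, 152, 160, 177, 180, 181, 190, 200, 201, 202, 210, 255]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def lsb_hide(pixels: List[int], payload: bytes) -> List[int]:
    """Textbook LSB steganography: overwrite each pixel's low bit with one payload bit.
    The visible tone (the upper 7 bits) is untouched, so nothing looks different."""
    if len(payload) * 8 > len(pixels):
        raise ValueError("payload does not fit in the carrier")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_read(pixels: List[int], nbytes: int) -> bytes:
    """Recover `nbytes` bytes from the low bits; this is what the receiving malware would do."""
    out = bytearray()
    for j in range(nbytes):
        v = 0
        for k in range(8):
            v = (v << 1) | (pixels[j * 8 + k] & 1)
        out.append(v)
    return bytes(out)


def ctr_transform(pixels: List[int]) -> List[int]:
    """Simplified content threat removal for an image (assumption: the business information
    in a pixel is its tone, taken here as the upper 7 bits). The received bytes are never
    forwarded; a new pixel is built from the extracted tone, with the low bit re-derived
    from that tone rather than copied, so attacker-chosen low bits do not survive."""
    return [((p >> 1) << 1) | ((p >> 1) & 1) for p in pixels]


def max_visual_change(a: List[int], b: List[int]) -> int:
    """Largest per-pixel difference between two images (0 or 1 means imperceptible)."""
    return max(abs(x - y) for x, y in zip(a, b))
```

Run `lsb_read(ctr_transform(lsb_hide(COVER, b"key")), 3)` and the original `b"key"` is gone, while `max_visual_change` between the stego image and its transformed copy stays at 1.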
Cyber Security Transformed
In a report from May 2018 “Beyond Detection: 5 Core Security Patterns to Prevent Highly Evasive Attacks”, industry analysts Gartner pinpointed content transformation as an essential technique in defeating the threat posed by weaponized business content.
Integrated into a content threat removal platform and deployed across the email, web, and file-sharing boundaries, transformation delivers safe business content to users. As such, it will become the de facto way organizations ensure that content crossing the network boundary is 100% threat-free.
It is the only way to defeat all content threats, known, unknown/zero-day, and undetectable, without the need to understand or identify the threats and without isolating the business from the content it needs.
About the Author
Simon joined the Royal Signals and Radar Establishment (RSRE), a UK Ministry of Defence research establishment in Malvern, which became the Defence Research Agency (DRA), then the Defence Evaluation and Research Agency (DERA) before being privatized to become QinetiQ. He joined from QinetiQ in 2010, and his pioneering work has led to techniques for handling classified data with mainstream commercial software, the Domain Based Security method of risk assessment and techniques for combating the use of steganography.
Simon is responsible for the technical strategy at Deep-Secure, devising unique solutions to hard cybersecurity problems. He has pioneered work on the use of data transformation to defeat attacks in digital content culminating in the development of the Content Threat Removal (CTR) strategy, along with the products and services that bring it to market.