Content disarm and reconstruction technology essentially shifts the focus from file-based malware detection to prevention by applying a zero-trust framework to data.
From the time the Russian invasion of Ukraine began on Feb. 24, cybersecurity has been top of mind for government agencies at every level – federal, state and local.
In March the White House issued a statement by President Joe Biden warning of potential cyberattacks backed by the Russian government and targeted at U.S. public- and private-sector organizations. The Cybersecurity and Infrastructure Security Agency, for its part, issued a rare Shields Up warning about potential cyberattacks from Russia, advising that “every organization – large and small – must be prepared to respond to disruptive cyber incidents.”
File-based cyber disruption
Among the most chilling forms of cyberattack perpetrated by Russia-backed threat actors is wiper malware.
Wipers are often file-based attacks in which the attacker entices users to open common filetypes such as .DOCX and .PDF. When the document is opened, it runs a macro that installs a digitally signed binary that rewrites the master boot record – destroying all data on the drive. A wiper can corrupt the master boot record and erase all data on an infected hard drive -- a nightmare scenario for any organization.
In the runup to Russia’s invasion of Ukraine, threat actors targeted Ukrainian enterprises and government agencies with multiple wiper attacks. These included HermeticWiper, which manipulates the master boot record and results in a boot failure. WhisperGate not only corrupts the master boot record and encrypts files but also displays a ransomware message. Affected files are unrecoverable, however, even if the ransom is paid.
CISA warns that even if the cyberattacks in Ukraine aren’t targeted at other nations, they can easily spill over and circulate around the world. A likely way that will occur is through phishing campaigns. In fact, more than 90% of successful cyberattacks begin with a phishing email.
Safer content through CDR
Security-focused organizations like CISA and the FBI recommend practical steps to mitigate against file-based attacks. These include turning on strong spam filters to prevent phishing emails from reaching employees and configuring antivirus software to perform frequent scans to protect against known malware signatures.
Content disarm and reconstruction (CDR) technology offers an important additional layer of defense that can safeguard agencies against file-based malware. It works by deconstructing and reconstructing files as they traverse the network in real time.
The technology starts by extracting only the valid business information from a file. It then builds an entirely new, fully functional and malware-free file to carry the information to its destination. The original file, along with any malware it might have contained, can be quarantined or simply discarded.
CDR performs this step on all files -- from Microsoft 365 documents and images to web application data -- whether or not they contain known or unknown threats. In this way, it always delivers content that’s safe, even from zero-day threats. CDR protects against attacks in email, webmail, web browsing, web downloads, web applications, file uploads, filesharing and social media.
CDR shifts the focus from file-based malware detection to prevention. Rather than trying to sniff out any malware concealed in the volumes of data traversing an agency network, CDR assumes that all transmitted data is potentially dangerous. This approach to CDR essentially applies a zero trust framework to data.
It’s important to note that not every form of CDR takes this zero trust approach. Some CDR solutions only detect and remove known exploits and executables, or they only detect and repair known malformed structures. A more secure strategy is to never trust any file, never deliver executable code and deliver only straightforward structures. Zero trust CDR rebuilds and safely delivers every file, every time.
Government organizations -- even smaller state and local agencies -- are beginning to recognize that it’s not a matter of if, but when, they’ll face a cyberattack. It’s likewise no longer a matter of if, but when, such an attack will involve file-based malware.
Cybersecurity basics like strong spam filters and frequent AV scans are a necessary part of good cyber hygiene. But as government agencies face heightened risk of sophisticated attacks from dangerous threat actors such as adversarial nations, zero trust CDR offers greater assurance of protection. With CDR technology, users and agencies can feel more confident they are safeguarded against file-based attacks.