Unlike models of malware elimination that precede it, Content Disarm and Reconstruction (CDR) deconstructs incoming files and inspect them for malicious components. After removing these components, it then rebuilds the files to create a fresh, clean version that goes through to the end-users on the network. In a time of mass phishing attacks, CDR is a great option for avoiding malware.
It does not need confirmation of malicious activity; it assumes that all files are potentially infected and needs to determine that no file has components not permitted under the organization's cybersecurity policy. Hence, it does not rely on detection. Instead, it uses a zero-trust approach to ensure that no unwanted file component escapes sanitization.
In some way, CDR works like a Secure Web Gateway. It inspects files to remove components that are not permitted by the organization’s cybersecurity policy, and not just malicious content.
CDR vs Other Technologies
Threat detection solutions, as do antiviruses and firewalls, rely on prior knowledge of existing threats to determine what to look for and mark as malicious. They are good for detecting known threats, but weak against zero-day attacks, which are increasing by the day.
VPNs are different, since legacy platforms like ExpessVPN and NordVPN are aimed at traffic data encryption, not malware detection. On the other hand, emerging and fast-growing platforms like Switcherry VPN and Hotspot Shield are focusing on strengthening their zero-trust framework by integrating next-gen technologies like software-defined perimeter and secure web gateway. This will be a major security upgrade in the future for combating zero-day attacks.
In general, the problem with legacy cybersecurity solutions is that they are signature-based and are always adapting to threats so are always at least a step behind attackers. CDR is a proactive solution: instead of detection, it focuses on threat prevention.
Since the limitation of anti-virus software became apparent, many alternatives have emerged including file conversion (which renders files unusable) and double conversion (which compromises the file as well as productivity). These challenges led to the development of true CDR.
1. Combating Advanced Malware Threats - CDR makes sandboxing redundant. In fact, many security organizations are rethinking sandboxing because of the rise of sandbox evasion. Many attackers have mastered the use of evasive techniques with sandbox-aware malware becoming increasingly popular. According to a study, about 98% of malware uses at least one evasion technique. Further, 32% of malware could be classified as ‘hyper-evasive’ as they used six or more evasion techniques.
Given that sandboxing is the primary technique used in traditional cybersecurity software, it is not hard to see why those alone cannot be relied upon. While sandboxing still holds its place, it requires integration with non-detection-based technologies to fight advanced malware threats.
2. Preventing Data Breaches - According to Verizon’s 2020 Data Breach Investigations Report, 22% of data breaches in 2019 involved phishing and despite a 6.6% reduction compared to the previous year’s figures, phishing is the top threat action variety in breaches. Phishers rely on embedding malicious content in various files and making them innocuous enough to evade detection.
CDR can be used to protect the organization’s endpoints, functioning as an email gateway that filters all incoming files before delivery into the intended recipient’s inbox. This greatly reduces the likelihood of phishing attacks since malicious content would not even reach the recipient at all and so cannot cause damage.
3. Eliminating Detection Errors - Detection-based cybersecurity tools are limited by human knowledge of current threats. Hence, they are helpless in the face of zero-day attacks.
Detection-based technologies require regular patch updates to secure systems against newly-discovered threats, but the period between patches is enough time for attackers to wreak havoc. It is a common practice for cyber-criminals to launch attacks just after a patch has been released, knowing that it would take several days or weeks until a new update, which may or may not fix the vulnerability.
Not to mention the fact that the occurrence of false-positive alerts by detection-based tools derails the discovery and containment of actual vulnerabilities and threats. CDR is an automatic system that carries out its work in the background and needs not even alert a human agent.
4. Balancing Security with Productivity - CDR aids productivity. Anti-virus and anti-malware software mark files as potentially malicious with the option of removal, but you can’t remove every file that is embedded with malicious components, certainly not when they are required for important and sensitive business operations. The resulting dilemma is how to determine which file to keep and which to remove.
CDR does not only solve this dilemma, but it also eliminates the need to even remove any file. Instead, you get clean copies of files, their unwanted components having been removed. The entire process is automatic, quick (could take less than a second), takes place in the background. Hence, it does not disrupt the pace of work.
File-based malware is a serious threat and incidents have been on the rise; CDR is an important need for organizations going forward since we have now recognized the limitations of detection-based technologies.