Delivering the CDR Promise
Traditional CDR is no longer up to scratch.
To be effective, it first has to find the code that needs to be removed, but code is not always obvious. Any data that is treated as code by the recipient, but is not recognised as code by CDR, gives the threat actor a way in. The code might also be embedded inside some other data, and to find it CDR must understand the data format that is holding it. And if the code is to be removed, CDR must understand that format well enough to reconstruct it.
Another problem is that the code the threat actor wants to run might not be in the file at all; it may already be on the target system. No amount of looking by the CDR will find it there. In this case, the attacker includes in the file some kind of reference to the code: a link, or the ID of a service that is to be run. The application that opens the file follows the reference and causes the code to run. To stop this, CDR has to find the references and understand how they work, removing unsafe ones and leaving safe ones to be delivered.
The Ethos of CDR is to Play it Safe
If CDR finds some data or reference in a file that it doesn’t understand, it must assume it is unsafe and remove it. This means files often need to be modified, not just those that contain some code. Generally, doing this is far more complex than the easy case of removing an executable attachment from an email, and the result is that the CDR process will often end up breaking the file. This leads to a bad user experience or, worse, it introduces a security risk that wasn’t there to start with.
The idea of CDR is to remove potentially unsafe content from files before they are delivered. But what makes data unsafe is determined by how the application handling it behaves in practice, not by how the file format specification suggests it should behave. The problem is that specifications invariably have a lot of options and obscure elements which are poorly understood, and it’s too hard to test applications completely. So faults and strange behaviour often arise when an application meets unusual data, even data that does follow the specification – usually this manifests itself as a random crash. However, when driven by an attacker, there’s scope for the failures to be directed to cause specific damage.
Pulling apart a complex file to find the code is a complicated process. Things like this generally go wrong, especially when a threat actor is trying to make them go wrong. It means that the CDR process itself is open to attack. The better CDR gets, by handling more file formats and doing a better job by digging deeper into the files, the more exposed it becomes. The defence becomes the target, and there’s nothing to defend it.
Conventional CDR
So conventional CDR is good, but it’s not easy to get right. And as a result, it can fail to deliver the security promise and can provide a poor user experience.
What’s needed is CDR that’s been engineered to eliminate these problems, and that’s what’s been done for Everfox CDR. Everfox CDR has the desired effect of conventional CDR, but it works differently. Instead of looking for unsafe data to be removed, it looks at the file to determine what information it is conveying. It then describes this information in a way that is easily assessed to confirm it does not contain anything unsafe. Then a completely new file is created that conveys the same information, discarding all the original data. In effect, Everfox CDR takes the extreme view that all data from a potential attacker is potentially unsafe, so it must all be thrown away.
When the new file is created, it is only built using normal, well-understood options. These are the options that are exercised by the user community on a daily basis, so they are known to work. That way, obscure vulnerabilities in the applications are avoided – the attacker has no way of exploiting them, as their data never reaches them.
Beyond CDR
Everfox Content Disarm & Reconstruction, like conventional CDR, has a difficult and complex job to do, but because it works differently it’s possible to avoid it becoming the target of an attack. Everfox CDR works in two phases – extract and build – and it’s the first phase that must handle data from a potential attacker and handle the complexities of the file formats. The build phase handles the much simpler internal description of the file’s information. It has a much smaller attack surface compared to the extract phase. By keeping the two parts separate, it’s possible to contain an attack against the extract phase – a successful attack here does not let the attacker in.
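As an added illustration, not Everfox code and not a description of how their product is implemented, here is a toy extract, verify and build pipeline in Python over a made-up JSON document format; the format, its field names and the whitelists are invented for this example. It shows the point made above and in the earlier paragraph on references: the build phase only ever sees the simple internal description, the unmodelled "macro" element and the non-https link never reach the output, and the new file uses one fixed layout whatever layout the input used.

```python
import json
import re
from collections import namedtuple

# Constructed input in a made-up JSON document format: real information (title, text,
# an https link) next to content the extractor does not model (a "macro" element, an
# unusual version number, a non-https link).
UNTRUSTED_FILE = json.dumps({
    "version": 9,
    "title": "Q3 summary",
    "paragraphs": [
        "Revenue grew 4%.",
        {"text": "Details in the appendix.", "href": "https://example.com/appendix"},
        {"text": "Archive copy.", "href": "file://server/share/archive"},
    ],
    "macro": {"autorun": True, "body": "opaque-bytes-here"},
}).encode()

DocInfo = namedtuple("DocInfo", "title paragraphs links")  # information only, never the original bytes
PRINTABLE = re.compile(r"^[\x20-\x7e]{1,200}$")  # plain printable ASCII only
SAFE_LINK = re.compile(r"^https://[A-Za-z0-9.-]+(/[A-Za-z0-9._~/-]*)?$")

def extract(raw: bytes) -> DocInfo:
    # Phase 1, the part that faces the attacker: parse the untrusted file and
    # pull out only the elements the description models; all else is ignored.
    doc = json.loads(raw)
    paras, links = [], []
    for item in doc.get("paragraphs", []):
        if isinstance(item, str):
            paras.append(item)
        elif isinstance(item, dict):
            paras.append(str(item.get("text", "")))
            if "href" in item:
                links.append(str(item["href"]))
    return DocInfo(str(doc.get("title", "")), tuple(paras), tuple(links))

def verify(info: DocInfo) -> DocInfo:
    # Check the simple description against a whitelist; anything that does
    # not match is treated as unsafe and dropped rather than passed on.
    title = info.title if PRINTABLE.match(info.title) else ""
    paras = tuple(p for p in info.paragraphs if PRINTABLE.match(p))
    links = tuple(u for u in info.links if SAFE_LINK.match(u))
    return DocInfo(title, paras, links)

def build(info: DocInfo) -> bytes:
    # Phase 2, which never sees the original: write a brand-new file using one
    # fixed, well-understood layout, whatever layout the input used.
    out = {"version": 1, "title": info.title,
           "paragraphs": list(info.paragraphs), "links": list(info.links)}
    return json.dumps(out, ensure_ascii=True, sort_keys=True).encode()
```

Running `build(verify(extract(UNTRUSTED_FILE)))` yields a file with version 1, the three paragraphs and only the https link; the "macro" element and the file:// reference are simply never described, so they cannot be carried across.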
Where the impact of a successful attack is high, it is even possible to remove the software attack surface completely, by independently verifying the validity of the internal description, and the protocols carrying it, using specialised hardware logic – the Everfox High Speed Verifier (HSV).
So, CDR is good, compared to detection-based defences, but to be truly effective it needs to be implemented right.
Everfox CDR goes beyond conventional CDR, delivering unsurpassed security and user experience, because it is implemented right.
How Can Everfox Help?
At Everfox, we provide preventative solutions that defend against the most sophisticated cyberattacks. Our unique approach adds an advanced layer of security against even the most sophisticated cyber threats. The Everfox CDR solution protects networks, data and users from malicious content. Rather than trying to detect malware, it assumes nothing can be trusted. It works by extracting the valid business information from files (either discarding or storing the originals), verifying that the extracted information is well-structured, and then building new, fully functional files to carry the information to its destination.
Everfox Threat Protection Solutions are a game-changer for mitigating the threat of even the most advanced Zero Day attacks.
Ready to Go Beyond CDR?
Zero Day attacks are challenging in the cybersecurity landscape. However, by prioritizing prevention over detection, you can reduce the risk of these attacks causing significant harm. Discover how Everfox is transforming Threat Protection Solutions with high-assurance cybersecurity. Download my whitepaper, 'Beyond CDR to Everfox CDR', to explore how we're redefining secure data sharing in high-threat environments.
Dr Simon Wiseman
Chief Technology Officer (CTO)
Dr Simon Wiseman joined Everfox from the Deep Secure acquisition in 2021 and brings over thirty years of experience in Government computer security. He is responsible for the technical strategy of Everfox high-assurance cross domain and threat protection solutions. Simon devises unique solutions to hard cybersecurity problems. He has pioneered work on the use of data transformation to defeat attacks in digital content, and engineers products and services to bring these innovative solutions to market.