The modern digital world is all about information sharing.
You either need to access data, perhaps by downloading a product datasheet, or you need to receive it, such as a spreadsheet from a coworker. Either way, you want that data, or at least the information it is carrying.
But data isn’t always safe to handle, and it can be a malicious world out there. By downloading or receiving data, organizations run the risk of letting something bad in: what looks like desirable or safe data might be hiding an attack. That’s what a Trojan Horse attack is. In the original story, the Trojans defending the city liked the look of the wooden horse the Greeks had left behind, so they brought it in. What they didn’t want, and didn’t know about, was the Greek soldiers hiding inside.
In today’s digital world that unwanted visitor might be malware – software written for malicious purposes – or it might be data that causes your system to malfunction in an unsafe way, which is the basis of living off the land attacks.
Anti-Malware Scanning
The entry level defence against this kind of attack is “anti-malware scanning”, where defences look for traces of data that are characteristic of known attacks. If they don’t find any previously seen code, anti-malware scanning assumes that the data is OK to let into your network. That is acceptable for defending against known attacks, but not good if the attack is new.
“Zero-days exploited in wild jumped 50% in 2023.” – Google Researchers
Sandboxing
The next level of defense is “sandboxing”, which opens the data in a safe environment to see whether it performs any unwanted actions. If no apparent bad behaviour is seen, it is assumed that the data is OK and it is let into your network. Sandboxing catches new, previously unseen malware that triggers automatically. However, it is not effective against sophisticated malware that hides its behaviour when run in a sandbox.
Content Disarm & Reconstruction (CDR)
Beyond traditional cybersecurity solutions, the next level of defense organizations can employ is “CDR”. Content Disarm and Reconstruction breaks all incoming data down into its main components and removes any executable code. CDR defenses make no judgement as to whether any code is safe or unsafe: it is all removed. This works against new or sophisticated malware. However, most CDR solutions do not find unknown unsafe data elements, so living off the land attacks may still pass through.
These are highly complex, serious attacks, which in some cases may be a risk an organisation can live with. For organizations such as governments and critical industries, however, those risks must be stopped. They are not going to be comforted by a defence that works except when faced by expert attackers.
High-Assurance Cyber Solutions
Facing hundreds of sophisticated and targeted attacks daily, global governments, financial services and critical industries need a break. Specifically, a data break.
This requires a defence that goes beyond traditional CDR, not just dismantling data into its main components but taking it down to its atomic level. The idea of a data break is that none of the original data is ever delivered to the protected system. Instead, new data that behaves exactly like the original is built and delivered. This means that if the original data did contain anything unsafe or malicious, it is left behind and is not delivered with the new data. For example, a macro-enabled word processing document is turned into an ordinary document that can be viewed and edited just like the original, but there are no macros to run.
Like all cyber defenses, a data break needs to be tested, and there are two things we need to be sure of:
- The first is that the new file presented behaves the same as the original. Organizations don’t want bits of a document or presentation to go missing or get corrupted. That is easily tested, using lots of sample data harvested from the web.
- The second is more difficult to test. We need the data break to eliminate all malware and unsafe data, but we don’t know what that is. We can easily test that it works in the obvious cases, like removing macros or external links, but not where it is some living off the land oddity that has never been seen before.
The Data Break
Living off the land attacks rely on odd behaviour in applications, driven by abnormal bits of data. Normal data doesn’t cause problems, and we know that because it is tested endlessly by the application’s large user base. The trick, then, is to make sure the data break creates normal data; that way we gain all the testing done by those users. We first need to know what’s normal. Generally the file format specification tells you that, and when an application saves a new file the result is invariably normal, so test cases can be generated. Then we just need to test for normality, and that’s the Everfox way.
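To make the two ideas above concrete (rebuilding a file from extracted information so that nothing original is delivered, then testing the result for normality), here is a toy data break over a docx-like zip container. This is an added illustration written for this page, not Everfox code and not a description of how Everfox CDR is built. The sample package, the macro part, the external-link relationship and the allow-lists are all constructed inline, and the package parts are deliberately minimal compared with a real OOXML file.

```python
"""Toy 'data break' over a docx-like zip container (added example, not Everfox code).
The package parts and allow-lists below are constructed and deliberately minimal."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# What "normal" output looks like here: the only parts and elements we ever emit.
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml"}
ALLOWED_TAGS = {"document", "body", "p", "r", "t"}

CONTENT_TYPES = (
    f'<Types xmlns="{CT_NS}"><Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
PACKAGE_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.'
    'openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
    'Target="word/document.xml"/></Relationships>'
)


def build_sample_docx() -> bytes:
    """Constructed input: two text paragraphs plus a macro part and an external link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", PACKAGE_RELS)
        z.writestr(
            "word/document.xml",
            f'<w:document xmlns:w="{W_NS}"><w:body>'
            "<w:p><w:r><w:t>Quarterly figures</w:t></w:r></w:p>"
            "<w:p><w:r><w:t>Total: 42</w:t></w:r></w:p></w:body></w:document>",
        )
        # Constructed stand-ins for the parts a data break must leave behind.
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED-MACRO-PLACEHOLDER")
        z.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId9" Type="http://schemas.'
            'openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/link" TargetMode="External"/></Relationships>',
        )
    return buf.getvalue()


def part_names(package: bytes) -> list[str]:
    """Sorted list of the parts inside a package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(z.namelist())


def extract_paragraphs(package: bytes) -> list[str]:
    """Pull out only the information we want to keep: the text of each paragraph.
    No original bytes, unknown parts or attributes survive this step."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
            for p in root.iter(f"{{{W_NS}}}p")]


def rebuild_docx(paragraphs: list[str]) -> bytes:
    """Build a brand-new package from the extracted information alone."""
    ET.register_namespace("w", W_NS)
    doc = ET.Element(f"{{{W_NS}}}document")
    body = ET.SubElement(doc, f"{{{W_NS}}}body")
    for text in paragraphs:
        run = ET.SubElement(ET.SubElement(body, f"{{{W_NS}}}p"), f"{{{W_NS}}}r")
        ET.SubElement(run, f"{{{W_NS}}}t").text = text
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", PACKAGE_RELS)
        z.writestr("word/document.xml", ET.tostring(doc, encoding="unicode"))
    return out.getvalue()


def check_normal(package: bytes) -> list[str]:
    """Normality test: only expected parts, only expected elements, no external targets."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        problems += [f"unexpected part: {n}" for n in sorted(names - ALLOWED_PARTS)]
        if "word/document.xml" in names:
            for el in ET.fromstring(z.read("word/document.xml")).iter():
                if el.tag.rsplit("}", 1)[-1] not in ALLOWED_TAGS:
                    problems.append(f"unexpected element: {el.tag}")
        for name in sorted(names):
            if name.endswith(".rels") and b'TargetMode="External"' in z.read(name):
                problems.append(f"external link in {name}")
    return problems


def data_break(original: bytes) -> bytes:
    """Extract, rebuild, then verify the rebuilt file is normal before releasing it."""
    rebuilt = rebuild_docx(extract_paragraphs(original))
    problems = check_normal(rebuilt)
    if problems:
        raise ValueError("rebuilt file failed normality check: " + "; ".join(problems))
    return rebuilt


if __name__ == "__main__":
    original = build_sample_docx()
    print("original fails normality:", check_normal(original))
    safe = data_break(original)
    print("rebuilt parts:", part_names(safe))
    print("rebuilt text:", extract_paragraphs(safe))
```

The point of the structure is that `rebuild_docx` never reads the original package at all; it only sees the paragraph list that `extract_paragraphs` chose to keep, so the macro part and the external relationship cannot ride along. `check_normal` is the testable half: it is deliberately written against an allow-list derived from what the rebuilder emits, so it fails loudly on the constructed input and passes on the rebuilt output without ever having to recognise a particular attack.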
Everfox Content Disarm and Reconstruction (CDR)
It’s not just CDR, but CDR that truly doesn’t trust any data: a true implementation of zero trust. Everfox CDR takes files apart to the atomic level and produces new files that are completely normal and fully revisable, in near real time. All of this is testable, giving confidence that users receive files that are safe and not corrupted.
“Ultimately, we chose Everfox CDR because of its reputation and the elegant simplicity of its solution.” – Paul Martin, Director, ALTA Registry
Everfox Threat Protection Solutions take additional steps to ensure data is safe: stopping data from reaching applications, preventing vulnerabilities from being triggered, and stopping attackers from potentially inducing undesirable interactions with the wider environment.
Further, the Everfox approach means that its implementation can be closely integrated with a protocol break implemented in hardware logic, to produce a high-assurance, high-performance defence.
Dr Simon Wiseman
Chief Technology Officer (CTO)
Dr Simon Wiseman joined Everfox from the Deep Secure acquisition in 2021 and brings over thirty years of experience in Government computer security. He is responsible for the technical strategy of Everfox high-assurance cross domain and threat protection solutions, and devises unique solutions to hard cybersecurity problems. He has pioneered work on the use of data transformation to defeat attacks in digital content, and engineers products and services to bring these innovative solutions to market.