By Dr Simon Wiseman | Blog

In the world of physical security, a variety of techniques are used to protect us against unsafe or undesirable content. These aim to detect explosives or contraband so the threat can be removed. Similar techniques can be applied in the cyber world. But how well do they stack up and can new zero trust security models help turn the tables on the bad guys?

Deep Secure CTO Dr Simon Wiseman investigates.

The X-Ray Scanner

In the physical world, objects are scanned at the airport by operators looking for patterns of known unsafe content, such as weapons and drugs. The cyber equivalent is anti-virus scanning. Here a file is scanned, matching the bytes inside it against a database of patterns that uniquely identify malware. The problem with applying this technique to the cyber world is that scanning is limited to detecting unsafe content whose nature is known. Malware that’s entirely new will not match any pattern in the database and so won’t be stopped.

The Controlled Explosion

In the physical world, robots can be used to open up suspect baggage to see if it detonates, while the general public are kept well back. In cyber space the equivalent process is called sandboxed detonation. A suspicious file is opened up, and the resulting behaviour is monitored. If there are any unsafe or unusual actions, then the content is deemed unsafe. If all looks good, the content is deemed safe and allowed to continue its journey. The problem here is that the canny attacker can simply craft the exploit to not do anything odd while in the sandbox – for example, it can wait for certain user interactions to take place before triggering.

Sanitisation

In the physical world, the airport scanning process looks for unsafe content, but in many cases if something is found the passenger is not prevented from boarding. Often, the offending object - such as a bottle of water - is removed and discarded with no further investigation. The cyber space equivalent is called Content Disarm and Reconstruct (CDR). Here a file is dismantled into discrete data components and these are checked against a database of parts that are known to have the potential to be unsafe. Once all potentially unsafe parts have been discarded, CDR re-assembles the remaining parts to form a new file that’s as close to the original as possible, given some bits are missing. The problem here is that CDR is a detection technology. It can only stop attacks that rely on parts which are known to be potentially unsafe. Attacks that rely only on parts thought to be safe will get through.

Replacement

There’s another form of physical security that’s used only in very special circumstances, where the risk posed by something potentially hazardous is so great that it is simply not allowed in. For example, in a factory where the product must be assembled in a clean room, the technicians are required to change from their normal clothes into special suits. This is because their clothes cannot be inspected or cleaned to the required standard. This is a zero trust approach in which something that has the potential to be unsafe is replaced with something that’s equivalent, but which is known to be safe. In cyber space the equivalent to this zero trust approach is Content Threat Removal (CTR).

Zero Trust Security

CTR takes a file and extracts the business content from it, for example the text, layout and styling. Anything that does not have known and understood behaviour is ignored – for example, code and scripts in the file are not examined, because it is invariably impossible to determine what such things do under all circumstances. The result of the examination is a description of what makes the file unique. Once this description has been created, the original file is discarded. In its place a new file is created, one that exactly meets the description of the original. This is known to be safe, because it is built from new known parts and does not contain any parts from the original file. It is this safe file that is passed to the user.
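To make the difference between the CDR approach described under Sanitisation and the CTR approach described here concrete, the following Python is an added illustration; it is not Deep Secure's code and does not model any real file format. A document is modelled as a list of typed parts, and the part types, field names and the sample document are all assumptions constructed for the example. CDR is modelled as a blocklist over part types; CTR is modelled as a description schema of understood content from which a fresh document is built. The sample deliberately contains a part of a type that neither list knows about, so the two behaviours diverge on it.

```python
"""Toy comparison of CDR (drop known-unsafe parts) and CTR (rebuild from a
description of understood content). The document model, part types and
sample are constructed for this illustration and are not a real format."""
from copy import deepcopy

# Constructed sample document. 'macro' and 'embedded_exe' stand for parts
# known to be potentially unsafe; 'new_ext' stands for a part type that
# nobody has classified yet; the 'payload' field on the second text part
# stands for a field the format does not define.
SAMPLE_DOC = [
    {"type": "text", "value": "Quarterly report", "style": "heading"},
    {"type": "layout", "page": "A4", "margins_mm": 20},
    {"type": "text", "value": "Revenue grew 4%.", "style": "body",
     "payload": "opaque-bytes-the-format-does-not-define"},
    {"type": "macro", "code": "AutoOpen()"},
    {"type": "embedded_exe", "blob": "MZ..."},
    {"type": "new_ext", "blob": "??"},
]

# --- CDR: detection against a database of known potentially-unsafe parts ---
KNOWN_UNSAFE_TYPES = {"macro", "embedded_exe", "ole_object"}  # assumed list


def cdr(doc):
    """Dismantle, discard parts whose type is in the unsafe database,
    re-assemble the rest verbatim. Anything not in the database, including
    a part of unknown type and undefined fields, is kept as-is."""
    parts = deepcopy(doc)  # work on a copy so the caller's object is untouched
    return [p for p in parts if p["type"] not in KNOWN_UNSAFE_TYPES]


# --- CTR: describe understood content, discard original, rebuild ----------
# The schema states exactly which part types and which fields (with their
# expected Python types) are understood business content. Nothing outside
# it is ever examined or copied.
DESCRIPTION_SCHEMA = {
    "text": {"value": str, "style": str},
    "layout": {"page": str, "margins_mm": int},
}


def describe(doc):
    """Extract a description containing only understood fields."""
    description = []
    for part in doc:
        fields = DESCRIPTION_SCHEMA.get(part["type"])
        if fields is None:
            continue  # behaviour not understood, so the part is ignored
        entry = {"type": part["type"]}
        for name, expected in fields.items():
            value = part.get(name)
            if isinstance(value, expected):
                entry[name] = value
            # a missing or wrongly-typed field is simply not described
        description.append(entry)
    return description


def rebuild(description):
    """Build a brand-new document from the description alone. The new parts
    are fresh objects; no object from the original document is reused."""
    return [dict(entry) for entry in description]


def ctr(doc):
    description = describe(doc)
    # The original document is not referenced past this point.
    return rebuild(description)


def part_types(doc):
    """Helper for inspecting results: the sequence of part types."""
    return [p["type"] for p in doc]


if __name__ == "__main__":
    print("CDR kept:", part_types(cdr(SAMPLE_DOC)))
    print("CTR built:", part_types(ctr(SAMPLE_DOC)))
```

Running it shows CDR keeping the unclassified `new_ext` part and the undefined `payload` field, because neither is in its database, whereas CTR's output holds only the three described parts with only the schema's fields.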

Crucially, Deep Secure CTR applies this zero-trust security approach to every file, ensuring that the content presented to the user is always 100% threat-free and delivering true protection against all known - and unknown - document-based malware.

