By John Stevenson | Blog

In 2018 the SANS Institute noted that 90% of unknown, undetected malware was delivered via the Web, and the threat landscape in 2019 looks no different. Deep Secure's John Stevenson looks at why attackers continue to outwit traditional Web security defences and argues that it's time for a rethink.

Dangerous Downloads

We all know that downloading documents and images from the internet is potentially dangerous, exposing the user to significant risk from attackers. A document download from the Web is an incredibly popular vector for cyber criminals to deliver malware and exploits, because it works. Just look at Emotet, one of the most notorious, active and successful pieces of malware ever seen. Emotet is successful for two reasons. Firstly, it is concealed in everyday business documents such as Word or Excel files, typically as a macro that fetches the real payload once the user enables content. Secondly, the attackers work full time on ensuring that defences are always playing catch-up, subtly mutating the lure documents and the payload so that they continually evade detection.

Uncertainty and Risk

The list of defensive tools and techniques being used to address this problem grows ever longer. Anti-virus at the gateway is the most established, but it is widely acknowledged that it struggles to detect malware concealed in documents: signature and heuristic scanning is looking for something it has seen before, and a malicious macro or embedded object can be re-obfuscated and re-packaged far faster than signatures can be written.

Sandboxing can be useful in quarantining suspect documents and running them, rather like a bomb squad performing a controlled explosion on a suspicious package. The problem here is that the bad guys have worked out how to identify when their malware-infected document is in a sandbox (checking for virtual machine artefacts, delaying execution, or waiting for real user interaction) and will lie low until the document has been declared safe. A further problem with sandboxing is that it introduces a lot of delay into the simple process of clicking on a document to download it, making it unpopular with users.

Some use browser isolation, whereby all browsing is performed "at arm's length", effectively inside a virtual machine or remote container separate from the physical host machine. On the face of it this looks like a great option, but as soon as someone wants to edit a document they are viewing within the isolated area, to "reach in" and grab it, you are back to trying to detect the presence of malware in that file, with all the attendant uncertainty and risk that accompanies that approach.

Time for a Rethink

It’s time to rethink how we defend. By that, I mean the fundamental paradigm we apply. At Deep Secure we’ve pioneered a zero-trust based paradigm born out of defending military data assets. This approach starts from the premise that since it is impossible to be certain that any given document does or doesn’t contain malware (the bad guys are just too good at hiding it) then the only way to be certain is to trust nothing and render everything safe by transforming it.

The transformation process involves extracting the useful business information from a document (the text, layout and images the user actually needs), discarding the original, and creating a brand-new document containing that information to give to the user. Anything that is not business information, such as macros, embedded objects, scripts and external references, is simply never carried across. This type of content threat removal delivers threat-free document downloads because none of the original downloaded digital file ever reaches the user or the endpoint. The one component that does touch the untrusted file is the extraction step itself, so that step has to be built and isolated on the assumption that it is processing hostile input.

Content Threat Removal

Content Threat Removal has benefits across the organization, from risk mitigation to user productivity. Most important of all, it takes the onus away from the defender to second-guess an attacker's next move and makes the Web a place where users can download documents with confidence.

For more information about Deep Secure Content Threat Removal for Web Gateways you can download the solution brief here.

- # -

John Stevenson is Head of Content and Communications at Deep Secure.
