By Dr Simon Wiseman | Blog

With the news that Mitsubishi Electric has been breached by criminals taking advantage of a zero-day exploit in its anti-malware software, Dr Simon Wiseman, CTO of Deep Secure, asks what lessons can be learnt and how best to protect a cybersecurity defence itself from a determined attacker.

Mitsubishi Electric says cybercriminals have taken advantage of a zero-day in its anti-malware software, prior to the vendor issuing a patch. Details of what was stolen are still unclear but are thought to include email messages between the company and the Japanese Defense Ministry and Nuclear Regulation Authority, as well as documents relating to projects with firms such as utilities, railways and automakers plus the personal data of more than 8,000 people.

The criminals' use of a vulnerability in anti-malware software to attack a target raises important questions about both the efficacy of signature-based anti-malware and how best to secure the defence itself from being exploited.

Can I Be Sure My Malware Detection Defence Can’t Be Exploited?

You can’t be sure. Looking for malware means handling the complex protocols and data formats that make up the modern world. Applications struggle to cope with this functionality, which is where vulnerabilities creep in. But the same problem faces security software that goes looking for malware.

Detection-based anti-malware must match the data bytes in a file against the long list of signatures that identify known malware. But simple detection-based anti-malware is defeated by the way complex applications operate. To remain effective, it must dig deeper into the file data before it can check for signatures, and so it becomes vulnerable to mistakes made when handling the complexities. One easy example: to look for macros in a Microsoft Office document, the defence has no option but to open up the complex file structures, which leaves the checker itself exposed.

So, if you can’t know whether your malware detection software can be compromised, what can you do? The answer lies in adopting a zero-trust cyber security defence that is not based on trying to detect malware but on eliminating it.

Zero Trust Cyber Security

With a cybersecurity defence based on zero trust, the focus moves to treating everything as dangerous. As regards malware, data can only be trusted if it is built by software that can be trusted, so data received from the outside world can never be delivered. Instead, the information carried by received data must be extracted and new data built to carry it forward.

Instead of checking data for malware, we now have a two-step process. First, information is extracted from the original data; second, new data is built to carry the information. The first step handles complex data supplied by potential attackers, and so is not to be trusted. But the second step handles the extracted information, which is in a much simpler form, making it possible to trust the software. In addition, it becomes possible to independently verify that the information is structured as expected, to make sure the build software only gets what it can handle safely.

That means every piece of data is rendered totally safe by extracting valid business information (for example, extracting just the necessary words and formats from a Word document) from it and delivering new data that means the same, instead of trying to detect what is bad in the original. The process works by ‘transforming’ all data into something new that’s known to be safe.

Deep Secure’s Threat Removal Platform uses this “extract, verify, build” approach. It trusts nothing. Everything is transformed. There’s no attempt to detect malware: the software isn’t trying to understand all the complex ways malware could exploit the data formats and protocols, but prevents all malware attacks by ensuring there’s no need to deliver the unsafe data. There are two advantages. First, it defends against unknown malware; second, it defends itself against malware which attacks it, which seems to be how Mitsubishi was breached.

Hardsec – Defending the Defence!

The extract-verify-build process makes it possible to trust the defence. The extract step handles the complex data that’s likely to hide malware, but it isn’t trusted to handle this correctly. If it falls victim to malware, the verify step will stop damage spreading to the build step. But suppose there’s a common fault in the implementation of the verify and build software. A sophisticated attack could now exploit this to spread from one step to the next. Unlikely, but not impossible. And for some applications, nothing short of impossible is acceptable. In these cases the only answer is to replace the software by hardware logic, an approach called Hardsec.
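The following is an added example illustrating the two-step transform described under Zero Trust Cyber Security and the isolation role of the verify step described just above; it is not Deep Secure's code and does not model any real document format. It uses a hypothetical, constructed JSON-based "document" container carrying a title, paragraphs and arbitrary extra keys (macros, embedded blobs) standing in for active content. The untrusted `extract` step parses that container; `verify` checks the result against a strict allow-list schema and never touches the original bytes; `build` constructs brand-new plain-text output from the verified information only. A constructed `compromised_extract` shows what happens if the extract step has been subverted and hands the pipeline something it should not: verify rejects it, so build is never reached.

```python
"""Toy extract-verify-build (transform) pipeline.

The container format, limits and sample documents are all constructed
for this illustration; nothing here is a real product API.
"""
import json
import re
from dataclasses import dataclass

# Constructed untrusted input: a hypothetical container format with
# business content plus keys that stand in for active/embedded content.
SAMPLE_DOC = json.dumps({
    "title": "Quarterly report",
    "paragraphs": ["Revenue grew.", "Costs fell."],
    "macros": ["AutoOpen: Shell(...)"],   # constructed stand-in for active content
    "embedded": {"blob": "AAAA..."},      # constructed stand-in for an embedded object
}).encode()

# Policy for the intermediate representation (constructed limits).
MAX_TITLE = 200
MAX_PARAS = 1000
MAX_PARA_LEN = 10_000
SAFE_TEXT = re.compile(r"[\x20-\x7e\n]*")  # printable ASCII plus newline only


@dataclass(frozen=True)
class Info:
    """The only thing the build step is ever given."""
    title: str
    paragraphs: tuple


class VerifyError(ValueError):
    pass


def extract(raw: bytes) -> dict:
    """UNTRUSTED step: parses the complex input format.

    Assume this code can be buggy or fully compromised by the input.
    Its return value is an untyped dict that nothing downstream trusts.
    """
    doc = json.loads(raw)
    return {"title": doc.get("title"), "paragraphs": doc.get("paragraphs")}


def verify(candidate) -> Info:
    """Simple, independently checkable step: allow-list the shape of the info.

    It never sees the original bytes, only what extract produced, and it
    accepts only exactly the fields, types, sizes and characters the
    build step is designed to handle.
    """
    if type(candidate) is not dict or set(candidate) != {"title", "paragraphs"}:
        raise VerifyError("unexpected structure")
    title = candidate["title"]
    paras = candidate["paragraphs"]
    # type(...) is str (not isinstance) rejects str subclasses as well.
    if type(title) is not str or len(title) > MAX_TITLE or not SAFE_TEXT.fullmatch(title):
        raise VerifyError("bad title")
    if type(paras) is not list or len(paras) > MAX_PARAS:
        raise VerifyError("bad paragraph list")
    for p in paras:
        if type(p) is not str or len(p) > MAX_PARA_LEN or not SAFE_TEXT.fullmatch(p):
            raise VerifyError("bad paragraph")
    return Info(title=title, paragraphs=tuple(paras))


def build(info: Info) -> bytes:
    """Trusted step: emits freshly constructed output from verified info only."""
    lines = [info.title, "=" * len(info.title), ""]
    lines.extend(info.paragraphs)
    return ("\n".join(lines) + "\n").encode("ascii")


def transform(raw: bytes, extractor=extract) -> bytes:
    """Full pipeline; the extractor is pluggable so a subverted one can be simulated."""
    return build(verify(extractor(raw)))


def compromised_extract(raw: bytes) -> dict:
    """Constructed simulation of an extract step that has been subverted:
    it tries to smuggle an extra field and a non-printable payload forward."""
    return {"title": "Quarterly report", "paragraphs": ["ok\x00\x01"], "payload": raw}


def is_rejected(raw: bytes, extractor=extract) -> bool:
    """True if the verify step stops this input before build runs."""
    try:
        transform(raw, extractor)
    except VerifyError:
        return True
    return False


if __name__ == "__main__":
    print(transform(SAMPLE_DOC).decode())
    print("compromised extractor rejected:", is_rejected(SAMPLE_DOC, compromised_extract))
```

The design point is the one the text makes: `verify` is small enough to review line by line and expresses a positive allow-list (exact key set, exact types, length and character bounds), so a fault or compromise in `extract` can only produce something `build` was designed for or something `verify` refuses. Note that the macro and embedded keys never reach the output at all; they are simply never extracted, which is the difference between transforming data and scanning it.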

Hardsec is the implementation of security controls in hardware. Not the conventional hardware that uses CPUs capable of a near-infinite number of tasks. Rather, the use of Field-Programmable Gate Arrays (FPGAs) designed for the purpose, with the controls programmed into the firmware so they can’t be changed or exploited without direct physical access to the hardware itself.

Deep Secure’s Threat Removal platform can be deployed with FPGA hardware performing the verification function, eliminating the software attack surface entirely. With this in place, the most determined and sophisticated attacker will fail because they have no software to attack. It is the ultimate in zero trust security, as the data received is never trusted and the software that ensures the data is made safe is not trusted either, completely eliminating the risk of a Mitsubishi-style breach.

Find Out More

Deep Secure’s Threat Removal platform can be deployed wherever untrusted data is handled, from conventional network perimeters to cross-domain solutions and cloud interconnections. For more in-depth analysis, read the new report from London based corporate advisors Peel Hunt looking in detail at zero trust security, Hardsec and how transforming data to render it safe has the power to redefine the future of cybersecurity.
