By John Stevenson

According to cyber security research firm Cybersecurity Ventures, the cyber security market has grown in value from $3.5 billion in 2004 to an expected $120 billion in 2017, with predictions of over £1 trillion by 2021. The numbers are eye-watering, but then the exploits the spending is designed to combat are ever more carefully crafted, a fact borne out by the recent breach at DocuSign and the ensuing spear-phishing campaign.

DocuSign is a vendor of electronic signature products. Following a security breach in which customer email addresses were stolen, attackers have mounted carefully targeted phishing campaigns. DocuSign customers and users are being sent emails purporting to be from the vendor, with highly plausible subject lines that indicate the presence of documents requiring signature. In fact, the messages contain a link to a malicious, macro-enabled Word document.

DocuSign says it has more than 100 million users and it is understandable that some could be duped. After all, the attackers are able to target users who might reasonably click on links in emails from DocuSign and who are most likely to be responsible for signing off on legal matters, acquisitions, purchases and the kinds of transaction that would warrant the use of electronic signature technology. Those in charge of signing off on such transactions are high value assets in the eyes of cyber criminals.

One of the morals of the story is that the more valuable the assets in an organisation are, the more important it is that they are thoroughly protected. To this end, here at Deep Secure we recommend that a regular review is undertaken to identify high value assets (data, individuals and functions) and that these assets are appropriately zoned so that content passing into that zone has any threat removed from the business content.

This is best achieved by bolstering aged threat detection defences with the Deep Secure Content Threat Removal platform. The Deep Secure Content Threat Removal platform can be deployed on the zone boundary for each of the main ingress routes for business documents into the zone – email, web and file transfer.

Unlike first- or second-generation cyber security tools, the Content Threat Removal platform doesn’t attempt to either detect or isolate. Instead, it removes the threat, and here’s how.

The platform works by using a process of transformation to prevent any exploit contained in seemingly valid business communication from entering an organisation. The platform enforces a protocol break at the ingress point and removes the business information, before creating wholly new content from scratch on the other side of the protocol break and sending it forward to its destination. In this instance, the spear-phishing email may well get through to its intended target, but the Word document will contain nothing more than some fairly useless text because the threat has been removed and discarded during transformation.

The platform supports a wide range of application-to-application and general business communication across the network boundary and has a number of benefits. It works against unknown attacks. It does not need to maintain a list of known attacks and attack techniques. It works without needing to interact with the vendor. There is no need for updates to be brought in regularly from the Internet. There is no need to report behaviour to a central control system for correlation. Using this approach you don’t need to “detect” the exploit or “isolate” it to observe the behavioural characteristics. You just remove it.

Campaigns like the one targeting DocuSign customers highlight the importance of identifying high value assets within the organisation and ensuring that they are appropriately protected. Before you sign off on any further cyber security expenditure, talk to Deep Secure about Content Threat Removal – the best way to protect those assets you simply cannot afford to be compromised.
