Addressing the Fundamental Deficiency in Today’s Mainstream Cyber Security Strategies
From Detection to Non-Detection. 

The Current Cyber Security Landscape
Traditionally, for the past few decades, “detection” has been the centre of all the cybersecurity protection tools: be it anti-virus, sand-boxing, machine-learning, threat intelligence, intrusion detection or network analysis tools. Every technology is, at its very fundamental level, trying to “detect the bad guys” in a bid to remove them if found. The deficiency with this approach is, there are countless number of new malwares being developed everyday around the world. Such new malwares range from variants of existing malwares or completely redesigned malwares that are making use of zero-day (meaning new, or “just born”) vulnerabilities in OS-es and commercial applications. Because of this, it becomes increasingly difficult to keep up with the latest zero-day malwares. This is despite the relentless effort of brilliant security researchers around the world working on the best technologies to “detect the bad guys”, whether signature-based, or signature-less. We may detect them today, we can’t tomorrow. That is the reality today and that explains partially why high profile compromised cases due to WannaCry, NotPetya etc continue to get into headlines despite vast investment in advanced protection technologies. With that, a paradigm shift in cyber protection strategy is imminently needed today.

In recent years, with the popularity of AIML (Artificial Intelligence and Machine Learning) technologies, highly advanced protection tools continue to emerge. Such technologies are able to, without supervision, creates large patterns and trends on previously available data and make increasingly accurate predictions on new threats based on techniques such as heuristics analysis.

Despite the above indicated advances in the detection space, malwares and ransomwares are still successfully infecting organizations around the world from time to time. What is fundamentally missing? Are we all barking up the wrong tree?

CDR or CDNR

In consideration of the fundamental inadequacy in detection-centric technologies, they need to be augmented by non-detection based technologies. One such example is “CDR”, an acronym for Content Disarm and Reconstruction.

Specifically, CDR is a technique which, does not determine nor detect malware's functionality but removes all “impurities” that are not approved within the system's definitions and policies. However, in our opinion, this term does not completely reflect what this technology is doing because, in order for it to “disarm”, it needs to detect first whether it is “armed”. Hence, “CDR” might be mistaken as a detection technique and it might not be the most accurate term to describe a non-detection-centric technology.

We propose an alternative term that reflects this technology more accurately. We name it CDNR, Content Deconstruction, Neutralisation & Reconstruction, which means the content is deconstructed first (regardless of it being infected or not), neutralized (sanitized using a set of different techniques based on file types), and then reconstructed back to original file format using its native drivers and creating the file back to its purest, native form. Throughout the process, all the “extra” contents or “impurities” such as hidden scripts and non-complying elements etc., are being dropped. In a nutshell, the main purpose now is not to detect and remove just the “bad guys”, but simply to remove all the “impurities” whether it is bad or good (hence no detection is necessary). This is at its conceptual level, a little akin to a white-listing concept, although it has much more technicalities and complexity in its real implementations.

There are different models of CDNR processes depending on the user’s security and usability risk endurance level:

1.     Maximum-Usability (MU) Model

2.     Maximum-Security (MS) Model

In MU model, the CDNR engine will follow a set of pre-defined rules and policies and drop all components of a file that does not meet the requirement with zero cost in usability. For example, the original file will be restructured using native drivers and matched with a set of rules and policies. Anything that does not match the rules, will be dropped (e.g. macros, embedded scripts, embedded files, etc.,). This method will let the user retain most of the features in the original file but improper configuration in such case may lead to risk of infection despite the CDNR efforts so it is a trade-off for usability with calculated risks and exposure.

In MS model, the CDNR engine will practically rebuild the whole file itself, either by converting to another file format or just recreate the file using native drivers at the minimal or moderate cost in usability. Imagine a DOC file being converted to an HTML file: all the doc-specific features such as macros, embedded files, are essentially crushed in the new environment. Hence, when this HTML file is converted back to DOC file, all the potentially dangerous components are already completely disposed of. This approach is very effective in security point of view since all the impurities, which usually include potentially malicious contents are gone. Such highly stringent option trade usability for a virtually un-hackable screening. However, it is important to note that this example is cited for the simplicity of understanding. In the industry, the top CDR/CDNR engines took years of research and development, and it typically comes with a collection of much more sophisticated technologies to achieve a well-balanced between usability and security.

The Challenge

Security is always use case dependent. It is always a trade-off between usability and convenience. The challenge therefore remains in how to effectively do CDNR at a high security level while also retaining high usability at the other end of the balance. In other words, to perform maximum sanitization yet retaining the file’s original persona.

The above has been a well-researched topic and we are fortunate that today, there is already matured and enterprise-grade CDNR based offering. While its adoption and awareness has increased gradually over the past few years, it is a little unfortunate that such concept is still not very well understood yet at the point of this writing. There is only one such clear leader that is very much ahead of the pack.

Recommendation

With ever increasing sophistication of advanced malwares, it is critically imminent for enterprises to embrace a holistic approach in cyber protection in the perspective of “People, Process and Technologies”. On People, to have multi-level, customized trainings for different levels of staff. On Process, to not just focus on paper compliances and certifications, but to also engage strong cyber audit service providers for regular and deep Vulnerability Assessment and Penetration Tests (VAPT). On Technologies, to not just looking at detection-centric baseline, but to augment it well with a non-detection-centric implementation that covers the necessary threat exposures of the enterprises