Documents: a Hacker's Gateway to your Enterprise

Your business, just like Nexor, probably uses documents as a key tool in sharing and disseminating information. As we have known for a very long time now, documents can be a source of security infection, but technology does not seem to be coping very well in protecting against it – UNTIL NOW.

Attack Scenario

Hopefully by now we all know how an attack of this type works; the following description is from Symantec, describing Operation Shady RAT:

Target organizations are selected and then emails are created and sent to individuals within those organizations. The emails follow the typical targeted attack modus operandi—that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. The attached file contains the details promised in the email text, as part of a social engineering ploy. In our investigations we’ve uncovered many such emails covering a whole gamut of topics. These emails contain various attachments, typically Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and PDF documents. These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised.

Role of Anti-Virus Technology

Surely protecting against this is relatively easy: make sure you have up-to-date Anti-Virus technology installed. Right? Do the following quotes from leading players in the Anti-Virus technology supply base worry you?

  • “Signature AV does not really work except for the obvious stuff”
    James Lyne, Director of Technology, Sophos
  • “It’s no secret that there is a huge industry devoted to bypassing anti-virus.”
    Rob Rachwald, Director of security strategy at Imperva
  • “The truth is, consumer-grade antivirus products can’t protect against targeted malware”
    Mikko Hypponen, Chief Research Officer of F-Secure
  • “The game has changed from the attacker’s standpoint. The traditional signature-based method of detecting malware is not keeping up.”
    Phil Hochmuth, Industry Analyst, International Data Corporation

They should do! They are essentially saying that the traditional approach to Anti-Virus does not work – and the evidence from the increasing rate of security disclosures supports this.

What is wrong?

The technical challenge is that virus and malware technology has evolved to a level where it is very easy to morph an attack so that it evades the signature-based detection mechanisms used by Anti-Virus technology.

The Anti-Virus industry is busy pushing solutions to this based on heuristic techniques. But there is still a fundamental issue here: these approaches are all about trying to detect signatures or behaviours that are already known to be bad.

Look for Known Good

At Nexor, we have implemented a solution in Nexor Merlin that turns this model on its head. When importing a document into a network (via email, web or file transfer), rather than examining the file to see if it contains bad stuff, we create a completely new file built only from elements that are known to be good. What determines "good"? Well, that depends upon your risk appetite!
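To make the "known good" rebuild concrete, here is an added illustration (my own code, not Nexor Merlin's implementation) over a constructed toy document format: every element type not on the policy allow-list is dropped rather than inspected, the output is a brand-new tree, and inputs the filter cannot parse or does not recognise are rejected. The `<doc>` structure, the policy names and the sample content are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed toy document format (NOT a real Office or PDF structure): a <doc>
# root whose children may be paragraphs, images, metadata, macros or embedded objects.
# Risk appetite is expressed as an allow-list of element types that get rebuilt.
POLICIES = {
    "strict": {"p"},            # text only
    "balanced": {"p", "img"},   # text plus sized image placeholders
}

class RejectedDocument(Exception):
    """Input that cannot be rebuilt; the gateway must not pass it through as-is."""

def _rebuild_paragraph(src):
    new = ET.Element("p")
    new.text = src.text or ""    # copy the text only; attributes and nested markup are not carried over
    return new

def _rebuild_image(src):
    new = ET.Element("img")
    for attr in ("width", "height"):
        value = src.get(attr, "")
        if value.isdigit():      # only well-formed integer sizes are re-emitted
            new.set(attr, value)
    return new                   # src/href are never copied: no external references survive

BUILDERS = {"p": _rebuild_paragraph, "img": _rebuild_image}

def rebuild(raw, policy="strict"):
    """Return (new_root, dropped_tags). The parser here is itself attack surface,
    so a real gateway would run this step sandboxed and with a hardened parser."""
    allowed = POLICIES[policy]
    try:
        src = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedDocument(f"unparseable input: {exc}")
    if src.tag != "doc":
        raise RejectedDocument(f"unsupported format: <{src.tag}>")
    out = ET.Element("doc")      # a fresh tree; nothing from the input is shared by reference
    dropped = []
    for child in src:
        if child.tag in allowed:
            out.append(BUILDERS[child.tag](child))
        else:
            dropped.append(child.tag)   # macros, OLE objects, metadata, anything unknown
    return out, dropped

def is_rejected(raw, policy="strict"):
    try:
        rebuild(raw, policy)
        return False
    except RejectedDocument:
        return True

# Constructed sample: one useful paragraph surrounded by content a gateway should strip.
SAMPLE = (b'<doc><meta author="alice"/><p onclick="x()">Q3 budget attached</p>'
          b'<macro>Sub AutoOpen()</macro><img src="http://example.invalid/i.png" width="120" height="80"/>'
          b'<ole/></doc>')
```

Running `rebuild(SAMPLE, "balanced")` keeps only the paragraph text and a size-only image placeholder; with the `strict` policy the image is dropped too, and an unparseable or non-`<doc>` input is rejected outright.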

More information will follow in the coming weeks about how this approach works. If you can’t wait, please contact us directly or leave a comment below!

To summarise, rather than trying to detect attack vectors such as those used by Operation Shady RAT and Beebus by looking for what is historically known to be bad, this patented new approach enables us to protect a business by only allowing the import of data that is known to be good, thus significantly reducing the attack surface of the organisation.


2 thoughts on "Documents: a Hacker's Gateway to your Enterprise"

  1. Interesting approach, but I see a few problems here:
    1) A perimeter defence only works if it really does control the entire perimeter. Most real organisations don’t even know who works for them, so expecting them to define a hard perimeter is asking a lot.
    2) The code that extracts the ‘known good’ parts of all those incoming files had better be absolutely bomb-proof itself, otherwise you are just providing something else that can be attacked.
    3) What happens to attachments that the filter does not understand? Can you afford to ban all the ‘less common’ formats? Can you afford to ignore new stuff while you wait for the filter to catch up?
    4) This scheme completely breaks digital signatures and similar content-integrity systems. It probably removes most of the metadata as well.


  2. Andrew, you are absolutely right with the 4 points you raise. A perimeter solution is only as good as an organisation's capability to identify and define the perimeter – but even where there is a weakly defined perimeter there is still a good strength-in-depth argument, especially when looking at corporate email approaches.
    Yes – you have to trust the code.
    Yes – you have to determine what to do with file types you do not understand, but that’s not a reason to do nothing with the types you do not understand.
    Yes – it will break signatures, but that does not prevent the signature being validated and the new document being signed by the gateway – back to the do you trust the code issue.
    I am certainly not claiming it solves the issue, but as part of a defence-in-depth argument it is a new element in our armoury!


Comments are closed.