Documents: a Hackers Gateway to your Enterprise

April 2013

Your business, just like Nexor, probably uses documents as a key tool in sharing and disseminating information. As we have known for a very long time now documents can be a source of security infection, but technology does not see to be coping very well in protecting against it – UNTIL NOW.

Attack Scenario

Hopefully by now, we all know how an attack of this type works, the following description is from Symantec when describing Operation Shady Rat:

Target organizations are selected and then emails are created and sent to individuals within those organizations. The emails follow the typical targeted attack modus operandi—that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. The attached file contains the details promised in the email text, as part of a social engineering ploy. In our investigations we’ve uncovered many such emails covering a whole gamut of topics. These emails contain various attachments, typically Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and PDF documents. These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised.

Role of Anti-Virus Technology

Surely protecting against this is relatively easy: make sure you have up-to-date Anti-Virus technology installed. Right? Do the following quotes from leading player in the Anti-Virus technology supply base worry you?

• “Signature AV does not really work except for the obvious stuff” James Lyne, Director of Technology, Sophos
• “It’s no secret that there is a huge industry devoted to bypassing anti-virus.” Rob Rachwald, Director of security strategy at Imperva
• “The truth is, consumer-grade antivirus products can’t protect against targeted malware” Mikko Hyyponen, Chief Research Officer of F-Secure
• “The game has changed from the attacker’s standpoint. The traditional signature-based method of detecting malware is not keeping up.” Phil Hochmuth, Industry Analyst, International Data Corporation

They should do! They are essentially saying the traditional approach to Anti-Virus does not work – and the evidence from the increasing rate of security disclosures supports this

What is wrong?

The technical challenge is that viruses / malware technology has evolved to a level such that it is very easy to morph the attack such that it evades the signature based detection mechanisms used by Anti-Virus technology. The Anti-Virus industry is busy pushing solutions to this based on heuristic techniques. But there is still a fundamental issue here: these approaches are all about trying to detect signatures or behaviour that are known to be bad.

Look for Known Good

At Nexor, we have implemented a solution in Nexor Merlin that turns this model in its head. When importing a document into a network (via email, web or file transfer), rather then examine the file to see if it contains bad stuff, we create a completely new file built from elements that are known to be good. What determines “good”? Well, that depends upon your risk appetite! More information will follow in the coming weeks about how this approach works. If you can’t wait, please contact us directly or leave a comment below! To summarise, rather than trying to detect security attack vectors such as used by Operation Shady Rat and Beebus by looking for historically is known to be bad, this patented new approach enables us to protect a business by only allowing the import of data this is know to be good, thus significantly reducing the attack surface of the organisation.

Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.

• LinkedIn profile
• View all of Colin's posts