Validating the Payload

November 2014

In the blog Secure Delivery of a Payload we discussed how secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.

The previous blog looked at protecting against protocol-based attacks. In this blog we look at content-based attacks – attacks on the payload.


The Attack Vector

The principle behind a content-based attack is that when delivered, the payload contains malware that will cause the end system to do something unexpected, which the attacker can take advantage of – usually to gain access.

The most common and effective technical mitigations are:

  • Patching – to ensure your applications have known vulnerabilities removed
  • Anti-Virus – to detect known malware

(Aside: This is why these two mitigations are fundamental to the UK Government's baseline security standard, Cyber Essentials.)

However, both of these mitigations have one thing in common: they work on known problems. The skilled attacker that really wants to get you will exploit an unknown problem – the so-called zero-day.

Threat Reduction

To reduce this threat we can use the following techniques, first described in the White Paper Protecting confidential information using Data Diodes, which explores these concepts in much more depth.

  1. Accept the risk. Patching / Anti-Virus may be sufficient for the threat you face.
  2. Do very strict pattern matching on the payload, only accepting payloads recognised to be conformant (i.e. whitelisting). For example, only accept “text” files containing 7-bit ASCII characters. More advanced scenarios will perform strict schema checking on the file to ensure it conforms to an expected set of rules.
  3. Convert the payload itself. Essentially, take all the information out of the source file and create a new file with the same contents. The White Paper Preventing Document-Based Malware from Devastating your Business talks about this defence technique in much more depth.
  4. Do a combination of the above. For example: only accept JPEG files, convert those to PNG and drop all other payloads.
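As an added illustration of techniques 2 to 4 (example code written for this page, not Nexor's own tooling or anything from the White Papers): a Python validator that accepts only 7-bit ASCII text or structurally valid JPEG and drops everything else. In place of the JPEG-to-PNG conversion mentioned above it rebuilds a fresh JPEG from a whitelist of marker segments, so APPn/COM metadata and any unrecognised segment never reach the destination; it assumes downstream decoders accept a JPEG without its APPn segments, and the sample bytes are constructed, not a real image.

```python
# Technique 2: whitelist only printable 7-bit ASCII text (plus tab, CR and LF).
ALLOWED_TEXT = set(b"\t\n\r") | set(range(0x20, 0x7F))
def validate_ascii_text(data: bytes):
    """Return the payload unchanged if every byte is whitelisted ASCII, else None."""
    return data if all(b in ALLOWED_TEXT for b in data) else None

# Techniques 2 and 3 for JPEG: walk the marker segments, reject anything malformed, rebuild.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RSTn: no length field
KEEP = {0xC0, 0xC1, 0xC2, 0xC4, 0xDB, 0xDD, 0xDA}   # SOF0-2, DHT, DQT, DRI, SOS
METADATA = set(range(0xE0, 0xF0)) | {0xFE}           # APPn, COM: dropped, not copied
def rebuild_jpeg(data: bytes):
    """Return a JPEG rebuilt from whitelisted segments only, or None if rejected."""
    if data[:2] != b"\xff\xd8":
        return None
    out, i = bytearray(b"\xff\xd8"), 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None                   # a marker was expected here
        marker = data[i + 1]
        if marker == 0xD9:                # EOI must be the final two bytes
            return bytes(out + b"\xff\xd9") if i + 2 == len(data) else None
        if marker in STANDALONE:
            return None                   # second SOI, TEM, or RST outside a scan
        length = int.from_bytes(data[i + 2:i + 4], "big")
        segment = data[i:i + 2 + length]
        if length < 2 or len(segment) != 2 + length:
            return None                   # truncated or nonsensical length field
        i += 2 + length
        if marker == 0xDA:                # SOS: entropy-coded data runs until the next
            j = i                         # marker that is neither FF00 stuffing nor RSTn
            while j < len(data) - 1 and (data[j] != 0xFF or data[j + 1] == 0
                                         or 0xD0 <= data[j + 1] <= 0xD7):
                j += 1
            segment, i = segment + data[i:j], j
        if marker in KEEP:
            out += segment
        elif marker not in METADATA:
            return None                   # unknown segment type: reject, don't guess
    return None                           # ran out of bytes before EOI

def validate_payload(data: bytes):
    """Technique 4: accept only text or JPEG (rebuilt); drop every other payload."""
    text, jpeg = validate_ascii_text(data), rebuild_jpeg(data)
    return ("text", text) if text is not None else ("jpeg", jpeg) if jpeg is not None else None

# Constructed sample: SOI, APP0, COM, DQT, SOF0, SOS + scan data (FF00 stuffing, RST0), EOI.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04ab" + b"\xff\xfe\x00\x07hello"
               + b"\xff\xdb\x00\x05\x00\x01\x02" + b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
```

Running validate_payload(SAMPLE_JPEG) returns a JPEG with the APP0 and COM segments gone; a payload that is neither whitelisted text nor a well-formed JPEG returns None and is dropped.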

One of the most difficult aspects of the above is not technical. It’s deciding which level of control is necessary and relevant to your business or application scenario – this is where Threat Analysis, as discussed in A Brief Introduction to Threat Analysis, fits. This is not easy, and it is why you need to consider engaging with experts who can help you understand your exact situation and advise on the right solution for it.

Do you have the right level of content protection in your business?


Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.

