File-Based Malware Defense – GCN

Since the beginning of the Russian invasion of Ukraine on February 24, cybersecurity has been at the heart of the concerns of government agencies at all levels – federal, state and local.

In March, the White House issued a statement by President Joe Biden warning of potential Russian government-backed cyberattacks targeting U.S. public and private sector organizations. The Cybersecurity and Infrastructure Security Agency, for its part, published a rare Shields Up warning on potential cyberattacks from Russia, advising that “every organization – large and small – must be prepared to respond to disruptive cyber incidents.”

File-Based Cyber Disruption

Among the most chilling forms of cyberattack perpetrated by Russian-backed threat actors is wiper malware.

Wipers are often delivered as file-based attacks in which the attacker tricks users into opening common file types such as .DOCX and .PDF. When the document is opened, it runs a macro that installs a digitally signed binary that overwrites the master boot record, destroying all data on the drive. A wiper that corrupts the Master Boot Record and erases all data from an infected hard drive is a nightmare scenario for any organization.

In the run-up to Russia’s invasion of Ukraine, threat actors targeted Ukrainian businesses and government agencies with multiple wiper attacks. These included HermeticWiper, which manipulates the Master Boot Record and causes boot failure. WhisperGate not only corrupts the Master Boot Record and encrypts files but also displays a ransom note. However, the affected files are unrecoverable even if the ransom is paid.

CISA warns that even if cyberattacks in Ukraine do not target other countries, they can easily spread and circulate around the world. This will likely happen through phishing campaigns. In fact, more than 90% of successful cyberattacks start with a phishing email.

Safer content with CDR

Security-focused organizations like CISA and the FBI recommend practical steps to mitigate file-based attacks. These include enabling strong spam filters to prevent phishing emails from reaching employees and setting anti-virus software to scan frequently to protect against known malware signatures.

Content Disarm and Reconstruction (CDR) technology provides an important additional layer of defense that can protect agencies against file-based malware. It works by deconstructing and reconstructing files in real time as they traverse the network.

The technology begins by extracting only valid business information from a file. It then creates an entirely new, fully functional, and malware-free file to carry the information to its destination. The original file, along with any malware it may have contained, can be quarantined or simply deleted.

CDR performs this step on all files, from Microsoft 365 documents and images to web application data, whether or not they contain known or unknown threats. This way, it always provides safe content, even against zero-day threats. CDR protects against attacks from email, webmail, web browsing, web downloads, web apps, file uploads, file sharing, and social media.

CDR shifts the focus from file-based malware detection to prevention. Rather than trying to detect any malware hidden in the data volumes traversing an agency network, CDR assumes that all transmitted data is potentially dangerous. This approach to CDR essentially applies a zero-trust framework to data.

It is important to note that not all forms of CDR adopt this zero-trust approach. Some CDR solutions only detect and remove known exploits and executables, or only detect and repair known malformed structures. A safer strategy is to never trust any file, never pass through executable code, and deliver only simple structures. Zero Trust CDR securely rebuilds and delivers every file, every time.
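To make the deconstruct-and-rebuild idea concrete, here is an added example (written for this page, not code from GCN or from any CDR vendor) of a toy Zero Trust CDR pass over a simplified Office-style container. The input file, the archive member names beyond the standard `word/document.xml`, and the filler macro and OLE bytes are all constructed for the demonstration. The pass reads only the paragraph text out of the document part, writes a brand-new archive from scratch containing just that text, and reports which members of the original were never carried across, so the original can be quarantined with an audit record.

```python
"""Toy Zero Trust CDR: extract business content, rebuild a fresh file, never forward the original."""
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml in .docx files.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W_NS)

# Minimal package parts that a freshly rebuilt container needs.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
    'Target="word/document.xml"/>'
    "</Relationships>"
)


def list_members(container: bytes) -> list[str]:
    """Names of the archive members in a container (used for the audit record)."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.namelist()


def extract_paragraphs(container: bytes) -> list[str]:
    """Pull only plain paragraph text out of word/document.xml.
    No other member (macros, embedded objects, relationships) is read, let alone copied.
    Note: in production, parse untrusted XML with defusedxml; stdlib ElementTree is used
    here only to keep this constructed example self-contained."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        xml_bytes = zf.read("word/document.xml")
    root = ET.fromstring(xml_bytes)
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


def build_clean_document(paragraphs: list[str]) -> bytes:
    """Write a new container from scratch. Nothing from the original is copied byte-for-byte;
    the only structure the output can ever contain is the allow-list below."""
    doc = ET.Element(f"{{{W_NS}}}document")
    body = ET.SubElement(doc, f"{{{W_NS}}}body")
    for text in paragraphs:
        run = ET.SubElement(ET.SubElement(body, f"{{{W_NS}}}p"), f"{{{W_NS}}}r")
        t = ET.SubElement(run, f"{{{W_NS}}}t")
        t.text = text
        t.set("{http://www.w3.org/XML/1998/namespace}space", "preserve")
    doc_xml = ET.tostring(doc, xml_declaration=True, encoding="UTF-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", RELS)
        zf.writestr("word/document.xml", doc_xml)
    return out.getvalue()


def cdr_rebuild(container: bytes) -> tuple[bytes, list[str]]:
    """Zero Trust CDR step: return (fresh file, members of the original that were dropped).
    The caller delivers the fresh file and quarantines or deletes the original."""
    clean = build_clean_document(extract_paragraphs(container))
    kept = set(list_members(clean))
    dropped = sorted(m for m in list_members(container) if m not in kept)
    return clean, dropped


def make_sample_file() -> bytes:
    """Constructed test input: two paragraphs plus a VBA project part and an embedded OLE part.
    The macro/OLE bytes are inert filler, not real code."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        "<w:p><w:r><w:t>Quarterly budget summary</w:t></w:r></w:p>"
        '<w:p><w:r><w:t xml:space="preserve">Total: </w:t></w:r><w:r><w:t>$1,200</w:t></w:r></w:p>'
        "</w:body></w:document>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", RELS)
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/vbaProject.bin", b"\x00FILLER-MACRO-BYTES\x00")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00FILLER-OLE-BYTES\x00")
    return out.getvalue()


if __name__ == "__main__":
    clean_file, dropped_members = cdr_rebuild(make_sample_file())
    print("delivered text:", extract_paragraphs(clean_file))
    print("dropped from original:", dropped_members)
```

The design choice that makes this "zero trust" rather than "detect and strip" is that `cdr_rebuild` never decides which parts of the original are bad; it only ever decides which content is good (paragraph text) and builds the delivered file from that alone, so unknown or zero-day constructs in the original have nowhere to go. Real CDR products preserve far more (formatting, images re-encoded from pixels, tables) using the same rule: every element in the output is regenerated from an allow-listed model, never copied from the input.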

Government organizations – even the smallest state and local agencies – are beginning to recognize that it’s not a question of if, but when, they will face a cyberattack. Likewise, it is no longer a question of whether, but when, such an attack will involve file-based malware.

Cybersecurity basics, like strong spam filters and frequent virus scans, are an integral part of good cyber hygiene. But as government agencies face an increased risk of sophisticated attacks from dangerous threat actors such as adversarial nations, Zero Trust CDR offers greater assurance of protection. With CDR technology, users and agencies can feel more secure about being protected against file-based attacks.