Credit: David Werbrouck
Something as simple as a malicious document can initiate an attack chain that significantly impacts the services necessary for our daily lives. The technologies employed to combat file-based malware and protect critical infrastructure are often unfamiliar to those outside critical infrastructure protection (CIP). To gain insight into the defences needed to stop this attack method, we’ll explore how criminals exploit files to target networks and delve into the technologies used by organisations globally to secure critical applications.
File-Based Threats Bypass Single-Engine Antivirus Scans
Threats can be hidden in file uploads, file transfers, removable media, or email attachments. Anyone of these delivery methods can significantly impact your company and environment if the proper controls are not in place to take preventive actions.
Businesses that depend on a single antivirus engine or don’t use an antivirus (AV) solution face significant risk. Research shows that single-engine antivirus solutions offer detection rates ranging from 40% to 80%, while having just four AV engines can increase the detection rate to over 80%, and 30 engines can yield 99% threat detection.
Malicious Active Content Hidden in Files
Active content in files enhances efficiency and creates a better user experience. For instance, an Excel macro allows for automating repetitive tasks, resulting in time-saving benefits. Other forms of active content found in files include add-ins, data connections, colour-theme files, links to external pictures, JavaScript, and embedded objects.
While it is useful, active content can be manipulated by cybercriminals to launch a wide range of attacks. By altering the code, they can execute malware without user interaction, for example opening a document or visiting a website.
How to Protect Against Advanced File-Based Threats
1. Increase Threat Detection Rates with Multiscanning
Simultaneously scanning files with multiple antivirus engines, or multiscanning, provides 83% - 99% detection of all known malware. The most advanced level of protection against sophisticated file-based threats can be achieved by integrating several antivirus engines.
2. Disarm All Malicious Active Content with Content Disarm & Reconstruction
As malware becomes more complex, it is increasingly easier to evade traditional AV solutions. Zero-day malware can bypass conventional signature-based AVs, which only detect known malware. Content Disarm and Reconstruction (CDR) is a dynamic threat prevention technology that removes both known and unknown malware. CDR effectively mitigates potentially harmful embedded content, including malware that exploits zero-day vulnerabilities.
3. Prevent Sensitive Data Loss
Uploaded and transferred documents, emails, and removable media can contain sensitive and confidential information. These types of data are also lucrative targets for cybercriminals to attack and hold ransom. Data Loss Prevention (DLP) is a vital technology to secure sensitive data and prevent data breaches and compliance violations.
Implement Cybersecurity Content Inspection for Network Traffic
Cybercriminals can upload malicious files through network traffic to penetrate organisations’ environments or move laterally across networks. One way to protect against lateral movement is content inspection, a network-based anti-malware, and data loss prevention solution to identify malicious code and sensitive data by analysing data in transit. By integrating a content inspection solution with a load balancer or web application firewall, organisations have a plug-and-play option for more comprehensive security.
Key Questions to Prevent File-Based Threats
To prevent the most advanced file-based threats, ask these questions to review what security practices you have in place:
- Do you have any preventative security for file-based threats?
- How many antivirus engines do you use to scan for threats in content?
- Do you have a preventive strategy for unknown malware?
- Do you have a preventive strategy to protect sensitive and confidential data?
- Do you inspect content moving through your network?
The team at OPSWAT would love to talk to you if you would like more information or if you have a gap or risk in your environment from file-based threats that we can help with. Learn more at www.opswat.com/.
