Why File Based Attacks Still Inflict Severe Damage After 30+ Years

File-based cyberattacks, in which attackers send files, such as Microsoft Word documents or Adobe Acrobat PDFs, poisoned with embedded malicious code that executes once an intended target opens the file, are among the most common ways that hackers compromise computers. Of course, file-based attacks are not new – they have been around for almost as long as personal computers themselves; over 20 years ago, for example, the Melissa worm inflicted over a billion dollars of damage by exploiting a relatively simple malicious macro stored within a Microsoft Word document.

There are several reasons that file-based attacks remain a serious problem after so many years, despite the advent of many technologies intended to block malware-bearing files from ever reaching users. I recently discussed several of them with Dr. Oren Eytan, former head of the Israeli military’s cyber-defense unit, and currently CEO of the cybersecurity product firm, Odix. (I met Dr. Eytan after seeing an announcement that the European Union’s Horizon 2020 Research and Innovation program granted Odix $2 Million to optimize Content Disarming and Reconstruction technology (discussed below) – which typically can be found in use only in larger enterprises – for the SMB market.)

Here are some highlights from our discussion about why file-based attacks continue to plague cyberdefenders around the globe:

1. Files are a common attack vector.

While apps, software, and operating systems vary quite a bit between platforms, essentially every modern hackable computer utilizes files of some sort. Likewise, a large portion of the data utilized by both individuals and modern-day corporations resides within files. As such, as Dr. Eytan pointed out, files offer tremendous potential for reaching targets.

2. Files continue to grow larger with time.

As Dr. Eytan pointed out, it is significantly easier to hide malware (from both humans and cybersecurity countermeasures) within large files, than within small files whose sizes appear suspicious when malware payloads are added. As such, the tremendous growth in the average size of files over the past couple decades has helped enhance the attractiveness of files to cyberattackers looking for distribution mechanisms for malware. In one generation, for example, we have migrated from text files on 1.44-Megabyte floppy disks to high-definition-video files on 4-Terabyte portable hard drives – opening the door for the file-based hiding of malware that is many times larger and more sophisticated than was previously possible.

3. Signature-based anti-malware systems often miss new malware variants.

Hackers create many new variants of malware every day. Yet, at least historically speaking, many anti-malware technologies block malware by looking for only known strains. As I have discussed before, by definition, such a reactive approach is deficient – as it will always miss the most recently released malware, about which the security software obviously has no knowledge, and which often represents the most potentially damaging malware in the wild.
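To make the point concrete, here is a small added example (my own illustration, not code from the article, from Dr. Eytan or from Odix) of how a purely reactive, signature-based scanner behaves. The scanner derives two typical signatures from a sample it has already seen, an exact file hash and a byte pattern, and is then shown a trivially rewritten variant of the same sample. All three "macro" texts are constructed, harmless placeholders; the point is only that the variant is functionally the same yet matches neither signature.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a macro a vendor has already seen and written
# signatures for. It is harmless VBA-like text, not real malware.
KNOWN_SAMPLE = b'Sub Document_Open()\n    MsgBox "constructed sample"\nEnd Sub\n'

# Constructed "new variant": identical behaviour, string concatenated instead
# of written literally. No vendor has seen this exact file yet.
VARIANT_SAMPLE = b'Sub Document_Open()\n    MsgBox "constructed" & " sample"\nEnd Sub\n'

# Constructed benign macro, to show the signatures do not over-match.
BENIGN_SAMPLE = b'Sub Document_Open()\n    ActiveDocument.Save\nEnd Sub\n'


@dataclass(frozen=True)
class Signature:
    """One detection rule: either an exact-file hash or a byte pattern."""
    name: str
    file_sha256: Optional[str] = None
    byte_pattern: Optional[bytes] = None

    def matches(self, data: bytes) -> bool:
        if self.file_sha256 is not None and hashlib.sha256(data).hexdigest() == self.file_sha256:
            return True
        if self.byte_pattern is not None and self.byte_pattern in data:
            return True
        return False


def build_signatures(known: bytes) -> List[Signature]:
    """Derive signatures the way a reactive vendor does: from the sample in hand."""
    return [
        Signature("hash:known-sample", file_sha256=hashlib.sha256(known).hexdigest()),
        Signature("pattern:msgbox-string", byte_pattern=b'MsgBox "constructed sample"'),
    ]


def scan(data: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of all signatures that fire on the given file bytes."""
    return [s.name for s in sigs if s.matches(data)]


if __name__ == "__main__":
    sigs = build_signatures(KNOWN_SAMPLE)
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label:8s} -> {scan(sample, sigs) or 'no detection'}")
```

The known sample trips both rules, the benign file trips neither, and the variant, which does exactly what the known sample does, slips past both until someone captures it and writes a new signature. That lag is the window the article describes.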

4. Heuristic analysis is imperfect.

Various advanced anti-malware technologies that look for suspicious behavior patterns exhibited by code as it runs may catch some as-yet unknown strains of malware, but they are likely never going to be 100% effective. As with the aforementioned signature-based defenses, heuristics often miss both the most advanced variants of malware and the most targeted forms of malware, which are also among the variants most likely to inflict the worst damage. As Dr. Eytan pointed out, sandboxing and analyzing software also consumes significant computing resources – meaning that heuristic analysis technologies can slow down systems, introduce unwanted latency, and otherwise adversely impact performance – all while delivering inadequate results. Such systems are also prone to occasionally raising false alarms – which can unnecessarily disrupt various business functions.

5. People are curious – and social engineering works.

Attackers often socially engineer people in order to get them to open poisoned files. Whether through mass-emailed messages bearing salacious subjects, or targeted messages bearing alarming subjects and impersonating known senders, criminals know how to pique human curiosity so as to incentivize people to open a file. As I have mentioned many times before, the ease with which cyberattackers can exploit human vulnerabilities is not readily addressable: security software has advanced by many generations over the past 30 years, but it takes the human brain many millennia to evolve significant improvements.

6. USB ports are ubiquitous.

It is not a secret that because people are curious, they are prone to inserting untrusted USB devices into computers; it is easy to ship malware-infected USB devices to targets in the mail as “giveaways,” leave poisoned USB thumb-drives in the parking lots of corporate office buildings, or utilize various other means of ensuring that innocent-looking attack-vehicles reach the hands of employees within a target organization.

7. Email is the number one way of targeting smaller businesses.

Dr. Eytan also mentioned that because email is one of the most commonly used forms of communication, and because, by default, it allows anyone to send untrusted attachments to anyone else, it is the primary method by which attackers send malware into smaller businesses, which are often not equipped with security software to stop email-borne attack code from reaching unsuspecting users.

8. Hackers innovate.

Creative hackers constantly find new ways to hide malware within files, and develop mechanisms that help their cyberweapons avoid detection by anti-malware technologies. From embedding their cyberbombs within password-protected and encrypted documents, to splitting malware into multiple files, to embedding poisoned files within non-poisoned files (e.g., a poisoned PDF within a DOCX), to using stealthy malware that self-encrypts into various different forms before spreading, to any one or more of many other advanced techniques, attackers find ways to help ensure that dangerous files reach users. Remember, attackers have a huge advantage over defenders in this regard – the former can design malware and test it against the anti-malware security products available on the market, allowing them to refine and improve their code until it reaches the level of non-detectability that they wish it to have.

A promising approach to defense

One interesting and promising approach to addressing the file-borne attack conundrum is known as Content Disarming and Reconstruction (CDR), a technology that protects against poisoned files not by looking for malware embedded within them, but by sanitizing all files: files are deconstructed and reassembled as new files that do not include any type of unfamiliar file content that may have been present in the originals. Of course, different reassembly rules may apply to different organizations, or even to people within organizations. A firm may ban all Excel macros in general, for example, but allow the CFO and her staff to use specific authorized macros; a CDR implementation in such a case would rebuild Excel files without macros for general users, and rebuild Excel files with only approved macros for the accounting team. As mentioned above, I met Dr. Eytan after seeing an announcement about the EU granting his firm $2 Million to build CDR technology for smaller businesses. In fact, while many large security vendors have begun to add various CDR capabilities to their existing product suites, startups focusing on the space are already making names for themselves with innovative offerings, and are also actively spreading the technology downstream – which will hopefully soon allow small and mid-sized businesses, as well as individuals, to join their larger counterparts in taking advantage of CDR capabilities, and thereby reduce their exposure to file-based attacks.
