What is Content Disarm and Reconstruction (CDR)?
Content Disarm and Reconstruction (CDR), also known as Threat Extraction, is the process of proactively protecting against known and unknown threats carried in documents by removing executable material from them.
The approach stands out from other security measures due to the fact that, unlike most others, it does not depend on detection. The removal of executable material from a document occurs regardless of whether or not the content has been identified as posing a risk to the user. Because of this, CDR is able to provide genuine zero-day protection while simultaneously delivering files to consumers in a timely manner.
An Infection with Malware Will Frequently Begin with a Document
Phishing emails are responsible for the overwhelming majority of malware infections worldwide. A significant proportion of them make use of a corrupted document as the vehicle for carrying out their harmful intent. In the year 2020, more than 70% of malicious email attachments or links were sent using documents such as PDF, Microsoft Office Word, Excel, and PowerPoint. On the web, malicious downloads accounted for around 30% of all infections.
However, just because a document may be weaponized does not always indicate that it is inherently harmful in every way. Documents created with Microsoft Office are saved in a compressed archive format known as ZIP, which includes subfolders that each hold their own unique collection of data. This indicates that the potentially harmful script included inside an Office file is only one of numerous files that the document as a whole includes.
PDFs are comparable in that they are also constructed from a number of distinct components. A malicious PDF file contains many objects, and these objects work together to build the final page that the recipient views. Nevertheless, the malicious script code concealed inside the document is only present in one or a few of these objects.
Disarming the Content and Beginning the Reconstruction Process
It is fraught with peril to send a Microsoft Office or PDF file that could contain malware to its intended recipient. There is always a chance that the recipient will open the file, enable macros, and allow malicious software to infect their machine. In addition, this strategy depends on the malicious content being detected in the first place. On the other hand, deleting the file entirely carries the risk that the recipient will miss vital information contained in the manipulated document. The content disarm and reconstruction process offers a safe alternative to simply blocking access to dangerous files.
Only a tiny portion of the files or objects that make up a weaponized Microsoft Office or PDF file are capable of harming the user: the executable material embedded in the document. Using CDR, these executable components are removed from the document, and the document is then reassembled from the parts that remain. In most cases, all that is required is to rebuild the files used by Microsoft Office or a PDF reader so that references to the removed material are deleted.
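As an added illustration of the rebuild step described above (not Check Point's code or the page's own), the following Python sketch removes the macro part from a constructed macro-enabled Word archive and rewrites the content-types and relationship files so nothing still references it. The OOXML part name, relationship type and content types are real; the sample document and its placeholder macro bytes are constructed for the example.

```python
import io
import re
import zipfile

# Real OOXML identifiers for the macro project part, its relationship type and content types.
EXECUTABLE_PARTS = {"word/vbaProject.bin"}
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def disarm_docx(data: bytes) -> bytes:
    """Rebuild the archive without macro parts and without references to them."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if n in EXECUTABLE_PARTS]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue  # the executable material itself is never copied
            body = src.read(name)
            if name == "[Content_Types].xml":
                for part in removed:  # drop Override entries for parts we removed
                    body = re.sub(rb'<Override[^>]*PartName="/%s"[^>]*/>' % re.escape(part.encode()), b"", body)
                body = body.replace(MACRO_MAIN, PLAIN_MAIN)  # the result is a plain, not macro-enabled, document
            elif name.endswith(".rels"):  # drop relationships that point at the macro project
                body = re.sub(rb'<Relationship[^>]*Type="%s"[^>]*/>' % re.escape(VBA_REL_TYPE.encode()), b"", body)
            dst.writestr(name, body)
    return out.getvalue()


def read_parts(data: bytes) -> dict:
    """Map every part name in the archive to its bytes (used to check the result)."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    return {n: zf.read(n) for n in zf.namelist()}


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled document with a placeholder macro part."""
    parts = {
        "[Content_Types].xml": b'<Types><Default Extension="xml" ContentType="application/xml"/>'
            b'<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN + b'"/>'
            b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": b"<w:document><w:body><w:p><w:t>Quarterly report</w:t></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId1" Type="'
            + VBA_REL_TYPE.encode() + b'" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"PLACEHOLDER-MACRO-BYTES",  # stands in for a real macro container
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A production CDR engine also handles OLE objects, embedded files, external links and PDF objects, which this sketch does not.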
Advantages of Utilizing CDR
Check Point's SandBlast Threat Extraction technology provides a Content Disarm and Reconstruction (CDR) solution that is the most advanced in its field. SandBlast Threat Extraction offers a variety of advantages for both the cybersecurity of a business and the productivity of its employees, including the following.
Minimal Impact on the Receiver: Because any harmful material is designed to be invisible to the recipient, removing it has no effect on the information the file actually conveys.
Safe Delivery: When the executable component of the document is removed, the document itself becomes safe for the receiver. This makes it feasible to send it on to the recipient without running the risk of infecting them with malware.
Zero-Day Protection: CDR removes executable material regardless of whether it has been identified as harmful, so it defends against zero-day attacks as well as known ones.
Rapid Delivery: CDR removes the delays associated with conventional sandboxes and allows real-world deployment of zero-day protection in prevent mode, while delivering cleaned files to users promptly.
Access to the Original File: It is possible that access to the executable content of benign files is needed in certain circumstances. The user is able to view the original file via Check Point SandBlast after it has been validated as safe following a sandbox examination.
CDR Security Options Are Available Across the Board Thanks to Check Point Harmony
Phishing emails are by far the most prevalent and well-known technique of sending dangerous documents and malware to a receiver; however, this does not mean that they are the only alternative available. It is possible for harmful information to be distributed via corporate collaboration platforms (such as Slack and Microsoft Teams), through text messaging, through social media and other mobile applications, and through downloads from malicious or hacked websites.
In order for CDR to be successful, it is necessary to implement it in such a way that it protects each of these possible infection vectors. All platforms are supported by Check Point's Harmony technology, which includes the endpoint security solution Harmony Endpoint, the mobile security solution Harmony Mobile, as well as the browser and email security solutions Harmony Browse and Harmony Email (Avanan).
A company can protect its users against the most prevalent means of delivering malware by implementing Check Point's Harmony technology, while minimising the effect the deployment has on staff productivity. Thanks to the multi-stage delivery of potentially harmful files (i.e., ones that include executable code), employees receive their files quickly, but they are only given access to the executable material after it has been confirmed to be safe.