Content Disarm & Reconstruction (CDR): What It Is and Why It Should Be in Your Toolbox 

By John Masserini, Senior Research Analyst, TAG Cyber  

As more and more enterprises move towards modernizing their infrastructures and solidifying their new, post-pandemic business models, unexpected attack vectors have emerged. After decades of throwing network and endpoint-based controls at the problems, we have inadvertently opened brand new delivery mechanisms by which the ever-evolving threat actors are taking advantage of.  

If we look at a typical enterprise, the long-accepted practice of ‘defense in depth’ is on full display; Firewalls/IPS/Endpoint for the network and Secure Email Gateways (SEGs)/Exchange Anti-virus/Sandboxing for email are probably two of the most fundamental architecture models in use. However, as more organizations are digitizing the entire consumer experience, more and more artifacts are now being delivered only digitally, forcing companies into developing means to ingest these documents as well.  

This has never been more apparent than in the financial industry, where applying for a loan with a major financial institution involves uploading countless PDFs of checking statements, loan forms, investment accounts, and paystubs – all to a cloud-based portal driven by automated workflows which deliver the documents to the various loan processors within the organization. While the entire process is focused on making it easy for both the consumer and the business, the attack vectors in this new world pose significant risks to the enterprise.  

The Rise of Content Disarming  

In our legacy worlds, we relied, almost solely, on malware and antivirus scanners to pull apart email attachments and determine if malicious code buried within. This worked fairly well as email was not just the primary, but virtually the only way to share documents across companies or customers. Today, however, with the advent of Microsoft Office365 and Google Workspace, along with the enterprise upload solutions like FileCloud, JScape, and Filestack, the ability of an attacker to infiltrate an enterprise with malicious documents is as easy as ever. This is where Content Disarm and Reconstruction comes into play.  

Content Disarm and Reconstruction (CDR) solutions evaluate documents at the file-structure level, either in cloud-based file repositories, email platforms, or as part of the enterprise’s file-sharing solution. CDR solutions disassemble documents into their various objects and evaluate the objects individually for malicious content, reconstructing them once the analysis is complete. These solutions approach file security in two distinct ways: identifying known-bad malware and removing it, or presuming the file is bad and rebuilding it with known-good objects.   

CDR solutions that use a known-bad methodology evaluate file objects for malware based on known malicious signatures or heuristics, which is a very similar approach to the anti-virus scanning we’re all accustomed to. Unfortunately, such solutions tend to fall into the same trap as well – with known bad signatures changing so rapidly, it’s nearly impossible to keep them current, even if leveraging the most up-to-date threat intel feeds.  

Conversely, solutions that leverage a known-good approach presume every document has embedded malware within its objects. In this case, following deconstruction, file objects that are identified as known-good are moved onto a clean, new file template, leaving behind unknown or malicious bits and bytes, therefore ensuring that the final version of the file is free from any type of malicious content.

A New Approach to an Old Issue  

Conceptually, content disarm and reconstruction is an approach whose time has come. Most security teams will acknowledge that signature-based scanning, while still useful for older attacks, fails to identify today’s constantly changing attack methods until it is too late. Additionally, almost since the first sandbox solution was sold, attackers have been finding ways around detonating within them, leaving them virtually useless against today’s assailants.   

Whether it is email based, a browser download, or a file transfer, malicious documents are finding their way deep into critical areas of the infrastructure. Today’s enterprises need a modern approach to file security, one that will fully support the evolving cloud strategy of the infrastructure, while invisibly ensuring that the documents being uploaded are indeed safe to use. Modern CDR solutions address both necessities of the modern enterprise, while substantially reducing the overall risk from document-born malware risks. Layering on a CDR solution will not only provide substantial insight into where other platforms are failing but may also ultimately replace the older, outdated technology with one that can actually address today’s threat vectors.