What is Content Threat Removal (CTR)?

March 2, 2021

As organizations look to enhance their data security programs, they need to start thinking “outside the network.” Whether maintaining an in-office, remote, or hybrid workforce, companies increasingly find that traditional network security, like firewall policies, no longer provides a complete data security solution. As malicious actors seek to find new exploits, organizations need ways to secure the data itself, not just the places where they store, transmit, collect, and process it. Understanding what content threat removal is and how to use it as an effective data security solution can proactively mitigate cybersecurity risks. At the same time, knowing the gaps in content threat removal – and how Positive Selection technology offers all the benefits of CTR but fills the gaps – is also important to fully assessing your content risk.

So, What is Content Threat Removal?

Content threat removal (CTR) is a data security solution that secures content from undetectable threats, such as malware embedded in digital content. CTR platforms provide proactive threat detection by intercepting data that users share with each other, such as documents and emails. These solutions then remove risky elements, such as macros or scripts, that malicious actors use to hide malware. Once the data is “cleaned up,” the CTR solution forwards on the business information.

What are the Data Security Risks that CTR Addresses?

CTR solutions work to prevent cybersecurity risks inherent in daily digital content transfers. Increasingly, malicious actors use phishing attacks as a way to deliver malware.

Images

Although limited in reach, hiding malicious code in an image is often undetected. Image steganography toolkits are easy to find online and some offer no-code, drag-and-drop capabilities. As more companies place logos and employee photographs in their email headers, the likelihood of a potential image compromise increases.

Portable Document Formats (PDFs)

Many organizations use PDFs as a way to prevent unauthorized changes to a document. PDFs are a readable format that “lock” users from being able to change the content. The recipient needs to download the document and open it in an application that can read it. The information displays as intended and prevents the reader from undermining the data integrity. For example, when a company hires a consultant, it may send the contract or internally generated content in PDF form. The recipient can add a text box overlay on top of the locked PDF but cannot change the substantive data in the document itself.

However, PDF file structures make them susceptible to malicious code insertion at various points within the file structure, including:

  • Header
  • Body
  • Cross-reference table
  • Trailer

Documents

People rely on documents as a way to communicate internally and externally. Business-critical document types include:

  • Word documents
  • Excel spreadsheets
  • PowerPoint presentations
  • Google Docs
  • Google Sheets
  • Google Slides

Knowing that businesses need to use these documents, malicious actors often try to place malicious code in them. For example, Microsoft Office leverages macros as a way to automate tasks, but malicious actors insert macro malware into these documents as a way to infiltrate corporate devices, networks, and software.

Google Suite can also be compromised. Particularly with the rise of a remote and hybrid workforce, Google Docs, Sheets, and Slides become an effective entry point. In August 2020, cybercriminals found a way to exploit the “manage versions” capability.

How does CTR work?

At a high level, CTR detects all code embedded in business communications, removes the it, then forwards the relevant file to the intended recipient. Files often include embedded code, such as Macros, that are innocent, but innocent code can be manipulated by malicious actors.  Many organizations think that using an anti-virus tool will protect them from malware hidden in images, PDFs, and documents. However, while most malware hides in content, not all content contains malware.

Identify

CTR assumes that all digital content, both active and passive, is risky. In many ways, CTR takes a similar approach to data that a “zero trust” architecture takes to a network. Nothing is safe until the CTR confirms it.

With passive content, an application opens the content. The underlying assumption with passive content is that the application has no security flaws that can be exploited. However, in the real world, this is not always the case.

With active content, the data defines whether an application will open it or not. In most cases, active content is detected by anti-malware tools that notice something risky in the data and tell the application not to open it.

Block

After identifying all content, CTR then blocks active content, which is good for security but bad for end-users. CTR differs from anti-virus blocking because it looks at the content without comparing it to a known pattern. Anti-virus protects only against known unsafe patterns, while CTR blocks all active content. CTR prevents the following issues:

  • False positives: incorrectly flagging innocent content as malicious
  • Time lags: the time between detecting new malware and deploying update
  • Cybercriminal targeting: malware that disables antivirus

Simultaneously, blocking active content can be a problem for the person receiving the document. For example, if a sender has active content embedded in a PDF, the person receiving the document may get an error message and be unable to open it.

Extract

CTR takes all files transferred, both active and passive, and extracts the relevant business information. CTR dissects content based on the content’s template, including data like:

  • Document.xml
  • oleObject.bin
  • [Content_Types].xml
  • App.xml
  • Core.xml
  • Container

This enables organizations to mitigate the risks associated with macros while continuing to deliver business-critical information necessary for workforce collaboration.

Rebuild

After breaking the files down into the component parts, CTR rebuilds the business information on top of a safe, clean template. Often, the solution includes some of the following capabilities:

  • Replacing Document.xml, app.xml, and core.xml with safe pre-set elements
  • Processing embedded objects
  • Analyzing content directories
  • Repackaging files

In other words, CTR removes the business level information such as words or numbers that the sender intended to share, removes code that cybercriminals use to deliver malware, and sends clean information to the receiving party.

Why Does CTR Secure Data Better than Some Other Tools?

CTR helps ensure that an organization’s workforce can communicate using traditional technologies while mitigating the problems that many anti-virus solutions create.

Continuous Threat Protection

Since CTR cleans all content the same way, organizations can enhance their security posture without worrying about outdated application algorithms and software development delays. Since CTR proactively sanitizes all incoming content, it prevents the risks that previously unknown, or “zero-day,” file-level attacks can cause. Additionally, it applies the same level of security for all files, no matter how they come into an organization, including:

  • Email messages
  • Email attachments
  • Links
  • Web uploads and downloads
  • Password-protected files
  • Zipped files

Speed

CTR does not block or quarantine files before passing them on. Many file-level security tools require manual touchpoints, such as approvals or review, before releasing files to recipients. CTR instantly sanitizes and delivers information so that companies maintain security and productivity. Files can be sanitized in milliseconds without negatively impacting network or file-sharing speed.

Reduced Noise from False Positives

CTR technology focuses on finding the “safe elements” in a file rather than blocking risks. Since cybercriminals continuously evolve their malware code, even the best anti-virus solutions can send security teams false positives. With CTR, safe information is extracted from a file then rebuilt in a matter of seconds. This approach eliminates the need for security teams to review alerts associated with “predictive” technologies and ensures they can focus on securing other areas of the IT stack.

Why does Positive Selection technology secure data better than CTR?

Positive Selection offers all the benefits of CTR but removes the end-user frustrations. When CTR removes suspicious elements like macros, it can negatively impact a file’s integrity. For example, if a Word document is converted to a PDF, the PDF may have Active.AllowAcroForms active content. CTR will remove the active content. However, this process might lose important formatting that can make the business-critical information unusable, like removing columns for financial data.

Positive Selection solves the problems traditionally associated with CTR. By dissecting the file into content, templates, and objects, Positive Selection retains content, text, and layout. Positive Selection also allows organizations to create safe file templates to prevent formatting or data integrity issues.

How Votiro Protects Data While Reducing Risk 

In the modern world, clean data means secure business operations, which is why many companies use anti-virus and CTR tools. However, while those technologies provide security, they also come with end-user issues that reduce productivity or negatively impact data integrity. Votiro’s Secure File Gateway protects organizations from traditional malware threats without reducing productivity. Our Positive SelectionTM technology works in the background to extract a file’s safe elements to eliminate the risks of embedded malicious code without impacting your end-users’ ability to do their jobs.

Votiro’s Secure File Gateway for Email protects against potential risks associated with business email compromise. When someone sends an email with malicious code embedded in either the email or an attachment, our Secure File Gateway for Email scans for all the safe content, rebuilds it, and then forwards it to the recipient–all without impacting the time it takes to get there.

For organizations to ensure continued security, they need to take proactive steps and stay more than one step ahead of cybercriminals. Votiro offers organizations peace of mind knowing that their workforce can stay secure without having a negative impact on the day-to-day data sharing activities necessary to stay productive in a competitive business landscape.