The Challenge of Identifying File-borne Breaches and Incidents

Posted on 2022-09-02 by Pedram Amini

Pop Quiz: What do these acronyms (DOC, GIF, HTML/HTM, JPG/JPEG, MP3/MP4, MPG/MPEG, MOV, PDF, PNG, RAR, RTF, ZIP) have in common?

For most of our readers, the answer is simple. These are file extensions any Internet denizen will encounter while reading emails, downloading files, or viewing websites. Most of them are so pedestrian, and encountered so frequently, that we don't give them a second thought. Like vehicle brands on the highway, instantly recognized and accepted, we just go about our daily lives opening them, saving them, forwarding them, and so on. And therein lies exactly the problem.

The average Internet user sees a harmless file that contains something to be read, viewed, or run, either for pleasure or as a responsibility. They just want to get on with their daily task list. Attackers, much like drug smugglers, see this complacency as an opportunity: vehicles where illegal substances can be hidden from view in the undercarriage, a door panel, or some other area that no one commonly (or easily) checks on a moment-by-moment basis. Next thing you know, you've been phished, or ransomware has locked up your business.

We need not ask whether this is a significant security matter. It's easy enough to find "whew, glad it's not me" headlines on an increasing basis. The question is, why, after all of our defense-in-depth efforts over literally years now, are file-borne breaches and incidents still so rampant and effective? And, by extension, could you be next?

First, let's consider the scale of the problem. In a typical large organization, thousands to tens of thousands of new files may enter the network daily via email, web connections, or end-user devices connecting directly or via VPN, all of which are then in motion, in use, or at rest within your environment.

Second, the problem is compounded by the 'asymmetric advantage' afforded to threat actors. It is trivial to layer files within one another arbitrarily, and nontrivial to detect that it has been done. In fact, the trend we're seeing is toward an increased use of multi-layered threats.

As an example, it could begin as an email containing a malicious link, malicious logic, or perhaps an exploit. Just considering the case of a "bad link", imagine the link is resident in a Microsoft Office document, embedded within a PDF, which is then compressed into a password-protected Zip archive. Your typical off-the-shelf email security solution has zero visibility here. And this is but one example of a myriad of plausible attack scenarios.
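The following is an added illustration, not code from the original post or from InQuest's products: a minimal Python walker that identifies each layer by magic bytes rather than by extension, expands zip containers (including Office OOXML files, which are zips themselves) recursively, and reports explicitly what it could not inspect, which for the scenario above is exactly the password-protected outer archive. It assumes nothing beyond the standard library; PDF-embedded objects are identified but not unpacked, and every sample file is a constructed stub built in memory.

```python
import io
import zipfile

MAX_DEPTH = 8  # stop expanding containers beyond this many layers
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0", "ole"), (b"{\\rtf", "rtf")]  # ole = legacy .doc/.xls

def sniff(data: bytes) -> str:
    """Classify a blob by magic bytes, ignoring whatever extension it carries."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")

def walk(data: bytes, path: str = "root", depth: int = 0, out=None) -> list:
    """Expand zip containers recursively, recording each layer's real type and
    every member that cannot be inspected (encrypted, corrupt, or too deep)."""
    out = [] if out is None else out
    if sniff(data) != "zip":
        out.append((path, sniff(data), depth, "ok"))
    elif depth >= MAX_DEPTH:
        out.append((path, "zip", depth, "unscannable: depth limit"))
    else:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # OOXML (.docx/.xlsx) is a zip with this fixed marker member
                label = "docx" if "[Content_Types].xml" in zf.namelist() else "zip"
                out.append((path, label, depth, "ok"))
                for info in zf.infolist():
                    child = f"{path}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted member
                        out.append((child, "zip-member", depth + 1, "unscannable: encrypted"))
                    elif not info.is_dir():
                        walk(zf.read(info), child, depth + 1, out)
        except zipfile.BadZipFile:
            out.append((path, "zip", depth, "unscannable: corrupt"))
    return out

def zip_blob(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample(extra_layers: int = 0) -> bytes:
    """Constructed sample: zip -> stub .docx (itself a zip) + stub PDF, optionally wrapped deeper."""
    docx = zip_blob({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    blob = zip_blob({"invoice.docx": docx, "brochure.pdf": b"%PDF-1.7\n%stub\n"})
    for _ in range(extra_layers):
        blob = zip_blob({"layer.zip": blob})
    return blob
```

Every row whose status is not "ok" is a blind spot to act on (quarantine, or route to a tool that can open it), rather than something silently passed through.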

Third, there is no silver bullet. Regardless of what static or dynamic file analysis solutions you stack in front of your users, clever actors will eventually find a way around them, at least temporarily. To protect users, we must also revisit the material they have already received, which we now know should never have made it through in the first place. Enter the power of automated remediation fueled by InQuest RetroHunting.

Fortunately for the commercial world, this class of security problem plagued the Pentagon user community for years. And from that dilemma, a new approach was born: File Detection and Response, or FDR. Here at InQuest, we are 100% focused on FDR.

The security industry widely accepts that prevention is now, and forever will be, wholly insufficient on its own as a defense-in-depth strategy. Detection and response is the focus these days. That is not a revelation. What is worth asking, however, is "Will my organization have the bases covered with EDR, NDR, and XDR?" Our belief, shared by our customers, is that those solutions, while each has its own merit, do not form a complete detection and response picture. FDR is the missing link.

Want to learn more? Check out our overview here. But if you prefer a few simple takeaways, consider this:

  • The number of files in your environment is undoubtedly large and growing
  • Adversaries are very skilled at embedding well-cloaked malware, ransomware, phishing, scam and fraud tricks in files - continuing to fuel the end-user security gap
  • Traditional detection and response approaches are simply not covering this gap
  • InQuest FDR is the answer to closing the end-user security gap

Have coworkers or compatriots who might prefer a quick minute-and-a-half video on the topic? Check out this video.

Thanks for your interest in InQuest!
