The Challenge of Identifying File-borne Breaches and Incidents

The Challenge of Identifying File-borne Breaches and Incidents

Have you ever wondered what DOC, JPG/JPEG, PDF, and ZIP have in common? 

They are all file extensions that have become commonplace in our daily interactions with the internet. These acronyms are ubiquitous and so widely used that we often take them for granted. They have become as familiar to us as the logos of car brands on the highway that we instantly recognize without thinking twice. However, this familiarity can also create a potential problem as we casually open, save, and forward files without considering the risks that may be associated with them.

The average Internet user sees a harmless file that contains something to be read, viewed, or run – either for pleasure or as a responsibility. They just want to get on with their daily task list. Attackers see this complacency as vehicles where illegal substances can be hidden from view in the undercarriage, a door panel, or some other area of a vehicle that no one commonly (or easily) checks on a moment-by-moment basis. Next thing you know, you’ve been phished, or ransomware has locked up your business.

We need not ask if this is a significant security matter. It’s easy enough to find, “Whew, glad it’s not me” headlines on an increasing basis. The question is, why – after all of our defense-in-depth efforts, literally for years now – are file-borne breaches and incidents so rampant and effective? And, by extension, could you be next?

First, let’s consider the scale of the problem. In a typical large organization, there could be thousands to tens of thousands of new files entering your network daily via email, web connections, or end-user devices connecting directly or via VPN – all of which are now in motion, in use, or at rest within your environment.

Second, the problem is compounded by the ‘asymmetric advantage’ afforded to threat actors. It is trivial to arbitrarily layer files within one another and nontrivial to detect. In fact, the trend we’re seeing is toward an increased use of multi-layered threats.

As an example, it could begin as an email containing a malicious link, malicious logic, or perhaps an exploit. Just considering the case of a “bad link”, imagine the link is resident in a Microsoft Office document, embedded within a PDF – which is then compressed into a password-protected Zip archive. Your typical off-the-shelf email security solution has zero visibility here. And this is but one example of an infinite myriad of plausible attack scenarios.

Third, there is no silver bullet. Regardless of what static or dynamic file analysis solutions you may stack in front of your users, clever actors will eventually find a temporary way around them. To protect users, we must reconsider the materials they may have already received, that we now know should not have made it through in the first place. 

Fortunately for the commercial world, this class of security problem plagued the Pentagon user community for years. And from that dilemma, a new approach was born: File Detection and Response, or FDR. 

The security industry widely accepts that prevention is now – and forever will be – wholly insufficient as a security defense-in-depth approach. Detection and response is the focus these days. That is not a revelation. What is worth asking, however, is “Will my organization have the bases covered with EDR, NDR, and XDR?” Those solutions – while each with its own merit – do not form a complete detection and response picture. FDR is the missing link.