Preventing file-based attacks on critical networks

Oren Dvoskin, Sasa Software

File-based attacks, in which bad actors send files, such as Word documents or Adobe Acrobat PDFs, containing embedded malware that executes once an intended target opens the file, remain among the most popular ways that malefactors compromise PCs.


“The challenge with file-based attacks is a combination of their delivery routes, together with the relative ease of creating weaponised content that is capable of evading detection,” says Oren Dvoskin, global marketing director at Sasa Software, who will be presenting on 'How to prevent file-based attacks on critical networks’, at the ITWeb Security Summit 2020, to be held as a virtual event from 25 to 28 August.

He says that, unlike other vectors, file-based attacks usually begin with ingestion via a legitimate content route such as email, Web browsing, business file transfers, and even portable (USB) devices.

“Files from these routes are allowed into the organisation and bypass security layers,” adds Dvoskin. “This is combined with the fact that malware is increasingly sandbox-aware, and obfuscated in ways that signature-based scanning, as well as next-gen detection, are often ineffective in blocking the threats.”

ITWeb Security Summit 2020

Register now for the ITWeb Security Summit 2020 virtual event, and experience four days of international keynotes, sessions and workshops all for one price. The event will feature over 50 speakers, with all content being made available on demand online.

When it comes to why businesses aren't defending themselves successfully against these attacks, he says this boils down to a combination of factors. Firstly, the belief that detection-based technologies are enough to stop the attacks.

“Specifically, the reliance on endpoint detection and response (EDR) solutions. In reality, EDRs and intrusion detection serve as a last line of defence, to alert of anomalous activities indicating that the organisation has been compromised. That is, assuming the anomaly was detected in the first place,” says Dvoskin.

“Next, and unfortunately, something we see with too many organisations, is the lack of proper network separation. Many organisations have ‘flat’, highly interconnected networks, and lack sufficient security controls between network segments, including those with critical OT/ICS operations,” he explains.


This puts businesses at extreme risk since today’s attackers strive for an enterprise-wide impact. “The lack of proper segmentation can lead to severe operational disruptions,” Dvoskin stresses.

During his presentation, he will review recent attack patterns which behave as he has described, using mutations of known threats that enter organisations via “trusted” channels, and will talk about fundamental prevention-focused security steps.

He will also discuss how the journey to a better security posture starts with accepting that prior practices aren’t sufficient, especially with the trend of wiper ransomware incidents that have been seen since early 2019.

When a detection technology inspects a file, “no threat found” doesn’t necessarily mean the file is safe; it could still be malicious. “It’s therefore imperative to consider technologies such as content disarm and reconstruction (CDR) that ensure files received are harmless (neutralised), even if they originally carried undetectable weaponised content that has never been seen before.”
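The CDR idea Dvoskin refers to, reduced to a small worked example. This is an added illustration, not code from the article or from Sasa Software's product: a .docx package is rebuilt from an allow-list of known document parts (so a VBA project and OLE embeddings are never copied, regardless of whether anything recognises them as malicious), the relationship and content-type manifests are rewritten so the result is still a well-formed package, and the macro-enabled main part is downgraded to a plain document. The allow-list, the constructed sample document and the stand-in binary parts are assumptions for the example; a real CDR engine also rebuilds the document body itself (field codes, external links, references to stripped objects), which this example leaves untouched.

```python
"""Minimal content disarm and reconstruction (CDR) for an OOXML (.docx) package.
A fresh package is rebuilt from an allow-list of parts a plain document needs, so
macros, OLE objects and anything unexpected are never copied; the manifests are
then rewritten so the result stays well-formed. Simplified illustration only."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Parts a plain Word document may carry (assumed allow-list). vbaProject.bin,
# embeddings/* (OLE), activeX/*, customXml/* and anything unknown are not on it.
ALLOWED = re.compile("|".join(f"(?:{p})" for p in [
    r"\[Content_Types\]\.xml",
    r"_rels/\.rels",
    r"word/document\.xml",
    r"word/_rels/document\.xml\.rels",
    r"word/(styles|settings|fontTable|numbering)\.xml",
]))

def read_parts(package: bytes) -> dict:
    # Map every file part of an OPC zip package to its raw bytes.
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n) for n in z.namelist() if not n.endswith("/")}

def _resolve(rels_name: str, target: str) -> str:
    """'word/_rels/document.xml.rels' + 'vbaProject.bin' -> 'word/vbaProject.bin'."""
    if target.startswith("/"):
        return target.lstrip("/")
    base = posixpath.dirname(posixpath.dirname(rels_name))  # step out of _rels/
    return posixpath.normpath(posixpath.join(base, target))

def _prune_rels(rels_name: str, data: bytes, dropped: set) -> bytes:
    """Remove relationships that point at parts that were not copied."""
    root = ET.fromstring(data)  # untrusted XML: use a hardened parser in production
    for rel in list(root):
        if rel.get("TargetMode") != "External" and _resolve(rels_name, rel.get("Target", "")) in dropped:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def _prune_content_types(data: bytes, dropped: set) -> bytes:
    """Drop manifest entries for removed parts; downgrade a macro-enabled main part."""
    root = ET.fromstring(data)
    for node in list(root):
        if node.tag != f"{{{CT_NS}}}Override":
            continue
        if node.get("PartName", "").lstrip("/") in dropped:
            root.remove(node)
        elif node.get("ContentType") == MACRO_MAIN:
            node.set("ContentType", PLAIN_MAIN)  # the .docm becomes a plain .docx
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def disarm_docx(original: bytes):
    """Return (rebuilt package bytes, sorted names of the parts that were dropped)."""
    parts = read_parts(original)
    dropped = {n for n in parts if not ALLOWED.fullmatch(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, data in parts.items():
            if name in dropped:
                continue
            if name == "[Content_Types].xml":
                data = _prune_content_types(data, dropped)
            elif name.endswith(".rels"):
                data = _prune_rels(name, data, dropped)
            dst.writestr(name, data)  # fresh entry; original zip metadata is not reused
    return out.getvalue(), sorted(dropped)

def build_sample_docx() -> bytes:
    """Constructed sample: a macro-enabled document carrying one embedded OLE object."""
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            f'<Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{rel}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{rel}oleObject" Target="embeddings/oleObject1.bin"/>'
            f'<Relationship Id="rId3" Type="{rel}styles" Target="styles.xml"/></Relationships>',
        "word/styles.xml": f'<w:styles xmlns:w="{w}"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for an OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    rebuilt, dropped = disarm_docx(build_sample_docx())
    print("dropped:", dropped, "kept:", sorted(read_parts(rebuilt)))
```

The point of the design is the one the quote makes: nothing here decides whether `vbaProject.bin` is malicious, so a never-before-seen payload is removed just as reliably as a known one. The cost is fidelity, which is why production CDR products keep a much richer allow-list and reconstruct the body content rather than copying `document.xml` verbatim.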

Another takeaway from Dvoskin’s presentation will be the importance of re-designing network perimeters. “There is increasing pressure on security architects to enable the need for unlimited, cloud-based connectivity. However, this introduces significant risks. Security incidents are inevitable, and with insufficient network separation controls, an initial breach can become a catastrophe. A ship shouldn’t sink if a single compartment is compromised.”