British innovation targets file manipulation malware

Innovative British security software firm Glasswall Solutions is tackling the growing threat of malware that tampers with files and exploits structural weaknesses in popular business document formats

Cyber criminals are increasingly circumventing traditional signature-based security controls by manipulating the file structures of business documents to hide malware.

According to innovative UK-based security firm Glasswall Solutions, 94% of all successful cyber attacks start with malicious documents attached to emails.

An analysis of nearly 140,000 malware samples from VirusTotal reveals that manipulated files account for most of the malware associated with Microsoft PowerPoint (87%) and PDF (75%) documents.

Malicious files account for nearly half of malware associated with Microsoft Excel and nearly a third of malware associated with Microsoft Word. The remainder is associated with macros and embedded files.

“The Word statistics are slightly less in the main due to the high number of macro attacks (69%), but given the volume of Word documents exchanged, 30% of structural vulnerabilities is still extensive,” said Chris Dye, vice-president of alliances at Glasswall.

Glasswall’s patented software is aimed at tackling this growing threat of malware that tampers with files and exploits structural weaknesses in popular business document formats.

The privately funded company is among the UK companies innovating in the field of information security. It is supported by leading security industry figures on its advisory council, including former GCHQ director Iain Lobban.

Taking employees out of the firing line

In January 2016, the company announced a partnership with cyber security consultancy group ZeroDayLab, which recognised the value of Glasswall’s technology while conducting an independent penetration test of its software.

At the time, ZeroDayLab managing director Kevin Roberts said: “Glasswall Solutions has developed a highly innovative answer to solve the single biggest cyber threat facing organisations worldwide, presented by the corruption of email-bound documents.”

Glasswall’s philosophy is simple: focus on the known good and use a policy-driven approach to take employees out of the firing line by not relying on them to identify document-related risks.

“Relying on employees to recognise phishing emails is unrealistic, which is why taking control at the network gateway through granular policy management is essential,” said Greg Sim, chief executive officer at Glasswall.

Zero-day attacks

The software also significantly reduces the risk of increasingly popular ransomware attacks, which are mostly delivered through malicious email attachments and links that Glasswall is designed to strip out before they ever reach employees.

Traditional security controls have tended to focus on identifying known bad, but with hundreds of thousands of malware samples being identified each day, it is becoming increasingly difficult for such technologies to keep up with the rapidly shifting and evolving threats.  

By assuming files are good until they are known to contain bad, traditional security controls fail to protect organisations from exposure to unclassified threats commonly known as zero-day attacks.

The Glasswall software works by breaking attached document files down to byte level, searching only for “known good” and matching the file structures against manufacturers’ file format standards to pass on to users clean, regenerated files.

The underlying principle is that the most commonly used files will have a design standard or structure and that a file conforming to its design standard is safe. This is because a file will no longer conform to the standard if cyber attackers have tampered with it.

The approach is to assume every file is potentially bad until proven otherwise by checking it at a binary level against its manufacturer’s design standard to allow in only files known to be good.

Using this approach, the Glasswall software is able to identify instances where attackers have changed just two bytes in a PDF file to crash the reader software and trigger malware, or have hidden malware in the whitespace at the end of the file.

“The technology will reconstitute the file with the whitespace and malware removed by returning the end of file indicator to where it should be according to standard for the PDF format,” said Sim.

This means Glasswall software will even eliminate malware embedded in a legitimate business document sent from a trusted partner that has been compromised by attackers.
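As an added illustration of the "known good" structural check described above (not Glasswall's code, and only three checks rather than thousands), the Python sketch below verifies a PDF's header, its final `%%EOF` marker and its `startxref` pointer, then returns a copy with everything after the end-of-file marker dropped. The function names and the sample file are constructed for this example.

```python
import re

EOF = b"%%EOF"
ALLOWED_TAIL = (b"", b"\n", b"\r", b"\r\n")  # at most one end-of-line after %%EOF

def check_pdf(data: bytes):
    """Return (findings, regenerated); regenerated is None if no %%EOF exists."""
    findings = []
    if not re.match(rb"%PDF-\d\.\d", data):
        findings.append("header: file does not start with %PDF-x.y")
    eof_at = data.rfind(EOF)  # last marker is the real end (incremental updates)
    if eof_at < 0:
        return findings + ["trailer: no %%EOF marker"], None
    end = eof_at + len(EOF)
    tail = data[end:]
    if tail not in ALLOWED_TAIL:
        findings.append(f"trailer: {len(tail)} bytes after final %%EOF")
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\Z", data[:end])
    if not m:
        findings.append("trailer: no startxref before final %%EOF")
    else:
        target = data[int(m.group(1)):][:32]
        if not (target.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj", target)):
            findings.append("trailer: startxref does not point at a cross-reference section")
    # Regenerate: keep bytes up to the end-of-file marker plus one newline.
    return findings, data[:end] + b"\n"

def build_sample(padding: bytes = b"") -> bytes:
    """Constructed one-object PDF skeleton; `padding` is appended after %%EOF."""
    body = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    xref = b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    trailer = b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n%d\n" % len(body)
    return body + xref + trailer + EOF + b"\n" + padding

if __name__ == "__main__":
    # Constructed test input: whitespace followed by inert marker text.
    tampered = build_sample(b" " * 64 + b"CONSTRUCTED-TRAILING-DATA")
    findings, clean = check_pdf(tampered)
    print(findings)
    print("regenerated file matches untampered sample:", clean == build_sample())
```
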

Avoiding interference in real time

In the case of PDF files, Glasswall performs more than 3,000 conformance checks against the ISO 32000 standard in near real time to avoid any interference with business processes.

According to Dye, processing time is minimal, with most files checked and sanitised in under 250 milliseconds, with some being passed on to users in as little as 10 milliseconds to maintain business continuity.

“Because it is 100% software-based, it is scalable with no license restrictions on architecture and flexible enough to deploy anywhere along the email chain, on premises or in private cloud environments,” he said.

The Glasswall software enables organisations to set policies and apply these to specific users or groups, such as allowing Excel files with macros only for the finance department.

By ensuring only known good files are allowed in and out, Sim said an organisation not only reduces the risk of file-based malware, but also promotes trust by making it safer to do business with.

Safer business

“It also means that organisations can exchange work documents with suppliers and partners without fear of file-based infections or reputational damage from file-based targeted attacks,” he said.  

The ability to apply policy at a granular level and ensure that best practice, audit and compliance requirements are adhered to will become increasingly important, said Sim, when the EU General Data Protection Regulation (GDPR) comes into force.

The current version of the GDPR, which is widely expected to be adopted and put into force by early 2018, provides for fines of up to €10m or 2% of turnover for failure to implement appropriate security controls. It also provides for fines of up to €20m or 4% of worldwide annual turnover, whichever is greater, for serious data breaches.
