Stopping Threats with Advanced CDR Technology

Security Controls
Jul 30, 2018

Cyber defenses are a must for all enterprises, yet many companies deploy solutions that are powerless in an environment where undisclosed and zero-day attacks abound. With cybercriminals becoming more sophisticated than ever and investing enormous effort in preparing successful targeted attacks, a revolutionary approach to cyber protection is required.

This patented Advanced Content Disarm and Reconstruction technology provides the ultimate solution for stopping undisclosed and zero-day threats before they come through an organization’s door.

The Need

Today’s ever-increasing reliance on data brings with it elevated risks, threats, and vulnerabilities for organizations and communication networks, and many of these vulnerabilities are undetectable by traditional network security devices.1 In the past, cyber threats affected only a small portion of business activity. However, as the reliance on data continues to grow, so too does the impact of cyber threats on organizations’ business activity. With the increasingly aggressive nature of cyber attacks, novel approaches to security are needed to successfully protect organizations.

Exploiting a Vulnerability via Targeted Attacks

By design, an exploit targets a vulnerability in an application and typically triggers an intruder’s code. A vulnerability is a “hole” in an application—say, Adobe Reader— that can be exploited to launch an attack on a computer or network system. A common method used by attackers to exploit vulnerabilities is spear phishing: sending targeted email messages that contain a malicious attachment and look harmless to the recipients. When a recipient opens the attachment, malware is deployed and the targeted attack begins.

Life Cycle of a Vulnerability

A software vulnerability opens the door to cybercriminals. A person who discovers a vulnerability can use it to gain entry to a system and then obtain unauthorized access to data.

A vulnerability has a life cycle consisting of three stages: undisclosed, zero-day, and patched.

Stage 1: Undisclosed

At this stage, a vulnerability in an application, a system, or even hardware is unknown to the vendor or the security community but has been discovered by someone, possibly a researcher in a cyber warfare organization—or worse. This type of vulnerability presents a high security threat to everyone and can go undetected for years. Because the application’s vendor does not know of the vulnerability, countermeasures cannot be developed to prevent or block its exploitation. Undisclosed vulnerabilities are frequently used by groups that gather cyber intelligence or trade information to receive large cash payouts.

Stage 2: Zero-Day

At this point, the vulnerability has been disclosed to the vendor and the security community. A zero-day vulnerability is a software weakness that has just appeared for the first time, and no patch has been developed to overcome it. This type of vulnerability presents a high risk of exploitation; intrusion detection systems or traditional protection systems using signature-based detection might identify exploitation activity after gathering and extracting several samples, but an exploit that a hacker has manipulated will be able to avoid signature detection. Zero-day vulnerabilities can go unaddressed for some time, because vendors may take 90 days or even more to respond to reported threats.

Stage 3: Patched

At this stage, although the vendor has already issued a patch for the vulnerability, it can be opportunistically exploited in non-patched environments of out-of-date applications. Large organizations may be particularly susceptible to opportunistic attacks, because patch management is more cumbersome than in smaller organizations. The threat level at this stage is low, because the vendor has provided a patch.

ORIGONE's technology protects entities from cyber attacks brought on by exploits at all three stages of the vulnerability life cycle.

The Solution: Disarming Undisclosed and Zero-Day Exploits

The Advanced Content Disarm and Reconstruction technology is a proactive, signature-less method that targets the file formats that are most commonly exploited via spear phishing, other advanced persistent threats, and cyber attacks. The technology disarms exploit attempts before they reach the end-user environment.

To ensure a successful exploit, malware writers often carefully design and build multiple suspicious objects and embed them in a malicious complex file. For example, a Microsoft® Word file may contain an ActiveX® or OLE object to execute an attack, plus shellcode that is triggered by a malicious image or macro. (Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.) The Advanced Content Disarm and Reconstruction engine carefully inspects the file to identify malicious or suspect content and then, after extracting the malicious content, rebuilds the file in such a way as to retain its usability.

The Advanced Content Disarm and Reconstruction technology supports containers, such as ZIP and other archive files, as well as the files within the containers. In the latter case, multiple compressed layers are recursively decompressed, disarmed, and recompressed, preserving the files’ original functionality.


A malicious image has been attached to a targeted email message. The image contains embedded shellcode. For successful exploitation, the shellcode must run on the processor exactly as written, bit by bit. Think of shellcode as a lock in which all the pins must be precisely positioned for the lock to open. An image viewer is supposed to display the pixels of the attached image. However, the image contains an exploit, so an image viewer application that has a vulnerability will execute the exploit when displaying the image's pixels .

The  Advanced Content Disarm and Reconstruction process dissects the raw image data, restructures the bits (the exploit code embedded in the image), and then reconstructs the original file without the exploit code. Now the image viewer can display the pixels without running the exploit.