New study from CISA: CDR reduces risk content in files by >98%

New study from CISA: CDR reduces risk content in files by >98%

In a recent study from the Cybersecurity and Infrastructure Security Agency (CISA) that was presented at RSAC 2023 [1], Tom Ruoff and Dr. Olga Livingston showed results of a pilot assessment model for anti-malware controls that tested three CDR solutions in a chained configuration. The results showed that the CDR solutions reduced risk content in email attachments by more than 98%, when compared to a ‘static’ (i.e. not sandbox) detection-based control.

Ruoff, chief of the methodology branch in CISA’s vulnerability management division, said that the prototype platform has serial CDR, which feeds the results of one CDR product into a second product for review and then possibly a third. “What our research found is that CDR products — regardless of the name – are highly effective. But they are really, really effective when you use one, and then another, and then another.”

Content Disarm and Reconstruction (CDR) – until recently, a specialists tool –  is now arriving to the main stage, gaining attention due to the unique offering that combines sandbox-like efficacy, realtime processing, and broad applicability that spans all content, on all routes. Essentially, CDR delivers extreme content-borne threat mitigation – without compromising business efficiency – and frequently even enhancing it.

CISA's risk content reduction scoring and measurement platform

CISA’s ‘before and after serial CDR’ risk content reduction scoring platform presented at RSA 2023 (source: RSA ’23 [1])

Serial CDR delivered a very significant reduction in risk content in email attachments, compared to a detection-based (‘static’) tool (source: RSA ’23 [1])

CDR is an anti-malware technology that does not rely on detection to obstruct hidden malware in files – making it one of the few tools that can meet the challenge of zero-day malware, also known as ‘signature-less’, custom or morphing malware. This kind of malware is becoming more prevalent due to the growing involvement of nation-state sponsored cybercrime, the conglomeration of cyber gangs, and the most recent development – AI-enhanced malware development . ChatGPT has repeatedly been shown to be easily manipulated to deliver variant code snippets which can then easily be crafted into variant malware by skilled cyber criminals.

CDR can be considered a zero-trust technology even though it doesn’t have a place in current zero-trust models, because it does not require a lining-up of identity-authority-circumstance. Every incoming email and file are treated as if they are already compromised – with an equal level of distrust for all. To exemplify, in CDR’s ‘trust-less’ world, even the file type itself is suspect. Before doing anything else – CDR will ask questions such as:

  • Is this a file (or several files)?
  • What kind of file is it?
  • Is it what it claims to be?
  • What kind of content do I expect to see in such a file
  • What content shouldn’t be in this kind of file?
  • Where is the functional content stored in this kind of file?

To summarize, CDR can create an effective virtual content barrier around a network, if the CDR controls are positioned on all routes leading content into the organization. That includes email, file-transfer applications, web-downloads, USB imports, and any cross-network programmatic data transfers. CDR is a promising network security technology that should seriously be considered when seeking to notch-up network defenses to meet all types of content-borne threats.

View the presentation on line

GateScanner is a suite of CDR based anti-malware solutions delivering content sanitization on a variety of routes – including email, MFT (on-premises and cloud-based), web-download, USB import and API based data transactions.

Sasa Software develops CDR solutions to protect networks from file-based attack. Sasa Software’s GateScanner solutions are a staple components in the security infrastructure of critical networks in government, security agencies, infrastructure, enterprise and healthcare actors in Israel and around the world, since 2013.

Keywords: CDR, Content Disarm and Reconstruction, zero-day malware, content-borne threats, email security, content security, serial CDR, CISA, Cybersecurity and Infrastructure Security Agency 

[1] ‘Wanna Get Malware Out of Emails? CISA’s Latest Research’ – retrieved on June 20 from

Share on:


Scroll to Top
Scroll to Top