
Is Deep CDR On Your Radar?

By Josh Neame, Chief Technology Officer at BlueFort Security

I often paraphrase the timeless speech US Secretary of State for Defence Donald Rumsfeld gave when he talked about the most difficult threats being the ‘unknown unknowns’. It’s a fitting concept when it comes to cybersecurity because it applies to so many areas and illustrates, in simple terms, the general unpredictability of the threat landscape.

Zero-Day Threats On The Increase

The obvious example (though there are many others) is zero-day threats. While there are numerous known vulnerabilities – including almost 300,000 publicly disclosed vulnerabilities catalogued by the CVE Program – which security teams must review, prioritise, and address, the most dangerous are those that are not yet known. They are called zero-day threats because the responsible party (for example the software developer or vendor) has had exactly zero days to fix the vulnerability. After all, you can’t fix a problem you don’t know exists.

In late 2024, the National Cyber Security Centre (NCSC), alongside its ‘Five Eyes’ counterparts in Australia, Canada, New Zealand, and the United States, issued an advisory listing 15 of the most routinely exploited vulnerabilities of the previous year. According to the NCSC, zero-day exploitation is on the increase. The majority of these key vulnerabilities were first exploited in the wild as zero-days, and threat actors used this to compromise higher-priority targets. The routine exploitation of zero-day vulnerabilities, which continued in 2024 (and we can safely assume into 2025), was referred to by NCSC Chief Technology Officer, Ollie Whitehouse, as “the new normal” both vendors and end-user organisations need to adapt to.  

From Patch Tuesday to Tech Talk Tuesday

Patching vulnerabilities, once they are identified, is very much part and parcel of the software lifecycle, and subsequently of the IT security lifecycle. In the early 2000s, Microsoft’s ‘Patch Tuesday’ set the benchmark for many popular software providers in releasing information about vulnerabilities and distributing patches regularly – specifically on the second Tuesday of every month. Despite the potential for withholding a known vulnerability for several weeks (and the natural emergence of ‘Exploit Wednesday’), this patching calendar is a helpful tool for IT security teams managing a vulnerability management process.

Alerts for the third Patch Tuesday of 2025 show Adobe releasing seven bulletins addressing 37 CVEs in Adobe Acrobat Reader – a reminder that application vulnerabilities are still one of the most common vectors threat actors will utilise to compromise target organisations. Both simple file formats like Word documents and PDFs, as well as more complex files like Autodesk CAD, can be used as vehicles to deliver hidden malicious payloads. Typically, functionality like embedded objects, macros, hyperlinks, or scripting will be used to trigger the execution of malicious content that can compromise systems and lead to backdoor malware distribution, remote access, and privilege escalation.

Exploiting both existing and zero-day vulnerabilities within commonly used productivity applications is so effective both because it draws on the human element, and because traditional security tools cannot guarantee detection of every possible type of malware hidden within these files. Social engineering techniques like spear phishing are used to encourage people to open compromised files, and with millions of novel or modified strains of malware emerging annually – including those specifically created to target and avoid detection from existing anti-virus solutions, sandboxes and anti-malware engines – the odds are that an attack will break through eventually.

For security teams, building an effective defence for this type of attack vector – like many others – is a balancing act between protecting the organisation and impacting user productivity. On Tuesday 25th March, I’ll be hosting my Tech Talk Tuesday (a distant cousin of Patch Tuesday!) where I’ll be doing a deep dive into Deep Content Disarm and Reconstruction (CDR) – a technology that is emerging as a critical tool in this area. You can register to join my ‘Deep CDR in 20 Minutes’ webinar here.

What is Deep Content Disarm and Reconstruction (CDR)?

CDR stands for content disarm and reconstruction. Also known as data sanitisation, CDR is an advanced proactive threat prevention technology that doesn’t rely on detection, and can protect against exactly this type of threat.  

It follows the zero-trust philosophy by treating every file that enters the organisation as malicious. When a file is received, the CDR technology follows a three-step process:

  1. Identification: When a file is received, the CDR verifies the file type and identifies all of the active embedded content within the file. Files are evaluated against more than 4,500 known file types to verify their true format, and file extensions are checked to see whether something complex is masquerading as a simpler file. Files are scanned to identify any embedded active content that may pose a risk to the organisation – for example macros, hyperlinks and object linking and embedding (OLE) objects – and anything deemed to be malicious is flagged to the security team.
  2. Sanitisation: Any potentially malicious content is removed, and the file is reconstructed to a known good standard using only legitimate components. By separating file elements into discrete components, the technology can remove potentially malicious elements before reconstructing the metadata and file characteristics in a way that retains the integrity of the original file structure and functionality.
  3. Delivery: The finished product is delivered quickly and securely as a threat-free file to the user, while the original file is quarantined for backup or additional investigation. This applies to both simple and complex files; for example, it won’t remove animation from a PowerPoint file and leave the user with a dumbed-down version of the original.

As the files are dissected in this way, any potential threat is removed – whether or not it is a known threat that existing security controls would have picked up. For this reason, CDR technology is highly effective for preventing the type of zero-day targeted attacks and threats that are becoming increasingly common, even those that are equipped with malware evasion technology, such as fully undetectable malware, VMware detection, and obfuscation.
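To make the three-step process concrete, here is an added, deliberately small illustration of the identify, sanitise and deliver stages for Office Open XML documents (docx/xlsx/pptx, which are zip packages). It is example code written for this article, not OPSWAT’s Deep CDR implementation: it checks the real file type against the extension by magic bytes, strips macro, OLE, ActiveX and external-hyperlink parts and their relationships, and rebuilds the package from the remaining parts; the sample document it processes is constructed inline.

```python
import io, re, zipfile

# Magic-byte signatures, the type each extension should carry, and the package members, relationships and content-type overrides that hold active content.
MAGIC = {b"PK\x03\x04": "ooxml", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}
EXPECTED = {"docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml", "pptx": "ooxml", "pdf": "pdf", "doc": "ole"}
ACTIVE_PART = re.compile(rb"(vbaProject\.bin$|/embeddings/|/activeX/)", re.I)
ACTIVE_REL = re.compile(rb'<Relationship\b[^>]*Type="[^"]*/(hyperlink|vbaProject|oleObject|control)"[^>]*/>', re.I)
ACTIVE_OVERRIDE = re.compile(rb'<Override\b[^>]*PartName="[^"]*(vbaProject\.bin|/embeddings/|/activeX/)[^"]*"[^>]*/>', re.I)

def identify(name, data):
    """Step 1: take the real type from magic bytes and flag an extension that disagrees with it."""
    ext = name.rsplit(".", 1)[-1].lower()
    actual = next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")
    return {"ext": ext, "actual": actual, "masquerading": EXPECTED.get(ext) not in (None, actual)}

def sanitise_ooxml(data):
    """Steps 2-3: drop active parts, sever their relationships and rebuild a clean package."""
    removed, kept, out = [], [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if ACTIVE_PART.search(info.filename.encode()):
                removed.append(info.filename)  # the part is left behind with the quarantined original
                continue
            body = src.read(info.filename)
            if info.filename.endswith(".rels"):
                body, n = ACTIVE_REL.subn(b"", body)  # macros, OLE objects, ActiveX, external links
                removed += [info.filename + ":relationship"] * n
            elif info.filename == "[Content_Types].xml":
                body = ACTIVE_OVERRIDE.sub(b"", body).replace(  # macro-enabled -> plain document type
                    b"application/vnd.ms-word.document.macroEnabled.main+xml",
                    b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
            dst.writestr(info.filename, body)
            kept.append(info.filename)
    return out.getvalue(), removed, kept

def cdr_process(name, data):
    """Whole pipeline: quarantine anything masquerading or unsupported, otherwise deliver the rebuilt file."""
    ident = identify(name, data)
    if ident["masquerading"] or ident["actual"] != "ooxml":
        return {"verdict": "quarantine", "reason": ident, "output": None, "removed": [], "kept": []}
    clean, removed, kept = sanitise_ooxml(data)
    return {"verdict": "deliver", "reason": ident, "output": clean, "removed": removed, "kept": kept}

def build_sample():  # constructed input, not a real document: a macro-enabled docx with a VBA project, an OLE object and an external link
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", b"<w:document><w:body><w:p>Quarterly report</w:p></w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-macro-blob")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed-ole-blob")
        z.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/" TargetMode="External"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
    return buf.getvalue()
```

A production CDR engine does the same for thousands of formats and also re-renders the surviving content rather than copying parts through, which is what keeps features like PowerPoint animations intact; the point here is only the shape of the pipeline.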

Deep CDR In High-Value Target Industries

While Deep CDR technology will benefit any organisation, it’s becoming an important tool for high-value target industries like financial services, as well as operational technology (OT)-rich environments like defence and critical infrastructure. 

At BlueFort, we work with a select group of carefully vetted vendors to ensure our customers have access to the tools and expertise needed to effectively deploy emerging technology solutions like Deep CDR. OPSWAT is a leader in critical infrastructure technology, and is trusted by more than 1,700 organisations worldwide to protect their critical data, assets, and networks from device and file-borne threats. BlueFort has partnered with OPSWAT because its Deep CDR technology is market-leading, and the first and only CDR technology to achieve a 100% total accuracy rating from SE Labs.

OPSWAT’s solutions are specifically focused on securing critical infrastructure. Join me for my Tech Talk Tuesday to hear more about how OPSWAT’s Deep CDR supports heavily regulated, OT-rich, or high-profile organisations, and how you can use it to significantly improve your organisation’s cybersecurity posture, prevent downtime, and meet industry regulations.

It’s a short 20-minute discussion, where I’ll be covering:

  • What Deep CDR is, how it works, and why it is becoming essential for financial services, defence, and other critical infrastructure targets.
  • How and why the financial, OT-rich and defence sectors are adopting Deep CDR.
  • How Deep CDR neutralises hidden malware, exploits, and zero-day threats.
  • Implementation and best practice for integrating Deep CDR into your cybersecurity strategy.

Register to join the ‘Deep CDR in 20 Minutes’ webinar here.
