YoVDO

The Irrelevance of K-Bytes Detection - Building a Robust Pipeline for Malicious Documents

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Vulnerability Assessment Courses, Sandboxing Courses

Course Description

Overview

This conference talk covers how to build a robust document analysis pipeline for detecting malicious content across file formats, and why detection based on a few leading magic bytes (the "K-bytes" of the title) is not sufficient on its own. It examines the problems security teams face with weaponised PDFs, Office files, and legacy textual formats, then walks through the building blocks of an effective pipeline: true file type detection (as opposed to trusting the extension or a fixed magic-byte table), sandboxing, signatures, static and dynamic content inspection, isolation, and content disarm and reconstruction. The speakers also take the attacker's perspective, showing how malicious payloads evade each of these stages, and discuss evaluation criteria, file type detection pitfalls, and the trade-offs between real-time and offline pipeline designs. Presented by Dan Amiga and Dor Knafo, this 52-minute Black Hat session is aimed at practitioners responsible for document security in mail and web gateways.
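As an added illustration of the file type detection problem the overview refers to (this is example code written for this page, not material from the talk or from the speakers), the script below compares three verdicts on the same bytes: the filename extension, a fixed offset-0 magic-byte table, and a tolerant check that mimics how the consuming application actually behaves. The sample files are constructed inline. The viewer behaviours it encodes are well documented: Acrobat accepts the `%PDF` header anywhere within the first 1024 bytes, Word opens RTF that begins with the truncated keyword `{\rt`, and Office Open XML is a ZIP container identified by its `[Content_Types].xml` part.

```python
"""Added example: why a fixed magic-byte check disagrees with what a real
document viewer will open.  Not code from the talk; samples are constructed."""
import io
import os
import zipfile

# Naive "K-bytes" table: (prefix expected at offset 0, label)
MAGIC_AT_OFFSET_0 = [
    (b"%PDF-", "pdf"),
    (b"{\\rtf1", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),
]


def by_extension(filename: str) -> str:
    """Weakest signal: whatever the sender chose to call the file."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ext or "unknown"


def by_magic(data: bytes) -> str:
    """Fixed magic-byte detection: compare the leading bytes against a table."""
    for prefix, label in MAGIC_AT_OFFSET_0:
        if data.startswith(prefix):
            return label
    return "unknown"


def true_type(data: bytes) -> str:
    """Approximate what the consuming application will do with these bytes."""
    # Acrobat: the header only has to appear within the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    # Word: the RTF control word may be truncated to '{\rt' and still open.
    if data.lstrip().startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"
    # ZIP: inspect the central directory to tell OOXML from a plain archive.
    bio = io.BytesIO(data)
    if zipfile.is_zipfile(bio):
        with zipfile.ZipFile(bio) as zf:
            names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            if any(n.startswith("word/") for n in names):
                return "docx"
            if any(n.startswith("xl/") for n in names):
                return "xlsx"
            if any(n.startswith("ppt/") for n in names):
                return "pptx"
            return "ooxml"
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Return all three verdicts and flag any disagreement between them."""
    ext, magic, real = by_extension(filename), by_magic(data), true_type(data)
    return {"extension": ext, "magic": magic, "true_type": real,
            "mismatch": not (ext == magic == real)}


def build_docx_like() -> bytes:
    """Construct a minimal OOXML-shaped ZIP in memory (not a real Word file)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return bio.getvalue()


# Constructed samples (hypothetical names and contents)
SAMPLES = {
    # well-formed PDF: every detector agrees
    "clean.pdf": b"%PDF-1.4\n%%EOF\n",
    # junk before the header defeats an offset-0 check but not Acrobat
    "invoice.pdf": b"X" * 200 + b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n",
    # truncated RTF keyword: Word opens it, the '{\rtf1' table entry misses it
    "notes.doc": b"{\\rt\\ansi{\\*\\objdata ...}}",
    # OOXML given a .zip extension is still opened by Word based on content
    "archive.zip": build_docx_like(),
    # legacy OLE2 binary carrying a misleading extension
    "report.pdf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(name, blob))
```

The order of the rules in `true_type` is a policy choice, not a property of the formats: a polyglot can satisfy more than one rule, so a pipeline should treat multiple matches, or any disagreement between the three verdicts, as a reason to route the file to deeper inspection rather than silently accepting the first label.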

Syllabus

Introduction
Agenda
Problem Space
File Formats
Click Rates
Web Browsing Security
Mail vs Web
Document Analysis Pipeline
Evaluation Criteria
File Type Detection
Problems with File Type Detection
Webpage Example
Sandbox
CDR (Content Disarm and Reconstruction)
Remote Viewing
RealTime Pipeline
Offline Pipeline
Summary


Taught by

Black Hat

Related Courses

Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security Chip
Black Hat via YouTube
Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube
AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube
Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube
Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube