White Paper

A proactive control against malware threats

Application Whitelisting

Introduction

Malware threats have been on the rise for the last few years, disrupting businesses with ransomware, crypto-malware and spyware. Despite the use of anti-malware controls by organisations and individuals, malware continues to be a threat. The high-profile exploitations by NotPetya, as well as the Mirai malware, have demonstrated that adversaries are now using innovative security bypass techniques to avoid detection by anti-malware controls, resulting in the successful breach of hundreds of thousands of systems all over the world.

The inherent weakness of anti-malware controls is that they can only protect what they know through the use of signature-detection technology. This method worked well in the past when attack techniques were well-understood, resulting in the development of appropriate signatures to detect attack techniques. However, as attack techniques have become more sophisticated, signature-detection technologies are beginning to fail. Adversaries are now developing malware by testing the code against anti-malware controls before releasing it into the wild. The more sophisticated adversaries are also developing new exploit techniques that act on undocumented features of hardware and operating systems which anti-malware vendors are not aware of, thus increasing the likelihood of success of a malware exploitation.

Even with the emergence of the Endpoint Protection Platform (EPP), which uses machine learning techniques to detect unusual malicious behaviours, there is still a likelihood that an attack technique is so unique that it completely bypasses known process behaviour and manipulates the machine learning model to avoid detection. At this point, one of the most effective security controls to protect against such covert attacks is the use of application whitelisting.

Relevance of application whitelisting

Application whitelisting is not a new technology – it has been around the Information Technology industry for at least 15 years. This security control works in a very straightforward manner: the executable code, script or software library (henceforth known as the application) that is about to be executed is compared against a whitelist table. If the application is listed, it is permitted to be loaded into memory and processed by the CPU for execution. The whitelist table may contain information such as filename, file size, digital signature and/or cryptographic hash of permitted applications. As such, an application with the exact name and file size listed in the whitelist table, but with a non-matching cryptographic hash, will not be permitted to run.

When deployed correctly, application whitelisting can also be used to perform software inventory tracking in which the security control can alert the organisation as to what software is running in their computing environment, as well as track for unauthorised changes in the computing environment.

The table below shows the advantage of application whitelisting mitigation against various threat scenarios, versus anti-malware and host intrusion prevention controls.

Scenario 1: Contractor with unprotected and infected laptop connects to department network and infects machines on the local area network.
  Threat: WannaCry ransomware spreads, infects, encrypts and blocks access to critical files on servers and workstations.
  Potential impact: Several servers and workstations are offline for many hours to days until services are restored to normal and back-ups utilised.
  Anti-malware: First line of defence on machines and limits scope of infection.
  Host intrusion prevention: Protects against variants of WannaCry, Petya and other known emerging threats.
  Application whitelisting: WILL prevent unauthorised attempts to execute code even on unpatched systems.

Scenario 2: Automated network-borne worm bypasses perimeter defences from a trusted third-party connection, as it looks like legitimate business traffic, to gain access to servers.
  Threat: NotPetya worm spreads from server to server and consumes network bandwidth, bringing services down.
  Potential impact: Network is brought down and takes several days to return services to normal.
  Anti-malware: First line of defence but CANNOT block network bandwidth choking.
  Host intrusion prevention: Blocks spread of network worm between protected servers.
  Application whitelisting: WILL prevent unauthorised attempts to execute code on servers even with stolen credentials.

Scenario 3: Determined criminal hackers or insiders exploiting a zero-day vulnerability.
  Threat: Zero-day remote code execution exploit of a vulnerability via phishing and follow-up hacks. No patch is available to fix the vulnerability for days.
  Potential impact: Sensitive Microsoft operating systems are compromised, resulting in data theft and/or a system breach making critical services unavailable.
  Anti-malware: First line of defence but CANNOT block data exfiltration as it does not have signatures to detect the attack.
  Host intrusion prevention: CANNOT block data exfiltration as the attack bypasses HIPS controls via legitimate services.
  Application whitelisting: WILL prevent unauthorised attempts to exfiltrate data by blocking execution of unauthorised binary files.

Typically, an organisation cannot be completely certain what applications are running on its servers and workstations unless application profiling is performed (which can be conducted using the application whitelisting control). After a malware outbreak occurs, it can be hard for an organisation to differentiate between a clean system and a tampered system. Complicating the recovery process, the organisation has to determine which systems need to be rebuilt, and this can be time consuming and expensive.

However, if an application whitelisting control is in place, the organisation has visibility of the systems to which malicious code has been added, and can then assign the appropriate resources to rebuild those systems. Even if an affected system remains unfixed, any malicious code residing on it cannot create further damage due to the enforced application whitelisting control, thus helping to mitigate the threat completely. As such, application whitelisting helps organisations get back to business normalcy at a faster rate using fewer resources.

Application whitelisting is a security control technique recommended by the USA National Institute of Standards and Technology (NIST) in Special Publication 800-167, the UK National Cyber Security Centre (UK NCSC) in the “Mitigating Malware” guidance document, the Australian Signals Directorate (ASD) in the ASD Essential 8, and the New Zealand Government Communications Security Bureau (NZ GCSB) in the New Zealand Information Security Manual Section 14.2, and was noted by Gartner as one of the top 10 security projects for 2018 [1]. As such, it has been universally recognised as an effective security control in mitigating against malware attacks.

Industry applicability

Application whitelisting has applicability to the industries listed below, assisting to secure the environment in the following ways:

Manufacturing, Construction, Mining, Energy: These industries invest significantly in operational technology and have Industrial Control Systems (ICS) deployed in their environment. The key security challenge for these industries is to ensure the availability and integrity of the ICS devices managed by the IT systems, and to ensure a safe and highly-resilient operating environment. As some of the IT systems managing the ICS systems are not built with security in mind, and most of the ICS systems are deployed with a 10 to 20 year lifecycle, these industries are laden with systems that can be neither replaced, patched nor upgraded, which makes these systems extremely susceptible to vulnerability exploitation.

Even if there are processes in place to institute proactive patch management for vulnerable ICS systems, processes can be hindered if the ICS environment is completely air-gapped or does not have any network access to obtain patches for speedy deployment.

In the above two scenarios, regardless of the obsolescence of the systems or the inaccessibility of the network, application whitelisting can be effective, as it does not depend on the software in use being up to date, and it does not need outbound Internet access to protect the systems. As ICS systems do not change significantly in their setup, and the processes running on them are highly repeatable, application whitelisting works extremely well without running the risk of disrupting the operational workflow: it ensures that any unauthorised application introduced into the system, intentionally or unintentionally, will not be allowed to run. In the absence of up-to-date patches and signature updates, legacy and unsupported systems can still operate securely.

Healthcare: Medical devices used in hospitals and clinics are now connected to IP-based networks and to patient monitoring systems to improve care by tracking the status of patients in real time. Medical devices share the same security issues and concerns as ICS systems, in that most medical devices may be unsupported or are not connected to the Internet to obtain real-time anti-malware signatures to protect against the latest security threats. Application whitelisting can secure medical devices in the same way it is used to secure ICS systems.

Retail: As conduits that capture sensitive credit card information, point-of-sale (POS) terminals are highly targeted by cyber-criminals. To intercept credit card information, cyber-criminals will attempt to use different exploitation techniques to run spyware on these systems and exfiltrate the captured information across the network. If retail organisations do not have the resources in place to proactively monitor and manage POS terminals, application whitelisting can reduce the attack surface by ensuring that only permitted processes on the POS terminals are allowed to operate, and malware of any nature that is unanticipated can be blocked without worrying whether the systems have up-to-date anti-malware controls in place.

[1] Gartner Top 10 Security Projects for 2018, https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/

Defence/Government: Application whitelisting works extremely well in sensitive computing environments such as government or military networks. Such environments are usually not connected to the Internet and access to the computing systems within such environments is highly restricted, thus, patches and signature updates may not occur frequently. Systems such as these can be susceptible to advanced persistent threats (APT) through compromised USB drives or hardware that has been tampered with along the supply chain. In such environments, application whitelisting can mitigate any 0-day threats that typically target this industry.

Potential issues with application whitelisting

The biggest challenge in enforcing application whitelisting is to know which applications are to be whitelisted. This will require the organisation to know what software and applications are legitimately required to deliver a business outcome. However, not every business stakeholder may be fully aware of the detailed breakdown of the executable code, scripts, software libraries and third-party software that is required to operate within the computing environment. Missing any of these critical components in the whitelisting process may result in the application whitelisting control preventing the computing environment from delivering the required business outcome, as certain application components are prevented from running.

Due to this problem, application whitelisting is typically harder to implement in a general computing environment such as one with office PCs or mobile laptops. Such computing environments allow users to run a broad set of applications over a period of time, making it onerous for the security team to set up an application whitelist table for these applications, i.e. without compromising user experience and disrupting business workflow in such an environment.

The same issue is made worse in a development environment where developers are constantly developing applications and code. Application whitelists will have to be updated constantly for the developers to test their code, otherwise the application whitelisting control will be an impediment to their work.

In the event that the applications in the computing environment are changed due to upgrading or patching, the application whitelist table must be able to map which executable code, scripts or software libraries are modified. Changes to the filename, file size and cryptographic hash must be appropriately updated to ensure that the applications can continue to operate without any issue.

Lastly, it is important to note that application whitelisting as a standalone control should only be deployed under the specific conditions listed previously. By itself, it is only useful as a preventive and detective control, but not very useful as a response control. In blocking unauthorised applications from running, it has no visibility into what the intent of the unauthorised applications is, nor how these applications were introduced into the system. As such, it is of limited assistance in incident response activities. From a defence-in-depth perspective, application whitelisting works best side-by-side with security controls such as EPP, which provides visibility of what the unauthorised application tries to do, and User and Entity Behaviour Analytics (UEBA), which can provide visibility of the user responsible for introducing the unauthorised application.

Implementation guidance

Before implementing application whitelisting on a computing system, an inventory of what software resides on the computing system needs to be taken. The organisation must also define what kind of application whitelisting enforcement it wants to implement: strict enforcement, in which only approved applications meeting all four characteristics (filename, file size, digital signature and cryptographic hash) are permitted to run; or partial enforcement, in which applications meeting only some characteristics (e.g. digital signatures from certain vendors, or filenames with certain extensions) are permitted. The latter enforcement is typically not encouraged, as different applications digitally signed by the same vendor can be abused if not managed carefully. However, it is a pragmatic way to commence the application whitelisting process, as it helps the organisation progress towards a stage where it is ready for strict enforcement.

When the application whitelist table is defined, it is important to test this table under an audit mode in which the application whitelisting control does not proactively prevent the execution of unauthorised applications not listed in the table. The testing has to be done over a period of time to ensure that the table is properly defined, and that the required applications are allowed to execute, and any unauthorised applications in any form are prominently flagged. Enforcement mode should only be enabled when there are no false positives flagged by the application whitelisting control throughout the testing period.
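To make the whitelist table comparison, the strict versus partial enforcement choice and the audit versus enforcement modes concrete, here is an added illustration (not code from the paper, nor from any DXC product). The table entries, file contents and the "signer" field are constructed stand-ins; "signer" stands for the publisher name of a digital signature assumed to have been verified elsewhere.

```python
# Added example, not code from the DXC paper: a minimal model of the whitelist
# check described above. Table entries, file contents and the "signer" field are
# constructed stand-ins; "signer" stands for the publisher name of a digital
# signature that has already been verified elsewhere ("" if unsigned).
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    filename: str
    size: int
    signer: str
    sha256: str


def fingerprint(filename: str, content: bytes, signer: str) -> Entry:
    """Record the attributes the paper's whitelist table keys on."""
    return Entry(filename, len(content), signer, hashlib.sha256(content).hexdigest())


def strict_allowed(table: set[Entry], observed: Entry) -> bool:
    """Strict enforcement: filename, size, signer and hash must all match."""
    return observed in table


def partial_allowed(trusted_signers: set[str], allowed_exts: set[str], observed: Entry) -> bool:
    """Partial enforcement: a trusted signer or an allowed extension is enough."""
    ext = observed.filename.rsplit(".", 1)[-1].lower() if "." in observed.filename else ""
    return (observed.signer != "" and observed.signer in trusted_signers) or ext in allowed_exts


def decide(allowed: bool, mode: str, observed: Entry, log: list[str]) -> bool:
    """Audit mode flags unauthorised files but lets them run; enforce mode blocks them."""
    if allowed:
        return True
    log.append(f"UNAUTHORISED {observed.filename} sha256={observed.sha256[:12]} mode={mode}")
    return mode == "audit"


def demo() -> dict:
    """The paper's own case: same filename and size, different hash."""
    vendor = "Vendor Pty Ltd"  # constructed publisher name
    approved = fingerprint("payroll.exe", b"approved build", vendor)
    # Modified copy: same length, different bytes, and the signature no longer verifies.
    tampered = fingerprint("payroll.exe", b"approved bui1d", "")
    # A different, legitimately signed tool from the same vendor that was never approved.
    other = fingerprint("vendor-updater.exe", b"some other program", vendor)
    table = {approved}
    log: list[str] = []
    return {
        "same_name_and_size": approved.size == tampered.size,
        "strict_approved": strict_allowed(table, approved),
        "strict_tampered": strict_allowed(table, tampered),
        "strict_other": strict_allowed(table, other),
        # Partial enforcement trusts the vendor, so the unapproved tool is let through.
        "partial_other": partial_allowed({vendor}, set(), other),
        "partial_tampered": partial_allowed({vendor}, set(), tampered),
        "audit_runs_tampered": decide(False, "audit", tampered, log),
        "enforce_runs_tampered": decide(False, "enforce", tampered, log),
        "flags_logged": len(log),
    }
```

Running demo() shows the tampered binary being denied under strict enforcement despite its matching name and size, the vendor-signed but unapproved tool slipping through under partial enforcement, and audit mode logging the same event that enforce mode blocks.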

As application whitelisting can be disruptive, it is important to implement application whitelisting in phases. There are different suggested approaches in implementing this control. One approach would be to implement application whitelisting first on servers which tend to operate in a very rigid manner with a standard set of applications running on them, as well as very little human interaction. Another approach would be to implement application whitelisting control on new systems introduced into the computing environment, as the hardened systems can be used to establish a baseline to define the standard application whitelist table for a particular software without the distraction of other application components.

Lastly, while application whitelisting control can work as intended on stand-alone systems, it is important that all systems with application whitelisting control are centrally managed and monitored. This allows the security administrator to enforce a consistent application whitelisting policy for each of the appropriate applications, as well as to detect potential malicious activities that have been stopped by the application whitelisting control.

Conclusion

Application whitelisting is a highly effective security control to meet the security challenges posed by today’s threat landscape. Organisations implementing application whitelisting cultivate a proactive approach to security, as they are fully aware of and take control of what applications are permitted to run within their environment. It is a useful tactical security control that can be deployed on systems where patching or running up-to-date anti-malware controls is not feasible, and for protecting legacy systems that are no longer supported but are still required by the business. When security controls such as anti-malware or EPP fail to detect 0-day exploits, application whitelisting is the last line of defence that will stop such attacks dead in their tracks.

About the Authors

TM Ching

TM Ching is the Chief Technologist, Security, for DXC Technology in Australia and New Zealand, and is responsible for DXC’s cybersecurity strategy, vision and execution across the region. He works closely with clients and internal teams, identifying future technological evolutions and disruptions, and developing roadmaps for both clients and DXC Security to achieve service readiness to meet those technological changes.

Yalcin Adal

Yalcin Adal is the DXC Principal Consultant leading the Melbourne Security Advisory Services team. Yalcin has significant experience in information security and risk management. He is a solution-oriented and result-driven Information Security expert with a record that demonstrates the successful delivery of a broad range of cybersecurity initiatives for more than 18 years.

About DXC Technology

DXC Technology (DXC: NYSE) is the world’s leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company’s technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2018 DXC Technology Company. All rights reserved. MD_8516a-19. July 2018
