Application Whitelisting: Key Protection Against Targeted Cyber Attacks
Chris Merritt - August 1st, 2011
The Australian Department of Defence recently updated their Strategies to Mitigate Targeted Cyber Intrusions guidelines, and I think it warrants a little discussion.
The relatively short (only two pages!) document from the Cyber Security Operation Centre (CSOC) – part of the Defence Signals Directorate (DSD) – is based on their experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies. It ranks 35 mitigation strategies based on an analysis of the costs (incl. user resistance, which might lead to a defensive measure being circumvented) vs. benefits (incl. how it helps mitigate the different stages of an intrusion).
I want to focus on the top-4 protections in their list because, as they say: Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010. In order of “Mitigation Strategy Effectiveness Ranking,” these are:
- Patch Applications
- Patch OS vulnerabilities
- Minimize the number of users with domain or local admin privileges
- Application whitelisting
All of these (and the next eight on the list) have an Overall Security Effectiveness rating of Excellent, but only the last one – application whitelisting – is judged effective in both preventing and detecting intrusions, and in protecting against all three (3) of the stages of a cyber attack (code execution, network propagation and data exfiltration). In other words, application whitelisting now joins some of our other bedrock security technologies – like patching, firewalls and AV – as a must-have layer in our defense-in-depth strategy.
While a closer look at the entire list is certainly worthwhile, I’d like to reserve that to another day. For now, let’s look at the metrics for application whitelisting a little more closely – specifically, the security and cost aspects which the CSOC used to elevate application whitelisting into the top-4.
- Designed to Prevent or Detect an Intrusion – Both. By design, whitelisting prevents unknown or unauthorized applications from executing on your computing assets; but how does this prevent and detect intrusions? A well-designed whitelisting solution will log all attempted executions – so, by monitoring these logs, we can detect rogue code trying to infiltrate our network. And it prevents the attack by not allowing the malware to establish a foothold, which is necessary to do its dirty work.
- Helps Mitigate Intrusion Stage 1: Code Execution – Yes. This is the very definition of whitelisting – instead of trying to filter out the bad stuff, it only allows the good stuff. This makes it more effective against zero-day malware than AV, because it does not need to wait for the malware to be discovered and analyzed, and a signature to be created, pushed out, and deployed. And a well-designed solution will help admins handle the gray area in between.
- Helps Mitigate Intrusion Stage 2: Network Propagation – Yes. Code that cannot execute cannot go hunting for network shares or other places to infiltrate, which eliminates its ability to move stealthily from the entry point to the valuable bits – be it valuable IP or customer data, or admin accounts with which to elevate privileges – stored elsewhere within your network.
- Helps Mitigate Intrusion Stage 3: Data Exfiltration – Yes. The final step – the pay-off – in most cyber attacks is the ability to establish communication with the outside world and to extract data – the credit numbers, the next-gen chip design, etc. However, if the code cannot execute, it cannot communicate – which neuters the attack completely.
- User Resistance – Medium. We end users are accustomed to unfettered access on “our” machines – they are, after all, personal computers – so it’s understandable that we’re not happy when we cannot control them like we’re used to. But a well designed solution will allow the organization to decide who gets what controls on the box, thus mitigating this concern. It’s also mitigated via training and education, which is crucial to all security efforts.
- Upfront Cost – High. Traditional whitelisting solutions were difficult to deploy – understanding what applications resided on all the endpoints, who needed what (and who didn’t need what), how to balance business needs & productivity with security, and so on. Luckily, the new generation of application whitelisting solutions have greatly eased many of these concerns and thus the associated costs.
- Maintenance Cost – Medium. This is another area where traditional whitelisting had difficulty – how to keep up with the seemingly ceaseless patching and upgrading of existing applications, let alone the need for new apps for the business, or specialized apps for a select group. Here again, modern application whitelisting solutions have largely automated these tasks, allowing admins to focus on more strategic tasks.
In the end, I’m impressed to see the CSOC elevate application whitelisting into their top-4, must-have technologies in mitigating cyber attacks (important enough that they wrote a separate Application Whitelisting Explained document), and hope we see more organizations including it in their recommendations or even requirements. As we move into the “golden age” of application whitelisting where many of the traditional objections are removed, we can both improve our overall security posture without undue burden.