One of the recent thoughts that I have notices in the last year in discussions with friends in the industry is that whitelisting is of no use do to:
- "It is hard to do"
- "Bypasses exist so why do it"
- "It does not scale"
Those are the 3 most common ones I have heard with my discussions over drinks, chat rooms and lobbycon sessions with friends. I would like to try to address why for me they are not valid and share my thought process and to the why.
It is hard
The short answers to this is "Yes it is Hard" but.. it depends on the level or maturity of the organization. To be able to do whitelisting and organization must know what is the "normal" in their environment and have control over it. knowing what the normal is and controlling it means that the organization must have at the very least the following:
- Have proper software inventory that gets updated in a frequent basis.
- Have proper configuration management so as to control what application and versions of the application are deployed, including updates for both applications and OS.
- Have process auditing where the base of processes that run on system has been identified.
- Control over administrative rights on the hosts.
Now every point in the list I would say is a must have for any organization that has:
- Support from the business administration to recognize the important of security by approving and supporting these efforts.
- Skilled security staff that know how to setup, maintain and monitor this types of best practices.
- Have a processes in place and executed between operations and security team.
- Have table-top exercises where security and operations work to validate the existing processes.
So when we take this in to a account a home user, small organization with few staff or an operation with a immature security structure it would be hard to implement and to maintain. Now application whitelisting is not something you would implement across the entire company, an evaluation of risks must exist so as to apply it where it makes sense. Another thing that should be considered is that some application whitelisting solutions can be employed in a tactical manner by some organizations so as to block specific trending threats. A rapid changing developer workstation would not be a good candidate for this when a receptionist or HR system will. But without the knowledge of the normal of the environment it is hard to even identify the risk let alone see what are the fast changing systems.
Yes the default configuration and the basics steps recommended to get started do have ways of being bypass. Just like with any other security control it will be as good as the configuration and continuous testing and adjustments made. There are a couple of things to keep in mind when it comes to working with controls like application whitelisting and these are:
- Most attackers are blind in terms of the controls in place when performing an attack.
- Many automated tools do not take application whitelisting bypass techniques in the creation of phishing and client side attacks.
- Tools and techniques are constantly evolving and adjusting to the trends in defense.
When we take this in to consideration it means that unless the attacker is internal or there has been a large operational security violation where information has been leaked most attackers will initially tailor their attack techniques to the most common configurations and controls across the wides range of targets so as to have a bigger chance of success. Building a series of labs and testing techniques is hard and time consuming so the general return of investment is low for many but not all this allows a possible window to detect initial stages of an attack. This does not mean that some attackers are not taking notice and modifying their TTPs (Tactics, Techniques and Procedures) they actually adapt faster than most organizations on public information on new bypasses and techniques. Most bypasses have specific mitigations and other bypasses can be mitigated by the use of other controls in addition to application whitelisting by it self.
It does not Scale
This is one of those arguments where I reply with the line every consultant ushers in most meetings "It depends" and the reason is how you look at application whitelisting. If you look at it as an all or nothing then yes, the amount of overhead is just to high. Now if you look at it as a strategic tool in you arsenal where you can apply it at different levels the yes it scales quite well with the proper planning and procedures in place.
Why do I say it is a tactical tool? My argument on this one is that it serves 2 main purposes for me. They are:
- Blocking specic actions and none trusted applications.
- Source of alerts to better track and correlate other logs for malicious activity.
On the first one we start by blocking on high risk and slow change hosts any activity that it is not the normal, this help us prevent the use of none approved applications and raises the security posture. Then through the work of cooperative engagements between the Red and Blue teams we identify specific risks and address those. The process of a coperative engagement is shown bellow.
Tis will help us fine tune our rules for those host. But it also serves as a source of information and validation of the tactical use of application whitelisting to mitigate across the enterprise specific types of threats, not a full system implementation but a limited one.
Example Windows PowerShell is abused by many attackers do to its low barrier to entry to system APIs and ease of use. We can mitigate this threat by using AppLocker on Windows to specify what users are allowed to run PowerShell scripts and from what location. This approach still allows the use of PowerShell for administrative tasks but blocks it abuse by attackers by emailing the user or for them to use it in post-exploitation activities. Now can they bypass this? yes if they where able to get initial execution but their attempts to bypass will more than likely trigger certain events that can be monitored and alerted on. In table top exercises between the security groups these mitigations are addressed providing possible mitigations, series of IOCs to alert on and steps that can be added to a playbook for containment and tracking. Application Whitelisting was used strategically.
As I was writing this blog post my friend SubTee wrote one on almost the same subject http://subt0x10.blogspot.com/2017/01/my-thoughts-on-application-whitelisting.html hope I was able to add to the discussion.
Main take aways
- A certain level of maturity for the institution and operation must exist to leverage it.
- It should not be considered as an all or nothing but a tactical tool to be used accordingly.
- It is a great source of logs and alerts that in conjunction with other logs provides correlation that is of great value and should not be isolated or ignored.
- It is a control like any that needs to be tested and constantly adjusted as attackers TTPs change and improve.