Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava


Transcript of Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava

Page 1: Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava

Preventing Malware Infection using Application Whitelisting
Presented by Peter Gubarevich
MCT, MVP: Enterprise Security
CCSI, CEH

Page 2

Agenda

Application Whitelisting (AWL) Concept
Common AWL Implementation Challenges
Implementing Application Whitelisting in the Enterprise
Q&A

Page 3

Ransomware Execution Scenario
You don't want to see this on your PC, do you?

Page 4

Let's try to open some documents from your USB storage***

*** Can be delivered by any other transport, be it E-mail or Skype

Page 5

Eventually, you will end up with this

No, it was not a document. And the antivirus failed to detect it.

Page 6

Application Whitelisting Concept
#1 recommendation in NSA IAD's Top 10 Mitigation Strategies

Page 7


A surprising number of administrators consider simply installing antivirus software to be enough to provide reliable protection from malware.

Unfortunately, defenses such as antivirus programs are often ineffective because of the "blacklisting" technology they use: they can only stop what they already know about.

Page 8

In fact, blacklisting and whitelisting are both designed to prevent malware from running

Blacklisting
    Considers everything allowed to launch by default
    Only prevents known threats from launching
    Example: antivirus software

Whitelisting
    Considers everything prevented from launching by default
    Only permits launching previously approved software
    Example: AppLocker policies

Page 9

Application Whitelisting Configuration Example

Everything from Windows folder is permitted for launching

Everything from Program Files is permitted for launching

Everything signed by Microsoft or Adobe is permitted for launching

Three Line-Of-Business Application hashes are permitted for launching

Everything else is prohibited
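The five rules above, written as a PowerShell script that puts the same SRP settings into the registry keys a Group Policy Object would deliver, so the policy can be tried on one lab machine before it goes into a GPO. This is an added example, not a script from the presentation: the registry layout and level values are the ones the SRP editor itself writes, the LOB executable paths are placeholders, the SHA-256 algorithm constant is marked as an assumption, and the certificate rules for Microsoft and Adobe are left to the Group Policy editor. It needs an elevated session and PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example, not from the slides: apply the whitelisting policy above locally.
# Run elevated. In a domain, author the same rules in a GPO under
# Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SAFER level: never run (rules live under the key "0")
$Unrestricted = 0x40000   # SAFER level: run freely  (rules live under the key "262144")

function Set-SrpCommon {
    New-Item -Path $Safer -Force | Out-Null
    # The weak setting is DefaultLevel = $Unrestricted (blacklist mode); a whitelist needs Disallowed.
    Set-ItemProperty $Safer -Name DefaultLevel        -Value $Disallowed -Type DWord
    Set-ItemProperty $Safer -Name PolicyScope         -Value 0 -Type DWord   # 0 = all users, 1 = exempt local admins
    Set-ItemProperty $Safer -Name TransparentEnabled  -Value 1 -Type DWord   # 1 = all software files except DLLs, 2 = DLLs too
    Set-ItemProperty $Safer -Name AuthenticodeEnabled -Value 1 -Type DWord   # needed for the certificate rules (Microsoft, Adobe)
}

function New-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description = '')
    $key = "$Safer\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty $key -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function New-SrpHashRule {
    param([string]$File, [int]$Level, [string]$Description = '')
    $item  = Get-Item -LiteralPath $File
    $hex   = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
    $bytes = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    $key = "$Safer\$Level\Hashes\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $bytes -Type Binary
    Set-ItemProperty $key -Name HashAlg      -Value 0x800C -Type DWord        # CALG_SHA_256 (assumed constant)
    Set-ItemProperty $key -Name ItemSize     -Value $item.Length -Type QWord
    Set-ItemProperty $key -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty $key -Name FriendlyName -Value $item.Name -Type String
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

Set-SrpCommon

# Rules 1 and 2: Windows folder and Program Files. Registry-derived paths are used instead of
# %WINDIR% / %ProgramFiles% because a user can redefine environment variables in their own
# session; these are also the two rules the SRP editor creates by default.
New-SrpPathRule -Level $Unrestricted -Description 'Windows folder' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
New-SrpPathRule -Level $Unrestricted -Description 'Program Files' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'

# Caveat not on the slide: some sub-folders of the Windows folder are writable by standard
# users, so "everything in Windows is allowed" also allows whatever a user drops there.
# A more specific path rule takes precedence over a broader one, so block those explicitly.
foreach ($p in '%WINDIR%\Temp', '%WINDIR%\Tasks', '%WINDIR%\Tracing') {
    New-SrpPathRule -Level $Disallowed -Path $p -Description 'User-writable folder under Windows'
}

# Rule 4: three LOB executables by hash (placeholder paths).
foreach ($f in 'C:\LOB\Payroll\payroll.exe', 'C:\LOB\CRM\crm.exe', 'C:\LOB\Reports\reports.exe') {
    if (Test-Path -LiteralPath $f) { New-SrpHashRule -File $f -Level $Unrestricted -Description 'LOB application' }
}

# Rule 3 (Microsoft and Adobe certificate rules) is added in the Group Policy editor:
# Software Restriction Policies > Additional Rules > New Certificate Rule.
# Rule 5 is the DefaultLevel set in Set-SrpCommon. Sign out and back in (or run
# gpupdate /force for a GPO) before testing.
```

Two design points: hash rules beat certificate rules, which beat path rules, so the LOB hashes stay valid even if a LOB executable lives in a folder covered by a Disallowed rule, and a hash rule must be re-created every time the LOB vendor ships a new build; path rules on the Windows and Program Files folders are only as strong as the ACLs on those folders, which is why the Disallowed rules for user-writable sub-folders are there.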

Page 10

What Application Whitelisting really is, and what it is not

It prevents viruses and trojans from being launched from a hard disk or USB flash drive, but neither stops you from saving a virus to disk, nor searches for or removes viruses from it;

It prevents malware modules from launching automatically from a user profile, but does not prevent scripts, such as macros, from running inside legitimate software like Microsoft Excel;

It prevents exploits from being launched from disk, but does not stop an attacker from exploiting unpatched flaws in your system;

It prevents unlisted software from running, but does not stop you from manually adding malware to the whitelist;

It prevents unwanted software from being launched by a user, but does not stop the user from downloading it.

Page 11

AWL Implementation Challenges
Most of them are not technical, though

Page 12

Challenge #1: Cultural Readiness

Management engagement. Senior leaders must see the value of AWL as a core doctrine, not as one more security restriction;

Many companies do not restrict individuals from installing software. AWL limits who can install programs. Be ready for complaints and requests for exclusions from users;

Many companies do not limit what software can be installed. Not all the software that users find useful or convenient will be allowed. Many users will want to keep the status quo because of that;

In most cases, AWL represents a cultural shift and a new operational reality for the IT workforce. AWL requires a certain level of discipline to be enforced within IT.

Page 13

Challenge #2: Process Readiness

The company must maintain a reasonably accurate software inventory and know its specialized applications, network processes and operational requirements;

A standardized application authorization (approval) procedure should be established. The existing OS image and application distribution framework can then be brought into it;

AWL requires the ability and experience to roll out and roll back changes incrementally across the enterprise;

Clear communication channels between users, IT support and the AWL project managers must be established.

Page 14

Challenge #3: Technical Readiness

The company must have enough resources to manage the project implementation in a timely manner. AWL requires a skilled IT Pro workforce to be available;

A seamless AWL implementation requires preparation, such as a reasonably long audit of the applications currently in use, especially the ones that are rarely executed;

An appropriate AWL methodology must be chosen, taking into account the supported OSs and application feature requirements;

Additional licensing costs may apply for third-party solutions.

Page 15

Configuring Application Whitelisting
Software Restriction Policies (SRP) in an Active Directory domain

Page 16

Demo #1: Configuring SRP Auditing

Steps performed:
Configuring SRP verbose auditing policies
Deploying the SRP log rotation PowerShell script
Collecting SRP logs
[Optional] Analyzing SRP logs using third-party tools
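The audit phase in code: SRP has an "advanced logging" switch (the LogFileName value) that makes every rule evaluation, allowed or not, append one line to a text file, and that file is what tells you which executables are currently running only because the default level is still Unrestricted. The script below is an added example and not one of the presentation's own scripts: it enables the log, parses it, lists the executables that would break once the default flips to Disallowed, and rotates the file. The log location is an assumption and the sample lines are constructed in the format SRP writes.

```powershell
# Added example, not from the presentation: SRP advanced logging, summary and rotation.
$Safer   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LogFile = 'C:\ProgramData\SRP\srp.log'   # assumed location

function Enable-SrpLogging {
    # The log is written by the process that starts the new program, i.e. in the user's
    # context, so the folder must be writable by users. Treat the file as audit input a
    # user could tamper with, not as evidence.
    New-Item -Path (Split-Path $LogFile) -ItemType Directory -Force | Out-Null
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty $Safer -Name LogFileName -Value $LogFile -Type String
}

# One line per evaluation:
# <parent>.exe (PID = n) identified <path> as <level> using <kind> rule, Guid = {...}
$LinePattern = '^(?<parent>.+?) \(PID = (?<pid>\d+)\) identified (?<path>.+) as (?<level>\w+) using (?<rule>\w+) rule, Guid = (?<guid>\{[0-9A-Fa-f-]+\})\s*$'

function ConvertFrom-SrpLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $LinePattern) {
            [pscustomobject]@{
                Parent = $Matches.parent; ProcessId = [int]$Matches.pid; Path = $Matches.path
                Level  = $Matches.level;  Rule = $Matches.rule;          Guid = $Matches.guid
            }
        }
    }
}

function Get-SrpAuditSummary {
    # While auditing, DefaultLevel is still Unrestricted. Everything allowed by the
    # "default" rule will be blocked when the default becomes Disallowed, so these
    # paths are the work list: give each a path/hash/certificate rule, or decide to block it.
    param([string[]]$Lines)
    $Lines | ConvertFrom-SrpLog | Where-Object Rule -eq 'default' |
        Group-Object Path | Sort-Object Count -Descending |
        Select-Object @{n='Path'; e={ $_.Name }}, Count,
                      @{n='LaunchedBy'; e={ ($_.Group.Parent | Sort-Object -Unique) -join ', ' }}
}

function Invoke-SrpLogRotation {
    # Every process appends to the same file, so it grows quickly on a busy machine.
    param([long]$MaxBytes = 20MB, [int]$Keep = 5)
    $f = Get-Item -LiteralPath $LogFile -ErrorAction SilentlyContinue
    if (-not $f -or $f.Length -lt $MaxBytes) { return }
    for ($i = $Keep - 1; $i -ge 1; $i--) {
        if (Test-Path -LiteralPath "$LogFile.$i") { Move-Item -LiteralPath "$LogFile.$i" -Destination "$LogFile.$($i + 1)" -Force }
    }
    # Fails if a process currently has the file open; rerun on the next schedule.
    Move-Item -LiteralPath $LogFile -Destination "$LogFile.1" -Force
}

# Constructed sample lines (not a real capture) in the SRP log format:
$Sample = @(
    'explorer.exe (PID = 3268) identified C:\Program Files\Messenger\msmsgs.exe as Unrestricted using path rule, Guid = {320bd852-aa7c-4674-82c5-9a80321670a3}',
    'explorer.exe (PID = 3268) identified C:\Users\alice\AppData\Local\Temp\Invoice_2016.pdf.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}',
    'outlook.exe (PID = 4412) identified C:\Users\alice\AppData\Local\Temp\Invoice_2016.pdf.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}',
    'explorer.exe (PID = 3268) identified C:\Users\bob\Downloads\putty.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}',
    'svchost.exe (PID = 912) identified C:\Windows\System32\taskeng.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}'
)
Get-SrpAuditSummary $Sample | Format-Table -AutoSize
```

Run Enable-SrpLogging through the audit GPO, collect the rotated files from the workstations, and feed all of them to Get-SrpAuditSummary. In the sample, msmsgs.exe and taskeng.exe are already covered by path rules and need nothing; putty.exe in a Downloads folder needs a decision; the .pdf.exe in a Temp folder, launched from both Explorer and Outlook, is the ransomware scenario from slide 5 and gets no rule at all.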

Page 17

Demo #2: Configuring Whitelisting

Steps performed:
Configuring SRP whitelisting policies
Deploying the SRP event notification PowerShell script
Testing application whitelisting
[Optional] Testing SRP in a real AWL-enabled enterprise
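Once the default level is Disallowed, every block is recorded in the Application log by the SRP provider (event IDs 865 to 868, one per kind of rule that denied the launch), and those events are both the helpdesk signal for a missing rule and the detection signal for the ransomware dropper that antivirus missed. The script below is an added example and not one of the presentation's own scripts: it reads the block events, extracts the blocked path and user, flags launches from user-writable locations, and appends alert records to a share. The provider name, event IDs and message wording are those of Windows 7 / Server 2008 R2 and later and are treated as assumptions; the share path is a placeholder.

```powershell
# Added example, not from the presentation: SRP block events to alert records.
$SrpProvider  = 'Microsoft-Windows-SoftwareRestrictionPolicies'   # assumed provider name
$BlockEventId = 865, 866, 867, 868    # blocked by: default level, path rule, certificate rule, hash rule (assumed)
$AlertShare   = '\\FILESRV\SRP-Alerts$'  # placeholder collection point

function ConvertFrom-SrpBlockMessage {
    # e.g. "Access to C:\...\x.exe has been restricted by your Administrator by the default software restriction policy level."
    param([string]$Message)
    if ($Message -match 'Access to (?<path>.+?) has been restricted by your Administrator by (?<reason>.+?)\.?\s*$') {
        [pscustomobject]@{ Path = $Matches.path; Reason = $Matches.reason }
    }
}

function Test-SrpAlertSuspicious {
    # A block under a user profile or a Temp folder is the case AWL exists for; the same
    # path blocked on many machines right after a software update is a missing rule instead.
    param([string]$Path)
    ($Path -match '^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\') -or ($Path -match '\\Temp\\')
}

function Get-SrpBlockEvent {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $SrpProvider; Id = $BlockEventId; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m    = ConvertFrom-SrpBlockMessage $_.Message
        $sid  = $_.UserId
        $user = ''
        if ($sid) { try { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $user = $sid.Value } }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Computer   = $_.MachineName
            EventId    = $_.Id
            User       = $user
            Path       = $m.Path
            Reason     = $m.Reason
            Suspicious = [bool](Test-SrpAlertSuspicious $m.Path)
        }
    }
}

function Send-SrpBlockAlert {
    # One CSV per computer per day on the share, read by the helpdesk and the AWL team.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $csv = Join-Path $AlertShare ('{0}-{1:yyyyMMdd}.csv' -f $Record.Computer, $Record.Time)
        $Record | Export-Csv -LiteralPath $csv -Append -NoTypeInformation
    }
}

# Constructed sample message (not a real event) so the parsing can be checked offline:
$demo = 'Access to C:\Users\alice\AppData\Local\Temp\Invoice_2016.pdf.exe has been restricted by your Administrator by the default software restriction policy level.'
$r = ConvertFrom-SrpBlockMessage $demo
'{0} | {1} | suspicious: {2}' -f $r.Path, $r.Reason, (Test-SrpAlertSuspicious $r.Path)

# On a workstation, e.g. from a scheduled task every 15 minutes:
# Get-SrpBlockEvent -Since (Get-Date).AddMinutes(-15) | Send-SrpBlockAlert
```

The same Get-SrpBlockEvent output, grouped by Path across the whole estate, is also the test oracle for the "Testing application whitelisting" step: a test launch of an unsigned executable from a USB stick must produce exactly one 865 event on the test machine, and a legitimate LOB application must produce none.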

Page 18

Addendum: PowerShell Scripts

Download the PowerShell scripts and other files used in this presentation from the following sources:

http://blog.windowsnt.lv or https://srp.windowsnt.lv

Send AWL-related questions or comments to:

[email protected] or [email protected]

Page 19

Q&A