Preventing Malware Infection using Application Whitelisting
Presented by Peter Gubarevich
MCT, MVP: Enterprise Security, CCSI, CEH
2 Agenda
Application Whitelisting (AWL) Concept
Common AWL Implementation Challenges
Implementing Application Whitelisting in Enterprise
Q&A
4 Ransomware Execution Scenario
You don’t want to see this on your PC, do you?
4 Let’s try to open some documents from your USB storage***
*** Can be delivered by any other transport, be it E-mail or Skype
5 Eventually, you will end up with this
No, it was not a document. And antivirus has failed to detect this.
6 Application Whitelisting Concept
#1 recommendation in NSA IAD’s Top 10 Mitigation Strategies
7
A surprising number of administrators consider simply installing antivirus software enough to provide reliable protection from malware.
Unfortunately, defenses such as antivirus programs are often ineffective because of the “blacklisting” technology they use.
8 In fact, Blacklisting and Whitelisting are both designed to prevent malware from running
Blacklisting
Considers everything allowed to be launched by default
Only prevents known threats from being launched
Example: Antivirus Software
Whitelisting
Considers everything prevented from launching by default
Only permits launching previously approved software
Example: AppLocker Policies
9 Application Whitelisting
Configuration Example
Everything from Windows folder is permitted for launching
Everything from Program Files is permitted for launching
Everything signed by Microsoft or Adobe is permitted for launching
Three Line-Of-Business Application hashes are permitted for launching
Everything else is prohibited
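The rule set on this slide, written out as an AppLocker policy in PowerShell. This is an added example, not a script from the presentation; the GPO path is a placeholder, the three LOB executable paths under C:\LOB\ are assumed, and the Adobe publisher string is an assumption to verify against a signed file on your own system.

```powershell
# Added example, not taken from the presentation: the slide-9 rule set as an
# AppLocker policy. Assumptions: the GPO path is a placeholder, the three LOB
# executables live under C:\LOB\, and the collection starts in AuditOnly so the
# resulting 8003 events can be reviewed before EnforcementMode is set to Enabled.
$gpo = 'LDAP://dc1.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'

# Path rules for Windows and Program Files, publisher rules for everything signed
# by Microsoft or Adobe. S-1-1-0 is Everyone. Anything no rule allows is denied.
# Confirm the PublisherName strings against a signed file on your own system
# with Get-AppLockerFileInformation; the Adobe string below is an assumption.
$baseXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Signed by Adobe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$baseFile = Join-Path $env:TEMP 'awl-base.xml'
Set-Content -Path $baseFile -Value $baseXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $baseFile -Ldap $gpo

# Hash rules for the three line-of-business executables: AppLocker computes the
# hash itself, so a rebuilt binary needs a new rule.
$lob = Get-AppLockerFileInformation -Path 'C:\LOB\App1.exe', 'C:\LOB\App2.exe', 'C:\LOB\App3.exe'
$hashPolicy = New-AppLockerPolicy -FileInformation $lob -RuleType Hash -User Everyone -RuleNamePrefix 'LOB'
# -Merge keeps the path and publisher rules already written to the GPO.
Set-AppLockerPolicy -PolicyObject $hashPolicy -Ldap $gpo -Merge
```

The Application Identity service must be running on the clients for the collection to be evaluated at all; without it, neither audit events nor enforcement appear.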
10 What Application Whitelisting really is, and what it is not
It prevents viruses and trojans from being launched from a hard disk or USB flash drive, but neither stops you from saving a virus to a disk, nor searches for or removes viruses from it;
It prevents viral modules from launching automatically from a user profile, but does not prevent exploitation by scripts running inside legitimate software, such as Microsoft Excel;
It prevents exploits from being launched from a disk, but does not stop an attacker from exploiting unpatched flaws in your system;
It prevents unlisted software from running, but does not stop you from manually adding malware to a whitelist;
It prevents unwanted software from being launched by a user, but does not stop the user from downloading it.
11 AWL Implementation Challenges
Most of them are not technical, though
12 Challenge #1: Cultural Readiness
Management Engagement. The senior leaders must see the value of AWL as a core doctrine, not as an additional security restriction;
Many companies do not restrict individuals from installing software. AWL limits who can install programs. Be ready for complaints and requests for exclusions from users;
Many companies do not limit what software can be installed. Not all the software that users find useful or convenient will be allowed. Many users may want to keep the status quo because of that;
In most cases, AWL represents a cultural shift and new operational realities for the IT workforce. AWL requires a particular level of discipline to be enforced across IT.
13 Challenge #2: Process Readiness
The company must maintain a reasonably accurate software inventory, and have knowledge of its specialized applications, network processes and operational requirements;
A standardized application authorization procedure should be established. The existing OS image and application distribution framework may then get involved;
AWL requires the ability and experience to implement and roll back changes incrementally across the enterprise;
Clear communication mechanisms between users, IT support and AWL project managers must be established.
14 Challenge #3: Technical Readiness
A company must have enough resources to manage project implementation in a timely manner. AWL requires the availability of a skilled IT Pro workforce;
Seamless AWL implementation requires preparation, such as a reasonably long audit of currently used applications, especially ones which are rarely executed;
An appropriate AWL methodology must be chosen, taking into account the supported OSs and application feature requirements;
Additional licensing costs for third-party solutions may apply.
15 Configuring Application Whitelisting
Software Restriction Policies (SRP) in an Active Directory domain
16 Demo #1: Configuring SRP Auditing
Steps performed:
Configuring SRP Verbose Auditing Policies
Deploying SRP Log Rotation PowerShell Script
Collecting SRP Logs
[Optional] Analyzing SRP Logs using third-party tools
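One way to analyze the collected SRP verbose logs yourself, as an added example rather than one of the presentation's scripts. It assumes the log line layout written by SRP when the LogFileName value is set, and the sample lines and GUIDs are constructed.

```powershell
# Added example, not one of the presentation's own scripts. Summarises SRP verbose
# log lines (the file named by the LogFileName value under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) collected during
# the auditing phase, while DefaultLevel is still Unrestricted. Launches matched
# only by the default rule are the ones that would be blocked once the default
# level becomes Disallowed, so they either need a rule or are meant to stay blocked.
function Get-SrpDefaultRuleHits {
    param([string[]]$Lines)
    # One line per checked launch: "<process> (PID = n) identified <path> as <level> using <kind> rule, Guid = {...}"
    $pattern = '^(?<proc>\S+) \(PID = (?<pid>\d+)\) identified (?<path>.+) as (?<level>.+?) using (?<rule>.+?) rule, Guid = (?<guid>\{[0-9a-fA-F-]+\})'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ Process = $Matches.proc; Path = $Matches.path; Level = $Matches.level; Rule = $Matches.rule }
            }
        } |
        Where-Object { $_.Rule -eq 'default' } |
        Group-Object Path |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Path'; e = { $_.Name } },
                      Count,
                      @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } }
}

# Constructed sample lines (GUIDs are placeholders, not real rule identifiers).
$sample = @'
explorer.exe (PID = 3348) identified C:\Windows\System32\notepad.exe as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000001}
explorer.exe (PID = 3348) identified C:\Program Files\LOB\Ledger.exe as Unrestricted using hash rule, Guid = {00000000-0000-0000-0000-000000000002}
explorer.exe (PID = 3348) identified C:\Users\alice\AppData\Local\Temp\7zS4F1\setup.exe as Unrestricted using default rule, Guid = {00000000-0000-0000-0000-000000000000}
outlook.exe (PID = 5120) identified C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe as Unrestricted using default rule, Guid = {00000000-0000-0000-0000-000000000000}
cmd.exe (PID = 7010) identified E:\Tools\Reporting\report.exe as Unrestricted using default rule, Guid = {00000000-0000-0000-0000-000000000000}
cmd.exe (PID = 7012) identified E:\Tools\Reporting\report.exe as Unrestricted using default rule, Guid = {00000000-0000-0000-0000-000000000000}
'@

Get-SrpDefaultRuleHits -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

Run over a long audit window, the low-count rows are the rarely executed applications slide 14 warns about; each one needs a deliberate decision (add a rule, or accept that it will be blocked) before the default level is switched.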
17 Demo #2: Configuring Whitelisting
Steps performed:
Configuring SRP Whitelisting Policies
Deploying SRP Event Notification PowerShell Script
Testing Application Whitelisting
[Optional] Testing SRP in a real AWL-Enabled Enterprise
18 Addendum: PowerShell Scripts
Download PowerShell Scripts and other files used in this presentation from the following sources:
http://blog.windowsnt.lv or https://srp.windowsnt.lv
Send AWL-related questions or comments to:
[email protected] or [email protected]
19 Q&A