
Blacklists: Cyber Defense in the Age of Advanced Persistent Threats



Given the steady stream of reports of database theft at trading companies, industrial espionage carried out with advanced persistent threats, and important data held hostage by ransomware, it is clear why many in information security have begun to abandon preventive measures in favour of threat detection and timely incident response.

Most modern security systems are built on blacklists. Yet signature analysis, antivirus products and IP reputation lists demonstrate by their own example that blacklist-based technology is no longer effective: it costs an attacker nothing to change an IP address or build a new executable. Nevertheless, many companies keep expanding networks whose security depends entirely on blacklists, and shifting effort to detection and response will not improve matters until we learn to reliably block the bulk of attacks. Moreover, IP blacklists are now very hard to compile and maintain, because with the IPv4 address space exhausted, dozens of different domains can share one address behind a content delivery network (CDN).

A striking example of a virus that inflicts heavy losses was CryptoLocker. It is usually distributed via phishing e-mails carrying an archived executable. When launched, it installs itself in the Application Data folder of the current Windows user profile. The trojan then contacts its command-and-control server, requests a cryptographic key and encrypts every file on the computer it can reach. After that the extortion begins: money in exchange for the decryption key. If the victim cannot or will not pay, the data has to be restored from backup. The authors of the virus built tooling to quickly generate new versions of the executable, which renders all signature-based detection ineffective, and generating a new malicious payload costs them almost nothing.
An effective way to combat CryptoLocker is application whitelisting on the user's computer: if an application is not trusted, it is not allowed to execute. Unfortunately, most implementations are so cumbersome and difficult that the approach has not gained much popularity. On the one hand, every enterprise and server edition of Windows ships with Software Restriction Policies or AppLocker, so the additional software cost to the company is negligible. On the other hand, rolling out whitelisting takes time and effort. But the cost of maintaining it does not exceed the cost of recovering from an "infection", and, most importantly, whitelisting cuts the risk of a security breach many times over.

Whitelisting technology has evolved markedly since the days of Tripwire, when static hashes were used to detect changes. Newer solutions such as AppLocker can build more flexible rules from publisher signatures, file hashes and file paths. With a signature rule, for example, you can whitelist an application from a certain version onward, and all later releases inherit the policy.

Although path rules are technically less robust than hash or publisher rules, they still make the attacker's work harder, because the whitelisted locations cannot be modified from non-administrator accounts. The attacker can no longer simply trick the user into running his virus disguised as a "good" application; he has to exploit a privilege escalation vulnerability, which makes the goal harder to reach. In addition, publisher and path rules let the weekend support desk handle after-hours application requests without writing new whitelisting policies, and as soon as client machines join the corporate network over VPN, they receive the updated policies for applications prepared for remote users.

Cost of infection


Consider the cost of recovering from an infection with some ordinary virus. Most companies rightly hold that a computer that has been infected can no longer be trusted and must be reinstalled from an image (System Center Configuration Manager, for example, can be used to build images). Copying data off the infected computer, checking that it is clean, rolling out the system from the image, copying the data back and running final checks takes a technician at least two hours. Even if the user is given a spare laptop for that time, some time is lost in the swap, and when the restored machine comes back there is further lost time bringing it to its usual state. Suppose a technician's hour costs $25 and a user's $50; the total cost of the restoration then comes to about $150, not counting the cost of running the imaging infrastructure and remedying any other damage. Downtime can be reduced by providing a spare laptop, but there is still a productivity loss from the swap itself, the transfer of files and data, and the installation of the needed software on the laptop.

Comparative table of the cost of restoration in a company with 800 employees:

| Cost type | Without whitelists | With whitelists |
| Number of image restores / number of new rules | 1–2 computers restored per week | 2–3 new applications per week to review and write rules for |
| Cost of one incident | $50 to restore the computer | $50 per hour of sysadmin time |
| Productivity loss | $50 user waiting for a spare computer | $25 user waiting for whitelisting |
| Annual cost | $5,200–10,400, not counting the higher risk of a serious security breach | $5,200–6,800 |

Costs rise sharply if the virus reaches important data. Computer forensics can cost hundreds of dollars per hour, and if an entire network is compromised, as often happens in large-scale attacks, a credible investigation can exceed $100,000. In 2014 the average cost of a single data breach was about $3.5 million. This is every company executive's nightmare.

The cost of white lists


Here the main expense is the time system administrators spend adding applications to the whitelist. Statistically, one application takes less than half an hour. If the user has to wait during that time, the cost of the work doubles, but even then it is half the cost of the simplest recovery from an infection. Add to this the multifold reduction in the risk of a data breach, which can be regarded as what the whitelisting costs buy.

The annual cost figures in the table are derived from incident statistics, before and after whitelisting was introduced, at the company where Aaron Beuhring and Kyle Salous work. In that IT environment the cost of supporting whitelists does not exceed the cost of recovering from infections, and the risks are far lower.

Note also that all the calculations rest on that company's workflows and pay levels; in your organization the cost of supporting whitelists may be much lower than the cost of restoration. Nothing prevents using whitelists only in the most critical areas, where the most important data is handled. But the point is not to compare costs but to reduce risk. That is the main advantage of whitelists: the cost of supporting them is not comparable with the possible losses from a leak of important data, including reputational losses.

Introduction of whitelists


For rarely updated systems, such as kiosks or point-of-sale terminals, you can apply a restrictive AppLocker policy built from the "golden" image: only the applications present in that image may run. On more dynamic systems, the default rules can be combined with restricted administrative privileges, allowing execution only from folders that only administrators can write to. For more flexible rules you can add publisher control, that is, run only applications signed by trusted vendors. This is of course no panacea; the scheme has its own weak points, for example scripting languages or software exploits, and each of these possible routes of entry needs separate attention.

Information security best practice says end users should not be administrators and should not even have administrative rights on their own computer. Viruses often use carefully thought-out social engineering to infect a machine; typical tricks include persuading the user to click a link, open a document or install an application outright. There is no way to keep users from falling into such traps. So to protect computers and networks, the trust level of any executable code must be verified and confirmed, and this must be done by people who can vouch for the legitimacy of each application. The idea seems to frighten many in the information security industry, yet it remains the most effective protection available today. It is not revolutionary at all: it only means enforcing the policies and procedures that we, as IT security experts, have already written.

End users are issued computers with approved applications of specific versions installed, whose functionality and compatibility have been tested. Whitelisting means identifying programs and granting explicit permission to run them: each new application is first whitelisted and only then deployed to a machine or to the networked working environment.

With a VPN, whitelists can be deployed quickly both locally and remotely. By default, anything installed in the Program Files or Windows folders may run. Publisher control lets any code signed by a trusted vendor be installed and executed, which reduces whitelist maintenance: rules only need to be written for unsigned applications. When configured correctly, users do not have administrator rights, cannot change the contents of the Program Files and Windows folders, and cannot install applications. Each machine can have a separate local admin account with a unique password, which the support desk uses to install software remotely.

Whitelists block common infection vectors and common persistence techniques. If attackers cannot rely on their droppers, they have to rely on software exploits for remote code execution. That usually gives them remote access, which is lost, however, when the system reboots or the compromised process is terminated. Persistence is usually achieved by installing a backdoor, most often in the user's AppData folder, because that requires no administrative rights. But if the whitelist forbids execution from anywhere other than Program Files and Windows, the backdoor will not start, and the attacker has to look for a way to escalate privileges.
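The model described in the preceding paragraphs (execution allowed only from Program Files and Windows, a publisher rule for a trusted vendor from a given version onward, administrators exempt, everything in AppData denied by default) can be written down as one AppLocker policy and tested before it is enforced. The script below is an added example, not code from the article or from Microsoft; it assumes an enterprise or server edition of Windows with the AppLocker PowerShell module, an elevated prompt, and a placeholder vendor name ("EXAMPLE VENDOR") that you would replace with the PublisherName that Get-AppLockerFileInformation reports for a real signed binary.

```powershell
# Added example: build, dry-run and enforce an AppLocker policy for the whitelisting model above.
# Assumptions: AppLocker module present, elevated PowerShell, placeholder vendor name below.

# Start in AuditOnly: would-be blocks are logged (event 8003) but nothing is stopped.
# Switch to 'Enabled' only once the audit period shows no false positives.
$mode = 'AuditOnly'

# Rule GUIDs only have to be unique within the policy, so they are generated fresh here.
$rules = @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Trusted vendor, version 2.0 and later" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=ANYTOWN, S=ANYSTATE, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="2.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@

# The same rules cover executables and DLLs; AppLocker is deny-by-default for any
# collection that has rules, so AppData and other user-writable locations get no rule at all.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$rules
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="$mode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'whitelist-policy.xml'
[System.IO.File]::WriteAllText($policyPath, $policyXml)   # UTF-8 without BOM

# Dry run: a known-good signed binary copied into the per-user AppData folder stands in for a
# dropped backdoor (nothing is executed). Ask AppLocker what it would decide for Everyone.
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\dropped-sample.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:WINDIR\System32\notepad.exe",   # expected: Allowed, matching rule "Windows"
    $dropped                              # expected: DeniedByDefault, no rule covers AppData
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item $dropped -Force

# Apply locally. AppLocker needs the Application Identity service; on recent Windows builds its
# startup type can only be changed with sc.exe. For a domain rollout, pass -Ldap with the GPO
# path to Set-AppLockerPolicy instead of writing the local policy.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Leave the policy in AuditOnly for a week or two and review the 8003 events in the "Microsoft-Windows-AppLocker/EXE and DLL" log; every hit is either an application that still needs a rule or an execution attempt that the enforced policy would have stopped.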

Many viruses use exploits for known vulnerabilities, infecting user machines when they visit compromised sites. This attack vector can usually be defended against by regularly patching commonly used software. If an attacker cannot use known exploits, he has to develop his own zero-day attack. That is no trivial task, judging by bug bounty payouts and black-market prices: a reliable zero-day attack can cost more than $100,000. The attacker also has to use it sparingly, so that the vulnerability does not become known and get patched, and only where the potential gain covers the acquisition cost; otherwise the whole exercise is pointless.

Software developers can make exploit development considerably harder with a number of measures, such as the memory-hardening techniques DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization) and SEHOP (Structured Exception Handler Overwrite Protection). To find out whether these were enabled when the executables of the applications you use were built, you can use the BinScope utility or PowerShell scripts. If they were not, the mitigations can be imposed with EMET (Enhanced Mitigation Experience Toolkit). Research shows that it can still be bypassed, but that takes more time and effort.
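The "PowerShell scripts" the paragraph mentions amount to reading the PE optional header: the linker records DEP and ASLR opt-in as bits of the DllCharacteristics field. The script below is an added example (not the article's code and not BinScope) that decodes those bits for every executable and DLL under Program Files and lists the binaries that would need EMET to enforce the mitigations. SEHOP is a system-wide setting rather than a per-binary flag, so it is read from the registry value that controls it. The flag values and header offsets are taken from the PE/COFF specification; the only assumption is that the files are readable.

```powershell
# Added example: report compile-time exploit mitigations recorded in a PE image's header.
# Flag and offset values are from the PE/COFF specification.

function Get-PeMitigations {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    # "MZ" DOS header; e_lfanew at 0x3C points to the "PE\0\0" signature.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not a PE image: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0x40 -or ($pe + 96) -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "Bad PE signature: $Path"
    }
    # The 20-byte COFF file header follows the signature; the optional header follows that.
    $opt   = $pe + 4 + 20
    $magic = [BitConverter]::ToUInt16($b, $opt)        # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    $dllc  = [BitConverter]::ToUInt16($b, $opt + 70)

    [pscustomobject]@{
        File          = $Path
        Arch          = if ($magic -eq 0x20B) { 'x64' } elseif ($magic -eq 0x10B) { 'x86' } else { 'unknown' }
        DEP           = [bool]($dllc -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        ASLR          = [bool]($dllc -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA = [bool]($dllc -band 0x0020)   # 64-bit ASLR with full entropy
        CFG           = [bool]($dllc -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
        NoSEH         = [bool]($dllc -band 0x0400)   # image declares it uses no SEH handlers
    }
}

# SEHOP is system-wide: DisableExceptionChainValidation = 0 means enabled, 1 means disabled.
function Get-SehopState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $v = (Get-ItemProperty -Path $key -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $v) { 'not set (OS default applies)' } elseif ($v -eq 0) { 'enabled' } else { 'disabled' }
}

# Survey: binaries that lack DEP or ASLR are the candidates for EMET enforcement.
"SEHOP: $(Get-SehopState)"
Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-PeMitigations $_.FullName } catch { } } |
    Where-Object { -not ($_.DEP -and $_.ASLR) } |
    Format-Table File, Arch, DEP, ASLR, HighEntropyVA, CFG -AutoSize
```

Note that a set DYNAMIC_BASE bit only says the image is relocatable; on 64-bit Windows the stronger guarantee is HighEntropyVA, and an x64 binary without it still gets only the low-entropy form of ASLR.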

If your company uses a SIEM (Security Information and Event Management) system, you know that a large, busy network always produces a lot of noise. The SIEM collects activity logs from all the major network nodes and end-user machines, normalizes them, correlates events across several sources, and alerts on suspicious activity. Once the measures above take care of low- and mid-level attacks, the SIEM can be tuned to look for the rarer, more telling events that indicate attempts to bypass EMET, AppLocker or the firewall, with alerts to match. Even if such an attack succeeds and attackers get into your systems, they will be easier to detect and remove.
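What a SIEM rule for "attempts to bypass AppLocker" consumes is the AppLocker event log, where event 8004 records an execution that was blocked and 8003 one that would have been blocked under AuditOnly. The script below is an added example, not the article's code, that runs the same query locally with Get-WinEvent, extracts the fields the event XML carries, and separates the daily digest (who keeps hitting the whitelist) from the alert-worthy case (an unsigned binary that tried to run from a user profile, the dropper and backdoor pattern described earlier). It assumes AppLocker is configured with the Application Identity service running, and that the SIEM receives these events in the same shape through Windows Event Forwarding or an agent.

```powershell
# Added example: triage AppLocker block / audit events the way a SIEM correlation rule would.
# Assumes AppLocker is configured and the "EXE and DLL" log is populated.

function Get-AppLockerBlockEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004           # 8003 = AuditOnly would-block, 8004 = blocked
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        # TargetUser is a SID; resolve it to an account name where possible.
        $user = $data.TargetUser
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$user).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Outcome     = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
            User        = $user
            FilePath    = $data.FilePath       # AppLocker form, e.g. %OSDRIVE%\USERS\...\APPDATA\...
            FileHash    = $data.FileHash
            Publisher   = $data.Fqbn           # "-" when the binary is unsigned
            ProcessId   = $data.TargetProcessId
            # Execution attempts from a writable profile folder are the pattern worth an alert.
            FromProfile = [bool]($data.FilePath -match '^%OSDRIVE%\\USERS\\')
        }
    }
}

$blocks = Get-AppLockerBlockEvents -Hours 168

# Digest view: which users keep hitting the whitelist, and how often.
$blocks | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Alert view: unsigned binaries that tried to run from a user profile, one line per hash.
$blocks | Where-Object { $_.FromProfile -and $_.Publisher -eq '-' } |
    Sort-Object FileHash -Unique |
    Format-Table Time, Outcome, User, FilePath, FileHash -AutoSize
```

The same query against the "Microsoft-Windows-AppLocker/MSI and Script" log with IDs 8006 and 8007 covers the script rule collection; the FileHash column is what you would pivot on across machines to see whether one dropped binary has turned up on several hosts.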

Of course, whitelists will not solve every security problem. Someone may still get into your network through an unpatched vulnerability or a zero-day attack. But even then whitelists reduce the persistence of the intruder's tools, and attackers will find it harder to reach privileged systems. In other words, you make it so hard to break into and stay in your network that less capable attackers will prefer easier targets.

For built-in scripting languages such as batch files, VBScript and PowerShell, AppLocker has script rules that can be used to prevent installing and launching the interpreter. Any whitelisting technology has many nuances to consider, for example macros in Microsoft Office documents or JavaScript in PDFs and web browsers. Even so, whitelisting executables and dynamic link libraries alone will block almost all mass-market viruses and most advanced persistent threats. One Mandiant report, for instance, described a phishing e-mail linking to a ZIP archive containing an executable with a PDF icon. Norton Antivirus did not detect it; a whitelist would have prevented it from running.

If you can limit those who can get past your defences to highly skilled individuals and organizations with enough resources to develop a successful attack against whitelists and exploit mitigations, you significantly reduce your risks and raise the odds of detecting attacks. You no longer need to worry about those who simply bought viruses on the black market and send phishing e-mails, and the freed-up resources can go towards detecting the activity of more cunning intruders.

Source: https://habr.com/ru/post/280706/
