White, grey and black - lists...

By Karel Rode, security consultant at Performanta Consulting.
Johannesburg, 11 Dec 2012
[Source: http://www.everything-microsoft.com/2010/07/16/malware-attacks-exploiting-windows-xp-vulnerabilities/]

Having just completed reading Zero Day, a novel by Mark Russinovich, where a massive malware outbreak all but cripples various sectors of industry, including airliners, power, hospitals and finance, to name a few, I am again reflecting on how my years of exposure to advanced systems management solutions and information security management have shaped my views and thoughts.

As unsettling as it may sound, the reality is that systems must be updated, yet cleverly engineered Trojaned applications can ride in on those very update waves and, if programmed to do so, commence devastating destruction.

Imagine for a moment an automated pain dosing system in a hospital that receives a programmed instruction to increase all dosages 10- to 100-fold. The consequence would be tragic; likewise, a malfunction of the highly redundant flight control systems in today's 'fly by wire' aircraft could only have the same devastating outcome.

Malware as we know it today is evolving and will evolve even further going forward. Where malware authors once focused on publicising their skills, we now see creative ways to monetise through the exploitation of new and old vulnerabilities.

We can also agree that the user is probably the easiest target for exploitation, and that technical vulnerabilities within operating systems and applications take a much greater effort to expose. Moreover, anti-malware vendors are all reporting significant increases in the rate at which new or modified variants of malicious code are submitted to them; bad news for system admins, security teams and users alike.

Updating anti-virus signatures and managing operating system and application patches are becoming more and more demanding as the rate of updates and changes accelerates, leaving a threat exposure window that is forever widening.

As all purely signature-based approaches to malware detection and remediation are reactive by nature, that is, only capable of responding to the "known bad", the malware exposure window will keep widening as time marches on.

Could application white listing be the silver bullet? During my time with a well-known ISV, I was fortunate to be exposed, as a user, to some very good end-user system management tools.

Ongoing development in vulnerability management tools and anti-virus capabilities, as well as security information and event management tools, led me to believe that this company knew how to deal with users, with user demands for self-service access to COTS applications, and with strict policy enforcement of what are 'approved for business use' applications.

Technically, they managed an application white list using system management tools capable of uninstalling non-approved software from an end-user computing device. Trust me, it was not a draconian system, but rather one that involved the user throughout the process.

I eventually asked the obvious question: "Can the end-user systems management tool provide a list of approved end-user applications that can be consumed by the anti-virus software, allowing those applications that are listed as safe to compute, and treating all others as grey?"

Given the federated nature of the organisation and limited cross-communication, I never saw a response, but to this day we can still see the value of integrating information from an application configuration management database with the advanced features of malware detection software.

Consuming a white list of approved applications, rather than a black list of sheer magnitude, is a far more manageable option, particularly with user input and a closed-loop feedback system to the CMDB whenever applications that are not defined on the approved-for-use list are found on a user device.

How will this increase my malware detection rates and reduce recovery times from such attacks or negate system compromise?

Knowing what is approved for use gives the application stack a set of known and approved services and TCP ports that should be used for day-to-day computing tasks. Profiling usage patterns also establishes what falls outside that norm, so investigative effort can focus on deviations from it.

Moreover, having a list of trusted applications means that all non-approved applications and processes can be deemed suspect and, through systems management tools or host-based intrusion prevention technologies, suspended or terminated in a controlled and audited manner.
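As an added illustration (not part of the original column), the following Python sketch shows the approach described above: an endpoint's process inventory is checked against a CMDB allowlist of approved executables, their build hashes and the TCP ports they are expected to use; anything unlisted is grey, anything listed but deviating is suspect, and both produce feedback records for the CMDB owner. All paths, hashes, ports and process contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed allowlist standing in for an export from the application CMDB:
# approved executable path -> SHA-256 of the approved build and its expected TCP ports.
APPROVED = {
    r"C:\Program Files\Mail\mail.exe": {"sha256": hashlib.sha256(b"mail build 7.2").hexdigest(), "ports": {25, 143, 993}},
    r"C:\Program Files\Browser\browser.exe": {"sha256": hashlib.sha256(b"browser build 18").hexdigest(), "ports": {80, 443}},
}

@dataclass
class Observed:            # one running process as reported by an endpoint agent
    path: str
    image: bytes           # executable contents as read from disk (constructed here)
    listening: set = field(default_factory=set)

@dataclass
class Verdict:
    path: str
    status: str            # "approved", "suspect" or "grey"
    reason: str
    cmdb_feedback: bool    # True when the CMDB owner must review this item

def classify(obs: Observed, approved=APPROVED) -> Verdict:
    entry = approved.get(obs.path)
    if entry is None:
        # Not in the CMDB at all: grey, and the closed loop needs a record.
        return Verdict(obs.path, "grey", "not on approved-for-use list", True)
    if hashlib.sha256(obs.image).hexdigest() != entry["sha256"]:
        # Approved path but a different binary: suspect, not merely grey.
        return Verdict(obs.path, "suspect", "hash differs from approved build", True)
    unexpected = obs.listening - entry["ports"]
    if unexpected:
        return Verdict(obs.path, "suspect",
                       f"listening on unapproved ports {sorted(unexpected)}", True)
    return Verdict(obs.path, "approved", "matches CMDB record", False)

def review(inventory, approved=APPROVED):
    # Classify every process; return all verdicts plus the subset needing CMDB feedback.
    verdicts = [classify(o, approved) for o in inventory]
    return verdicts, [v for v in verdicts if v.cmdb_feedback]

# Constructed inventory from one endpoint: a clean mail client, a browser whose
# binary no longer matches the approved build, and an unlisted executable.
INVENTORY = [
    Observed(r"C:\Program Files\Mail\mail.exe", b"mail build 7.2", {143}),
    Observed(r"C:\Program Files\Browser\browser.exe", b"browser build 18 hotfix", {443}),
    Observed(r"C:\Users\Public\updater.exe", b"unknown build", {8081}),
]
```

Calling `review(INVENTORY)` yields one approved verdict and two feedback records, which is the closed loop back to the CMDB that the column describes.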

By blocking untrustworthy applications from executing, we reduce the attack surface that a standard computer presents. With fewer intrusions from malware, we have less work to recover infected systems, freeing up the anti-virus software to deliver on the promise of finding the known bad that it was tooled for in the first place.
