Analyzing the data processed by CERT-RO over the past few years on various malware alternatives, as well as the information published by various cybersecurity organizations during this period, there is an obvious trend to diversify, specialize and increase the complexity of malware, whether we are talking about APT (Advanced Persistent Threats), botnet, bank botnets or Ransomware.

Malicious software is one of the most widespread and dangerous types of cyber threats, primarily because of the negative impact it can have on an infected computer system.

There are currently a variety of techniques and technologies designed to combat this type of threat, such as well-known antivirus solutions, firewalls, IDS, IPS, etc., which are still quite effective. However, this text is about the “Application Whitelisting” concept, which I consider its implementation as of particular importance for combating the malware threat.

“Application Whitelisting” involves implementing a mechanism to ensure that only an authorized / known (approved i.e. whitelisted) software runs within an IT system.

At first glance, it seems idealistic and perhaps this is one of the main reasons why such a mechanism does not have a high implementation rate, especially among small organizations and even households. The concept itself is not something new, as it represents an application-level extension in the TCP / IP stack of the “default deny” approach (not allowed by default) long-used by firewall technologies.

The correct implementation of “Application Whitelisting” implies:
Tools to facilitate the identification of executables and software libraries (such as DLL in Windows) and which allow or block their running;
Methods for identifying executables and software libraries should not be based on poor rules, such as the file name or its location in the directory structure. The most effective method is to identify them based on their digital certificates or, if not signed, on the basis of “hash” digital fingerprints;
ACLs (Access Control Lists) that prevent users from changing the allowed list of software.

Currently, “Application Whitelisting” is considered to be one of the most important strategies for combating malware threats. There are already several technical solutions that can be implemented, including by home users, especially in Windows operating systems where implementation can be done using the tools already contained by the operating system:
SRP (Software Restriction Policies) – a feature in the Group Policy tool, starting with Windows XP;
AppLocker – the recommended tool from the Windows 7 operating system, with the same purpose as the SRP facility of the Group Policy.
For Linux / Unix operating systems, the implementation of “Application Whitelisting” can be a bit more difficult and resource heavy, meaning it is not natively supported by the kernel, and there is no tool dedicated to this in the major Linux distributions. However, there are some commercial solutions that facilitate implementation, but they depend on the kernel version used and problems with upgrades may occur. Other alternatives would be using the SELinux or AppArmor tools, although they were not designed for this purpose and would require consistent implementation and testing resources.

In some cases, the implementation of “Application Whitelisting” may prove difficult and resource-consuming, but the benefits from preventing malware infections are considerable. Furthermore, a high level of visibility is gained regarding executable files and software libraries introduced into an information system, which is a very useful aspect of the cybersecurity incidents investigation process.
In conclusion, although no security solution can be considered a panacea, “Application Whitelisting” is probably the most effective way to reduce the impact of malware in today’s computer systems.

Cătălin Pătraşcu | Head of Information Security and Monitoring Department, CERT-RO

Other Magazines