Whitelisting: there is more to it than just blocking or allowing applications


As a technical control it is one of the strongest, yet it is often not used at all, or used only for controlling applications (software). Many people argue against it because it is expensive and fiddly to install and maintain. Defence wise, it can stop unknown malware from executing and installing, and it can stop users installing unlicensed software, saving licensing disputes. Whitelisting can be applied to almost anything, which we will explore later.

What is wrong with blacklisting, you may ask? It effectively permits 99% of the World Wide Web (or of software) and tries to block the 1%. That 1% changes by the second and no service or product can ever keep on top of it. Antimalware companies run hours or days behind. Spear phishing websites may only exist for minutes or hours. Take a white-collar criminal for instance: you cannot profile one as 42 years old, navy striped jacket, reddish tie, cufflinks, gold watch and jewellery, illicit white powder on the table and surrounded by women. If you have not worked it out yet, this is DiCaprio in The Wolf of Wall Street. Trying to block the 1% simply does not work, and products cannot profile the bad either, because profiling does not work.

Think of a night club; let’s pick Boujis, the royal and celebrity night club in salubrious South Kensington, West London. On some nights they operate on a guest-list-only basis. Turn up and they check your name (and identification) against a paper list. If you are not on the list, the smartly dressed SIA door supervisors deny you access, thus keeping out undesirables, criminals, terrorists or people simply not classy enough.

Application whitelisting (and the other types we will come to) works the same way. It typically operates on a hash (a unique ID of the file’s contents), file name, product name, digital signature and vendor (Oracle, Microsoft, McAfee, Symantec, HP etc.). So if an attacker sends you a fake 7-Zip installer, you can download it but it will not run, since the “installer” is not actually made by 7-Zip. This saves an infection and is stronger than antimalware, since the file may be a zero-hour attempt or a unique targeted attack.
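To make the hash rule concrete, here is a small added example in Python (my own illustration, not code from the post or from any whitelisting product). It builds two constructed files that share the name 7z-setup.exe, puts the SHA-256 of the “genuine” one on an allowlist, and shows that a hash rule blocks the look-alike while a rule keyed only on file name would wave it through. Paths, file contents and allowlist entries are all made up for the demonstration; a real product would also check the digital signature and vendor, which this snippet does not attempt.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_hash(path, approved_hashes):
    """Hash rule: the file may run only if the hash of its contents is on the list.
    The file name plays no part, because the attacker chooses the file name."""
    return sha256_of(path) in approved_hashes


def allowed_by_name(path, approved_names):
    """Name rule, shown only to contrast with the hash rule: anything called
    '7z-setup.exe' is accepted, which is exactly what a fake installer relies on."""
    return os.path.basename(path) in approved_names


def demo():
    """Two files with the same name: a constructed stand-in for the genuine installer
    that was placed on the allowlist, and a constructed stand-in for a fake one that
    arrived by e-mail. Returns (genuine verdict, fake verdict) for each rule."""
    with tempfile.TemporaryDirectory() as root:
        vendor_dir = os.path.join(root, "vendor_download")
        mail_dir = os.path.join(root, "email_attachment")
        os.makedirs(vendor_dir)
        os.makedirs(mail_dir)
        genuine = os.path.join(vendor_dir, "7z-setup.exe")
        fake = os.path.join(mail_dir, "7z-setup.exe")
        with open(genuine, "wb") as handle:
            handle.write(b"MZ... constructed stand-in for the genuine installer bytes")
        with open(fake, "wb") as handle:
            handle.write(b"MZ... constructed stand-in for a dropper using the same file name")

        # The allowlist is built from the vendor copy before any untrusted file arrives.
        approved_hashes = {sha256_of(genuine): "7-Zip installer (constructed entry)"}
        approved_names = {"7z-setup.exe"}

        return {
            "hash_rule": (allowed_by_hash(genuine, approved_hashes),
                          allowed_by_hash(fake, approved_hashes)),
            "name_rule": (allowed_by_name(genuine, approved_names),
                          allowed_by_name(fake, approved_names)),
        }


if __name__ == "__main__":
    for rule, (genuine_ok, fake_ok) in demo().items():
        print(f"{rule}: genuine={'run' if genuine_ok else 'block'}, "
              f"fake={'run' if fake_ok else 'block'}")
```

Running it prints that the hash rule runs the genuine file and blocks the fake, while the name rule runs both, which is why file-name rules belong at the bottom of any whitelisting policy.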

TeamViewer is a good example of “genuine” software. It is made by a reputable company, is virus free and is digitally signed. Like anything, though, it can be used for good or bad, just as a knife can save a life on an operating table or carry out a gang-land hit. TeamViewer could be used to bypass controls and will not be stopped by antimalware, since it is not a virus. It communicates over port 443 (HTTPS), which is not blocked as standard, since it cannot be.

Moving on from application whitelisting… Malware infections typically start with an exploit; the malware then downloads its payload and communicates back over different “random” URLs or IPs generated by a DGA (domain generation algorithm). Would it not be good if you could block both stages? Web security gateways operate by scanning traffic (likely not HTTPS) and downloads, and by categorising URLs. Again, they can never have an up-to-date category list, catch everything or have total visibility. Solution? Whitelist URLs, rather than just blocking known bad categories like gambling, pornography, spam, phishing and malware sites.

Employees come to work, not to read news, watch videos and gamble all day (unless you are a gaming firm, maybe). How about reversing the method? Only allow known safe and productive sites and block everything else. Firstly it may increase productivity (and annoy users, yes), but it also stops people getting infected and stops current infections from communicating back to CnC (command and control) servers. Send a survey to permanent staff asking them what they want to visit, then have HR and information security vet the list and implement it. Main sites like news, banking, business sites etc. are allowed but others are not. Thus if a spear phish comes through and someone clicks on it, the link will most likely never load.
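The URL whitelist described above, as an added worked example in Python (my own illustration, not code from the original post or from any gateway product). The allowed domains, the proxy log lines and the look-alike hostnames are all constructed. It shows the two details that matter when you implement this yourself: matching on whole DNS labels, so a phishing host that merely contains an allowed name is still blocked, and using the hostname the browser would actually connect to rather than whatever appears first in the URL. The same label-wise matching applies to the DNS whitelist mentioned later in the post.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registered domains the business has vetted.
# Subdomains of these are allowed too (news.example covers www.news.example).
ALLOWED_DOMAINS = {"news.example", "bank.example", "intranet.example"}


def hostname_of(url):
    """Extract the host the browser would actually connect to.
    urlsplit().hostname lower-cases it and strips the port and any user@ part,
    so 'https://news.example@evil.example/' correctly yields 'evil.example'."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Label-wise match: the host equals an allowed domain or sits below one.
    A plain suffix test would accept 'notnews.example'; a prefix test would
    accept 'news.example.phish.example'. Neither passes here."""
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def decide(url, allowed=ALLOWED_DOMAINS):
    """'allow' or 'block' for one requested URL; anything unparseable is blocked."""
    host = hostname_of(url)
    if not host:
        return "block"
    return "allow" if host_allowed(host, allowed) else "block"


# Constructed proxy log lines (time, client, URL) of the kind a gateway records.
SAMPLE_LOG = """\
2024-01-10T09:01:12Z 10.1.1.15 https://www.news.example/world
2024-01-10T09:01:40Z 10.1.1.15 https://bank.example:443/login
2024-01-10T09:02:05Z 10.1.1.23 https://news.example.account-verify.example/
2024-01-10T09:02:06Z 10.1.1.23 https://news.example@203.0.113.9/
2024-01-10T09:02:30Z 10.1.1.23 http://notnews.example/
2024-01-10T09:05:00Z 10.1.1.31 http://xk3jd9qpl7.example/gate.php
"""


def triage(log_text):
    """Run the allowlist over each log line; return (allowed hosts, blocked hosts)."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, url = line.split(maxsplit=2)
        (allowed if decide(url) == "allow" else blocked).append(hostname_of(url))
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LOG)
    print("allowed:", ok)
    print("blocked:", bad)
```

Only the first two lines of the sample log are allowed; the look-alike subdomain, the user@host trick, the near-miss name and the DGA-style random host are all blocked without any of them needing to be on a blacklist first.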

Network application control, which works at layer seven, has existed for years and is a function within UTM (unified threat management) firewalls and web security gateways. It operates on the same principle as endpoint application whitelisting but looks at traffic instead. It is a little like an IPS (intrusion prevention system), which uses signatures. You can block applications like Skype, TeamViewer, Ammyy etc. Thus even if someone installed Ammyy (iffy remote access software) it would be blocked regardless. Or, to make it stronger, only permit certain applications outbound, to stop unknown malicious applications from talking back.

Two other whitelisting defence options. 1. DNS: only permit certain domains. This is powerful since DNS sees all endpoints, servers and ports, and it can also highlight an infection. DNS is a core protocol, so it is a great place to start. 2. Only permit certain IPs for the administration back-end of public-facing sites. Say you have a CMS (content management system) whose front end is used by the public; the back-end should only be reachable from certain IPs. Think of off-the-shelf products like Joomla, Drupal, WordPress etc. This is not a malware control, but it helps secure publicly facing websites.
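An added example of the back-end IP restriction, in Python (my own illustration, not code from the post or from any CMS; in production this policy normally lives in the web server's allow/deny rules or in a firewall in front of it). The office ranges and proxy range are constructed; the admin paths are the well-known defaults of WordPress, Joomla and Drupal. The part practitioners most often get wrong is the X-Forwarded-For header: it is client-supplied text and must only be believed when the request really arrived through your own reverse proxy, otherwise anyone can claim an office address and walk past the restriction.

```python
import ipaddress
import posixpath

# Constructed policy: only these source networks may reach the CMS back-end.
ADMIN_ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),    # office egress range (constructed)
    ipaddress.ip_network("2001:db8:10::/48"),  # office IPv6 range (constructed)
]
# Our own reverse proxies; only they are believed about X-Forwarded-For (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Default back-end paths of common off-the-shelf CMSs: WordPress, Joomla, Drupal.
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/administrator", "/user/login")


def is_admin_path(path):
    """Normalise '..' and trailing slashes first, so '/public/../wp-admin/' is
    still recognised as a back-end request."""
    path = posixpath.normpath(path)
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def client_ip(peer_ip, xff_header=None, trusted_proxies=TRUSTED_PROXIES):
    """The address to test against the allowlist.
    X-Forwarded-For is honoured only when the TCP peer is one of our proxies, and
    then walked from the right, skipping our own hops, so a client that prepends
    a fake office address to the header gains nothing."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not any(peer in net for net in trusted_proxies):
        return peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket address
        if not any(addr in net for net in trusted_proxies):
            return addr
    return peer


def decide(peer_ip, path, xff_header=None):
    """'allow' for public pages; back-end paths only from the allowed networks."""
    if not is_admin_path(path):
        return "allow"
    addr = client_ip(peer_ip, xff_header)
    return "allow" if any(addr in net for net in ADMIN_ALLOWED_NETS) else "deny"


if __name__ == "__main__":
    # Constructed requests: (socket peer, path, X-Forwarded-For header or None)
    requests = [
        ("198.51.100.7", "/index.php", None),                      # public page
        ("203.0.113.5", "/wp-admin/", None),                       # from the office
        ("198.51.100.7", "/wp-admin/", None),                      # from the internet
        ("198.51.100.7", "/wp-admin/", "203.0.113.5"),             # forged header, no proxy
        ("10.0.0.2", "/wp-admin/", "203.0.113.5"),                 # via our proxy, office client
        ("10.0.0.2", "/wp-admin/", "203.0.113.5, 198.51.100.7"),   # via proxy, forged prefix
    ]
    for peer, path, xff in requests:
        print(f"{peer:14} {path:12} xff={xff!s:28} -> {decide(peer, path, xff)}")
```

The policy is deliberately path-based rather than port-based because the front end and back-end of a CMS share the same virtual host; restricting the whole site would lock the public out too.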

Whitelisting is an excellent defence and can prevent the unknown that other controls miss. Turn your company into an exclusive (night) club where only desirables are let in and out!