Is Whitelisting a panacea? | Peter Cohen

BizInsight-on-BizRadio-600x250.jpg

insight

So what is Whitelisting exactly? In lay mans terms: the use of anti-spam filtering software to allow only specified e-mail addresses to get through…mwr-logo

Whitelisting is correctly seen as an important security control and is considered so effective against targeted attacks that the Australian DSD rated it one of the four most important controls. By allowing only approved processes to run, whitelisting can significantly raise the bar for attackers and if attempted policy bypasses are investigated, be an early-day warning of an attack.

“However, whitelisting does not prevent attack, it just makes it harder for the attacker. Organisations that may be targeted by more advanced actors need to consider whitelisting merely as part of a mature set of controls and account for its weaknesses.”

However, whitelisting does not prevent attack, it just makes it harder for the attacker, and organisations that may be targeted by more advanced actors need to consider whitelisting merely as a component of a mature set of security controls that provide much stronger holistic protection in combination than whitelisting would alone.

A number of actors have been observed using strategies that bypass the whitelisting in place and as it grows in popularity then this will only become more common.
Memory-resident exploits

Many attacks exploit web browsers or common document editing software, such as Microsoft Office or Adobe Reader, in order to gain code execution inside the process that was exploited. At this point, more common attacks will use the code execution achieved to download full-feature malware as a binary executable to run on the system. This would be prevented by whitelisting as the downloaded malware would not be allowed to run.

However, more advanced attackers will not download a binary directly and may remain fully memory-resident within the memory space of the exploited process. To avoid losing control when the targeted software is exited, the memory-resident malware may migrate to the memory space of another approved process that is expected to remain running for as long as the system is powered on, such as explorer.exe.

Alternatively, a new approved process may be launched and used specifically to host the memory-resident malware. This technique is known as “process hollowing” and involves launching an approved process permitted by whitelisting and replacing the executable code in memory with malicious code. Recently, “Duqu 2” made use of this technique to make it appear that legitimate security software was running and active whilst really rendering them inactive and simultaneously using them to host Duqu’s own malicious code.

Alternatively, a new approved process may be launched and used specifically to host the memory-resident malware. This technique is known as “process hollowing” and involves launching an approved process permitted by whitelisting and replacing the executable code in memory with malicious code. Recently, “Duqu 2” made use of this technique to make it appear that legitimate security software was running and active whilst really rendering them inactive and simultaneously using them to host Duqu’s own malicious code.

However, this technique is not limited to use against administrative users. Privilege escalation attacks could be used as a second stage attack in order to get around whitelisting.
For example, our security consultants used a kernel exploit as part of a Chrome browser exploit in Pwn2Own to both gain remote code execution and escalate privileges to break out of the browser sandbox and gain administrative level access. At this point, whitelisting protection could be disabled.mwr-logo

Poorly configured whitelists

Whitelists are a good control but not all whitelists are created equal. Each organisation will set up a whitelist that suits its working habits and in MWR’s experience, there are often holes in the whitelisting that an attacker can exploit to gain persistence. Common flaws include:

  • Validating only the program name – this can easily be circumvented by renaming
  • No validation of DLL loads – common tools such as rundll32.exe can be used to load executable content as DLLs instead
  • Writable paths – Path rules are commonly used to allow execution and if these are writable then the whitelist can be bypassed by writing malicious executable content to the allowed paths

By identifying a flaw such as these, the attacker can compromise a system with whitelisting in place.

Scripting and bytecode engines
Many whitelisting tools monitor native binary loads but do not appropriately account for other ways of executing arbitrary code. These are common scripting and byte code engines that are either default or commonly installed by enterprises and can be used to achieve arbitrary code execution. Common examples include:

  • Java
  • PowerShell
  • Office Macros
  • VBScript
  • Batch files
  • InstallUtil bypass

Our security consultants have successfully exploited environments with whitelisting in place using some of these technologies. Many whitelisting solutions cannot directly control these technologies other than to fully disable the entire scripting engine, which is often not viable when the technology is required for business applications.

Attacking hosts not subject to whitelisting

A simple bypass assumes not all hosts in an environment will be using whitelisting. Whilst whitelisting might have been rolled out to the majority of corporate desktops, alternative operating systems such as servers, Linux desktops and OSX hosts may not be whitelisted so aggressively. By targeting these hosts, attackers can gain the foothold on the network they need. For example, by targeting a Linux hosted web application or a marketing user with a MacBook, it may be that whitelisted solutions focused on windows hosts can be avoided completely.

Similarly, not all user profiles are subjected to whitelisting restrictions. Typically administrators and sometimes developers are able to run arbitrary executable code and so whitelisting can often be avoided by targeted these users. They also often have the highest privileges on the network and so are particularly attractive targets for an attacker anyway.

Prevention alone is not enough – attack detection is required

Application whitelisting is a great preventative security control and is arguably the most effective first line of defence against initial endpoint compromise. However, no security control can protect against every attack and so it does not replace the need for good attack detection for when preventative controls fail.

A large enterprise without strong whitelisting controls is likely to have endpoints compromised by generic malware and adware that anti-virus misses regularly. An advanced attack is likely to slip under the radar easily in this situation.

Whitelisting can help reduce the noise of common malware infections, such that if a confirmed compromise is detected on a well patched endpoint with strong application whitelisting in place, then it is immediately cause for a stringent investigation, as it is much more likely to be the result of an advanced, targeted attack. Additionally, due to the low noise from common malware infections there should be much more resource available for investigation.

 

https://www.mwrinfosecurity.com/

 

mwr-logo

 

About eBizRadio

eBizRadio is a live multi- platformed social media service providing an online forum to the business community for holding conversations on the key issues related to specific businesses as well as availing a space for cross-business collaboration in response to key issues affecting the world of business. The place to go if you want to know about business and lifestyle
Don't be shellfish...Share on Reddit
Reddit
0Tweet about this on Twitter
Twitter
Share on Facebook
Facebook
0Email this to someone
email
Share on LinkedIn
Linkedin
eBizRadio

eBizRadio

eBizRadio is a live multi- platformed social media service providing an online forum to the business community for holding conversations on the key issues related to specific businesses as well as availing a space for cross-business collaboration in response to key issues affecting the world of business. The place to go if you want to know about business and lifestyle

scroll to top

Login

Please enter the correct answer: *


Register | Lost your password?