Advanced Persistent Threats
Most well-known breaches have been executed by intruders targeting a particular organization or entity with a specific intent. The attacker's software is compiled and packaged in the final moments before the attack, which often leaves it unknown and unidentifiable to conventional perimeter security mechanisms. Some recent attacks were executed by foreign entities, possibly even foreign governments, and were politically motivated. These political attacks are very well organized, carried out by groups of people united by a common agenda. However, the evolution of data breaches is no longer so much cyber warfare as cyber civil warfare launched by hacktivists. What we are now seeing evolve are attacks that amount to full-out, well-planned cyber robbery and cyber civil warfare.
The increasing incidence of Advanced Persistent Threats (APT) makes it clear that organizations should move to a locked-down environment to ensure their users can't install rogue software on the network (whether deliberately or by mistake). A widely held opinion among IT professionals is that controlling rights on personal computers and servers is a crucial part of any security solution. Adhering to the principle of least privilege is in the best interest of all organizations, whether in the commercial sector, healthcare, government agencies, etc.
Industry-Accepted Best Practices
Many years ago, progressive thinkers in security put forward whitelisting technology as the ideal enhancement and complement to antivirus blacklisting, a way to counter the fast-moving, polymorphic malware that was then starting to bombard signature-based blocking mechanisms. The constant stream of zero-day attacks and malware variants has made it necessary to deploy many layers of protection to combat infiltrations effectively. In today's highly exposed online corporate environments, careful control of applications and user-privilege levels is the very foundation of IT security. Most IT professionals agree that controlling which applications are allowed to run in your environment (according to their Forensic Reputation) and reinforcing that protective layer by granting standard user rights only are the best practices for reducing security risks.
There is great danger in allowing administrative rights within a whitelisting model: users who retain administrative rights may attempt to bypass or uninstall application control agents, and attackers may target the whitelisting mechanism itself to get malicious code recognized as legitimate.
A recent Gartner report indicates that application control provides operational and security benefits, including reducing the number of images to support, improving automation, reducing the number of help desk calls, detecting advanced targeted attacks by monitoring for unauthorized change, gathering detailed forensic information in the event of a breach, and more. "Ideally, enterprises would apply both application control and remove administrative rights, but only a few vendors support application control and privilege elevation," according to Gartner ("How to Successfully Deploy Application Control," Neil MacDonald, January 2013).
The ideal solution is to remove administrative rights from end users and set up a risk-based application control framework that does not necessarily block all unknown applications but instead establishes a default behavior for applications not yet classified by your organization. These are applications that are not yet on the whitelist or blacklist; they are allowed to run on the computer, but in a restricted "greylist mode" with limited privileges and restricted access to resources. Through automation and forensic analysis, greylisted applications are processed via reputation ranking and are either whitelisted or blocked. If the application is whitelisted, it continues to run in standard user mode only.
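As an added illustration of the whitelist/blacklist/greylist decision just described (this is not code from the article or from any vendor product), a toy Python policy evaluator: applications are keyed by SHA-256 of their bytes, unknown applications run under a restricted greylist profile, and a hypothetical reputation score later promotes them to the whitelist or blocks them. The privilege profiles, thresholds and sample binaries are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Illustrative privilege profiles a launched process receives (assumed shape).
# Note that no profile ever grants administrative rights.
STANDARD_USER = {"admin": False, "network": True, "writable": ["%USERPROFILE%"]}
GREYLIST_RESTRICTED = {"admin": False, "network": False, "writable": ["%TEMP%\\greylist"]}


@dataclass
class Decision:
    verdict: str        # "allow", "block" or "greylist"
    privileges: dict    # profile the process is launched under (empty if blocked)


@dataclass
class AppControlPolicy:
    whitelist: set = field(default_factory=set)   # SHA-256 hex digests
    blacklist: set = field(default_factory=set)
    promote_at: float = 0.8    # reputation score at or above which we whitelist
    block_below: float = 0.3   # reputation score at or below which we block

    @staticmethod
    def fingerprint(file_bytes: bytes) -> str:
        return hashlib.sha256(file_bytes).hexdigest()

    def classify(self, file_bytes: bytes) -> Decision:
        """Launch-time decision: known-bad is blocked, known-good runs as a
        standard user, anything unclassified runs restricted (greylist)."""
        h = self.fingerprint(file_bytes)
        if h in self.blacklist:
            return Decision("block", {})
        if h in self.whitelist:
            return Decision("allow", STANDARD_USER)
        return Decision("greylist", GREYLIST_RESTRICTED)

    def rank(self, file_bytes: bytes, reputation: Optional[float]) -> str:
        """Process a greylisted app via a (hypothetical) reputation score:
        promote to the whitelist, add to the blacklist, or keep restricted."""
        h = self.fingerprint(file_bytes)
        if reputation is None:              # no evidence yet: stay restricted
            return "greylist"
        if reputation >= self.promote_at:
            self.whitelist.add(h)
            return "allow"
        if reputation <= self.block_below:
            self.blacklist.add(h)
            return "block"
        return "greylist"                   # inconclusive: stay restricted
```

Whitelisted applications still launch under `STANDARD_USER`, so promotion never hands out administrative rights.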
This combination adds a fortified level of application security currently unheard of in the typical whitelisting strategies seen today. Taking a layered approach to security is critical; current events show this is a problem that isn't going away. This trend will continue to dominate the security landscape, with increasingly elegant solutions emerging to create customized and meaningful privilege management regimes.