Implementation of Application Whitelisting - Coursework Example

Summary
The paper "Implementation of Application Whitelisting" is a perfect example of information technology coursework. The Australian Signals Directorate (ASD) has 35 mitigation strategies that were published in 2010 and revised in 2014 based on ASD’s evaluation of cyber intrusions across the government of Australia (Australian Government Department of Defence Intelligence and Security 2014)…

Extract of sample "Implementation of Application Whitelisting"

Cyber Intelligence Assignment 2: Application Whitelisting

Introduction

The Australian Signals Directorate (ASD) has 35 mitigation strategies that were published in 2010 and revised in 2014 based on ASD’s evaluation of cyber intrusions across the government of Australia (Australian Government Department of Defence Intelligence and Security 2014). The first four mitigation strategies, also known as the “Top 4” strategies, are regarded as “the most effective security controls an organisation can implement at this point in time” based on ASD’s current evaluation of threats that relate to the cyber environment (Australian Government Department of Defence Intelligence and Security 2013, p. 3). This essay will focus on one of the Top 4 mitigation strategies. Specifically, the essay will address how tactical intelligence would be applied in addressing application whitelisting, which is the first of the Top 4 mitigation strategies.

What is application whitelisting?

Application whitelisting is a security strategy that is designed to safeguard against the execution of malicious or unauthorised code on a system (Australian Government Department of Defence 2016). Through this approach, application whitelisting aims to make sure that only authorised applications, for instance software libraries, programs, installers and scripts, are allowed to operate. This means that through application whitelisting, programs that have not been approved, such as installers, scripts and .DLL files, are not allowed to operate on the targeted systems (Australian Government Department of Defence Intelligence and Security 2014, p. 2). The fascinating thing about application whitelisting is that whereas the strategy is primarily intended to avert the execution and spread of malicious code, it can also be utilised to prevent the use or installation of unauthorised applications.
However, it is indicated that making application whitelisting functional throughout an organisation can be a daunting task (Australian Government Department of Defence 2016). For instance, there is a need to determine all potential sources of threats that can affect various departments of the organisation. This can be demanding, especially for large organisations with many departments and many potential sources of threats. This means that some level of tactical intelligence needs to be applied to ensure that application whitelisting becomes successful as a mitigation strategy.

Application of tactical intelligence in mitigating threats through application whitelisting

It has been argued that if implemented correctly, application whitelisting can be a very effective means of guaranteeing the security, stability and consistency of a computing environment (Australian Government Department of Defence Intelligence and Security 2013, p. 10). However, the concept of application whitelisting is oftentimes poorly implemented or misunderstood, a situation that may result in an environment appearing to be more secure than it really is. As well, it has been noted that many of the existing solutions to mitigate threats do not adequately address the problem that is caused by zero-day, sophisticated and targeted attacks such as memory exploits and advanced persistent threats (APTs) (Huffman 2010, p. 3). In order for such challenges to be addressed, there is a need to understand the computing environment of an organisation as well as the potential threats in that environment. From the point of view of cyber security, threat intelligence embodies the synthesis of information regarding possible threats with a concrete understanding of operations, network structure and activities.
Threat intelligence can be defined as evidence-related knowledge, including strategies, pointers, corollaries and advice that can be acted upon, about a present or emerging hazard or menace to property that can be used as a basis for making decisions in regard to the response of the subject to a hazard or menace (CERT-UK 2014, p. 2). So as to generate evidence-based knowledge that has value in regard to the defence of networks, information about indicators and mechanisms of various threats needs to be contextualised by comparing it with baseline information about network activity. The gathering of information about different threats represents the phenomenon of threat intelligence, which then notifies security analytics about the need to improve the probability of detecting the threats (CERT-UK 2014, p. 2).

At the tactical level of intelligence management, threat intelligence makes it possible for the person involved in protecting a given computing environment to monitor potential threats very closely and in real time by doing a number of things. First, the person exposes the methodology as well as the infrastructure that is employed in different types of attacks. Secondly, the person in charge of securing the computing environment identifies an emerging or existing hazard or menace. Thirdly, the person in charge also contrasts observed activity with tactics that are already known, or known “tactics, techniques and procedures” (CERT-UK 2014, p. 3). Fourthly, the concerned person highlights the ramifications of a “compromise and actionable advice” (CERT-UK 2014, p. 3). Last but not least, the concerned person makes a decision regarding defensive actions and mitigation strategies that need to be implemented to deal with current threats. On the basis of the accuracy and reliability of the information that is available about threats, effective threat intelligence also takes into account three time-based aspects: the past, the present, and the future.
This implies that threat intelligence identifies network vulnerabilities that may not have been previously identified by relying on details of historical threat incidents; it then prioritises present investigations based on current alerts or active threats; and lastly, it makes it possible to monitor infrastructure for, and prevent, repeat attacks (CERT-UK 2014, p. 3).

Implementation of application whitelisting

As noted above, application whitelisting makes it possible to prevent unwanted applications from running or installing themselves in a given computing environment or computer network. Therefore, once the potential threats have been identified through tactical intelligence, there is a need to ensure that the threats are not allowed into the targeted environment. As such, as noted by Australian Government Department of Defence (2016), the first step in putting an application whitelisting solution in place is identifying the applications or programs that need to be allowed to run on a given system. The second step is to come up with whitelisting rules to make sure that only those applications that are authorised to run on the said system are able to run. Thirdly, it is important to restrict users to using a given set of authorised applications that are needed to carry out specific duties. Fourthly, there is a need to maintain the use of application whitelisting solutions and related whitelisting rules by employing an appropriate change management programme (Australian Government Department of Defence 2016).
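
An added example, not part of the original essay or of the ASD guidance: steps one and two reduced to a hash-rule inventory plus directory path rules, where a path rule is refused when the directory is writable by other users. The function names, the sample files and the POSIX mode-bit test are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def is_user_writable(directory):
    # Assumption: POSIX mode bits. Group- or world-writable means other
    # users (and any code running as them) can place files in this directory.
    return bool(os.stat(directory).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def decide(path, hash_rules, path_rules):
    """Return (allowed, reason) for one execution request."""
    if sha256_of(path) in hash_rules:
        return True, "hash rule"
    directory = os.path.dirname(os.path.abspath(path))
    if directory in path_rules:
        if is_user_writable(directory):
            return False, "path rule rejected: directory is user-writable"
        return True, "path rule"
    return False, "no matching rule"

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path

def demo():
    """Build a constructed directory tree and evaluate four requests."""
    with tempfile.TemporaryDirectory() as root:
        locked = os.path.join(root, "programs")
        shared = os.path.join(root, "shared")
        for d, mode in ((locked, 0o755), (shared, 0o777)):
            os.mkdir(d)
            os.chmod(d, mode)
        approved = write(os.path.join(locked, "report_tool"), b"approved build 1.0")
        hash_rules = {sha256_of(approved)}   # steps 1-2: inventory becomes rules
        path_rules = {locked, shared}        # 'shared' is the misconfigured rule
        requests = {
            "approved": approved,
            "unlisted_in_locked": write(os.path.join(locked, "helper"), b"helper"),
            "dropped_in_shared": write(os.path.join(shared, "dropped"), b"unknown"),
            "outside_rules": write(os.path.join(root, "stray"), b"stray"),
        }
        return {n: decide(p, hash_rules, path_rules) for n, p in requests.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY '} {reason}")
```
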
The capacity of application whitelisting to offer a practical barrier for cyber intrusions that have low or moderate levels of sophistication depends on the type of product that is selected to implement application whitelisting, as well as its configuration settings, and the file permissions that control the directories that a user (and hence malware) can execute from and write to (Australian Government Department of Defence 2014). There are several application whitelisting tools that are available in the market. For instance, Bit9 is renowned for its whitelisting solution that authorises safe applications (Li & Clark 2015, p. 100). The agent software of Bit9 interrupts and obstructs any application that has not been approved in the whitelist (Li & Clark 2015, p. 100). Another example of a whitelisting tool is McAfee’s McAfee Application Control. This tool provides protection against APTs, provides local and global reputation of applications and files, and offers a whitelisting solution that automatically allows new software that is introduced through channels that are trusted (Intel Corporation 2016).

The central role of tactical intelligence in application whitelisting

There is no doubt that tactical intelligence plays a critical role in ensuring the success of application whitelisting. As noted above, tactical intelligence in the form of threat intelligence involves reviewing access violations as well as potential intrusions across databases, platforms, applications and network logs. Intelligence-driven application whitelisting measures can help ensure that unauthorised malware or files are blocked from executing on a given computer system or platform. For this to be successful, the intelligence must involve identifying all the potential threats as well as the appropriate application whitelisting tools that can be used to prevent or block such threats.
Since application whitelisting makes it possible for only particular processes to run on a given computer system, it can also be said to be part of tactical intelligence in mitigating threats. This is because, as noted by Krstevski (2014), deploying application whitelisting technology requires the use of various methods to update all system components and detect potential threats, which is part of tactical intelligence.

Conclusion

As part of ASD’s Top 4 mitigation strategies, application whitelisting is an important way of preventing threats to computer systems and the computing environment in an organisation in general. As has been discussed, application whitelisting works by allowing only those applications that have been authorised to operate on a given computer system while blocking unpermitted applications or programs. Tactical intelligence is required to ensure that potentially harmful applications or programs are identified so that they can be blocked or prevented from executing. Since application whitelisting involves the use of tools that update systems and detect harmful applications, it can be regarded as an important part of tactical intelligence.

References

Australian Government Department of Defence 2014, Strategies to mitigate targeted cyber intrusions – mitigation details, viewed 28 September 2016.

Australian Government Department of Defence 2016, Implementing application whitelisting, viewed 27 September 2016.

Australian Government Department of Defence Intelligence and Security 2013, ‘Top 4’ strategies to mitigate targeted cyber intrusions, viewed 26 September 2016.

Australian Government Department of Defence Intelligence and Security 2014, Strategies to mitigate targeted cyber intrusions, viewed 27 September 2016.

CERT-UK 2014, An introduction to threat intelligence, viewed 27 September 2016.

Huffman, B 2010, Improving endpoint security & control: an introduction to application whitelisting, viewed 28 September 2016.

Intel Corporation 2016, McAfee Application Control, viewed 28 September 2016.

Krstevski, V 2014, Mastering system centre configuration manager, viewed 28 September 2016.

Li, Q & Clark, G 2015, Security intelligence: a practitioner's guide to solving enterprise security challenges, John Wiley & Sons, Crosspoint Boulevard, Indianapolis, IN.