Good software can be as dangerous as bad, say ThreatLocker
VP of Operations explains that software organisations may not even know is running on remote devices can be used by attackers as a route to data exfiltration.
Rob Allen, VP of Operations, ThreatLocker challenged the audience at the Computing CyberSecurity Festival to think about some of the software they were running such as Microsoft PowerShell in terms of whether that software needed to access data such as Office documents, or indeed whether it needed to be able to talk to the internet as a whole.
It all forms part of the least privilege, Zero Trust approach to cybersecurity, which is the approach taken by solutions such as ThreatLocker.
Allen explained to the audience that older solutions based on the detection of software and then deciding if that software was good or bad are failing to keep up with new attack types. According to Allen, every 11 seconds a business is attacked by ransomware. Furthermore, the threat is no longer encryption of data. Around 80% of attacks now involve a threat to leak exfiltrated data.
Whilst business may well be backed up and able to restore data, if even some of that data is leaked onto the internet it can do terrible reputational damage. Allen cited examples such as the cyberattack on the Heath Service Executive of Ireland where around 100,000 people still have to be contacted because their data was leaked.
"Even if you pay, you're dealing with criminals. How do you know they'll restore your data? You don't. Double dipping means that they'll come back in a few months or a years' time, telling you that the data they told you at the time they had destroyed wasn't , and demand more money," said Allen.
Zero Trust Principles
"You have to remember that malware is just software," said Allen. "Heuristics, threat hunters, next-gen AV tools, fundamentally what they are is detection tools based on identification and making decisions on what is good and bad."
It is clear from the level of ransomware that we're all being subjected to that this isn't working.
The only solution that will work says Allen, is "to only grant access where access is required."
The principle of least privilege and definition of Zero trust cited by Allen is one borrowed from the Biden administration in the US in response to the Colonial Pipeline attack last year.
Assume a breach is inevitable or has already likely occurred."
Allen introduced the idea of a defensive triangle, with education of users on one side, detection on another and control on another. It is clear that both the detection and human sides of this equation are fallible. ThreatLocker aims to supplement the third side of the triangle which is control.
Some controls already exist in most organisations such as firewalls and two-factor authentication.
Allow listing is another, long standing example of a control, but Allen framed the problem that good software can be as dangerous as the malicious type.
"How many remote access tools are running in your organisation?" he asked the audience. "Some you won't know. There will be some that you don't know are there. A recent customer had six different remote access tools. They also had TeamViewer running on almost twenty per cent of their machines and they don't even use Team Viewer as a company. Detection tools won't stop any of those but can they be used against you? Absolutely."
ThreatLocker can be deployed in learning mode which identifies these unnecessary applications. This is the beginning of the process whereby you can prevent certain tools such as PowerShell from accessing the data attached to other applications such as Office.
"Ultimately it's why ransomware works," said Allen. " Once you have access to data, everything you run has access to that data."
Blocking these interactions is part of the zero-trust strategy. Another aspect is the removal of local administration rights as standard, and the selective restoration of rights when necessary for certain applications. Storage control is a third aspect. Control which programs can access your data.
"Block all programs from accessing data then selectively allow the applications which need to access data such as Office, Acrobat and Teams. If SQL .exe needs to access your SQL databases, let it - but block everything else."
Network access controls are the fourth aspect. Controlling centrally what can access machines is crucial.
"Don't depend on Windows Firewall because it depends on users making decisions about what is trusted and what isn't. Control it centrally and dynamically." said Allen.