Application Whitelisting: A Proactive Control against Malware Threats
Author: TM Ching and Yalcin Adal
Malware threats have been on the rise for the last few years, disrupting businesses with ransomware, crypto-malware and spyware. Despite the use of anti-malware controls by organisations and individuals, malware continues to be a threat. The high-profile outbreaks of NotPetya and the Mirai malware have demonstrated that adversaries now use innovative bypass techniques to avoid detection by anti-malware controls, resulting in the successful breach of hundreds of thousands of systems all over the world.
With the adoption of next-generation technology, miners are now prime targets for cyber attacks - a business risk that can seriously damage the bottom line.
The inherent weakness of anti-malware controls is that they can only protect against what they already know, because they rely on signature detection. This method worked well in the past, when attack techniques were well understood and appropriate signatures could be developed to detect them. However, as attack techniques have become more sophisticated, signature-detection technologies are beginning to fail.
Adversaries now develop malware by testing the code against anti-malware controls before releasing it into the wild. The more sophisticated adversaries are also developing new exploit techniques that act on undocumented features of hardware and operating systems of which anti-malware vendors are not aware, increasing the likelihood that a malware attack succeeds.
Even with the emergence of Endpoint Protection Platforms (EPPs), which use machine learning to detect unusual or malicious behaviour, there remains a likelihood that an attack technique is so unique that it falls entirely outside known process behaviour, or that it manipulates the machine learning model to avoid detection. At this point, one of the most effective security controls against such covert attacks is application whitelisting.
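To make the argument concrete, the following is an added example (not code from the article or its authors) that models the two approaches side by side: a signature denylist that blocks only hashes already known to be malicious, and a hash-based application allowlist that permits only approved binaries. The sample "executables" are constructed byte strings standing in for real files; the names and helper functions are assumptions for illustration.

```python
import hashlib

# Constructed sample binaries; in practice these would be file contents on disk.
TRUSTED_EDITOR = b"MZ\x90\x00 trusted-editor-v1"
KNOWN_WORM = b"MZ\x90\x00 known-worm-sample"
# A variant of the known worm altered by one byte: what an adversary produces
# after testing against anti-malware controls, as the article describes.
REPACKED_WORM = KNOWN_WORM + b"\x00"
NOVEL_MALWARE = b"MZ\x90\x00 never-seen-before-sample"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature-based anti-malware: a denylist built from malware already analysed.
SIGNATURES = {sha256(KNOWN_WORM)}

# Application whitelisting: an allowlist of binaries an administrator approved.
ALLOWLIST = {sha256(TRUSTED_EDITOR)}


def antimalware_allows(data: bytes) -> bool:
    """Default-allow: block only binaries matching a known signature."""
    return sha256(data) not in SIGNATURES


def whitelist_allows(data: bytes) -> bool:
    """Default-deny: run only binaries on the approved list."""
    return sha256(data) in ALLOWLIST


def compare(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return (anti-malware decision, whitelisting decision) per sample."""
    return {name: (antimalware_allows(d), whitelist_allows(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({"editor": TRUSTED_EDITOR, "worm": KNOWN_WORM,
                       "repacked": REPACKED_WORM, "novel": NOVEL_MALWARE})
    for name, (av, wl) in results.items():
        print(f"{name:9s} anti-malware={'run' if av else 'block'} "
              f"whitelist={'run' if wl else 'block'}")
```

The repacked and novel samples pass the signature check because their hashes were never catalogued, while the allowlist blocks everything that was not explicitly approved; the trade-off is that every legitimate update must be re-approved before it can run.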