Summary
Application control allows organisations to restrict which software can run on their systems. It includes application allowlisting, a previous control in this list, which permits only specified programs to run. Application control can also limit the types of files that can be downloaded, opened, or run.
Application control has evolved over time and is now a feature of most modern endpoint security software, which reduces the need to configure policies and rules by hand. Endpoint security software should receive regular updates from the vendor so that it can detect and block the latest malware behaviours.
Organisations can use endpoint protection alongside application control to prevent malware incidents caused by “drive-by downloads” – the unintentional downloading of files from websites or malicious email attachments. Organisations can also use application configurations and policies to restrict the downloading of the file types and extensions commonly used in these attacks.
Purpose
Devices used in the organisation are protected with software that prevents malicious software from running and allows only the programs that are expected to run.
Measuring success
Successful application control has straightforward and measurable criteria. Any differences between organisations for this control will be in the configurations set and the operational processes followed.
Use the following criteria to measure your success in this control.
- Your organisation enforces access controls that allow the correct policies to be applied to the correct group of end users.
- Your organisation has software installed on all devices that enforces application control policies.
- These policies are automatically managed using learned behaviour and other algorithms. Manual policies and rules can also be created and enforced by administrators.
- Your organisation enforces the principle of least privilege which limits an end-user’s ability to bypass the policies.
- Your organisation monitors known policy-bypass techniques and includes them in your vulnerability management process.
- Your standard build-hardening process includes deploying endpoint security software, with the relevant policies and rules, to any new devices accessing organisational data. This includes workstations, servers, laptops, mobile devices, and any other device that accesses organisational data, including BYOD devices.
- Your policy and configuration block the execution of unknown or untrusted files. You should also block high-risk file types from being downloaded from the internet and opened or executed.
- When someone attempts to open or execute an unknown, untrusted or high-risk file, what occurred is logged and the logs are stored in a central location. These logs are configured to trigger alerts that feed into operational processes such as incident or change management. An emergency change management process is followed when a critical program is blocked.
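The alerting step described in the last two criteria is easier to reason about with a concrete triage routine. The following Python is an added example, not CERT NZ's code or part of the original page: it runs over a handful of constructed block, heartbeat and "agent disabled" events (the field names, the list of high-risk extensions, the download folder names, the hypothetical critical programs BackupAgent.exe and ERPClient.exe, and the 30-minute heartbeat timeout are all assumptions for the example) and sorts what it finds into three outcomes: a high-risk download blocked (incident process), a critical program blocked (emergency change process), and an endpoint whose agent has been disabled or has simply gone quiet.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File types treated as high risk when they arrive from the internet or email
# (assumed list for the example; tune it to your own policy).
HIGH_RISK_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                        ".scr", ".ps1", ".bat", ".cmd", ".lnk", ".iso"}
# Folder names that indicate a downloaded or emailed file (assumed).
DOWNLOAD_FOLDERS = {"downloads", "temp", "inetcache", "outlook"}
# Hypothetical line-of-business programs; blocking one triggers an emergency change.
CRITICAL_PROGRAMS = {"backupagent.exe", "erpclient.exe"}
# An endpoint that has not reported for this long is treated as possibly disabled.
HEARTBEAT_TIMEOUT = timedelta(minutes=30)

# Constructed events for the example. The field names are assumptions, not a
# vendor's schema; real tooling would normalise its own log format into this shape.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-0142", "user": "jsmith",
     "action": "blocked", "path": r"C:\Users\jsmith\Downloads\invoice.pdf.js"},
    {"ts": "2024-05-01T09:02:00", "host": "WS-0142", "user": "jsmith",
     "action": "heartbeat", "path": ""},
    {"ts": "2024-05-01T09:05:00", "host": "SRV-07", "user": "SYSTEM",
     "action": "blocked", "path": r"C:\Program Files\Vendor\BackupAgent.exe"},
    {"ts": "2024-05-01T09:06:00", "host": "SRV-07", "user": "SYSTEM",
     "action": "heartbeat", "path": ""},
    {"ts": "2024-05-01T09:10:00", "host": "WS-0201", "user": "aroberts",
     "action": "agent_disabled", "path": ""},
    {"ts": "2024-05-01T07:30:00", "host": "WS-0305", "user": "",
     "action": "heartbeat", "path": ""},
    {"ts": "2024-05-01T09:20:00", "host": "WS-0142", "user": "jsmith",
     "action": "blocked", "path": r"C:\Users\jsmith\Documents\report.docx"},
]


def classify_block(path):
    """Name the alert a blocked execution should raise, or None if it is routine."""
    p = PureWindowsPath(path)
    if p.name.lower() in CRITICAL_PROGRAMS:
        return "critical_program_blocked"
    # Use the final suffix so a double extension like invoice.pdf.js still
    # counts, and look only at the folders above the file, not the file name.
    in_download = any(part.lower() in DOWNLOAD_FOLDERS for part in p.parts[:-1])
    if in_download and p.suffix.lower() in HIGH_RISK_EXTENSIONS:
        return "high_risk_download_blocked"
    return None


def triage(events, now):
    """Turn raw events into (severity, rule, host, detail) alerts.

    severity: 'high' -> incident process, 'change' -> emergency change process,
    'critical' -> the control itself may be switched off on that endpoint.
    """
    alerts = []
    last_seen = {}  # host -> timestamp of its most recent event of any kind
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        last_seen[ev["host"]] = max(ts, last_seen.get(ev["host"], ts))
        if ev["action"] == "blocked":
            kind = classify_block(ev["path"])
            if kind == "critical_program_blocked":
                alerts.append(("change", kind, ev["host"], ev["path"]))
            elif kind == "high_risk_download_blocked":
                alerts.append(("high", kind, ev["host"], ev["path"]))
        elif ev["action"] == "agent_disabled":
            alerts.append(("critical", "agent_disabled", ev["host"], ev["user"]))
    # A host that has gone quiet is as suspicious as one that reported being disabled.
    for host, ts in last_seen.items():
        if now - ts > HEARTBEAT_TIMEOUT:
            alerts.append(("critical", "agent_silent", host, ts.isoformat()))
    return alerts


def run_sample():
    """Triage the constructed events as if reviewed at 09:30 on the same day."""
    return triage(SAMPLE_EVENTS, datetime(2024, 5, 1, 9, 30))


if __name__ == "__main__":
    for severity, rule, host, detail in run_sample():
        print(f"{severity:8} {rule:28} {host:8} {detail}")
```

Two design points carry over to real tooling: the blocked report.docx raises nothing, because a block on its own is routine and alerting on every one buries the analysts, and the "silent host" check treats any event from an endpoint as proof of life, so an agent that keeps blocking but stops heartbeating is not flagged by mistake.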
Application allowlisting: key takeaways
- Application control has evolved from manual configuration to a feature that, to some extent, is included in common endpoint protection software. You can save resources by letting the software decide which programs or actions should or should not be executed, and reserving manual rules for the exceptions.
- Use the application control features that come with the operating system if you can. These policies and configurations can usually be managed centrally, which reduces the cost of the control because no additional software needs to be purchased.
- Application control is one security control that should be paired with others in the CERT NZ critical control list for a “defence in depth” approach. Attackers can bypass even very strict rules by hiding their malicious code inside trusted and allowed applications or software packages, so application control is not effective on its own if the allowed applications are vulnerable and unpatched.
- When enforcing a policy with file- or folder-based rules, consider the access controls on the allowed locations. A user, or malware running as that user, with write and execute permissions on an allowed folder can place an untrusted file there and run it under the rule, so keep allowed folders non-writable where possible and add deny rules for those that must stay writable. Whatever the rule type, make sure you receive alerts when something is blocked, either through the tool or through centralised logging.
- Ransomware attackers have been known to disable security tools to hide their activity, so it is crucial to raise an alarm if the tool is ever disabled on an endpoint.
- Users are often required to open or run files downloaded from the internet, and attackers exploit this to trick users into running malware. Consider using this control to restrict the downloading and opening or execution of high-risk file types from emails or websites, and alert on attempts to execute them.
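The folder-rule takeaway above is the one most often got wrong in practice, so here is an added example (not CERT NZ's code or part of the original page) that makes the gap visible. It models a path-based rule set in Python with assumed semantics (deny beats allow, anything no allow rule matches is blocked), a constructed list of folders a standard user can write to, and a hypothetical probe file name; the folder set reflects the well-known case of user-writable folders such as Tasks and Temp sitting under an otherwise trusted tree. The weak policy allows everything under C:\Windows; the hardened one keeps that allow but adds deny rules for the writable folders, and the check function reports which writable folders would let an arbitrary file run.

```python
from fnmatch import fnmatchcase

# Constructed: directories a standard (non-admin) user can write to on this
# example workstation. Tasks and Temp are the classic user-writable folders
# that sit inside an otherwise trusted tree.
USER_WRITABLE_DIRS = [
    r"C:\Users\jsmith\Downloads",
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
]

# Constructed rule sets. A rule is (effect, path_pattern). Semantics assumed
# for the example: deny beats allow, and a file no allow rule matches is blocked.
WEAK_RULES = [
    ("allow", r"C:\Windows\*"),
    ("allow", r"C:\Program Files\*"),
]
# Same allow rules, plus explicit denies for the writable folders under C:\Windows.
HARDENED_RULES = WEAK_RULES + [
    ("deny", r"C:\Windows\Tasks\*"),
    ("deny", r"C:\Windows\Temp\*"),
]


def _norm(path):
    # Windows paths are case-insensitive; compare everything in one case.
    return path.replace("/", "\\").lower()


def _matches(pattern, path):
    # fnmatch's '*' also spans backslashes, so "C:\Windows\*" covers subfolders.
    return fnmatchcase(_norm(path), _norm(pattern))


def decide(rules, path):
    """Return 'allow' or 'deny' for a file path under a rule set."""
    if any(effect == "deny" and _matches(pat, path) for effect, pat in rules):
        return "deny"
    if any(effect == "allow" and _matches(pat, path) for effect, pat in rules):
        return "allow"
    return "deny"  # default deny: nothing matched


def writable_allowed_dirs(rules, writable_dirs=USER_WRITABLE_DIRS):
    """Writable directories from which an arbitrary file would be allowed to run.

    Each one is a gap: a user, or malware running as that user, can drop a file
    there and execute it under the path rule. The probe file name is hypothetical.
    """
    return [d for d in writable_dirs if decide(rules, d + r"\probe.exe") == "allow"]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "gaps:", writable_allowed_dirs(rules))
        print("  Tasks\\evil.exe ->", decide(rules, r"C:\Windows\Tasks\evil.exe"))
        print("  System32\\notepad.exe ->", decide(rules, r"C:\Windows\System32\notepad.exe"))
```

Deny rules for known-writable folders are a stopgap that has to be maintained as new writable locations turn up, which is why monitoring bypass techniques belongs in vulnerability management. Rules keyed on a publisher signature or file hash do not depend on where the file sits and close this class of gap outright; on a real system, replace the constructed USER_WRITABLE_DIRS with the folders an actual permission scan finds writable by standard users.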
Advice for implementation