Rob Allen, VP of Operations at ThreatLocker, challenged the Computing CyberSecurity Festival audience to think about some of the software they use, such as Microsoft PowerShell, and to ask whether that software really needs to access data such as Office documents, or even whether it needs to be able to talk to the Internet at all.
This is all part of the least-privilege, zero-trust approach to cybersecurity, which is the approach taken by solutions such as ThreatLocker.
Allen explained to the audience that older solutions, which work by detecting software and then deciding whether it is good or bad, have failed to keep up with newer types of attack. According to Allen, a business is attacked by ransomware every 11 seconds, and the threat is no longer just data encryption: around 80% of attacks now involve the threat of leaking exfiltrated data.
While businesses may well be backed up and able to restore their data, if even some of that data leaks onto the internet it can cause terrible reputational damage. Allen cited examples such as the cyberattack on the Health Service Executive of Ireland, where around 100,000 people have yet to be contacted because their data has been leaked.
“Even if you pay, you are dealing with criminals. How do you know they will restore your data? Or that the data they told you at the time they had destroyed was actually destroyed, and they are not going to come back asking for more money?” Allen said.
Zero Trust Principles
“You have to remember that malware is just software,” Allen said. “Heuristics, threat hunters, next-gen AV tools, what they are fundamentally are detection tools based on identifying and making decisions about what is good and what is bad.”
It’s clear from the level of ransomware we’re all subjected to that this approach doesn’t work.
The only solution that will work, Allen says, is “to grant access only where access is required.”
The principle of least privilege and the definition of zero trust cited by Allen are those borrowed from the Biden administration in the United States in response to the attack on the Colonial Pipeline last year.
“Let’s assume a breach is unavoidable or has probably already happened.”
Allen introduced the idea of a defensive triangle, with user education on one side, detection on the second, and control on the third. The detection and human sides of this equation are clearly fallible. ThreatLocker aims to complete the third side of the triangle, which is control.
Some controls already exist in most organizations, such as firewalls and two-factor authentication.
Allow listing is another example of a long-standing control, but Allen raised the issue that legitimate software can be as dangerous as the malicious kind.
“How many remote access tools are running in your organization?” he asked the audience. “Some you won’t know. There will be some you don’t know are there. A recent customer had six different remote access tools. They also had TeamViewer running on almost twenty percent of their machines and they don’t even use TeamViewer as a company. Detection tools won’t stop any of these, but can they be used against you? Absolutely.”
ThreatLocker can be deployed in a learning mode that inventories the applications actually in use and surfaces unnecessary ones such as these. This is the start of the process by which you can prevent certain tools, such as PowerShell, from accessing the data belonging to other applications, such as Office.
“At the end of the day, that’s why ransomware works,” Allen said. “Once you have access to data, everything you run has access to that data.”
Blocking these interactions is one part of the zero trust strategy. Another is removing local administrator rights as standard and selectively restoring them when a particular application needs them. Storage control is a third: control which programs can access your data.
“Block all programs from accessing data, then selectively allow the applications that need to access data, such as Office, Acrobat, and Teams. If SQL.exe needs to access your SQL databases, leave that, but block everything else.”
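The default-deny storage control Allen describes is simple to express as a policy: define the data locations you care about, deny every application access to them, then allow only the applications with a business need. The script below is an added illustration written for this article, not ThreatLocker's code or its policy format. It also sketches the learning-mode step described above by inventorying which applications touched protected data in a constructed batch of sample access events and reporting the ones no rule accounts for. The process names (including sqlservr.exe for SQL Server) and the protected paths are assumptions chosen for the example.

```python
"""Default-deny storage control with a learning-mode inventory.

Added example for this article, not ThreatLocker's own code or configuration.
All process names, paths and events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample of file-access events as a learning-mode agent might
# record them: (process image name, path being accessed).
SAMPLE_EVENTS = [
    ("winword.exe", r"C:\Users\alice\Documents\budget.docx"),
    ("acrobat.exe", r"C:\Users\alice\Documents\contract.pdf"),
    ("teams.exe", r"C:\Users\alice\Downloads\minutes.docx"),
    ("powershell.exe", r"C:\Users\alice\Documents\budget.docx"),
    ("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Pester.psm1"),
    ("sqlservr.exe", r"D:\SQLData\Sales.mdf"),   # assumed SQL Server image name
    ("teamviewer.exe", r"C:\Users\alice\Documents\budget.docx"),
    ("teamviewer.exe", r"C:\Users\alice\Documents\payroll.xlsx"),
]

# Locations treated as "data" for the purpose of storage control (assumption:
# user documents, downloads and the database volume). Anything outside these
# locations is not governed by the storage policy.
DATA_PATTERNS = (
    r"C:\Users\*\Documents\*",
    r"C:\Users\*\Downloads\*",
    r"D:\SQLData\*",
)


@dataclass(frozen=True)
class Rule:
    app: str          # process image name, matched case-insensitively
    paths: tuple      # glob patterns this application may access


# The allow list: Office, Acrobat and Teams reach user documents; the database
# engine reaches only the database volume. Everything else is denied by default.
POLICY = (
    Rule("winword.exe", (r"C:\Users\*\Documents\*", r"C:\Users\*\Downloads\*")),
    Rule("acrobat.exe", (r"C:\Users\*\Documents\*", r"C:\Users\*\Downloads\*")),
    Rule("teams.exe", (r"C:\Users\*\Documents\*", r"C:\Users\*\Downloads\*")),
    Rule("sqlservr.exe", (r"D:\SQLData\*",)),
)


def _matches(path, patterns):
    # Windows paths are case-insensitive, so compare lower-cased on both sides.
    return any(fnmatchcase(path.lower(), pat.lower()) for pat in patterns)


def is_protected(path):
    """True if the path lies inside a location governed by storage control."""
    return _matches(path, DATA_PATTERNS)


def decide(app, path, policy=POLICY):
    """Return 'allow' or 'deny' for one access. Protected data is deny-by-default."""
    if not is_protected(path):
        return "allow"
    for rule in policy:
        if rule.app == app.lower() and _matches(path, rule.paths):
            return "allow"
    return "deny"


def learning_mode(events):
    """Inventory which applications touched protected data, and how often."""
    return Counter(app.lower() for app, path in events if is_protected(path))


def unlisted_apps(events, policy=POLICY):
    """Applications seen touching data that no allow rule accounts for."""
    allowed = {rule.app for rule in policy}
    return sorted(set(learning_mode(events)) - allowed)


def enforce(events, policy=POLICY):
    """Apply the policy to a batch of events, returning (app, path, decision)."""
    return [(app, path, decide(app, path, policy)) for app, path in events]


if __name__ == "__main__":
    print("Learning mode inventory:", dict(learning_mode(SAMPLE_EVENTS)))
    print("Unlisted applications:", unlisted_apps(SAMPLE_EVENTS))
    for app, path, decision in enforce(SAMPLE_EVENTS):
        print(f"{decision:5}  {app:16} {path}")
```

Note that PowerShell is not blocked outright: reading its own module directory is still allowed, because that location is not "data". Only its attempt to open a document in the user's Documents folder is denied, which is exactly the interaction the talk singles out.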
Network access controls are the fourth aspect. Centrally controlling who can access machines is crucial.
“Don’t depend on Windows Firewall, because it depends on users making decisions about what is trusted and what isn’t. Control it centrally and dynamically,” Allen said.