Threatlocker Enables the Essential Eight

Our application whitelisting and ringfencing technology has been growing by leaps and bounds lately, and we have been seeing adoption of this approach to security in Australia as well.  We thought it was worth the effort to do a quick breakdown on how ThreatLocker can enable this critical strategy for Australian Businesses.  

The Essential Eight While is a set of noted solution that are recommended recommended by the Australian government as a baseline for a better security posture for organizations. The Essential Eight, sets in place the bedrock for a future state of security and in truth makes it much harder for adversaries to compromise systems with simple security fixes. Using the Essential Eight proactively is a cost-effective approach to cyber security in terms of time, money and effort.  By leveraging these suggested solutions organizations enable micro segmentation which allows them to better respond to a cyber security incident. The Australian government has a suggested implementation order for each technology to assist organisations in building a strong cyber security posture for their systems. 

The suggested implementation order for each solution is aimed at assisting organisations in quickly setting a strong cyber security posture. After an organisation has implemented the desired mitigation technology at an initial level, they should focus on continuing to increase the maturity of their implementation so that they reach full alignment with the overall strategy.

The Essential Eight suggests these approaches to security with these technologies as the first solutions that should be chosen.

Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.

Why: All non-approved applications (including malicious code) are prevented from executing.

Restrict administrative privileges (AKA Ringfencing) to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.

Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.

Additionally, based on the Australian governments breakdown of the maturity model of the first solution that should be chosen, application whitelisting, there is a progression of this technology to the infrastructure.  Below is a breakdown of that three step model.

Application whitelisting Maturity Model

An application whitelisting solution is implemented on all workstations to restrict the execution of executables to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables to an approved set.

An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set.

An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set.

Microsoft's latest recommended block rules are implemented to prevent application whitelisting bypasses.

https://www.cyber.gov.au/node/100

Threatlocker’s technology can immediately enable these steps.  Within hours our system can be deployed and enabled to enable your organization to move from the level 1 maturity to the end state, or level 3.  The Essential Eight is a solid approach to security for Australian organizations to subscribe to. Our solution makes this strategy achievable and honestly, easy to employ.


How Application Whitelisting and Ringfencing protects you from BlueKeep RDP vulnerability

AdobeStock_281055329.jpeg

The latest “oops” moment for Microsoft is the discovery that an attacker can infect a connecting machine with malware from a Remote Desktop Session. Every few months a new vulnerability is discovered in Windows. Generally, by the time the vulnerability is public knowledge, Microsoft has released a security patch in Windows Update.

We have to assume that new exploits are going to continue to appear. And while patching these exploits is extremely important, sometimes our patch management speed or the release of these patches is not going to happen fast enough.  
 

How can we protect ourselves from these vulnerabilities before Microsoft patches them?
 
Security should be more than a single layer. We must assume our security is going to fail at some layers, and that is why having multiple levels of security defenses is essential. 
 
Before I get into how Application Whitelisting and Ringfencing would help stop this exploit from infecting your computer, we should discuss how BlueKeep RDP vulnerability infects computers. 
 

When connecting to a server infected with malware, with clipboard sharing enabled using a Remote Desktop Session, the infected host can transmit malware onto your computer. As soon as you perform a copy or paste function, the exploit will allow malware to transmit at the same time. It does not appear that the exploit executes the malware on the connecting computer.  The malware, however, is often saved into a startup folder, so it will run when you restart your computer. 
 
This vulnerability is worse for I.T. professionals and managed service providers who often connect to remote hosts regularly, in some cases to help with malware remediation. 
 
You should not underestimate the importance of patching your computer to remove this vulnerability. However, it is also essential to make sure you have other layers to protect you from threats like this. 
 
Application Whitelisting is a concept that is common practice in the federal government and other large enterprises as a method of stopping malicious software, including both known and unknown malware. Recently there is a significant uptake in smaller to medium-size businesses and Managed I.T. Services providers using Application Whitelisting to protect their endpoints.  This recent uptake is in part because of the systematic failures of antivirus software, combined with ThreatLocker's unique approach to application whitelisting, making it easier to deploy and manage.


Application Whitelisting is an extremely useful tool at stopping malware from executing on your endpoints that was transmitted using the KeepBlue vulnerability.  Even though whitelisting itself does not stop the vulnerability from transmitting, it does stop it from executing. 
 
Ringfencing and Data Storage Control goes one step further. Data storage control allows you to stop write access to protected areas of the system, such as the startup folders. While Ringfencing builds fences around applications to define how they can integrate with other software, files, network, or registry resources. 
 
If you would like to see how ThreatLocker® is an excellent addition to your security stack, book a free web demonstration. 

 

 

 

 

Anti-Vaxxing and Cyber Security

I read almost everything the CDC publishes and I am a fanatic for the NIH publications on disease and medical innovations.  I personally just think it’s amazing the things that such brilliant people can dedicate research and ultimately find either a cure or a way to treat the condition. 

I have been personally following the Anti-Vaxxing movement for a few years now.  It has been interesting to see the early impetus for the proliferation of Anti-Vaxxing starting with the Lancet article in the late 1990’s.  That article didn’t really hit like it’s publisher had hoped within the medical community, and the professional responsible for publishing it was ultimately disbarred from practice, and the entire article was rescinded as “utterly false” by it’s editors.  Fast forward a few years from then and a prominent former Playboy model gains media attention with her “facts” around how vaccines cause Autism and watch as she does the global media dance while referencing that same article and the firestorm of message proliferation spreads.  Just because of that one person who happened to have a spotlight nearly a century of studies and factual data countering her assertions were collectively accepted as at least worthy of consideration, and in thousands of new cases parents fought vaccination for their children. One more jump forward in time and those thousands of un-vaccinated children are now of school age and are being noted as starting points for measles outbreaks in areas where the anti-vaccination movement was strongest.  Polio and whooping cough, diseases that had been essentially eradicated from the planet have now returned to existence. 

How does this apply to cyber security you might ask?

Organizations across the globe are engaged in a fight against the proliferation of “disease”, AKA cyber failures.  The reality of the threat space is that the spread of these “diseases” requires the digital anti-bodies out there to essentially enable “infection” for the “disease” to not just survive but thrive. 

The industry knows that if you choose to ignore the facts around the failure of those bad practices means that your organization will become “infected” at some point.  Added to that it’s one thing to knowingly choose to ignore the data that says you will fail if you ignore those items, but it’s entirely another to “infect” others in the network or via third party connections, it’s willingly propagating failure and knowingly make other businesses “sick”.

Just as with anti-vaxxing the “diseases” in cyber security don't care if you believe or don't believe that you can or will be infected.  If you don't have a realistic security plan in place that includes simple, but very effective fixes for the problems (like simply shutting off every application that isn't in use on an endpoint) then you will ultimately get sick.  In our opinion and we think it makes sense. Don’t avoid using the medicine that both science and history say will work because of a herd mentality or hype. Use a simple effective solution and fix the problem at its core and get back to business.


A Simple Remedy for the Ransomware Epidemic.

Most people think ransomware is some new attack that has only recently come to the forefront of the cyber defense space.  Not so. In truth, ransomware dates back to an original piece of malicious code, known as AIDS, written in 1989 by Joseph Popp. That’s right, 1989.  30 years ago. This original ransomware would replace AUTOEXEC.BAT on infected systems, and would allow for 90 reboots of the system before it hid all of the directories and claimed to encrypt the files. So, in reality we have been collectively operating in a world with ransomware in effect for over 3 decades, wow.

Today’s ransomware is usually malicious software that either copies your data, or encrypts your data, or possibly even changes key system passwords, this software essentially holds the infected systems ransom until a payment is made.  Once the ransomware has been executed on your system. The attacker will either encrypt or lock you out of your system. Or copy your data. 

Most people think this attack will only target valuable data, but the attack can be much more malicious in nature.  Thanks to the power that the attackers can wield in unprotected systems they could leverage embarrassing data as part of an extortion agenda. The attacker can use your web history, recording your camera, or customer data such as healthcare information against you as part of this extortion operation.

Ultimately, the attacker will make a demand. Pay a large amount of money if you want the decryption keys to your data, otherwise they will destroy or permanently encrypt your data; rendering it unusable.  Or if you don’t pay they may threaten to post your customer data on a social media site such as Twitter or Facebook. All of which can be very, very bad.

Ransomware can technically execute in a variety of methods. Some of the common methods include:

  1. Email attachment that could contain an embedded piece of malware.

  2. A file downloaded from the internet.

  3. A malicious actor logging into your server using weak password and executing some kind of software.installing,

  4. Breaking into your I.T. management tools. 

  5. A vulnerability on a system, that allows malware to run.  Basically, via bad patch management.

  6. Code hidden inside of aAn executable document that runs existing software on your computer to encrypt or copy your data.

The main problem that we have collectively accepted is the reality when it comes to combating ransomware is that normal Anti-Virus solutions are “built” to stop this threat.  This is wrong. Anti-Virus tries to stop ransomware by blocking its execution based on known ransomware or tracking previous patterns and leveraging those signatures to stop the threat upon its execution. That works fine for “normal” or “known” samples of ransomware but in many cases, as has been shown by all the ransomware exploits in the news, the specifics of the ransomware aren’t ever known.  Or in the other cases that were mentioned above there is no way for Anti-Virus to stop the malicious software because the software itself is being executed by an authenticated user, so the system doesn’t pick up on the attack.

ThreatLocker approaches stopping the problem that ransomware presents in an entirely different, and more elegant manner. First ThreatLocker blocks everything that is not trusted by your I.T department, period.  Everything that is not authorized specifically by your IT team is not allowed to execute. This stops all ransomware that does not use tools that are built directly into your operating system.

The second method ThreatLocker uses to stop ransomware is Ringfencing. This approach is where ThreatLocker controls access to databases and resources based on an application approved access, but again ThreatLocker does not allow default operations or accesses to connect or execute on any asset unless specifically authorized by the IT department.  Our approach stops an application from spawning in the first place, so malicious software cannot execute and therefore never has the chance to cause a ransomware event. Added to that, ThreatLocker stops applications from accessing critical assets or infrastructure accessing the internet, unless they are specifically authorized by the IT department or determined to be a required function of a built-in application. .

Anti-Virus companies want to sell you a great big bag of fail when it comes to ransomware.  Can Anti-Virus help stop malware from running? But no matter what the Anti-Virus approach is contingent upon there being some previously known or observed piece of code from a prior event.  That’s like only being able to stop an infection if the human body had seen every possible iteration of every infectious agent across all of history, sooner or later the immune system would miss one and that’s all it takes.  Why not simply eliminate the threat from ever causing the infection in the first place? If only approved safe software can execute, and only approved and safe connections can take place, there is no possibility of an exploitation.  Problem solved.

ThreatLocker, a simple solution to the ransomware epidemic.

Have a look at a recent interview ThreatLocker did related to this problem.

https://amp.clickorlando.com/news/schemes-and-ripoffs/florida-cities-targeted-by-international-cyber-hackers?utm_medium=social&utm_source=email&utm_campaign=amp_socialshare


Control Access - Don't Block Storage Devices

In the real world, I.T. professions need to make exceptions to rules. They need adjustable parameters, and they need the ability to audit the results of these policies. Businesses need to take a more pragmatic approach to security. They need to permit only what is required and trust nothing else. But that does not mean making it difficult to permit what is required.

Endpoint Security Needs to Change

Today I walked the exhibit hall at the RSA conference and spoke to numerous endpoint security vendors to ask them how they were dealing with new or unknown malware. While the specific answer varied depending on the vendor, all of the answers revolved around a similar strategy. According to the vendors at the booth’s the use of next generation endpoint security products were somehow now better at detecting malware.  This was now magically possible because of technologies such as artificial intelligence, machine learning, or the latest algorithm.

Less Hackable - For Small Business Owners

After nearly 20 years working in cybersecurity, I am still asked the age-old question by business owners: "How can I make myself unhackable?" Seldom do they understand when I try to explain that there is no such thing as unhackable.

The purpose of this guide is to help business owners better understand cyber risks and how those risks can be reduced to an acceptable level. Securing your cyber environment is much like securing your house. It is impossible to make your house 100% secure, but you can take steps to reduce the risk of an intrusion. Most people take steps such as installing an alarm, high-grade locks, and a camera system. The rest of the risk is transferred to the insurance company.

ThreatLocker C.E.O - Danny Jenkins weighs in on Fortnite Battle Royale Breach for News 6

As computer games evolve, gaming businesses are no longer just focusing on better graphics. Game manufacturers are turning to the internet for better collaboration, game rooms, multi-person battles, and even a marketplace to buy and sell items in a virtual world.

https://www.clickorlando.com/news/investigators/fortnite-battle-royale-gamers-at-risk-after-data-breach

Are Macs more secure than Windows?

In the last 12 months, we have seen a growing number of people citing that Apple computers are more secure than Windows computers. We have also seen an increasing number of Macintosh computers with viruses.

We often hear that Macintosh computers are secure and cannot be hacked. The reasons vary from the fact that they build on a Unix base, that they are a different beast, or that Apple blocked unsigned software.

While none of these comments are wrong, they are also not right. It is true that generally speaking, people who use Macintosh computers get fewer viruses than those running Windows. There are many reasons for this, and one valid reason is that there are fewer Apple computers. Therefore, it is more difficult for viruses to spread.

Computer viruses generally stay within their own operating system. It is not common for viruses to be designed to run on multiple operating systems. This makes Mac computers less likely to be infected with a virus, as there are fewer hosts to transmit the virus. That said, the population of Macintosh computers is growing at a steady rate. As the number of people using Macintosh computers increases, so does the likelihood of contracting a virus.

Another point that is often made is that Macintosh computers will not let you run a file that is not digitally signed by a developer who is approved by Apple. While this has some truth, it is no different to Windows blocking the execution of downloaded files using the smart screen. If a user wishes to open the file, they still can just right-click (or two-finger-click) on the file, and then click "run." Anybody who uses a Mac regularly is very familiar with this and does it to install legitimate software all the time. This process is no more efficient than any other annoying error that users inevitably click "yes" to.

Macintosh users are often told that they do not need antivirus software, and not to worry about security on their Mac. However, users should install antivirus software, remain cautious about what software they install, and take all of the same security precautions as Windows users.

Mac computers are less likely to get a virus, but less likely does not mean "will not." Macintosh viruses are certainly not any less aggressive or damaging than Windows viruses. It is also worth remembering that viruses are not the only threat to consider. Quite often, hackers use legitimate RSAT tools to gain access to your data.
While the industry focuses on protecting Windows users, Mac users idly sit by as hackers eye up their computers, data, and financial records.