<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/antivirus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:03:15 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3461</guid>
		<description><![CDATA[Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake [...]]]></description>
			<content:encoded><![CDATA[<p>Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:</p>
<p><b>BREAKING NEWS</b>: <i>“Endpoint Security Earthquake Hits:  McAfee Actively Endorses Application Whitelisting. Magnitude &#038; Ramifications Are Significant.”</i></p>
<p>This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, <b>actively and unequivocally endorsed Application Whitelisting</b>.  Ironically, in hard coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too. </p>
<p>First, let’s cover the major quake:  McAfee’s active endorsement of application whitelisting—<i>for corporate desktops and laptops</i>.<span id="more-3461"></span>  In a series of videos on YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are indeed unique compared to other whitelisting solutions, but not compared to CoreTrace, which also offers, e.g., trusted change and memory protection).  You can view the initial video <a href="http://www.youtube.com/watch?v=8Az9yg9KcVs&#038;feature=relmfu" target="_blank">here</a>.  While you are at YouTube, make sure to check out <a href="http://www.youtube.com/CoreTraceCorporation" target="_blank">CoreTrace’s video channel</a> too. </p>
<p>While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed-function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant had never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: <i>“Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”</i></p>
<p>Second, let’s cover the related tremors:  the industry’s recommendations to use application whitelisting to solve problems like those created by the theft of Symantec’s pcAnywhere source code.  While Symantec’s own <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&#038;pvid=security_advisory&#038;suid=20120124_00" target="_blank">advisory</a> to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as part of his recommendations in a <a href="http://scitech.foxnews.mobi/quickPage.html?page=23952&#038;content=65142874&#038;pageNum=-1" target="_blank">FoxNews.com interview</a>, Anup Ghosh, founder and CEO of Virginia-based security firm Invincea, told FoxNews.com <i>“Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”</i></p>
<p>So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do?  Stay tuned for future coverage of this developing story…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Making &#8220;Shady RAT&#8221; Useful: An Open Letter to McAfee, Symantec &amp; the Australian DoD&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/</link>
		<comments>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/#comments</comments>
		<pubDate>Fri, 05 Aug 2011 13:42:16 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Shady RAT]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3427</guid>
		<description><![CDATA[Earlier this week, I wrote a post comparing the  cybersecurity strategies of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was &#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221; The [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I wrote a post comparing the <a href="http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/" target="_blank">cybersecurity strategies</a> of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was <i>&#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221;</i> The strategy was based on the Australian DoD&#8217;s Defence Signals Directorate&#8217;s (DSD) analysis of actual intrusions&#8211;learning from what happened in order to recommend the approaches that would have prevented those attacks/breaches. The strategy outlined 35 mitigations, with a strong recommendation to implement the top 4 (#4 is application whitelisting, btw):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>Also earlier this week, McAfee released a report that just about everyone in the security industry has likely now read, <a href="http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf" target="_blank">“Revealed: Operation Shady RAT”</a>.  The report, written by Dmitri Alperovitch, VP of Threat Research at McAfee, is an eye-opening read covering targeted intrusions into over 70 global companies, governments and non-profit organizations over the last 5 years. The report covers the types of organizations hit the hardest (not shockingly, defense contractors led the list with 13 of the intrusions detected), the ramifications of the breaches, the estimated time each victim was compromised (the shortest being 1 month, an honor shared by 9 victims) and even outlines the generic attack approach utilized:<span id="more-3427"></span></p>
<blockquote>
<p>The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command &#038; Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for. </p>
</blockquote>
<p>(Side note: Not to be outdone, Symantec did their own analysis of the attacks, which adds even more details.  You can find that analysis <a href="http://www.symantec.com/connect/blogs/truth-behind-shady-rat" target="_blank">here</a>.)</p>
<p>In short, the McAfee report does an excellent job of driving home Dmitri&#8217;s (and most security professionals&#8217;) key message:</p>
<blockquote>
<p>&#8220;I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that <b>know they’ve been compromised</b> and those that <b>don’t yet know</b>.&#8221;</p>
</blockquote>
<p>Which finally brings me to the objective of this post. <b>This is an Open Letter to McAfee, Symantec and the Australian DoD. Let&#8217;s find a way of making the &#8220;Operation Shady RAT&#8221; project truly useful.</b>  Please combine the known attacks from &#8220;Operation Shady RAT&#8221; with the best-practice mitigation methodology the Australian DoD used in creating its 35 mitigation recommendations.  Truly analyze the security processes and procedures that were in place at each victim, perhaps categorized by their effectiveness in shortening or avoiding the breach (I have to believe that the 9 entities with the shortest compromises were doing something different from the ones that remained compromised for years), and produce a modified (if necessary) version of the DoD&#8217;s mitigation recommendations.  That would be truly useful&#8230; beyond the BFO (blinding flash of the obvious) from the original report:  that all entities with any valuable infrastructure or information fit &#8220;into two categories: those that <i>know they’ve been compromised</i> and those that <i>don’t yet know</i>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale of Two DoDs: U.S. and Australian cybersecurity plans differ in depth and usefulness&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/</link>
		<comments>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  
Toney Jennings, CoreTrace CEO and a former Air Force [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  </p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyberspace”</a>.  The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &#038; companies???”</a> post was to openly challenge the US DoD to modify its procurement and evaluation processes so that small, innovative companies can assist in cyber defense.  However, Toney also made a few other key points. Most relevant to this post, Toney highlighted that the document was <b><i>extremely high level and highly prone to status quo thinking and actions</i></b>, e.g.,</p>
<blockquote>
<p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p>
</blockquote>
<p>Which brings me to the Australian DoD.  In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four.  According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<ol>
<li><strong>Patch applications</strong> e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</li>
<li><strong>Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</li>
<li><strong>Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</li>
<li><strong>Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</li>
</ol>
</blockquote>
<p>I sincerely hope that the US DoD will take a page from its Australian counterpart.  Learn, adapt, and survive. It is a far better strategy than simply standing pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why whitelisting is not a standalone replacement for traditional antivirus&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-03/why-whitelisting-is-not-a-standalone-replacement-for-traditional-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2011-03/why-whitelisting-is-not-a-standalone-replacement-for-traditional-antivirus/#comments</comments>
		<pubDate>Wed, 23 Mar 2011 18:18:47 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2912</guid>
		<description><![CDATA[Coming from an application whitelisting provider, you might think it’s rather odd that we would agree with anyone who says whitelisting is not a replacement for antivirus. Because each solution takes an opposing approach to fighting malware, it’s only natural that people think that you can only use one or the other. But it’s just [...]]]></description>
			<content:encoded><![CDATA[<p>Coming from an application whitelisting provider, you might think it’s rather odd that we would agree with anyone who says whitelisting is not a replacement for antivirus. Because each solution takes an opposing approach to fighting malware, it’s only natural that people think that you can only use one or the other. But it’s just not true.</p>
<p>In the article, <a href="http://www.networkworld.com/news/2011/031111-whitelisting-malware.html" target="_blank">“Whitelisting on its own not a substitute for antivirus,”</a> <em>Network World’s</em> Ellen Messmer writes how whitelisting should be used as a complementary security defense, not a standalone solution. And we absolutely agree. Here’s why.<span id="more-2912"></span></p>
<p>Because today’s malware is so prolific, traditional antivirus can no longer keep up with the tens of thousands of new malware samples and variants that surface each day. However, this doesn’t mean organizations should drop antivirus altogether. They should continue to take advantage of the valuable information blacklist-based solutions provide to identify as many “known bad” applications as possible. On the flip side, application whitelisting blocks any unauthorized application from executing on a system, in essence allowing only “known good” applications to run.</p>
<p>The fact is, many of today’s leading whitelisting solutions, like CoreTrace’s cross-platform <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">Bouncer application whitelisting solution</a>, actually include cloud-based blacklists to identify and clean up already-infected systems without impacting system performance. Through its Trusted Change capabilities, Bouncer also lets organizations extend the whitelist in a user-friendly way: applications installed or upgraded from approved, trusted sources are added to the whitelist automatically, with minimal IT involvement.</p>
<p>The bottom line is, combining application whitelisting as the primary mechanism for preventing the execution of unknown and malicious applications with cloud-based blacklists for reporting and compliance purposes prevents both known and unknown malicious code from executing on a system &#8212; and does so in a way that does not impact performance. While we agree that whitelisting enforcement alone is not a complete replacement for antivirus, an anti-malware strategy that includes both whitelisting and blacklisting for application control gives organizations the best of both worlds for defending their endpoints against ever more prolific attacks.</p>
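<p>To make the "allowlist first, blacklist for reporting" model concrete (and to illustrate mitigation #4 from the DSD list quoted in the previous post), here is an added example of the execution decision such a product has to make. It is illustrative code written for this post, not CoreTrace's Bouncer or any other vendor's implementation; the file paths, file contents, hash lists and the "trusted updater" path are all constructed for the demonstration.</p>

```python
"""Allowlist-first execution decisions with a blacklist used only for reporting.

Added example for this post; not CoreTrace/Bouncer code. All paths, file
contents and hash lists below are constructed test data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def sha256_hex(data: bytes) -> str:
    """Identity of an executable is its content hash, not its name or path."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for on-disk executables (path -> file contents).
SAMPLES: Dict[str, bytes] = {
    r"C:\Windows\notepad.exe": b"MZ...notepad-build-1",
    r"C:\Users\alice\Downloads\invoice.exe": b"MZ...dropper-known",
    r"C:\Users\alice\AppData\Local\Temp\upd8.exe": b"MZ...dropper-variant",
}

# "Known good": only notepad is approved.
ALLOWLIST: Set[str] = {sha256_hex(SAMPLES[r"C:\Windows\notepad.exe"])}

# "Known bad": a blacklist knows the first dropper but not its repacked variant.
BLACKLIST: Dict[str, str] = {sha256_hex(b"MZ...dropper-known"): "Trojan.Dropper/constructed"}

# Constructed: a process whose file writes are trusted (Trusted Change analogue).
TRUSTED_UPDATERS: Set[str] = {r"C:\Program Files\Vendor\updater.exe"}


@dataclass
class Decision:
    path: str
    sha256: str
    allowed: bool
    reason: str
    blacklist_hit: Optional[str]  # signature name, for reporting only


def decide(path: str, contents: bytes, allowlist: Set[str], blacklist: Dict[str, str]) -> Decision:
    """Allowlist is the enforcement decision; the blacklist only labels the verdict."""
    digest = sha256_hex(contents)
    hit = blacklist.get(digest)
    if digest in allowlist:
        return Decision(path, digest, True, "allowlisted", hit)
    # Anything not explicitly approved is blocked, whether or not AV knows it.
    reason = "blocked: blacklist match" if hit else "blocked: unknown (not allowlisted)"
    return Decision(path, digest, False, reason, hit)


def evaluate_all(samples: Dict[str, bytes], allowlist: Set[str], blacklist: Dict[str, str]) -> List[Decision]:
    return [decide(path, contents, allowlist, blacklist) for path, contents in samples.items()]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Report counts the way a compliance dashboard would: known bad vs. merely unknown."""
    return {
        "allowed": sum(1 for d in decisions if d.allowed),
        "blocked_known_bad": sum(1 for d in decisions if not d.allowed and d.blacklist_hit is not None),
        "blocked_unknown": sum(1 for d in decisions if not d.allowed and d.blacklist_hit is None),
    }


def record_write(writer_path: str, written_contents: bytes, allowlist: Set[str]) -> bool:
    """Trusted-change analogue: files written by a trusted updater join the allowlist.

    Returns True if the new file's hash was added, False if the writer is untrusted
    (its output stays unapproved and will be blocked by decide()).
    """
    if writer_path not in TRUSTED_UPDATERS:
        return False
    allowlist.add(sha256_hex(written_contents))
    return True


if __name__ == "__main__":
    for d in evaluate_all(SAMPLES, ALLOWLIST, BLACKLIST):
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} {d.path}  ({d.reason})")
    print(summarize(evaluate_all(SAMPLES, ALLOWLIST, BLACKLIST)))
```

<p>The point of the example is the third sample: the repacked dropper has no blacklist entry, so a signature-only engine would let it run, while the allowlist blocks it for the same reason it blocks the first one. The blacklist still earns its keep by telling the operator which of the two blocked files is a known Trojan and which is merely unapproved. Real products add signer- and path-based rules and hook the kernel's process creation, which this standalone snippet does not attempt.</p>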
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-03/why-whitelisting-is-not-a-standalone-replacement-for-traditional-antivirus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Godzilla versus King Kong, bot style? Zeus versus Ares&#8230; (and why neither wants to face Bouncer)</title>
		<link>http://www.coretraceblogs.com/2010-11/godzilla-versus-king-kong-bot-style-zeus-versus-ares-and-why-neither-wants-to-face-bouncer/</link>
		<comments>http://www.coretraceblogs.com/2010-11/godzilla-versus-king-kong-bot-style-zeus-versus-ares-and-why-neither-wants-to-face-bouncer/#comments</comments>
		<pubDate>Tue, 30 Nov 2010 14:24:26 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[ares]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2519</guid>
		<description><![CDATA[Over the past few years, the Zeus virus has infected millions of financial systems worldwide, capturing account credentials that cybercriminals use to gain access to corporate networks and steal sensitive data. While there have been competitive programs designed to dethrone Zeus and remove the widespread malware from infected systems, a newly announced malicious software is [...]]]></description>
			<content:encoded><![CDATA[<p>Over the past few years, the Zeus banking Trojan has infected millions of systems worldwide, capturing account credentials that cybercriminals use to gain access to corporate networks and steal sensitive data. While there have been competing programs designed to dethrone Zeus and remove the widespread malware from infected systems, a newly announced piece of malicious software is threatening to one-up the infamous do-it-yourself banking Trojan.<span id="more-2519"></span></p>
<p>According to the article, <a href="http://www.infoworld.com/t/malware/coming-soon-clash-the-banking-trojans-875" target="_blank">&#8220;Coming soon: &#8216;Clash of the Banking Trojans&#8217;,&#8221;</a> a malware programmer plans to release a program known as &#8220;Ares&#8221;. The malicious software is &#8220;a small, lightweight executable that can evade antivirus and be easily placed into PDFs and other exploitable files.&#8221;</p>
<p>Beyond these features, what distinguishes Ares from other malware is a modular platform that enables criminals to customize and update it to meet their specific needs. In a post on a criminal online forum, the developer said Ares gives a buyer of the malicious code something other programs don&#8217;t &#8212; a choice.</p>
<p>&#8220;I actually consider this more of a platform which is customized to each buyer&#8217;s liking. This is what draws a line between Ares and other bots.&#8221;</p>
<p>While Ares has not yet been released, security experts say that if it is, the new Trojan could pose a serious danger as it rolls out in numerous versions and targets different businesses. However, systems protected by CoreTrace&#8217;s <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">BOUNCER application whitelisting solution</a> need not worry. Because BOUNCER only lets explicitly approved executables run, it does not need a signature for each build: no matter how the program is customized, an Ares variant that is not on the whitelist is blocked before it executes, just like any other new malware variant that tries to run on a protected machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-11/godzilla-versus-king-kong-bot-style-zeus-versus-ares-and-why-neither-wants-to-face-bouncer/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

