D3FEND Framework – #7

Here we are with another entry in our top ten D3FEND protocols. This time, we’re focusing on a protocol from the Isolate branch: Executable Allowlisting. This is one of the more fundamental aspects of defensive cybersecurity planning, especially when you are working in situations where your users are potentially vulnerable to hidden executables and unwitting executable-based viruses. 

(Just to be clear: that is all situations.) 

With that in mind, this technique is important for stopping incidents that have breached the first line of defense. Remember the Cyber Kill Chain–you should have an effective plan at every step for killing a threat at every stage. 

What is Executable Allowlisting?

Executable allowlisting is a security method used to protect computers from harmful software. It works by creating a list of approved applications that are allowed to run, while blocking all others. This is different from blocking known malicious software, as only approved programs can run with allowlisting. 

The method checks the digital signature or hash of an application to see if it matches the entries in the allowlist. If there’s a match, the application is allowed to run; otherwise, it is blocked. Executable allowlisting is commonly used in places where high security is necessary, like government organizations and banks. It helps prevent unauthorized or harmful software from compromising system security. Managing the allowlist requires regular updates to include new applications and avoid accidentally allowing malicious software. 

Why would someone use Executable Allowlisting? 

Hopefully, you already have half an idea on this one. But executable allowlisting can be a challenge, so convincing the completely uneducated might be a challenge. Here’s a few reasons for implementing it in your workflow.

  • Enhanced Security: Executable allowlisting provides a strong security measure by allowing only approved applications to run on a system. By limiting the execution to trusted software, it reduces the risk of unauthorized or malicious programs compromising system integrity. 
  • Protection against Unknown Threats: Unlike traditional antivirus or anti-malware solutions that rely on known threat signatures, allowlisting focuses on explicitly permitting authorized applications. This approach helps defend against zero-day attacks and emerging threats that may not yet have signatures or patterns identified by traditional security measures. 
  • Prevention of Unauthorized Software: Executable allowlisting ensures that only authorized software is executed. This prevents users from installing or running unapproved applications, reducing the chances of malware, adware, or potentially unwanted programs from being installed. 
  • Control and Compliance: Allowlisting grants organizations greater control over their system environment. It enables them to define a standard set of approved applications, ensuring compliance with internal policies, industry regulations, or specific security requirements. 
  • Minimized Attack Surface: By blocking the execution of all non-allowlisted applications, the attack surface is significantly reduced. This decreases the likelihood of successful attacks that rely on exploiting vulnerabilities in unauthorized software. 

How can I implement Executable Allowlisting? 

So, you’ve decided to implement executable allowlisting. Great! But that’s a long process and one which you have to jump through a couple of hoops for. Here’s our nine-step process on moving from defenseless to defended: 

  • Identify and Assess Software: Begin by identifying the applications that are essential for your system’s operation. Determine which software should be allowed to run and create a list of approved applications. 
  • Define Allowlisting Policy: Establish a clear policy that outlines the criteria for including applications in the allowlist. This may include factors such as software authenticity, integrity, and relevance to your organization’s operations. 
  • Determine Allowlisting Mechanism: Choose a suitable method for implementing the allowlisting mechanism. This can be done through built-in operating system features, third-party security software, or specialized allowlisting solutions. 
  • Create the Allowlist: Compile a comprehensive list of approved applications. Include the necessary details for each application, such as file name, digital signature, cryptographic hash, or other identifiers that can be used to verify its authenticity. 
  • Test and Validate Applications: Before deploying the allowlist, thoroughly test and validate each application to ensure it functions as intended. Verify the digital signatures or hashes to confirm their integrity and authenticity. 
  • Configure the Allowlisting Mechanism: Set up the selected allowlisting mechanism according to your organization’s requirements. Configure it to enforce the allowlist by blocking the execution of non-approved applications. 
  • Deploy and Monitor: Deploy the executable allowlisting solution across the targeted systems. Continuously monitor the system to identify any unauthorized software attempts or potential security breaches. 
  • Allowlist Maintenance: Regularly review and update the allowlist to accommodate new software versions, updates, or releases. Remove any obsolete or unnecessary entries from the allowlist to maintain its accuracy and effectiveness. 
  • Incident Response and Adaptation: Establish an incident response plan to handle any unforeseen issues or false positives resulting from the allowlisting process. Continuously evaluate the effectiveness of the solution and adapt it as needed based on evolving security threats and organizational requirements. 

When you’ve done that, you will have an executable allowlisting workflow which completely fits with each step of the Cyber Kill Chain–at least in theory, anyway! 

What tools can I use for Executable Allowlisting? 

Although there is a temptation to run your executable allowlisting plan manually, there is a litany of useful resources which you can use to speed up the process. Many of these aren’t even particularly difficult to use. Here’s our top five: 

  • Microsoft AppLocker: AppLocker is a built-in feature in Windows operating systems (starting from Windows 7 and Windows Server 2008 R2) that allows you to create policies to specify which applications are allowed to run. It provides granular control over executable files, scripts, installers, and DLLs. 
  • Windows Defender Application Control (WDAC): WDAC, formerly known as Device Guard, is another built-in feature in Windows 10 and Windows Server 2016 and later versions. It offers advanced application control capabilities, including allowlisting, using policies based on file hashes, digital signatures, or path rules. 
  • Symantec Endpoint Protection: Symantec Endpoint Protection is a comprehensive security solution that includes allowlisting functionality. It allows you to create policies to define approved applications based on various criteria, such as digital signatures, file attributes, or publisher reputation. 
  • Carbon Black: Carbon Black is an endpoint security platform that offers application allowlisting capabilities. It allows you to create and manage allowlists based on cryptographic hashes, digital signatures, or other indicators of trust. 
  • CrowdStrike Falcon: CrowdStrike Falcon is a cloud-native endpoint protection platform that provides application control features. It enables you to create and enforce allowlists based on file hashes, digital certificates, or other application attributes. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.