DriveLock Endpoint Protection: Use Cases

Use cases for effective deployment of application control and device control

Types of attacks

Supply chain attack using social engineering

+++ In 2020, cyber attackers compromised the supply chain of U.S.-based SolarWinds, a vendor specialising in network management software

The software vendor ships software to resellers and partners through the supply chain. If the original software is already "infected" at the manufacturer, this has consequences for all downstream companies that use the application.

The first step in such an attack is usually to trick employees of the company into revealing their credentials with phishing emails. Ideally for the attacker, a particularly privileged account with poor security measures turns up. More often, however, the attacker spends several weeks making slow, careful lateral moves to reach the target undetected, relying on as many native system tools as possible along the way. The SolarWinds attack also succeeded because the attackers left almost no traditional indicators of compromise; the targeted organisations were evidently blind to the intruders in their networks.

+++ Hackers shut down major U.S. pipeline

After a cyber attack, one of the largest gasoline pipelines in the US was temporarily shut down. Ransomware was reported to have been involved.

Attack on authorities

+++ Cyber criminals attack government officials

A cyberattack reportedly from Russia targeted more than 30 prominent Polish officials, ministers and deputies of political parties, and some journalists by compromising their email inboxes. (June 2021)

+++ Authorities are increasingly becoming a popular target of cyber criminals (source: Behördenspiegel)

In most cases, the culprits gain access to sensitive data by deliberately deceiving unsuspecting government employees: Nine out of ten cyberattacks start with such a phishing email to employees. The attackers then encrypt the government data and demand enormous ransoms for decryption.

+++ Hackers attack the town hall (Source: Hannoversche Allgemeine Zeitung, 23.05.2020)

Langenhagen. The city administration is believed to have been the target of a hacker attack. The attackers sent an e-mail to employees intended to persuade them to download malicious code that could, for example, infect operating systems or damage computer systems.

Attack on industrial systems

Risks to industrial production and control systems (ICS) arise from threats that, because of existing vulnerabilities, can harm the ICS and thus the enterprise. National security agencies such as the BSI (the German Federal Office for Information Security) compile the most frequently occurring critical threats to ICS annually. With the mission of sharing knowledge, innovation and best practices, the BSI works to improve organisations all over the world. Its report identifies the infiltration of malware via removable media and external hardware (e.g., BadUSB) as the leading threat.

Prominent example: the Stuxnet attack was carried out via a removable storage device (USB drop attack). It was so invasive because it infiltrated industrial systems via USB sticks; infected systems in turn compromised any USB sticks plugged into them, which were then reused elsewhere.

Attack on hospitals

+++ American healthcare firm Universal Health Systems sustained a ransomware attack that caused affected hospitals to revert to manual backups, divert ambulances, and reschedule surgeries (September 2020)

+++ Loss of patient data

A ransomware attack on the Brooklyn Hospital Center in New York hit several computer systems and caused the permanent loss of some patients' data.

The big question is: Could these attacks have been prevented?

Comprehensive security for your data, systems and endpoints consists of a plurality of solutions. Depending on the attack tactics, there are different use cases, which we will discuss in the following sections.

Our solutions: Application Control, Application Behavior Control, Device Control, Security Awareness

File-based malware

Some of the attacks mentioned could have been prevented by Application Whitelisting. The principle is fundamentally different from that of an antivirus scanner, which works with a database of known viruses and malicious programs (blacklist).

How does Application Whitelisting work?

Application whitelisting turns the blacklisting logic on its head: you create a list of acceptable entities (applications, software libraries, scripts) that are allowed to run on a system or network, and the system automatically blocks the execution of any non-whitelisted software. It is based on a "Zero Trust" principle that essentially denies everything and allows only what is necessary.

Given that blacklists are limited to known variables (documented malware, etc.) and malware variants are constantly evolving to circumvent behavioral or signature-based detection methods, it is now widely believed that whitelisting is the more sensible approach to information security.

"From a security perspective, it makes more sense to ban everything across the board and only allow the select few."

Allowing only approved software and applications to run will also minimise the chances of malware taking root on the system. What you want to run on your system is a much smaller set of acceptable entities compared to the ones you don't need. We apply this model to other aspects of security in our lives: For example, who do you let into your house? You don't keep a list of all the bad people in the world. Rather, you only let the people you trust into your home.

DriveLock gives you the best of both worlds - blacklisting and whitelisting.

So, on the one hand, you allow only the software, software libraries and scripts that are needed to work. And on the other hand, you can blacklist built-in tools that are abused by perpetrators or restrict their use to certain administrative users.

How do you configure application whitelisting with DriveLock? To set up application whitelisting on your end, you need to make the necessary settings in DriveLock's policies.

Isn't the configuration a lot of work? To reduce and simplify the effort of Application Whitelisting with DriveLock, there are a few options:

  • Integrate a software deployment agent
    You can integrate software distribution systems, patch management systems, and stand-alone updaters with DriveLock's Application Control. Thus, you significantly reduce administrative overhead.
  • Include a trusted source
    To further simplify application control, you can classify file stores (central or local) from which trusted applications are allowed to run. This eliminates the need for auditing in future cases.
  • Temporary Unlocking
    Configuring temporary unlocking of the local machine for manual software installations frees up IT professionals. IT departments can offload responsibility to end users and no longer have to be asked every time software is installed. End users with appropriate authorisation can install software without waiting for confirmation from the IT team. IT managers then check centrally which applications have been installed and started through such self-service releases.

In addition, Application Control can govern the invocation of scripts and subprocesses.

Test DriveLock now 30 days free of charge & without obligation

Fileless attack tactics

The attack on the software company's supply chain by social engineering mentioned earlier shows that, contrary to the classic understanding of file-based malware, attackers are increasingly using native, legal tools and scripts, misusing them and converting them for their own purposes. These cases can be prevented if the applications allowed on the whitelist, including Windows' own scripts, are restricted in their use by so-called application permissions.

Which attacker methods would application permissions have prevented?
All of the use cases described below can be easily mapped in the DriveLock rule set. For more info, visit https://drivelock.help/versions/current/index.html

Use case 1: Prevent PowerShell from starting

You want to prevent your browser from launching PowerShell and potentially bringing malware onto your computer. To do this, you use DriveLock to create a rule that prohibits the browser and all processes it launches from starting PowerShell.

Use case 2: Preventing subprocesses (child processes) from being started

Creating malicious child processes is a common malware strategy. Malware that abuses Microsoft Office documents as a vector often runs VBA macros and exploit code to download and execute additional payloads. However, some legitimate line-of-business applications also spawn child processes for innocuous purposes, such as opening a command prompt or using PowerShell to configure registry settings. You stop unwanted child processes with DriveLock Application Behavior Control by means of an application rule.
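Use cases 1 and 2 both come down to a parent/child rule over the process tree. The following is an added illustration of that logic, not DriveLock code: the process tree, image names and rule fields are constructed, and the "descendants" flag is what extends a rule from the browser to everything the browser launched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example, not DriveLock's rule engine: a process tree plus rules such as
# "the browser and everything it launched may not start PowerShell" (use case 1) and
# "Word may not start any child process" (use case 2).

@dataclass
class Process:
    pid: int
    image: str              # executable name in lower case, e.g. "chrome.exe"
    parent: Optional[int]   # pid of the parent process, None for the root

@dataclass
class Rule:
    parent_image: str
    child_image: str            # "*" matches any child image
    action: str                 # "deny" or "allow"
    descendants: bool = False   # also apply to every process below parent_image

def lineage(tree: Dict[int, Process], pid: int) -> List[Process]:
    """The process itself followed by its ancestors up to the root."""
    chain, p = [], tree.get(pid)
    while p is not None:
        chain.append(p)
        p = tree.get(p.parent) if p.parent is not None else None
    return chain

def decide(tree: Dict[int, Process], parent_pid: int, child_image: str,
           rules: List[Rule]) -> str:
    """First matching rule wins. With no match the spawn is allowed here, because
    whether child_image may run at all is decided by the application whitelist."""
    chain = lineage(tree, parent_pid)
    for r in rules:
        candidates = chain if r.descendants else chain[:1]
        for p in candidates:
            if p.image == r.parent_image and r.child_image in ("*", child_image):
                return r.action
    return "allow"

# Constructed process tree: explorer -> chrome -> chrome helper; explorer -> winword
TREE = {p.pid: p for p in [
    Process(1, "explorer.exe", None),
    Process(10, "chrome.exe", 1),
    Process(12, "chrome_helper.exe", 10),
    Process(20, "winword.exe", 1),
]}
RULES = [
    Rule("chrome.exe", "powershell.exe", "deny", descendants=True),  # use case 1
    Rule("winword.exe", "*", "deny"),                                 # use case 2
]
```

Without `descendants=True` the helper process spawned by the browser would slip past the first rule, which is why the page's use case 1 covers "the browser and all processes it launches".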

Use case 3: Restrict loading of a DLL

You want to specify that Dynamic Link Libraries (DLLs) may only be loaded from certain directories, e.g. you want to prevent Windows Media Player from loading DLLs from network drives. Create a rule for this with DriveLock.

Use case 4: Run scripts

You want to prevent the browser from executing VB scripts (*.vbs). Restricting the execution of scripts allows organisations to achieve a high level of security. DriveLock offers you a holistic approach and full configurability for this. You can restrict the execution of script files based on

  • a hash value,
  • a digital signature,
  • a path or,
  • a file owner.

The scripts and their interpreters can be extended at any time. For example, you can use DriveLock to configure the whitelisting of .BAT files. This can be extended with .CMD files at will. The procedure is the same for any type of file interpreted by an application, such as PS1, VBS, JS, HTA, JAR, etc.
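The four criteria listed above (hash, digital signature, path, file owner) and the mapping of script extensions to their interpreters can be modelled as a default-deny check. This is an added example, not DriveLock's rule engine; the interpreter table, the signer name "Contoso IT Signing", the paths and the sample script are constructed.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed example, not DriveLock's rule engine: a script may run only if at least
# one whitelist rule (hash, signature, path or owner) matches it; anything else is
# denied. The table ties extensions to their interpreter, as for .BAT/.CMD in the text.
INTERPRETERS: Dict[str, str] = {
    ".bat": "cmd.exe", ".cmd": "cmd.exe", ".ps1": "powershell.exe",
    ".vbs": "wscript.exe", ".js": "wscript.exe", ".hta": "mshta.exe",
}

@dataclass
class ScriptFile:
    path: str
    content: bytes
    signer: Optional[str]   # subject of a valid code signature, None if unsigned
    owner: str              # NTFS owner, e.g. "BUILTIN\\Administrators"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_whitelisted(f: ScriptFile, rules: List[Dict[str, str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Rules are checked in order; no match means deny."""
    p = PureWindowsPath(f.path)
    ext = p.suffix.lower()
    if ext not in INTERPRETERS:
        return False, f"no interpreter configured for '{ext}'"
    for r in rules:
        kind, value = r["type"], r["value"]
        if kind == "hash" and sha256(f.content) == value:
            return True, f"hash rule matched, runs via {INTERPRETERS[ext]}"
        if kind == "signature" and f.signer == value:
            return True, f"signature rule '{value}'"
        if kind == "path" and str(p).lower().startswith(value.lower()):
            return True, f"path rule '{value}'"
        if kind == "owner" and f.owner.lower() == value.lower():
            return True, f"owner rule '{value}'"
    return False, "no rule matched (default deny)"

# Constructed sample script and rule set
LOGON = ScriptFile("C:\\Scripts\\logon.bat", b"@echo off\r\nnet use H: \\\\fs\\home\r\n",
                   None, "BUILTIN\\Administrators")
RULES = [{"type": "hash", "value": sha256(LOGON.content)},
         {"type": "signature", "value": "Contoso IT Signing"},
         {"type": "path", "value": "C:\\Program Files\\"},
         {"type": "owner", "value": "BUILTIN\\Administrators"}]
```

A hash rule pins one exact file, so any change to the script content drops that match and the script must then satisfy another rule (here the owner rule) or it is denied.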

Use case 5: Reading a specific directory

For example, you want to ensure that only your own banking software has read access to a certain directory, and you want to prohibit read access for other applications. This is because it would be possible for malware to gain read access to this directory via a security hole in the browser and thus read your bank data. To do this, configure a rule with DriveLock.


Use case 6: Writing to a specific directory

You want to specify that a certain browser (Google Chrome, Mozilla Firefox) is not allowed to write to the "Documents" folder. Since you want to define this for all users and not only for some, you work with so-called placeholders when creating the rule.


Use case 7: Restrict access to the registry

You want to control registry access for your banking software from use case 5. No problem: with DriveLock you create two application permissions so that only banking-software.exe is allowed to read the registry under the specified key (e.g. HKEY_CURRENT_USER\SOFTWARE\Bank Software\).


Use Case 8: Detecting attacks with the exemplary MITRE ATT&CK™ rules

DriveLock provides rules based on the MITRE ATT&CK™ framework. MITRE ATT&CK™ is a globally accessible knowledge base of tactics and techniques. The ATT&CK knowledge base serves as the foundation for developing specific threat models and methodologies in the private sector, government, and cybersecurity product and service communities.

You can import these rules into the EDR (Endpoint Detection & Response) node. The purpose of these rules is not to block or allow actions, but simply to report specific events on the particular computer, which are then processed by the event filters and alarms.


Use Case 9: Display a security awareness campaign at Outlook startup

Occasion-related security awareness can be very important, especially in times of the home office, when users work in isolation from each other and do not ask their colleagues or IT directly about dubious mails. For example, if a new application is launched, DriveLock can check whether it is a secure application and, if in doubt, play a short security campaign on the topic of "dealing with new applications" and provide appropriate security advice.


For example, you want to display a security awareness campaign every 14 days whenever the user starts Outlook. You create a file property rule for this purpose.

Attack via data carriers and external devices

DriveLock can monitor and control the flow of data across disks, drives and external devices. DriveLock Device Control, like Application Whitelisting, takes the approach of denying anything that has not been explicitly allowed.

Use Case 1: Bluetooth Devices

An example of port-based control is the control of Bluetooth devices. For example, you can whitelist a Logitech Spotlight Bluetooth presentation stick.

DriveLock allows detailed settings for connecting devices via Bluetooth. For example, pairings with new devices can be completely prevented or restricted to desired Bluetooth services, such as audio streaming or services required for HID devices like pens and keyboards. The synchronisation of contact data or the transfer of files can thus be effectively prevented.

In addition, you can enable automatic learning mode so that devices of the types currently installed or connected are whitelisted automatically the next time the client computer reboots after the policy containing this setting has been activated. This whitelists the built-in Bluetooth controllers of that client computer.

Use Case 2: Bad USB

Imagine an attacker could plug a seemingly harmless USB drive into the computer and use it to install a backdoor, exfiltrate documents, steal passwords or perform many other attacks. All of this can be accomplished with well-crafted keystrokes. If you were sitting right in front of that computer and had a photographic memory as well as some sophisticated scripts, it would take you a few minutes. A BadUSB device does this in seconds. It abuses the trust computers place in humans by pretending to be a keyboard, injecting keystrokes as if a user were typing.
DriveLock Device Control can control human interface devices (HIDs) through device whitelisting. It can also allow access to newly connected HIDs only if the user accepts a usage policy by authenticating with their domain password as a prerequisite.

Use Case 3: Removable Disk Encryption

Encryption 2-Go is part of DriveLock Device Control and provides a fully integrated solution for encrypting external drives. Encryption 2-Go gives you the choice to protect your data on removable media with either container encryption or folder-based encryption. This ensures that your trusted data is protected even when it leaves the company via mobile storage media such as USB drives. At the same time, you meet regulatory requirements to protect the confidentiality and integrity of data.
Encryption 2-Go provides a full-featured encryption management tool for external media:

  • Encryption of files on external storage media (USB sticks and external hard drives)
  • Enforced encryption according to company policies
  • Configurable user selection dialogs when plugging in external drives

You can choose between container-based encryption or folder-based encryption.



Use Case 4: Drive control - prevent data loss or malware injection

One of the pillars of the Zero Trust security strategy is to deny external storage drives by default and only allow certain drives when needed. The same concept applies to allowing only authorized users to use external drives and denying access to other users. DriveLock blocks unknown drives by default. Thus, only known external drives can be used and accessed by authorised users.
Access to the drives is logged. Files that are read and written are also monitored.


Use case 5: Restrictive use of external drives

To approve external drives, you can use either vendor/product ID rules or drive collection rules. With a manufacturer/product ID rule, you can approve the following:

  • Drives from a specific manufacturer
  • A specific product from a specific manufacturer
  • A specific drive by manufacturer ID, product ID, and serial number
  • Multiple drives with the same manufacturer ID and product ID, but different serial numbers

A drive collection rule approves a collection of external drives, each identified by manufacturer ID, product ID and serial number; the drives in the collection may come from different manufacturers. It facilitates the management and approval of new drives.
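The approval options above can be expressed as two rule types over the (vendor ID, product ID, serial) triple of a drive. This is an added, constructed example of that matching, not DriveLock's rule format; the IDs, serials, user names and the optional per-rule user restriction (the "authorised users" idea from use case 4) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

# Constructed example, not DriveLock's rule format: external drives are identified by
# USB vendor ID, product ID and serial number. Unknown drives are denied by default,
# and a matching rule may additionally be limited to certain users.

@dataclass(frozen=True)
class Drive:
    vid: str      # vendor ID, 4 hex digits (constructed values below)
    pid: str      # product ID
    serial: str

@dataclass
class VendorProductRule:
    vid: str
    pid: Optional[str] = None            # None: every product of this vendor
    serials: Optional[Set[str]] = None   # None: every serial; else only those listed
    users: Optional[Set[str]] = None     # None: every authorised user

    def matches(self, d: Drive) -> bool:
        return (d.vid == self.vid
                and (self.pid is None or d.pid == self.pid)
                and (self.serials is None or d.serial in self.serials))

@dataclass
class DriveCollectionRule:
    members: Set[Drive]                  # exact triples; vendors may differ
    users: Optional[Set[str]] = None

    def matches(self, d: Drive) -> bool:
        return d in self.members

Rule = Union[VendorProductRule, DriveCollectionRule]

def decide(d: Drive, user: str, rules: List[Rule]) -> Tuple[bool, str]:
    """First rule that matches the drive decides; no match is a denial."""
    for r in rules:
        if r.matches(d):
            if r.users is None or user in r.users:
                return True, type(r).__name__
            return False, "drive approved, but not for this user"
    return False, "unknown drive (default deny)"

# Constructed rule set: a whole vendor, two serials of one product, and a collection
RULES: List[Rule] = [
    VendorProductRule("1a2b"),
    VendorProductRule("3c4d", "0100", serials={"SN-001", "SN-002"}),
    DriveCollectionRule({Drive("5e6f", "0200", "SN-A"), Drive("7a8b", "0300", "SN-B")},
                        users={"alice"}),
]
```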
