A software vendor ships its product to resellers, partners and customers through the supply chain. If the software is already compromised at the manufacturer, every downstream company that installs the application is affected.
The first step in such an attack is usually to trick employees of the company into revealing their credentials, typically with phishing emails. Ideally for the attacker, a highly privileged account with weak protection turns up. More often, however, the attacker spends several weeks moving laterally, slowly and carefully, to reach the target undetected, relying wherever possible on native system tools ("living off the land"). The SolarWinds attack succeeded partly because the attackers left almost no traditional indicators of compromise; the affected organisations were evidently blind to the intruders in their networks.
After a cyberattack, one of the largest fuel pipelines in the US was temporarily shut down. Ransomware was reportedly involved.
A cyberattack, reportedly originating from Russia, targeted more than 30 prominent Polish officials, ministers, members of parliament from several parties and some journalists by compromising their email inboxes. (June 2021)
In most cases the perpetrators gain access to sensitive data by deliberately deceiving unsuspecting government employees: nine out of ten cyberattacks start with such a phishing email to employees. The attackers then encrypt the government's data and demand enormous ransoms for the decryption key.
Langenhagen. The city administration is believed to have been the target of a hacker attack. The attackers sent employees an e-mail intended to persuade them to download malicious code that could, for example, infect operating systems or damage computer systems.
Risks to industrial control systems (ICS) arise from threats that can exploit existing vulnerabilities to harm the ICS and thus the enterprise operating it. National security agencies such as the BSI (the German Federal Office for Information Security) periodically compile the most frequent critical threats to ICS and publish them to share knowledge and best practices. In its report, the BSI identifies the infiltration of malware via removable media and external hardware (e.g., BadUSB) as the leading threat.
A prominent example is Stuxnet, which was introduced via removable storage (a USB drop attack). It was so invasive because it reached otherwise isolated industrial systems on USB sticks and, once on a host, infected every further USB stick plugged into it, which then carried it onward.
+++ The American healthcare firm Universal Health Services sustained a ransomware attack that forced affected hospitals to revert to manual backup procedures, divert ambulances and reschedule surgeries (September 2020)
+++ Loss of patient data: A ransomware attack on the Brooklyn Hospital Center in New York that hit several computer systems caused the permanent loss of some patients' data.
Comprehensive security for your data, systems and endpoints consists of several complementary solutions. Depending on the attack tactics involved, there are different use cases, which we discuss in the following sections.
Our solutions: Application Control, Application Behavior Control, Device Control, Security Awareness
Application whitelisting turns the blacklisting logic on its head: you create a list of acceptable entities (applications, software libraries, scripts) that are allowed to run on a system or network, and everything not on the list is blocked automatically. It follows the "Zero Trust" principle: deny everything by default and allow only what is necessary.
Because blacklists are limited to known quantities (documented malware and the like) while malware variants evolve constantly to evade signature-based and behavioural detection, whitelisting is now widely regarded as the more sensible approach to information security.
"From a security perspective, it makes more sense to ban everything across the board and only allow the select few."
Allowing only approved software and applications to run also minimises the chance of malware taking root on the system. The set of things you actually need to run is far smaller than the set of things you don't. We apply the same model to other aspects of security in our lives: who do you let into your house? You don't keep a list of all the bad people in the world; you let in only the people you trust.
DriveLock gives you the best of both worlds - blacklisting and whitelisting.
So on the one hand you allow only the software, software libraries and scripts that are needed for work, and on the other hand you can blacklist built-in tools that attackers abuse, or restrict their use to specific administrative users.
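To make the allow-plus-deny logic concrete, here is an added example in Python (not DriveLock code, and not its policy format) of a default-deny allowlist that identifies programs by the SHA-256 of their content rather than by file name, combined with a second list of built-in tools that only an assumed "IT-Admins" group may run. The file contents, file names and group name are constructed for the illustration.

```python
import hashlib

# Added example, not DriveLock code: a default-deny allowlist keyed on file
# content (SHA-256) rather than on file name, plus an extra restriction on
# built-in tools that only administrators may run. All "binaries" below are
# constructed byte strings so the example runs offline.

ADMIN_GROUP = "IT-Admins"  # assumed group name

# Built-in tools that attackers abuse for living off the land. They are
# legitimate and therefore on the allowlist, but only the admin group may
# start them.
RESTRICTED_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "regsvr32.exe"}

# Constructed stand-ins for the files an organisation has approved.
KNOWN_GOOD_FILES = {
    "excel.exe": b"MZ\x90\x00...constructed excel image...",
    "powershell.exe": b"MZ\x90\x00...constructed powershell image...",
    "erp-client.exe": b"MZ\x90\x00...constructed line-of-business app...",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: dict) -> dict:
    """Map content hash -> canonical name. This is the list an admin maintains
    (and must refresh whenever an approved program is updated)."""
    return {sha256_hex(content): name for name, content in files.items()}


ALLOWLIST = build_allowlist(KNOWN_GOOD_FILES)


def decide(file_name: str, content: bytes, user_groups: set) -> tuple:
    """Return (allowed, reason). The file name is only reported, never trusted:
    identity comes from the hash, so renaming a tool does not change the verdict."""
    digest = sha256_hex(content)
    canonical = ALLOWLIST.get(digest)
    if canonical is None:
        return False, f"{file_name}: hash {digest[:12]}... not on allowlist"
    if canonical in RESTRICTED_TOOLS and ADMIN_GROUP not in user_groups:
        return False, f"{file_name}: is {canonical}, restricted to {ADMIN_GROUP}"
    return True, f"{file_name}: approved as {canonical}"


if __name__ == "__main__":
    powershell = KNOWN_GOOD_FILES["powershell.exe"]
    cases = [
        ("excel.exe", KNOWN_GOOD_FILES["excel.exe"], {"Users"}),
        ("update.exe", b"MZ\x90\x00...constructed unknown download...", {"Users"}),
        ("notepad.exe", powershell, {"Users"}),  # PowerShell renamed by an attacker
        ("powershell.exe", powershell, {"Users", ADMIN_GROUP}),
    ]
    for name, content, groups in cases:
        allowed, reason = decide(name, content, groups)
        print("ALLOW" if allowed else "BLOCK", reason)
```

Keying on the hash is what makes the restriction on built-in tools hold: a renamed copy of PowerShell is still PowerShell. The price is maintenance, since every update to an approved program changes its hash; that is why allowlisting products in general also offer rules on file properties such as the publisher certificate, so the list does not have to be rebuilt after each patch.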
How do you configure application whitelisting with DriveLock? You make the necessary settings in DriveLock's policies.
Isn't the configuration a lot of work? To reduce and simplify the effort of Application Whitelisting with DriveLock, there are a few options:
In addition, application control can govern the invocation of scripts and sub-processes.
You want to prevent your browser from launching PowerShell and potentially bringing malware onto your computer. To do this, you create a DriveLock rule that prohibits the browser, and every process it launches, from starting PowerShell.
Creating malicious child processes is a common malware strategy. Malware that abuses Microsoft Office documents as a vector often uses VBA macros or exploit code to download and execute further payloads. Some legitimate line-of-business applications, however, also spawn child processes for innocuous purposes, such as opening a command prompt or using PowerShell to configure registry settings. You control this with DriveLock Application Behavior Control using an application rule.
You want to specify that Dynamic Link Libraries (DLLs) may only be loaded from certain directories, e.g. to prevent Windows Media Player from loading DLLs from network drives. You create a rule for this with DriveLock.
You want to prevent the browser from executing VB scripts (*.vbs). Restricting script execution lets organisations achieve a high level of security. DriveLock offers a holistic approach and full configurability for this. You can restrict the execution of script files based on
The list of scripts and their interpreters can be extended at any time. For example, you can use DriveLock to configure whitelisting for .BAT files and extend it to .CMD files at will. The procedure is the same for any file type interpreted by an application, such as PS1, VBS, JS, HTA or JAR.
For example, you want to ensure that only your own banking software has read access to a certain directory and to deny read access to all other applications, because malware could otherwise obtain read access to that directory through a security hole in the browser and read your banking data. To do this, configure a rule with DriveLock.
You want to specify that a certain browser (Google Chrome, Mozilla Firefox) is not allowed to write to the "Documents" folder. Since you want to define this for all users and not only for some, you use so-called placeholders when creating the rule.
You want to control registry access for the banking software from use case 5. No problem: with DriveLock you create two application permissions so that only banking-software.exe is allowed to read the specified key (e.g., HKEY_CURRENT_USER\SOFTWARE\Bank Software\).
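The use cases above all reduce to the same pattern: a subject (a process, possibly identified through its parent chain), an action (start a child process, run a script, load a DLL, read or write a path or registry key) and an allow or deny verdict, with a placeholder so that one rule covers every user. The following added Python example (not DriveLock's engine or rule syntax) models that pattern over constructed endpoint events; the image names, paths, the set of browsers and the {USERPROFILE} placeholder are assumptions made for the illustration.

```python
import fnmatch
from dataclasses import dataclass

# Added example, not DriveLock's rule format or engine: a first-match rule
# evaluator that models the application behaviour use cases above over
# constructed endpoint events. Image names, paths, the group of browsers and
# the {USERPROFILE} placeholder syntax are assumptions for this illustration.


@dataclass(frozen=True)
class Event:
    kind: str               # process | script | dll | file_read | file_write | registry_read
    actor: str              # image name of the process performing the action
    target: str             # child image, script file, DLL path, file path or registry key
    ancestors: tuple = ()   # parent chain of the actor, nearest parent first
    user: str = "alice"     # account the actor runs as; drives placeholder expansion


@dataclass(frozen=True)
class Rule:
    kind: str
    actors: tuple           # globs on the actor image name; ("*",) = any process
    targets: tuple          # globs on the target; may contain {USERPROFILE}
    action: str             # "allow" or "deny"
    include_children: bool = False  # also match when an actor glob hits an ancestor


def _glob(pattern: str, value: str) -> bool:
    # Windows names and paths are case-insensitive, so compare lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _expand(pattern: str, user: str) -> str:
    # Assumed placeholder: resolved per user so one rule covers every profile.
    return pattern.replace("{USERPROFILE}", "C:\\Users\\" + user)


def matches(rule: Rule, ev: Event) -> bool:
    if rule.kind != ev.kind:
        return False
    subjects = (ev.actor,) + (ev.ancestors if rule.include_children else ())
    if not any(_glob(a, s) for a in rule.actors for s in subjects):
        return False
    return any(_glob(_expand(t, ev.user), ev.target) for t in rule.targets)


def evaluate(rules, ev: Event) -> str:
    """First matching rule wins. An event no rule covers is left alone ("allow"),
    so restrictions can be introduced one use case at a time."""
    for rule in rules:
        if matches(rule, ev):
            return rule.action
    return "allow"


BROWSERS = ("chrome.exe", "firefox.exe")
BANK_DIR = r"C:\BankData\*"
BANK_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Bank Software\*"

RULES = [
    # Browsers, and anything they start, may not launch PowerShell.
    Rule("process", BROWSERS, ("powershell.exe",), "deny", include_children=True),
    # Office may not spawn a shell; its other child processes stay allowed.
    Rule("process", ("winword.exe", "excel.exe"), ("cmd.exe", "powershell.exe"), "deny"),
    # Media Player loads DLLs only from program and system directories (never from UNC paths).
    Rule("dll", ("wmplayer.exe",), (r"C:\Program Files*\*", r"C:\Windows\*"), "allow"),
    Rule("dll", ("wmplayer.exe",), ("*",), "deny"),
    # No .vbs execution anywhere in a browser's process tree.
    Rule("script", BROWSERS, ("*.vbs",), "deny", include_children=True),
    # Only the banking software reads the bank data directory.
    Rule("file_read", ("banking-software.exe",), (BANK_DIR,), "allow"),
    Rule("file_read", ("*",), (BANK_DIR,), "deny"),
    # Browsers may not write into any user's Documents folder.
    Rule("file_write", BROWSERS, (r"{USERPROFILE}\Documents\*",), "deny"),
    # Two permissions: only the banking software reads its registry key.
    Rule("registry_read", ("banking-software.exe",), (BANK_KEY,), "allow"),
    Rule("registry_read", ("*",), (BANK_KEY,), "deny"),
]

# Constructed events, as an endpoint sensor might report them.
DEMO_EVENTS = [
    Event("process", "cmd.exe", "powershell.exe", ancestors=("chrome.exe", "explorer.exe")),
    Event("process", "winword.exe", "powershell.exe"),
    Event("process", "winword.exe", "splwow64.exe"),
    Event("dll", "wmplayer.exe", r"\\fileserver\share\codec.dll"),
    Event("dll", "wmplayer.exe", r"C:\Windows\System32\mf.dll"),
    Event("script", "wscript.exe", r"C:\Users\alice\Downloads\invoice.vbs", ancestors=("chrome.exe",)),
    Event("file_read", "chrome.exe", r"C:\BankData\accounts.db"),
    Event("file_read", "banking-software.exe", r"C:\BankData\accounts.db"),
    Event("file_write", "firefox.exe", r"C:\Users\bob\Documents\notes.docx", user="bob"),
    Event("file_write", "firefox.exe", r"C:\Users\bob\Downloads\report.pdf", user="bob"),
    Event("registry_read", "malware.exe", r"HKEY_CURRENT_USER\SOFTWARE\Bank Software\Session"),
]

if __name__ == "__main__":
    for ev in DEMO_EVENTS:
        print(f"{evaluate(RULES, ev):5}  {ev.kind:13}  {ev.actor} -> {ev.target}")
```

First-match ordering is what makes the "allow the banking software, deny everyone else" pairs work: the specific allow rule must precede the catch-all deny. Because unmatched events pass, the model is also a reminder that behaviour rules complement, rather than replace, the default-deny application whitelist described earlier: an unknown executable that is never allowed to start produces no child-process, DLL or file events to evaluate in the first place.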
DriveLock provides rules based on the MITRE ATT&CK™ framework. MITRE ATT&CK™ is a globally accessible knowledge base of tactics and techniques. The ATT&CK knowledge base serves as the foundation for developing specific threat models and methodologies in the private sector, government, and cybersecurity product and service communities.
You can import these rules into the EDR (Endpoint Detection & Response) node. The purpose of these rules is not to block or allow actions but to report specific events on the computer, which are then processed by the event filters and alarms.
Event-driven security awareness can be very important, especially in times of the home office, when users work in isolation from each other and do not ask their colleagues or IT directly about dubious mails. For example, when a new application is launched, DriveLock can check whether it is a secure application and, if in doubt, display a short security campaign on the topic of "dealing with new applications" together with appropriate security advice.
For example, you would like to display a security awareness campaign every 14 days whenever the user starts Outlook? You create a file property rule for this purpose.
An example of port-based control is the control of Bluetooth devices. For example, you can whitelist a Logitech Spotlight Bluetooth presentation stick.
DriveLock allows detailed settings for connecting devices via Bluetooth. For example, pairing with new devices can be prevented completely or restricted to the desired Bluetooth services, such as audio streaming or the services required for HID devices like pens and keyboards. Synchronisation of contact data or the transfer of files can thus be effectively prevented.
In addition, you can enable automatic learning mode: once a policy with this setting has been enabled, devices of the types currently installed or connected are whitelisted automatically when the client computer is rebooted.
This will whitelist the built-in Bluetooth controllers for that client computer.
Imagine an attacker could plug a seemingly harmless USB drive into a computer and use it to install a backdoor, exfiltrate documents, steal passwords or carry out many other attacks. All of this can be accomplished with well-crafted keystrokes. If you were sitting in front of that computer with a photographic memory and some sophisticated scripts, it would take you a few minutes; a BadUSB device does it in seconds. It abuses the trust computers place in humans by pretending to be a keyboard and injecting keystrokes as if a user were typing.
DriveLock Device Control can control human interface devices (HIDs) through device whitelisting. It can also allow access to newly connected HIDs only if the user accepts a usage policy by authenticating with their domain password as a prerequisite.
Encryption 2-Go is part of DriveLock Device Control and provides a fully integrated solution for encrypting external drives. Encryption 2-Go gives you the choice of protecting your data on removable media with either container encryption or folder-based encryption. This ensures that your data remains protected even when it leaves the company on mobile storage media such as USB drives. At the same time, you meet regulatory requirements to protect the confidentiality and integrity of data.
Encryption 2-Go provides a full-featured encryption management tool for external media:
You can choose between container-based encryption or folder-based encryption.
One of the pillars of the Zero Trust security strategy is to deny external storage drives by default and only allow certain drives when needed. The same concept applies to allowing only authorized users to use external drives and denying access to other users. DriveLock blocks unknown drives by default. Thus, only known external drives can be used and accessed by authorised users.
Access to the drives is logged. Files that are read and written are also monitored.
To approve external drives, you can use either vendor/product ID rules or drive collection rules. With a manufacturer/product ID rule, you can approve the following: