ThreatLocker

ThreatLocker

Lately, there doesn't seem to be a week that goes by without a cyber attack occurring as a result of a software vulnerability. Of course, we're all aware of major breaches, such as the SolarWinds Orion breach and the Microsoft Exchange vulnerability. However, for every major breach that makes the headlines, there are thousands of breaches that do not.

Applications are the necessary evil required on every computer. They are what turns hardware into a business function. Whether your application is a Chrome Extension, an accounting package, or Microsoft Exchange, applications all have a dirty secret — they can all see more than they need to.

"What many do not realize is - when downloading Chrome extensions to clip coupons or change the color of our browser, these Chrome Extensions can see the content we read, and possibly the passwords we enter."

By installing payroll software, you might be aware that a vulnerability could allow an attacker to access payroll data. However, many fail to realize that the moment compromised software begins to run, it gives an attacker access to everything that the user has access to. Whether you are using software as a local administrator or regular user, software has access to all the software that we have access to.

Zero day exploits occur frequently. Macros in Microsoft Office documents, or commands in PowerShell are weaponized and used maliciously.

To prevent vulnerable or compromised applications from eating our data, we must go beyond installing patch updates. Ringfence^TM applications so they can only access what's needed. During the SolarWinds breach, Ringfencing^TM was the unsung hero that stopped the attack from happening. The breach required the embedded malicious code to reach out to the attacker's site to get the instruction. A simple policy that restricted which sites the application could reach out to was all it took to foil the attack.

By limiting which sites your applications can reach out to, you can stop them from sending data to rogue places, or getting instructions to run fileless malware. Take RunDLL and RegSRV as additional examples that can run remote code in memory, making it difficult to detect until after a breach. Because neither of these applications need to reach out to the internet, it's important to add Ringfencing^TM policies in order to effectively stop them from carrying out malicious behavior. By only allowing access by exception, you foil the misuse of software.

Ringfence^TM applications to create a relationship list of how they interact with other parts of the system. This is incredibly important and ultimately foiled several breaches, including Exchange, Zoom, Internet Explorer vulnerabilities, and built-in features in Office Macros that called on PowerShell.

A simple PowerShell command can iterate through all of your documents, and upload them to the internet. Just like RegSrv and RunDLL PowerShell do not need access to the internet, they also don't need access to your documents or network shares. Ringfence^TM applications so they can only access the network shares they need to access. By doing so, the data they can access will be significantly limited when compromised.

Ultimately, software is going to have vulnerabilities. The best way to stop software from being an entry-point into your business is to not let it run. We cannot block all software, so limit what applications can do once they are running. Does this application need untethered access to your data, the internet, or other applications? If not, Ringfence^TM it. Categorize what it needs to access, and block everything else. This will give your organization a headstart in effectively protecting from cyber threats.