Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 1: Application Control

What is Application Control?

Applications are great! With the increasing digitisation of organisations, newer and better applications are being created every day to help perform business and personal tasks. 

However, applications can also be dangerous. For example, an application downloaded from a random website, phishing emails or torrents could be hazardous and include something malicious in the application. 

Managing applications is even more difficult today, given most organisations have moved to a hybrid working environment. Even for smaller organisations, managing the ever-increasing number of applications can be daunting, let alone large organisations. 

The proliferation of device types from servers, workstations, BYOD devices and all the applications that come with them does not help. Therefore, it is essential to control the use of applications within an organisation.

Application control limits the use of applications on endpoints and servers to prevent attacks.

Why is Application Control important?

To understand why application control is essential, we must empathise with our users on how and why they use applications.

👩‍💼Business users

• I use applications to help me do my work
• I want to be able to do my work with the tools I need
• I download and install applications that help me do my work
• I have no idea if an application is malicious or not
• I sometimes download and install applications that are not work related
• I don’t know which email attachments are malicious
• It’s my device, so I should be able to install everything I need (BYOD)
• I created some applications without IT knowing because it takes too long for them to do anything (shadow IT)
• I don’t know much about application security, vulnerabilities, exploits

👩‍💻IT users

• I want to protect the CIA of our IT environment, and it’s in my KPI
• There are so many applications out there, I don’t know what is / is not helpful or malicious

✅Risk managers

• I want to minimise the risk of malicious applications to my organisation
• I want to be compliant with the standards
• I want to be able to quantify the risk, likelihood, and impact

😈Threat actors

• I want to install malware into a device so I can cause damage and make money
• I want to find organisations that are high-value and easy to penetrate

As you can see, business users want to use applications but need to know what is malicious. IT users want to protect their environment. Still, there are so many applications out there that risk managers want to limit the risk of malicious applications, and threat actors want you to install as many malicious applications as possible.

Essential 8 is saying users do not understand which applications are malicious and the threat is greater than the benefits, so it is better to restrict users before they unwittingly do damage.

Maturity Level 1: Application Control

The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Application control is generally best achieved with whitelisting. First, identify applications within your organisation that are required for business purposes. A scanner may be used to help identify a complete list of applications currently in use first, which can then be limited if no application control exists.

Files that have not been whitelisted could potentially be malicious. Therefore this control prevents users from unwittingly running potentially malicious code.

To meet this requirement users should not be able to run unapproved files on workstations such as .exe, .com, .dll, .ocx, .ps1, .bat, .vbs, .js, .msi, .mst, .msp, .chm, .hta, and .cpl from within standard user profiles or temporary file folders.

Applying an application control solution may be worth using it in monitoring mode first to cause less user impact and test it out on a small sample before rolling it out to the broader organisation.

Note that at Maturity Level 1, this requirement only applies to workstations.

Maturity Level 2: Application Control

Application control is implemented on workstations and internet-facing servers.

At Maturity Level 2, application control must be applied on workstations and internet-facing servers. While Maturity Level 1 did not require an application control solution, it does for Maturity Level 2.

Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

Unapproved applications should not be able to run from any location on a user’s file system.

Allowed and blocked execution events on workstations and internet-facing servers are logged.

Not all application control solutions are the same, and often it’s not the solution but how it is configured. There may be requests that are no longer valid, and applications constantly change, being bought and sold by one another. An older version might be okay, but vulnerabilities are found, so these must be continuously updated. If not, the risk of an incident occurring increases.

Therefore, it is important to keep logs to understand better what has happened to be able to improve upon application control configuration and to identify what has happened in the event of a cyber incident.

This is the first time we see logging in Essential 8. Logs are necessary when things go wrong, and you or your forensic partners need to understand what happened. 

Maturity Level 3: Application Control

Application control is implemented on workstations and servers.

At maturity level 3, application control extends from workstations and internet-facing servers to all servers.

Start by reviewing applications on your servers, chat with your admins to understand what is required for business purposes, document any changes, and apply application control solutions to prevent unapproved applications from running.

Ideally, your application control solution extends to all servers to centralise the ongoing management and deployment of application control rulesets.

Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers to an organisation-approved set.

Device drivers are powerful. They allow us to use hardware in your computers or plug into it. They also allow access to the kernel. Since Windows 10, Microsoft has required drivers to sign through their Driver Signature Enforcement feature. In addition, Microsoft has validated signed drivers, so they have less potential to be malicious.

Adding control over drivers at maturity level 3 indicates that the ACSC has seen malicious drivers for targeted Australian organisations. For example, suppose your organisation uses operating systems such as XP or Windows 7. In that case, the ACSC says you need to upgrade, and if you cannot upgrade, you need to control the drivers in your environment.

Most application control solutions will enable you to meet this requirement.

Microsoft’s ‘recommended block rules’ are implemented.

Since Essential 8 was written with Microsoft organisations in mind, and there is a high chance that Windows Defender Application Control (WDAC) is used, the ACSC wants to ensure your organisation is aware and implements solutions to protect against its limitations.

Microsoft has realised that WDAC can be bypassed by an attacker using trusted files. As a result, Microsoft’s recommended block rules be implemented unless your organisation needs access to them.

Review your organisation’s use of applications to see if those on the recommended block list is used before blocking them to limit the impact on users.

Microsoft’s ‘recommended driver block rules’ are implemented.

As mentioned, drivers are hugely helpful in getting hardware to work but can also cause quite a lot of damage as it accesses the operating system’s kernel.

In the previous requirement, you have already limited the number of drivers to an approved organisation set.

If your organisation’s approved drivers are Microsoft-signed drivers, you have already reduced your attack surface. However, that is not to say signed drivers cannot be malicious, as we saw in 2022 when Microsoft signed drivers were used in ransomware attacks. 

To implement these recommended driver block rules, if your organisation uses Windows 11 2022, updated in September 2022 or later, these driver block lists have been automatically applied. If you are on Windows 10 20H2 or Windows 11 21H2, block lists are available but are optional. If you want to do it manually, Microsoft also provides instructions on refreshing the WDAC policy refresh tool and a binary of vulnerable drivers that should be blocked. 

This block list is typically updated 1-2 times per year, so these must be updated regularly.

Application control rulesets are validated on an annual or more frequent basis.

Applications and business needs change constantly. New vulnerabilities are found in applications every day. Therefore, applications must be reviewed at least on an annual basis to update the control rulesets.

To achieve this, you will need to have application control processes, procedures, and logs to understand how Applications rulesets are tested, validated, and reviewed and the frequency at which this is completed.

This requirement ensures your application control rulesets are up to date.

Allowed and blocked execution events on workstations and servers are centrally logged.

As you work through the other Essential 8 controls, you will notice that at maturity level 3, a SIEM solution is required to centralise logs.

If you have achieved maturity level 2, it is time to ingest those and all your server logs into a SIEM solution for storage, analysis and decisioning.

Event logs are protected from unauthorised modification and deletion.

At maturity level 3, logs become vital, and it is no surprise that logs should be protected.

Logs are necessary for analysis and forensics. If a threat actor were to get into and persist within your system, they would not want to leave traces behind. Unprotected Logs can be modified or deleted by threat actors or by accident. Without logs, forensic teams are blind to see what has happened.

Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

While it is great to ingest all logs centrally into a SIEM solution and as good as cyber security software vendors make out their AI to be, you will still need someone to monitor.

SOC analysts augmented with AI solutions are a great way to monitor application controls for signs of compromise. It can also help improve the user experience as it can identify applications that typically get blocked or executed, making it better for reporting to management should they need this information.

Concluding Application Control

Application controls limit the applications users can execute on their systems. This protects users from inadvertently running a malicious application. Organisations with advanced maturity application controls have clearly defined processes and procedures to handle application control to update and manage application rulesets regularly. They also need to monitor and respond to application control issues should they arise.

Whether implementing application control for the first time or bolstering your application control, it is always safer to take a test-and-learn approach as restricting applications and ensuring change management teams are involved. The last thing you want to do is to deny a C-level executive use without knowing why or who to contact to fix the issue. It could be a career-limiting move!

Where to Next?

Get your applications under control. Accelerate your Essential 8 program and reach out to a CyberOxide Specialist to help uplift and assess your Essential 8 Mitigation Strategy 1: Application Control Maturity Levels.

Continue learning about Essential 8 with our next article on Essential 8 Mitigation Strategy 2: Patch Applications.

Continue with our Essential 8 series

Overview:

• Exploring the Origins and Significance of the Essential 8

8 Essential Mitigation Strategies:

1. Application Control
2. Patch Applications
3. Configure Microsoft Macros
4. User Application Hardening
5. Restrict Admin Privileges
6. Patch Operating Systems
7. Multifactor Authentication
8. Regular Backups

Adoption:

• Navigating Cybersecurity Excellence: The Essential Eight Meets Prosci's OCM Approach

Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find how we can help you.