Application control is a highly effective mitigation strategy for ensuring the security of systems, forming an integral part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents. This publication offers guidance on the concept of application control, what it encompasses, what it doesn’t, and how to implement it.
What Application Control Is:
Application control, as a security approach, aims to safeguard systems against the execution of malicious code or malware. A robust implementation ensures that only approved applications, such as executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets, and drivers, can be executed. While its primary purpose is to prevent the spread of malicious code, it also hinders the installation or use of unauthorized applications.
What Application Control Is Not:
Certain approaches are not considered application control, such as providing a portal for approved applications, using web or email content filtering, checking application reputation through cloud-based services, or relying on next-generation firewalls to identify approved network traffic.
How to Implement Application Control:
The implementation involves steps like identifying approved applications, developing control rules, maintaining these rules through a change management program, and regularly validating and updating them. Methods like cryptographic hash rules, publisher certificate rules, and path rules are suitable for enforcement, while file names or easily changed attributes are not recommended.
Application Control within Microsoft Windows Environments:
For Windows environments, the use of Windows Defender Application Control (WDAC) is suggested. Group Policy settings can be applied to enhance security, and additional hardware requirements may be necessary for virtualization-based security.
Why is Application Control Important?
Understanding the perspectives of various users, including business users, IT users, risk managers, and threat actors, emphasizes the need for application control to balance the benefits of application usage with the potential risks.
Maturity Levels of Application Control:
The document outlines three maturity levels for application control:
- Maturity Level 1: Application control on workstations to prevent the execution of potentially malicious code, primarily using whitelisting.
- Maturity Level 2: Extending application control to internet-facing servers, with a focus on logging allowed and blocked execution events.
- Maturity Level 3: Expanding application control to all servers, including additional measures like blocking malicious drivers and regular validation of application control rulesets.
Application control is a critical aspect of cybersecurity, limiting the execution of applications to protect users and organizations from potential threats. Advanced maturity in application control involves well-defined processes, regular updates to rulesets, and proactive monitoring for signs of compromise. Implementing application control requires a strategic and cautious approach to avoid disruptions while ensuring enhanced security.