All about Ransomware: Application Whitelisting
Antivirus and many other security technologies use a blacklist approach: they detect and block malicious programs based on code signatures, behavioural traits, indicators of compromise and other attributes. However, in an era where more malware is being produced than legitimate applications, a blacklist on its own may no longer be sufficient.
Back in 2015, the U.S. National Institute of Standards and Technology (NIST) published a guide covering the basics of application whitelisting and how to plan and implement whitelisting technologies throughout the security deployment lifecycle. Its guidance remains relevant today.
Here are four tips to consider when adopting the application whitelisting approach:

1. Consider using application whitelisting technologies already built into the host operating system, particularly for centrally managed desktops, laptops and servers, because these solutions are relatively easy to manage and add minimal cost.

2. Use products that support more sophisticated application whitelisting attributes. Choosing attributes is largely a matter of achieving the right balance of security, maintainability and usability. Simpler attributes such as file path, filename and file size should not be used by themselves unless strict access controls are in place to tightly restrict file activity, and even then pairing them with other attributes often brings significant benefits. A combination of digital signature/publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but its usability and maintainability requirements can place a significant burden on the organisation.

3. Test prospective application whitelisting technology before deploying it. This testing should include a thorough evaluation of how the solution reacts to changes in software, such as installing an update. A technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications.

4. Use a phased approach for deployment to minimise unforeseen issues and identify potential pitfalls early in the process.
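To make the attribute trade-off behind tips 2 and 3 concrete, here is an added example (not from the NIST guide or this article) of a toy allowlist evaluator: it records chosen attributes of a trusted file as a rule, then checks a same-size tampered copy at the same path and a vendor update against path-only, path+size and hash rules. The file contents and paths are constructed stand-ins, not real binaries.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    """Attributes an allowlisting agent can observe about an executable."""
    path: str
    content: bytes

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Map each whitelisting attribute to the function that extracts it.
ATTRIBUTES = {
    "path": lambda f: f.path.lower(),
    "size": lambda f: f.size,
    "sha256": lambda f: f.sha256,
}


def make_rule(trusted: FileInfo, attrs: tuple) -> dict:
    """Record the chosen attributes of a trusted file as an allow rule."""
    return {a: ATTRIBUTES[a](trusted) for a in attrs}


def is_allowed(rule: dict, candidate: FileInfo) -> bool:
    """Allow only if every attribute in the rule matches the candidate."""
    return all(ATTRIBUTES[a](candidate) == v for a, v in rule.items())


# Constructed sample files: a trusted editor, a same-size tampered copy
# dropped at the same path, and a legitimate vendor update at that path.
TRUSTED = FileInfo(r"C:\Program Files\Editor\editor.exe", b"MZ editor v1.0")
TAMPERED = FileInfo(TRUSTED.path, b"MZ ransomware!")
UPDATED = FileInfo(TRUSTED.path, b"MZ editor v1.1 patched")

PATH_RULE = make_rule(TRUSTED, ("path",))
PATH_SIZE_RULE = make_rule(TRUSTED, ("path", "size"))
HASH_RULE = make_rule(TRUSTED, ("sha256",))

if __name__ == "__main__":
    for name, rule in [("path", PATH_RULE), ("path+size", PATH_SIZE_RULE),
                       ("sha256", HASH_RULE)]:
        print(f"{name:10} tampered={is_allowed(rule, TAMPERED)} "
              f"updated={is_allowed(rule, UPDATED)}")
```

The hash rule is the only one that blocks the tampered copy, but it also blocks the legitimate update until the rule is refreshed, which is exactly the maintenance cost tip 3 tells you to test for before deployment.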