Whitlisting Files vs Safelisting Users: Which is Best Practice and Why?

egrizzly

Hi all,

So recently at work our security setup at work has been going crazy with "Lateral Movement Detected".  100% of this activity has been false positives since the alert is always triggered by Deskside/Network Support guys transferring files like printer drivers, etc to the admin share of endpoints.  During our status meeting my solution was to safelist the support guys in the HIDS to reduce the noise.  The counter-solution from to mine from management was to leave the support users alone, but to whitelist the inventory of files all the supporting groups use for maintenance (i.e. Database, Deskside Support, Networking, Project Management, etc).  This is close to 150 files easily.  

Without arguing my position further and for the sake of being objective, do any of the best practices, frameworks, or SANS courses, any related body of knowledge, etc point to to the ideal solution to this whether it be the whitelisting of the files or safelisting the users?  

As always ladies and gentlemen, thanks for the tips, solutions, or comments.

UnixGuy

What happens if one of the 'safelisted' users get compromised?

I don't have an easy answer, but whitelisting files has never been easy

JDMurray

You have discovered that many TTPs used by bad actors are also used by good actors during occasional, expected activity (e.g., change controls) or in business-as-usual (BAU) activity (e.g., production environment operations). If someone knocks on my front door, is that a robber, a delivery person, or a neighbor checking if someone is at home? They all use the same technique.

There is no hope of 100% automated determination of good vs. bad activity on a network or endpoint. There will always be activity that is potentially caused by a bad actor, but most likely results from the activity of a good actor. However, you, "human," have to check it out anyway. Here's one plan for doing this:

First, you must strictly define what your security team regards as "lateral movement" and all its (mis)use cases before determining how to detect it. Second, you must perform a baseline collection and analysis of all network and endpoint activity to determine how often your lateral movement cases occur in your good traffic. (Assume all traffic in your baseline is "good" even though bad actor activity might be present in it.) Third, determine how you will configure your network security monitoring controls to detect the lateral movement activity you want to log and possibly alert on. Finally, create alert handling procedures used by your SOC team to quickly and efficiently inquire in the lateral movement cases that are likely to be good actor activity, but could be really bad if it's bad actor activity. (For example, someone logging into a root account and creating an Internet gateway might be a 99.99% chance of expected and proper activity, but you can't take the chance it might be a bad actor--insider or outsider--so you have to check every time anyway.) Also consider that the people creating much of this "non-malicious positives" activity can alert your SOC team ahead of time, thus resolving the alerts even more quickly.

JDMurray

And further more

AllowListing is an attempt to NOT violate a cardinal rule of Information Security, "Do not enumerate badness," which is performed when we use DenyListing. (Yes, I'm now using the politically correct terms in workplace and public forums.) An AllowList attempts to enumerate "goodness," presumably because there are fewer good objects than (potentially) bad objects in the known universe. To do this, each item on an AllowList has three possible states: 1) RecognizedAndAllowed, 2) UnverifiedAndAllowed, and 3) DisallowedByDefault. You can also describe these states as: 1) Good, 2) Indifferent, and 3) Bad (because the object is not on the list).

Several problems with AllowListing are: 1) There are usually millions of objects to identify as "good" and therefore to allow, 2) AllowListing is typically static and therefore the lists must be maintained manually, 3) the AllowList maintenance must be coordinated with all teams who add/modify/delete files on all endpoints, and 4) you will need a full-time security team that handles just the problems associated with implementing, maintaining, and troubleshooting your AllowListing solution. Your best hope of implementing AllowListing is to only use it on your high-value information assets (a.k.a., "The Crown Jewels") on your network to keep it small and manageable and not try to "boil the ocean" by AllowListing every object on your network.

egrizzly

So @UnixGuy and @JDMurray are you all leaning to the best-practice on this to being to white-list the files (no matter how tedious) or safelist the users?

veritas_libertas

As stated by JDMurray, I'd start with enumerating how often this happens, when it happens, and by whom. Allow-listing your Deskside folks and/or their PCs/IPs makes me cringe. These folks usually have elevated permissions. Another option might be alerting based on unusual times, thresholds, etc. I don't know your environment so this is only another option. I do think whitelisting the files will probably turn into a sore spot that might eventually get ignored because of how tedious it is.

JDMurray

egrizzly said:

or safelist the users?

Users are the most common targets of bad actors for gaining illicit access to an information network. Safe-listing user accounts is only for "noise reduction" and will not prevent those accounts from becoming compromised--especially from malicious insiders who have authorization to use their own accounts. To detect such bad actors, you will need a more complex and dynamic solution, such as UBA/UEBA and a full-time insider threat team.

UnixGuy

egrizzly said:

So @UnixGuy and @JDMurray are you all leaning to the best-practice on this to being to white-list the files (no matter how tedious) or safelist the users?

So if I understand your questions correctly, I'll say it's a not 'whitelist files' vs 'safelist users'.   To me those are two different things and neither have a direct correlation with 'Lateral Movements'...

First I wouldn't 'safelist users' because you won't have visibility if said users are compromised

Whitelisting files yes is generally a safer approach but it's also hard to accomplish and it takes time to get right

For Lateral Movement and as JD said, i'd be looking at baselining but what normal behaviour looks like and then take it from there. Again, not a straightforward activity by all means