Happy WDAC Wednesday! As we’ve covered previously in the series, Application Control for Business (ACFB) is highly effective at blocking malware as part of a defence in depth security strategy. The Australian Cyber Security Centre (ACSC) states that “Application control is one of the most effective mitigation strategies in ensuring the security of systems”, which is why it forms a key part of the Essential Eight Maturity Model.

Many Australian federal and state government departments are required to comply with the Essential Eight and are actively implementing application control solutions. However, achieving compliance requires careful planning and execution. In this edition of WDAC Wednesday we’ll cover some of the controls to be aware of for each Maturity Level of the Essential Eight.

Maturity Level 1

Application control Maturity Level 1 (ML1) requires that an application control solution, such as ACFB, be implemented on workstations. It specifies the folders and the types of executable content that must be governed by the solution, restricting execution to an “organisation approved set” of applications. This requirement is the most critical aspect of the control.

Importantly, the “organisation approved set” requirement means the Intelligent Security Graph (ISG) capability of ACFB cannot be used. While the ISG is a powerful feature – leveraging millions of Microsoft’s security intelligence indicators to determine whether software has a known good reputation – it introduces external influence (from Microsoft) over what is allowed. If the ISG is enabled in an ACFB policy, applications with a known good reputation may execute even if they are not explicitly permitted in the policy.

The ISG can significantly reduce the operational overhead of managing and maintaining the application whitelist, as it allows trusted applications to execute while blocking unknowns. From an Essential Eight compliance perspective, however, this approach compromises the requirement to strictly control the organisation approved set of applications: in effect, Microsoft partially determines what is allowed within your organisation. For example, the ISG may permit the Dropbox application to run even though your organisation may have legitimate reasons to prevent its use.
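To make the ISG point concrete, here is an added PowerShell example (not from the original post) that audits a policy XML for the rule options that conflict with the ML1 “organisation approved set” requirement and, if asked, removes the ISG option with the ConfigCI cmdlets that ship with Windows. The policy and output paths are assumptions; the option numbers are the ConfigCI indices for the named options (14 is “Enabled:Intelligent Security Graph Authorization”).

```powershell
# Added example (not from the post): audit an ACFB/WDAC policy XML for rule options
# that conflict with Essential Eight ML1, and optionally strip the ISG option.
# Requires the ConfigCI module (Set-RuleOption, ConvertFrom-CIPolicy) on a Windows host.

function Test-AcfbPolicyMl1 {
    param(
        [Parameter(Mandatory)] [string] $PolicyPath   # e.g. C:\WDAC\BasePolicy.xml (assumed path)
    )

    # Rule option names as they appear in the policy XML, with their ConfigCI option numbers.
    $isgOption    = 'Enabled:Intelligent Security Graph Authorization'   # Set-RuleOption -Option 14
    $auditOption  = 'Enabled:Audit Mode'                                  # Set-RuleOption -Option 3
    $umciOption   = 'Enabled:UMCI'                                        # Set-RuleOption -Option 0
    $noScriptOpt  = 'Disabled:Script Enforcement'                         # Set-RuleOption -Option 11

    [xml] $policy = Get-Content -LiteralPath $PolicyPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    $options = @($policy.SelectNodes('/si:SiPolicy/si:Rules/si:Rule/si:Option', $ns) |
                 ForEach-Object { $_.InnerText })

    # ISG present      -> Microsoft reputation data can allow software outside the approved set.
    # Audit mode       -> nothing is actually blocked, so the control is not enforced.
    # UMCI absent      -> user-mode executables are not governed at all.
    # Script enf. off  -> scripts (which ML1 covers) are not governed.
    [pscustomobject]@{
        PolicyPath                = $PolicyPath
        IsgEnabled                = $options -contains $isgOption
        AuditModeEnabled          = $options -contains $auditOption
        UmciEnabled               = $options -contains $umciOption
        ScriptEnforcementDisabled = $options -contains $noScriptOpt
        Ml1Compliant              = ($options -notcontains $isgOption) -and
                                    ($options -notcontains $auditOption) -and
                                    ($options -contains $umciOption) -and
                                    ($options -notcontains $noScriptOpt)
    }
}

function Remove-AcfbIsgOption {
    param(
        [Parameter(Mandatory)] [string] $PolicyPath
    )
    # Set-RuleOption edits the XML in place; -Delete removes option 14 (ISG).
    Set-RuleOption -FilePath $PolicyPath -Option 14 -Delete
    # Rebuild the binary policy so the corrected policy can be deployed.
    $binaryPath = [IO.Path]::ChangeExtension($PolicyPath, '.cip')   # assumed output name
    ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath $binaryPath
    return $binaryPath
}

# Usage (paths are assumptions):
$report = Test-AcfbPolicyMl1 -PolicyPath 'C:\WDAC\BasePolicy.xml'
$report | Format-List
if ($report.IsgEnabled) {
    Remove-AcfbIsgOption -PolicyPath 'C:\WDAC\BasePolicy.xml'
}
```

Run the audit against every base and supplemental policy you deploy, not just the base: a supplemental policy with the ISG option enabled extends the allowed set just as the base would.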

Maturity Level 2

Maturity Level 2 (ML2) builds on ML1 with additional and enhanced requirements that strengthen application control:

  • Application control must be enforced on internet-facing servers, as they are more exposed and vulnerable to attack.
  • The Microsoft recommended application blocklist must be implemented. This blocklist prevents many “living off the land” techniques, especially those that could be used to bypass ACFB. Be aware that some of the blocked tools are legitimately used by administrators or developers.
  • Application control logs must be ingested into a centralised solution, such as Microsoft Sentinel. Centralised logging supports operational management: analysing audit and block event data helps refine policies and detect potentially malicious activity.
  • ACFB rules must be reviewed at least annually, which means your application whitelist should be documented and reviewed on a semi-regular basis to ensure it remains accurate and relevant.
  • An incident review and reporting process must be defined and followed – which is common across many Essential Eight measures.

Maturity Level 3

Maturity Level 3 (ML3) is the highest level of maturity with the following additional requirements:

  • Application control must be deployed to all servers. This can require significant effort, as it involves analysing the applications and services running across all server roles within the organisation.
  • Cyber incident review and reporting processes must be uplifted to include analysis of events and reporting for all servers, not just workstations and internet facing servers.
  • In addition to the Microsoft recommended application blocklist, the vulnerable driver blocklist must also be deployed. This blocklist helps prevent exploitation via vulnerable drivers and can be enabled directly within Windows 11.
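The ML2 and ML3 items above are operational tasks rather than policy design, so here is an added PowerShell example (not from the post) covering three of them in one place: merging the Microsoft recommended blocklist into a base policy (ML2), summarising the Code Integrity and AppLocker audit/block events that a SIEM such as Sentinel would ingest and that the annual rule review should look at (ML2), and checking whether the Windows 11 vulnerable driver blocklist is switched on (ML3). File paths are assumptions; the event IDs, log names and the registry value are the ones Microsoft documents for these features; the regexes that pull the file name out of the event message are my own and should be checked against your events.

```powershell
# Added example (not from the post): operational checks for Essential Eight ML2/ML3.
# Paths are assumed; event IDs, log names and the registry value are Microsoft's documented ones.

# 1. ML2: merge the Microsoft recommended blocklist into the base policy.
#    The blocklist XML is published by Microsoft and downloaded separately.
function Merge-AcfbBlocklist {
    param(
        [Parameter(Mandatory)] [string] $BasePolicyPath,
        [Parameter(Mandatory)] [string] $BlocklistPath,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    # Merge-CIPolicy combines the rule sets; deny rules from the blocklist take
    # precedence over any allow rule in the base policy.
    Merge-CIPolicy -PolicyPaths @($BasePolicyPath, $BlocklistPath) -OutputFilePath $OutputPath | Out-Null
    return $OutputPath
}

# 2. ML2: summarise application control events from the local logs.
#    Code Integrity: 3076 = audit (would have been blocked), 3077 = blocked (exe/dll/driver).
#    AppLocker "MSI and Script" log: 8028 = audit, 8029 = blocked (scripts and installers).
function Get-AcfbBlockSummary {
    param([int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    $ci = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = @(3076, 3077); StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Message reads "... attempted to load <file> that did not meet ..."; regex is an assumption.
        $file = if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{
            Source = 'CodeIntegrity'; Mode = if ($_.Id -eq 3077) { 'Block' } else { 'Audit' }
            File = $file; Time = $_.TimeCreated
        }
    }

    $al = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = @(8028, 8029); StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Message reads "<file> was prevented from running." / "<file> was allowed to run but ..."; regex assumed.
        $file = if ($_.Message -match '^(.+?) was ') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{
            Source = 'AppLocker'; Mode = if ($_.Id -eq 8029) { 'Block' } else { 'Audit' }
            File = $file; Time = $_.TimeCreated
        }
    }

    # Group by file so the rule review sees what is actually being stopped (or would be,
    # in audit mode), and so a new, unexpected entry stands out as a possible incident.
    @($ci) + @($al) | Group-Object Source, Mode, File | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';   e = { $_.Group[0].Source } },
            @{ n = 'Mode';     e = { $_.Group[0].Mode } },
            @{ n = 'File';     e = { $_.Group[0].File } },
            @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

# 3. ML3: confirm the Windows 11 vulnerable driver blocklist is enabled.
#    Registry value per Microsoft's recommended driver block rules documentation.
function Test-VulnerableDriverBlocklist {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # 1 = enabled. A missing value means the OS default applies, which depends on the
    # Windows build, so report it as "not explicitly set" rather than assuming either way.
    [pscustomobject]@{ Enabled = ($value -eq 1); ExplicitlySet = ($null -ne $value) }
}

# Usage (paths are assumptions):
Merge-AcfbBlocklist -BasePolicyPath 'C:\WDAC\BasePolicy.xml' -BlocklistPath 'C:\WDAC\RecommendedBlockRules.xml' -OutputPath 'C:\WDAC\Merged.xml'
Get-AcfbBlockSummary -Days 7 | Format-Table -AutoSize
Test-VulnerableDriverBlocklist
```

The local event summary is the same data Sentinel receives once the two logs are collected from each host; running it on a handful of representative workstations and servers before enabling collection gives you a baseline of expected audit noise, which makes the first week of centralised alerts far easier to triage.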

What’s next

In the next WDAC Wednesday we’ll look at planning to fail with ACFB so you’re prepared to handle the situation where things don’t quite go as expected.

By Andrew
