In the cybersecurity industry, there is an arms race. Cybersecurity service providers and products are increasing their efforts to detect new attacks (the exploitation of so-called zero-day vulnerabilities).
At the same time, cybercriminals are finding unheard-of ways to exploit networks. So far, ransomware gangs are winning; now is the time to invent, or at least re-think, whether the current detection-only methodology is working.
We propose a new augmented whitelisting, which allows users to access unknown or not yet approved websites in a walled garden.
When a user clicks on a link (in an email or a browser), AP Lens sees one of three scenarios:
- Whitelisted websites: these websites have previously been marked as safe, so the user can browse them as usual.
- Known malicious websites: traffic is denied.
- Unknown websites: the user is sent to the AP Lens Remote Browser. This browser runs on a virtual machine, so any malicious activity does not affect the end user; from the user's point of view, however, the experience is indistinguishable from usual internet browsing.
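The three-way decision described above, written out as an added example in Python (this is illustrative code, not AP Lens's own implementation). The allowlist, blocklist and remote-browser address are constructed placeholders; the point is the ordering of the checks and the host normalisation, which a naive string match would get wrong.

```python
from typing import Optional, Set, Tuple
from urllib.parse import quote, urlsplit

# Constructed sample lists (not real data): a tiny allowlist standing in for the
# "top 100K" pre-approved domains, and a tiny blocklist of known-bad hosts.
ALLOWLIST: Set[str] = {"example.com", "gov.example", "bank.example"}
BLOCKLIST: Set[str] = {"malware.example", "phish.example", "evil.example.com"}

# Hypothetical front end of the isolated (remote) browser; placeholder URL.
REMOTE_BROWSER = "https://remote-browser.example/open?url="


def host_of(url: str) -> Optional[str]:
    """Return the normalised hostname of a web URL, or None if unusable.

    urlsplit().hostname lowercases the host, strips the port and ignores any
    user@ prefix, so "https://example.com@phish.example/" resolves to
    phish.example, not to the allowlisted example.com.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def matches(host: str, domains: Set[str]) -> bool:
    """True if host equals, or is a subdomain of, any domain in the set."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(url: str) -> Tuple[str, Optional[str]]:
    """Classify a clicked URL: ALLOW (direct), DENY, or ISOLATE (remote browser).

    The blocklist is checked first so that a known-bad subdomain of an
    allowlisted parent domain is still denied rather than allowed.
    """
    host = host_of(url)
    if host is None or matches(host, BLOCKLIST):
        return ("DENY", None)
    if matches(host, ALLOWLIST):
        return ("ALLOW", url)
    # Unknown site: open it inside the isolated browser instead of blocking it.
    return ("ISOLATE", REMOTE_BROWSER + quote(url, safe=""))


if __name__ == "__main__":
    for u in ["https://www.example.com/login", "http://phish.example/x",
              "https://new-site.example/", "https://evil.example.com/"]:
        print(u, "->", decide(u))
```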
In an arms race, the end result is that the damage and the threats become more destructive. First-generation ransomware only encrypted files.
Now, the latest ransomware attacks use inventive methods to maximise their threat. The attackers extract a large quantity of sensitive information from victims before encrypting data, and then threaten to release or sell the stolen information, exerting greater pressure and urgency on the victims to pay the ransom.
LockFile evades detection
AI and ML are used to detect abnormal behaviour in the network or on PCs. But ransomware and malvertising developers are not sitting ducks. Recently, a new ransomware called LockFile appeared, using an innovative file encryption technique to evade detection.
Instead of encrypting a file from start to finish, it encrypts 16 bytes of data and then skips the next 16 bytes. This saves time and is also harder for cybersecurity tools to detect, since much of the file's original content remains in place. The data file is nevertheless damaged (or taken hostage). LockFile is just one example of this never-ending cat-and-mouse game!
“The use of blacklisting as a form of cybersecurity protection is common, but it requires security personnel to keep a permanent eye out for any malware they want to block from an agency’s IT environment. That can be a daunting prospect,” said Erin Brereton of fedtechmagazine.
One method that can end this arms race is URL whitelisting. IT managers can isolate their network using whitelisting and allow users to access only a list of trusted or pre-approved domains. These whitelists should include only well-known, vetted and trustworthy websites, such as bank or government websites.
Since ransomware is not hosted on these websites, it cannot be downloaded, nor can it upload data, because every network connection to a website outside the whitelist is blocked by default.
Whitelisting websites has its disadvantages, which is why it is not popular. Firstly, it reduces productivity: users are not able to access new websites or anything outside the whitelist. Secondly, maintaining the whitelist is resource-intensive, with a complicated risk assessment process to approve new websites and add their domain names to the whitelist.
The inverse of whitelisting is blacklisting, which most security vendors offer. They constantly collect logs, NetFlow or file hashes and then send alerts, threat intelligence or indicators of compromise (IOCs).
Company security teams convert these alerts or threat intel into firewall rules or web filtering rules. It is a never-ending game and is only effective if your company has a team of cybersecurity professionals. Collecting logs and user activities without violating privacy laws is also challenging!
“At first blush, this [whitelisting] seems to make security a snap: you don’t have to worry about new malicious code emerging as a threat to your infrastructure because the only things your machines can access are things you already know are safe,” wrote Josh Fruhlinger, journalist at CSO Online.
Augmented Whitelisting - walled garden approach
Traditional whitelisting is not user-friendly. Hence, we propose a new augmented whitelisting, which allows users to access unknown or not yet approved websites in a walled garden.
With AP Lens augmented whitelisting, pre-approved or well-known websites are allowed and users access them directly; for example, the top 100K websites in the users’ countries. When accessing a new website outside this set of 100K domains, users are forwarded to an AP Lens virtual browser session.
The virtual browser is delivered to the end user instantly, without any software installation and in the same Chrome/Firefox/Safari/Edge browser. The website is opened automatically inside AP Lens with full user interaction. In this new setup, the user’s freedom is not restricted and there is no blocking of information flow. The new website is fully operational inside a remote sandbox that is totally segregated from the company network.
The organisation should develop a web domain whitelist covering each HTTPS (HyperText Transfer Protocol Secure) and SSL (Secure Socket Layer) domain. Augmented whitelisting means you enforce 100 per cent network protection without sacrificing users’ freedom or productivity. The walled garden by AP Lens is the key to augmented whitelisting: users use the internet inside a sandbox hosted in a cloud-based system.
Any attack or exploitation is totally separated from the company network. The uniqueness of AP Lens is that users can access the internet instantly without IT support manually updating the whitelist, which solves the major drawback of implementing whitelisting: the time-consuming process of updating the URL whitelists. With AP Lens, productivity and cybersecurity are balanced by combining whitelisting with cloud-based remote secure browsers.
Agentless and supporting four popular browsers (Chrome/Firefox/Safari/Edge) on smartphone and desktop, AP Lens is a distributed cloud system that offers both low latency and a robust cloud infrastructure. Each AP Lens session is disposable, which means that any attack or downloaded code is not stored and does not affect the next session.
Do not rely too heavily on resource-intensive cyber threat detection and blocklists. Locking down the network and letting users access the internet in a walled garden offers simple and balanced web access protection.
Is the blog post too long? No worries.
It is summarised in a 2-minute video for you!