The Pros and Cons of Behavioral Based, Signature Based and Whitelist Based Security
There are several different approaches to IT security, including blacklisting, whitelisting, and behavioral based technologies, and there is an ongoing debate in the IT security industry over the efficacy - or lack thereof - of each of these approaches. In a recent interview, Mark Russinovich made a strong case for the idea that whitelisting will play a big role in the future of security. However, Larry Seltzer and others have expressed doubts that whitelisting can work.
In this article, we take a look at how each of these security approaches operates and the strengths and weaknesses of each, along with a brief discussion of sandboxing and virtualization as security mechanisms.
Approaches to Security
Whether you are trying to keep potentially dangerous people off an airplane or potentially dangerous code out of your network, you can take one of several approaches to deciding who/what gets in or does not. In the case of the first scenario, consider these methods of screening passengers:
- You could compile a list of known terrorists and criminals, and check IDs at the gate, looking for names that match your list and not allowing them to board. This is an example of blacklist based security and it is used by the airlines and Transportation Security Administration (TSA) and other law enforcement officials at most airports.
- You could compile a list of "known good" persons - people who have already undergone background checks and proven to be upstanding citizens, issue them special ID cards and let them get on the plane without extensive scrutiny. This is a form of whitelist based security and it was the basis for the TSA's proposed "trusted traveler" program (now known as the Registered Traveler program).
- You could station law enforcement personnel who are trained in behavioral profiling at the airport to question and observe persons who have tickets and those who act suspiciously would be detained or denied boarding. This is behavioral based security and is used to some extent in the U.S. and to a larger extent in some other countries.
How do these examples apply to network security?
- Blacklisting can be used to filter spam, whereby you have a list of email addresses or domains that are known spammers, and when the filtering software sees that a message is from one of those sources, it puts it in the Junk Mail folder. Blacklisting can also be used to protect systems against malicious code. You have a list of files or programs that are known to be malware, and those are blocked from opening or running.
- Whitelisting can likewise be used to filter spam, whereby you have a list of senders or domains that are considered "safe." Mail from those sources is allowed through; all other mail is blocked. Whitelisting can also be used to protect a system from malicious code. You have a list of desirable programs that are allowed to run, and executables that aren't on the list are not permitted to run.
- Behavioral methods attempt to assess the risk that code is malicious based on characteristics and patterns. Signature and anomaly based security mechanisms perform a type of behavioral based security. Files and programs that are likely to present a threat, based on their behavioral patterns, are blocked.
All of these are valid methods, and all of them have their strengths and weaknesses, which we will look at in the next sections.
Betting on Behavior and/or Signatures
Behavioral security is useful for those cases where a person, program or file has not previously been classified as "good" or "bad." It is an effective (but not perfect) way to detect new threats without waiting for them to first do harm. We have all heard the old adage that "if it looks like a duck, walks like a duck and talks like a duck, it probably is a duck." At the simplest level, that is the basis for behavioral based security.
Law enforcement officers use many different techniques as part of their behavioral profiling. They observe a subject's body language, facial expressions, words and actions to attempt to determine whether the person's intent is malicious or benign. Eye movements, voice pitch and other physiological factors can indicate stress, which in turn may indicate that a person is trying to hide something and is not what he or she purports to be. Likewise, behavior based security algorithms look for indicators that a file or piece of code is not the legitimate program that it appears to be but is in fact malware.
A signature based security filter operates somewhat like a law enforcement officer who seeks to identify criminals based on their modus operandi, or mode of operation. Specific actions and/or code sequences are compared against a database of known signatures, or predefined strings in code that are indicative of malware. Anomaly based security is less specific; it targets behavior or instructions/commands in the code that are out of the ordinary, raising what law enforcement officers refer to as "reasonable suspicion."
Heuristic algorithms are often used to identify anomalies, either by analyzing past network traffic, email, etc., and comparing it to current patterns, or by analyzing the structure of the code itself. Heuristic engines today are typically rule-based, and they can "learn" from previous experiences and build new rules accordingly. Most anti-virus programs use heuristics to identify malware threats and variants before signature updates are available.
An important point made by (retired) FBI criminologist John Douglas, a well known expert in criminal profiling, is that profiling is only one of many tools that can be useful in a criminal investigation; in fact, profiling should be used only after more traditional investigative methods have been applied. In other words, profiling alone is just not accurate enough to be relied upon as an indicator of criminality. By the same token, behavioral based security alone will not adequately protect your network and computers: it would allow some known malware through because it is written to look like legitimate code, and, perhaps more importantly, it would tag some of your legitimate programs as malware because they exhibit traits considered suspicious. The risk of false positives is inevitably higher with behavior based security.
Back to Blacklisting
Blacklisting is a well known concept, and it got a bad reputation when used in a political context, most famously in Hollywood in the 1940s and 1950s when certain screenwriters were blocked from working in the motion picture industry because of their political affiliations. In computer security, blacklisting is a simple and straightforward method of preventing known malicious programs from running, or of preventing messages from known spammers and other undesirable senders from reaching the user's mailbox. Updates to the list can be done quickly through an update server. Most antivirus programs use a form of blacklisting, blocking known threats. Spam filtering is often dependent on blacklisting.
Blacklisting works well in certain applications. But a blacklist is only as good as the content and integrity of the list. We saw the problem with blacklisting in 2004 when a U.S. senator was prohibited from flying because a similar name had been used as an alias by a terrorist suspect and was thus on the government's "no fly" list.
A common problem with blacklist based spam filtering is the blockage of legitimate senders who were reported to or added to the list not because they are spammers, but out of personal animosity. Some individuals and organizations have found it difficult to get their addresses removed once they're on the list. Those who control the widely distributed blacklists have a large amount of power and responsibility to ensure that innocent individuals and organizations are not either inadvertently or deliberately put on the blacklist. When you use a commercial blacklist, you give much control over your network traffic to a third party vendor.
Another problem with blacklisting is that it works only against known undesirable persons, programs and senders. It does not protect against new threats (zero day attacks). Scanning incoming traffic and comparing it to the blacklists can also use considerable resources and slow down the network traffic.
Whys and Wherefores of Whitelisting
Whereas blacklisting works on the principle of allowing everything that is not specifically prohibited, whitelisting takes the opposite approach, denying everything that is not specifically allowed. Whitelist technology works from a list of "known good" entities (programs, email addresses, domains, URLs) and allows only those that are on the list. Whitelisting has many advantages:
- It is not necessary to run antivirus software that must be constantly updated. Anything not on the list will not be allowed to run.
- Systems are protected from zero day attacks.
- Users cannot run unauthorized programs that are not on the list, so you do not have to worry about them deliberately or inadvertently installing infected executables, time wasting personal programs such as games or P2P programs, or unlicensed software that could result in fines if your company is audited by the software vendor or BSA.
Whitelisting is simple and gives the administrator/company the most control over what comes into the network or runs on the machines. The advantage of whitelisting is that nothing that is not on the list can run or get through. The disadvantage is that, well, nothing that is not on the list can run or get through.
When used alone, whitelisting is very effective at keeping malware and spam out, but can also keep legitimate code from running and legitimate messages from getting through. For most users, a pure whitelisting solution does not work well for email filtering because we often receive mail from people we do not know that is, nonetheless, legitimate and desirable mail. It certainly is not practical for sales people who get inquiries from strangers, writers who receive mail from readers, or other business people who regularly get mail from potential customers. It may work fine for the personal email accounts of individuals who only want to correspond with a set group of friends and family members.
Whitelisting is growing in popularity and is often used in conjunction with other security methods. For example, many email clients include spam filters that analyze messages and flag those meeting certain criteria (keywords, formatting, repetition, etc.) as spam. However, they also allow users to compile "safe sender" lists (whitelists) so that mail from those addresses will not be marked as spam even if it otherwise meets the spam criteria.
In the typical business setting, whitelisting is useful for controlling what executables can run on a machine. Even here, it can cause problems if, for example, a particular control that is needed to properly display a web site is not on the whitelist and a user needs access to that site to do his or her job. However, if the whitelist is properly constructed, this should not often pose a problem. Adopting the whitelisting approach puts the burden on administrators' shoulders to know what programs should be allowed to run on their networks.
Each approach to security has its advantages and disadvantages. Each can result in false negatives and/or false positives. Different approaches work best for different situations. When it comes to spam filtering, a combination of all three approaches seems to work best. Allow heuristic filters to analyze mail for common spam criteria, but also allow for blacklists by which mail from certain senders or domains can be blocked even if it does not meet the criteria, along with whitelists whereby mail from certain senders or domains will be allowed through even if it does meet the spam criteria. This is the approach taken by the most effective anti-spam software solutions.
In the business environment, pure whitelisting is the most secure solution when it comes to running code on the computers. Some have voiced concerns that whitelisting is not practical because of the large number of programs that are out there. However, the typical business organization uses a limited number of applications, since many applications are used by multiple users. And when a file runs, it only has to be checked against the contents of the whitelist, which is a far smaller database than the typical blacklist of virus signatures. There is a good commentary and rebuttal of some of the most common concerns about whitelists here.
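The three-way spam policy described above (whitelist lets mail through even if it looks like spam, blacklist blocks it even if it looks clean, heuristics decide the rest), written out as an added example that is not code from the original article. The sender lists, the keyword rules, their scores and the evaluation order (whitelist before blacklist before heuristics) are all assumptions made here for illustration.

```python
"""Layered spam filter: whitelist, then blacklist, then heuristic scoring."""
import re

# Constructed lists: exact addresses, or whole domains written as "@domain".
WHITELIST = {"editor@example-magazine.test", "@partner.test"}
BLACKLIST = {"@bulk-offers.test", "noreply@spammy-deals.test"}

# Constructed heuristic rules: (compiled pattern, score added when it matches).
HEURISTICS = [
    (re.compile(r"\bfree\b", re.I), 2),   # the word "free" in any case
    (re.compile(r"\$\d{3,}"), 2),         # a dollar amount of three+ digits
    (re.compile(r"!{2,}"), 1),            # repeated exclamation marks
    (re.compile(r"[A-Z]{6,}"), 1),        # long runs of capitals (shouting)
]
SPAM_THRESHOLD = 3  # assumed cut-off; at or above this the mail is junk


def _listed(sender, entries):
    """True if the sender address itself or its domain appears in entries."""
    sender = sender.lower()
    domain = "@" + sender.rsplit("@", 1)[-1]
    return sender in entries or domain in entries


def heuristic_score(subject, body):
    """Sum the scores of every heuristic rule that matches subject or body."""
    text = subject + "\n" + body
    return sum(score for pattern, score in HEURISTICS if pattern.search(text))


def classify(sender, subject, body):
    """Return (folder, reason), where folder is "inbox" or "junk".

    Whitelist wins over everything (mail gets through even when it meets the
    spam criteria), blacklist wins over heuristics (mail is blocked even when
    it looks clean), and the heuristic score decides unknown senders.
    """
    if _listed(sender, WHITELIST):
        return "inbox", "whitelisted sender"
    if _listed(sender, BLACKLIST):
        return "junk", "blacklisted sender"
    score = heuristic_score(subject, body)
    if score >= SPAM_THRESHOLD:
        return "junk", f"heuristic score {score}"
    return "inbox", f"heuristic score {score}"
```

Both the false-negative and false-positive cases the article warns about are visible here: a whitelisted address can deliver spam-looking mail, and a stranger's legitimate inquiry is judged purely on its heuristic score.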