
How to stop malware with a URL whitelist?

Reduce Dwell Time, Seal the Crack

November 14, 2021

Cybercriminals are creative. They constantly find ways to evade the detection mechanisms built by well-funded security vendors such as FireEye and Sophos, and so far their creativity is winning this cat-and-mouse game.

Each time security teams come up with new controls and security measures, cybercriminals find ways to circumvent them and gain access to critical information.

 

URL Whitelisting is boring but effective

That’s where whitelisting comes in. But before going into specifics, we should define what web whitelisting means in the most basic sense.

URL whitelisting is the practice of allowing only specific websites or domains to be reached from a company's devices, such as PCs or smartphones. Each whitelisted site is vetted against security requirements: it is not controlled by an adversary and it is not distributing malware. Taking an extreme case, if the whitelist allows ONLY the company's banking website, a PC protected by that whitelist cannot download malware from any other site on the web. The residual risk is the allowed site itself being compromised, which is why whitelist entries need vetting when they are added and re-vetting over time.

 

Phishing and Fake Websites

Phishing emails and messages are difficult to stop. If the real website is "bank.com", a cybercriminal can register a lookalike such as "bahk.com" or "I3ANK.com". Users are tricked into clicking these links and land on a website loaded with attacks. With URL whitelisting enforced, only the real "bank.com" is reachable: when a user clicks a fake link (such as "bahk.com"), the request is blocked immediately. That decision involves no guesswork, no website analysis and no malware detection, because the host simply is not on the list. Whitelisting therefore removes a major source of uncertainty from threat detection tools: for a destination that is off the list there is no detection decision to get wrong.

 

URL Whitelisting as an Anti-ransomware Tool 

Cyberattacks have several stages, each with its own sub-techniques. Protection must be enforced at every stage to prevent and mitigate further damage.

1. Deployment stage - Download the rootkit or other malicious code (inbound data)

2. Discovery stage - Send the victim’s network and environment data to the attackers (outbound data)

3. Checkmate stage - Steal sensitive data or send out the file encryption key (outbound data)

At each stage, ransomware developers try to evade the detection enforced by anti-virus, endpoint security solutions and network monitoring agents. Security teams need to be on their toes and prepared to act.

 

How does a URL whitelist stop ransomware?

If a company opts for a URL whitelist, only content originating from the pre-determined sources is allowed into the system. This stops ransomware at Stage One, Deployment. Without a whitelist, detection agents or network monitoring must stop the download in real time. Advanced security tools use behaviour analysis, AI or machine learning, and their real-time success rate depends on the historical data they were trained on and on the learning algorithms themselves, so there is always some degree of detection error.

Even if the ransomware is successfully deployed to the company network via USB or an email attachment, URL whitelisting can stop the cybercriminals from phoning home in Stage Two, Discovery, and Stage Three, Checkmate. In one ransomware sample obtained and analyzed by US agencies, connections were made to two domains ( “https://paymenthacks[.]com”, “https://mojobiden[.]com” ) and three IP addresses. These domains are not in the URL whitelist, so any connection to them is stopped. The whitelist must also deny direct connections to IP addresses: a whitelist that only compares domain names would let the three IP-address destinations in that sample pass.
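To make the host-matching rule concrete for both the phishing section above and the call-home domains just mentioned, here is an added example in Python (not the page's code or any product's code): a gateway-side whitelist check that normalizes the destination host, denies anything not on the list, including direct-to-IP destinations, and runs over a constructed gateway log. The whitelist entries, the log lines, the client address 10.0.0.12 and the address 203.0.113.7 are assumptions constructed for the example.

```python
"""Gateway-side URL whitelist check (added example, not the page's own code).

The rule is the one the article describes: a request is allowed only when its
destination host is exactly a whitelisted domain (or a subdomain of one).
Everything else is denied, with no content inspection and no guessing, so
lookalike domains such as "bahk.com" and ransomware call-home domains are
stopped by the same mechanism. Direct-to-IP destinations are denied too,
because a whitelist that only compares domain names would let them through.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical whitelist for a locked-down workstation (constructed for the example).
WHITELIST = {"bank.com", "intranet.example"}


def normalize_host(url: str) -> Optional[str]:
    """Return the canonical destination host of a URL, or None if unusable.

    Handles the tricks that make naive substring matching unsafe:
      - "https://bank.com@evil.example/": the real host is evil.example
      - upper-case letters, trailing dots and explicit ports
      - Unicode lookalikes are converted to their punycode (xn--) form, so a
        Cyrillic letter in "bаnk.com" can never compare equal to "bank.com"
    """
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname  # lower-cased; userinfo and port removed
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 203.0.113.7 or 2001:db8::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_allowed(url: str, whitelist=WHITELIST) -> bool:
    """Whitelist decision: default deny, allow only an exact or subdomain match."""
    host = normalize_host(url)
    if host is None or is_ip_literal(host):
        return False
    return any(host == d or host.endswith("." + d) for d in whitelist)


# Constructed gateway log: "<timestamp> <client> <method> <url>".
# The first entry is the real bank, the next five are phishing/lookalike
# tricks, the last three imitate the call-home destinations from the
# US-agency analysis quoted above (203.0.113.7 is a documentation-range address).
SAMPLE_LOG = """\
2021-11-14T09:01:02Z 10.0.0.12 GET https://bank.com/login
2021-11-14T09:01:40Z 10.0.0.12 GET https://bahk.com/login
2021-11-14T09:02:05Z 10.0.0.12 GET https://I3ANK.com/login
2021-11-14T09:02:30Z 10.0.0.12 GET https://bank.com@evil.example/login
2021-11-14T09:03:11Z 10.0.0.12 GET https://bank.com.evil.example/
2021-11-14T09:04:00Z 10.0.0.12 GET https://bаnk.com/login
2021-11-14T09:15:00Z 10.0.0.12 POST https://paymenthacks.com/
2021-11-14T09:15:01Z 10.0.0.12 POST https://mojobiden.com/
2021-11-14T09:15:02Z 10.0.0.12 POST https://203.0.113.7/gate
"""


def evaluate_log(log_text: str, whitelist=WHITELIST) -> List[Tuple[str, str]]:
    """Apply the whitelist to every request in the log; returns (url, decision)."""
    decisions = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        url = fields[-1]
        decisions.append((url, "ALLOW" if is_allowed(url, whitelist) else "DENY"))
    return decisions


if __name__ == "__main__":
    for url, decision in evaluate_log(SAMPLE_LOG):
        print(f"{decision:5} {url}")
```

Running it yields one ALLOW (the real bank) and eight DENY decisions, none of which required inspecting a page or a payload. The match is on the host only; a real gateway would additionally pin the scheme and port, and keep the list in a reviewed, version-controlled source rather than in code.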

While cyber risk cannot be eliminated completely, a URL whitelist at the internet gateway can stop these connections before any sample of the ransomware has been obtained and analyzed. This means organizations can block malware before it corrupts the system, avoiding the costs associated with this type of attack.

 

Like to see a demo? Let us know.