Trust, it’s a fundamental concept in cybersecurity and plays a vital role in the decisions we make, particularly if a risk-based approach is taken to decision making. However, we don’t often think about how the concept of trust influences our decisions. This blog post will explore what role trust plays, in file-based security.
First, it’s important to note that trust is not a one size fits all concept and is unable to be applied equally across situations. For example, trust between family members must be thought of as a completely different concept to trust between networked computer endpoints.
The oxford dictionary defines trust as:
Noun: “Firm belief in the reliability, truth, or ability of someone or something”.
Verb: “Allow someone to have, use, or look after (someone or something of importance or value) with confidence”.1
Looking at the above definitions, neither truly describes the concept of trust, when applied to files. Let me propose a more suitable definition (taking some inspiration from the Noun above):
“Firm belief in the purpose, origin and expected behavior of a file or software package”.
Let me clarify this statement. In order to decide if you should ‘trust’ a file you must satisfy the following criteria:
1) Context – The file must exist to serve a particular purpose and be attributable to an application or function. Humans should ask, why does the file exist?
2) Predictability – The file must behave in a predictable and consistent way when executed or handled. Humans should ask, does the file behave in a manner that is expected, given its context?
3) Integrity – The file must provide assurance that it has not been modified or tampered with in an unauthorized manner. Humans should ask, does the file have integrity?
Answering these questions for every file on an average operating system can prove to be a daunting task, one that would simply be unfeasible using manual processes. Ultimately, we must rely on frameworks which can assist in determining if ‘trust’ should be placed in a file, at scale.
Frameworks can take many forms, such as a threat intelligence feed, hashing algorithm or even a digital certificate validation mechanism. Regardless of their function, these frameworks must be robust, as we rely upon them to provide accurate information to inform our decisions.
Now you may be thinking, what if I don’t fully ‘trust’ (have a firm belief in the reliability, truth or ability) the framework I am using? Where possible you should aim to use more than one framework to provide multiple answers for the ‘context’, ‘predictability’ and ‘integrity’ of a file. Multiple answers provide an opportunity to compare the results across frameworks to ensure truthful answers are provided.
Typically, vendors/operators attempt to answer these questions using one or more of the following methods:
- Has the file been seen by a large number of users?
- Has the file been signed by a vendor?
- Is the file located on the correct path?
- Does the file have a description explaining its purpose?
- When is the file invoked?
- Does the file perform any unexpected behaviors when invoked? (loading interpreters, spawning/hooking processes etc)
- Does the file request elevate permissions?
- Does the file load into the expected process?
- Does the file perform any system modifications? Drop files?
- Does the file extension match its content?
- Is the file digitally signed by a vendor?
- Does the files hash value match a vendor-provided hash value?
- Has the file changed hash values since I have seen the file?
- Does the files hash match a known good sample based on threat intelligence?
These methods are not an exhaustive list and barely scratch the surface, but hopefully provide a starting point for some ideas which can be used to determine if you should trust a file or not.
Airlock Application Whitelisting provides a robust solution enabling administrators to easily choose which files they should trust in an environment. Most importantly, Airlock incorporates multiple frameworks which are needed to quickly determine trust.