Trust-Based Security Models Ineffective: Researchers

Thursday, June 04, 2015

Eduard Kovacs


LONDON - Infosecurity Europe 2015 - The trust-based foundations of whitelisting make it more difficult for organizations to properly protect their networks against cyber threats, Kaspersky Lab researchers have warned.

Juan Andres Guerrero-Saade and Fabio Assolini of Kaspersky Lab’s Global Research and Analysis Team (GReAT) provided numerous examples in which perfectly legitimate applications have been leveraged by malicious actors to achieve their goals.

Whitelisting Technology Not Always Effective

Benevolent design doesn’t necessarily mean benevolent use, the experts showed during a presentation at the Infosecurity Europe conference in London this week. Trust-based security models such as whitelisting depend on an accurate characterization of the code’s intended use. Whitelisting technology is built on three pillars: verifying whether the developer is trustworthy, whether the application’s behavior appears benevolent, and whether the application is trusted by many users, an aspect the researchers call “crowdsourced trust.”

However, many malicious cyber operations discovered recently have demonstrated that a situation can't be accurately characterized on the basis of these pillars: behavior cannot be preemptively characterized, widely available or native tools are ripe for abuse, and a developer’s identity cannot be assured.

Guerrero-Saade and Assolini pointed out that many advanced persistent threat (APT) groups use perfectly legitimate tools in their campaigns. For example, the threat actor group known as Equation, believed to be linked to the NSA, has leveraged the functionality of Sleuth Kit, a library and collection of command line forensics tools that allow users to investigate volume and file system data.
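The following is an added example, not code from the article or from Kaspersky Lab, that models the three whitelisting pillars described above and then shows the gap the researchers point to: a signed, well-behaved, widely deployed tool passes every pillar, so the static verdict alone says nothing about who is running it or why. The second layer, `contextual_decision`, is the kind of check a defender adds on top: the same whitelisted binary is allowed silently on the hosts where it belongs and flagged for review when it shows up elsewhere. All publishers, tool names (`diskcarve` stands in for a generic forensics utility), thresholds and telemetry are constructed sample data, not real vendors or products.

```python
from dataclasses import dataclass
from typing import FrozenSet

# --- Constructed reference data (hypothetical publishers, behaviors and thresholds) ---
TRUSTED_PUBLISHERS = frozenset({"Example Forensics Ltd", "Example OS Corp"})
SUSPICIOUS_BEHAVIORS = frozenset(
    {"disables_security_tooling", "self_modifying_code", "keystroke_capture"}
)
CROWD_THRESHOLD = 10_000  # install base above which "many users trust it"


@dataclass(frozen=True)
class Binary:
    name: str
    publisher: str
    signature_valid: bool
    observed_behaviors: FrozenSet[str]  # e.g. from sandboxing or endpoint telemetry
    install_base: int                   # number of endpoints known to run it


def pillar_developer(b: Binary) -> bool:
    """Pillar 1: is the developer trustworthy (valid signature from a known publisher)?"""
    return b.signature_valid and b.publisher in TRUSTED_PUBLISHERS


def pillar_behavior(b: Binary) -> bool:
    """Pillar 2: does the application's observed behavior appear benevolent?"""
    return not (b.observed_behaviors & SUSPICIOUS_BEHAVIORS)


def pillar_crowd(b: Binary) -> bool:
    """Pillar 3: crowdsourced trust, is the application run by many users?"""
    return b.install_base >= CROWD_THRESHOLD


def whitelist_decision(b: Binary) -> bool:
    """The static verdict: all three pillars must hold."""
    return pillar_developer(b) and pillar_behavior(b) and pillar_crowd(b)


@dataclass(frozen=True)
class Execution:
    binary: Binary
    host_role: str       # what kind of machine the tool ran on
    parent_process: str  # what launched it


# Hypothetical per-tool profile of where and how the tool is normally used.
EXPECTED_CONTEXT = {
    "diskcarve": {
        "host_roles": frozenset({"forensics-workstation"}),
        "parents": frozenset({"bash", "explorer.exe"}),
    },
}


def contextual_decision(e: Execution) -> str:
    """Layer execution context on top of the static whitelist verdict.

    Returns "block" when the binary fails the pillars, "allow" when it passes
    and runs where its profile expects, and "allow_and_alert" when a trusted
    binary runs outside its normal context (the case static whitelisting misses).
    """
    if not whitelist_decision(e.binary):
        return "block"
    expected = EXPECTED_CONTEXT.get(e.binary.name)
    if expected is None:
        return "allow"  # no profile for this tool: fall back to the static verdict
    if e.host_role in expected["host_roles"] and e.parent_process in expected["parents"]:
        return "allow"
    return "allow_and_alert"


# Constructed sample: a legitimately signed, well-behaved, widely used forensics tool.
DISKCARVE = Binary(
    name="diskcarve",
    publisher="Example Forensics Ltd",
    signature_valid=True,
    observed_behaviors=frozenset({"reads_raw_disk"}),
    install_base=250_000,
)

if __name__ == "__main__":
    print(whitelist_decision(DISKCARVE))  # True: all three pillars pass
    print(contextual_decision(Execution(DISKCARVE, "forensics-workstation", "bash")))
    print(contextual_decision(Execution(DISKCARVE, "hr-laptop", "winword.exe")))
```

The point of the second layer is not to replace the pillars but to stop treating "whitelisted" as the end of the decision: the verdict on the binary is cached once, while the verdict on each execution depends on host role and parent process, which is where a legitimate tool in the wrong hands becomes visible.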

