The document discusses the challenges and effectiveness of whitelisting in cybersecurity, highlighting its potential successes and the complexities surrounding its deployment and bypass mechanisms. It emphasizes the need for better methodologies, visibility, and trust in signed tools, while also acknowledging the limitations and evolving tactics used by attackers. Ultimately, the author encourages the adoption of whitelisting as a standard practice to combat opportunistic attacks.

1. You are making whitelisting difficult
Casey Smith

3. Two Ways to Engage the Enemy
Off Horizon - Collect and Analyze Telemetry
Hand To Hand Combat - Mitigations (User/
Kernel/Hypervisor)

4. Whitelisting is a street fight

5. But I mean, Does it work?
Red October ( For Us ;-) ) - October 22, 2013
Whitelisting Full Enforcement, April 2014. Yes, even DLLs. It is possible.
Was it difficult, YES.
Did it work? YES.
Are there bypasses? YES.

6. Disrupt/Degrade Adversary Capabilities

8. Three Problem Statements

9. admins often do not know where or
how to begin to deploy whitelisting
1.

10. Defenders need to hear the positive results

11. I actually want whitelisting to work.
I worry defenders are not talking about its efficacy.
...for fear attackers will switch tactics?

12. trust by default
instead of
trust by exception
2.

13. More of this please...Ignite 2017 Talk (Aaron & Chris)

14. Trust Decisions made on... publisher…?
● Was this the intent of code signing?
● Verifies Identity and Integrity
● Not Intent

15. trusted signed tools can lead to compromise
3.

16. My experience with bypasses
IEExec - Jan 16, 2014 (Proved my theory Trusted Things Can Execute Things)
InstallUtil - October 31, 2014
RegAsm/RegSvcs - November 6, 2015
Regsvr32 - April 19, 2016
MSBuild - May 27, 2016 - Device Guard Bypass.

17. Exploit Free Evasion - Living Off The Land
Alex Ionescu
James Forshaw
Lee Christensen
Matt Graeber
Matt Nelson
Oddvar Moe

18. dbghost.exe
Discovered accidentally by …
Reading MSDN & :)
Honestly need all need a better
methodology to find these...

19. Significance of dbghost.exe
Unconstrained Script Host
Debug Level Control of an Application
Not Default

20. Does keeping a blacklist for whitelisting even make sense?

21. Current Published Device Guard Bypass Tools

22. How many unknown/other bypass tools exist?

23. Will this scale? We need to consider...

24. How are new bypasses...
Discovered?
Serviced?
Announced?

25. Assume Compromise
You should also assume…
Admin
Execution

26. Call To Action

27. Three Things We Need

28. Acknowledge whitelisting is a boundary. ;-)
1.

29. “sign everything same way”, needs to be
evaluated
notepad.exe == windbg.exe ?
2.

30. more .NET visibility
3.

31. Closing Thoughts

32. No one is building wooden ships for warfare
anymore...

33. Help make whitelisting a new normal
Drive out commodity and opportunistic attacks

34. The Genius of Device Guard
Virtualization Based Security
“Attackers with capabilities to evade, don’t actually give a crap about executing PE
files…”
This can help drive naïve attackers out of the fight.

35. Thank you

36. Questions? Feedback?
Casey Smith