How Trusted Application Protection Builds on Application Control & Endpoint Privilege Management

Jun 18, 2020
Author: Ian Pitfield, Sr Solutions Engineer

Trusted Application Protection (TAP) is a capability of BeyondTrust’s Privilege Management for Windows product. TAP strengthens defenses against malware, including ransomware, and phishing attacks by adding parent-process context that stops attack-chain tools (such as PowerShell and WScript) when they are launched from commonly used, legitimate applications. This also gives organizations protection against fileless malware and living-off-the-land (LotL) attacks. Working together, the product’s least privilege, application control, and application protection capabilities give organizations a way to secure users, sessions, and endpoints against a broad array of common and sophisticated attacks and drastically reduce the enterprise threat surface, while still optimizing for end-user productivity.

In this blog, I’ll briefly cover how the Trusted Application Protection capability evolved and how it works, and I will also provide some examples, including a short video.

Usability, Productivity, & Security


As a consultant specializing in endpoint privilege security, my role allows me to engage with many organizations that are looking to improve their security posture wherever possible. You may be thinking that this is a tough (and rewarding) gig, and you’d be correct! Most challenges to security controls rightly revolve around one main area: end-user productivity. If we could switch off the Internet, it would solve many problems, but ultimately the end users would suffer a productivity loss.

While end users generally cannot be impeded in their day-to-day roles, the big challenge is that end-user interactions often instigate security issues: clicking on the wrong link, visiting the wrong website at the wrong time, or opening that one attachment that got through filtering.

Privileged access is one of the vectors favored by attackers. By default, privileges are frequently over-provisioned. Sometimes this is due to a lack of IT visibility into, and awareness of, the humans, applications, machines, and so on that hold privileges. Other times, over-provisioning privilege is a conscious trade-off IT teams make when they lack the right privilege management tools and don’t want to impede users in their jobs. After all, rarely does anyone complain to IT about having too many privileges. Of course, a security incident caused by excess privileged access can derail business continuity.

Over the past 8 years, I’ve worked with organizations to implement BeyondTrust Endpoint Privilege Management (comprising solutions for Windows, Mac, Unix, Linux, and more) so they don’t have to make those hard, and often perilous, trade-offs between security and productivity. BeyondTrust’s solution is the most powerful, flexible technology for implementing the principle of least privilege (PoLP). Least privilege is the single biggest improvement to end-user device security that you can make, validated again this year by the findings and analysis in the 2020 Microsoft Vulnerabilities Report. Our Endpoint Privilege Management solution can deliver precisely the right access, and only for the finite period of time that the privileges are needed. Ensuring that privileged access is ephemeral in this way is today known as just-in-time privileged access management.

You could stop at these capabilities and still be talking about an industry-leading endpoint PAM solution. However, there is much more to BeyondTrust Privilege Management for Windows & Mac than privilege management alone. Since endpoint privilege management already provides an engine that matches many types of applications for elevation, it makes sense to use the same engine for process control: application allow listing and block listing.


  • Watch a 1-minute demo video on Trusted Application now

Why Trusted Application Protection?


Traditional application control remains a powerful capability and is an important part of BeyondTrust’s Endpoint Privilege Management solution. Allow listing, block listing, and grey listing help ensure that only legitimate, approved applications can run, reducing the threat surface while preserving productivity.

To understand Trusted Application Protection, which builds on the foundation of Windows and Mac privilege management and application control, I believe it helps to show the history behind the feature.

In 2015, sandboxing was introduced into endpoint privilege management as a feature designed to run defined processes in isolation. It was largely based on the principle of using temporary local accounts for privilege separation, rather than the much more complex hypervisor-based solutions that were around at the time. This worked as an effective security measure, running processes that are commonly targeted for exploitation, such as browsers and document handlers, away from the logged-in user’s context and data.

While this did layer some protection around the endpoint, it introduced some challenges. Many large enterprises make use of user data folder redirection and roaming profiles, which required the feature to evolve so that productivity was not hindered. With the balance between security and productivity being paramount on end-user devices, a further evolution was needed.

What we now have in our Privilege Management for Windows product, whether you deploy it on-premises or in the cloud, is Trusted Application Protection, which focuses on the core principle of disrupting attack chains and delivers it in a policy-driven, user-friendly way that scales in the enterprise.

The 2020 Verizon Data Breach Investigations Report found that Office documents and Windows apps remain the malware file types preferred by attackers. Our alliance partner McAfee reported a 400% increase in PowerShell-based attacks in 2019, which presents a serious challenge to organizations. This threat of ‘living off the land’ by misusing common, built-in tools is what BeyondTrust aims to mitigate. Trusted Application Protection, as a core part of BeyondTrust Privilege Management for Windows & Mac, delivers much more effective protection when coupled with the privilege management and application control features, and our customers can add it quickly and easily to their endpoint security toolset.

How Trusted Application Protection Works


Trusted Application Protection adds context to the process tree, allowing restriction of common attack-chain tools, such as PowerShell and WScript, when they are spawned by commonly used applications such as browsers or document handlers (Word, PowerPoint, Excel). TAP does not rely on reputation or antivirus signatures; it adds the process-tree context to the decision. This means that when a user is tricked, such as via a phishing email, into opening a malicious document, the ransomware payload or script that the document tries to launch is blocked. This is an effective defense against common attacks that abuse trusted applications in the user environment.

TAP is implemented as a series of pre-populated, extensible configurations that can be imported into the solution’s policy management tools (QuickStart). These configurations can be deployed on their own, for example early in a rollout when it is not yet practical to implement default-deny allow listing (because of the potential impact on users until their requirements are fully understood). In this case TAP offers an immediate attack surface reduction with minimal effort and low risk.

Here is an example of the workflow involved in initiating Trusted Application Protection:


These are the basic steps shown in the workflow diagram above:

  1. TAP applies only to processes or DLLs that are descendants of a TAP application (a browser or document handler defined in the policy).
  2. Any excluded process or DLL has no restrictions applied by TAP and is subject to the normal rules of the solution.
  3. Block-listed processes are blocked regardless of their level of trust.
  4. Any other process or DLL that is neither owned by a trusted user nor signed by a trusted publisher is blocked.
  5. Any process not blocked by TAP is then subject to the normal Endpoint Privilege Management workstyle rules.
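The five steps above, as an added Python simulation (not BeyondTrust’s code or policy format): it builds a process tree from constructed process records, walks each process’s ancestors to decide whether it is a descendant of a TAP application, and then applies the exclusion, block list, and trust checks in the order listed. Every process name, signer, owner, and list entry is an assumption made for the illustration; the constructed tree reproduces the Word-macro-to-script chain that the examples in this post describe.

```python
"""Simulation of the five-step Trusted Application Protection (TAP) decision
workflow: an added illustration, not BeyondTrust code.
The process tree, TAP application list, exclusions, block list and trust
data are all constructed here; every name below is hypothetical.
Only processes are modelled (the real feature also covers DLL loads)."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                 # executable name, lower-cased
    ppid: Optional[int]        # parent pid, None for the tree root
    publisher: Optional[str]   # Authenticode signer, None if unsigned
    owner: str                 # owner of the image file on disk


# Constructed policy data (assumed values for illustration only).
TAP_APPLICATIONS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}
EXCLUSIONS = {"splwow64.exe"}                                        # step 2
BLOCK_LIST = {"powershell.exe", "pwsh.exe", "wscript.exe",           # step 3
              "cscript.exe", "mshta.exe"}
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation"}  # step 4
TRUSTED_OWNERS = {"NT SERVICE\\TrustedInstaller", "BUILTIN\\Administrators"}


def ancestors(proc: Proc, table: Dict[int, Proc]) -> Iterator[Proc]:
    """Yield parent, grandparent, ... of proc. Stops on a missing or cyclic
    parent: pid reuse can make a recorded tree inconsistent."""
    seen = {proc.pid}
    cur = proc
    while cur.ppid is not None and cur.ppid in table and cur.ppid not in seen:
        cur = table[cur.ppid]
        seen.add(cur.pid)
        yield cur


def descends_from_tap(proc: Proc, table: Dict[int, Proc]) -> bool:
    """Step 1: is any ancestor (not proc itself) a TAP application?"""
    return any(a.image in TAP_APPLICATIONS for a in ancestors(proc, table))


def evaluate(proc: Proc, table: Dict[int, Proc]) -> Tuple[str, str]:
    """Apply steps 1-5 in order; returns (verdict, reason).
    'ALLOW' means TAP does not block; the normal workstyle rules then decide."""
    if not descends_from_tap(proc, table):
        return "ALLOW", "step 1: not a descendant of a TAP application"
    if proc.image in EXCLUSIONS:
        return "ALLOW", "step 2: excluded from TAP, normal rules apply"
    if proc.image in BLOCK_LIST:
        return "BLOCK", "step 3: block-listed regardless of trust"
    if proc.publisher in TRUSTED_PUBLISHERS or proc.owner in TRUSTED_OWNERS:
        return "ALLOW", "step 5: trusted, normal workstyle rules apply"
    return "BLOCK", "step 4: neither trusted owner nor trusted publisher"


def evaluate_all(table: Dict[int, Proc]) -> Dict[int, Tuple[str, str]]:
    return {pid: evaluate(p, table) for pid, p in table.items()}


def sample_tree() -> Dict[int, Proc]:
    """Constructed process tree mirroring a phishing chain: Outlook opens
    Word, a macro runs cmd.exe, which runs PowerShell; plus benign noise."""
    ms, ti = "Microsoft Windows", "NT SERVICE\\TrustedInstaller"
    procs = [
        Proc(100, "explorer.exe",   None, ms, ti),
        Proc(200, "outlook.exe",    100, "Microsoft Corporation", ti),
        Proc(300, "winword.exe",    200, "Microsoft Corporation", ti),
        Proc(400, "cmd.exe",        300, ms, ti),               # macro -> cmd
        Proc(500, "powershell.exe", 400, ms, ti),               # cmd -> powershell
        Proc(600, "dropper.exe",    300, None, "CORP\\alice"),  # unsigned, user-owned
        Proc(700, "powershell.exe", 100, ms, ti),               # user ran it from Explorer
        Proc(800, "splwow64.exe",   300, ms, ti),               # print helper, excluded
    ]
    return {p.pid: p for p in procs}


if __name__ == "__main__":
    tree = sample_tree()
    for pid, (verdict, why) in sorted(evaluate_all(tree).items()):
        print(f"{pid:>4} {tree[pid].image:<16} {verdict:<5} {why}")
```

Two results in the sample are worth noticing. PowerShell (pid 500) is blocked even though its direct parent is cmd.exe, because TAP evaluates ancestry, not just the immediate parent. cmd.exe itself (pid 400) is not blocked: it is Microsoft-signed and not on the constructed block list, so it falls through to the normal workstyle rules. Under the workflow as described, the block list is what decides the fate of signed, built-in tools, so it has to name every living-off-the-land binary you want stopped.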

Trusted Application Protection hardens security around the endpoint and protects against dangerous attacks that may slip by other defenses—without inhibiting user productivity.

If we look at the examples below, we can see that restricting high-risk applications commonly used in attack chains, such as WScript, CScript, PowerShell, and unknown applications, based on the context in which they were launched, delivers a simple and effective defense layer on your endpoints.

Here are two example scenarios:

Example 1: A Word document email attachment containing a macro that launches CME.exe to download a payload.
Example 2: A browser-based exploit through Flash that calls PowerShell to download a payload.

Learn more about Trusted Application Protection & Endpoint Privilege Management


To learn more about Trusted Application Protection, watch the short video overview of the solution below. I’ve also included further resources on BeyondTrust Endpoint Privilege Management. And, if you have questions or would like to explore the solution further, contact us today.


Demo video of Trusted Application Protection feature of Privilege Management for Windows

Additional Resources on Privilege Management for Endpoints


Endpoint Privilege Management QuickStart (2-min. video)

Guide to Endpoint Privilege Management (guide)

Demo: Privilege Management for Windows & Mac (video)

Privilege Management SaaS Hardens Windows & Mac Endpoint Security, Protecting On-Prem & Remote Workers & Systems (blog)
