
How Logitek Implements Critical Application Defense

The defense-in-depth strategy tells us to protect the critical applications running on the equipment and, where an application's own criticality warrants it, to take specific protection measures for it.

The defense-in-depth strategy proposes applying different protection mechanisms at different levels within an ICS OT installation. In this way, if one layer of protection fails, there are other, inner layers that prevent the attack from materializing, thus reducing the operational risk to industrial assets.

In previous posts, we have discussed how to protect network perimeters, how to increase the level of protection of the internal network, and how to protect the equipment itself.

However, there are threats and attack vectors that do not use the network to achieve their aims. For example, a phishing campaign combined with removable media (DVDs, USB drives, or other gadgets that can be connected to a computer) can spread through the very human trait of curiosity, allowing malicious code to bypass the network and perimeter protections, and even the protections of the computer itself (when it lacks patches and/or updates).

Host protection, as we have seen, is mainly based on technologies that rely on signatures to detect and block attacks or different types of malware, which requires them to continuously update their database of known attacks in order to remain effective.

These protections, while effective, do not guarantee 100% protection, and even less so in ICS OT environments, where we often find equipment on which endpoint protection cannot be installed, either because the equipment itself is obsolete or because of incompatibilities with the industrial control application.

In these cases, the defense-in-depth strategy tells us to protect the applications that are running on these computers or, due to the application’s own criticality, to take specific protection measures.


What Does Application Protection Mean?

An application, like any other software, is a program that executes a series of instructions to carry out a particular function. Every program can contain programming flaws that can be potentially exploited for malicious purposes.

The constant stream of news about newly discovered vulnerabilities in applications, well-known operating systems, etc. is proof of this.

Another threat to applications is malware that may have bypassed the computer’s protection and “infected” the application by modifying its executable files or libraries. As a result, running the application also runs “something else” on the computer, and this “something else” can materialize threats that, depending on the process environment, can have serious consequences at an economic, physical, copyright, legal, and/or legislative level.

Therefore, protecting an application requires that:

  • The application itself has its own user authentication mechanisms.
  • It has authorization mechanisms that delimit which actions each authenticated user can execute.
  • It has traceability mechanisms for the actions performed and, where appropriate, for the changes made.
  • It has update mechanisms, in both online and offline mode.


How Can We Protect Applications?

At Logitek we follow a two-pronged strategy for the protection of applications:

1. Software limitation and verification solution

On the one hand, through a software limitation and verification solution that runs on each of the computers.

Through application whitelisting, we protect the execution of software by ensuring that:

  • The application has not been modified. The solution stores a digital signature of each application's executables and libraries (DLLs, etc.) to certify their integrity and that no modification has been made to them.
  • Only authorized applications can be executed, preventing the execution of any other code.
  • The impact on the equipment is low, and obsolete operating systems (Windows NT, XP, 2003 Server, etc.) remain supported.
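As an added illustration (not Logitek's or any vendor's code), the allowlist check described above, modelled with SHA-256 digests in place of the product's digital signatures; the file names and contents are constructed for the example:

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "installation": an application executable plus the library it loads.
# Names and contents are made up for this example.
SAMPLE_FILES = {
    "hmi.exe": b"MZ\x90\x00 sample HMI executable bytes",
    "comms.dll": b"MZ\x90\x00 sample communications library bytes",
}

def sha256_of(path):
    """Digest of a file on disk; stands in for the product's digital signature."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root, names):
    """Baseline: record the digest of every authorized executable and library."""
    return {name: sha256_of(os.path.join(root, name)) for name in names}

def check_execution(root, exe, libs, allowlist):
    """Decide whether exe (and every library it loads) may run. Returns (allowed, reason)."""
    for name in [exe, *libs]:
        path = os.path.join(root, name)
        if name not in allowlist:
            return False, f"{name}: not in allowlist"
        if not os.path.exists(path):
            return False, f"{name}: missing from disk"
        if sha256_of(path) != allowlist[name]:
            return False, f"{name}: digest mismatch (modified)"
    return True, "all components verified"

def demo():
    """Builds the baseline, then exercises the clean, tampered-library and unlisted cases."""
    root = tempfile.mkdtemp()
    for name, data in SAMPLE_FILES.items():
        Path(root, name).write_bytes(data)
    allowlist = build_allowlist(root, SAMPLE_FILES)
    results = {"clean": check_execution(root, "hmi.exe", ["comms.dll"], allowlist)}
    # Simulate an infection that replaces the library the application loads.
    Path(root, "comms.dll").write_bytes(b"MZ\x90\x00 replaced library bytes")
    results["tampered_lib"] = check_execution(root, "hmi.exe", ["comms.dll"], allowlist)
    # Simulate an unknown binary that was never authorized.
    Path(root, "unknown.exe").write_bytes(b"MZ\x90\x00 unlisted binary")
    results["unlisted"] = check_execution(root, "unknown.exe", [], allowlist)
    return results

if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:12} allowed={allowed} ({reason})")
```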

2. Solutions to analyze the execution flow

On the other hand, there are solutions capable of analyzing the execution flow of applications and preventing that flow from deviating from its normal behavior. Virsec Trusted Execution™ is an example of this type of solution.

It is composed of:

  • A small agent that is installed on the servers hosting the critical applications.
  • A module that analyzes and maps the RAM memory structures used by the execution flow of the critical applications.
  • A module for reporting, visualization, alerting, management, etc.

When an application is protected by Virsec Trusted Execution™, its normal operating flow has been mapped. From then on, no CPU instruction or RAM memory structure other than the mapped ones is allowed, so that even if the application has been breached or infected, the malicious code cannot be executed.

Therefore, this solution:

  • Protects against 0-day attacks.
  • Protects against 0-day vulnerabilities.
  • Does not have a latency impact on the execution of the application.
  • Prevents memory attacks.
  • Prevents fileless attacks (attacks that do not modify files on disk).
  • Prevents registry modifications.
  • Prevents DLL injections.
  • Prevents the execution of exploits.
  • Does not depend on signatures or updates.
  • Does not have false positives.

In short, it guarantees that the applications execute the code for which they have been programmed, regardless of whether or not they have vulnerabilities.


For more information, do not hesitate to contact us.