Why should you care?
Having no policies around PUPs is indicative of a lack of control in your environment. It is simply not enough to rely on antivirus tools and firewalls to keep the threats away from your network and endpoints. In both of the above scenarios, we can make the following assumptions:
- The employer is not practicing application or browser whitelisting
- If they’re not whitelisting on those, they’re less likely to be whitelisting IP, domain, email, etc.
- If there’s a lack of whitelisting as a security gap, we can assume there are security gaps elsewhere
Avoid time suck
Also consider the response and counteraction required of security analysts in an environment with loosely enforced PUP policies. Investigating unwanted software can take up a lot, if not the majority, of an analyst’s day-to-day work. Untrusted software creates a lot of noise on sensors and antivirus, along with a plethora of data to sift through. Moreover, a good number of programs classified in the PUP family are so poorly written that their behavior actually looks like malware—even when it’s not.
Part of a security analyst’s function is to conduct open-source research and evaluate the rest of the security community’s inputs on a particular artifact or tactic, technique, and procedure (TTP). This includes checking binaries against the opinions of AV vendors. This is where PUPs make things tricky: if 10 vendors classify a file as “adware” and 10 other vendors classify the same file as a “trojan,” which is it? This may force the analyst to go down a rabbit hole and perform a deeper-dive analysis, which ends up being a time suck. Imagine the time saved by automating PUP detections so that your analysts can focus on detecting definitely unwanted programs.
Red Canary has three main types of detections: malicious, suspicious, and unwanted (aka PUP). Most PUP detections are initially discovered by our detectors that alert on malware. Again, PUPs tend to behave like malware, and once it’s determined they’re not, they are subcategorized into one of three categories: adware, riskware, or P2P.
From here, the analyst team evaluates the potential threat posed by the functionality of the software in question. If deemed a potential threat in our customer environments, we will create a product detector for that specific program. Now, we fully understand that some of these programs are allowed or sometimes required, depending on the customer environment. The CIRT makes it easy for our customers to manage their unwanted detections, with features to mute these detections across the whole environment or only on particular endpoints.
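To make the triage and mute handling described above concrete, here is an added example in Python; it is not Red Canary's code and does not reflect how the CIRT actually classifies files. The keyword table that maps vendor labels to the adware/riskware/P2P subcategories, the rule that sends an even adware-versus-trojan split to analyst review, the mute-policy layout, and all vendor names and labels are assumptions constructed for the illustration.

```python
# Added example: vendor-verdict triage plus per-customer mute rules.
# Not Red Canary's code; keyword table, decision rule and policy layout
# are assumptions made for illustration.
from collections import Counter

# Assumed keyword table: substrings of vendor labels mapped to one of the
# three PUP subcategories named in the text, or to a malware family.
PUP_KEYWORDS = {
    "adware": "adware",
    "pua": "riskware",
    "pup": "riskware",
    "riskware": "riskware",
    "hacktool": "riskware",
    "torrent": "p2p",
    "p2p": "p2p",
}
MALWARE_KEYWORDS = ("trojan", "ransom", "backdoor", "worm", "rootkit")


def normalize(label):
    """Map one vendor label to ('pup', subcategory), ('malware', keyword) or None.

    A label carrying a PUP keyword is read as that vendor's PUP verdict even
    if it also mentions a malware family (assumption).
    """
    text = label.lower()
    for keyword, family in PUP_KEYWORDS.items():
        if keyword in text:
            return ("pup", family)
    for keyword in MALWARE_KEYWORDS:
        if keyword in text:
            return ("malware", keyword)
    return None


def triage(verdicts, review_margin=0.2):
    """Classify a file from {vendor: label}; returns (category, subcategory).

    Decision rule (assumption): the signed share of malware verdicts among
    all flagging vendors decides 'malicious' or 'unwanted'; a split closer
    than review_margin (the 10-adware/10-trojan case) goes to 'review'.
    """
    pup = Counter()
    malware = 0
    for label in verdicts.values():
        kind = normalize(label)
        if kind is None:
            continue
        if kind[0] == "pup":
            pup[kind[1]] += 1
        else:
            malware += 1
    flagged = malware + sum(pup.values())
    if flagged == 0:
        return ("clean", None)
    lean = (malware - sum(pup.values())) / flagged
    if lean > review_margin:
        return ("malicious", None)
    if lean < -review_margin:
        return ("unwanted", pup.most_common(1)[0][0])
    return ("review", None)


def apply_mutes(detections, mute_policy):
    """Drop 'unwanted' detections the customer has muted.

    mute_policy (assumed layout): {program: "all"} mutes everywhere,
    {program: {"host1", ...}} mutes only on those endpoints. Malicious and
    review detections always surface regardless of policy.
    """
    kept = []
    for det in detections:
        rule = mute_policy.get(det["program"])
        muted = rule is not None and (rule == "all" or det["endpoint"] in rule)
        if det["category"] == "unwanted" and muted:
            continue
        kept.append(det)
    return kept


# Constructed sample verdicts (vendor names and labels are made up).
SAMPLE_VERDICTS = {
    "toolbar.exe": {
        "VendorA": "PUA:Win32/Adware.Toolbar",
        "VendorB": "not-a-virus:AdWare.Generic",
        "VendorC": "Adware.Toolbar.Gen",
        "VendorD": "Riskware.Bundler",
        "VendorE": "Trojan.Generic",
    },
    "split.exe": {
        **{f"Vendor{i}": "Adware.Generic" for i in range(10)},
        **{f"Vendor{i}": "Trojan.Generic" for i in range(10, 20)},
    },
    "dropper.exe": {
        "VendorA": "Trojan.Dropper",
        "VendorB": "Backdoor.Agent",
        "VendorC": "Ransom.Locker",
        "VendorD": "PUP.Optional",
    },
}


def demo():
    """Triage the samples on two hosts, then apply one customer's mute policy."""
    detections = []
    for program, verdicts in SAMPLE_VERDICTS.items():
        category, sub = triage(verdicts)
        for endpoint in ("host1", "host2"):
            detections.append({"program": program, "endpoint": endpoint,
                               "category": category, "subcategory": sub})
    policy = {"toolbar.exe": {"host1"}}  # constructed: toolbar accepted on host1 only
    return apply_mutes(detections, policy)


if __name__ == "__main__":
    for det in demo():
        print(det)
```

The even split on `split.exe` lands in `review` rather than being forced into either bucket, which is the point of the passage: the analyst, not the vendor tally, resolves it. The mute only ever suppresses `unwanted` detections, so an accepted program that later starts behaving like malware still surfaces.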
Here’s what a PUP detection looks like for Red Canary users:
Endpoints with PUP detections are more likely to have malicious detections. For endpoints that received both malicious/suspicious and PUP detections in 2019, 67 percent first saw a PUP detection and then received one or more follow-on malicious or suspicious detections.
Additionally, as the percentage of PUP detections drops by endpoint, so does the number of endpoints with malicious detections. We looked at several large samples across entire customer environments and found the following:
- Environments in the top quartile of percentage of endpoints with PUP detections saw, on average, 3.75 percent of their endpoints having malicious or suspicious detections
- Environments falling within the bottom quartile of percentage of endpoints with PUP detections had less than 1 percent of their endpoints affected by malicious or suspicious detections
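The two measurements above (the share of endpoints where a PUP detection preceded a malicious or suspicious one, and the top-versus-bottom quartile comparison) can be replayed over any detection export. The following added Python example is not Red Canary's analysis code; the record layout, the environment sizes and all detection data are constructed here, and the resulting numbers are therefore illustrative, not the ones reported above.

```python
# Added example: computing PUP-precursor rate and quartile comparison
# over detection records. Not Red Canary's code; data is constructed.
from collections import defaultdict
from datetime import datetime


def make_env(env, total, n_pup, n_bad, overlap, pup_first):
    """Build constructed records (env, endpoint, ISO timestamp, category).

    Endpoints 0..n_pup-1 get a PUP detection on day 1. The first `overlap`
    of them also get a malicious detection: day 2 for the first `pup_first`
    (PUP came first), day 0 otherwise. The remaining n_bad-overlap bad
    detections land on endpoints that never saw a PUP.
    """
    recs = []
    for ep in range(n_pup):
        recs.append((env, f"ep{ep}", "2019-03-01T09:00:00", "unwanted"))
    for ep in range(overlap):
        day = "2019-03-02" if ep < pup_first else "2019-02-28"
        recs.append((env, f"ep{ep}", f"{day}T09:00:00", "malicious"))
    for ep in range(n_pup, n_pup + n_bad - overlap):
        recs.append((env, f"ep{ep}", "2019-03-05T09:00:00", "suspicious"))
    return recs


# Constructed environments: (total endpoints, n_pup, n_bad, overlap, pup_first)
SPEC = {
    "envA": (100, 40, 4, 3, 2), "envB": (200, 70, 6, 5, 4),
    "envC": (100, 10, 1, 1, 1), "envD": (50, 2, 0, 0, 0),
    "envE": (100, 25, 2, 1, 0), "envF": (100, 15, 2, 1, 1),
    "envG": (100, 5, 1, 0, 0),  "envH": (100, 30, 3, 2, 2),
}
RECORDS = [r for env, s in SPEC.items() for r in make_env(env, *s)]
ENDPOINT_COUNTS = {env: s[0] for env, s in SPEC.items()}  # from inventory


def first_seen(records):
    """Per (env, endpoint): earliest PUP timestamp and earliest bad timestamp."""
    pup, bad = {}, {}
    for env, ep, ts, cat in records:
        key, t = (env, ep), datetime.fromisoformat(ts)
        if cat == "unwanted":
            pup[key] = min(pup.get(key, t), t)
        elif cat in ("malicious", "suspicious"):
            bad[key] = min(bad.get(key, t), t)
    return pup, bad


def pup_precursor_rate(records):
    """Among endpoints with both kinds, fraction where the PUP came first."""
    pup, bad = first_seen(records)
    both = [k for k in pup if k in bad]
    if not both:
        return None
    return sum(1 for k in both if pup[k] < bad[k]) / len(both)


def env_rates(records, endpoint_counts):
    """Per environment: (% endpoints with PUP, % with malicious/suspicious)."""
    pup, bad = first_seen(records)
    pup_eps, bad_eps = defaultdict(set), defaultdict(set)
    for env, ep in pup:
        pup_eps[env].add(ep)
    for env, ep in bad:
        bad_eps[env].add(ep)
    return {env: (100 * len(pup_eps[env]) / n, 100 * len(bad_eps[env]) / n)
            for env, n in endpoint_counts.items()}


def quartile_comparison(rates):
    """Average bad rate in the top vs bottom quartile of environments by PUP rate."""
    ordered = sorted(rates.values())  # tuples sort by PUP rate first
    q = max(1, len(ordered) // 4)
    avg = lambda rows: sum(r[1] for r in rows) / len(rows)
    return avg(ordered[-q:]), avg(ordered[:q])


if __name__ == "__main__":
    print("PUP-first share:", round(pup_precursor_rate(RECORDS), 3))
    top, bottom = quartile_comparison(env_rates(RECORDS, ENDPOINT_COUNTS))
    print("avg bad %: top quartile", top, "bottom quartile", bottom)
```

The only environment-level input besides the detections is the endpoint count from the software or asset inventory; without it the percentages cannot be normalised, which is one more reason the inventory the page recommends matters for measurement as well as for control.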
This is not to say that ALL third-party utilities, browser extensions, P2Ps, and VPNs are bad. Some organizations require these types of programs, but those that do should remember to employ due diligence in researching and selecting them from an enterprise-class, reputable vendor.
Otherwise, it’s helpful to have an updated software inventory and organizational policy regarding PUPs. Beyond that, security departments should consider developing software review and approval processes, application whitelists, and remediation playbooks for PUPs, to name a few controls.