Blog | G5 Cyber Security

HIPS as MAC: Practical Considerations

TL;DR

Host Intrusion Prevention Systems (HIPS) can behave *like* Mandatory Access Control (MAC), but they are not a replacement for it. A HIPS restricts what individual applications may do, which resembles MAC’s subject/object restrictions. The difference is in where and how the decision is made: a HIPS enforces vendor rules and signatures layered on top of the operating system, whereas a kernel MAC such as SELinux or AppArmor attaches a security context or profile to subjects and objects and checks every access inside the kernel’s own access-decision path, which makes it both harder to bypass and more granular. This guide explains how a HIPS achieves MAC-like behaviour, where it falls short, and what to consider when deploying one.

Understanding the Concepts

Before diving in, let’s clarify the two terms:

  • Mandatory Access Control (MAC): the operating system enforces a central, administrator-defined policy on every access. Subjects (processes) and objects (files, sockets, IPC) carry security attributes assigned by the system, and the owner of a resource cannot override the policy. SELinux and AppArmor are Linux kernel implementations.
  • Host Intrusion Prevention System (HIPS): a host security product that watches what applications do (file, registry and network activity) and blocks actions that violate its rules or match known-bad signatures.

MAC is part of the kernel’s access-decision path. A HIPS is a separate product: it may install kernel drivers to observe events, but its policy engine, rules and management agent are an add-on, with much of the logic (and often the decision itself) running in user space. That difference drives everything that follows.

How HIPS Achieves MAC-Like Control

  1. Application Whitelisting/Blacklisting: This is a core feature. By only allowing pre-approved applications to run (whitelisting) or blocking known malicious ones (blacklisting), HIPS restricts the ‘subjects’ that can operate on system resources (‘objects’).
  2. Behavioural Analysis: HIPS observes application actions – file access, registry changes, network connections. Policies are created based on these behaviours. For example:
    • “Block any application attempting to write to the Windows Registry keys associated with startup programs” (the Run and RunOnce keys under Software\Microsoft\Windows\CurrentVersion in HKLM and HKCU).
    • “Allow web browsers to connect to port 80 and 443, but block all other applications from making outbound connections on those ports.”
  3. Rule-Based Control: HIPS uses rules to define allowed and disallowed actions. These rules play the role that the policy plays in a MAC system: they specify what each application can and cannot do. (A MAC policy is not an ACL: ACLs are a discretionary mechanism attached to individual objects, whereas a MAC policy is system-wide and cannot be overridden by an object’s owner.) Rules are typically evaluated in order with a default verdict for anything they do not mention, so the ordering and the default matter as much as the individual rules.
    // Example rule (syntax varies by HIPS vendor)
    IF Application = "notepad.exe" AND FileAccess = "Write" AND Path = "C:\ImportantFile.txt"
    THEN Block
  4. System Call Interception: Some HIPS products hook the boundary between applications and the kernel, either by intercepting system calls directly or by registering for the kernel’s documented notification callbacks (on Windows: file-system minifilters, process and thread creation callbacks, object-handle callbacks and registry callbacks). This lets them enforce policy before an action completes rather than reacting to it afterwards.

    Note: Direct system-call table hooking is rare on modern systems because of its complexity and potential for instability; 64-bit Windows Kernel Patch Protection (PatchGuard) treats it as tampering, so vendors use the supported callback APIs instead. Even then, the decision logic belongs to the vendor’s product, not to the kernel’s own reference monitor.
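The four mechanisms above can be seen working together in a small rule engine. The following is an added example written for this article, not any vendor’s engine or syntax: events, rules, the ordered first-match evaluation, the default verdict that distinguishes whitelisting from blacklisting, and a monitor mode that records decisions without blocking. The rules encode the three behaviours described in the text; the event data, process names and rule names are constructed for the example.

```python
"""Minimal HIPS-style rule engine (added example, not a vendor's product).

An Event is what the sensor sees: which process did what to which target.
Rules are evaluated in order, first match wins, and a default verdict
covers everything no rule mentions. Whitelisting is default="block" with
allow rules; blacklisting is default="allow" with block rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Event:
    process: str   # image name as reported by the sensor, e.g. "notepad.exe"
    action: str    # "file_write", "reg_write" or "net_connect"
    target: str    # file path, registry key, or "host:port"


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str                      # "allow" or "block"
    process: Optional[str] = None     # fnmatch pattern; None matches anything
    action: Optional[str] = None
    target: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        pairs = ((self.process, ev.process), (self.action, ev.action),
                 (self.target, ev.target))
        # Windows image names and paths are case-insensitive, so compare lowercased.
        return all(pat is None or fnmatchcase(val.lower(), pat.lower())
                   for pat, val in pairs)


class Hips:
    def __init__(self, rules, default="allow", mode="enforce"):
        self.rules, self.default, self.mode = list(rules), default, mode
        self.log = []   # (event, verdict, rule name) for every decision

    def evaluate(self, ev: Event):
        """First matching rule wins; otherwise the configured default applies."""
        for r in self.rules:
            if r.matches(ev):
                return r.verdict, r.name
        return self.default, "default"

    def handle(self, ev: Event) -> bool:
        """True if the action may proceed. Monitor mode never blocks; it
        only records what enforce mode would have done."""
        verdict, name = self.evaluate(ev)
        self.log.append((ev, verdict, name))
        return not (verdict == "block" and self.mode == "enforce")


# The three rules described in the text, in this engine's notation.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run*"
RULES = [
    Rule("notepad-important", "block", process="notepad.exe",
         action="file_write", target=r"C:\ImportantFile.txt"),
    Rule("startup-key", "block", action="reg_write", target=RUN_KEY),
] + [
    Rule(f"browser-{b}-{p}", "allow", process=b, action="net_connect", target=f"*:{p}")
    for b in ("msedge.exe", "firefox.exe") for p in (80, 443)
] + [
    Rule(f"web-port-{p}", "block", action="net_connect", target=f"*:{p}")
    for p in (80, 443)
]

# Constructed sample events (not real telemetry).
EVENTS = [
    Event("notepad.exe", "file_write", r"C:\ImportantFile.txt"),
    Event("notepad.exe", "file_write", r"C:\Users\alice\notes.txt"),
    Event("updater.exe", "reg_write", RUN_KEY[:-1] + r"\Updater"),
    Event("msedge.exe", "net_connect", "203.0.113.10:443"),
    Event("dropper.exe", "net_connect", "203.0.113.10:443"),
    Event("dropper.exe", "net_connect", "203.0.113.10:4444"),  # no rule covers this
]


def run(events, default="allow", mode="enforce"):
    """Return the permit/deny decision for each event under the given policy."""
    h = Hips(RULES, default=default, mode=mode)
    return [h.handle(e) for e in events]


if __name__ == "__main__":
    for ev, ok in zip(EVENTS, run(EVENTS)):
        print("ALLOW" if ok else "BLOCK", ev.process, ev.action, ev.target)
```

Run it with the blacklist default and the last event (an unknown binary on an uncovered port) is allowed; switch to `default="block"` and the same ruleset becomes a whitelist that stops it, at the cost of also stopping notepad’s harmless write. That trade-off is the one the setup section below is about.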

Limitations of HIPS as MAC

  1. Signature/Rule Dependency: A HIPS only blocks what its signatures or rules describe. A zero-day exploit or new malware that does something no rule covers passes through, and in a blacklist configuration the default verdict for uncovered behaviour is allow. A kernel MAC is less exposed to this because its policy is default-deny over labelled subjects and objects: an unknown binary gains nothing by being unknown, it simply holds no permissions the policy did not grant.
  2. User Space Operation: Much of a HIPS, including its rule evaluation and management agent, runs as ordinary services and drivers that malware with administrator or kernel-level access (a rootkit, for example) can stop, tamper with or bypass. Vendors add self-protection, but the HIPS remains a component installed in the system rather than the system’s own access-control mechanism. A kernel MAC policy, by contrast, applies to every process, including root or SYSTEM, unless the policy itself grants the right to change it.
  3. Complexity of Rule Creation: Creating and maintaining comprehensive rules is complex and time-consuming and requires a deep understanding of application behaviour. False positives (blocking legitimate applications) are common, which is why tightly restrictive rules tend to be loosened over time.
  4. Granularity: HIPS rules are typically keyed on process names, paths and ports. A kernel MAC can express constraints per label, per permission (read versus write versus execute) and per domain transition, so it can say “only the backup domain may read secret files” without enumerating binaries, and renaming an executable does not change the label it runs under.
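The rule-dependency and granularity points can be made concrete by putting a name-keyed HIPS rule next to a tiny label-based policy. The following is an added illustration written for this article, not code from any HIPS product or from SELinux: the type-enforcement model is deliberately simplified (only the rules relevant to one secret file are listed), and the file paths, labels, domain names and process names are all made up for the example.

```python
"""Added example: why a name-keyed HIPS rule is not a MAC policy.

HIPS side: a blacklist rule keyed on the image name, as a HIPS rule is.
MAC side: a toy type-enforcement policy (SELinux-style, simplified for
illustration). Every subject and object carries a label assigned by the
system, and only explicitly allowed (domain, type, permission) triples are
permitted. All labels, types and paths are invented for the example.
"""
from typing import NamedTuple


class Access(NamedTuple):
    exe_path: str   # executable the process was started from
    perm: str       # "read" or "write"
    obj_path: str


SECRET = r"C:\Secrets\db-password.txt"

# --- HIPS-style: block a known-bad tool by name ----------------------------
BLOCKED_IMAGES = {"evil.exe"}


def hips_permits(a: Access) -> bool:
    """Blacklist semantics: block the named tool, allow everything else."""
    image = a.exe_path.rsplit("\\", 1)[-1].lower()
    if image in BLOCKED_IMAGES and a.obj_path == SECRET:
        return False
    return True


# --- MAC-style type enforcement --------------------------------------------
# File labels are attached to the object, not derived from the name the
# caller uses. Files the policy does not know get a default type.
FILE_TYPES = {
    SECRET: "secret_t",
    r"C:\Program Files\Backup\backup.exe": "backup_exec_t",
}
# Executing a file of a given type puts the new process in a domain.
DOMAIN_TRANSITION = {"backup_exec_t": "backup_t"}
# The policy: the only permitted way to touch secret_t is a read from backup_t.
ALLOW = {("backup_t", "secret_t", "read")}


def file_type(path: str) -> str:
    return FILE_TYPES.get(path, "default_t")


def process_domain(exe_path: str) -> str:
    # A binary the policy does not know lands in an untrusted domain,
    # whatever it is called and wherever it was copied to.
    return DOMAIN_TRANSITION.get(file_type(exe_path), "untrusted_t")


def mac_permits(a: Access) -> bool:
    """Default deny: only triples listed in ALLOW succeed."""
    return (process_domain(a.exe_path), file_type(a.obj_path), a.perm) in ALLOW


# Constructed accesses: the known tool, the same tool renamed, and the
# legitimate backup job reading and then writing the secret.
ATTEMPTS = {
    "known":        Access(r"C:\Temp\evil.exe", "read", SECRET),
    "renamed":      Access(r"C:\Temp\update.exe", "read", SECRET),
    "backup-read":  Access(r"C:\Program Files\Backup\backup.exe", "read", SECRET),
    "backup-write": Access(r"C:\Program Files\Backup\backup.exe", "write", SECRET),
}


def compare():
    """(hips_verdict, mac_verdict) per attempt; True means permitted."""
    return {k: (hips_permits(a), mac_permits(a)) for k, a in ATTEMPTS.items()}


if __name__ == "__main__":
    for k, (h, m) in compare().items():
        print(f"{k:12} HIPS={'allow' if h else 'block'}  MAC={'allow' if m else 'block'}")
```

The renamed copy defeats the HIPS rule because the rule identifies its subject by a string the attacker controls, while the MAC side never consults the name: the process inherits its domain from the labelled executable it was started from, and an unlabelled binary has no permissions at all. The write attempt shows the per-permission granularity the text refers to, which the name-keyed rule cannot express without a second rule for every verb.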

Practical Setup Considerations

  1. Choose a Reputable Vendor: Select a well-established vendor with timely signature updates and good support. Today HIPS functionality is usually delivered as the prevention component of an endpoint protection platform (e.g., CrowdStrike Falcon, SentinelOne Singularity XDR) rather than as a standalone product.
  2. Start in Monitor Mode: Initially configure the HIPS in monitor mode to observe application behaviour without blocking anything. This helps identify legitimate applications and create accurate rules.
    // Illustrative command only; "hipscli" is a placeholder, real CLIs differ by vendor
    hipscli --mode monitor
  3. Gradually Implement Rules: Start with broad rules and gradually refine them based on observed behaviour. Focus on critical system areas first (e.g., startup programs, registry keys).
  4. Whitelisting vs. Blacklisting: Whitelisting is generally more secure but requires more effort to maintain. Blacklisting is easier to set up but less effective against new threats. A combination of both approaches is often best.
  5. Regular Updates: Keep the HIPS software and its signatures/rules updated to protect against the latest threats.
    // Illustrative command only; "hipscli" is a placeholder, real CLIs differ by vendor
    hipscli --update
  6. Integration with Other Security Tools: Integrate HIPS with other security tools, such as endpoint detection and response (EDR) systems and threat intelligence feeds, for a more comprehensive security posture.
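Steps 2 through 4 describe one workflow: observe in monitor mode, turn what was observed into rules, then enforce with whitelist semantics. The following added example, written for this article and not taken from any vendor’s tooling, walks through that workflow end to end. The monitor-mode log lines, the log format, the process names and the paths are all constructed for the example; the generalisation rules (keep only the port for network targets, keep the directory and drop the user-profile name for file targets) are one reasonable choice among many.

```python
"""Added example: the monitor-then-enforce rollout described in the setup steps.

Phase 1 collects monitor-mode telemetry into a per-application baseline.
Phase 2 generalises each observed target into an allow pattern so the
ruleset does not hard-code one user's profile or one file name.
Phase 3 enforces with whitelist semantics: anything outside the baseline
is blocked. Log format and data are invented for the example.
"""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed monitor-mode log: "timestamp process action target".
MONITOR_LOG = r"""
2024-05-01T09:00:01 outlook.exe net_connect mail.example.com:443
2024-05-01T09:00:02 outlook.exe file_write C:\Users\alice\AppData\Local\Microsoft\Outlook\cache.dat
2024-05-01T09:01:10 msedge.exe net_connect www.example.com:443
2024-05-01T09:01:11 msedge.exe file_write C:\Users\alice\Downloads\report.pdf
2024-05-01T09:05:00 backup.exe file_write D:\Backups\daily.bak
""".strip().splitlines()


def parse(line: str):
    _ts, process, action, target = line.split(" ", 3)
    return process.lower(), action, target


def generalise(action: str, target: str) -> str:
    """Turn one observed target into a pattern covering its siblings:
    network targets keep only the port, file targets keep the directory
    and replace the user-profile name with a wildcard."""
    if action == "net_connect":
        return "*:" + target.rsplit(":", 1)[1]
    directory = target.rsplit("\\", 1)[0]
    directory = re.sub(r"^([A-Za-z]:\\Users\\)[^\\]+", r"\1*", directory)
    return directory + r"\*"


def learn_baseline(lines):
    """process -> set of (action, target pattern) seen in monitor mode."""
    baseline = defaultdict(set)
    for line in lines:
        process, action, target = parse(line)
        baseline[process].add((action, generalise(action, target)))
    return dict(baseline)


def enforce(baseline, process, action, target) -> bool:
    """Whitelist semantics: unknown process or unseen behaviour -> block."""
    allowed = baseline.get(process.lower())
    if not allowed:
        return False
    return any(act == action and fnmatchcase(target.lower(), pat.lower())
               for act, pat in allowed)


BASELINE = learn_baseline(MONITOR_LOG)

# Constructed post-rollout events: two legitimate variations of observed
# behaviour (different user, different mail host), one unknown binary,
# and a known binary doing something it was never seen doing.
CHECKS = [
    ("msedge.exe", "file_write", r"C:\Users\bob\Downloads\invoice.pdf"),
    ("outlook.exe", "net_connect", "mail2.example.com:443"),
    ("dropper.exe", "net_connect", "203.0.113.10:443"),
    ("outlook.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
]


def decisions():
    """Enforce-mode verdict for each check; True means permitted."""
    return [enforce(BASELINE, *c) for c in CHECKS]


if __name__ == "__main__":
    for (p, a, t), ok in zip(CHECKS, decisions()):
        print("ALLOW" if ok else "BLOCK", p, a, t)
```

The two legitimate variations pass only because the patterns were generalised before enforcement was switched on; a baseline of literal paths would have produced exactly the false positives the text warns about. How far to generalise is the judgement call in step 3: too literal and users are blocked, too broad (a bare `*` for every file write) and the whitelist no longer constrains anything.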