Whitelisting, blacklisting, and greylisting control IT access through their respective principles of explicit trust, distrust, and quarantining.
Also known as allowlisting, denylisting, and tracklisting, respectively, these cybersecurity principles apply broadly throughout information technology (IT) and can help manage a wide range of threats across assets and sources.
We will explore the pros, cons, and use cases for each technique, in brief in the chart below and then in greater depth.
| Technique | Security type | Default Setting | When to Use | Main Drawback |
|---|---|---|---|---|
| Whitelist (aka: Allowlist) | Trust-centric | Always Deny | Strictly limit access to known good sources | Difficult to maintain |
| Blacklist (aka: Denylist) | Threat-centric | Always Allow | Block known malicious sources | Never-ending process |
| Greylist (aka: Tracklist) | Threat-centric | Quarantine, then investigate | Quarantine potentially malicious sources | Can block legitimate sources |
Table of Contents
Take control of what can run on your endpoint with ThreatLocker® Allowlisting
ThreatLocker® Allowlisting implements least privilege technologies to:
What is Whitelisting?
Whitelisting, or allowlisting, uses the fundamental principles of “zero trust” to deny access by default and only allows explicitly permitted sources to access an asset. Whitelisting can be applied to any asset (network, endpoint, application, etc.) to permit specific access to any type of source (users, devices, applications, IP addresses, etc.).
The U.S. National Institute of Standards and Technology (NIST) has published a Guide to Application Whitelisting that recommends using two of the following attributes together to define an application for whitelisting:
- File Path allows all applications to execute within a specific file path or directory, which is a broad attribute that can’t prevent malicious software from executing within the correct path.
- File Name allows a particular naming convention to execute but does not check for renamed malicious files or malware-infected files.
- File Size checks for the file size only, and can easily allow malware of the appropriate file size to execute.
- Digital Signature can be a unique value for an application, but may become obsolete as patches and updates are applied.
- Cryptographic Hash enables the most unique and least spoofable value for whitelisting, but will be invalidated by any patching and updates applied to the software.
These guidelines apply specifically to applications, but the methods help to illustrate considerations that apply to whitelisting in general: How to define the allowed source sufficiently to be recognized uniquely, but not so narrowly that slight changes deny access.
Advantages of Whitelisting
Whitelisting very effectively blocks untrusted sources and provides superior protection against malware and attacks. Whitelisting restricts access strictly to already known and trusted sources such as existing and approved apps, users, websites, and IP addresses.
Comparing against a whitelist will be computationally efficient compared to the full analysis of a source. Using whitelists also reduces the possibility of a false positive analysis that incorrectly declares a malicious source to be safe.
A hidden benefit (and challenge) is that whitelisting forces the enforcement of basic asset and user tracking. Assets and users that are not included in the whitelist will be rejected, which will automatically deny rogue devices, unauthorized software, and unauthorized users.
| Whitelisting Advantages | Whitelisting Disadvantages |
|---|---|
• Blocks untrusted sources• Computationally efficient• Enforces basic asset and user tracking strictly | • Labor intensive• Time consuming• Can slow productivity |
Disadvantages of Whitelisting
Whitelisting can be labor-intensive and time-consuming to maintain. Every new user, device, application, or IP address will be initially denied until the team maintaining the whitelists can add the information to every relevant whitelist.
Delays in adding resources to whitelists will slow productivity and make the security team a potential bottleneck unless the whitelisting can be linked to resources such as identity and access management (IAM), privileged access management (PAM), Network Access Control (NAC), Active Directory groups, etc. To counteract such delays, organizations need to be proactive with onboarding and adding resources so that the teams adding resources to whitelists will be notified in a timely manner or self-service options can be made available.
Whitelisting Use Cases
Whitelisting should be used whenever the access can be well-defined, such as for internal resources. Examples of effective whitelisting use cases include:
- Email address whitelisting to ensure proper email delivery from trusted senders in an email security program
- IP address whitelisting on a firewall for branch offices
- Web address whitelisting on a server to reduce the potential outside connections for a vulnerable asset
- Device MAC Address whitelisting to allow access to corporate devices on a network
- Application whitelisting for corporate applications to access an internal database
- User whitelisting for an internal corporate application
What is Blacklisting?
Blacklisting, or denylisting, is a security measure that blocks known malicious users, IP addresses, web sites, machines, or programs from accessing an organization’s resources. Many security solutions will build in a blacklist as part of an anti-malware or an attack-blocking security feature and an organization can manually add to some lists. Blacklisting does not satisfy the principles of zero trust because the default condition for access will be to generally allow access unless blacklisted.
Advantages of Blacklisting
Blacklisting proactively blocks malicious sources and can be accomplished without great technical effort. Similarly to whitelisting, blacklisting effectively blocks untrustworthy sources and reduces the danger of false negatives in which a legitimate source is incorrectly declared to be malicious.
| Blacklisting Advantages | Blacklisting Disadvantages |
|---|---|
• Blocks untrusted sources• Reduces false negatives in threat detection | • Labor intensive• Time delayed• More risky than whitelisting• Useless against unknown threats |
Disadvantages of Blacklisting
For manual blacklists, the process is simple, but labor intensive. As with an infinitely large game of whack-a-mole, malicious actors can easily change IP addresses, URLs, machines, and users to constantly add to the list of items to add to a blacklist. For example, every day over 450,000 new potentially malicious or unwanted applications are registered by the AV-TEST Institute.
Many commercial tools (next generation firewalls, secure web gateways, antivirus, endpoint detection and response, etc.) will automatically update blacklists. However, there will naturally be a delay between the launch of a malicious campaign (malware, malicious IP, malicious spam url, etc.), the detection of the malicious component, and its addition to a blacklist.
However, once a device, URL, or IP address is blocked, it will become difficult to remove it. A potential customer placed on the blacklist because of a previous (and since removed) botnet infection will find it difficult to use the blacklisted domain or device to contact the organization to be removed from the blacklist.
Lastly, unknown threats cannot be stopped by a blacklist. Blacklists require a threat to be identified distinctly in order to be added.
Blacklisting Use Cases
Blacklisting will often be the solution of choice when the potential access sources cannot be easily defined, such as for public resources. Examples of effective blacklisting use cases include:
- Email address blacklisting of known spam or malware-sending email addresses in an email security program
- IP address blacklisting of the source of malicious attacks in a firewall
- Web address blacklisting of pornography websites on a DNS server
- Device MAC Address blacklisting of known-malicious devices such as known botnets
- Application blacklisting such as malware signatures in an antivirus program
- User blacklisting of user that violated community rules in a discussion forum
What is Greylisting
Greylisting, or tracklisting, is equivalent to a less-stringent blacklist. Greylisted items are temporarily blocked until they can be further analyzed and confirmed to be either safe or dangerous. Tools can automatically quarantine users, email addresses, IP addresses, and other items until it is determined if they should be moved to a whitelist or a blacklist.
Advantages of Greylisting
Greylists provide temporary protection against potential threats until they can be analyzed. Commercial tools that use greylisting will typically recognize new sources or unusual activity on existing sources and perform automatic actions to add the source to a greylist pending further investigation.
Similar to blacklisting and whitelisting, greylisting can block untrusted sources and reduce false negatives in threat detection that might otherwise allow malicious sources incorrect levels of access. Greylisting can be used more aggressively than blacklisting since formal processes for review can be established and executed to evaluate greylist sources regularly.
| Greylisting Advantages | Greylisting Disadvantages |
|---|---|
• Blocks untrusted sources• Reduces false negatives in threat detection | • Labor intensive• Time delays• Can slow productivity |
Disadvantages of Greylisting
Although tools can automatically add sources to a greylist, IT staff must often manually review quarantine lists for categorization. This can be labor-intensive and introduce time delays for legitimate sources.
As with blacklisting, a near-infinite number of new sources can attempt to access company resources and be added to a greylist, including many legitimate sources that may simply be new. Greylists can more effectively stop unknown threats than a blacklist, but will introduce more false positives (adding legitimate sources to the greylist) because it will generally be applied more aggressively than a blacklist.
Greylisting Use Cases
Greylists, similar to blacklists, will be most effectively applied to public resources when the list of potential access sources cannot be easily defined. Greylists should be used instead of blacklists to quickly quarantine suspicious sources for future review.
Many tool providers use artificial intelligence (AI) or machine learning (ML) algorithms to detect anomalies and new sources to automatically add them to a greylist. Examples of effective greylisting include:
- Email address greylisting of potential spam resources (most common usage)
- IP address greylisting of suspicious packets passing through a firewall
- Web address greylisting of URLs with recent creation dates (often an indicator of malware sources) on a secure web gateway
- Device MAC Address greylisting of devices for an internal network that don’t meet patch update requirements and pushing those devices into a DMZ network pending remediation
- Application greylisting for unknown applications on a company computer that just connected to the network
- User greylisting of self-enrolled users pending internal approval for access to an application or network
Whitelisting vs. Blacklisting vs Greylisting? Use Them All
Blacklisting, whitelisting, and greylisting all perform specific functions with specific pros and cons. However, all three protect against malware or malicious access and thus generally reduce vulnerabilities and the risks from outside threats.
However, none of these solutions are foolproof. Malicious devices can use stolen whitelisted user credentials, malicious users can compromise whitelisted devices, and attackers can spoof whitelisted resources to cause damage.
Similarly, some users, IP addresses, or devices added to a blacklist may be temporarily compromised, such as a computer infected with a botnet used to generate distributed denial of service (DDoS) attacks. Once the botnet infection is removed, the device will return to being a legitimate user unworthy of a blacklist.
Despite potential weaknesses, each technique independently improves security, and becomes even more powerful when used in combination with each other. Examples of lists used in combination include:
- Blacklist known malware domains on firewalls protecting a network, greylist unknown devices, and whitelist known, trusted users and machines to access a network management console
- A secure web gateway may offer a whitelist for known-good devices, a blacklist for known-malicious URLs, and a greylist for suspicious users, devices, and URLs
A combined approach reduces the likelihood that a single mistake on any one list will lead to significant damage either to the organization (from malicious attacks) or to operations (from inappropriately denied access).
To determine the optimal mix for an organization, the managing security team must determine:
- How many resources can be deployed to maintaining lists or evaluating quarantined sources?
- How strict or flexible should access be to specific resources?
- What are acceptable risks?
- How will these techniques complement and improve the security stack?
Alternative Terms
Although whitelisting, blacklisting and greylisting remain industry standard terms, many users, vendors, and organizations now push to use less-loaded terms. The colors of white, black, and gray link uncomfortably to racial prejudice and will probably be phased out within a few years.
Many vendors, such as VMware, have already made the transition, so professionals need to be familiar with all variations so they can locate the appropriate options within their security tools:
- Whitelist: allowlist, allow-list, permitted-list, approved-list
- Blacklist: denylist, deny-list, blocked-list, disapproved-list
- Greylist (or graylist): track list, inspect list, quarantine list
Bottom Line: All Listing Techniques Strengthen a Security Stack
Whitelisting, blacklisting, and greylisting all play important roles in protecting data and assets. However, they each also have limitations so these techniques cannot be relied upon independently. To be truly effective, an organization must incorporate listing strategies into their security stack in a way that reduces their risk without overly taxing their resources.
Read next:
This article was originally written by John Iwouzor on August 26, 2021. It was updated and rewritten by Chad Kime on November 3, 2023.
