Handling of compromised Linux systems
![Page 1: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/1.jpg)
Compromised Linux Systems
Understanding and dealing with break-ins
Ede, 5 February 2016
Michael Boelen
![Page 2: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/2.jpg)
Agenda
Today
1. How do “they” get in
2. Rootkits
3. Malware handling
4. Defenses
![Page 3: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/3.jpg)
Michael Boelen
● Security Tools
  ○ Rootkit Hunter (malware scan)
  ○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
![Page 4: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/4.jpg)
How do “they” get in
![Page 5: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/5.jpg)
Intrusions
● Passwords
● Vulnerabilities
● Weak configurations
![Page 6: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/6.jpg)
Why?
![Page 7: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/7.jpg)
Keeping Control
● Rootkits
● Backdoors
![Page 8: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/8.jpg)
Rootkits 101
![Page 9: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/9.jpg)
Rootkits
● (become | stay) root
● (software) kit
![Page 10: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/10.jpg)
Rootkits
● Stealth
● Persistence
● Backdoors
![Page 11: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/11.jpg)
How to be the best rootkit?
![Page 12: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/12.jpg)
Hiding ★
In plain sight!
/etc/sysconfig/…
/tmp/mysql.sock
/bin/audiocnf
![Page 13: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/13.jpg)
Hiding ★★
Slightly advanced
● Rename processes
● Delete file from disk
● Backdoor binaries
![Page 14: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/14.jpg)
Hiding ★★★
Advanced
● Kernel modules
● Change system calls
● Hidden passwords
![Page 15: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/15.jpg)
Demo
![Page 16: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/16.jpg)
Demo
![Page 17: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/17.jpg)
Demo
![Page 18: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/18.jpg)
Continuous Game
![Page 19: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/19.jpg)
Detection
![Page 20: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/20.jpg)
![Page 21: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/21.jpg)
Challenges
● We can’t trust anything
● Even ourselves
● No guarantees
![Page 22: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/22.jpg)
Rootkit Hunter
Detect the undetectable!
![Page 23: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/23.jpg)
Dealing with malware
![Page 24: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/24.jpg)
● Owner?
● Risk?
● What if we pull the plug?
Activate your plan!
![Page 25: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/25.jpg)
Quarantine
● VLAN
● Bogus DNS
● Looks Real™
![Page 26: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/26.jpg)
Consider Research
Memory dump (Volatility)
Static analysis
![Page 27: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/27.jpg)
Restore
Does it include malware?
![Page 28: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/28.jpg)
Defense
![Page 29: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/29.jpg)
Best protection
At least
● Perform security scans
● Collect data
● System Hardening
![Page 30: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/30.jpg)
Frameworks / Patches
● SELinux
● AppArmor
● Grsecurity
![Page 31: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/31.jpg)
Compilers
● Remove
● Limit usage
![Page 32: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/32.jpg)
Harden Applications
● Use chroot
● Limit permissions
● Change defaults
![Page 33: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/33.jpg)
Kernel Hardening
● sysctl -a
● Don’t allow ptrace
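The slide names `sysctl -a` and a ptrace restriction as kernel hardening knobs. As an added example (not from the original presentation), this shell script audits a `sysctl -a` dump against a small hardening baseline, including `kernel.yama.ptrace_scope`; the baseline keys, their expected values and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original slides): check a `sysctl -a` dump
# against a small hardening baseline, including the ptrace restriction
# the slide refers to (kernel.yama.ptrace_scope).
# The baseline values and the sample dump are assumptions for illustration.

# Constructed sample in `sysctl -a` output format; on a real host, feed in
# the output of `sysctl -a` from the system under review instead.
SAMPLE_SYSCTL='kernel.yama.ptrace_scope = 0
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 0
fs.protected_symlinks = 1
net.ipv4.ip_forward = 0'

# Assumed baseline, one "key expected-value" pair per line:
# ptrace_scope=1 limits ptrace to a process's own descendants,
# suid_dumpable=0 stops setuid programs from leaving core dumps.
BASELINE='kernel.yama.ptrace_scope 1
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
fs.protected_symlinks 1
fs.suid_dumpable 0'

# get_value DUMP KEY: print the value of KEY in DUMP, or "missing".
get_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k { sub(/^[^=]*= */, ""); print; found = 1 }
        END { if (!found) print "missing" }'
}

# audit_sysctl DUMP: print one line per deviation from BASELINE.
audit_sysctl() {
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(get_value "$1" "$key")
        [ "$have" = "$want" ] || printf '%s: expected %s, found %s\n' "$key" "$want" "$have"
    done
}

# count_findings DUMP: number of deviations (0 means the baseline is met).
count_findings() {
    audit_sysctl "$1" | grep -c . || true
}

audit_sysctl "$SAMPLE_SYSCTL"
```

A key absent from the dump is reported as "missing" rather than silently passing, which matters for a Yama-less kernel where ptrace_scope does not exist at all.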
![Page 34: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/34.jpg)
Automation
![Page 35: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/35.jpg)
Tip: Lynis
● Linux / UNIX
● Open source
● GPLv3
![Page 36: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/36.jpg)
Conclusions
![Page 37: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/37.jpg)
Conclusions
● Good rootkits are hard to detect
● Use cost-effective methods
● Detect
● Restore
● Learn
● Apply hardening
![Page 38: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/38.jpg)
You finished this presentation
Success!
![Page 39: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/39.jpg)
More Linux security?
Presentations: michaelboelen.com/presentations/
Follow
● Blog Linux Audit (linux-audit.com)
● Twitter @mboelen
![Page 40: Handling of compromised Linux systems](https://reader031.vdocuments.us/reader031/viewer/2022022202/587b42171a28ab9c0e8b5e43/html5/thumbnails/40.jpg)