Linux Systems Compromised: Understanding and dealing with break-ins (PowerPoint PPT presentation)


SLIDE 1

Linux Systems

Compromised

Understanding and dealing with break-ins

Ede, 5 February 2016

Michael Boelen

michael.boelen@cisofy.com

SLIDE 2

Agenda

Today

  • 1. How do “they” get in
  • 2. Rootkits
  • 3. Malware handling
  • 4. Defenses


SLIDE 3

Michael Boelen

  • Security Tools

    ○ Rootkit Hunter (malware scan)
    ○ Lynis (security audit)

  • 150+ blog posts
  • Founder of CISOfy


SLIDE 4

How do “they” get in

SLIDE 5

Intrusions

  • Passwords
  • Vulnerabilities
  • Weak configurations


SLIDE 6

Why?


SLIDE 7

Keeping Control

  • Rootkits
  • Backdoors


SLIDE 8

Rootkits 101

SLIDE 9

Rootkits

  • (become | stay) root
  • (software) kit


SLIDE 10

Rootkits

  • Stealth
  • Persistence
  • Backdoors


SLIDE 11

How to be the best rootkit?

SLIDE 12

Hiding ★

In plain sight!

  • /etc/sysconfig/…
  • /tmp/mysql.sock
  • /bin/audiocnf


SLIDE 13

Hiding ★★

Slightly advanced

  • Rename processes
  • Delete file from disk
  • Backdoor binaries


SLIDE 14

Hiding ★★★

Advanced

  • Kernel modules
  • Change system calls
  • Hidden passwords

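The three hiding levels on slides 12 to 14 each leave a cheap inconsistency behind, and the script below turns them into checks. It is an added example written for this page, not Rootkit Hunter's code: a socket-looking name in a temp directory that is really an executable (level 1), a process whose binary was deleted or whose kernel-side name no longer matches its executable (level 2), and a kernel module that still has a sysfs directory after being unlinked from the module list (level 3). Every function takes a root directory so it can be run against a constructed /proc and /sys tree; with no arguments it inspects the live host. The names /bin/audiocnf and /tmp/mysql.sock in the test fixture reuse the slide's examples; the chosen paths and the 15-character rule are assumptions documented in the comments.

```shell
#!/usr/bin/env bash
# Consistency checks for the three hiding levels on the slides.
# Added example written for this page, not Rootkit Hunter's code.
# Every check takes a root directory so it can run against a constructed
# /proc and /sys tree; with no arguments it inspects the live host.

# Level 1, "in plain sight": something named like a UNIX socket in a temp
# directory that is really a regular, executable file (a real socket is
# file type "s", never "f"). Prints one path per line.
find_fake_sockets() {
  local root="${1:-/}" dir
  for dir in "${root%/}/tmp" "${root%/}/var/tmp"; do
    [ -d "$dir" ] || continue
    find "$dir" -maxdepth 2 -type f -name '*.sock' -perm -u+x
  done
  return 0
}

# Level 2: a process whose binary was deleted from disk after it started
# (the kernel appends " (deleted)" to the /proc/<pid>/exe link target), or
# whose kernel-side name (comm, settable with prctl(PR_SET_NAME)) does not
# match the executable it was really started from. comm is limited to
# 15 characters, so only that prefix of the basename is compared.
# Expect some noise on a live host: /bin/sh -> dash and interpreters such as
# python3 -> python3.11 show up too and need triage, not alarm.
find_suspicious_processes() {
  local proc="${1:-/proc}" dir pid exe comm base
  for dir in "$proc"/[0-9]*; do
    [ -d "$dir" ] || continue
    pid="${dir##*/}"
    exe="$(readlink "$dir/exe" 2>/dev/null)" || continue   # kernel threads have no exe
    read -r comm 2>/dev/null < "$dir/comm" || continue
    case "$exe" in
      *' (deleted)') echo "$pid deleted-binary $exe"; continue ;;
    esac
    base="$(printf '%s' "${exe##*/}" | cut -c1-15)"
    [ "$base" = "$comm" ] || echo "$pid renamed $comm -> $exe"
  done
  return 0
}

# Level 3: a kernel module unlinked from the kernel's module list (so it is
# gone from /proc/modules and lsmod) that still has its sysfs directory.
# Only entries with an initstate file are loadable modules; built-in code
# with parameters also appears under /sys/module and is skipped. A rootkit
# that also removes its kobject passes this check: it is a cheap cross-check,
# not a guarantee (slide 21: "no guarantees").
find_hidden_modules() {
  local sys="${1:-/sys}" proc="${2:-/proc}" dir name
  for dir in "$sys"/module/*/; do
    [ -f "$dir/initstate" ] || continue
    name="$(basename "$dir")"
    grep -q "^$name " "$proc/modules" || echo "hidden-module $name"
  done
  return 0
}

# Convenience entry point for the live host: source this file, then call it.
run_all_checks() {
  find_fake_sockets
  find_suspicious_processes
  find_hidden_modules
}
```

Source the file and call `run_all_checks` as root so every /proc/<pid>/exe link is readable; an empty result means only that these three inconsistencies were not found, not that the host is clean.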

SLIDE 15

Demo

SLIDE 16

Demo


SLIDE 17

Demo


SLIDE 18

Continuous Game


SLIDE 19

Detection

SLIDE 20

SLIDE 21

Challenges

  • We can’t trust anything
  • Even ourselves
  • No guarantees


SLIDE 22

Rootkit Hunter

Detect the undetectable!


SLIDE 23

Dealing with malware

SLIDE 24

  • Owner?
  • Risk?
  • What if we pull the plug?

Activate your plan!


SLIDE 25

Quarantine

  • VLAN
  • Bogus DNS
  • Looks Real™

SLIDE 26

Consider Research

  • Memory dump (Volatility)
  • Static analysis

SLIDE 27

Restore

Does it include malware?


SLIDE 28

Defense

SLIDE 29

Best protection

At least

  • Perform security scans
  • Collect data
  • System Hardening


SLIDE 30

Frameworks / Patches

  • SELinux
  • AppArmor
  • Grsecurity


SLIDE 31

Compilers

  • Remove
  • Limit usage


SLIDE 32

Harden Applications

  • Use chroot
  • Limit permissions
  • Change defaults


SLIDE 33

Kernel Hardening

  • sysctl -a
  • Don’t allow ptrace

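The two bullets above become repeatable once the expected values are written down. The script below is an added example written for this page (not Lynis code): a small sysctl baseline, an audit that compares it with what the kernel exposes under /proc/sys, and a one-liner to enforce it through sysctl.d. The keys and values are assumptions about a generic server, not taken from the talk; kernel.yama.ptrace_scope is the knob behind "don't allow ptrace". The audit takes the /proc/sys root as a parameter so it can be tested against a constructed tree.

```shell
#!/usr/bin/env bash
# Kernel hardening baseline and audit, in the spirit of "sysctl -a" and
# "don't allow ptrace". Added example written for this page, not Lynis code.
# The keys and values below are assumptions about a generic server, not
# taken from the talk; adjust them to the workload before enforcing.

# One key=value per line. kernel.yama.ptrace_scope is the knob behind
# "don't allow ptrace": 0 lets a process ptrace any other process of the
# same uid (one compromised account can read the memory of its other
# processes), 1 only allows attaching to descendants, 2 requires
# CAP_SYS_PTRACE, and 3 disables attach entirely and cannot be lowered
# again until reboot.
hardening_baseline() {
  cat <<'EOF'
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.suid_dumpable=0
EOF
}

# Compare the baseline with what the kernel exposes under a /proc/sys tree.
# Prints "key expected actual" for every deviation; actual is "missing" when
# the kernel has no such key (for ptrace_scope that means the Yama LSM is
# not built in or not enabled, so ptrace cannot be restricted this way).
# Pass /proc/sys on a live host, or a constructed tree for testing.
audit_sysctl() {
  local root="${1:-/proc/sys}" key expected actual path
  hardening_baseline | while IFS='=' read -r key expected; do
    [ -n "$key" ] || continue
    path="${root%/}/$(printf '%s' "$key" | tr . /)"   # a.b.c -> a/b/c
    if [ -r "$path" ]; then
      read -r actual < "$path"
    else
      actual=missing
    fi
    [ "$actual" = "$expected" ] || echo "$key $expected $actual"
  done
  return 0
}

# To enforce the baseline on a live host (needs root):
#   hardening_baseline > /etc/sysctl.d/90-hardening.conf && sysctl --system
```

Run `audit_sysctl` before and after `sysctl --system`; a key reported as `missing` is not a typo to fix but a kernel or LSM that does not offer the control, which is worth knowing before relying on it.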

SLIDE 34

Automation

SLIDE 35

Tip: Lynis

  • Linux / UNIX
  • Open source
  • GPLv3


SLIDE 36

Conclusions

SLIDE 37

Conclusions

  • Good rootkits are hard to detect
  • Use cost-effective methods
  • Detect
  • Restore
  • Learn
  • Apply hardening


SLIDE 38

You finished this presentation. Success!

SLIDE 39

More Linux security?

Presentations

michaelboelen.com/presentations/

Follow

  • Blog

Linux Audit (linux-audit.com)

  • Twitter

@mboelen


SLIDE 40