Linux Systems Compromised Understanding and dealing with break-ins Michael Boelen michael.boelen@cisofy.com Ede, 5 February 2016
Agenda Today
1. How do “they” get in
2. Rootkits
3. Malware handling
4. Defenses
Michael Boelen
● Security Tools
  ○ Rootkit Hunter (malware scan)
  ○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
How do “they” get in
Intrusions
● Passwords
● Vulnerabilities
● Weak configurations
Why?
Keeping Control
● Rootkits
● Backdoors
Rootkits 101
Rootkits
● (become | stay) root
● (software) kit
Rootkits
● Stealth
● Persistence
● Backdoors
How to be the best rootkit?
Hiding ★ In plain sight!
/etc/sysconfig/…
/tmp/mysql.sock
/bin/audiocnf
Hiding ★★ Slightly advanced
● Rename processes
● Delete file from disk
● Backdoor binaries
Hiding ★★★ Advanced
● Kernel modules
● Change system calls
● Hidden passwords
Demo
Continuous Game
Detection
Challenges
● We can’t trust anything
● Even ourselves
● No guarantees
Rootkit Hunter: Detect the undetectable!
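The "slightly advanced" hiding tricks from the Hiding ★★ slide (renamed processes, binaries deleted from disk after launch) and the detection challenge above can both be approached from procfs. The script below is an added example written for this page, not Rootkit Hunter's own code: it flags processes whose executable was unlinked, processes whose name no longer matches the binary they run, and PIDs that answer `kill(pid, 0)` but are missing from `/proc` (the classic hidden-process check). The sample procfs tree built by `build_fake_proc()` is constructed for the example; the path names in it are borrowed from the "in plain sight" slide and are not real findings.

```python
#!/usr/bin/env python3
"""Added example for this page (not Rootkit Hunter code): three procfs checks.

  1. processes whose executable was deleted from disk after launch
  2. processes whose name (comm) does not match the binary they execute
  3. PIDs that exist according to kill(pid, 0) but are absent from /proc

build_fake_proc() creates a constructed sample tree so the checks can be run
without a compromised host; scan_procfs() with no argument scans the live system.
"""
import os
import tempfile

COMM_LEN = 15  # the kernel keeps at most TASK_COMM_LEN - 1 = 15 bytes in comm


def listed_pids(proc_root="/proc"):
    """PIDs visible in procfs, including threads under /proc/<pid>/task.
    kill(2) accepts thread IDs, so leaving threads out would report every
    multi-threaded program as 'hidden'."""
    pids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pids.add(int(name))
        task_dir = os.path.join(proc_root, name, "task")
        try:
            pids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return pids


def probed_pids(max_pid):
    """PIDs that exist according to kill(pid, 0); EPERM still proves existence."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs that exist but procfs does not list: candidates for a hooked readdir."""
    return sorted(probed - listed)


def scan_procfs(proc_root="/proc"):
    """Return {'deleted': [(pid, exe)], 'renamed': [(pid, comm, exe)]}.
    'renamed' is a heuristic: normally comm is a prefix of the exe basename
    (comm is truncated to 15 bytes, and 'python3' vs 'python3.11' is benign)."""
    deleted, renamed = [], []
    for pid in sorted(int(n) for n in os.listdir(proc_root) if n.isdigit()):
        base = os.path.join(proc_root, str(pid))
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, zombie, or a process we may not inspect
        try:
            with open(os.path.join(base, "comm"), "rb") as fh:
                comm = fh.read().decode(errors="replace").strip()
        except OSError:
            comm = ""
        on_disk = exe
        if exe.endswith(" (deleted)"):
            deleted.append((pid, exe))
            on_disk = exe[: -len(" (deleted)")]
        if not os.path.basename(on_disk).startswith(comm[:COMM_LEN]):
            renamed.append((pid, comm, exe))
    return {"deleted": deleted, "renamed": renamed}


def build_fake_proc(root):
    """Constructed sample tree (not a capture): pid -> (exe target, comm)."""
    entries = {
        1: ("/sbin/init", "init"),                         # clean
        431: ("/usr/bin/python3.11", "python3"),           # clean: comm is a prefix
        4242: ("/tmp/mysql.sock (deleted)", "kworker/0:1"),  # unlinked + posing as a kernel thread
        4243: ("/bin/audiocnf", "sshd"),                   # renamed to look like a daemon
    }
    for pid, (exe, comm) in entries.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pid_dir, "task", str(pid)))
        os.symlink(exe, os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "comm"), "w") as fh:
            fh.write(comm + "\n")


def demo():
    """Run the file-based checks against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        result = scan_procfs(root)
        result["listed"] = sorted(listed_pids(root))
        return result


if __name__ == "__main__":
    print("sample tree:", demo())
    live = scan_procfs()
    for pid, exe in live["deleted"]:
        print(f"deleted exe : pid {pid} -> {exe}")
    for pid, comm, exe in live["renamed"]:
        print(f"name mismatch: pid {pid} comm={comm!r} exe={exe}")
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768  # assumption: fall back to the classic default
    print("hidden pids :", hidden_pids(listed_pids(), probed_pids(pid_max)))
```

Run it as root so every `/proc/<pid>/exe` link is readable. A PID that appears in the hidden list can also be a process that started between the two enumerations, so repeat the run before treating it as a finding. The caveat from the Challenges slide applies in full: if the kernel itself is hooked, both `readdir` and `kill` can lie consistently, and this comparison only catches rootkits that hook one path but not the other, which is why the slides pair it with offline research and restore.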
Dealing with malware
Activate your plan!
● Owner?
● Risk?
● What if we pull the plug?
Quarantine
● VLAN
● Bogus DNS
● Looks Real™
Consider Research
● Memory dump (Volatility)
● Static analysis
Restore
● Does it include malware?
Defense
Best protection
At least
● Perform security scans
● Collect data
● System Hardening
Frameworks / Patches
● SELinux
● AppArmor
● Grsecurity
Compilers
● Remove
● Limit usage
Harden Applications
● Use chroot
● Limit permissions
● Change defaults
Kernel Hardening
● sysctl -a
● Don’t allow ptrace
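The Kernel Hardening slide condenses to "read `sysctl -a`, then tighten it, starting with ptrace". The POSIX shell script below is an added example for this page, not Lynis code: it reads a handful of kernel knobs straight from `/proc/sys`, compares each against a baseline, and emits a drop-in for `/etc/sysctl.d/` so the corrected values survive a reboot. The baseline values are this example's assumptions, not something the slides prescribe; `kernel.yama.ptrace_scope` only exists when the Yama LSM is built in, and `3` disables ptrace outright until reboot.

```sh
#!/bin/sh
# Added example (not Lynis code): audit kernel sysctls against a hardening
# baseline and print the drop-in needed to fix them. Reads /proc/sys directly,
# so it also works on minimal systems without the sysctl binary.
#
# Baseline values are assumptions made for this example.
#   kernel.yama.ptrace_scope: 0 = any same-uid process may ptrace (weak),
#     1 = descendants only, 2 = CAP_SYS_PTRACE only, 3 = nobody, ever
BASELINE='
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.randomize_va_space=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
'

# read_sysctl KEY -> prints the running value; prints nothing if the key is absent
read_sysctl() {
    _path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$_path" ] && cat "$_path"
}

# judge KEY ACTUAL EXPECTED -> prints one verdict line
#   returns 0 = meets baseline, 1 = weaker than baseline, 2 = key not present
judge() {
    if [ -z "$2" ]; then
        printf 'MISSING %s (expected %s)\n' "$1" "$3"
        return 2
    elif [ "$2" -ge "$3" ] 2>/dev/null; then   # stricter than baseline is fine
        printf 'OK      %s = %s\n' "$1" "$2"
        return 0
    else
        printf 'WEAK    %s = %s (expected >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# audit -> judges every baseline entry; returns 1 if anything is WEAK or MISSING
audit() {
    _rc=0
    for _entry in $BASELINE; do
        _key=${_entry%%=*}
        _want=${_entry#*=}
        judge "$_key" "$(read_sysctl "$_key")" "$_want" || _rc=1
    done
    return $_rc
}

# sysctl_dropin -> the baseline in sysctl.conf syntax, ready for /etc/sysctl.d/
sysctl_dropin() {
    for _entry in $BASELINE; do
        printf '%s = %s\n' "${_entry%%=*}" "${_entry#*=}"
    done
}

# Usage (as root):
#   sh sysctl_audit.sh
#   sh sysctl_audit.sh dropin > /etc/sysctl.d/90-hardening.conf && sysctl --system
case "${0##*/}" in
    sysctl_audit.sh)
        if [ "$1" = "dropin" ]; then sysctl_dropin; else audit; fi ;;
esac
```

`audit` compares numerically with `>=`, so a host that already runs `ptrace_scope=2` passes the `1` baseline rather than being flagged. After writing the drop-in, confirm with `sysctl -a | grep ptrace_scope` that the running value changed; a value that is right in the file but wrong at runtime usually means another fragment later in `/etc/sysctl.d/` overrides it.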
Automation
Tip: Lynis
● Linux / UNIX
● Open source
● GPLv3
Conclusions
Conclusions
● Good rootkits are hard to detect
● Use cost-effective methods
● Detect
● Restore
● Learn
● Apply hardening
Success! You finished this presentation
More Linux security?
Presentations: michaelboelen.com/presentations/
Follow
● Blog: Linux Audit (linux-audit.com)
● Twitter: @mboelen