
Linux Systems Compromised: Understanding and dealing with break-ins (slide deck)



  1. Linux Systems Compromised: Understanding and dealing with break-ins. Michael Boelen, michael.boelen@cisofy.com. Ede, 5 February 2016

  2. Agenda Today ● 1. How do “they” get in ● 2. Rootkits ● 3. Malware handling ● 4. Defenses

  3. Michael Boelen ● Security Tools ○ Rootkit Hunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts ● Founder of CISOfy

  4. How do “they” get in

  5. Intrusions ● Passwords ● Vulnerabilities ● Weak configurations

  6. Why?

  7. Keeping Control ● Rootkits ● Backdoors

  8. Rootkits 101

  9. Rootkits ● (become | stay) root ● (software) kit

  10. Rootkits ● Stealth ● Persistence ● Backdoors

  11. How to be the best rootkit?

  12. Hiding ★ In plain sight! ● /etc/sysconfig/… ● /tmp/mysql.sock ● /bin/audiocnf

  13. Hiding ★★ Slightly advanced ● Rename processes ● Delete file from disk ● Backdoor binaries

  14. Hiding ★★★ Advanced ● Kernel modules ● Change system calls ● Hidden passwords
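The two "slightly advanced" tricks on slide 13 that leave traces in /proc, a process whose binary was deleted from disk after it started and a process that renamed itself, can be spotted with nothing more than the shell. The script below is an added example, not code from the deck or from Rootkit Hunter: the checks are written as functions so they can be fed constructed data, and scan_proc wires them to a live /proc. The PIDs and paths in the comments and the tests are made up.

```shell
#!/bin/sh
# Added example (not from the slides): detect a running process whose executable was
# unlinked from disk, and a process whose kernel-visible name (comm) does not match
# the executable it is actually running. Needs a Linux /proc and coreutils readlink.

# check_exe_deleted PID EXE_TARGET
# /proc/PID/exe keeps pointing at the original file; once it is unlinked the kernel
# appends " (deleted)" to the link target. Prints a finding and returns 0 on a hit.
check_exe_deleted() {
    pid=$1; target=$2
    case "$target" in
        *" (deleted)")
            printf 'pid %s: running from unlinked binary %s\n' "$pid" "${target% (deleted)}"
            return 0 ;;
    esac
    return 1
}

# check_comm_mismatch PID COMM EXE_TARGET
# comm is what ps/top display and is trivially changed with prctl(PR_SET_NAME); the exe
# link is not. comm is capped at 15 characters, so it is compared as a prefix of the
# executable's basename. Interpreters and daemons that rename their workers will show
# up here too, so treat a hit as a lead to look at, not a verdict.
check_comm_mismatch() {
    pid=$1; comm=$2; target=$3
    base=${target##*/}
    base=${base% (deleted)}
    [ -n "$base" ] || return 1
    case "$base" in
        "$comm"*) return 1 ;;
    esac
    printf 'pid %s: comm "%s" but exe is %s\n' "$pid" "$comm" "$base"
    return 0
}

# scan_proc: run both checks over every process readable in /proc (run as root to see all).
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # kernel threads have no exe; a process may also exit mid-scan or be unreadable
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        read -r comm 2>/dev/null < "$d/comm" || continue
        check_exe_deleted "$pid" "$target"
        check_comm_mismatch "$pid" "$comm" "$target"
    done
    return 0
}

# usage: sh hiding-check.sh --scan
if [ "${1-}" = "--scan" ]; then
    scan_proc
fi
```

Both checks are cheap enough to run from cron; the "slightly advanced" level is exactly what they catch. A kernel-module rootkit (slide 14) that hooks the system calls behind /proc can lie to this script just as easily as to ps, which is the point of the "we can't trust anything" slide later on.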

  15. Demo

  16. Demo

  17. Demo

  18. Continuous Game

  19. Detection

  20. Challenges ● We can’t trust anything ● Even ourselves ● No guarantees

  21. Rootkit Hunter: Detect the undetectable!

  22. Dealing with malware

  23. Activate your plan! ● Owner? ● Risk? ● What if we pull the plug?

  24. Quarantine ● VLAN ● Bogus DNS ● Looks Real™

  25. Consider Research ● Memory dump (Volatility) ● Static analysis

  26. Restore ● Does it include malware?

  27. Defense

  28. Best protection, at least: ● Perform security scans ● Collect data ● System Hardening

  29. Frameworks / Patches ● SELinux ● AppArmor ● Grsecurity

  30. Compilers ● Remove ● Limit usage

  31. Harden Applications ● Use chroot ● Limit permissions ● Change defaults

  32. Kernel Hardening ● sysctl -a (review the current settings) ● Don’t allow ptrace (kernel.yama.ptrace_scope)
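Slides 30 and 32 each name a control without showing what "weak" and "fixed" look like. The script below is an added example, not from the deck or from Lynis: it compares a few sysctl keys, the ptrace one in particular, against a minimum value and checks whether a compiler binary is executable by everyone. The baseline values are an assumption of a sensible server default rather than anything the deck prescribes, the compiler paths are guesses, and the values in the tests are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): baseline check for kernel hardening sysctls and
# for world-executable compilers. Assumes GNU coreutils stat and procps sysctl.

# key and minimum acceptable value (assumed baseline). kernel.yama.ptrace_scope:
#   0 = any process may ptrace another with the same uid (memory and credential theft
#       from a popped service account is one ptrace away)
#   1 = only descendants (the usual default where Yama is built in)
#   2 = only with CAP_SYS_PTRACE
#   3 = no ptrace at all; cannot be lowered again without a reboot
SYSCTL_BASELINE='kernel.yama.ptrace_scope 1
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
fs.protected_symlinks 1
fs.protected_hardlinks 1'

# evaluate_setting KEY ACTUAL MIN -> prints one OK/WEAK/MISSING line; returns 0 only for OK.
# An empty ACTUAL means the key does not exist (e.g. no Yama) or could not be read.
evaluate_setting() {
    key=$1; actual=$2; min=$3
    if [ -z "$actual" ]; then
        printf 'MISSING %s (not present in this kernel or not readable)\n' "$key"
        return 2
    fi
    if [ "$actual" -ge "$min" ] 2>/dev/null; then
        printf 'OK %s=%s\n' "$key" "$actual"
        return 0
    fi
    printf 'WEAK %s=%s (want >= %s)\n' "$key" "$actual" "$min"
    return 1
}

# fix_line KEY MIN -> the line to put in /etc/sysctl.d/99-hardening.conf (then sysctl --system)
fix_line() {
    printf '%s = %s\n' "$1" "$2"
}

# compiler_world_exec MODE -> 0 if an octal mode (as printed by stat -c %a) grants
# execute to "others". Slide 30's "limit usage": chmod 750 plus a dedicated group keeps
# gcc away from a compromised service account without removing the package.
compiler_world_exec() {
    case "$1" in
        *[1357]) return 0 ;;
    esac
    return 1
}

# audit_live: run the checks against the running system and print a fix for each WEAK key.
audit_live() {
    echo "$SYSCTL_BASELINE" | while read -r key min; do
        actual=$(sysctl -n "$key" 2>/dev/null)
        evaluate_setting "$key" "$actual" "$min" || fix_line "$key" "$min"
    done
    # assumed locations; adjust for the distribution at hand
    for c in /usr/bin/cc /usr/bin/gcc /usr/bin/g++ /usr/bin/clang /usr/bin/tcc; do
        [ -e "$c" ] || continue
        mode=$(stat -c %a "$c")
        if compiler_world_exec "$mode"; then
            printf 'WEAK %s mode %s is executable by everyone\n' "$c" "$mode"
        fi
    done
    return 0
}

# usage: sh harden-check.sh --audit
if [ "${1-}" = "--audit" ]; then
    audit_live
fi
```

Raising ptrace_scope to 1 breaks tools that attach to arbitrary processes of the same user (gdb -p, strace -p, some profilers), so choose the value per host role; 3 is a one-way door until reboot.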

  33. Automation

  34. Tip: Lynis ● Linux / UNIX ● Open source ● GPLv3

  35. Conclusions

  36. Conclusions ● Good rootkits are hard to detect ● Use cost-effective methods ● Detect ● Restore ● Learn ● Apply hardening

  37. Success! You finished this presentation

  38. More Linux security? Presentations ● michaelboelen.com/presentations/ Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen

