Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Handling of compromised Linux systems

2,278 views

Published on

This presentation of 40 minutes gives a quick introduction in the world of Linux malware and incident handling. We cover malware, like rootkits and how they hide on the system. Finally we look at how to handle with a compromised system, and go into the possible defenses to limit the risks.

Published in: Technology

Handling of compromised Linux systems

  1. 1. Linux Systems Compromised Understanding and dealing with break-ins Ede, 5 February 2016 Michael Boelen michael.boelen@cisofy.com
  2. 2. Agenda Today 1. How do “they” get in 2. Rootkits 3. Malware handling 4. Defenses 2
  3. 3. Michael Boelen ● Security Tools ○ Rootkit Hunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts ● Founder of CISOfy 3
  4. 4. How do “they” get in
  5. 5. Intrusions ● Passwords ● Vulnerabilities ● Weak configurations 5
  6. 6. Why? 6
  7. 7. Keeping Control ● Rootkits ● Backdoors 7
  8. 8. Rootkits 101
  9. 9. Rootkits ● (become | stay) root ● (software) kit 9
  10. 10. Rootkits ● Stealth ● Persistence ● Backdoors 10
  11. 11. How to be the best rootkit?
  12. 12. Hiding ★ In plain sight! /etc/sysconfig/… /tmp/mysql.sock /bin/audiocnf 12
  13. 13. Hiding ★★ Slightly advanced ● Rename processes ● Delete file from disk ● Backdoor binaries 13
  14. 14. Hiding ★★★ Advanced ● Kernel modules ● Change system calls ● Hidden passwords 14
  15. 15. Demo
  16. 16. Demo 16
  17. 17. Demo 17
  18. 18. Continuous Game 18
  19. 19. Detection
  20. 20. Challenges ● We can’t trust anything ● Even ourselves ● No guarantees 21
  21. 21. Rootkit Hunter Detect the undetectable! 22
  22. 22. Dealing with malware
  23. 23. ● Owner? ● Risk? ● What if we pull the plug? Activate your plan! 24
  24. 24. VLAN Bogus DNS Looks Real™ Quarantine 25
  25. 25. Consider Research Memory dump (Volatility) Static analysis 26
  26. 26. Restore Does it include malware? 27
  27. 27. Defense
  28. 28. Best protection At least ● Perform security scans ● Collect data ● System Hardening 29
  29. 29. Frameworks / Patches ● SELinux ● AppArmor ● Grsecurity 30
  30. 30. Compilers ● Remove ● Limit usage 31
  31. 31. Harden Applications ● Use chroot ● Limit permissions ● Change defaults 32
  32. 32. Kernel Hardening ● sysctl -a ● Don’t allow ptrace 33
  33. 33. Automation
  34. 34. Tip: Lynis ● Linux / UNIX ● Open source ● GPLv3 35
  35. 35. Conclusions
  36. 36. Conclusions ● Good rootkits are hard to detect ● Use cost-effective methods ● Detect ● Restore ● Learn ● Apply hardening 37
  37. 37. You finished this presentation Success!
  38. 38. More Linux security? Presentations michaelboelen.com/presentations/ Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen 39
  39. 39. 40

×