Advertisement
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems
Handling of compromised Linux systems

Check these out next

Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...
NoNameCon
Linux Security
Linux Security
nayakslideshare
Implementing ossec
Implementing ossec
Jeronimo Zucco
Introduction to Exploitation
Introduction to Exploitation
UTD Computer Security Group
If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...
If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...
Codemotion
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
kali linux.pptx
kali linux.pptx
anumeha bhatnagar
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
1 of 40

Handling of compromised Linux systems

Feb. 6, 2016
Download to read offline
Technology

This presentation of 40 minutes gives a quick introduction in the world of Linux malware and incident handling. We cover malware, like rootkits and how they hide on the system. Finally we look at how to handle with a compromised system, and go into the possible defenses to limit the risks.

Michael Boelen
Providing companies a software solution to audit their systems (Linux, macOS, UNIX) at CISOfy
Advertisement
Advertisement
Advertisement

Recommended

Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen1.2K views52 slides
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen1.9K views52 slides
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen2.3K views60 slides
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux MalwareMichael Boelen1.8K views35 slides
Lynis - Hardening and auditing for Linux, Mac and Unix - NLUUG May 2014Lynis - Hardening and auditing for Linux, Mac and Unix - NLUUG May 2014
Lynis - Hardening and auditing for Linux, Mac and Unix - NLUUG May 2014Michael Boelen3K views17 slides
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen3.4K views85 slides

More Related Content

Slideshows for you(20)

Oksana Safronova - Will you detect it or not? How to check if security team i...Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...
NoNameCon170 views
Linux SecurityLinux Security
Linux Security
nayakslideshare2.2K views
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco8.5K views
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
UTD Computer Security Group926 views
If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...
If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...
Codemotion374 views
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP330 views
kali linux.pptxkali linux.pptx
kali linux.pptx
anumeha bhatnagar4K views
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days810 views
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas2.9K views
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter Security
Eng Teong Cheah94 views
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and Secrets
Eng Teong Cheah130 views
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens1.3K views
Kali linuxKali linux
Kali linux
afraalfalasii580 views
HAcktive Directory - Microsoft Meetup July 2020HAcktive Directory - Microsoft Meetup July 2020
HAcktive Directory - Microsoft Meetup July 2020
Yossi Sassi333 views
Kevin wharramKevin wharram
Kevin wharram
Kevin Wharram550 views
Migrate from windows to linuxMigrate from windows to linux
Migrate from windows to linux
MarJose Darang22 views
BASIC OVERVIEW OF KALI LINUXBASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUX
Deborah Akuoko1.2K views
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
Eng Teong Cheah160 views
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
Security Bootcamp2.3K views
Kali LinuxKali Linux
Kali Linux
Jack Gidding4.9K views

Similar to Handling of compromised Linux systems(20)

Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website security
Drew Gorton275 views
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
Federico Franzoni339 views
Wordpress Security 101Wordpress Security 101
Wordpress Security 101
Robert Rowley6.7K views
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
Adrian Sanabria533 views
On hacking & security On hacking & security
On hacking & security
Ange Albertini1.8K views
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
DynamicInfraDays2.4K views
Olivier Cleynen: Overtaking Proprietary Software Without Writing Code [24c3]Olivier Cleynen: Overtaking Proprietary Software Without Writing Code [24c3]
Olivier Cleynen: Overtaking Proprietary Software Without Writing Code [24c3]
OpenSlidesArchive830 views
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
GangSeok Lee1.1K views
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
London School of Cyber Security809 views
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough2K views
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005965 views
2569 protect yourdatawithbitlocker_gs_windows7_external2569 protect yourdatawithbitlocker_gs_windows7_external
2569 protect yourdatawithbitlocker_gs_windows7_external
Expert Outsource Pvt Ltd170 views
Introduction to SlickIntroduction to Slick
Introduction to Slick
Knoldus Inc.10 views
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
Tom Limoncelli14K views
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi2.7K views
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
Ramon1.7K views
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
Deepanshu Gajbhiye1.1K views
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough1.7K views
Stop pulling the plugStop pulling the plug
Stop pulling the plug
Kamal Rathaur755 views
Protecting Your Data with Windows 8 BitlockerProtecting Your Data with Windows 8 Bitlocker
Protecting Your Data with Windows 8 Bitlocker
David J Rosenthal487 views
Advertisement

Recently uploaded(20)

Implementing cert-manager in K8sImplementing cert-manager in K8s
Implementing cert-manager in K8s
Jose Manuel Ortega Candel7 views
Lists_tuples.pptxLists_tuples.pptx
Lists_tuples.pptx
M Vishnuvardhan Reddy4 views
Cloud Forensics and Incident Response Training.pdfCloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdf
Christopher Doman7 views
Enterprise Conferencing Solutions PPT.pptxEnterprise Conferencing Solutions PPT.pptx
Enterprise Conferencing Solutions PPT.pptx
Suma Soft Pvt. Ltd.4 views
DAI.pptxDAI.pptx
DAI.pptx
AM Shamsuddula0 views
Adaptation, Lego: From Traditional Toy Company to Digital CompanyAdaptation, Lego: From Traditional Toy Company to Digital Company
Adaptation, Lego: From Traditional Toy Company to Digital Company
Onri Jay Benally0 views
Tunability of Thin Film Tantalum Nitride Grown by SputteringTunability of Thin Film Tantalum Nitride Grown by Sputtering
Tunability of Thin Film Tantalum Nitride Grown by Sputtering
Onri Jay Benally0 views
Python Control Structures.pptxPython Control Structures.pptx
Python Control Structures.pptx
M Vishnuvardhan Reddy3 views
Failure: Gopher ProtocolFailure: Gopher Protocol
Failure: Gopher Protocol
Onri Jay Benally0 views
Hong Kong Open Source Conference 2023 - Matter matters! A brief intro to the ...Hong Kong Open Source Conference 2023 - Matter matters! A brief intro to the ...
Hong Kong Open Source Conference 2023 - Matter matters! A brief intro to the ...
Amanda Lam0 views
Wireless Computing in 6 slides.pptxWireless Computing in 6 slides.pptx
Wireless Computing in 6 slides.pptx
Mari Xxx4 views
mini-solution.pdfmini-solution.pdf
mini-solution.pdf
rabiprasaddevkota10 views
Software development company in DubaiSoftware development company in Dubai
Software development company in Dubai
MaqUAE0 views
Python Operators.pptxPython Operators.pptx
Python Operators.pptx
M Vishnuvardhan Reddy5 views
Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...
Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...
Marcos Pueyrredon2 views
Is web development a good career path.pdfIs web development a good career path.pdf
Is web development a good career path.pdf
IT Career 0 views
SEARCH-ENGINE-OPTIMIZATION-SEO-BEGINNERS-TOOLS(1).pdfSEARCH-ENGINE-OPTIMIZATION-SEO-BEGINNERS-TOOLS(1).pdf
SEARCH-ENGINE-OPTIMIZATION-SEO-BEGINNERS-TOOLS(1).pdf
GeraldNsofor15 views
12_AI_Model Life cycle1.pdf12_AI_Model Life cycle1.pdf
12_AI_Model Life cycle1.pdf
Elan710 views
temp mapping .pdftemp mapping .pdf
temp mapping .pdf
ManjulaSasikumar0 views
Untitled presentation.pdfUntitled presentation.pdf
Untitled presentation.pdf
SompriyaNarayanaTiwa2 views

Handling of compromised Linux systems

  1. Linux Systems Compromised Understanding and dealing with break-ins Ede, 5 February 2016 Michael Boelen michael.boelen@cisofy.com
  2. Agenda Today 1. How do “they” get in 2. Rootkits 3. Malware handling 4. Defenses 2
  3. Michael Boelen ● Security Tools ○ Rootkit Hunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts ● Founder of CISOfy 3
  4. How do “they” get in
  5. Intrusions ● Passwords ● Vulnerabilities ● Weak configurations 5
  6. Why? 6
  7. Keeping Control ● Rootkits ● Backdoors 7
  8. Rootkits 101
  9. Rootkits ● (become | stay) root ● (software) kit 9
  10. Rootkits ● Stealth ● Persistence ● Backdoors 10
  11. How to be the best rootkit?
  12. Hiding ★ In plain sight! /etc/sysconfig/… /tmp/mysql.sock /bin/audiocnf 12
  13. Hiding ★★ Slightly advanced ● Rename processes ● Delete file from disk ● Backdoor binaries 13
  14. Hiding ★★★ Advanced ● Kernel modules ● Change system calls ● Hidden passwords 14
  15. Demo
  16. Demo 16
  17. Demo 17
  18. Continuous Game 18
  19. Detection
  20. Challenges ● We can’t trust anything ● Even ourselves ● No guarantees 21
  21. Rootkit Hunter Detect the undetectable! 22
  22. Dealing with malware
  23. ● Owner? ● Risk? ● What if we pull the plug? Activate your plan! 24
  24. VLAN Bogus DNS Looks Real™ Quarantine 25
  25. Consider Research Memory dump (Volatility) Static analysis 26
  26. Restore Does it include malware? 27
  27. Defense
  28. Best protection At least ● Perform security scans ● Collect data ● System Hardening 29
  29. Frameworks / Patches ● SELinux ● AppArmor ● Grsecurity 30
  30. Compilers ● Remove ● Limit usage 31
  31. Harden Applications ● Use chroot ● Limit permissions ● Change defaults 32
  32. Kernel Hardening ● sysctl -a ● Don’t allow ptrace 33
  33. Automation
  34. Tip: Lynis ● Linux / UNIX ● Open source ● GPLv3 35
  35. Conclusions
  36. Conclusions ● Good rootkits are hard to detect ● Use cost-effective methods ● Detect ● Restore ● Learn ● Apply hardening 37
  37. You finished this presentation Success!
  38. More Linux security? Presentations michaelboelen.com/presentations/ Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen 39
  39. 40
Advertisement