According to research published by both Verizon and FireEye, most companies don't detect that they’ve suffered a security breach until many months later. When the company finally does learn of the compromise—often from a third-party—the investigators must invest a tremendous amount of time and resources to identify which systems the attacker has compromised.
To avoid, or at least mitigate the impact of, such a scenario, I recommend the following courses of action:
- Prevent the compromise through proactive measures
- Contain the compromise to reduce the probability of lateral movement
- Detect and respond to the compromise quickly
Want to learn more? Join me in this BeyondTrust-sponsored webinar, How to Attack a Linux System + Ways to Detect and Respond Swiftly. Register now
In this blog I will review how to address each of these courses of action in the context of a Linux attack.
Preventing a Linux Attack
Most companies don't put nearly enough effort into prevention. As in medicine and software engineering, prevention ultimately requires far fewer resources than dealing with a problem. Prevention in a cybersecurity context entails eliminating known vulnerabilities in software via patches, while implementing a security development lifecycle to avoid, find and eliminate vulnerabilities in code that is created in-house. Preventive measures also include technologies such as firewalls and intrusion prevention systems (IPS), as well as tactics such as system hardening. Of course, when you use third party services (like SaaS), you implement those primarily with contracts and risk assessment activities.
Unfortunately, preventive measures won’t eliminate all risk — they just lessen the likelihood of compromise. But, they’re a critical start.
Containing a Linux Attack
Despite our best efforts at prevention, a potential for compromise remains, so we need to also put adequate effort into threat detection and containment.
Containing an attacker's lateral movement involves preventing him moving from his initial beachhead, like a single compromised system, to his end goal, say the credit card transaction database. For example, on a red team exercise, the attacker will always gain access to one system, whether through phishing, breaking into a building, or simply leaving USB thumb drives scattered in a parking lot. If you strongly segment your network, you may stop him from ever reaching the intellectual property, protected health care information, or customer credit card information he sought.
Containment also operates at the host level, especially with host-based tools, ranging from SELinux, AppArmor, and seccomp to sudo, host-based egress firewall rules and Set-UID lockdowns. These tools and measures reduce a compromised program's ability to even initiate connections to another computer. With that said, your attacker may find a successful path through your containment measure. And as we all have seen recently, SELinux and sudo have their own vulnerabilities.
Detecting & Responding to a Linux Attack
At this point, we put our effort into detection. With an average detection time spanning months, there's substantial room for improvement. My favorite measures here detect an attack or a compromise, take action to repel or contain it, and shout "incoming" to the blue team so they can start the human part of the defense. OSSEC is one such tool that can help you here.
OSSEC is a host-based intrusion detection tool that can execute programs or scripts that you set up. For example, it can automatically configure a temporary firewall block against an attacker who has unsuccessfully tried to connect to twenty of your systems within a short time window. Or, it can shut down an account that has tried to open a "honeypot" data file on the system, say one that claims to be a database backup. Of course, free tools will only take you so far, which is why it might be necessary to investigate a more complete commercial solution for Linux security, like a server privilege management solution.
Want to learn more? Join me in this BeyondTrust-sponsored webinar, How to Attack a Linux System + Ways to Detect and Respond Swiftly, where I'll attack a Linux system, achieve initial access, escalate privilege, and then take the first step to move laterally. I'll then demonstrate how to detect the attack and automatically respond to it. I will then hand off to BeyondTrust Product Manager, Paul Harper, who will discuss how with the right enterprise solution, such as PowerBroker, you can scale your detection and containment to hundreds of machines.
This is going to be an intensive and demo-centric webinar you won't want to miss. How to Attack a Linux System + Ways to Detect and Respond Swiftly.
Jay Beale, co-founder, COO and CTO, InGuardians
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.