WHITE PAPER

Finding Threats in Linux Memory
The Value of Memory Integrity Verification

Linux powers critical web and cloud infrastructure for organizations around the world. Not surprisingly, it has become a major target for cybercrime and cyber espionage. In the past year, financially motivated attackers have launched large-scale Linux-targeted threat attack campaigns across critical infrastructure, retail, healthcare, and financial and brokerage organizations. This white paper explores the magnitude of threats against Linux systems, and why organizations are looking at memory integrity as a superior approach for detecting threats on Linux systems. Memory integrity ensures that systems are running exactly the software they are supposed to be running, and flags anything that should not be there.
Contents

1. Linux Systems: A Major Target ... 4
2. Threat Attacks on the Upswing ... 4
3. Threats Spare No Industry ... 5
   Critical Infrastructure ... 5
   Retail ... 5
   Healthcare ... 5
   Financial and Brokerage Services ... 5
4. How SureView Memory Integrity Works ... 6
   SureView Memory Integrity Graphical User Interface ... 7
   Integration with SIEMs ... 7
5. Conclusion ... 8
6. About Raytheon Websense
Linux Systems: A Major Target

Linux is an open source operating system beloved by enthusiasts because the price is right and the license provides the freedom to tinker. From its earliest days, Linux has powered numerous web servers and other Internet infrastructures worldwide. Over the past decade, Linux has increasingly been adopted for commercial use. Today, Linux is widely used in corporate data centers and is a formidable presence in nearly all realms of computing.

Nearly every large organization has business critical systems based on Linux, including critical infrastructure providers, utilities and energy companies, banks and other financial services, health care companies, media and entertainment firms, and high-tech companies. As it has moved from niche player to a core technology underpinning for global enterprises, Linux has become a major target for cybercrime and cyber espionage.

What is even more surprising is that only 58% of IT professionals indicated they run antivirus on both Windows and Linux servers. [1]

Threat Attacks on the Upswing

In early 2014, Syngress published the Malware Forensics Field Guide for Linux Systems, which stated that:

"Trends in malware incidents targeting Linux systems combined with the ability of modern Linux malware to avoid common security measures make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems." [2]

Those words were prophetic. It turns out that 2014 was the biggest year to date for cyber-attacks, and there is no indication that things are about to slow down.

In 2014, Linux fell victim to several large-scale threat campaigns run by financially motivated attackers. Operation Windigo infected more than 500,000 computers and 25,000 dedicated servers. [3] The Linux botnet Mayhem, which spread through ShellShock exploits, affected 1,400 servers. [4] Unfortunately, Operation Windigo and Mayhem are still active, using the ShellShock Bash vulnerability and other means to spread to new victims.

Throughout 2014, Linux continued to be hounded by longstanding, widespread, and easily exploited vulnerabilities, such as the aforementioned ShellShock, a.k.a. Bashdoor. ShellShock enables the processing of requests that an attacker can use to gain unauthorized access to assets. One report noted that it was unclear how many systems ShellShock affected, but it was likely in the millions. [5]

Then there were the targeted cyber-espionage operations that used custom threats targeting Linux systems, attributed to government-resourced attackers, such as Evanescent Bat and Turla. The Turla campaign, also known as Epic Turla, spread into 45 countries in an infection spree aimed at government operations and pharmaceutical companies.

Figure: Linux Attacks Were On The Move in 2014. March: Windigo infects 500,000 computers. July: Mayhem infects 1,400 servers. September: ShellShock continues to infect millions. December: Turla affects 45 countries.

Pull quote: Given the incredible number of threat attacks reported in 2014, and the fact that Linux systems are a growing threat target, this paper assumes that a major percentage of past and future attacks have and will target Linux systems.

Sources
1. Sophos Research Report, "You might be surprised by how few businesses protect their Linux servers with antivirus," John Zorabedian, May 26, 2015. https://blogs.sophos.com/2015/05/26/you-might-be-surprised-by-how-few-businesses-protect-their-linux-servers-with-antivirus/
2. Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Syngress, 2014).
3. and com/2014/03/operation-windigo-linux-malware.html [URL truncated in source]
4. [source not recovered]
5. [source not recovered]
Threats Spare No Industry

Threats are not limited to specific industries. Hackers follow the money and attack critical infrastructure, retail, healthcare, and financial sectors. One key component of successful attacks, regardless of industry, is that overburdened IT and security teams fail to notice the incursions until it is too late. With threats spanning industries and use of Linux systems on the rise, it is likely that Linux is a threat target in every organization.

Critical Infrastructure

According to the Department of Homeland Security (DHS), an unnamed U.S. public utility was attacked in [year missing in source]. The hack sought access to the utility's control system network. The report notes that "hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility's control systems." This brute force attack was not the only one launched on critical infrastructure. DHS also reported that an attacker gained access to a utility's mechanical device and maintained access over a period of time. Although the number of Linux systems affected was not specifically reported, it can be assumed that some number of them were Linux based.

Retail

The retail business is littered with attacks. Target is the most high-profile example, and that was a damaging incursion that will take years for the company to recover from. However, there were others in retail that suffered from attacks, including Neiman Marcus, Michaels, eBay and Home Depot. The breach of Target cost the company $148 million. [7] To date, Home Depot chalked up $48 million for its data breach. [8]

Healthcare

With millions of records that contain personally identifiable information, healthcare is especially vulnerable to attack. In one healthcare related attack, an operator of more than 200 hospitals in the U.S. had 4.5 million patient records stolen. The records included names, Social Security numbers, physical addresses, birthdays and telephone numbers.

In August 2014, the Washington Post reported that healthcare breaches hit 30 million patients. The report notes that, since federal reporting requirements kicked in, the U.S. Department of Health and Human Services database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people). [9]

Financial and Brokerage Services

In February 2015, the Carbanak hacking group stole $1 billion from banks around the globe. The operation struck banks in about 30 countries, according to a report of Kaspersky's finding in ZDNet. [10] In its report, Kaspersky notes that the use of a Secure Shell (SSH) backdoor to communicate with the C2 server (operatemesscont.net) indicates that the attackers did not limit themselves to Microsoft Windows environments. [11]

Sidebar: THE COST OF A BREACH. What is Your Reputation Worth?

The infamous Target data breach cost the retailer more than just financial loss, but the dollars and cents were staggering. Forbes reported the retailer's profit fell nearly 50% in the last quarter of 2013 and more than a third for all of [year missing in source]. The magazine also reported the hard loss from the data breach came in at $148 million. However, there were other costs as well. The CEO lost his job, and the company suffered a loss of reputation that is incalculable. Maybe your business is not as high profile as Target. So how does a major breach affect you? Ponemon Institute's Cost of a Data Breach study shows that the average cost of a data breach is about $3.5 million. The average cost for a compromised record is more than $[amount missing in source].

Sources
6. [source not recovered]
7. [source not recovered]
8. https://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/
9. health-care-data-breaches-have-hit-30m-patients-and-counting/ [URL truncated in source]
10. 1-billion-from-banks-worldwide/ [URL truncated in source]
11. https://securelist.com/files/2015/02/carbanak_apt_eng.pdf
How SureView Memory Integrity Works

Threat detection based on memory integrity verification is blazing a new trail. SureView Memory Integrity from Raytheon Websense is a solution that takes a completely different approach to threat detection than traditional endpoint security products. Using memory forensics, it undertakes threat detection through integrity verification.

For threats to actively run on a computer, they must do so in physical memory. Instead of trying to identify known threats, which we already know to be a losing proposition, SureView Memory Integrity verifies the contents of memory against what should be in memory, based on known references. It then flags anything found in memory that does not match expectations.

SureView Memory Integrity uses the code published by Linux distribution vendors (e.g., Red Hat, CentOS, Ubuntu, Debian, and Fedora) as the basis for what should be running in memory. Users augment this reference set with the custom and third-party software in use in their environment.

SureView Memory Integrity operates enterprise-wide, reconstructing the state of Linux systems, such as programs running, open files, and loaded modules, by reading the kernel data structures from physical memory. The solution then verifies that a system is running only known software, while detecting rootkits, backdoors, injected code, unauthorized processes, and other signs of intrusion. When it detects a compromise, SureView Memory Integrity notifies system administrators and security teams and enables quick, in-depth investigation and response. The solution's alerts easily integrate with existing SIEMs. Besides being top defense grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.
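As an added illustration, not SureView's own code (the paper does not describe its internals), the verification described above reduced to its core: a reference set of known-good code hashes is compared against a snapshot reconstructed from kernel structures, and anything unknown, modified, or hidden from the userland process list is flagged. All paths, hashes, pids and module names are constructed samples.

```python
import hashlib

def sha256(data: bytes) -> str:
    """Hex digest shared by reference entries and snapshot entries."""
    return hashlib.sha256(data).hexdigest()

# Reference set: vendor-published code plus the organisation's own software.
# Constructed sample; a real repository would be built from distribution packages.
REFERENCE_EXES = {
    "/usr/sbin/sshd": sha256(b"vendor sshd .text v1"),
    "/usr/sbin/httpd": sha256(b"vendor httpd .text v1"),
    "/opt/trading/engine": sha256(b"in-house trading engine 3.2"),
}
REFERENCE_MODULES = {"ext4": sha256(b"vendor ext4 module"), "xfs": sha256(b"vendor xfs module")}

# Snapshot as reconstructed from kernel data structures (constructed sample).
# "text" hashes the executable's code as mapped in memory, not the file on disk;
# "proc_pids" is the process list a userland tool reported at the same moment.
SNAPSHOT = {
    "tasks": [
        {"pid": 812, "exe": "/usr/sbin/sshd", "text": sha256(b"vendor sshd .text v1")},
        {"pid": 901, "exe": "/usr/sbin/httpd", "text": sha256(b"vendor httpd .text v1 + foreign stub")},
        {"pid": 1337, "exe": "/opt/trading/engine", "text": sha256(b"in-house trading engine 3.2")},
        {"pid": 2042, "exe": "/tmp/.x/kworker", "text": sha256(b"unknown binary")},
    ],
    "proc_pids": {812, 901, 1337},
    "modules": {"ext4": sha256(b"vendor ext4 module"), "unknown_mod": sha256(b"unknown module")},
}

def verify(snapshot, reference_exes, reference_modules):
    """Return (finding, pid, name) tuples for everything not matching the reference."""
    findings = []
    for task in snapshot["tasks"]:
        expected = reference_exes.get(task["exe"])
        if expected is None:
            findings.append(("unknown_process", task["pid"], task["exe"]))
        elif expected != task["text"]:  # known program, but its code in memory differs
            findings.append(("modified_text", task["pid"], task["exe"]))
        if task["pid"] not in snapshot["proc_pids"]:  # in the kernel list, hidden from /proc
            findings.append(("hidden_process", task["pid"], task["exe"]))
    for name, digest in snapshot["modules"].items():
        expected = reference_modules.get(name)
        if expected is None:
            findings.append(("unknown_module", None, name))
        elif expected != digest:
            findings.append(("modified_module", None, name))
    return findings
```

Calling `verify(SNAPSHOT, REFERENCE_EXES, REFERENCE_MODULES)` yields four findings on the sample: httpd's in-memory code differs from the reference, pid 2042 is both unknown and absent from the userland view, and an unreferenced kernel module is loaded.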
CUSTOMER PROFILE: Global High-Frequency/Algorithmic Trading Firm Deploys SureView Memory Integrity Enterprise-wide

This firm suspected an intrusion and realized it lacked the ability to determine if its Linux systems were compromised. A trusted partner recommended the firm look at signature-less threat detection based on memory forensics. During a proof-of-concept evaluation, SureView Memory Integrity detected stealthy threats that no other product found. The firm subsequently deployed SureView Memory Integrity enterprise-wide on 5,000 globally distributed servers and workstations with no impact on critical production systems.

Figure: SureView Memory Integrity Architecture, Enterprise Scale Linux Memory Integrity Verification. Components: SureView Memory Integrity Server, Reference Data Repository, Linux Targets, SIEM.

"SureView Memory Integrity is everything my firm needs to keep us apprised of what is actually running on our Linux system and will notify us if our network is at risk. SureView Memory Integrity has totally raised the bar of excellence for all other security products my firm uses."
--- Director of Information Technology, Large Global Financial Services Company
SureView Memory Integrity Graphical User Interface

The graphical user interface for SureView Memory Integrity gives analysts the ability to take a deep dive into the status of a specific system with an easy-to-understand layout.

Integration with SIEMs

SureView Memory Integrity integrates seamlessly with SIEMs (such as Splunk), so that with a quick glance, an analyst can see SureView Memory Integrity alert activity from automated scans over time and across the enterprise. This enables correlation between alerts and with other security data sources.
SUREVIEW MEMORY INTEGRITY USE CASE: Detecting Shellshock Bash Bug Malware on a Linux Server

An Incident Response Engineer, employed by a financial services company, suspects an intrusion into the organization's Linux system but lacks the ability to determine if it is truly compromised. She needs better visibility to understand if the systems are infected.

A persistent attacker had indeed infected the system by sending an HTTPS request containing specifically crafted variables to exploit the Shellshock Bash Bug vulnerability. A command contained in a variable triggered a backdoor program and infected the server. Even if the server was later patched against the vulnerability, the malware already running would escape detection and remain on the machine.

To confirm her suspicion, she runs SureView Memory Integrity, which obtains an image of the code running in memory on the suspected system. The solution then compares the snapshot from memory with an approved image and alerts her on the anomaly. With access to the alert and additional forensics information from the SIEM's console, she can now conduct further investigations to determine the compromise and decide on remedial actions.

Conclusion

Traditional endpoint security products are not sufficient to protect Linux systems. The headlines tell the story of numerous attacks that companies do not see until it is too late. With Linux at the center of so much of the world's computing infrastructure, it is time for a different approach. Organizations need to deploy memory integrity verification to rapidly detect the threats facing Linux systems today. This approach eliminates unreliable traditional approaches to threat detection and provides positive assurance that systems are running only the software they are supposed to be running.

SureView Memory Integrity, from Raytheon Websense, is a Linux memory integrity verification solution that supports many different Linux distributions and versions. It operates at enterprise scale and is architected for ease of deployment and integration.

About Raytheon Websense

Raytheon Websense's portfolio of cyber security solutions provides unprecedented visibility into the enterprise and utilizes advanced analytics to enable a new level of cyber risk management. Through continuous monitoring of end points, user activity and other key assets, real-time data is collected and analyzed so decisions can be made instead of merely reacting to alerts. With over twenty years of experience in developing and implementing products for some of the most sensitive and critical enterprise systems operating in the world today, customers trust solutions from Raytheon Websense because they are scalable, secure, architecturally superior and cost effective.

For further information contact:
Raytheon Websense
Worldgate Drive, Suite 600
Herndon, Virginia USA

Trademarks and registered trademarks are property of their respective owners. Cleared for Public Release. Internal Reference #E15-K3P7. Copyright 2015 Raytheon Company. All rights reserved.