Finding Threats in Linux Memory: The Value of Memory Integrity Verification


WHITE PAPER

Finding Threats in Linux Memory: The Value of Memory Integrity Verification

Linux powers critical web and cloud infrastructure for organizations around the world. Not surprisingly, it has become a major target for cybercrime and cyber espionage. In the past year, financially motivated attackers have launched large-scale Linux-targeted attack campaigns across critical infrastructure, retail, healthcare, and financial and brokerage organizations. This white paper explores the magnitude of threats against Linux systems, and why organizations are looking at memory integrity as a superior approach for detecting threats on Linux systems. Memory integrity ensures that systems are running exactly the software they are supposed to be running, and flags anything that should not be there.

www.raytheon.com/cyberproducts

Contents

1. Linux Systems: A Major Target
2. Threat Attacks on the Upswing
3. Threats Spare No Industry
   - Critical Infrastructure
   - Retail
   - Healthcare
   - Financial and Brokerage Services
4. How SureView Memory Integrity Works
   - SureView Memory Integrity Graphical User Interface
   - Integration with SIEMs
5. Conclusion
6. About Raytheon Websense

Linux Systems: A Major Target

Linux is an open source operating system beloved by enthusiasts because the price is right and the license provides the freedom to tinker. From its earliest days, Linux has powered numerous web servers and other Internet infrastructure worldwide. Over the past decade, Linux has increasingly been adopted for commercial use. Today, Linux is widely used in corporate data centers and is a formidable presence in nearly all realms of computing. What is even more surprising is that only 58% of IT professionals indicated they run antivirus on both Windows and Linux servers.[1]

Nearly every large organization has business-critical systems based on Linux, including critical infrastructure providers, utilities and energy companies, banks and other financial services, health care companies, media and entertainment firms, and high-tech companies. As it has moved from niche player to a core technology underpinning global enterprises, Linux has become a major target for cybercrime and cyber espionage.

Given the incredible number of attacks reported in 2014, and the fact that Linux systems are a growing target, this paper assumes that a major percentage of past and future attacks have targeted and will target Linux systems.

Threat Attacks on the Upswing

In early 2014, Syngress published the Malware Forensics Field Guide for Linux Systems, which stated that:

"Trends in malware incidents targeting Linux systems combined with the ability of modern Linux malware to avoid common security measures make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems."[2]

Those words were prophetic. It turns out that 2014 was the biggest year to date for cyber-attacks, and there is no indication that things are about to slow down.

In 2014, Linux fell victim to several large-scale threat campaigns run by financially motivated attackers. Operation Windigo infected more than 500,000 computers and 25,000 dedicated servers.[3] The Linux botnet Mayhem, which spread through ShellShock exploits, affected 1,400 servers.[4] Unfortunately, Operation Windigo and Mayhem are still active, using the ShellShock Bash vulnerability and other means to spread to new victims.

Throughout 2014, Linux continued to be hounded by longstanding, widespread, and easily exploited vulnerabilities, such as the aforementioned ShellShock, a.k.a. Bashdoor. ShellShock enables the processing of requests that an attacker can use to gain unauthorized access to assets. One report noted that it was unclear how many systems ShellShock affected, but it was likely in the millions.[5]

Then there were the targeted cyber-espionage operations that used custom threats targeting Linux systems, attributed to government-resourced attackers, such as Evanescent Bat and Turla. The Turla campaign, also known as Epic Turla, spread into 45 countries in an infection spree aimed at government operations and pharmaceutical companies.

Linux Attacks Were On The Move in 2014 (timeline figure)
- March: Windigo Infects 500,000 Computers
- July: Mayhem Infects 1,400 Servers
- September: ShellShock Continues to Infect Millions
- December: Turla Affects 45 Countries

[1] Source: Sophos Research Report, "You might be surprised by how few businesses protect their Linux servers with antivirus." May 26, 2015. John Zorabedian. https://blogs.sophos.com/2015/05/26/you-might-be-surprised-by-how-few-businesses-protect-their-linux-servers-with-antivirus/
[2] Source: Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Syngress, 2014), 42.
[3] Source: http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo and http://thehackernews.com/2014/03/operation-windigo-linux-malware.html
[4] Source: http://www.itnews.com.au/news/390053,new-mayhem-malware-targets-linux-unix-servers.aspxhtml
[5] Source: http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/

Threats Spare No Industry

Threats are not limited to specific industries. Hackers follow the money and attack the critical infrastructure, retail, healthcare, and financial sectors. One key component of successful attacks, regardless of industry, is that overburdened IT and security teams fail to notice the incursions until it is too late. With threats spanning industries and use of Linux systems on the rise, it is likely that Linux is a threat target in every organization.

Critical Infrastructure

According to the Department of Homeland Security (DHS), an unnamed U.S. public utility was attacked in 2014.[6] The hack sought access to the utility's control system network. The report notes that hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility's control systems. This brute force attack was not the only one launched on critical infrastructure. DHS also reported that an attacker gained access to a utility's mechanical device and maintained access over a period of time. Although the number of Linux systems affected was not specifically reported, it can be assumed that some number of them were Linux based.

Retail

The retail business is littered with attacks. Target is the most high-profile example, a damaging incursion that will take the company years to recover from. However, other retailers suffered attacks as well, including Neiman Marcus, Michaels, eBay and Home Depot. The breach of Target cost the company $148 million.[7] To date, Home Depot has chalked up $48 million for its data breach.[8]

Healthcare

With millions of records that contain personally identifiable information, healthcare is especially vulnerable to attack. In one healthcare-related attack, an operator of more than 200 hospitals in the U.S. had 4.5 million patient records stolen. The records included names, Social Security numbers, physical addresses, birthdays and telephone numbers.

In August 2014, the Washington Post reported that healthcare breaches had hit 30 million patients. The report notes that, since federal reporting requirements kicked in, the U.S. Department of Health and Human Services database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people).[9]

Financial and Brokerage Services

In February 2015, the Carbanak hacking group stole $1 billion from banks around the globe. The operation struck banks in about 30 countries, according to a report of Kaspersky's findings in ZDNet.[10] In its report, Kaspersky notes that the use of a Secure Shell (SSH) backdoor to communicate with the C2 server at 190.97.165.126 (operatemesscont.net) indicates that the attackers did not limit themselves to Microsoft Windows environments.[11]

THE COST OF A BREACH: What is Your Reputation Worth?

The infamous Target data breach cost the retailer more than just financial loss, but the dollars and cents were staggering. Forbes reported that the retailer's profit fell nearly 50% in the last quarter of 2013 and more than a third for all of 2013. The magazine also reported that the hard loss from the data breach came in at $148 million. However, there were other costs as well. The CEO lost his job, and the company suffered a loss of reputation that is incalculable. Maybe your business is not as high profile as Target. So how does a major breach affect you? Ponemon Institute's Cost of a Data Breach study shows that the average cost of a data breach is about $3.5 million. The average cost for a compromised record is more than $194.

[6] Source: http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idusbrea4j10d20140521
[7] Source: http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html
[8] Source: https://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/109629
[9] Source: http://www.washingtonpost.com/blogs/wonkblog/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/
[10] Source: http://www.zdnet.com/article/carbanak-hacking-group-steal-1-billion-from-banks-worldwide/
[11] Source: https://securelist.com/files/2015/02/carbanak_apt_eng.pdf

How SureView Memory Integrity Works

Threat detection based on memory integrity verification is blazing a new trail. SureView Memory Integrity from Raytheon Websense is a solution that takes a completely different approach to threat detection than traditional endpoint security products. Using memory forensics, it undertakes threat detection through integrity verification. For threats to actively run on a computer, they must do so in physical memory. Instead of trying to identify known threats, which we already know to be a losing proposition, SureView Memory Integrity verifies the contents of memory against what should be in memory, based on known references. It then flags anything found in memory that does not match expectations.

SureView Memory Integrity uses the code published by Linux distribution vendors (e.g., Red Hat, CentOS, Ubuntu, Debian, and Fedora) as the basis for what should be running in memory. Users augment this reference set with the custom and third-party software in use in their environment.

SureView Memory Integrity operates enterprise-wide, reconstructing the state of Linux systems (such as programs running, open files, and loaded modules) by reading the kernel data structures from physical memory. The solution then verifies that a system is running only known software, while detecting rootkits, backdoors, injected code, unauthorized processes, and other signs of intrusion. When it detects a compromise, SureView Memory Integrity notifies system administrators and security teams and enables quick, in-depth investigation and response. The solution's alerts easily integrate with existing SIEMs. Besides being of top defense-grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.

CUSTOMER PROFILE: Global High-Frequency/Algorithmic Trading Firm Deploys SureView Memory Integrity Enterprise-wide

This firm suspected an intrusion and realized it lacked the ability to determine if its Linux systems were compromised. A trusted partner recommended the firm look at signature-less threat detection based on memory forensics. During a proof-of-concept evaluation, SureView Memory Integrity detected stealthy threats that no other product found. The firm subsequently deployed SureView Memory Integrity enterprise-wide on 5,000 globally distributed servers and workstations with no impact on critical production systems.

[Figure: SureView Memory Integrity Architecture, Enterprise Scale Linux Memory Integrity Verification. Components: SureView Memory Integrity Server, Reference Data Repository, Linux Targets, SIEM.]

"SureView Memory Integrity is everything my firm needs to keep us apprised of what is actually running on our Linux system and will notify us if our network is at risk. SureView Memory Integrity has totally raised the bar of excellence for all other security products my firm uses."
--- Director of Information Technology, Large Global Financial Services Company
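The verification loop this section describes, as an added illustration that is not Raytheon's code: it walks a process's executable mappings, compares each page of file-backed code against a reference image of the vendor-published file, and separately flags executable memory backed by a file the reference set does not know (custom software still to be approved) or by no file at all (the injected-code case). The /proc-style maps text, the reference repository and the memory reader below are constructed stand-ins for the kernel data structures and distribution packages a real deployment would read.

```python
import re

PAGE = 4096  # code is compared one page at a time, as the kernel maps it

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(maps_text):
    """Yield (start, end, perms, file_offset, path) for each maps line."""
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            yield int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[5]


def verify_process(maps_text, read_mem, reference):
    """Return (kind, path, detail) findings for one process's executable
    mappings. read_mem(start, end) gives the bytes currently mapped there;
    reference maps a file path to the bytes of the vendor-published file."""
    findings = []
    for start, end, perms, off, path in parse_maps(maps_text):
        if "x" not in perms:
            continue                      # data mapping, not code
        if not path or path.startswith("["):
            if path in ("[vdso]", "[vsyscall]"):
                continue                  # kernel-provided, expected
            findings.append(("anonymous_exec", path or "<anon>",
                             f"{start:#x}-{end:#x} {perms}"))
            continue
        ref = reference.get(path)
        if ref is None:                   # neither vendor code nor approved
            findings.append(("unknown_software", path,
                             "no reference image for this file"))
            continue
        mem = read_mem(start, end)
        # The kernel zero-fills the tail of a file mapping past end of file.
        expected = ref[off:off + (end - start)].ljust(end - start, b"\0")
        for page in range(0, end - start, PAGE):
            if mem[page:page + PAGE] != expected[page:page + PAGE]:
                findings.append(("modified_code", path,
                                 f"page at {start + page:#x} differs"))
    return findings


# --- Constructed sample data (not taken from a real system) -------------
REFERENCE = {                             # "vendor-published" code images
    "/usr/sbin/sshd": bytes(range(256)) * 32,               # 8 KiB
    "/lib/x86_64-linux-gnu/libc.so.6": b"\x90" * (3 * PAGE),
}
MAPS = """\
00400000-00402000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f0000000000-7f0000003000 r-xp 00000000 fd:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f0000100000-7f0000101000 r-xp 00000000 fd:01 9999 /opt/vendor/agent
7f0000200000-7f0000201000 rwxp 00000000 00:00 0
7ffff7fc0000-7ffff7fc2000 r-xp 00000000 00:00 0 [vdso]
"""


def fake_read_mem(start, end):
    """Stand-in for reading /proc/<pid>/mem; libc's second page is patched."""
    if start == 0x400000:
        return REFERENCE["/usr/sbin/sshd"][:end - start]
    if start == 0x7f0000000000:
        img = bytearray(REFERENCE["/lib/x86_64-linux-gnu/libc.so.6"])
        img[PAGE:PAGE + 4] = b"HOOK"      # the in-memory change to detect
        return bytes(img)
    return b"\0" * (end - start)


def run_demo():
    """Verify the constructed process: sshd is clean, three findings remain."""
    return verify_process(MAPS, fake_read_mem, REFERENCE)
```

Each finding names the mapping and the exact page that differs, which is the level of detail an analyst needs to pivot from a SIEM alert into the memory image.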

SureView Memory Integrity Graphical User Interface

The graphical user interface for SureView Memory Integrity gives analysts the ability to take a deep dive into the status of a specific system with an easy-to-understand layout.

Integration with SIEMs

SureView Memory Integrity integrates seamlessly with SIEMs (such as Splunk), so that with a quick glance an analyst can see SureView Memory Integrity alert activity from automated scans over time and across the enterprise. This enables correlation between alerts and with other security data sources.

SUREVIEW MEMORY INTEGRITY USE CASE: Detecting Shellshock Bash Bug Malware on a Linux Server

An Incident Response Engineer, employed by a financial services company, suspects an intrusion into the organization's Linux systems but lacks the ability to determine if they are truly compromised. She needs better visibility to understand whether the systems are infected.

A persistent attacker had indeed infected the system by sending an HTTPS request containing specifically crafted variables to exploit the Shellshock Bash Bug vulnerability. A command contained in a variable triggered a backdoor program and infected the server. Even if the server were patched against the vulnerability, the malware would escape detection and persist on the machine.

To confirm her suspicion, she runs SureView Memory Integrity, which obtains an image of the code running in memory on the suspected system. The solution then compares the snapshot from memory with an approved image and alerts her to the anomaly. With access to the alert and additional forensic information from the SIEM's console, she can now conduct further investigation to determine the extent of the compromise and decide on remedial actions.

Conclusion

Traditional endpoint security products are not sufficient to protect Linux systems. The headlines tell the story of numerous attacks that companies do not see until it is too late. With Linux at the center of so much of the world's computing infrastructure, it is time for a different approach. Organizations need to deploy memory integrity verification to rapidly detect the threats facing Linux systems today. This approach eliminates unreliable traditional approaches to threat detection and provides positive assurance that systems are running only the software they are supposed to be running.

SureView Memory Integrity, from Raytheon Websense, is a Linux memory integrity verification solution that supports many different Linux distributions and versions. It operates at enterprise scale and is architected for ease of deployment and integration. Besides being of top defense-grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.

About Raytheon Websense

Raytheon Websense's portfolio of cyber security solutions provides unprecedented visibility into the enterprise and utilizes advanced analytics to enable a new level of cyber risk management. Through continuous monitoring of endpoints, user activity and other key assets, real-time data is collected and analyzed so decisions can be made instead of merely reacting to alerts. With over twenty years of experience in developing and implementing products for some of the most sensitive and critical enterprise systems operating in the world today, customers trust solutions from Raytheon Websense because they are scalable, secure, architecturally superior and cost effective.

For further information contact:
Raytheon Websense
12950 Worldgate Drive, Suite 600
Herndon, Virginia 20170 USA
866.230.1307
www.raytheoncyber.com

Trademarks and registered trademarks are property of their respective owners. Cleared for Public Release. Internal Reference #E15-K3P7. Copyright 2015 Raytheon Company. All rights reserved. 300140.0615