WHITE PAPER

Finding Threats in Linux® Memory The Value of Memory Integrity Verification

Linux powers critical web and cloud infrastructure for organizations around the world. Not surprisingly, it has become a major target for cybercrime and cyber espionage.

In the past year, financially motivated attackers have launched large-scale Linux-targeted attack campaigns across critical infrastructure, retail, healthcare, and financial and brokerage organizations. This white paper explores the magnitude of threats against Linux systems, and why organizations are looking at memory integrity as a superior approach for detecting threats on Linux systems. Memory integrity verification ensures that systems are running exactly the software they are supposed to be running, and flags anything that should not be there.

Contents

1. Linux® Systems: A Major Target
2. Threat Attacks on the Upswing
3. Threats Spare No Industry
   Critical Infrastructure
   Retail
   Healthcare
   Financial and Brokerage Services
4. How SureView® Memory Integrity Works
   SureView Memory Integrity Graphical User Interface
   Integration with SIEMs
5. Conclusion

6. About Raytheon|Websense 8


Linux Systems: A Major Target

Linux is an open source operating system beloved by enthusiasts because the price is right and the license provides the freedom to tinker. From its earliest days, Linux has powered numerous web servers and other Internet infrastructure worldwide.

Over the past decade, Linux has increasingly been adopted for commercial use. Today, Linux is widely used in corporate data centers and is a formidable presence in nearly all realms of computing. What is even more surprising is that only 58% of IT professionals indicated they run antivirus on both Windows and Linux servers.1

Threat Attacks on the Upswing

In early 2014, Syngress published the Malware Forensics Field Guide for Linux Systems, which stated that:

“Trends in malware incidents targeting Linux systems – combined with the ability of modern [malware] to avoid common security measures – make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems.”2

Those words were prophetic. 2014 was the biggest year to date for cyber-attacks, and there is no indication that things are about to slow down. Given the number of attacks reported in 2014, and the fact that Linux systems are a growing target, this paper assumes that a major percentage of past and future attacks have targeted and will target Linux systems.

Nearly every large organization has business critical systems based on Linux, including critical infrastructure providers, utilities and energy companies, banks and other financial services, health care companies, media and entertainment firms, and high-tech companies. As Linux has moved from niche player to a core technology underpinning global enterprises, it has become a major target for cybercrime and cyber espionage.

In 2014, Linux fell victim to several large-scale threat campaigns run by financially motivated attackers. Operation Windigo infected more than 500,000 computers and 25,000 dedicated servers.3 The Linux botnet Mayhem, which spread through ShellShock exploits, affected 1,400 servers.4 Unfortunately, Operation Windigo and Mayhem are still active, using the ShellShock Bash vulnerability and other means to spread to new victims.

Throughout 2014, Linux continued to be hounded by longstanding, widespread, and easily exploited vulnerabilities, such as the aforementioned ShellShock, a.k.a. Bashdoor. ShellShock lets an attacker append commands to a function definition passed in an environment variable, which a vulnerable Bash then executes; any service that hands attacker-controlled input to Bash through the environment, such as a web server running CGI scripts, can therefore be used to gain unauthorized access to assets. One report noted that it was unclear how many systems ShellShock affected, but it was likely in the millions.5

Then there were the targeted cyber-espionage operations that used custom threats targeting Linux systems, attributed to government-resourced attackers, such as Evanescent Bat and Turla. The Turla campaign, also known as Epic Turla, spread into 45 countries in an infection spree aimed at government operations and pharmaceutical companies.

Timeline: Linux Attacks Were On The Move in 2014. March: Windigo infects 500,000 computers. July: Mayhem infects 1,400 servers. September: ShellShock continues to infect millions. December: Turla affects 45 countries.

1 Source: Sophos Research Report, “You might be surprised by how few businesses protect their Linux servers with antivirus.” May 26, 2015. John Zorabedian. https://blogs.sophos.com/2015/05/26/you-might-be-surprised-by-how-few-businesses-protect-their-linux-servers-with-antivirus/
2 Source: Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Syngress, 2014), 42.
3 Source: http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo and http://thehackernews.com/2014/03/operation-windigo-linux-malware.html
4 Source: http://www.itnews.com.au/News/390053,new-mayhem-malware-targets-linux-unix-servers.aspxhtml.
5 Source: http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-/

Threats Spare No Industry

Threats are not limited to specific industries. Attackers follow the money and attack critical infrastructure, retail, healthcare, and financial sectors. One key component of successful attacks, regardless of industry, is that overburdened IT and security teams fail to notice the incursions until it is too late. With threats spanning industries and use of Linux systems on the rise, it is likely that Linux is a threat target in every organization.

Critical Infrastructure

According to the Department of Homeland Security (DHS), an unnamed U.S. public utility was attacked in 2014.6 The hack sought access to the utility’s control system network. The report notes that, “hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility’s control systems.” This brute force attack was not the only one launched on critical infrastructure. DHS also reported that an attacker gained access to a utility’s “mechanical device” and maintained access over a period of time. Although the number of Linux systems affected was not specifically reported, it can be assumed that some number of them were Linux based.

Healthcare

With millions of records that contain personally identifiable information, healthcare is especially vulnerable to attack. In one healthcare related attack, an operator of more than 200 hospitals in the U.S. had 4.5 million patient records stolen. The records included names, Social Security numbers, physical addresses, birthdays and telephone numbers. In August 2014, the Washington Post reported that healthcare breaches hit 30 million patients. The report notes that, “since federal reporting requirements kicked in, the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people).”9

Retail

The retail business is littered with attacks. Target™ is the most high-profile example, a damaging incursion that will take the company years to recover from. However, others in retail suffered attacks as well, including Neiman Marcus, Michaels, eBay® and Home Depot®. The breach of Target cost the company $148 million.7 To date, Home Depot has chalked up $43 million for its data breach.8

Financial and Brokerage Services

In February 2015, Kaspersky reported that the Carbanak hacking group had stolen up to $1 billion from banks around the globe. The operation struck banks in about 30 countries, according to ZDNet’s report of Kaspersky’s findings.10 In its report, Kaspersky notes that the use of a Secure Shell (SSH) backdoor “to communicate with the C2 server in 190.97.165.126 (operatemesscont.net)… indicates that the attackers did not limit themselves to Microsoft Windows environments.”11

THE COST OF A BREACH What is Your Reputation Worth?

The infamous Target data breach cost the retailer more than just financial loss, but the dollars and cents were staggering. Forbes reported the retailer’s profit fell nearly 50% in the last quarter of 2013 and more than a third for all of 2013. The magazine also reported the hard loss from the data breach came in at $148 million.

However, there were other costs as well. The CEO lost his job, and the company suffered a loss of reputation that is incalculable. Maybe your business is not as high profile as Target. So how does a major breach affect you?

Ponemon Institute’s Cost of a Data Breach study shows that the average cost of a data breach is about $3.5 million. The average cost for a compromised record is more than $194.

6 Source: http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521
7 Source: http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html
8 Source: https://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/109629
9 Source: http://www.washingtonpost.com/blogs/wonkblog/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/
10 Source: http://www.zdnet.com/article/carbanak-hacking-group-steal-1-billion-from-banks-worldwide/
11 Source: https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf


How SureView® Memory Integrity Works

Threat detection based on memory integrity verification is blazing a new trail. SureView Memory Integrity from Raytheon|Websense is a solution that takes a completely different approach to threat detection than traditional endpoint security products. Using memory forensics, it undertakes threat detection through integrity verification.

For threats to actively run on a computer, they must do so in physical memory. Instead of trying to identify known threats, which we already know to be a losing proposition, SureView Memory Integrity verifies the contents of memory against what should be in memory, based on known references. It then flags anything found in memory that does not match expectations.

SureView Memory Integrity uses the code published by Linux distribution vendors (e.g., Red Hat, CentOS, Ubuntu, Debian, and Fedora) as the basis for what should be running in memory. Users augment this reference set with the custom and third-party software in use in their environment. SureView Memory Integrity operates enterprise-wide, reconstructing the state of Linux systems, such as programs running, open files, and loaded modules, by reading the kernel data structures from physical memory. The solution then verifies that a system is running only known software, while detecting rootkits, backdoors, injected code, unauthorized processes, and other signs of intrusion.

When it detects a compromise, SureView Memory Integrity notifies system administrators and security teams and enables quick, in-depth investigation and response. The solution’s alerts easily integrate with existing SIEMs. Besides being of top defense grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.

CUSTOMER PROFILE: Global High-Frequency/Algorithmic Trading Firm Deploys SureView Memory Integrity Enterprise-wide

This firm suspected an intrusion and realized it lacked the ability to determine if its Linux systems were compromised. A trusted partner recommended the firm look at signature-less threat detection based on memory forensics. During a proof-of-concept evaluation, SureView Memory Integrity detected stealthy threats that no other product found. The firm subsequently deployed SureView Memory Integrity enterprise-wide on 5,000 globally distributed servers and workstations with no impact on critical production systems.

Architecture diagram: SureView® Memory Integrity, Enterprise Scale Linux® Memory Integrity Verification. Components shown: SureView® Memory Integrity Server, Reference Data Repository, Linux Targets, SIEM.

“SureView Memory Integrity is everything my firm needs to keep us apprised of what is actually running on our Linux system and will notify us if our network is at risk. SureView Memory Integrity has totally “raised the bar” of excellence for all other security products my firm uses.” ---Director of Information Technology – Large Global Financial Services Company


SureView® Memory Integrity Graphical User Interface The graphical user interface for SureView Memory Integrity gives analysts the ability to take a deep dive into the status of a specific system with an easy-to-understand layout.

Integration with SIEMs SureView Memory Integrity integrates with SIEMs (such as Splunk), so that at a glance an analyst can see SureView Memory Integrity alert activity from automated scans over time and across the enterprise. This enables correlation between alerts and with other security data sources.


SUREVIEW MEMORY INTEGRITY USE CASE: Detecting “Shellshock” Bash Bug Malware on a Linux Server

An Incident Response Engineer, employed by a financial services company, suspects an intrusion into the organization’s Linux systems but lacks the ability to determine if they are truly compromised. She needs better visibility to understand whether the systems are infected. A persistent attacker had indeed infected a system by sending an HTTPS request containing specially crafted header values, which the server passed to Bash as environment variables, exploiting the “Shellshock” Bash Bug vulnerability. The command contained in one of those variables launched a back door program that took up residence on the server. Even after the server was patched against the vulnerability, the malware would escape detection and persist on the machine: patching closes the entry point but does not remove what already came through it.

To confirm her suspicion, she runs SureView Memory Integrity, which obtains an image of the code running in memory on the suspected system. The solution compares the snapshot from memory with an approved image and alerts her on the anomaly. With access to the alert and additional forensic information from the SIEM’s console, she can now conduct further investigation to determine the scope of the compromise and decide on remedial actions.

About Raytheon|Websense

The Raytheon|Websense portfolio of cyber security solutions provides unprecedented visibility into the enterprise and utilizes advanced analytics to enable a new level of cyber risk management. Through continuous monitoring of end points, user activity and other key assets, real-time data is collected and analyzed so decisions can be made instead of merely reacting to alerts. With over twenty years of experience in developing and implementing products for some of the most sensitive and critical enterprise systems operating in the world today, customers trust solutions from Raytheon|Websense because they are scalable, secure, architecturally superior and cost effective.
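The comparison described in “How SureView Memory Integrity Works” and exercised in the Shellshock use case above, as an added illustration in Python. This is example code written for this page, not SureView code and not from the original paper: the package contents, hashes, host name, paths, the rkmod module and the /tmp/.x/bd backdoor are all constructed stand-ins. Alongside the reference-set comparison the paper describes, it adds two cross-view checks that memory forensics relies on (kernel task list versus what /proc showed, kernel module list versus what sysfs showed) and a lineage rule that flags a shell running under a web server, which is exactly what a CGI-delivered Shellshock payload leaves behind.

```python
"""Toy memory-integrity verifier: reconstructed runtime state vs. a reference set.

Constructed illustration, not SureView code. The snapshot stands in for what a
memory-forensics pass reconstructs by walking kernel structures (task list, each
task's executable mappings, module list); everything is built inline so it runs offline.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference set: constructed stand-ins for the .text of packaged ELF files shipped by
# the distribution vendor, plus the site's own approved software.
VENDOR_PACKAGES = {
    "bash-4.3-14.el7": {"/usr/bin/bash": b"BASH TEXT 4.3-14 (CVE-2014-6271 fixed)"},
    "httpd-2.4.6-31.el7": {"/usr/sbin/httpd": b"HTTPD TEXT 2.4.6"},
    "openssh-server-6.6": {"/usr/sbin/sshd": b"SSHD TEXT 6.6"},
    "kernel-3.10.0-229.el7": {"ext4": b"EXT4 MODULE TEXT", "xfs": b"XFS MODULE TEXT"},
}
SITE_APPROVED = {"trading-engine-7.2": {"/opt/trading/bin/engine": b"ENGINE TEXT 7.2"}}


def build_reference(*package_sets):
    """Map sha256(text) -> (package, path). Identity is the hash, never the path."""
    ref = {}
    for pkgs in package_sets:
        for pkg, files in pkgs.items():
            for path, text in files.items():
                ref[sha256(text)] = (pkg, path)
    return ref


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    comm: str
    exe: str                   # path behind the task's mm->exe_file
    text: bytes                # bytes of the file-backed executable mappings
    anon_exec_pages: int = 0   # executable pages with no backing file


@dataclass(frozen=True)
class Module:
    name: str
    text: bytes


@dataclass
class Snapshot:
    host: str
    tasks: list                  # walked from the kernel task list
    proc_visible_pids: set       # what ps / readdir(/proc) reported at the same time
    modules: list                # walked from the kernel's modules list
    sysfs_visible_modules: set   # what lsmod / /sys/module reported


SHELLS = {"bash", "sh", "dash"}
WEB_SERVERS = {"httpd", "apache2", "nginx"}


def ancestors(proc, by_pid):
    while proc.ppid in by_pid and proc.ppid != proc.pid:
        proc = by_pid[proc.ppid]
        yield proc


def verify(snap, ref):
    """Return one finding per anomaly; an empty list means nothing unexplained."""
    findings = []
    known_paths = {path for _, path in ref.values()}
    by_pid = {p.pid: p for p in snap.tasks}
    for p in snap.tasks:
        ctx = {"pid": p.pid, "comm": p.comm, "exe": p.exe}
        if sha256(p.text) not in ref:
            # Known path, different code: replaced binary or patched in memory.
            # Unknown path: code no vendor or admin ever approved (a dropped backdoor).
            findings.append({"kind": "modified_code" if p.exe in known_paths else "unknown_code", **ctx})
        if p.anon_exec_pages:
            # Injected code lives here; so do JIT runtimes, which belong in the reference set.
            findings.append({"kind": "anonymous_executable_mapping", "pages": p.anon_exec_pages, **ctx})
        if p.pid not in snap.proc_visible_pids:
            # Cross-view diff: present in the kernel list but hidden from /proc.
            findings.append({"kind": "hidden_process", **ctx})
        if p.comm in SHELLS and any(a.comm in WEB_SERVERS for a in ancestors(p, by_pid)):
            findings.append({"kind": "shell_under_web_server", **ctx})
    for m in snap.modules:
        if sha256(m.text) not in ref:
            findings.append({"kind": "unknown_module", "module": m.name})
        if m.name not in snap.sysfs_visible_modules:
            findings.append({"kind": "hidden_module", "module": m.name})
    return findings


def to_siem_events(findings, host):
    """One JSON line per finding, ready to forward to a SIEM."""
    return [json.dumps({"host": host, "source": "memory-integrity", **f}, sort_keys=True) for f in findings]


REFERENCE = build_reference(VENDOR_PACKAGES, SITE_APPROVED)

# Constructed post-Shellshock snapshot: httpd spawned bash, bash dropped /tmp/.x/bd, a
# kernel module hides that pid and itself, and sshd's code no longer matches its package.
SNAPSHOT = Snapshot(
    host="web01",
    tasks=[
        Process(1200, 1, "httpd", "/usr/sbin/httpd", b"HTTPD TEXT 2.4.6"),
        Process(4242, 1200, "bash", "/usr/bin/bash", b"BASH TEXT 4.3-14 (CVE-2014-6271 fixed)"),
        Process(4243, 4242, "bd", "/tmp/.x/bd", b"REVERSE SHELL BACKDOOR"),
        Process(3001, 1, "engine", "/opt/trading/bin/engine", b"ENGINE TEXT 7.2"),
        Process(900, 1, "sshd", "/usr/sbin/sshd", b"SSHD TEXT 6.6 + credential logger"),
    ],
    proc_visible_pids={1200, 4242, 3001, 900},
    modules=[Module("ext4", b"EXT4 MODULE TEXT"), Module("xfs", b"XFS MODULE TEXT"),
             Module("rkmod", b"HIDE PID 4243 AND SELF")],
    sysfs_visible_modules={"ext4", "xfs"},
)

if __name__ == "__main__":
    for event in to_siem_events(verify(SNAPSHOT, REFERENCE), SNAPSHOT.host):
        print(event)
```

Two caveats a real deployment must handle that the toy skips: the reference set has to be built from the exact package versions installed on each target, and executable pages read from memory have to be normalised for relocations before hashing, or the comparison is done page by page against the on-disk file at the same offsets. Legitimate anonymous executable mappings (JIT runtimes, some packers) need to be reference-set rather than alerted on, or the hidden-code check drowns in noise.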

Conclusion Traditional endpoint security products are not sufficient to protect Linux systems. The headlines tell the story of numerous attacks that companies do not see until it is too late. With Linux at the center of so much of the world’s computing infrastructure, it is time for a different approach.

Organizations need to deploy memory integrity verification to rapidly detect the threats facing Linux systems today. This approach does not depend on the unreliable signature-based methods of traditional threat detection and provides positive assurance that systems are running only the software they are supposed to be running. SureView Memory Integrity, from Raytheon|Websense, is a Linux memory integrity verification solution that supports many different Linux distributions and versions. It operates at enterprise scale and is architected for ease of deployment and integration. Besides being of top defense grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.

For further information contact: Raytheon|Websense, 12950 Worldgate Drive, Suite 600, Herndon, Virginia 20170 USA. 866.230.1307. www.raytheoncyber.com

Trademarks and registered trademarks are property of their respective owners.

Cleared for Public Release. Internal Reference #E15-K3P7 Copyright © 2015 Raytheon Company. All rights reserved. 300140.0615