In part one of this Linux blog series, we talked about how the open source operating system has been quietly emerging as a fundamental piece of digital innovation. However, the explosive growth of Linux is on a collision course with our topic from part two in this series—security threats.
As Linux continues to become a core component of mobile computing and Internet of Things (IoT) connectivity, companies will need a purpose-built solution to Linux security.
That’s why we’ve created the SentinelOne Linux Agent—a 3-fold solution to detecting malicious attacks on Linux machines and servers.
Linux Agent Part One: Behavioral Analysis
When considering behavioral analysis in terms of historical Linux security threats, there are 4 separate categories to defend against:
- Daemon Attacks: These attacks persist in the background as attackers quietly compromise your databases or web servers. There are multiple ways that attacks can launch a daemon attack. Some major Linux threats such as China Chopper or Locus Shell breach local machines by compromising web servers. Others, such as r57 shell, c99 shell, or b374k shell, take a SQL injection approach to compromising your databases, exploiting website vulnerabilities to capture sensitive information. And still others, such as Snakso, use command-line injection to modify packets and exfiltrate database files.
- Brute Force Breaches: Some attackers take a brute-force approach to breaching Linux machines. One of the biggest Linux threats, SSHV, runs malware binary to launch an SSH login attack, trying to match a password via plain text authorization or keyboard authorization to gain access to a Linux shell and remotely command it.
- Privilege Escalation: Lateral movement is critical to advanced cyber attacks and Linux threats are no different. Many backdoor Linux attack vectors, such as WSO web shell, Turla, and Kaiten, give hackers remote access and enable them to use various tools to gain admin access and start advancing their attacks.
- Botnets: Linux threats often manifest in botnets. One particularly dangerous example is Tsunami, a Linux attack vector that exploits systems through web admin panel abuse, ultimately opening a security hole through root privilege gained via crontab UID. The foothold enables attackers to compile a backdoor that deletes any related trace logs to hide the threat.
The SentinelOne Linux Agent will use behavioral analysis to detect these types of attacks, keeping your Linux machines and servers safe from historically troublesome threats that are bound to become stronger in the near future.
Dynamic Behavior Tracking (DBT) has always been a key aspect of the SentinelOne cybersecurity solution and it will be equally important in the Linux Agent.
Linux Agent Part 2: Heuristic Detection
One of the greatest cybersecurity challenges is the fact that attackers can often move much faster than security solutions themselves. An attack vector that security researchers mitigate can be tweaked slightly to become a new, even more dangerous threat.
To address this concern for Linux systems, the Linux Agent uses heuristic analysis of malware binaries to look beyond the code of known threats. By extracting features from known threats, the Agent can identify zero-day threats more effectively than security solutions that simply blacklist a list of historical attacks.
Linux Agent Part 3: Reputation
Digital certificates are a critical component of secure communication online and as IoT brings increased connectivity and greater Linux usage, the market for stolen digital certificates will continue to rise.
Analyzing the reputation of digital certificates is an increasingly necessary component of comprehensive cybersecurity solutions, especially for the Linux open source operating system.
The SentinelOne Linux Agent employs the same reputation services for Linux as for Windows and OS X agents as a means to mitigate any digital certificate threats.
Whether you realize it or not, we’re about to reach a crossroads with Linux security. What used to be relegated to small-time, home-user attacks by fraudsters will quickly grow to large-scale attacks on enterprises as the open source operating system gains traction in business. If you want to learn more about how the SentinelOne Linux Agent is purpose-built for both today’s and tomorrow’s Linux threats, contact us today for a free demo.