Linux is used by a huge number of people worldwide, and the vast majority of companies run Linux on their servers, which makes those systems an attractive target for attackers.
According to the 2013 Malware Forensics Field Guide for Linux Systems, millions of Linux systems have been compromised and had data stolen; Second Look can help you detect such threats.
Most detection today relies on signatures, which is not timely: by the time a problem is flagged, it may already have been present on your system for some time.
Second Look verifies that your systems are running the software they are supposed to be running.
Memory forensics can find malware running in the background and raise an alert when unknown software modifies the system. Second Look verifies that the programs and libraries in the memory of your servers and workstations are of known origin and have not been tampered with.
The use of Linux is everywhere in the world. Linux is used in our stock exchange transactions, social media, network storage devices, smartphones, DVRs, online purchasing web sites, and in the majority of global Internet traffic. The Linux Foundation's 2013 Enterprise End User Report indicates that 80% of respondents planned to increase their numbers of Linux servers over the next five years [1]. Drivers include global enterprises migrating to cloud deployments, collaborative and mobile technologies, and employing Linux for mission-critical workloads.
Escalated Malware Attacks on Linux Systems
Malware threat actors recognize this trend and are using advanced tactics to infiltrate Linux systems. According to the 2013 Malware Forensics Field Guide for Linux Systems [2], the apparent goal of these attackers is to steal all types of information. Perhaps of greatest concern are the synchronized, targeted attacks against Linux systems. For several years, organized groups of attackers (threat actors) have been infiltrating Linux systems, communicating with command and control (C2) servers, and exfiltrating data from the compromised hosts. With the increasing market share of Linux desktop users, malware authors have recently taken solid aim at this population with banking Trojan malware [1]. These adversaries stay a step ahead of enterprise network security systems, making it extremely difficult, if not impossible, for signature-based tools to find their malware.
Despite the increasing prevalence of attacks on Linux systems, detecting them has often been an afterthought for security vendors focused on other platforms. Linux system administrators and security experts require assurance that their enterprise systems are running the software that they are supposed to be running and nothing else. This requires a combination of memory forensics and integrity verification to uncover stealth malware and to alert on unknown or unexpectedly modified software. Too many people learn that their Linux systems are compromised only through external notification, long after the fact.
Second Look™ Protects Your System
Second Look is a tool that uses memory forensics to acquire and analyze volatile memory from Linux systems. Second Look provides malware detection using an integrity verification approach to validate that all software running is known and unaltered. When responding to a confirmed or potential computer security incident on a Linux system, Second Look will quickly determine where to focus your efforts by highlighting stealth malware, unknown or unauthorized programs running on the system, and other potential indicators of compromise and vulnerability, saving you time, money, and loss of business.
Second Look for Linux Incident Response
Second Look Incident Response provides memory acquisition and analysis tools to help you get to the root of the problem when you're investigating a suspect system. The Incident Response edition preserves evidence in volatile memory, reconstructs the system state, and extracts artifacts from memory. It detects stealthy malware that would remain hidden from other system administration, forensic, and investigative tools. Second Look Incident Response is powerful and easy to use; memory acquisition is initiated via a single command and analysis results are provided via an easy-to-navigate GUI.
Second Look Enterprise Security – Protecting Entire Enterprises
The Enterprise Security version of Second Look monitors Linux workstations and servers using live remote memory analysis to verify the integrity of the kernel and processes. It notifies system administrators and security teams when alerts indicate a compromise has been detected and enables quick, in-depth investigation and response. Second Look was designed to automate Linux memory forensics on thousands of geographically distributed systems, enabling system administrators and other users to meet tight performance, reliability, and timing requirements. Second Look Enterprise Security verifies that your Linux systems are running only authorized software, whether it is vendor supplied, third-party supplied, or custom developed. It detects rootkits, backdoors, unauthorized processes, and other signs of intrusion into your critical Linux systems. Its memory forensics alerts can be easily integrated into any existing Security Information and Event Management (SIEM) system.
Second Look Highlights
- Scans thousands of systems with hundreds of gigabytes of memory
- Provides a configurable scanning engine for automated scans of remote systems throughout an enterprise
- Incorporates an easy-to-use GUI to quickly assess and interpret results
- Delivers output in a structured data format (JSON) to facilitate analytics
- Supports all Linux distributions on 32- and 64-bit x86 systems, providing flexibility and ease of implementation
- Operates reactively or proactively, on a single system or at enterprise scale, for Linux-focused security
Conclusion
Rising trends in malware incidents targeting Linux systems, combined with the ability of modern Linux malware to avoid common security measures, make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems. Second Look provides unparalleled assurance that the programs and libraries in memory on Linux servers and workstations, from the kernel to system services and applications, are of known origin and have not been tampered with. It is particularly useful for detecting artifacts of malware. Second Look is a powerful tool for detecting potential concealment techniques [2]. There is no more effective tool commercially available for detecting rootkits, backdoors, and other unauthorized processes on Linux systems.
[1] The 2013 Linux Adoption: 3rd Annual Survey of the World's Largest Enterprise Linux Users (The Linux Foundation).
[2] Cameron H. Malin, Eoghan Casey, and James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Digital Forensics Field Guides), Elsevier, 2014.
For further information contact: Raytheon Intelligence, Information and Services, Cyber Products, 12950 Worldgate Drive, Suite 600, Herndon, Virginia 20170 USA. 866.230.1307. www.raytheon.com/cyberproducts
Cleared for Public Release. Internal Reference #IIS2014-191. Copyright © 2014 Raytheon Company. All rights reserved. Second Look is a trademark of Raytheon Company; all other trademarks and registered trademarks are property of their respective owners.
Linux Incident Response with Second Look
One of the most important things to do when responding to a security incident on a Linux system is to take a memory dump to preserve the volatile state of the system. Then you can analyze the memory image with Second Look on a trusted system. It will help you quickly determine where to focus your valuable time and attention by using signature-less malware detection to highlight stealth rootkits, unknown or unauthorized programs running on the system, and other potential indicators of compromise. Second Look Professional Edition is a must-have in the toolkit of any incident responder or forensics professional tasked with investigating Linux systems.
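The acquisition step above produces a memory image in one of several layouts, and the image formats list further down notes that LiME "raw" output needs conversion before analysis. The following added example (not Second Look's or LiME's code) shows why by implementing the LiME "lime" format itself: each captured range of System RAM is preceded by a 32-byte header (magic "EMiL", version, inclusive start and end physical address, 8 reserved bytes), and a converter can rebuild the zero-padded raw ("mem") layout from those headers. The sample image is constructed in the code; the `build_lime` helper exists only to make that sample.

```python
"""Parse a LiME-format Linux memory image and convert it to a padded raw image.

Added example for this page; it is not Second Look's or LiME's own code. It
implements the LiME "lime" on-disk format (per-range 32-byte header) and
emits the zero-padded raw layout ("mem"/"padded") that most analysis tools
expect. The sample image below is constructed, not captured from a system.
"""
import struct

LIME_MAGIC = 0x4C694D45                 # the bytes "EMiL" read little-endian
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved


def parse_lime(image: bytes):
    """Yield (start, end_inclusive, data) for each range in a LiME image.

    Every range is validated (magic, version, ordering, truncation) so that a
    damaged or misidentified image fails loudly instead of being misparsed.
    """
    pos = 0
    while pos < len(image):
        if len(image) - pos < LIME_HDR.size:
            raise ValueError(f"truncated LiME header at offset {pos:#x}")
        magic, version, s_addr, e_addr, _reserved = LIME_HDR.unpack_from(image, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic {magic:#x} at offset {pos:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        size = e_addr - s_addr + 1           # e_addr is inclusive, as in /proc/iomem
        pos += LIME_HDR.size
        data = image[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated: "
                             f"{len(data)} of {size} bytes present")
        yield s_addr, e_addr, data
        pos += size


def lime_to_padded(image: bytes) -> bytes:
    """Rebuild the physical address space as one contiguous byte string.

    Each range is placed at its physical offset and the holes between ranges
    (MMIO, reserved firmware regions) are zero-filled, so a physical address
    is simply a file offset in the result. Whole-image buffers are fine for
    the constructed sample; a production converter would stream to disk.
    """
    ranges = sorted(parse_lime(image), key=lambda r: r[0])
    out = bytearray()
    cursor = 0
    for s_addr, e_addr, data in ranges:
        if s_addr < cursor:
            raise ValueError(f"overlapping ranges at {s_addr:#x}")
        out += b"\0" * (s_addr - cursor)
        out += data
        cursor = e_addr + 1
    return bytes(out)


def summarize(image: bytes):
    """Return (range_count, highest_physical_address + 1) for a LiME image."""
    ranges = list(parse_lime(image))
    return len(ranges), max(e for _, e, _ in ranges) + 1


def build_lime(ranges) -> bytes:
    """Construct a LiME image from (start, data) pairs. Used only to build the
    sample below; on a real system the LiME kernel module writes this."""
    out = bytearray()
    for s_addr, data in ranges:
        out += LIME_HDR.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


# Constructed sample: two System RAM ranges with a 4 KiB hole between them.
SAMPLE_LIME = build_lime([
    (0x0000, b"\x11" * 0x1000),
    (0x2000, b"\x22" * 0x1000),
])

if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(src, "rb").read() if src else SAMPLE_LIME
    for s, e, data in parse_lime(image):
        print(f"range {s:#012x}-{e:#012x} ({len(data)} bytes)")
    padded = lime_to_padded(image)
    print(f"padded raw image: {len(padded)} bytes")
    if src:
        with open(src + ".mem", "wb") as out:
            out.write(padded)
```

Run it with no arguments to see the constructed sample parsed and padded, or pass a `.lime` file to write a `.mem` file beside it. The caveat this makes concrete: LiME's "raw" output is the same data with the headers omitted and no padding, so the physical layout cannot be recovered from the image alone, which is why that format needs a dedicated conversion tool rather than this header-driven approach.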
Product features (Second Look Professional Edition)
- Memory acquisition and analysis for all 32- and 64-bit x86 (i386/i486/i586/i686, amd64/x86_64) Linux systems running 2.6- and 3-series kernels. This includes:
- Amazon Linux 2010.11 through 2014.03, and higher;
- Debian 4 through 7, and higher;
- Fedora 2 through 21, and higher;
- Red Hat Enterprise Linux (RHEL), Oracle Linux, and CentOS 4.x, 5.x, 6.x, 7.x and higher;
- Ubuntu 4.10 through 14.10, and higher;
- and other distributions.
- Analysis via command line interface (CLI) or graphical user interface (GUI) applications which run on Ubuntu 12.04 (64-bit), Ubuntu 14.04 (64-bit), RHEL/CentOS 6.x (64-bit), or RHEL/CentOS 7.x (64-bit).
- Automatic kernel version identification — just select a memory image and go.
- Supported memory image formats:
- raw physical memory images ("mem" format — as produced by secondlook-memdump, Inception, and other tools);
- SLM memory images ("slm" format — a high-performance compressed memory image format used by Second Look Enterprise Edition);
- LiME memory images ("lime", "padded", or LiME "raw" formats — images in LiME "raw" format require conversion with secondlook-limeraw2mem);
- VMware virtual machine snapshot and suspend files (vmsn/vmss/vmem);
- VirtualBox snapshots (as produced with vboxmanage debugvm dumpguestcore); and
- Libvirt/KVM snapshots (as produced with virsh dump — for conversion of Libvirt/QEMU SaveVM files, see lqs2mem, originally secondlook-lqs2mem, now an open source project).
- Support for analysis of memory images from systems running either distribution stock kernels or custom kernels.
- Support for analysis of memory images from Amazon EC2 instances (under both pv and hvm virtualization types).
- Access to a repository of over 14000 ZRKs (Zipped Reference Kernels) providing the metadata and baseline for analysis and verification of Amazon, CentOS, Debian, Fedora, Oracle, RHEL, and Ubuntu stock kernels.
- An easy-to-use tool for creation of ZRKs for other distributions or for custom kernels.
- Second Look ZRKs can also be used as Volatility profiles.
- Integrity verification of the kernel and processes in memory.
- Access to a pagehash database containing hashes of the executable code pages of the ELF executables and shared libraries from over 2 million software packages from the Amazon, CentOS, Debian, Fedora, RHEL, and Ubuntu distributions.
- An easy-to-use tool for the addition of pagehashes supporting verification of custom or third-party software.
- Detection of kernel rootkits, backdoors, and other kernel-mode malware (known and unknown varieties).
- Detection of shared library rootkits, keyloggers, spyware, injected libraries, injected threads, and other user-mode malware (known and unknown varieties).
- Detection of unknown or unauthorized processes.
- Recovery of device mapper crypto keys for LUKS, TrueCrypt, and other full disk encryption schemes.
- Extraction of system state from captured memory images, including loaded kernel modules, running processes, memory mappings, open files, active network connections, and more. Output is available in the GUI/browser, in plain text from the CLI, and in JSON format for ingestion by other programs.
- Offline usage is supported via a subscription to our ZRK and pagehash reference data feeds.
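The integrity verification items above (kernel and process verification against a pagehash database of ELF executable code pages, with JSON output for other programs) describe a technique that is easy to see in miniature. The following added example is not Second Look's code and makes several assumptions: SHA-256 stands in for whatever hash the product uses, the reference database is a plain dictionary built from the on-disk ELF, and the live process memory is read through `/proc/PID/maps` and `/proc/PID/mem` rather than through an acquired image or the product's agent. The `build_sample_elf` helper constructs a minimal ELF64 only so the functions can be exercised without a real binary.

```python
"""Page-hash integrity check of executable code in a running Linux process.

Added example for this page, not Second Look's code. Reference hashes are
computed from an ELF file's executable PT_LOAD segments one 4 KiB page at a
time; the same pages are read back from a process and compared. SHA-256 and
the dict-based reference store are assumptions, not the product's format.
"""
import hashlib
import json
import os
import re
import struct
import sys

PAGE = 4096
PT_LOAD = 1
PF_X = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")            # ELF64 program header


def exec_segments(elf: bytes):
    """Yield (p_offset, p_filesz) for every PT_LOAD segment with PF_X set."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(elf, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            PHDR.unpack_from(elf, phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            yield p_offset, p_filesz


def page_hashes(elf: bytes) -> dict:
    """Map file-page offset -> SHA-256 of that page for each executable page.

    The kernel maps whole file pages, so the full page is hashed even when a
    segment starts or ends mid-page; bytes past end-of-file are zero-filled,
    exactly as the page cache presents them.
    """
    ref = {}
    for p_offset, p_filesz in exec_segments(elf):
        first = p_offset & ~(PAGE - 1)
        for off in range(first, p_offset + p_filesz, PAGE):
            page = elf[off:off + PAGE].ljust(PAGE, b"\0")
            ref[off] = hashlib.sha256(page).hexdigest()
    return ref


def verify_pages(mapped: dict, ref: dict) -> list:
    """Compare {file_offset: page_bytes} read from memory against the reference.

    Returns the file offsets of pages whose code differs from the on-disk
    executable, plus executable pages the reference never saw (unknown code).
    """
    bad = []
    for off, data in sorted(mapped.items()):
        expected = ref.get(off)
        if expected is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(off)
    return bad


MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")


def read_exec_pages(pid: int, path: str) -> dict:
    """Read every executable page `pid` maps from `path`, keyed by file offset.

    Needs ptrace rights on the target (same uid with a permissive
    ptrace_scope, or CAP_SYS_PTRACE). The data comes from the live kernel, so
    a kernel rootkit can lie here; that is the gap memory-image analysis on a
    trusted system closes.
    """
    mapped = {}
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            m = MAPS_RE.match(line.rstrip("\n"))
            if not m or m.group(5) != path or "x" not in m.group(3):
                continue
            start, end, file_off = (int(m.group(i), 16) for i in (1, 2, 4))
            for va in range(start, end, PAGE):
                mem.seek(va)
                mapped[file_off + (va - start)] = mem.read(PAGE)
    return mapped


def verify_process(pid: int, path: str) -> list:
    """Hash the on-disk ELF and report modified or unknown code pages in `pid`.
    A mismatch also occurs when the file was upgraded after the process
    started, so check package state before calling it an injection."""
    with open(path, "rb") as f:
        ref = page_hashes(f.read())
    return verify_pages(read_exec_pages(pid, path), ref)


def build_sample_elf(code: bytes) -> bytes:
    """Constructed minimal ELF64 with one R+X PT_LOAD covering headers + code."""
    phoff = EHDR.size
    total = phoff + PHDR.size + len(code)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1,
                     0x400000 + phoff + PHDR.size, phoff, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_LOAD, PF_X | 4, 0, 0x400000, 0x400000, total, total, PAGE)
    return ehdr + phdr + code


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    with open(f"/proc/{pid}/maps") as maps:
        paths = sorted({m.group(5) for m in map(MAPS_RE.match, maps)
                        if m and "x" in m.group(3) and m.group(5).startswith("/")})
    for path in paths:
        try:
            bad = verify_process(pid, path)
        except (OSError, ValueError) as exc:
            print(json.dumps({"pid": pid, "path": path, "error": str(exc)}))
            continue
        print(json.dumps({"pid": pid, "path": path, "ok": not bad,
                          "bad_file_offsets": [hex(o) for o in bad]}))
```

Run as-is it checks its own interpreter and every executable library it maps, printing one JSON line per file; pass a PID to check another process you may ptrace. The design points worth noticing: hashing whole file pages rather than section contents is what lets the check run without a full memory dump (only the executable pages are read), and reporting pages absent from the reference catches injected code that no on-disk package accounts for.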
More Reasons to Choose Second Look
Beyond the unique and powerful Linux Incident Response feature set listed above, what sets Second Look apart is the team behind it and the quality of the software they deliver.
- The Second Look Team provides professional support via phone and email, with on-site consulting services available. You get direct access to experts in Linux system internals and security.
- Customer feedback often quickly leads to new features.
- Second Look ships with comprehensive documentation, including a User Guide with explanations of the techniques most commonly used by attackers to maintain stealthy persistence on Linux systems.
- Second Look is regression tested against a large suite of sample memory images to ensure maximum quality and compatibility.
- If you like the visibility that Second Look gives you during investigations, you can upgrade to the Enterprise edition to monitor your systems on an ongoing basis.
Linux Enterprise Security with Second Look
Enterprise security teams require the ability to ascertain whether their systems are compromised or not. Second Look addresses advanced Linux threats by providing a signature-less malware detection capability based on memory forensics and integrity verification. Memory forensics eliminates reliance on the operating system and other software on potentially compromised hosts, giving Second Look a trustworthy view of system state. Such a capability is invaluable for proactive detection of intrusion, responding to a security incident, determining the scope of a breach, and validating the success of remediation. Second Look Enterprise Edition is a must-have for any security-conscious organization where Linux plays a significant role in the IT infrastructure.
Product features (Second Look Enterprise Edition)
All the capabilities of the Professional edition, plus:
- Memory acquisition from remote systems, and live remote memory analysis, via the Second Look agent. The agent is only launched when a memory dump or remote memory analysis is requested. Since its only function is to provide access to the target system's memory, and it does not perform any analysis, the agent is small, simple, and highly portable.
- Live remote memory analysis enables Second Look to verify the integrity of a remote system's kernel and the integrity of the executable code in all processes, without doing a complete memory dump. This results in fast scans across thousands of systems and great scalability for systems with hundreds of gigabytes of memory.
- An engine for automated scans of remote systems throughout an enterprise, with fully automated alerting. Second Look's configurable scanning engine makes fully automatic, enterprise-wide Linux memory forensics easy.
- Integration of alerts with any SIEM via syslog or JSON data.
- An option for a locally hosted reference kernel repository and pagehash database. For both performance and privacy reasons, many enterprise customers prefer to utilize locally hosted repositories of reference material. We provide a feed of reference data for stock kernels and Linux software released by the major distributions. We also provide tools for automated creation of reference kernels and automated generation of pagehashes so that custom or third-party kernels and software can be incorporated in your local repositories.
- Support for the SLM high-performance compressed memory image format. The SLM format is superior to raw physical memory images in that it occupies less space while retaining rapid access to captured memory, and it stores metadata about the acquired memory.
- Professional services to support initial deployment, integration with other security products or other aspects of your IT infrastructure, and triage and investigation of Second Look alerts.
More Reasons to Choose Second Look
The support, responsiveness to customer feedback, and regression testing described above for the Professional edition apply equally to the Enterprise edition. In addition to the User Guide, the Enterprise edition ships with a Deployment Guide walking through the ins and outs of an Enterprise deployment.