Unlocking the Secrets of Linux Security: An Expert Analysis
5 - 10 min read
Aug 02, 2023
Linux security is anything but stagnant. Cybercriminals are exploiting the growing popularity of the OS and its powered high-value servers and devices by utilizing new and evolving attacks in network security. Despite the reputation Linux has earned, that of being secure and stable against all forms of network security issues, Linux malware is on the rise. The number of new Linux malware variants reached a record high in the first half of 2022, as researchers discovered nearly 1.7 million samples during this period.
In this article, we will cover a wide range of Linux Security topics, such as current cybersecurity trends, technologies, and policies that are set to shape the next five years of security software and the ever-evolving landscape of open-source security. To gain insights from top experts in the field, we had a seat with Vali Cyber Threat Intelligence Analyst Nathan Montierth and Vali Cyber Co-Founder and CTO Austin Gadient.
Gadient is the primary author of Vali Cyber’s product, ZeroLock - the world’s first Linux security product that combines portability, performance, and efficacy into one easy-to-use system. He is also the creator of SecurityPerf, an open-source cloud security framework that determines the impact of security software on production Linux workloads. Before starting Vali, Gadient was an officer in the United States Air Force and developed secure software architectures for America’s satellite infrastructure.
Montierth’s work focuses on behavioral identification, technical analysis of modern malware, and offensive methodologies used to develop defensive solutions. He was a cyberwarfare officer in the US Air Force for five years, had extensive cyber operations training, graduated from the AF-Basic Operator Course, and spent three years on the keyboard in operations.
LinuxSecurity: Can you speak a bit about the current state of Linux security and your predictions for the future? Specifically, what growing trends have you noticed in malware? What technologies or policies are most important for security software over the next five years and why? 
Nathan Montierth (NM): One key security trend I’ve noticed is that Linux network security threats have become more like Windows concerns. The outdated notion that Linux is more secure than other OSes is primarily based on “security through obscurity,” which isn’t much of a valid defense. That entire premise hinges on the idea that less attention is paid to the target. This is increasingly not the case with Linux, so we now see techniques that were previously applied predominantly to more user-centric OSes. Ransomware, bots, and backdoors all seem to be multiplying in the Linux environment. The causality of these cyber security trends could probably be connected to several potential directions, such as the rise of the cloud, increased digitization overall, and higher levels of virtualization. I don’t see these network security issues going anywhere. In the future, I believe that these network security threats will apply to any other OS family that uses Linux.
Looking at Linux malware specifically, modern malware campaigns seem much more “business-minded” and systemic. Ransomware strains provide robust real-time “support” to victims, walking them through paying the ransom and hypothetically restoring files. Some services help victims improve their security posture after the ransom is paid and even describe themselves as “consultants.” However, they are arguably more predatory than most who use that title. Perhaps more interesting is the security trend I’ve begun to notice, which is that malware authors seem to focus more on portability. The diverse nature of current hardware and software probably makes it more challenging to engineer effective malware targeting a wide swath of vulnerable devices. We will continue to see malware use victim-native commands and tools rather than newly compiled code.
To combat the increasing number and variety of network security threats targeting Linux, I see the broad adoption of physically based multi-factor authentication becoming one of the best defenses against traditional attacks in network security. The more we can effectively pair traditional authentication methods with authentication based on a physical “thing” in the account holder’s possession, the more widespread remote attacks struggle to find footholds. Of course, this assumes correct implementation. At an organizational policy level, organizations will benefit immensely from routinely role-playing cloud security breaches and incidents in a “fire drill.” Since attacks only seem to be increasing, ensuring that personnel understand and know how to use policies, procedures, and network security toolkits will pay dividends when the incidents happen. Doing this will keep teams from becoming complacent or inexperienced and should reduce the overall impact of attacks on network security.
LS: What's your favorite open-source tool and why?
Austin Gadient (AG): I am a massive fan of MITRE Caldera. Caldera enables repeatable, measurable efficacy testing to determine how different network security toolkits perform while detecting adversary behavior across the MITRE ATT&CK framework. Another tool I love is SecurityPerf. Of course, I am very biased since I am the creator. However, I love SecurityPerf for the same reasons I love MITRE Caldera. While Caldera provides a repeatable, measurable efficacy test, SecurityPerf provides a performance test. Using SecurityPerf, we’ve found many issues in the performance of different security products and system configurations that would have caused problems in protecting data and network security.
LS: What are some of the most significant flaws in existing Linux security tools?
NM: The most significant flaw is that Linux endpoint security solutions lag behind the latest Windows endpoint data and network security solutions. The focus hasn’t been on Linux. Existing solutions rely on signatures for detection, which is the traditional malware detection method, and it requires a person to certify a software signature as malicious.
Additionally, the most influential Linux solutions have a very costly resource overhead. Your processing power will take a massive hit for the added efficacy, which at the end of the day, will be a business expense of its own, reducing the product's value. SecurityPerf is a great way to validate this and evaluate the value of any given security system versus any network security issues that could head your way.
LS: eBPF is all the rage. What are your thoughts on the technology from a defensive security perspective?
AG: eBPF was initially developed as a diagnostic tool. It provides excellent access to low-level kernel event information in a more performant way than other methods such as auditd. However, eBPF is very easy to circumvent from an attacker’s perspective. Even an unprivileged attacker can bypass eBPF-based system call information by overloading the maps used to communicate between an eBPF program and userspace. Furthermore, the eBPF verifier has vast numbers of CVEs against it, making enabling the feature a risk to data and network security. eBPF is an excellent tool for diagnostics but has significant drawbacks when used in security products.
LS: How is Vali Cyber revolutionizing Linux security?
AG: Vali Cyber provides three primary offerings to the Linux security market. The first and foremost is ZeroLock, a novel runtime detection and response system that combines high portability, efficacy, and performance into one application. The second is SecurityPerf, an open-source network security toolkit that allows organizations to determine the performance impact of a security solution on their workloads. We have used SecurityPerf extensively in PoCs to show customers how their existing solution is causing massive performance impacts, significantly increasing their computing costs. Finally, Vali Cyber is pioneering the concept of self-protecting containers through work with the United States Air Force and Space Force. Every deployed container should have some level of runtime security associated with it. ZeroLock provides that protection natively and embeds it directly into container images to ensure they are always protected against the latest network security threats while deployed. ZeroLock's protection extends from desktop Linux systems to LAMP stacks targeted by WordPress web shells. We are actively securing WordPress security vulnerabilities, messaging queues, and other high-volume applications.
LS: What does ZeroLock do for the Linux security market? What are the real-world and cost impacts?
AG: ZeroLock provides the only Linux security solution that combines portability, performance, and efficacy into a single package. ZeroLock can deploy on any Linux system if the kernel version is 3.5+. Additionally, ZeroLock has unparalleled performance and significantly reduces memory and CPU usage. These claims are easily verifiable with SecurityPerf, an open-source tool we’ve developed to measure system performance that is freely available on GitHub. ZeroLock does not rely on signatures to detect attacks in network security. Instead, ZeroLock uses Artificial Intelligence and Machine Learning behavioral detection out of the box. This approach makes ZeroLock’s detection far more future-proof than the adjustments attackers make to their malware through obfuscation.
LS: I see you have a podcast together. Tell me about your podcast. What led you to start it? Where can people listen to your podcast?
NM: Yes! Our podcast is called ROP Lobsters, and you can listen on Spotify. Austin and I pool our knowledge and experience to give nuanced takes on information security news, current events, and other cybersecurity trends. We cover hacker techniques and tools, recent attacks in network security, and public policy decisions. We love cybersecurity and enjoy talking together about it. You can find our podcast on Spotify today!
Keep Learning About Linux Security
With attacks in network security on the rise and targeting Linux in recent years, robust Linux security has never been more critical for individuals and organizations. While Linux is heralded for its high levels of data and network security and stability, it is by no means a “silver bullet” in digital security. As previously mentioned, the OS must be correctly and securely configured, and sysadmins must practice secure, responsible administration to prevent further network security issues. Staying informed of the latest cyber security trends and solutions is vital to protecting Linux environments against attacks that could lead to compromise. We hope the information and insights provided in this article have given you a better understanding of the evolution of Linux security, what to expect in the coming years, and the type of protection required to secure against malware and other persistent and dynamic network security threats Linux users face.
- Learn about the history of Linux malware and what’s being done to stop it.
- Get tips and advice for securing your Linux system.
- Learn about open-source vulnerability assessment network security toolkits and scanners to help improve your vulnerability management strategy.
- Learn about container security considerations and best practices in our Linux Container Security Primer.
Have a question that wasn’t covered in this interview? Connect with us on social media, and we’ll provide you with the information you seek!
