Linux security is anything but stagnant. It’s no secret that cybercriminals are exploiting the growing popularity of the OS and the high-value servers and devices it powers worldwide with new and evolving attacks such as malware and rootkits. Despite the reputation Linux has earned of being an exceptionally secure and stable OS, Linux malware is on the rise, and the number of new Linux malware variants reached a record high in the first half of 2022, as researchers discovered nearly 1.7 million samples during this period.

In this article, we cover a wide range of topics, including current security trends, technologies, and policies that are set to shape the next five years of security software and the ever-evolving landscape of open-source security. To gain insights from top experts in the field, we sat down with Vali Cyber Threat Intelligence Analyst Nathan Montierth and Vali Cyber Co-Founder and CTO Austin Gadient.

Austin is the primary author of Vali Cyber’s product, ZeroLock - the world’s first Linux security product that combines portability, performance, and efficacy into one easy-to-use system. Austin is also the author of SecurityPerf, an open-source framework that determines the impact of security software on production Linux workloads. Before starting Vali, Austin was an officer in the United States Air Force and developed secure software architectures for America’s satellite infrastructure.

Nathan’s work focuses on behavioral identification and technical analysis of modern malware, and he applies offensive methodologies to develop defensive solutions. He was a cyberwarfare officer in the US Air Force for five years, during which he received extensive cyber operations training, graduated from the AF-Basic Operator Course, and spent three years on the keyboard in operations.

LinuxSecurity: Can you speak a bit about the current state of Linux security and your predictions for the future? Specifically, what growing trends have you noticed in malware? What technologies or policies are most important for security software over the next five years and why?

Nathan Montierth: One key trend I’ve noticed is that Linux threats have become more like Windows threats. The outdated notion that Linux is more secure than other OSes is primarily based on “security through obscurity,” which isn’t much of a valid defense. That entire premise hinges on the idea that less attention is paid to the target. This is increasingly not the case with Linux, so we now see techniques that were previously applied predominantly to more user-centric OSes. Ransomware, bots, and backdoors all seem to be multiplying in the Linux environment. The causality of this trend could probably be connected to several potential directions, such as the rise of the cloud, increased digitization overall, and higher levels of virtualization. I don’t see these threats going anywhere, and in the future, I believe that we’ll see that threats that apply to any other OS family will also use Linux.   

Looking at Linux malware specifically, modern malware campaigns seem much more “business-minded” and systemic. Ransomware strains provide robust real-time “support” to victims, walking them through paying the ransom and hypothetically restoring files. Some services help victims improve their security after the ransom is paid and even describe themselves as “consultants.” However, they are arguably more predatory than most who use that title. Perhaps more interesting is the trend I’ve begun to notice that malware authors seem to focus more on portability. The diverse nature of current hardware and software probably makes it more challenging to engineer effective malware targeting a wide swath of vulnerable devices. We will continue to see malware use victim-native commands and tools rather than newly compiled code.   

To combat the increasing number and variety of threats targeting Linux, I see the broad adoption of physically based multi-factor authentication becoming one of the best defenses against traditional attacks. The more we can effectively pair traditional authentication methods with authentication based on a physical “thing” in the account holder’s possession, the more widespread remote attacks struggle to find footholds. Of course, this assumes correct implementation. At an organizational policy level, organizations will benefit immensely from routinely role-playing breaches and incidents in a “fire drill.” Since attacks only seem to be increasing, ensuring that personnel understand policies, procedures, and tools and know how to use them will pay dividends WHEN the incidents happen. Doing this will keep teams from becoming complacent or inexperienced and should reduce the overall impact of attacks.  

LS: What's your favorite open-source tool and why?

Austin Gadient: I am a massive fan of MITRE Caldera. Caldera enables repeatable, measurable efficacy testing to determine how different security tools perform while detecting adversary behavior across the MITRE ATT&CK framework. Another tool I love is SecurityPerf. Of course, I am very biased since I am the author. However, I love SecurityPerf for the same reasons I love MITRE Caldera. While Caldera provides a repeatable, measurable efficacy test, SecurityPerf provides a performance test. Using SecurityPerf, we’ve found many issues in the performance of different security products and system configurations. 

LS: What are some of the most significant flaws in existing Linux security tools? 

NM: The most significant flaw is that Linux endpoint security solutions lag behind the latest Windows endpoint security solutions. The focus hasn’t been on Linux. Existing solutions rely on signatures for detection, which is the traditional malware detection method. It requires a human to certify a software signature as malicious.  

Additionally, the most influential Linux solutions have a very costly resource overhead. Your processing power will take a massive hit for the added efficacy, which at the end of the day, will be a business expense of its own, reducing the product's value. SecurityPerf is a great way to validate this and evaluate the value of any given security system.  

LS: eBPF is all the rage. What are your thoughts on the technology from a defensive security perspective?

AG: eBPF was initially developed as a diagnostic tool. It provides excellent access to low-level kernel event information in a more performant way than other methods such as auditd. However, eBPF is very easy to circumvent from an attacker’s perspective. Even an unprivileged attacker can bypass eBPF-based system call information by overloading the maps used to communicate between an eBPF program and userspace. Furthermore, the eBPF verifier has vast numbers of CVEs against it, making enabling the feature a security risk. eBPF is an excellent tool for diagnostics but has significant drawbacks when used in security products. 

LS: How is Vali Cyber revolutionizing Linux security? 

AG: Vali Cyber provides three primary offerings to the Linux security market. The first and foremost is ZeroLock, a novel runtime detection and response system that combines high portability, efficacy, and performance into one application. The second is SecurityPerf, an open-source tool that allows organizations to determine the performance impact of a security solution on their workloads. We have used SecurityPerf extensively in PoCs to show customers how their existing solution is causing massive performance impacts, significantly increasing their computing costs. Finally, Vali Cyber is pioneering the concept of self-protecting containers through work with the United States Air Force and Space Force. Every deployed container should have some level of runtime security associated with it. ZeroLock provides that protection natively and embeds it directly into container images to ensure they are always protected against the latest threats while deployed. ZeroLock's protection extends from desktop Linux systems to LAMP stacks targeted by WordPress web shells. We are actively securing WordPress, messaging queues, and other high-volume applications. 

LS: What does ZeroLock do for the Linux security market? What are the real-world and cost impacts?

AG: ZeroLock provides the only Linux security solution that combines portability, performance, and efficacy into a single package. ZeroLock can deploy on any Linux system if the kernel version is 3.5+. Additionally, ZeroLock has unparalleled performance and significantly reduces memory and CPU usage. These claims are easily verifiable with SecurityPerf, an open-source tool we’ve developed to measure system performance that is freely available on GitHub. ZeroLock does not rely on signatures to detect attacks. Instead, ZeroLock uses Artificial Intelligence and Machine Learning behavioral detection out of the box. This approach makes ZeroLock’s detection far more future-proof than the adjustments attackers make to their malware through obfuscation.

LS: I see you have a podcast together. Tell me about your podcast. What led you to start it? Where can people listen to your podcast? 

NM: Yes! Our podcast is called ROP Lobsters, and you can listen on Spotify. Austin and I pool our knowledge and experience to give nuanced takes on cybersecurity current events. We’ll cover hacker techniques and tools, recent attacks, and public policy decisions. We love cybersecurity and enjoy talking together about it. You can find our podcast on Spotify today! 

Keep Learning About Linux Security

With the rise in attacks targeting Linux in recent years, robust Linux security has never been more critical for individuals and organizations. While Linux is heralded for its high level of security and stability, it is by no means a “silver bullet” in digital security. As previously mentioned, the OS must be correctly and securely configured, and sysadmins must practice secure, responsible administration to prevent attacks. Staying informed of the latest trends and solutions is vital to protecting Linux environments against attacks leading to compromise. We hope the information and insights provided in this article have given you a better understanding of the evolution of Linux security, what to expect in the coming years, and the type of protection required to secure against malware and other persistent and dynamic threats Linux users face.

Have a question that wasn’t covered in this interview? Connect with us on social media, and we’ll provide you with the information you seek! 
