Visibility Logs

If IMA and auditd are configured correctly, events from the log can be sent to the SIEM or log management system. A full-featured log management system will make it easier to search and correlate information. It will certainly be a good way to react faster to suspicious events or attacks. Values for the file hash, path, UID, or GID can help to detect possible security issues related to the event.

Graylog is a centralized logging solution that allows the user to aggregate and search through logs. Graylog provides a means for storing logs at a centralized location. (Keeping all the logs in one place helps you identify the issues easily.) You can use Graylog to collect and analyze logs from various sources: operating systems, application servers, hardware, and software firewalls. Graylog also helps you monitor websites, web applications, and other areas of IT infrastructure.

Figure 1 shows an example of the same event that was generated when I launched the script script.sh.

Figure 1: Logging an event with Graylog.

Once everything is configured, you can monitor your system and also hunt for threats. It is worth configuring your rules in such a way that they detect the events that are most important. If you aren't sure which rules are the most useful in detecting threats, it could be worth reaching for the MITER ATT&CK Framework.

Uncovering an Attack

The MITRE ATT&CK framework [3] is a knowledge base and model for documenting the life cycle and behavior of cyber attacks. The framework documents attacker tactics and techniques based on real-world observations. MITRE also helps to categorize adversary action and recommends specific ways of defending against an attack. The reports can vary in depth and insight – unfortunately, not all techniques are easily mapped.

If you know the details of how an attacker operates, it is much easier to search the audit log for evidence of an attack. MITRE is a good source for that preliminary attack information.

As an example, suppose you were checking to see if the Rocke group had infiltrated your system? According to the MITRE website [4]:

Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.

The group specializes in attacks on Linux systems.

MITRE ATT&CK gives each technique its own number. The number is used to map the technique to auditd, which makes it possible to distinguish which technique the alert concerns, as follows:

- T1140 Deobfuscate/Decode Files or Information

According to this alert, which appears in the -k (keyname) field of the auditd log entry, Rocke group has extracted tar.gz files after downloading them from a command and control server. A report at MITRE ATT&CK says that Rocke group downloads payloads hosted on a legitimate website (Pastebin.com). The group uses the curl or wget utilities to download payloads to execute with a bash shell.

-w /usr/bin/wget -p x -k T1140-Deobfuscate-Decode-Files-or-Information
-w /usr/bin/curl -p x -k T1140-Deobfuscate-Decode-Files-or-Information

In the same step, the group decodes commands from binary into ASCII format using Base64:

-w /usr/bin/base64 -p x -k T1140-Deobfuscate-Decode-Files-or-Information

The Bitcoin miner itself is downloaded using shell scripts, curl, or wget from another location other than Pastebin. First, a config.json file containing the miner configuration data is downloaded, and then the rest of the miner. Next the group downloads mining executables from its own Git repositories and saves them under the filename java or kworkerds in the /tmpv, /var/tmp, or /dev/shm directory. Understanding this kind of behavior lets you make rules to detect it.

- T1053.003 Scheduled Task/Job: Cron

Rocke has installed a cron job that downloads and executes files from the command and control center.

Rocke creates cron jobs that persist on the victim's systems, which lets the attacker execute commands on a schedule without the need to be logged in. Rocke manipulates cron jobs, replacing the cron schedule and placing a malicious script in a folder that will execute hourly, daily, or weekly as part of existing cron jobs (Listing 3).

-w /etc/cron.daily/ -p wa -k T1053.003-Scheduled Task-Job-Cron
-w /etc/cron.hourly/ -p wa -k T1053.003-Scheduled Task-Job-Cron
-w /etc/cron.monthly/ -p wa -k T1053.003-Scheduled Task-Job-Cron
-w /etc/cron.weekly/ -p wa -k T1053.003-Scheduled Task-Job-Cron
-w /var/spool/cron/crontabs/ -p wa -k T1053.003-Scheduled Task-Job-Cron

- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking

This alert shows that Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. The group uses the open source tool libprocesshider to hide the process, before executing a file that modifies /etc/ld.so.preload.

-w /etc/ld.so.preload -p wa -k T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking

This information on the Rocke group makes it easy to search the audit log for a Rocke attack (refer to Listing 1). You can use the log to uncover:

• The path of the file that was executed and the path of its parent
• The PID and parent PID (PPID) of the executable
• The hash value of the file
• The UID, GID, and EUID of the process owner

You can then check whether an earlier version of the hash is already in a database, and if so, comparing the versions could indicate whether file has been altered.

Conclusion

IMA, together with auditd, can certainly help you protect your systems. Of course, this setup won't cover all security surfaces, but being able to recognize hashes and expose attack techniques can help you detect threats faster. In addition to supporting faster threat recognition, IMA also lets you customize your rules. As you can see from the Rocke group example, you can use the Linux auditing system to discover techniques and tools that might indicate an attack.