Bridging the gap: Open Source Linux Security


The setting

We’ll walk through a fictional security incident.

Timeline:

  • A threat actor is doing reconnaissance on your environment.
  • Exploitation of a vulnerability in a workload.
  • Privilege escalation in your system.
  • Persistence: a backdoor is installed on the system.
  • Lateral movement: the attacker is moving through your environment, looking for valuable data.
  • Data exfiltration: the attacker is stealing data from your environment.

Incident response

So now you have to respond to the incident. You need to answer a couple of questions:

  • Which workload was vulnerable?
  • How did they get in?
  • How did they move laterally?
  • What data was exfiltrated?

A lot of organizations have a hard time answering these questions, because they don’t have the right tools in place to detect and respond to security incidents.

What now

Most of the time, organizations buy proprietary tools and install them on their infrastructure. Most of these are sold as SaaS: black-box agents run on your hosts and ship data to the vendor’s cloud for analysis. That is not ideal: you do not control your data, you have no visibility into how the tool reaches its verdicts, and it compromises your sovereignty.

Another issue is that these tools are often not Linux native, or they are built by companies with ties to questionable governments such as Israel or the US. This is a sovereignty problem, not anti-Semitism or anti-Americanism, and there is precedent: Kaspersky was banned from US government systems in 2017 and from sale to US customers in 2024 over the company’s ties to the Russian government.

Open Source as a solution

Permissive licences:

  • Reduces vendor lock-in
  • Use, modify, distribute and audit with minimal restrictions

Linux native:

  • Built by the community, for the community

KangaSec

KangaSec is a tailor-made open source security service, provided by Kangaroot, using open source tools and technologies.

Reference design

SIEM/SOC based on Elastic. A note on licensing: the Elastic License 2.0 is source-available rather than OSI-approved open source; since 2024 Elastic also offers the core under the AGPLv3, which is. Prebuilt detection rules and integrations, expanded on by Kangaroot.

You can deploy this fully open source, but Kangaroot still relies on Elastic integrations for incident response and forensics.

WAF based on Coraza (a ModSecurity-compatible engine that runs the OWASP Core Rule Set), extended with the CrowdSec WAF integration.

IDS/IPS: Falco for host-based intrusion detection; Suricata for network-based IDS/IPS and Zeek for network security monitoring.

Security assessments are done by the Kangaroot team, who do an in-depth assessment of your environment.

Hardening and compliance are done with Ansible and verified with OpenSCAP. Additional hardening is based on the assessment, since the team needs insight into the environment first.

PAM (privileged access management): Keycloak as IdP, OpenBao for secret management and PKI, OpenSSH certificates for short-lived access, and Elastic Session View plus auditd as the session-recording replacement for CyberArk.

Vulnerability management: Nuclei for template-based scanning.

Container security: StackRox (the upstream of Red Hat Advanced Cluster Security) and Falco.

Secure development: SonarQube for static analysis, ZAP for dynamic testing, SBOM generation with the results reported to DefectDojo, and Renovate for automated dependency updates.

Threat sharing platform: MISP. You can enrich MISP with indicators from your SIEM, share them with the community, and pull in community data to increase your visibility.

Elastic can be replaced with other tools:

  • OpenSearch (with custom dashboards) as the search and dashboard backend
  • ElastAlert 2 running Sigma rules for alerting
  • Auditbeat OSS for host audit data

Going over the timeline again

Let’s replay the incident timeline and see how the different tools would have helped you detect and respond at each step:

  • Reconnaissance:
    • The WAF detects and blocks malicious requests (scanner probes, injection attempts).
    • The NIDS detects port and service scanning on the network.
    • CrowdSec blocks scanners and known-bad sources based on its scenarios and the community blocklist.
  • Exploitation:
    • The WAF detects and blocks exploitation attempts against web workloads.
    • Falco detects and alerts on suspicious activity on the host (an unexpected shell spawned by a web server, for example).
    • Elastic Security ships prebuilt detection rules that alert on the SIEM data, including the endpoint telemetry from Elastic Defend.
    • Suricata in inline IPS mode can block known exploit traffic; Zeek records the connections and protocol details for later investigation.
    • Red Hat Advanced Cluster Security (StackRox) detects and blocks exploitation attempts in Kubernetes environments.
    • Nuclei finds vulnerable workloads before the attacker does.
    • Hardening removes attack surface and mitigates whole classes of known vulnerabilities.
    • fapolicyd prevents execution of binaries that are not on the allowlist.
  • Privilege escalation:
    • auditd logs privilege escalation attempts, provided you load rules for it (setuid execs, sudo, changes to sudoers); out of the box it records very little.
    • Falco detects and alerts on suspicious activity on the host.
    • Elastic Security prebuilt rules alert on the corresponding events.
    • The assessment trims down sudo rules and reduces the attack surface.
  • Persistence:
    • Elastic holds the logs showing where the backdoor was installed.
    • Falco detects and alerts on suspicious host activity such as a backdoor being installed (new cron entries, systemd units, writes below binary directories).
    • The NIDS detects long-running sessions, DNS tunnelling and known TLS fingerprints of C2 traffic.
    • fapolicyd prevents execution of the backdoor binary if it is not allowlisted.
  • Lateral movement:
    • auditd (with execve rules) and the sshd logs shipped to the SIEM record the SSH sessions the attacker opens from and to compromised hosts.
    • Short-lived SSH certificates stop lateral movement with stolen credentials: there is no long-lived key to steal, and a certificate expires within hours.
    • CrowdSec blocks SSH password spraying attempts.
  • Data exfiltration:
    • NSM (Zeek) detects unusually high volumes of data leaving the network.
    • Network segmentation limits which hosts can reach the outside at all.
  • Recover:
    • osquery and YARA can be used to find the backdoor on every host and remove it.
    • Forensics can be done using Elastic, and the findings feed back into detection rules and hardening.
    • Elastic session recording shows what the attacker did on the system.

Elastic’s prebuilt detection rules run in the SIEM over the ingested logs, so they are only as good as what you ship to it; Elastic Defend is the endpoint agent that supplies that telemetry. Falco instead hooks system calls via eBPF and alerts on the host in near real time, independent of the SIEM.
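The privilege escalation bullet above only holds if auditd is actually told what to record. As an added example (not Kangaroot’s ruleset), the shell script below prints a rules file for the execve-based escalation pattern and for the sudo policy files, then filters a constructed audit.log for the resulting records. The key name `privesc`, the file name and every sample record are invented for the demo.

```bash
#!/usr/bin/env bash
# auditd rules for privilege escalation plus a small triage filter over audit.log.
# Added example, not Kangaroot's ruleset. Assumes a 64-bit Linux host running auditd;
# the key "privesc" and the sample log written below are made up for the demo.
set -eu

# Rules file to drop into /etc/audit/rules.d/ and activate with `augenrules --load`.
# Without rules like these auditd records nothing useful about privilege escalation.
privesc_rules() {
    cat <<'EOF'
## execve where the effective uid becomes root while the real uid is not:
## sudo, su, pkexec and any setuid binary. The auid filters skip system daemons.
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=unset -k privesc
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=unset -k privesc
## Changes to the sudo policy itself
-w /etc/sudoers -p wa -k privesc
-w /etc/sudoers.d/ -p wa -k privesc
EOF
}

# One line per SYSCALL record tagged with the privesc key: the login user (auid),
# real uid, effective uid and the binary. uid != euid means an actual escalation;
# uid == euid means root touched the sudo policy (the -w rules).
privesc_events() {
    awk '
        /^type=SYSCALL / && /key="privesc"/ {
            split("", v)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(auid|uid|euid|exe)=/) {
                    split($i, kv, "=")
                    gsub(/"/, "", kv[2])
                    v[kv[1]] = kv[2]
                }
            kind = (v["uid"] != v["euid"]) ? "escalation" : "sudoers-change"
            printf "%s auid=%s uid=%s euid=%s exe=%s\n", kind, v["auid"], v["uid"], v["euid"], v["exe"]
        }' "$1"
}

# Constructed audit.log: a sudo, an ordinary ls (other key, must be ignored),
# a pkexec by a second user, and root creating a file under /etc/sudoers.d/.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0f1 a1=55d0f2 a2=55d0f3 a3=0 items=2 ppid=2311 pid=2390 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined key="privesc"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1700000000.150:202): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2390 pid=2401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key="exec"
type=SYSCALL msg=audit(1700000000.900:203): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="pkexec" exe="/usr/bin/pkexec" subj=unconfined key="privesc"
type=SYSCALL msg=audit(1700000001.200:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e0a0 a2=241 a3=1b6 items=2 ppid=2390 pid=2455 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined key="privesc"
type=PATH msg=audit(1700000001.200:204): item=1 name="/etc/sudoers.d/99-backdoor" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=CREATE key="privesc"
EOF
}

# Run as `bash privesc_audit.sh demo` to print the rules and the triage output.
if [ "${1:-}" = "demo" ]; then
    privesc_rules
    sample=$(mktemp)
    write_sample_audit_log "$sample"
    privesc_events "$sample"
fi
```

On a real host you would run `privesc_events /var/log/audit/audit.log`, or better, ship the records to the SIEM and keep the same uid/euid comparison as a detection rule; the `auid` is the field that survives `sudo -i` and tells you which person escalated.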
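The PAM design above uses OpenSSH certificates, and the lateral movement bullet relies on them being short-lived. As an added example (not Kangaroot’s tooling), the script below creates a user CA, issues a one-hour certificate restricted to named principals, and prints the sshd_config fragment that makes hosts trust the CA. It assumes `ssh-keygen` from OpenSSH is installed; the CA name, the user and principal names and the file paths are hypothetical.

```bash
#!/usr/bin/env bash
# Short-lived OpenSSH user certificates. Added example, not Kangaroot's own tooling.
# Assumes ssh-keygen (OpenSSH) is installed; WORK is a scratch directory and the
# CA name, users, principals and paths below are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the user CA that every sshd will trust. In production the private half
# lives in an HSM or an OpenBao-backed signer, never on a jump host.
make_ca() {
    rm -f "$WORK/user_ca" "$WORK/user_ca.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'kangasec-user-ca' -f "$WORK/user_ca"
}

# Issue a certificate for user $1, limited to the comma-separated principals in $2
# and valid only for $3 (default one hour from now). A stolen certificate is
# useless after expiry, and the principals pin which accounts it may log in to.
# -O clear drops every default permission; only a pty is re-enabled.
issue_cert() {
    user=$1; principals=$2; validity=${3:-+1h}
    rm -f "$WORK/$user" "$WORK/$user.pub" "$WORK/$user-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/user_ca" \
        -I "$user-$(date +%s)" \
        -n "$principals" \
        -V "$validity" \
        -O clear -O permit-pty \
        "$WORK/$user.pub"
    echo "$WORK/$user-cert.pub"
}

# Principals embedded in a certificate, one per line (what sshd matches against
# the target account or its AuthorizedPrincipalsFile).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { in_p = 1; next }
        /Critical Options:/ { in_p = 0 }
        in_p && NF          { print $1 }'
}

# Validity window as printed by ssh-keygen ("from <start> to <end>").
cert_validity() {
    ssh-keygen -L -f "$1" | awk '/Valid:/ { sub(/^[ \t]*Valid: */, ""); print }'
}

# sshd_config fragment for the target hosts: trust the CA and map principals
# per account, so a "deploy" certificate cannot log in as root.
sshd_fragment() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
# Revoke a compromised certificate before it expires (ssh-keygen -k maintains this file)
RevokedKeys /etc/ssh/revoked_keys
EOF
}

# Run as `bash ssh_cert.sh demo` to issue a certificate and show its contents.
if [ "${1:-}" = "demo" ]; then
    make_ca
    cert=$(issue_cert alice "alice,deploy" +1h)
    echo "issued $cert"
    cert_validity "$cert"
    cert_principals "$cert"
    sshd_fragment
fi
```

The piece that ties this to the PAM design is who signs: the CA key sits behind the IdP, so a user authenticates to Keycloak, the signer hands back a certificate for the principals they are entitled to, and nothing long-lived ever lands in `~/.ssh` on a host the attacker can reach.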
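For the data exfiltration bullet, here is an added example (not Kangaroot’s NSM content) of the volume check over Zeek’s conn.log: it sums the bytes each internal host sent to non-local responders and flags hosts above a threshold. The conn.log rows and the 100 MB threshold are constructed for the demo; a real deployment would baseline per host and per time window instead of using one fixed number.

```bash
#!/usr/bin/env bash
# Flag hosts that pushed an unusual volume of bytes to non-local destinations,
# from a Zeek conn.log. Added example, not Kangaroot's NSM content. Assumes Zeek's
# tab-separated conn.log with its #fields header; the sample rows and the
# 100 MB threshold are made up for the demo.
set -eu

# Sum orig_bytes (client -> server) per source host where the responder is not
# a local address (local_resp == F). Prints "host<TAB>bytes" for every host above
# the threshold, sorted by host. Column positions are read from the #fields header
# so the check survives Zeek adding or reordering columns.
exfil_candidates() {
    log=$1; threshold=$2
    awk -F'\t' -v thr="$threshold" '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        $(col["local_resp"]) == "F" {
            out[$(col["id.orig_h"])] += $(col["orig_bytes"])
        }
        END {
            for (h in out)
                if (out[h] > thr) printf "%s\t%d\n", h, out[h]
        }' "$log" | sort
}

# Constructed conn.log: one workstation streaming ~200 MB to an external host,
# another doing ordinary small HTTPS requests, plus internal SMB traffic that
# must be ignored (local_resp == T).
write_sample_conn_log() {
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tlocal_resp\n'
        printf '1700000000.1\t10.0.0.5\t51234\t10.0.0.9\t445\ttcp\t5000000\t1200\tT\n'
        printf '1700000100.4\t10.0.0.5\t51240\t203.0.113.7\t443\ttcp\t120000000\t4200\tF\n'
        printf '1700000300.9\t10.0.0.5\t51241\t203.0.113.7\t443\ttcp\t80000000\t3900\tF\n'
        printf '1700000200.2\t10.0.0.12\t49100\t198.51.100.3\t443\ttcp\t2500\t180000\tF\n'
        printf '1700000250.7\t10.0.0.12\t49101\t198.51.100.3\t443\ttcp\t3100\t95000\tF\n'
    } > "$1"
}

# Run as `bash exfil_check.sh demo` to see the flagged host.
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    write_sample_conn_log "$sample"
    exfil_candidates "$sample" 100000000
fi
```

`local_resp` is only filled in when Zeek knows your address space (`Site::local_nets`), so set that first; otherwise every responder looks external and the check fires on internal backups too.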

Conclusion

Open source security tools can provide a defence-in-depth solution that is Linux native. The caveat is that you need the expertise to set it up and maintain it, and that is where Kangaroot comes in ;)

What you’re getting

  • Care-free security service with monthly response.
  • Proactive security
  • Reports post incident, with recommendations for improvement.