Linux Security Summit 2015/Abstracts/Stiller
Linux Incident Response
Mike Scutt and Tim Stiller, Rapid7
While Windows is still the dominant operating system, Linux has seen a steady increase in adoption by many organizations in both the private and public sectors. This adoption opens new avenues to attackers and can increase a company's attack footprint if the hosts are not properly hardened. Many companies deploy these hosts without any hardening, patching or isolation from the Internet, resulting in unauthorized access and potential data loss. Performing IR on a compromised Linux host involves the capture of volatile data (memory snapshots, processes, ports) and non-volatile data (log files, dropped files, file-based persistence). Analysis may also draw on logs from proxies, intrusion detection systems and firewalls. In addition to the forensic analysis, the responder must provide thorough documentation and a timeline of events based on the completed analysis. With this data, the organization can begin the remediation process and incorporate better detections to further mitigate the threat.
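As an added example (not part of this abstract or the speakers' material), a small POSIX shell triage script covering the volatile and non-volatile collection described above: listening sockets and processes are read from /proc, file-based persistence locations are hashed and timestamped, and those records are sorted into a timeline. It assumes GNU coreutils (stat -c, date -d), the persistence path list in PERSIST_PATHS is an assumption, and the /proc/net/tcp snapshot in the demo function is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the talk: first-responder triage of a Linux host.
# Volatile data (LISTEN sockets, processes) comes from /proc; file-based persistence
# locations are hashed and timestamped, then ordered into a timeline. Assumes GNU coreutils.
PERSIST_PATHS="/etc/crontab /etc/cron.d /etc/rc.local /etc/systemd/system /root/.ssh/authorized_keys"  # assumed list
listening_ports() {  # decimal port of every LISTEN socket (state 0A) in a /proc/net/tcp-format file
    while read -r _ laddr _ state _; do
        if [ "$state" = "0A" ]; then echo "$((0x${laddr##*:}))"; fi
    done < "$1"
}
process_snapshot() {  # pid, exe target and command line for every process under a /proc tree
    for p in "$1"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')  # "... (deleted)" = binary removed from disk
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "${p##*/}" "$exe" "$cmd"
    done
}
persistence_records() {  # "<epoch mtime>\t<sha256>\t<path>" per file under the given paths; missing paths skipped
    for path in "$@"; do
        [ -e "$path" ] || continue
        find "$path" -type f | while read -r f; do
            printf '%s\t%s\t%s\n' "$(stat -c %Y "$f")" "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        done
    done
}
build_timeline() {  # sort persistence records by mtime into "<UTC time>\t<path>\t<sha256>"
    sort -n "$1" | while read -r mtime sum f; do
        printf '%s\t%s\t%s\n' "$(date -u -d "@$mtime" +%Y-%m-%dT%H:%M:%SZ)" "$f" "$sum"
    done
}
collect() {  # full collection into a case directory: sh triage.sh collect [dir]
    d="${2:-./ir-case-$(date -u +%Y%m%dT%H%M%SZ)}"; mkdir -p "$d"
    listening_ports /proc/net/tcp > "$d/listening_ports.txt"; process_snapshot /proc > "$d/processes.tsv"
    persistence_records $PERSIST_PATHS > "$d/persistence.tsv"  # unquoted on purpose: split into paths
    build_timeline "$d/persistence.tsv" > "$d/timeline.tsv"; sha256sum "$d"/*.tsv "$d"/*.txt > "$d/MANIFEST.sha256"
}
demo_listening_ports() {  # constructed /proc/net/tcp snapshot, not from a real host:
    tmp=$(mktemp)         # a listener on 22, a client connection to 443, a listener on 8080
    printf '%s\n' 'sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode' \
        '0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1 1' \
        '1: 0100007F:D2A4 0100007F:01BB 01 00000000:00000000 00:00000000 00000000 1000 0 2 1' \
        '2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 3 1' > "$tmp"
    listening_ports "$tmp"; rm -f "$tmp"
}
case "${1:-}" in collect) collect "$@" ;; demo) demo_listening_ports ;; esac
```

Run it with `demo` to see the parser on the constructed snapshot, or with `collect` as root on the host being triaged; the MANIFEST hashes let the evidence files be verified later.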