Linux continues to rise in popularity, with over 96.3% of the world's top 1 million servers running a Linux solution. That growth also makes Linux a more attractive target for attackers. With new vulnerabilities appearing constantly, security teams need to keep their solutions in check and stay current with what is going on across the industry. Hackers are constantly looking for new ways to infiltrate systems, and keeping up with newly emerging threats is the only way to protect your environments from them.
Check out this interview with our CEO Jake King, where he talks about what is expected from Linux, the security industry, and Cmd in 2020.
In short, we’re going to be seeing a lot more adversarial attacks that involve ransomware / malware delivered through stolen accounts, CI / CD pipelines and automated management tools. There’s a whole new world of opportunity for adversaries to take advantage of new technology being used by teams that might not be fully up to speed on how to implement it properly.
In the past, adversaries were traditionally interested in industrial espionage, data theft, and credential theft, causing a lot of people to see ransomware take over the majority of the endpoint space. I feel that a lot of the early indicators we are seeing are going to lead to more sophisticated attacks, specifically for Linux environments, as the endpoint variants of these attacks are getting more interesting and sophisticated.
Because of this, we will probably start to see longer dwell times and greater amounts of lateral movement in systems. Adversaries are going to begin to take advantage of instance permissions and metadata permissions, which will lead to a lot of account and system account abuse. Since many companies are minimizing access to cloud environments, they've assumed they are safe; however, there is a substantial gap in what security professionals can see. They often don't have enough tools in place to detect lateral movement, privilege escalation, and account abuse in these mission-critical environments.
The approach a lot of teams take has been traditionally focused on the network edge for our platforms, endpoints and corporate networks – but I believe we’ll see some best practices forming around cloud / datacenter infrastructure, primarily in the two following areas:
Container / Host runtime observability
For years now we’ve seen amazing tooling leveraged for endpoints to discover patterns of abuse, lateral movement, or even process anomalies using runtime analysis. That pattern is quickly moving to the Cloud / Container world, and I anticipate a number of emerging standards will come out of this new found source of data.
I believe we will see teams start to align runtime and container process monitoring with existing amazing standards for adversarial detection, such as the MITRE ATT&CK framework. Indicators of compromise are quickly being tied to Tactics, Techniques and Procedures outlined in the ATT&CK framework, and it's assisting teams in identifying threat actors much faster.
This, combined with the ability to pattern-match over multiple IOCs, will reduce noise and inevitably reduce alert fatigue for SOC teams.
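The two ideas above, tagging runtime process events with ATT&CK technique IDs and then correlating several IOCs per host before raising a single alert, can be shown in a few dozen lines. The following is an added example and not Cmd's code: the event feed, the regex rules, the host names and the command lines are all constructed for illustration, and the window size and technique threshold are assumed tuning knobs. The technique IDs are real MITRE ATT&CK identifiers, but the regexes are deliberately simple and are not production signatures.

```python
"""Correlate multiple ATT&CK-tagged process indicators per host into one alert.

Added example (not Cmd's code). Each process event is tagged with the ATT&CK
technique(s) its command line matches; an alert is only emitted when at least
MIN_DISTINCT_TECHNIQUES different techniques cluster on one host within
WINDOW_SECONDS, so a lone IOC hit produces no page.
"""
import re
from collections import defaultdict

# Assumed event shape (hypothetical feed): (epoch_seconds, host, user, cmdline)
# Rules: regex over the command line -> (ATT&CK technique ID, technique name).
RULES = [
    (re.compile(r"169\.254\.169\.254"), "T1552.005", "Cloud Instance Metadata API"),
    (re.compile(r"\bcrontab\s+-"), "T1053.003", "Scheduled Task/Job: Cron"),
    (re.compile(r"\bchmod\s+[ug]\+s\b|\bchmod\s+[24][0-7]{3}\b"), "T1548.001", "Setuid and Setgid"),
]

WINDOW_SECONDS = 600          # assumed correlation window
MIN_DISTINCT_TECHNIQUES = 2   # assumed threshold before an alert is raised


def tag_event(event):
    """Return the list of (technique_id, name) that one event's command line matches."""
    _ts, _host, _user, cmdline = event
    return [(tid, name) for rx, tid, name in RULES if rx.search(cmdline)]


def raw_hit_count(events):
    """How many individual IOC hits a naive per-rule alerting setup would page on."""
    return sum(len(tag_event(ev)) for ev in events)


def correlate(events):
    """Group tagged hits by host and emit one alert per host/window when enough
    distinct techniques are present. Hits already covered by an alert are skipped."""
    by_host = defaultdict(list)
    for ts, host, user, cmdline in events:
        for tid, name in tag_event((ts, host, user, cmdline)):
            by_host[host].append((ts, tid, name, user, cmdline))

    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        i = 0
        while i < len(hits):
            window_end = hits[i][0] + WINDOW_SECONDS
            # hits are sorted, so the window is a contiguous prefix of hits[i:]
            window = [h for h in hits[i:] if h[0] <= window_end]
            techniques = sorted({(h[1], h[2]) for h in window})
            if len(techniques) >= MIN_DISTINCT_TECHNIQUES:
                alerts.append({
                    "host": host,
                    "first_seen": window[0][0],
                    "last_seen": window[-1][0],
                    "techniques": techniques,
                    "users": sorted({h[3] for h in window}),
                    "evidence": [h[4] for h in window],
                })
                i += len(window)   # everything in this window is covered by the alert
            else:
                i += 1
    return alerts


# Constructed sample events: three related hits on web-01, one isolated hit on
# db-02 (no alert), and one benign command on build-03 (no tag at all).
SAMPLE_EVENTS = [
    (1000, "web-01", "www-data", "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    (1030, "web-01", "www-data", "(crontab -l; echo '* * * * * /tmp/.x') | crontab -"),
    (1200, "web-01", "www-data", "chmod u+s /tmp/.x"),
    (5000, "db-02", "postgres", "curl http://169.254.169.254/latest/meta-data/"),
    (7000, "build-03", "jenkins", "ls -la /var/lib/jenkins"),
]

if __name__ == "__main__":
    print("raw IOC hits:", raw_hit_count(SAMPLE_EVENTS))
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], [t[0] for t in alert["techniques"]], alert["users"])
```

On the constructed feed the naive approach would raise four separate IOC alerts; the correlator raises one, for web-01, carrying all three technique IDs and the supporting command lines, and stays silent on the single metadata-service hit from db-02 until something else corroborates it.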
Multi-factor authentication & Extended / Continuous authorization
Weak credentials? Reused credentials? Absolutely! We're seeing massive trends to leverage datasets captured from large breaches over the last few years that, combined with a little ML, provide incredible insights into how we use (and slightly change) passwords for the different systems and services we use every day. It's getting easier for us to detect credential reuse (thanks Troy!), but it still remains a point of compromise.
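The "thanks Troy!" above refers to checking credentials against breach corpora without revealing the credential, which is how the Pwned Passwords range API works: the client sends only the first 5 hex characters of the password's SHA-1 and matches the returned suffixes locally. The block below is an added example, not Cmd's code or the Have I Been Pwned client; the breach corpus and its counts are constructed in memory so the check runs offline, and `fetch_range` is a stand-in for the real HTTP call to the range endpoint.

```python
"""k-anonymity breached-password check (added example, not Cmd's code).

Mirrors the Pwned Passwords range query: only a 5-character SHA-1 prefix
leaves the client, the service answers with every 'SUFFIX:COUNT' in that
range, and the match is done locally. Here the service is simulated with a
constructed corpus so the example needs no network access.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in corpus: password -> times seen in breaches. Made up
# for illustration; the real service holds hundreds of millions of hashes.
CONSTRUCTED_BREACHED = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3912816,
    "letmein": 250739,
}


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Index the corpus as prefix (5 hex chars) -> {suffix (35 hex chars): count}."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines like the real service, from the constructed
    corpus only. A real client would make the HTTP request here."""
    return [f"{suffix}:{count}" for suffix, count in sorted(RANGE_INDEX.get(prefix, {}).items())]


def query_prefix(password):
    """The only thing that would leave the client: the first 5 hex chars of the hash."""
    return sha1_hex(password)[:5]


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the corpus, comparing the
    35-character suffix locally so the full hash is never transmitted."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_password(password, max_seen=0):
    """Policy helper: reject any password seen in the corpus more than max_seen times."""
    return breach_count(password) <= max_seen


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2020!"):
        print(pw, "->", query_prefix(pw), "seen", breach_count(pw), "times")
```

The point to notice is what `query_prefix` returns: five hex characters narrow the hash to a bucket shared by many other passwords, so the service learns neither the password nor its full hash, while the caller still gets an exact count.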
Considering that MFA has been broadly deployed across multiple cloud vendors and endpoint systems, and users are more aware of its importance, we will absolutely see the addition of this functionality to our Cloud IAM accounts & many service / system level accounts.
Cloud vendors are probably going to start to build unified data models and consistent plans on how they share data between each other, specifically for threat intelligence and IAM. This is going to give rise to a lot of opportunities for consuming data from other cloud providers, leading to an increase in the overall security posture of multi-cloud deployed environments.
One of the challenges that cloud providers have had over the last few years is that there are great controls for identity and access within the cloud hypervisor system itself, but once the system is deployed there are few controls provided to the organizations that run the systems. Cloud providers are going to have to start looking into what they can do on a system level to restrict or provision access to different system components.
What I am most excited for this year is aligning those cloud vendor stacks with open source threat mapping and threat models. We are going to start seeing a more unified and consistent way of describing what an adversary – or even an administrator – did to cause an incident. Once cloud vendors start providing more of that data in an open source fashion, it's likely that security centers and security hubs (Google, Amazon, and Microsoft) will align with open standards and potentially even adopt open query languages. Open query languages will give us the opportunity to ask questions about the data in a similar way. This all plays pretty nicely into what we are doing at Cmd for 2020.
It boils down to 3 primary areas. The first is integration, which allows for expanding generic and core API functionality to integrate with better industry partners, be more consistent with cloud service providers, and truly be an offering that provides a first-class data experience.
Secondly, we are going to have to bring a wealth of Linux and Unix knowledge from the previous few years of collecting Linux threat intelligence and user behavioral data. We are going to be displaying this knowledge in the form of machine learning and artificial intelligence.
Lastly, and most interestingly, the biggest thing you will see from Cmd is a lot more open communication about the data we collect and the value we derive from that data. At Cmd, we want to provide deep insight and share the normal and abnormal findings we are collecting to build more interesting insights that demonstrate not only the value of our technology but also the interesting things that are going on in production.
We have some great products coming out in the near future that anybody who is running Linux in the cloud should want to use. We not only wanted to achieve these things for enterprise clients and the larger companies we have been working with, but we wanted to make our technology more accessible, so keep an eye out for awesome changes coming to our current product and a new product release coming to market shortly.