You never know what might be hiding in the depths of your network. As part of our ATT&CK Deep Dive webinar series, Red Canary’s Tony Lambert and Joren McReynolds joined Adam Pennington from MITRE and Jared Myers from VMware Carbon Black to demystify the threat of rootkits. You can watch the full recording here or check out the highlight clips below.
First things first, what is a rootkit?
According to MITRE:
Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Rootkits enable adversaries to thwart antivirus and remain under the radar. So let’s play... Legends of the Hidden Rootkit!
Why are rootkits useful to adversaries?
Adam explains how rootkits enjoy privileged access to persistently evade security controls and tools.
Which rootkits should I be concerned about?
Our panelists break down four varieties of rootkits, starting with hardware and firmware rootkits:
Jared walks us through bootkits and bootloaders, dating the Brain! bootkit (and himself) with a Bangles reference.
Kernel rootkits, such as the infamous Stuxnet, are the most common type. Jared passes the mic to Joren to get into how mitigation looks on Windows, Mac, and Linux systems.
Usermode rootkits, Tony’s personal favorite, are the only type that doesn’t require administrative privileges. Joren explains why that makes a difference.
What can I do now to keep ahead of rootkit threats?
A lot. Tony walks through recommended precautions and all four panelists take questions from the audience.
PRACTICAL TAKEAWAYS
For hardware, firmware, and bootloader rootkits:
- Enable Secure Boot
- Monitor bootloader replacement, if possible
- Enforce signed BIOS updates
- Obtain hardware from trusted sources
For kernel and usermode rootkits:
- Upgrade, upgrade, upgrade
- Restrict administrator and root permissions
- Enable driver signature enforcement
- Disallow kernel extensions and modules for unauthorized software
- Instrument your endpoints to hunt for suspicious or malicious behaviors
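As an added example (not from the webinar or from Red Canary), here is a small Python audit of how a Linux host stands against the kernel-rootkit takeaways above: Secure Boot, driver (module) signature enforcement, and refusing unauthorized kernel modules. The sysfs/procfs paths are the standard UEFI and kernel interfaces; the file contents fed to `audit()` can be read live or, as in the comments, constructed for testing.

```python
#!/usr/bin/env python3
"""Audit a Linux host for the kernel-rootkit mitigations in the takeaways list."""

# Standard locations: UEFI SecureBoot variable exposed by efivarfs (EFI global
# variable GUID), kernel module signature enforcement, the post-boot switch that
# forbids any further module loading, and the kernel lockdown LSM state.
SECURE_BOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"
MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"
LOCKDOWN = "/sys/kernel/security/lockdown"
ALL_PATHS = (SECURE_BOOT_EFIVAR, SIG_ENFORCE, MODULES_DISABLED, LOCKDOWN)

def read_file(path):
    """Return raw bytes of a sysfs/procfs file, or None if it is absent/unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None

def secure_boot_enabled(raw):
    # efivarfs files carry 4 bytes of UEFI attribute flags, then the variable
    # data; SecureBoot's data is one byte, 1 = enabled. None = no UEFI/efivarfs.
    if raw is None or len(raw) < 5:
        return None
    return raw[4] == 1

def lockdown_mode(raw):
    # The file reads like "[none] integrity confidentiality"; the active mode is bracketed.
    if raw is None:
        return None
    active = [t[1:-1] for t in raw.decode().split() if t.startswith("[") and t.endswith("]")]
    return active[0] if active else None

def audit(files):
    """files: mapping path -> bytes (None when unreadable). Returns normalized findings."""
    sig, disabled = files.get(SIG_ENFORCE), files.get(MODULES_DISABLED)
    return {
        "secure_boot": secure_boot_enabled(files.get(SECURE_BOOT_EFIVAR)),
        "module_sig_enforce": (sig.strip() == b"Y") if sig is not None else None,
        "modules_disabled": (disabled.strip() == b"1") if disabled is not None else None,
        "lockdown": lockdown_mode(files.get(LOCKDOWN)),
    }

def gaps(findings):
    """Takeaways from the list above that this host does not yet satisfy."""
    out = []
    if findings["secure_boot"] is not True:
        out.append("Enable Secure Boot")
    # Lockdown in integrity or confidentiality mode already requires signed modules.
    if findings["module_sig_enforce"] is not True and findings["lockdown"] not in ("integrity", "confidentiality"):
        out.append("Enable driver signature enforcement (module.sig_enforce=1 or kernel lockdown)")
    if findings["modules_disabled"] is not True:
        out.append("Disallow unauthorized kernel modules (set kernel.modules_disabled=1 once boot completes)")
    return out

if __name__ == "__main__":
    for line in gaps(audit({p: read_file(p) for p in ALL_PATHS})) or ["No gaps found"]:
        print(line)
```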