Detection and response
Susannah Clark

Nothing to hide: seeking out rootkits

Experts from Red Canary, VMware Carbon Black, and MITRE ATT&CK give advice about how to bring rootkits out from the shadows.

You never know what might be hiding in the depths of your network. As part of our ATT&CK Deep Dive webinar series, Red Canary’s Tony Lambert and Joren McReynolds joined Adam Pennington from MITRE and Jared Myers from VMware Carbon Black to demystify the threat of rootkits. You can watch the full recording here or check out the highlight clips below.

First things first, what is a rootkit?

According to MITRE:

Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.

Rootkits enable adversaries to thwart antivirus and remain under the radar. So let’s play… Legends of the Hidden Rootkit!

MITRE ATT&CK rootkit detection webinar

Why are rootkits useful to adversaries?

Adam explains how rootkits enjoy privileged access to persistently evade security controls and tools.

Which rootkits should I be concerned about?

Our panelists break down four varieties of rootkits, starting with hardware and firmware rootkits:

Jared walks us through bootkits and bootloaders, dating the Brain! bootkit (and himself) with a Bangles reference.

Kernel rootkits, such as the infamous Stuxnet, are the most common type. Jared passes the mic to Joren to get into how mitigation looks on Windows, Mac, and Linux systems.

Usermode rootkits, Tony’s personal favorite, are the only type that don’t require administrative privileges. Joren explains why that makes a difference.

What can I do now to keep ahead of rootkit threats?

A lot. Tony walks through recommended precautions and all four panelists take questions from the audience.

For hardware, firmware, and bootloader rootkits:

  • Enable Secure Boot
  • Monitor bootloader replacement, if possible
  • Enforce signed BIOS updates
  • Obtain hardware from trusted sources

For kernel and usermode rootkits:

  • Upgrade, upgrade, upgrade
  • Restrict administrator and root permissions
  • Enable driver signature enforcement
  • Disallow kernel extensions and modules for unauthorized software
  • Instrument your endpoints to hunt for suspicious or malicious behaviors
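As an added example (not code from the webinar or its panelists), the script below checks a Linux host against the kernel-side items above: Secure Boot state, kernel module signature enforcement, the modules_disabled sysctl, the lockdown LSM mode, and any loaded module the kernel has tainted as unsigned. The file paths are standard Linux kernel and UEFI interfaces; the parsing functions take file contents as arguments so they can be exercised on constructed input.

```python
# Added example: audit a Linux host for the kernel-side mitigations listed above.
from pathlib import Path
from typing import Dict, List, Optional

# Standard kernel/UEFI interfaces (the GUID is the EFI global variable namespace).
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")  # Y: unsigned modules refused
MODULES_DISABLED = Path("/proc/sys/kernel/modules_disabled")     # 1: no further module loading
LOCKDOWN = Path("/sys/kernel/security/lockdown")                 # "none [integrity] confidentiality"
PROC_MODULES = Path("/proc/modules")

def secure_boot_enabled(raw: Optional[bytes]) -> bool:
    # efivars entries are 4 attribute bytes then the data; SecureBoot is one byte,
    # 1 when enabled. No variable at all (legacy BIOS boot) counts as not enabled.
    return raw is not None and len(raw) >= 5 and raw[4] == 1

def flag_set(text: Optional[str]) -> bool:
    # sig_enforce prints "Y"/"N"; modules_disabled prints "1"/"0".
    return text is not None and text.strip() in ("Y", "1")

def lockdown_mode(text: Optional[str]) -> str:
    # The active mode is the bracketed word; no file means the lockdown LSM is absent.
    words = (text or "").split()
    active = [w[1:-1] for w in words if w.startswith("[") and w.endswith("]")]
    return active[0] if active else "none"

def unsigned_modules(proc_modules: str) -> List[str]:
    # A /proc/modules line may end with per-module taint flags such as "(OE)":
    # 'E' = loaded without a valid signature, 'O' = out-of-tree build.
    found = []
    for line in proc_modules.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[-1].startswith("(") and "E" in fields[-1]:
            found.append(fields[0])
    return found

def read(path: Path, binary: bool = False):
    try:
        return path.read_bytes() if binary else path.read_text()
    except OSError:  # missing interface (non-UEFI, no lockdown LSM, etc.)
        return None

def audit() -> Dict[str, object]:
    return {
        "secure_boot": secure_boot_enabled(read(SECUREBOOT_VAR, binary=True)),
        "module_sig_enforce": flag_set(read(SIG_ENFORCE)),
        "modules_disabled": flag_set(read(MODULES_DISABLED)),
        "lockdown": lockdown_mode(read(LOCKDOWN)),
        "unsigned_modules": unsigned_modules(read(PROC_MODULES) or ""),
    }
```

Run `audit()` on the host and alert on any module in `unsigned_modules` or on `module_sig_enforce` being false; on a non-Linux host every check simply reports "not enabled" because the interfaces are absent.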
