Sandfly Security
  • Videos: 55
  • Views: 32,756
Immutable File Attack Persistence on Linux
Linux can allow administrators to set files as immutable. This feature prevents the files from being modified or deleted by anyone (even root). However, it can also be used by intruders to maintain persistence. In this video we discuss what an immutable file is, and how they are used by malware and hackers to remain on a host. We also discuss using the command line to identify immutable files and Sandfly's agentless Linux EDR to automatically locate the threat.
Sandfly's agentless Linux EDR is able to find this and many other types of Linux attacks without deploying any endpoint agents. Find out more and get a free license below:
www.sandflysecurity.com
Be sure to subscribe and follow us:
www...
Views: 84

Videos

Linux Immutable Malware Process Binary Attack
154 views, 12 hours ago
Processes running with an immutable binary are nearly always malware on Linux. Learn what this attack is, how to automatically detect it, and command line forensics you can use to investigate suspicious processes using this attack tactic. Sandfly's agentless Linux EDR is able to find this and many other types of Linux attacks without deploying any endpoint agents. Find out more and get a free l...
Linux EDR Detecting Processes Running from Temporary Directory Attack
98 views, 1 day ago
Processes running from temporary directories on Linux are often malicious. We'll show you what this attack is, why it's suspicious, and how to find it with command line tools and Sandfly's agentless EDR for Linux. Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Find out more and get a free license below: www.sandflysecurity.com Be sure t...
Linux Process Running with Hidden Binary Name Attack
259 views, 14 days ago
Hidden process binaries on Linux are often malicious. In this video we describe what this attack is, why processes with hidden binaries are usually up to no good, and command line forensics you can use to investigate the activity. We also show you how to quickly find this attack with Sandfly's agentless Linux EDR and security platform. Sandfly is able to find this and many other types of Linux ...
Linux Process Running from /dev/shm RAM Disk Attack
209 views, 21 days ago
The Linux RAM disk in /dev/shm is a favorite place for malware to hide. The RAM disk is not frequently checked and is volatile, so the malware can be sure it leaves no traces on disk if the system reboots. In this video we go over this attack, how to find it with Sandfly agentless Linux EDR, and command line forensics you can use to help investigate what may be happening. Sandfly is able to fin...
Deleted Process Binary Attack on Linux
166 views, 21 days ago
Malware on Linux will often delete the on-disk binary to evade detection with traditional anti-virus and file integrity monitoring tools. In this video we will discuss the threat and how to find it with Sandfly agentless Linux EDR. We'll then show you how to investigate it with command line forensics and recover the running process binary for analysis. Sandfly is able to find this and many othe...
SSH Excessive Keys Risk - Do You Have Too Many SSH Keys? Probably.
125 views, 28 days ago
Do you have too many SSH keys on Linux? Probably. Having too many SSH keys on Linux accounts presents a credential theft and backdoor risk. Besides not knowing who can log in with an account that has too many SSH keys on it, it can also hide backdoor keys placed there by hackers. In this video we discuss the risk and how to see it with command line tools on Linux as well as with agentless Sandfl...
SSH Authorized Keys2 Backdoor Attack
296 views, 28 days ago
SSH has a little-known way to leave behind backdoor keys, and that is by using the deprecated authorized_keys2 file. Many Linux users are unaware of this feature and what risks it poses. In this video we discuss this access method and how it can be abused as a backdoor. Then we show you how to find it with command line tools and automatic detection with agentless Sandfly as a Linux EDR. Sandfly...
Risky Business Snake Oilers Interview with Sandfly Security
84 views, 1 month ago
Join us for an interview on the Risky Business Snake Oilers segment where we talk about agentless Linux security and Sandfly. We cover the problem of Linux security monitoring with traditional EDR agents and how Sandfly works to agentlessly hunt for threats. We also discuss monitoring Linux appliances and edge devices for attacks, SSH key and credential theft, lateral movement risks, and much m...
Default User SSH Authorized Key Risks on Linux
376 views, 1 month ago
Default Linux users with SSH authorized keys are a way for attackers to hide backdoor accounts that can avoid detection for some time. In this video we discuss and demonstrate the threat, why it's used, and how to find it with command line tools and automatic discovery with Sandfly, the agentless Linux EDR platform. Sandfly is able to find this and many other types of Linux attacks without depl...
Unsecured and Unencrypted SSH Private Key Threats on Linux
752 views, 1 month ago
Unsecured and unencrypted SSH private keys are a major security threat on Linux. In this video we go over how easily unsecured SSH private keys can be stolen by intruders to use for lateral movement. We'll go over command line methods to find private keys. Then, we'll show you how attackers will find IP addresses of hosts to attack with the stolen key after discovery. Finally, we'll show you how ...
Linux EDR nologin Shell Rename Backdoor Attack Detection and Forensics
386 views, 1 month ago
System accounts on Linux often use a default shell of /sbin/nologin or /usr/sbin/nologin to prevent them from logging into a host even if enabled by accident. But what happens if an attacker were to replace the nologin binary with a valid shell like /bin/bash? Well, it makes a very stealthy backdoor user! In this video we'll show you this hacking tactic as it is used by APT groups to hide backd...
Linux EDR Obsolete Password Hashes and their Risks for Password Cracking
275 views, 1 month ago
Over the years Linux has featured many password hashes from MD5 to modern Yescrypt. These hashes are designed to slow down brute force password cracking in the event of compromise. However, as CPU and GPU speeds have increased, so has the risk of password crackers making many of the old algorithms not just obsolete, but dangerous to continue using. In this video we show you how to identify obso...
Linux EDR Default User Password Attack Detection and Forensics
229 views, 1 month ago
Linux ships with many default users disabled out of the box, but what happens if someone were to give them a password to enable login? Well, it would give them a backdoor user! In this video we explore this threat, how it looks with command line forensics, and how to use Sandfly's agentless Linux EDR to watch your system for this attack to know if it is happening. Sandfly is able to find this a...
Linux EDR Duplicate User Password Hash Attack Detection and Forensics
260 views, 1 month ago
Users with duplicate password hashes on Linux indicate the host has been compromised. In this video we'll discuss what we mean by duplicate password hashes, how to identify them with command line tool forensics, and automatically detecting this Linux attack with agentless Sandfly Security EDR. Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint age...
Linux EDR Reverse Shell Detection, Investigation, and Forensics
1.1K views, 1 month ago
Rob Joyce Interview - Linux Critical Infrastructure Threats
537 views, 2 months ago
Find and De-Cloak Linux Stealth Rootkits Instantly with Agentless Linux EDR
282 views, 3 months ago
Sandfly Linux EDR With Agentless Password Auditing - Find Default Passwords Instantly
101 views, 4 months ago
SSH Security Zones - Full demo of how to track, secure and monitor SSH keys on Linux agentlessly.
175 views, 5 months ago
SSH Security Zones - Track, secure and monitor SSH keys on Linux agentlessly.
220 views, 5 months ago
Stop Using Cryptographic Hashes to Find Linux Malware
441 views, 9 months ago
Agentless File Integrity Monitoring on Linux to Detect Compromised Servers
205 views, 9 months ago
Linux Threat Hunting Tactics and Techniques vs. Signatures
221 views, 9 months ago
Sandfly Agentless Linux Security Quickstart
639 views, 10 months ago
Drift detection for incident response on Linux. IR teams can instantly find compromised hosts.
2.1K views, 10 months ago
Find malware & ransomware on Synology NAS DSM appliances with Sandfly's agentless drift detection.
752 views, 10 months ago
Find Linux intrusions rapidly with agentless drift detection from Sandfly Security.
279 views, 10 months ago
BPFDoor Evasive Linux Backdoor and Malware Forensic Investigation Presentation
2.1K views, 1 year ago
Agentless Embedded Linux Device Security on Raspberry Pi
206 views, 2 years ago

Comments

  • @Joseph-b7h1i 8 hours ago

    You're doing a fantastic job! Could you help me with something unrelated: My OKX wallet holds some USDT, and I have the seed phrase. (mistake turkey blossom warfare blade until bachelor fall squeeze today flee guitar). How should I go about transferring them to Binance?

  • @TheBrodie31k 3 days ago

    those sneaky hackers!

  • @JeffreyHandy 7 days ago

    I didn’t know anything about this. Thank you.

  • @tracyrreed 29 days ago

    Backdoors aren't very interesting. Anyone can write a backdoor to run as root/admin on any OS. How they get installed is much more interesting. If you use SELinux or fapolicyd then this backdoor (or any other) can't run.

  • @drmikeyg 1 month ago

    Thanks Craig.

  • @dominikheinz2297 1 month ago

    A question regarding how Sandfly works. Are all the individual modules (the sandflies) that are run on the target system individual binaries? Because, if so, they have to be transferred and executed on the target system. Are they just placed in the tmp dir and then executed, sending the results back over SSH via JSON? I am curious. Otherwise, seems like a very interesting product.

    • @SandflySecurity 1 month ago

      We use a purpose-built binary and instructions are sent to it once on the host on what to analyze and collect. The binary is built specifically to investigate Linux with capabilities to de-cloak rootkits, parse data, etc. The execution is done in a secured home user directory and not out of /tmp. Results in the server are JSON and can be exported to any compatible source such as Splunk, Elastic, Postgres, Syslog, and so on. If it takes JSON, we can send to it also with our REST API. Hope that helps and thanks for watching.

    • @dominikheinz2297 1 month ago

      @@SandflySecurity Do you utilize eBPF to query the information? Because relying on userspace applications seems prone to error, as they could all be tampered with, no?

    • @SandflySecurity 1 month ago

      @@dominikheinz2297 We do not tie into the kernel using kernel hooks or eBPF for safety reasons. These telemetry sources can cause kernel panics and performance issues. The reality also is any telemetry source can be tampered with, and this includes eBPF. Our approach is to analyze the systems from multiple different angles and this gives very high detection coverage that is difficult to evade.

    • @dominikheinz2297 1 month ago

      @@SandflySecurity Appreciate the detailed answers! Very interesting. From my understanding, eBPF code is very unlikely to panic the kernel because it essentially runs in a "VM" inside the kernel, and is verified during compilation; I might be wrong on that though. So, if I understand you correctly, you essentially transfer your custom binary, and have various functions to verify the same state. Let's take as an example the hiding of processes. You would query using the ps command maybe, another approach would be walking /proc, and maybe some other syscall to retrieve running processes. Then this information is aggregated, and checked to see if any of the results differ? That's how I understand it. So, the binary performs the operations of querying for data/states, and the sandflies just instruct the binary what to query?

    • @SandflySecurity 1 month ago

      @@dominikheinz2297 eBPF is much less likely to cause kernel panics than kernel hooks, but it has happened. The other issue is that once you get the telemetry data out of your eBPF, how does that impact performance and stability of the host? The more you collect, the more processing power needed to analyze the data. Each way of collecting telemetry has pluses and minuses. By avoiding these other telemetry sources we increase reliability, safety, and speed. We also have much wider compatibility as we can operate on systems over a decade old, embedded systems, custom kernels, etc. With other methods you need to be extremely careful about kernel versions and updates can break the agent or the agent can break the kernel. We simply avoid all these issues by not having an agent. This means we have far wider visibility across all Linux systems than other methods. Also, we can watch everything, and not just select systems for fear of compatibility/stability/performance impacts. Our system will use various mechanisms to collect the data depending on what the source is we need. The mechanisms are built-in native functions and we don't call out to ps, and such because we assume the system is compromised and don't trust the results. We go and look ourselves. Results can be processed for known attacks, or in the case of drift detection, changes we see vs. what we expected. This can be new processes started, new users, new systemd services, new modules loaded and so on.

  • @juergenm6107 1 month ago

    With lynis or emba I can detect misconfiguration perfectly

  • @MrSamdizzy 1 month ago

    Wow! You're obviously excellent at what you do and I like the way you explain this issue. Though I am not in the security field I understood everything you said. Kudos!

    • @SandflySecurity 1 month ago

      Thanks for the compliment. Glad you enjoyed the video.

  • @comosaycomosah 1 month ago

    This channel should have so many more subs. You guys make great vids. I need to try your products, I haven't yet.

    • @SandflySecurity 1 month ago

      Thanks. We will be posting many more videos. Please share and tell your friends. We have a free trial on the website if you want to use it.

    • @comosaycomosah 1 month ago

      @SandflySecurity For sure! And yeah, I was looking last night, I may have to.

  • @shiverello6109 1 month ago

    Very well explained, any Linux admin could detect this backdoor after the video. Much appreciated

  • @kevinpaulus4483 1 month ago

    Nice ... but you still need an exploit from which you can run root commands or escalate to root to replace the shell in the shadow passwd file (chsh) and change the non-password to something legible (passwd). Do you have alerts of possible RCEs on vulnerable systems ... do you do continuous Nessus-like or nmap/NSE or ... other types of vulnerability scanning? Anyway ... quite an interesting product for an enterprise with a Linux environment.

    • @SandflySecurity 1 month ago

      Our philosophy is that we assume anyone that gets on a Linux box is going to get root. There are many ways it can happen with bugs, misconfigurations, etc. We scan systems on a random basis for signs of attack but are not a vulnerability scanner. We specifically focus on compromise detection and agentless threat hunting. Many systems remain unpatched or open to attack and admins need an automated way to search out and identify hosts that have been compromised. Hope that helps.

  • @Yayaisbadatchess 1 month ago

    Awesome! Is the $1$ the same for every md5 password?

    • @SandflySecurity 1 month ago

      Yes. The chart basically is this:
      $1$ = MD5
      $2a$ = Blowfish
      $2y$ = Blowfish
      $5$ = SHA-256
      $6$ = SHA-512
      $y$ = yescrypt

  • @Yayaisbadatchess 1 month ago

    So glad the algorithm suggested this video, awesome!

    • @SandflySecurity 1 month ago

      Thanks for the compliment and watching. We will be posting a lot more of these short topic videos so please subscribe.

    • @Yayaisbadatchess 1 month ago

      @SandflySecurity Already did! Also maybe if it's possible to make the red font a little brighter ☺️

    • @SandflySecurity 1 month ago

      Thanks for the feedback. We'll fix for next time.

  • @loremipsum685 1 month ago

    Forgot how useful peekfd is!

  • @callmebigpapa 1 month ago

    You only hear the noisy; the low and slow go undetected for years. If our power goes out so will theirs. They should have had a dedicated jumpbox for the aquarium guys. The security team for the company can get into any box ... if they get the OK. We should force hardware keys everywhere.

  • @ruymanbr 2 months ago

    Thanks. So this scans but doesn't protect or clean/stop any future attack?

    • @SandflySecurity 1 month ago

      We have the ability to halt/suspend processes among others. Most security teams want to investigate Linux boxes vs. automatic response, to survey the situation.

  • @artemis-arrow-3579 6 months ago

    Eh, I wrote a stealth malware called gorgon, absolutely no impact on the system, no slowing down, no bugging the system, nothing, mainly due to some design elements I came up with. It's also compatible with pretty much every kernel version since 2.something. Point is, if someone is skilled enough, and puts the time and effort into a rootkit, they can design something truly invisible.

    • @SandflySecurity 6 months ago

      Thanks for the comment. No doubt it's possible to hide on Linux for quite a while.

  • @Tulah 7 months ago

    I feel like hashes could still be useful, but not the way presented here, not to detect malware, but to guarantee integrity of known good software. Hash all the known binaries and libraries on the system, record sizes and then monitor changes. There are some files of course that need to be blacklisted from this such as log files and some runtime files, tempfiles, so it's not perfect, but it's an additional thing to bundle with other security. Take hashes before backup, bundle them with the backup and then take hashes immediately after the backup to make sure nothing went wrong while at it. Check hashes again immediately after updates and record changes. Monitor file integrity over time actively and report changes into whatever monitoring system is being used. This is basically what people did with the open source version of Tripwire in the early 2000s. Hash everything and record hashes on a floppy disk which is then removed until the next checkup. Also I did something similar with CFEngine some 10-15 years ago, though I only monitored integrity of some files, not all files, so that kinda defeats the point, but at least I'd know if important configs or content of directories changed for one reason or another.

  • @antediest 9 months ago

    Who the fuck uses sha1 in 2024 😂

    • @SandflySecurity 9 months ago

      It doesn't matter what cryptographic hash you use. The problem is identical. In fact, the longer the hash, the more of a problem it actually becomes.

  • @welcomeblack 9 months ago

    ??? The legitimate software provider should provide the check hash. Then you changed the original code so it hashes differently. That's expected behaviour, and is what you look for to check whether or not the OG program has been compromised. What am I missing?

    • @SandflySecurity 9 months ago

      It was demonstrating how easy it is also for a malware binary to be changed and why using hashes to look for malware is a bad approach. The use of a system command is just convenience for others that want to try it as an experiment. You are correct that hashes work great for spotting things that change where you don't want them to change (like a distro binary). They work very poorly for malware that changes all the time.

    • @welcomeblack 9 months ago

      @@SandflySecurity Ah OK, that makes sense. If you're skimming your server for a known exploit .badbash.rc and are scanning based on hash value, yeah, the hash might change every time it's run.

    • @cedricbrisson7240 9 months ago

      @@SandflySecurity Exactly. A lot of AVs do hash based static analysis and it's absolutely worthless 90% of the time. I've had at least 10x more false positives from hash based detection than true positives

    • @hi117117 9 months ago

      @@cedricbrisson7240 I mean kind of? Most use YARA rules that look for specific bytes in critical sections that a malware can't easily change. Maybe it's just my exposure but I don't see many people using hashes to identify malware. What I do see are systems using hashes to identify goodware (for lack of a better term).

  • @comosaycomosah 9 months ago

    Pretty fire channel!

  • @danielpacak6577 9 months ago

    That's a great demo and very powerful tool for host IR. I was wondering how / whether this product is suitable for cloud native deployments. For example, running it on a Kubernetes node will be much harder because capturing a profile or well known good behavior of such ephemeral containerised workloads running on a given node is probably much harder.

    • @SandflySecurity 9 months ago

      We can profile systems running containers. You can also use recon modules that include only containerized processes, or do not include containerized processes, to set up what kind of drift you want to find. For instance, profile containerized to only track containers running on a host. Or track non-containerized only to only track the host OS regardless of what containers it is running. Thanks for your comment.

    • @danielpacak6577 9 months ago

      Thank you for clarification. It would be very helpful to see a video that demonstrates how to hunt for threats on a Kubernetes node.

  • @andrealang3393 10 months ago

    Promo`SM 👀

  • @nickknows4249 10 months ago

    Best video I’ve seen on BPFDoor. Please take my money for a Linux forensics course!

    • @SandflySecurity 10 months ago

      Thanks for the comment. No plans for a course yet, but our product can teach you a lot about Linux forensics by just what it does. We have a free license for home lab users that may be of interest.

  • @stephenkolostyak4087 10 months ago

    This is cool, it's like something I did years ago. Nice.

  • @zackey_tnt 10 months ago

    How do you deal with hosts that have been in prod for some time and have deviated from a master image, such that prod changes are now "drifted"?

    • @SandflySecurity 10 months ago

      Best way would be to profile the known-good image of where the system started (e.g. base image of the distro used). Then scan the prod system and review each change alert to make sure you know what it is (does this process belong here, is this user OK?, etc.). Then add/append it to the drift profile. After that, all new changes will be alerts going forward. You can then also use that profile to check your other systems to see how they drifted from your updated profile.

  • @michalmanos4320 10 months ago

    How can we ensure the security of the SSH secrets on a cloud based panel hosted offsite/in-cloud? Is there an option to self-host, is this open source code for auditing?

    • @SandflySecurity 10 months ago

      Customers self-host our product where they want. It is not run by our company and no customer data is sent to us in any form. You can self-host on-prem, in the cloud, or wherever you want. SSH secrets can be managed by our product with elliptic curve cryptography protecting the keys, or we can integrate with a key vault of your choice. Please read more about SSH key security in our install docs:
      docs.sandflysecurity.com/docs/standard-vs-maximum-security-install
      docs.sandflysecurity.com/docs/credentials-security
      We do not store or process any customer data here: sandflysecurity.com/why-sandfly/data-privacy/

  • @NobleSteed00 10 months ago

    How can this be done without an agent?

    • @diamondq 10 months ago

      I'm 99% sure their server connects to all the machines via SSH and then issues 'recon' commands over the SSH connection. You see during his setup that he's assigning SSH credentials to each of the new boxes so that their server can connect. Generally any management software that calls itself agentless means it's using SSH (or equivalent).

    • @SandflySecurity 10 months ago

      We connect over SSH and have a purpose-built binary with Linux forensic engines to gather data. We do not hook into the kernel or leave anything permanently running as is typical of agent-based deployments.

    • @NobleSteed00 10 months ago

      @@SandflySecurity Ok, thanks.

    • @rosonowski 10 months ago

      @@SandflySecurity Without access to ring 0, are you relying entirely on userland indicators as demonstrated in this video? The centralized collector and viewer is nice, but what does this offer, mechanically, over something like tripwire?

    • @SandflySecurity 10 months ago

      We use a variety of indicators and artifacts from a host but do not hook into ring 0 as it is not necessary to find virtually any malware on Linux (and introduces stability and performance impacts). We have no recent experience with tripwire, but in general we do not do just traditional file integrity monitoring, but can also profile running processes (even done by fileless malware). Also users, cron entries, systemd services, SSH keys, at jobs, and so on. Any forensic artifact we collect can be tracked for drift agentlessly. Finally, we can work on any Linux host we can log into which includes not just servers, but embedded systems, appliances, and so on up to a decade+ old. We also cover Intel, AMD, ARM, MIPS and Power CPUs seamlessly on virtually any Linux distribution.

  • @Ichinin 1 year ago

    This was exceptionally good, especially the sniffer detection tips.

  • @adriennecrosby4105 1 year ago

    Your screen is very difficult to read.

    • @SandflySecurity 10 months ago

      Thanks. We'll make it larger for future videos.

  • @a.r.5779 1 year ago

    Thank you very much, very very instructive.

  • @johnf216 1 year ago

    Great video, thanks for taking the time to record and share it.

  • @loremipsum685 1 year ago

    www.fbi.gov/wanted/cyber/apt-41-group

  • @cyberlabz 1 year ago

    Great video!! This is gold!! Thank you.

  • @johnlampe595 2 years ago

    If the user has a VirusTotal API key, could they feed it to Sandfly to automate the hash lookups?

    • @SandflySecurity 2 years ago

      We will have that feature soon as it is on our near-term roadmap.

  • @shiwangk9963 2 years ago

    Sounds cool UI. I have been using Ansible to do the same stuff on the CLI. Would love to see more features!

  • @goddiemang5792 2 years ago

    Useful information here !!!

  • @loremipsum685 3 years ago

    Very cool. Thanks for sharing.

  • @YoungDioX 4 years ago

    Great video! I do wish you paused a little for some of the commands towards the end so I could get a good look at them.

  • @svampebob007 4 years ago

    That's a very interesting tool you got there; the main issue I have with it is www.sandflysecurity.com/pricing/ You should really put a price where your mouth is. A basic price with * can really help consumers choose the product. I love the idea though: Now that I've looked at the website and videos, and had time to think about it, this is more of a passive protection. You are basically digging through logs and looking at anomalies, meaning that once you detect an intrusion you'll flag it (with a very impressive amount of detail, saving loads of hours of looking at logs). Yet at the end of the day the system is already compromised; whether this happened 1 minute or 30 days ago is kinda irrelevant, that system should be taken offline and preferably wiped. It's still a very ingenious solution. I like the fact that you basically just use ssh to get a foothold into any ssh-capable system and passively look at what's going on, that's clever! I think this could be done with an anti-malware/anti-virus using ssh/sshfs and capping the scan speed by either limiting the affinity of the AV/AM process or limiting the bandwidth and also focusing on "vulnerable" locations. It would still work as a "passive" protection, but more automated. I still like the idea, and I'm very impressed with the data being very accessible; the real issue is no visible price points... I could be saving $50k per cluster or be looking at a $50k bill for what amounts to a $20 job because your billing structure isn't obvious.
    Maybe I'm totally misunderstanding the technology, so correct me if I'm wrong, but when I hear you say "agentless" and "ssh", "key", "we see root here that's normal (video id: lQizoBHmF6Q time 7:54)" it implies that you allow Sandfly to log in via ssh as root but only with an ssh key, so that you can then use that software to scan the system using logs and commands like "lsof -i -P -n | grep LISTEN". So basically Sandfly gets a shell into any system and collects the data, but doesn't actually do anything with it. (Implementing AV with ssh root access would help here.) Still, I'm impressed with the data it's showing; most data/graph servers tend to just show kinda useless things like "cpu temp" "network speed"... cpu and network are the kind of stuff that we take care of before the host is online, it should already be capable of not overheating or maxing out the network. Now who launched not.a.virus.jpg as neo.matrix.bat... that's the kind of stuff I'm looking for! Looking at logs where it spams me 1000 lines of "dhcp default renewed ip to 127.0.0.1" per 1 "btw neo tried to login" is very useful, because sometimes you can't just grep "who dun did it".

    • @SandflySecurity
      @SandflySecurity 4 years ago

      Thanks for your response. Pricing is one of these things where it can vary so much depending on a customer's size and number of endpoints that we just need to talk to them to see how many hosts they actually have to see what discounts apply. The product is affordable even for very small deployments and also for very large ones. We don't actually look at any logs or use any built-in system tools at all. We have custom-built forensic engines designed specifically to investigate Linux. We are addressing after-the-fact intrusions because that is the major exposure for Linux. Even if you have a security product that claims to intercept and block all attacks (not possible), then there is always the chance the intruder still gained entry. For instance, a product that blocked five attacks and gave you five alerts. That's fine. But suppose there was a sixth attack it simply didn't see or block and that worked? At that point you had better be looking on the host for compromise signs or you are in trouble. If we detect attacks we can in fact respond to them. The latest version of the product can actively respond to process attacks by either suspending or killing the malicious process as soon as it is found. Other response options are possible. On top of this you can also build your own custom checks very easily and deploy them agentlessly. So if you are dealing with a specific threat to your organization and want to keep it confidential you can deploy custom modules yourself to help with incident response and clean-up. Contact us if you'd like a demo for your organization. We are happy to give a live demo on live attacks and supply a trial license. Thanks.

  • @hermanwooster8944
    @hermanwooster8944 4 years ago

    This was awesome. As a new Linux user, I'll be sure to save this video for reference.

  • @JaggedTusk
    @JaggedTusk 4 years ago

    Hey Craig, outstanding videos. I've learned so much regarding Linux forensics! Please keep the videos coming!

  • @austinjohnson4890
    @austinjohnson4890 4 years ago

    I'm a computer nerd thinking about switching careers to cyber security... Growing hemp has lots of down time so I'm going to study up. This channel is going to be my new college, thanks for uploading this stuff; not many will watch this but a few people like me will really appreciate it.

  • @Gregorydaerr1971
    @Gregorydaerr1971 5 years ago

    Can you show us the books you've read or are reading on that bookcase behind you?

    • @SandflySecurity
      @SandflySecurity 5 years ago

      Too many to list and changes constantly!

    • @Gregorydaerr1971
      @Gregorydaerr1971 5 years ago

      🤔....how bout just post a pic and I'll do the rest. I'm overwhelmed at the layered onion this topic has become. It seems almost purposely convoluted and obfuscated. Typical / average ....novice..... users have no hope of securing themselves in today's cyberspace. As a programmer, I'm hoping to deep dive and become competent in this space before looking into where some attention should be directed in order to enable the average user some useful and reliable tools for better protection. Virus software that simply white or black lists or compares hashes against a lookup table is woefully unable to offer any real protection. We need software that can recognize what a script/executable/binary is actually doing and how it's interacting with the OS and to limit and restrict BEHAVIOR rather than to attempt to use lazy shortcuts that are easily defeated. We need to create security software that can find unknown vulnerabilities based on more granular analysis of the system it protects. I also think that the whole trust model the cert authorities are providing has proven useless and another framework is needed soon. I think that anything involving "trust" metrics has proven in recent years to be a corrupt and broken system. The most affected by these sloppy policies are the average users. ....and they are likely oblivious. Although ignorance can reduce the shock of some situations (your identity has been stolen, 110k pervs are watching your daughter shower thru her phone and you just realized that on the internet, men are men......women are men and teenage girls are FBI Guys) for these average folk, that may be enough. However, I prefer knowing- REGARDLESS if there is nothing I can do. ... at least I can take common sense precautions to protect my data, money and privacy. G Daerr

  • @Gregorydaerr1971
    @Gregorydaerr1971 5 years ago

    Can you suggest a good Antivirus product?

  • @Gregorydaerr1971
    @Gregorydaerr1971 5 years ago

    Curious. Where can I read your paper?

    • @SandflySecurity
      @SandflySecurity 5 years ago

      Search for it at firstmonday.org. It should still be there.

  • @Gregorydaerr1971
    @Gregorydaerr1971 5 years ago

    What language did you write the stealth scan program in.......python?