Hilko Bengen
Hilko works in the CSIRT for a transportation and logistics company. He feels most comfortable when thinking about problems that touch systems programming, operations and IT security. For more than 25 years, he has learned to take free and open source software for granted and he is still amazed when he hears how others have found his contributions useful.
Sessions
This talk delves into strategies and practices for large-scale security monitoring of Linux systems within enterprise environments. We will explore unique challenges posed by Linux-based infrastructures — from their highly diverse configurations to their widespread deployment across cloud and hybrid landscapes.
We will discuss how we have addressed the need for scalability in our tooling and why integrating our solutions into a SIEM or SOAR platform is critical for effective incident response. Additionally, we will explain why traditional EDR solutions fell short of meeting our requirements and how we instead built a customized, open-source-driven setup leveraging Auditd/Laurel and Velociraptor.
The presentation will begin with an overview of our threat-based logging and response strategy, followed by a deep technical dive into the customizations and enhancements we made to the aforementioned tools — many of which have been shared with the community. Special attention will be given to the asset identification features we added to Velociraptor, enabling us to efficiently operate and respond at scale within complex enterprise environments.
The backdoor that had been added to xz-utils by an unknown threat actor (CVE-2024-3094) may be seen as a wake-up call in that too little attention is being paid to what happens behind the scenes in our software build processes. When we type ./configure && make, cargo build, pip install or similar chants into our terminals or CI pipelines, we expect that magic happens and that we get software artifacts that Just Work.
Given the right instrumentation tools, it is possible to observe what actually happens during the build process of most software packages, and in most cases we can infer whether a binary has actually been built from the presented sources as we expect. It is also possible to detect abnormal uses of compilers or linkers.
I will present a Linux-based prototype toolset for generating and analyzing those lower-level build logs and discuss curious findings and limitations of the approach.