
How HarfangLab EDR efficiently protects Linux endpoints

Think no threat can target Linux endpoints? Think twice. Ransomware, cryptocurrency miners, web shells and rootkits are all routinely used against Linux systems. What does HarfangLab EDR do to protect Linux servers and workstations? We explain.

Rising interest in Linux by attackers

The GNU/Linux operating system is widely used by organizations, and cloud architectures and applications built on Linux-based containers have spread it even further.

These new uses make Linux a prime target for attackers, who try to take advantage of weaknesses such as:

  • Unpatched software
  • Misconfigurations
  • Insecure code
  • Phishing and social engineering

as noted in a study carried out by Trend Micro in 2023, making endpoints running Linux a potential target for many types of threats that can damage an information system.

[Figure: Top malware types that targeted Linux OS in 2022. Attacks are largely (97%) dominated by web-based attacks, in contrast with Windows.]

Furthermore, another report, from Check Point in November 2023, highlighted a significant increase in ransomware attacks targeting Linux servers and VMware's ESXi hypervisors since 2020.
 
 
Although these Linux threats are generally less sophisticated, their impact is concerning and evolving. While Linux-targeted ransomware is minimalistic, focusing almost entirely on encryption, it can be tricky to detect.
 
Noteworthy examples include the stealthy Shikitega malware, and Linux implants by the Chinese company I-Soon and its partners.

So, how does our EDR work to protect Linux endpoints? Let’s get to the heart of the matter. 
 

A robust and reliable EDR based on eBPF 

HarfangLab EDR relies on eBPF, which has many advantages over EDRs based on Linux kernel modules (LKMs):

  • Fast updates
    eBPF programs are easier to maintain across Linux updates than kernel modules, enabling faster updates and support for modern Linux kernels with minimal risk of errors or incompatibilities.
  • No kernel panic
    eBPF programs, in contrast with Linux kernel modules, do not run in kernel mode and therefore cannot crash the system by inducing a kernel panic, the Linux counterpart of Windows' Blue Screen of Death.

What about EDR self-protection?
Attackers generally do their best to stay under the radar and may try to silence EDRs to do so, which is why HarfangLab provides self-protection as a core feature to protect its agent against malicious behavior.
On Linux, self-protection of the agent involves two aspects:

  • Process protection, to prevent malicious processes from killing the agent or from reading or altering its memory;
  • File system protection, to prevent malicious processes from reading, overwriting or removing the agent's files.
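The two aspects above can be written down as a small decision model. The following is an added example, not HarfangLab code: a policy evaluator that decides whether an operation attempted by some process against the agent's process or files should be allowed, and turns every denial into a tamper-attempt telemetry record, since an attempt to silence the EDR is itself a strong detection signal. The agent PID and the file paths are hypothetical, and the model only captures the decision logic that a real agent would enforce from kernel hooks.

```python
"""Decision model for process and file system self-protection of an EDR agent.

Added example (not HarfangLab code). Agent PID and paths are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

AGENT_PID = 4242                                  # hypothetical agent process
AGENT_FILES = {                                   # hypothetical protected files
    "/opt/edr-agent/bin/agent",
    "/opt/edr-agent/etc/agent.conf",
    "/var/lib/edr-agent/state.db",
}
AGENT_DIRS = ("/opt/edr-agent/", "/var/lib/edr-agent/")   # hypothetical directories

PROCESS_OPS = {"kill", "ptrace_attach", "read_memory", "write_memory"}
FILE_OPS = {"read", "write", "unlink", "rename"}


@dataclass(frozen=True)
class Op:
    actor_pid: int                     # process attempting the operation
    kind: str                          # one of PROCESS_OPS or FILE_OPS
    target_pid: Optional[int] = None   # process operations
    target_path: Optional[str] = None  # file operations (for rename: the source path)


def is_agent_file(path: str) -> bool:
    """Protected if it is a listed file or lives under an agent directory."""
    return path in AGENT_FILES or path.startswith(AGENT_DIRS)


def evaluate(op: Op) -> Tuple[bool, str]:
    """Return (allowed, reason). Only the agent itself may act on its process or files."""
    if op.kind in PROCESS_OPS:
        if op.target_pid != AGENT_PID:
            return True, "target is not the agent process"
        if op.actor_pid == AGENT_PID:
            return True, "agent acting on its own process"
        return False, f"{op.kind} on agent process by pid {op.actor_pid} denied"
    if op.kind in FILE_OPS:
        if op.target_path is None or not is_agent_file(op.target_path):
            return True, "target is not an agent file"
        if op.actor_pid == AGENT_PID:
            return True, "agent accessing its own files"
        return False, f"{op.kind} of {op.target_path} by pid {op.actor_pid} denied"
    return True, "operation not covered by self-protection"


def tamper_event(op: Op) -> Optional[dict]:
    """Denied operations are a detection signal in their own right: emit them as telemetry."""
    allowed, reason = evaluate(op)
    if allowed:
        return None
    return {"alert": "edr_tamper_attempt", "actor_pid": op.actor_pid,
            "operation": op.kind, "reason": reason}


if __name__ == "__main__":
    # Constructed attempts: an unprivileged process tries to kill the agent and delete
    # its binary; the agent itself updates its own state file.
    for op in (Op(1000, "kill", target_pid=AGENT_PID),
               Op(1000, "unlink", target_path="/opt/edr-agent/bin/agent"),
               Op(AGENT_PID, "write", target_path="/var/lib/edr-agent/state.db")):
        print(evaluate(op), tamper_event(op))
```

A real implementation has to check both the source and the destination of a rename, and must also cover the agent's helper processes and the update mechanism, which the model leaves out for brevity.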

Comprehensive telemetry for a precise understanding of security events 

HarfangLab EDR is known for its advanced telemetry capabilities on Windows, and the same high standards apply to Linux, with the widest range of telemetry sources (process events, file system events, URLs, DNS and more) to facilitate analysis by SOCs.
 
Our priority: provide as much high-quality data as possible, with as little delay as possible, so that cybersecurity experts can understand the origin of an alert and investigate efficiently. For example, our EDR associates each network connection with the process behind it, which is particularly tricky to achieve on Linux.
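To make that difficulty concrete, here is an added example (not HarfangLab code) of the standard /proc-based way to attribute a TCP connection to its process on Linux: the socket inode is read from /proc/net/tcp, and the inode is mapped back to a PID by resolving the socket:[inode] symlinks under /proc/<pid>/fd. The parsing functions take text and dicts so they run on the constructed sample below; read_live() applies the same logic to the real /proc on a Linux host (root is needed to see other users' file descriptors, and sockets without an owning process, such as TIME_WAIT entries, carry inode 0 and cannot be attributed).

```python
"""Attribute TCP connections to their owning process via /proc (added example, not HarfangLab code)."""
import os
import re
import socket
import struct
from typing import Dict, List

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(field: str) -> str:
    """'0100007F:0277' -> '127.0.0.1:631'. The kernel prints the IPv4 address as a
    32-bit value in host byte order; '<I' assumes a little-endian host (x86, ARM)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return f"{ip}:{int(hex_port, 16)}"


def parse_proc_net_tcp(text: str) -> List[dict]:
    """Parse /proc/net/tcp content into connection records carrying the socket inode."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),                 # 0 when no process owns the socket
        })
    return conns


_SOCK_RE = re.compile(r"^socket:\[(\d+)\]$")


def build_inode_map(fd_targets: Dict[int, List[str]]) -> Dict[int, int]:
    """Map socket inode -> pid, given each pid's /proc/<pid>/fd link targets."""
    inode_to_pid: Dict[int, int] = {}
    for pid, targets in fd_targets.items():
        for target in targets:
            m = _SOCK_RE.match(target)
            if m:
                inode_to_pid[int(m.group(1))] = pid
    return inode_to_pid


def attribute(conns: List[dict], inode_to_pid: Dict[int, int]) -> List[dict]:
    """Attach the owning pid to each connection (None if unowned or not visible)."""
    for c in conns:
        c["pid"] = inode_to_pid.get(c["inode"]) if c["inode"] else None
    return conns


def read_fd_targets() -> Dict[int, List[str]]:
    """Collect fd link targets for every pid visible under /proc (Linux only)."""
    out: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited or not permitted
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:                     # fd closed between listdir and readlink
                continue
        out[int(name)] = targets
    return out


def read_live() -> List[dict]:
    with open("/proc/net/tcp") as fh:
        conns = parse_proc_net_tcp(fh.read())
    return attribute(conns, build_inode_map(read_fd_targets()))


# Constructed sample input (not captured from a real host; addresses are documentation ranges).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:9C40 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:9C41 0A7100CB:01BB 06 00000000:00000000 03:00000A2C 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_FD_TARGETS = {
    777: ["/dev/null", "socket:[12345]"],                 # hypothetical listener
    4242: ["/dev/null", "pipe:[555]", "socket:[67890]"],  # hypothetical client
}


def demo() -> List[dict]:
    return attribute(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), build_inode_map(SAMPLE_FD_TARGETS))


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Two properties of this approach explain why an EDR prefers a kernel-side source such as eBPF: the /proc snapshot is racy (a short-lived connection can open and close between the two reads, leaving no PID), and walking every /proc/<pid>/fd on a busy server is expensive.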

Now let’s dig deeper into the perks of high-quality data when it comes to detection. 
 

State-of-the-art, open and customizable detection 

Thanks to the high-quality data mentioned earlier, our CTI team produces fine-grained detection rules that are harder to bypass.
The quality and relevance of the data collected by our agents also enable us, by relying on the YARA and Sigma rule formats, to provide state-of-the-art, transparent and customizable detection. Moreover, our AI engine also helps detect unknown threats on Linux, as it does on Windows and macOS, to keep pace with the speed at which threats evolve.

In practice, this is how we detect ransomware and threats in general on Linux: by feeding our YARA and IOC engines with our rich telemetry, and by continuously improving our AI models. For ransomware especially, this is what allows HarfangLab to detect and block attacks before they are executed, ensuring none of your files are encrypted.
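As an illustration of what behavioural detection over file system telemetry looks like, here is an added example that is not HarfangLab's detection logic: a per-process sliding-window heuristic that flags a process which, within a few seconds, rewrites many distinct files and renames them to a new extension, the minimalistic encrypt-and-rename pattern of Linux ransomware described earlier. The events are constructed, not captured telemetry, and the thresholds are illustrative; a compiler that renames fifteen temporary object files is included to show why both signals are required together.

```python
"""Behavioural ransomware heuristic over file-system telemetry (added example, not HarfangLab code)."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

WINDOW_S = 10.0           # look-back window per process (illustrative)
MIN_DISTINCT_WRITES = 20  # distinct files written inside the window
MIN_EXT_CHANGES = 10      # renames that change the file extension


@dataclass(frozen=True)
class FileEvent:
    ts: float             # seconds
    pid: int
    comm: str             # process name
    op: str               # "write" or "rename"
    path: str
    new_path: str = ""    # rename only


def _ext(path: str) -> str:
    return os.path.splitext(path)[1]


class RansomwareHeuristic:
    def __init__(self, window: float = WINDOW_S) -> None:
        self.window = window
        self.recent: Dict[int, Deque[FileEvent]] = defaultdict(deque)
        self.alerted: set = set()

    def feed(self, ev: FileEvent) -> Optional[dict]:
        """Ingest one event; return an alert the first time a pid crosses both thresholds."""
        q = self.recent[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:     # expire events outside the window
            q.popleft()
        written = {e.path for e in q if e.op == "write"}
        ext_changes = [e for e in q if e.op == "rename" and _ext(e.new_path) != _ext(e.path)]
        if (len(written) >= MIN_DISTINCT_WRITES and len(ext_changes) >= MIN_EXT_CHANGES
                and ev.pid not in self.alerted):
            self.alerted.add(ev.pid)
            return {"pid": ev.pid, "comm": ev.comm,
                    "distinct_files_written": len(written),
                    "extension_changes": len(ext_changes),
                    "new_extensions": sorted({_ext(e.new_path) for e in ext_changes})}
        return None


def constructed_events() -> List[FileEvent]:
    """Synthetic telemetry for three processes: a backup job, a compiler, and a mass encrypt-and-rename pattern."""
    evs: List[FileEvent] = []
    for i in range(30):                      # backup: many writes, no renames
        evs.append(FileEvent(100 + i * 0.1, 301, "backup-tool", "write", f"/srv/backup/db{i}.bak"))
    for i in range(15):                      # compiler: extension-changing renames but few files
        evs.append(FileEvent(200 + i * 0.2, 302, "cc1", "write", f"/tmp/build/obj{i}.o.tmp"))
        evs.append(FileEvent(200 + i * 0.2 + 0.1, 302, "cc1", "rename",
                             f"/tmp/build/obj{i}.o.tmp", f"/tmp/build/obj{i}.o"))
    for i in range(25):                      # many files rewritten then renamed to a new extension
        evs.append(FileEvent(300 + i * 0.2, 303, "unknown-bin", "write", f"/home/alice/docs/report{i}.docx"))
        evs.append(FileEvent(300 + i * 0.2 + 0.1, 303, "unknown-bin", "rename",
                             f"/home/alice/docs/report{i}.docx", f"/home/alice/docs/report{i}.docx.locked"))
    return evs


def run_demo() -> List[dict]:
    det = RansomwareHeuristic()
    alerts = []
    for ev in sorted(constructed_events(), key=lambda e: e.ts):
        alert = det.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Only the third process trips the heuristic, and it does so on the twentieth file rather than after the whole set has been touched, which is the point of feeding a detection engine with low-latency telemetry: the earlier the threshold is reached, the fewer files are lost before the process can be blocked.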

 

Want to know more about how our EDR works?