Detecting Shellshock with SIEM Solutions

By Derek Arnold ·

At the end of September, a serious vulnerability (CVE-2014-6271 and CVE-2014-7169) came to light affecting Linux/Unix and Apple OS X. The seriousness of the Bash Shellshock vulnerability is that it allows unauthenticated, arbitrary code execution remotely. There is strong potential the exploit activity will become more damaging. There are reports of attackers using the vulnerable systems to install malware droppers, reverse shells, backdoors, and preparing for DDoS attacks. 

While much has been discussed on this key vulnerability, there is a lack of information on how to use security information and event management (SIEM) in detection and reporting initiatives.
Detection Using Your SIEM

In this brief video, I demonstrate how to exploit the vulnerability. Splunk Enterprise is used to set-up a Shellshock reporting dashboard to give your organization complete situational awareness. The reports can be emailed to your Unix team daily or posted on the video wall in your SOC. By installing two scripts on your Linux forwarders, you will see which systems are still in need of the patch, as well as the commands the attackers are attempting on your Apache web servers. 



While I utilized Splunk Enterprise for the demonstration, other SIEM engines will also work, although some of the set-up details will vary.

Derek Arnold

Principal Consultant

Derek Arnold has spent the last 12 years securing large retail, medical device, and insurance companies. He has worked on large, diverse enterprises in the Fortune 500. His key specialties include security operations, threat intelligence, physical security and SIEM. As a principal consultant for Optiv, he helps organizations solve their unique security challenges using Splunk Enterprise.