Monitor the immutability of operating system and application files

Increase cyber security through binary integrity at file level with checksums

In this blog post you will find out:
  • Why binary file tampering is a security risk for your company's IT
  • How you can monitor the manipulation of binary files
  • How to implement immutability monitoring with Versio.io in 5 minutes

Manipulation of binary files = security risk

The manipulation of operating system files or applications represents a significant security risk, as it can allow unauthorised access to the system. Modified files can contain malware such as viruses, Trojans or ransomware that infects the system, steals or damages data and takes control of the system. The introduction of backdoors also enables attackers to gain undetected access to the system, which can lead to further attacks on the entire network. In addition, manipulated files can affect the stability of the system and cause applications or the operating system to stop functioning reliably.
 

Recognising manipulated binary files

The integrity of binary files is crucial for the security and stability of an operating system or application. Hash values play a central role in this. A hash value is a fixed-length fingerprint of a file that is calculated from its content. Any change to the file, no matter how small - be it due to a download error or malware - changes the hash value. The hash values of binary files should therefore only change as part of updates. Any other change must be treated as unauthorised.
Example of a checksum of a file based on the MD5 algorithm: 097202d6e3d2077e717e75ad6e9a4ba4
 

Implement monitoring with Versio.io in 5 minutes

Configuration of integrity monitoring

Versio.io is a software platform that creates transparency, control and efficiency in IT operations. The core component is the continuous and automated documentation (inventory) of IT landscapes. A OneImporter (agent) on the host computer to be monitored and the activated 'Folder Importer' module are required to monitor binary files.
A directory to be monitored must be specified in the Folder Importer configuration. If the 'Capture files' option is activated, the files it contains are also inventoried. The 'Capture file hashes' option adds the checksum (MD5 hash value) of each file to the documentation. For the example in this blog post, the configuration below additionally restricts the captured files to those named 'python3'.
Figure: Configuration of file binary integrity monitoring
 

Documentation of the integrity violation

The following illustration shows the result of the inventory of the directory in the Instance Viewer. The initial state was recorded in the lower area (original). We see the file 'python3' with its metadata, which also contains the checksum.
The change (manipulation) recognised by Versio.io is documented in the centre of the figure. The content of the file 'python3' was changed manually (simulation of a cyber attack), which leads to a change in the checksum.
Figure: Manipulation detection based on continuous and automated inventory in Versio.io
You may also be interested in:
  • Events & Alerting - An event can be generated for the recognised manipulation of the file and the associated integrity violation using policies (logical rules). Alerting can be executed based on the event, which can send notifications by email or chat or generate an incident ticket, for example.
  • Configuration files - The approach shown above can also be used for any other files, such as configuration files. With the help of the file importer, it would also be possible here to inventory the entire content of the configuration and process it in Versio.io.
 

Conclusion

The use of checksums for binary files therefore not only contributes to system stability, but also protects against targeted attacks on system files. It is an indispensable tool for the operational security management of a company's IT.
 
 

Authors | 21 January 2025


Fabian Klose
Head of Software Development
P:  +49-30-221986-51


Keywords: Cybersecurity, Binary file, Binary format, Manipulation, Integrity, Ransomware
