This article is selected from the 25th issue of Trading Technology Frontier (December 2016).
Zhang Song, Director of Information Security, Information Technology Department, Huatai Securities Co., Ltd., Nanjing 210019
Abstract: This paper analyzes the new security threat environment and, citing authoritative reports, presents statistics on how long financial service institutions take to discover and respond to security incidents. Drawing on the practice of red and blue army adversarial exercises, it argues for a change of mindset: daring to accept, proactively, that system intrusion and data leakage have either already occurred or will occur sooner or later. It further describes how emerging technologies such as threat intelligence and a security intelligence center can be used to adapt actively to this environment and to shift gradually from traditional defense toward building security capabilities of "prediction, defense, detection, response and continuous monitoring and analysis".
Key words: threat intelligence; security intelligence center; adaptive security architecture; red and blue army confrontation exercise
1.1 New threat environment
In the past two years, security threats have taken on new features and situations: the "dark cloud" community, the continued growth in scale of the black industry (organized cybercrime) and its complete business chain, security issues in industry software and the supply chain, APT, insider crime and fraud, and so on. These threats, more advanced than before, also show new behaviors and technical features: wide-ranging network scanning, use of already-compromised hosts, exploit kits, AV-evading ("kill-free") Trojans, evolving bypass and evasion techniques, social engineering, attacks coordinated with telecom fraud, the limited effectiveness of scanners, the proliferation of webshells, and, not least, the use of 0-day vulnerabilities. In this environment, defensive measures alone are not enough to resist determined and persistent attackers or advanced threats, and some organizations are insufficiently prepared for, or even unaware of, successful intrusions and data theft.
1.2 Conceptual change: beyond passive defense, assume compromise
In the new threat environment it is increasingly important for organizations to dare to take the initiative: intrusion and data leakage have either already occurred or will happen sooner or later. Verizon's 2015 Data Breach Investigations Report covers more than 80,000 security incidents, of which 2,122 were confirmed data breaches. In the financial services industry, 43% of security incidents were discovered within a few days to a few weeks, and 38% took months or even longer to discover, while in 63% of cases the attacker needed only minutes or even seconds to compromise the system. The new threat environment raises the bar for the security system: first, do the basic security work solidly; then build the ability to pick out the truly significant attacks, compromises and data leakage events from the mass of security events. The organization should gradually carry out continuous, multi-dimensional security monitoring, perceive the attack situation and detect compromise, respond proactively and even hunt for external threats, make investigation and evidence collection routine, and strengthen coordination and linkage with the external community.
As early as 2013, Gartner gave a complete definition of threat intelligence: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." In recent years threat intelligence has developed rapidly in the US enterprise security market; according to IT-Harvest estimates, the threat intelligence market will reach 10 billion yuan in 2018. Its main forms are tactical intelligence, operational intelligence and high-level strategic intelligence. In terms of application, threat intelligence has been fully integrated with next-generation firewalls, threat intelligence management platforms, WAF and SIEM. By industry, it is widely used in government, finance, transportation, energy, manufacturing, TMT, healthcare and other sectors, and more than two threat intelligence sources are usually used. Since 2015, threat intelligence has become a hot word in China's security industry. Many key industries that attach great importance to security, such as finance, IT and telecommunications, and energy, have not only introduced domestic and foreign threat intelligence data but also tried to build their own threat intelligence platforms. At the same time, many companies at home and abroad apply threat intelligence; they can be roughly divided into service providers focusing on threat intelligence, represented by ThreatBook (Weibu Online), ThreatConnect, ThreatQ, CrowdStrike and AlienVault, and security vendors integrating threat intelligence into their own defense and detection products, represented by 360, FireEye, Check Point, Palo Alto and Symantec.
As the application of threat intelligence matures, it is showing the characteristics of platformization, industry specificity and sharing. Industry specificity means that sharing threat intelligence within an industry plays an important role in helping different enterprises in the same industry cooperate and jointly improve the overall security environment.
3.1 Relationship between Gartner's adaptive security architecture and the intelligence center
In recent years, the research firm Gartner has put forward the concept of the adaptive security architecture, which it considers one of the top 10 technology trends for the coming years. As shown in Figure 1, in addition to defense and response, the adaptive security architecture includes prediction, detection and continuous monitoring. The capabilities in these three areas are highly consistent with the concept and positioning of the intelligence center and can be the main functions through which the intelligence center is landed. As shown in Figure 2, continuous monitoring and analysis should be the core capability of the intelligence center.
Figure 2 Gartner: continuous monitoring and analysis is the core of landing the adaptive security architecture
3.2 Intelligence composition of the security intelligence center
From the perspective of sources, intelligence is divided into two parts, internal and external. The security intelligence center should cover the collection, processing, integration and display of the following types of intelligence:
1) Internal intelligence of the organization:
- Asset intelligence: IT assets viewed from the attacker's perspective, especially the Internet-facing attack surface, such as domain names, IPs, ports, URIs, open services and software versions;
- Internal vulnerability intelligence: lifecycle information on vulnerabilities;
- Attack alarm intelligence: alarms from NGFW, IPS, WAF and endpoint security software;
- Traffic analysis intelligence: whole-network traffic;
- Log analysis intelligence: OS logs, web and middleware access logs, malware behavior on hosts;
- User and entity behavior intelligence: alarms generated by custom policies, such as data leakage monitoring, database audit, host security policy violations (such as exceeding the login-attempt limit) and configuration baseline violations. Gartner's latest report, Top 10 Strategic Technology Trends for 2017, focuses on user and entity behavior analysis when describing the adaptive security architecture, as shown in Figure 3.
2) External intelligence of the organization:
- Vulnerability notification intelligence: for example, vendor vulnerability information, especially with priority, impact analysis, whether and how it can be exploited and how it can be fixed, and vendor security notifications;
- Basic network intelligence: such as passive DNS (PDNS), Whois history, malware and malware behavior databases, subdomains, analysis of which IPs resolve to the same domain name, digital certificates, etc.;
- Attack indicator intelligence: indicators of compromise (IOC), covering the domain names and IPs of C&C servers and hacker assets, malicious sample hashes and webshell features;
- Reputation intelligence: malicious IPs, botnet IPs, Tor IPs, anonymous proxies, geographic information, spam IPs, malicious mobile numbers, malicious mobile device information, scanner IPs, SQL injection IPs;
- Bot intelligence: scanners, crawlers, worms;
- Community defense intelligence: information collected by a security equipment vendor from deployed customer devices, and intelligence submitted and shared by the community.
There are also types of intelligence that are not easily machine-readable and are hard for the intelligence center to integrate, but which can be used for auxiliary analysis:
- TTP: the tactics, techniques and procedures characteristic of specific hacker groups;
- Industry situation: security news and analysis in the industry;
- Security community news.
3.3 Integration of the security intelligence center
As described in the previous section, the intelligence center needs to handle many types of intelligence, and the channels, carriers and landing points of each type differ. This diversity brings many challenges to integration, but it also leaves room to mix and match. After exploration and practice, the following findings and suggestions are offered:
- The capabilities of the security intelligence center can be decoupled into several units:
  - Collection: vulnerability and asset discovery, traffic monitoring, network security equipment log collection, host log collection and forwarding;
  - Processing and analysis: data cleaning (ETL), real-time processing and analysis, external API calls;
  - Storage: source data storage, analysis result storage (columnar database);
  - Display: modular dashboards, BI tool integration;
  - Subscription intelligence query: generally the intelligence portal provided by the intelligence vendor.
- Overall framework principle: the architecture design and construction of the intelligence center should mix vendors and solutions to avoid the limitations of a single vendor's products.
- Collection: discovery, dynamic display and quantitative support for vulnerabilities and assets are important capabilities of the intelligence center; traffic monitoring is a very important but easily overlooked component. Traffic analysis can be used to detect attack code that penetrates the NGFW and WAF and reaches computing resources, and for internal investigations such as database audit.
- Processing and analysis: the intelligence center should be lightweight, focus on delivering analysis results, and emphasize the convenience of visualization and of the analysis process.
- Storage: logs should be stored by category, weighing cost and log volume to decide which type of log belongs on which storage platform, rather than blindly storing everything in a traditional SIEM/SOC, where performance bottlenecks, the charging model and an excessive TCO leave data that cannot be analyzed. Long-term continuous storage of massive logs (such as web server access logs) is needed to trace historical events, and the processing and analysis unit should further be able to re-clean and re-analyze historical data after threat intelligence is updated. Consider positioning the SIEM as one part of log aggregation.
- Display: the report display function of the intelligence center is a key consideration; a professional BI tool should be connected to the database storing the analysis results.
3.4 Application scenarios of threat intelligence in the initial stage
Scenario 1: linking NGFW and WAF alarms with vulnerability intelligence. By correlating alarms from the NGFW (or IPS) and WAF in the intelligence center, high-risk attack sources and attacked assets are identified. If the intelligence center also holds vulnerability intelligence (especially precise vulnerability and asset information from credentialed scans), "patching" becomes targeted, with clear priorities from an organizational perspective.
Scenario 2: continuous vulnerability and attack surface operation management. Traditional vulnerability scanning and re-scanning ignore attack surface analysis, continuous follow-up, priority management and dynamic quantitative display, so security personnel often can do no more than "talk about" which assets and vulnerabilities exist. The intelligence center should continuously manage vulnerabilities and the attack surface and dynamically measure each IT responsibility group's "contribution" to vulnerability remediation.
Scenario 3: network IOC threat intelligence for real-time attack detection. Network IOCs generally refer to the domain names and IPs of hacker assets. By monitoring connections from the organization's hosts to hacker assets, hosts that have been compromised can be filtered out with high confidence. In applying IOCs, centralized collection of DNS requests and outbound IP connections is the basic skill and precondition for landing IOC intelligence.
Scenario 4: big data analysis of web and middleware access logs. Traditionally, few organizations collect and analyze web server and middleware access logs. In red and blue army exercises it was found that one of the defenders' main analysis methods is to identify the attack code that broke through the two layers of firewall and arrived at the host, search for traces and clues on the system, and then further verify, respond and trace the source.
This means that organizations need to do the basic security work well and collect web access logs for Internet-facing systems. To trace past system attacks and data leaks, logs usually need to be kept for a year or even longer, which requires a sound choice of architecture to handle continuous storage of massive logs, TCO control, and the ability to re-clean historical data when attack features are updated. In practice, the log collection method, cost-optimized storage, big-data-based data cleaning, the columnar database and the display of the integrated commercial BI tool should be decoupled, each provided by a professional solution, and finally integrated to deliver rapid detection of system attacks.
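As an added illustration of Scenario 3 (example code, not from the original article), the following Python matches constructed DNS query and outbound-connection logs against a small constructed IOC feed, handling subdomain and CIDR-range matches, and ranks internal hosts for response; the log layouts, feed fields and all addresses are assumptions.

```python
"""Scenario 3 style network IOC matching over DNS and outbound-connection logs.

All feed entries, log lines and host addresses below are constructed for this
example; the two log layouts are assumed, not any product's native format.
"""
import ipaddress
from collections import defaultdict

# Constructed IOC feed: (indicator, type, confidence 0-100, description).
IOC_FEED = [
    ("c2.example-bad.test", "domain", 90, "C&C domain (constructed)"),
    ("203.0.113.45", "ip", 85, "hacker asset IP (constructed)"),
    ("198.51.100.0/24", "cidr", 60, "suspicious hosting range (constructed)"),
]

# Constructed resolver log: "<timestamp> <client IP> <queried name>".
DNS_LOG = """\
2016-12-01T09:00:01 10.1.2.3 www.example.com
2016-12-01T09:00:05 10.1.2.3 update.c2.example-bad.test
2016-12-01T09:01:10 10.1.2.7 mail.example.com
"""

# Constructed outbound connection log from NGFW/netflow:
# "<timestamp> <source IP> <destination IP> <destination port>".
CONN_LOG = """\
2016-12-01T09:00:06 10.1.2.3 203.0.113.45 443
2016-12-01T09:02:00 10.1.2.9 198.51.100.77 8080
2016-12-01T09:03:00 10.1.2.7 93.184.216.34 443
"""


def build_index(feed):
    """Split the feed into lookup structures by indicator type."""
    domains, ips, cidrs = {}, {}, []
    for indicator, kind, confidence, desc in feed:
        if kind == "domain":
            domains[indicator.lower().rstrip(".")] = (confidence, desc)
        elif kind == "ip":
            ips[indicator] = (confidence, desc)
        elif kind == "cidr":
            cidrs.append((ipaddress.ip_network(indicator), confidence, desc))
    return domains, ips, cidrs


def match_domain(qname, domains):
    """Exact or parent-domain match: a subdomain of an IOC domain also hits.

    The loop stops before the bare TLD so that "com" never matches anything.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def match_ip(ip_str, ips, cidrs):
    """Exact IP match first, then containment in any IOC CIDR range."""
    if ip_str in ips:
        return ip_str, ips[ip_str]
    addr = ipaddress.ip_address(ip_str)
    for net, confidence, desc in cidrs:
        if addr in net:
            return str(net), (confidence, desc)
    return None


def detect(dns_log, conn_log, feed):
    """Return {internal host: [(timestamp, matched indicator, confidence, desc)]}."""
    domains, ips, cidrs = build_index(feed)
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        ts, client, qname = line.split()
        found = match_domain(qname, domains)
        if found:
            indicator, (confidence, desc) = found
            hits[client].append((ts, "dns:" + indicator, confidence, desc))
    for line in conn_log.splitlines():
        ts, src, dst, dport = line.split()
        found = match_ip(dst, ips, cidrs)
        if found:
            indicator, (confidence, desc) = found
            hits[src].append((ts, f"conn:{indicator}:{dport}", confidence, desc))
    return dict(hits)


def rank_hosts(hits):
    """Order hosts for response: best indicator confidence plus 5 per extra hit."""
    ranked = []
    for host, events in hits.items():
        best = max(confidence for _, _, confidence, _ in events)
        ranked.append((host, best + 5 * (len(events) - 1)))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    found = detect(DNS_LOG, CONN_LOG, IOC_FEED)
    for host, score in rank_hosts(found):
        print(host, score, [event[1] for event in found[host]])
```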
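As an added illustration of Scenario 4 and of the point above about re-cleaning historical access logs when attack features are updated (example code, not from the original article), the following Python scans constructed Apache-style access log lines with a versioned rule set, re-scans stored history with only the newly added rules, and singles out attack requests the host actually served; the log lines and rules are assumptions.

```python
"""Scenario 4 style analysis of web access logs, with re-cleaning of history.

The log lines are constructed Apache combined-format records and the rules are
a small illustrative feature set; both are assumptions for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access log lines: a traversal probe answered 200 reached the
# host, an injection attempt failed with 500, and two POSTs hit a script file
# under an upload directory.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Dec/2016:09:12:01 +0800] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Dec/2016:09:12:07 +0800] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Dec/2016:09:13:44 +0800] "GET /search?q=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Dec/2016:09:20:02 +0800] "POST /upload/img/x.jsp HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Dec/2016:09:20:05 +0800] "POST /upload/img/x.jsp HTTP/1.1" 200 92 "-" "Mozilla/5.0"',
]

# Apache combined log format (constructed sample follows this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Detection features are matched against "<METHOD> <decoded path>".
# Version 1 is the rule set in use when the logs were first cleaned.
RULES_V1 = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_union": re.compile(r"(?i)union\s+select"),
}
# Version 2 adds a feature learned later: a POST to a script file under an
# upload directory, the footprint of a dropped webshell being used.
RULES_V2 = dict(
    RULES_V1,
    webshell_post=re.compile(r"(?i)^POST /upload/.*\.(jsp|php|aspx?)(\?|$)"),
)


def parse(line):
    """Parse one combined-format line; returns None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # decode %27, %20 ... before matching
    rec["status"] = int(rec["status"])
    return rec


def scan(lines, rules):
    """Return [(source IP, timestamp, rule name, HTTP status)] for every match."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        subject = f"{rec['method']} {rec['path']}"
        for name, pattern in rules.items():
            if pattern.search(subject):
                hits.append((rec["ip"], rec["ts"], name, rec["status"]))
    return hits


def rescan_history(lines, old_rules, new_rules):
    """Re-clean stored history with only the rules added since the last pass,
    so a feature update does not re-run every rule over a year of logs."""
    added = {name: rx for name, rx in new_rules.items() if name not in old_rules}
    return scan(lines, added)


def suspected_compromise(hits):
    """Attack requests answered with 2xx got past NGFW and WAF and were served
    by the host: group them by source IP as candidates for verification."""
    by_ip = defaultdict(set)
    for ip, _ts, name, status in hits:
        if 200 <= status < 300:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, RULES_V1))
    print(rescan_history(SAMPLE_LOG, RULES_V1, RULES_V2))
    print(suspected_compromise(scan(SAMPLE_LOG, RULES_V2)))
```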
3.5 Evolution route for landing the intelligence center
The evolution route for landing the intelligence center depends heavily on the organization's existing IT and IT security infrastructure, such as a centralized log collection platform, traffic monitoring platform and vulnerability operation management platform, so the route is relatively flexible. The new version of the national cybersecurity classified protection (MLPS) standard has been released for public comment, and through exchanges between the industry and the standard's drafting expert group the main changes have become known. Analysis shows that the new vulnerability and risk control points of the "new classified protection", and its strengthened areas of intrusion prevention, centralized control and security incident handling, all provide national-level system support and direction for implementing the concept and practice of the intelligence center. From the perspective of building and operating the intelligence center's program group, it is suggested to advance in small version iterations, for example:
- 0.1: improve the organization's basic security construction, i.e. top-level planning of the defense front and collection of internal intelligence data;
- 1.0: establish a vulnerability operation and management mechanism, laying the foundation for vulnerability, asset and attack surface analysis;
- 2.0: use network IOCs to quickly detect compromised systems and endpoints; use Whois, domain name and IP analysis and malicious samples to trace the attacker;
- 3.0: collect network security attack alarm logs, perform correlation analysis, protect key asset groups and manage vulnerability priority;
- 4.0: collect network traffic logs, analyze attacks that penetrated the protective equipment and the resulting compromises, and analyze database access;
- 5.0: collect host web and middleware access logs and use big data technology to analyze same-day attacks that penetrated the protective equipment and the resulting compromises;
- 6.0: collect host operating system logs, process and key file hashes, and analyze signs of system attack;
- 7.0: combined with reputation intelligence, analyze scenarios such as access to specific high-value asset pages, privileged user remote access, remote office and email access; build attacker profiles; identify credential stuffing and secondary attacks using stolen account passwords;
- 8.0: combined with app device fingerprinting, use business security and risk control intelligence, such as the characteristics of "wool party" promotion abusers and malicious mobile numbers, to support the risk control and security of customer-facing systems;
- 9.0: combined with the development of endpoint detection and response (EDR) technology, analyze the behavioral characteristics of malicious programs;
- 10.0: further integrate analysis and linkage, such as linkage with external communities and the intelligence center invoking protective equipment policies.
In order to continuously "adapt" to the new and changing threat environment, improve the threat-response skills of the security operations staff, and raise the organization's awareness of attackers, attack methods and black industry behavior patterns, the red and blue army confrontation exercises that large companies at home and abroad have carried out in recent years, and which are gradually maturing, need to be put on the agenda. For reasons of length, this paper only draws on others' lessons and shares practical experience in exercise arrangement, scenarios, cooperation between red and blue, the exercise's guidance and revision of the defense system, and industry cooperation.
4.1 Red army vs. blue army
4.1.1 Red army
The red army usually refers to the security operations personnel within the organization, especially those who deal with external threats, security incidents and emergency response. One big challenge is that Party A (the client organization) generally has limited staff, and its security personnel lean toward operations and maintenance, compliance and system management; few organizations attach great importance to persistent threat confrontation and build their own response force. In practice, the company providing professional security services generally supplies technical experts and coaches, plans and arranges the exercises together with Party A's security supervisor, and in the initial exercises plays the roles of observer, responder and coach.
4.1.2 Blue army
The blue army is a team that focuses on "attacking" the organization's systems, IT infrastructure and the IT services provided by or in cooperation with the organization. In military activities the blue army (opposing force) has long existed as a special unit used to test and upgrade conventional troops so that they better adapt to actual combat. In practice, the blue army is generally composed of "white hats" registered with a third party, verified by real name, and managed, supervised and monitored while taking part in the test. Some large companies, such as Microsoft and Alibaba, have also organized their own blue armies.
4.2 Initial objectives and findings of the exercise
4.2.1 Objectives of the exercise
At the beginning of the exercises, the goals can focus on verifying the effectiveness of the equipment and tools the organization has invested in, and gradually shift to verifying and continuously cultivating soft power, such as:
- Verify the effectiveness of the NGFW and WAF and of the various detection tools, and provide professional input for equipment optimization;
- From the attacker's perspective, find entry points, hidden assets and major high-risk vulnerabilities;
- Define the scope of basic security and what to accumulate, such as log collection and traffic collection;
- Formulate IOCs and detection features for attack and compromise, and give early warning that the defensive equipment has been breached;
- Explore and mature the organization's incident management, emergency response, threat response and lead-tracing practice, and exercise the tracking and tracing capability.
4.2.2 Main findings of the drill
At the beginning of the exercises, the main findings are often confirmations of assumptions, but there are also unexpected gains, such as:
- As a "defensive" control, the "double wall combination" of NGFW and WAF is reasonable and necessary: it effectively raises the attacker's "attack cost" at the network protection layer and substantially reduces the probability that non-persistent, efficiency-seeking attackers (such as the black industry) will attack the system;
- As "predictive" controls, independently operating a multi-scanner platform, fine-grained attack surface management and continuous vulnerability management are necessary;
- "There is no airtight wall." Organizations often verify that even a top-tier "double wall combination" can be pierced, so building "continuous monitoring and analysis" to gain the ability to detect and respond to threats cannot be avoided.
[1] Verizon. 2015 Data Breach Investigations Report. 2015.
[2] Gartner. Definition: Threat Intelligence. May 2013.
[3] Gartner. Designing an Adaptive Security Architecture for Protection From Advanced Attacks. January 2016.
[4] Gartner. Top 10 Strategic Technology Trends for 2017. October 2016.
[5] Microsoft. Microsoft Enterprise Cloud Red Teaming. November 2014.