Li Xue: 30 years old, learning to start a business

Posted by harmelink at 2020-03-12

Our paths cross with Dongxun Technology all the time, but this is the first time we have met Li Xue.

Li Shufu and Li Xue, the founders of Dongxun Technology, have completely opposite personalities. Li Shufu is talkative, cheerful, gentle and quick to speak; Li Xue's voice is low and slow, and every sentence seems deliberate and steady. Such a temperament usually belongs to people with a technical background.

Unlike Li Shufu, with his varied entrepreneurial history, Li Xue had been immersed in technology before he started Dongxun Technology.

"When I came out to start my business in 2010, I thought about it very simply. I thought it would be about a dozen people, find a field to study, and then a fixed profit model."

Li Xue talks about his first venture so lightly that he doesn't seem to have thought much about anything other than technology.

It wasn't until 2012 that he really began to think about the meaning of entrepreneurship. By then, he was thirty years old.

"People often say that when we are in our thirties, we start to think about what we should do in the future and what we should rely on to make money."

From college on, Li Xue began to make money through the technology he loved.

In college, Li Xue majored in communication engineering, but he was only interested in computer technology. "My grades in computer-related courses were all good; the unrelated ones were rather bleak."

Like many technology enthusiasts, Li Xue noticed the hacker magazines popular at the time. After reading enough of them, he simply began trying to become an author himself. "What I wrote wasn't bad, so I tried contributing. It was fun."

His first contribution was accepted. At that time, a fee of tens of yuan was worth many days of food for Li Xue.

Through continued contributions, Li Xue earned thousands of yuan in fees. At the same time, the courses unrelated to computers sounded the alarm. The final result was that "there were too many failed subjects, and most of the contribution fees went to paying for retakes."

After entering the workforce, Li Xue became a penetration testing engineer, taught himself programming, and worked in R&D, testing and technical support, becoming familiar with the complete software process. From beginning to end, though, he worked at only two companies. The relatively stable working environment meant he did not have to think much about anything beyond technology.

But at thirty, questions about the future appeared in Li Xue's mind.

"After thinking it over for a long time, I finally concluded that making money and how to make it are the same question." Li Xue came to the conclusion that "the goal should not be to make money, but to achieve something in the field of security."

Perhaps influenced by the "China-US hacker war" that had led him into security, Li Xue set his goal as "helping the country discover cyber attacks from other countries": "to find evidence of the other party's organization, and then trace it to specific people."

This goal is not so grand, but the abilities and conditions it requires are not easily obtained: "there have to be products, data and services." Interestingly, the original question of "how to make money" was answered in the process: "to do this, we need to stand at a higher level and integrate various resources. When that is done, the money will come naturally."

When it comes to attacks between countries, one term cannot be avoided: APT attacks.

A few years ago, APT was a new form of attack. Those who didn't know it had no concept of it; those with a little awareness would know the cases that shocked the world, and would inevitably be confounded by the ferocity of the attacks and the complexity of their layout.

At that time, the APT attack was like a fierce beast suddenly charging out of a little-known deep mountain.

It was at that time that Dongxun Technology began researching APT attack and defense.

Nowadays, APT attacks are understood by more and more people. "Two years ago, the first thing we did when evangelizing was to introduce what an APT attack is." "We don't need that now," Li said. "Everyone knows what APT is."

At the same time, the market for APT defense has gradually opened up. "Previously, APT projects were innovative scientific research projects, rarely involving enterprise security. This year, many large industry users are considering APT in their security construction."

However, there are still some misunderstandings about APT attacks.

Similar to Jiang Haike's view that "so-called APT attacks are not real", Li Xue believes that the "advanced" in APT means only "relatively advanced attacks" rather than "high-dimensional attacks":

"The weapon-grade malicious code in the Iran case used four 0-days and two known vulnerabilities, which naturally made people feel it was very advanced. But in last year's Ukraine power grid incident, our analysis found that the attack was not led by weapon-grade code or worms. In the end, the combination of a timed destruction module with other attack means, such as tying up telephone lines to obstruct the police, was not profound, but the purpose was very strong."

As for the view that "most APT attacks begin with email phishing", Li Xue did not fully agree:

"In fact, after IPS (intrusion prevention systems) and WAF (web application firewalls) came out, the difficulty of attacking rose markedly, so attackers adjusted direction and launched attacks through spear-phishing mail. Theoretically, it is a complete attack method that supplements the earlier attack means, because APT is always a very flexible and complex tactical implementation method."

From this point of view, the real mystery of APT attacks lies not in the means of attack but in their combination and layout: the art of tactics.

Li Xue specifically mentioned Lockheed Martin's Cyber Kill Chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

"We need to be clear about how the attackers attack. In fact, we should be clear about what was done in each of these seven stages: when did it start? What did they reconnoitre? What vulnerabilities were exploited? Did the exploitation succeed? Did they penetrate in or directly implant malicious code? Was there any illegal control? What did they do?"

Once the attack process is clear, the defensive measure follows: "chain-breaking defense".

"First, vulnerabilities; second, Trojans for control, i.e. special-purpose Trojans; third, penetration techniques for attacks on the intranet. The defender needs to defend against these three key technologies in stages, using different behavior analysis methods at the endpoint, the network and the cloud. If we successfully intercept these three key technologies, we can intercept the attack. This is chain-breaking protection."

Li Xue once explained his idea in an interview:

"Based on the attack chain model, the attack chain can be cut off by corresponding monitoring and defense at different attack stages. Even if the first step is not prevented, the second step can still be intercepted."

With that, Li added, "chain-breaking is not easy to understand, so it is based on security monitoring and threat analysis of the kill chain."
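As an added illustration of the chain-breaking idea (a hypothetical model of my own, not Dongxun's code), the following Python groups sensor alerts from the endpoint, network and cloud layers by host, orders them along the seven kill-chain stages, and reports where each chain was broken, so that an intrusion missed at delivery but blocked at command and control still counts as intercepted. Hosts, sensor names and the alerts themselves are constructed sample data.

```python
"""Kill-chain stage tracking and chain-breaking evaluation (added example).

Hypothetical model, not Dongxun's own code: each sensor alert is tagged with
the Lockheed Martin kill-chain stage it evidences, the host it concerns, and
whether the sensor blocked the activity. Per host, alerts are assembled into a
chain; the chain is "broken" at the first blocked stage, and only a chain that
reaches actions-on-objectives unblocked counts as a completed attack.
"""
from collections import defaultdict
from dataclasses import dataclass

STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
RANK = {name: i for i, name in enumerate(STAGES)}


@dataclass(frozen=True)
class Alert:
    host: str
    sensor: str     # "network", "endpoint" or "cloud"
    stage: str      # one of STAGES
    blocked: bool   # whether the sensor stopped the activity


def build_chains(alerts):
    """Group alerts per host and order them along the kill chain."""
    chains = defaultdict(list)
    for a in alerts:
        if a.stage not in RANK:
            raise ValueError(f"unknown kill-chain stage: {a.stage}")
        chains[a.host].append(a)
    return {h: sorted(c, key=lambda a: RANK[a.stage]) for h, c in chains.items()}


def assess(chain):
    """Return (stages observed, stage where the chain broke or None, completed?)."""
    observed = [a.stage for a in chain]
    break_stage = next((a.stage for a in chain if a.blocked), None)
    completed = break_stage is None and "actions_on_objectives" in observed
    return observed, break_stage, completed


# Constructed alerts: host-a's delivery was missed but its C2 was blocked;
# host-b was never blocked and reached actions on objectives.
SAMPLE = [
    Alert("host-a", "network", "delivery", False),
    Alert("host-a", "endpoint", "installation", False),
    Alert("host-a", "network", "command_and_control", True),
    Alert("host-b", "network", "delivery", False),
    Alert("host-b", "endpoint", "exploitation", False),
    Alert("host-b", "endpoint", "actions_on_objectives", False),
]

if __name__ == "__main__":
    for host, chain in build_chains(SAMPLE).items():
        print(host, assess(chain))
```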

Thus came "Iron Dome" and "Mirror".

To find potential high-level attack threats in cyberspace, one needs to pick out the "signals" in the network pipeline using behavior analysis methods. Following this idea, Li Xue put forward his trump card: the "Iron Dome Advanced Persistent Threat Early Warning System".

"Iron Dome mainly protects users from various security threats when they access the Internet. At the network egress, network communication data is collected out-of-band; the communication traces of network intrusion and illegal control in that data are analyzed; all kinds of threat behaviors are identified; threat identification and tracking across the whole network are realized at the network layer; and the losses suffered by key assets are audited and located."

Media coverage at the time described the original "Iron Dome" as the first defense product against APT attacks in China.

Although "Iron Dome"'s early warning against threats in the "pipeline" was effective, Li Xue found that this was far from enough.

In the follow-up customer service process, some users called to ask why "Iron Dome" detected security problems that their anti-virus software could not find.

Li Xue found that anti-virus software at the "endpoint" level created new obstacles: "different users choose different anti-virus software, domestic and foreign, with different capabilities, and the complexity of the customer environment also leads to practical problems such as failing to update the anti-virus version in time. What's more, attackers deliberately make their malicious code evade anti-virus software."

Another situation is that there are so many infected endpoints that users cannot deal with the malicious code quickly.

"Iron Dome helps customers find from traffic that more than 400 machines have problems at one time, and it is very difficult to go through them one machine at a time; moreover, some malicious code has anti-cleanup techniques such as dual-process protection, which is equivalent to giving it an extra life, and it is difficult for anti-virus software to clean it up completely."

How to help users deal with it quickly at the "endpoint" level became a new topic for Li Xue to think about, "which requires automated means. One is to help users detect malicious code behavior; the other is to determine how to handle the problem, whether deleting files, deleting services or ending processes, and then handle it automatically."

So the product "Mirror" came about.

"Like manual judgment, first use feature scanning to find all the unknown items for comparison, then determine the problems based on threat intelligence matching, signature detection and behavior analysis, and finally issue the disposal task." Li Xue said, "this is how the 'Mirror' for endpoints came about."

Li Shufu once expressed his wish to move into the cloud in an interview. Now, according to Li Xue, this idea has been implemented:

At the beginning of this year, "Iron Dome" version 4.0 was officially released. In addition to adding a "threat perception map" and a number of detection technologies, it is also the first and only behavior analysis and judgment technology among domestic manufacturers that actually applies machine learning in a product. At the same time, the new version also supports associated queries against cloud threat intelligence, combining the capabilities of the cloud-based Dongxun threat intelligence platform, so that massive cloud threat intelligence based on TTPs and on information about hacker organizations, including non-machine-readable information, can be queried in further detail.

"At present, we are building a TIP (threat intelligence platform) in the cloud, which gathers users' internal threat clues and external Internet intelligence data. On the one hand, it helps discover potential security threats through association analysis and other mining; on the other hand, it can build a portrait of the attacker and use homology analysis and other methods to complete traceability."

"Of course, considering China's national conditions, this TIP platform fully supports private deployment," Li Xue said with a smile.

From "Iron Dome" to "Mirror" to threat intelligence, defense at the three levels of cloud, pipeline and endpoint has been gradually launched, and the pattern of Dongxun Technology has gradually taken shape.

To this day, Dongxun keeps changing, and Li Xue is also experiencing change.

Referring to his idea at thirty, Li Xue talked about a cartoon of "how to draw a horse" on Weibo. "The first steps are drawing circles and straight lines. At the last step, you find that a lot of details need to be added. The real implementation plan is never as simple as the first thought; not only is the slope very steep, but there are also pits, traps and detours."

"The goal has not been achieved yet," Li Xue said, "but I am basically following the pace of my ideal."

Moving from pure technology to the overall picture, Li Xue encountered many problems.

"Business problems, management problems, organizational skills, and so on: we lack experience in all of them. Mr. Li and I are always racking our brains to solve them." When things were difficult, he encouraged himself with Mao Zedong's experience: "Chairman Mao encountered no fewer contradictions than I do now, but he still did his best to achieve the goal. Compared with his goal, mine is much smaller."

Without noticing, both Li Xue and Li Shufu have been branded as entrepreneurs. Company employees often see the two sharing technical articles late at night and appearing in the office on weekends. "Since starting the company, our concepts of going to work and getting off work have become very vague."

Like all entrepreneurs, the two have conflicts between their ideas: "it is unrealistic to get things done without conflict." But this does not hurt the relationship: "one second in the product planning meeting, the next second over drinks."

"In fact, I've been trying to keep up with Mr. Li." Li Xue said, "Mr. Li is older than me and has invested more than I have. I still have a gap to close with him."

Inevitably, Li Xue must also balance work and family: his daughter is just three years old, but he has to devote more energy to his career, and his family inevitably does not always understand. "I have also done a lot of persuading and explaining. I've done my best in this area," Li Xue told us.

It has been seven years since Li Xue started his business. The temperament of a technician is still distinct, and the road of entrepreneurship has not been smooth.

But there is no doubt that he has learned how to become a good entrepreneur, and his vision at thirty is moving toward reality step by step.
