Annex III: scoring standard of the defender docx
2022-07-04 04:53:00 【Planet Guardian】
I. Bonus points
1. The defender's deduction is the total score of the results that all attack teams obtained against the defender.
2. The defender's bonus points consist of a basic score and additional points.
3. The basic score is the total accumulated by scoring, one by one, the result reports submitted by the defender. Each report covers one attack event and is scored on six aspects: monitoring and discovery, analysis and judgment, emergency response, alert and notification, collaborative linkage, and trace back. The formula per report is: points deducted for this attack × actual score of each scoring point (as a percentage) × 80%. Note: the upper limit of the basic score is 80% of the attacker's winning score.
4. Each report submitted by the defender covers one attack event. Only security events within the scope of the exercise (i.e. recognized results of the attacker) are scored, and the same event may not appear in multiple reports.
5. The upper limit of additional points is 3000 points; all defending units may submit.
6. The defender may submit at most 50 reports.
7. A report should be logically coherent, with a written description and supporting evidence such as logs and screenshots of device interfaces.
8. The "protection value" formula designed for this exercise:
(1) When the defender has been deducted points: Protection value = (basic score ÷ deduction + additional points ÷ 3000 × 0.2) × 10000;
(2) When the defender has not been deducted points: Protection value = (0.8 + additional points ÷ 3000 × 0.2) × 10000
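The scoring rules above as a small calculator, added here as a worked example (it is not part of the original document or any organiser tooling). The aspect weights, the 80% ratio, the 3000-point cap on additional points and the 50-report limit come from the page; the report data, the `Report` type and the assumption that judges supply each aspect's achieved share as a fraction between 0 and 1 are mine.

```python
"""Defender scoring calculator following the rules on this page.
Added example; weights, caps and limits are from the page, the
report data below is constructed, and the per-aspect fraction
(0..1) supplied by the judges is an assumption of this example."""
from dataclasses import dataclass

# Weight (in percent) of each of the six scoring aspects, from the scoring table.
ASPECT_WEIGHTS = {
    "monitoring": 25, "analysis": 15, "emergency": 25,
    "alert": 15, "collaboration": 10, "traceback": 10,
}
BASIC_RATIO = 0.8       # basic score is at most 80% of the deduction
ADDITIONAL_CAP = 3000   # upper limit of additional points
MAX_REPORTS = 50        # maximum number of reports a defender may submit


@dataclass
class Report:
    event_id: str        # one report per in-scope attack event
    deduction: int       # points the attacker scored on this event
    achieved: dict       # aspect name -> fraction of that aspect earned (0..1)

    def score(self) -> float:
        """Per-report formula: deduction x aspect percentage x 80%."""
        pct = sum(ASPECT_WEIGHTS[a] * min(max(f, 0.0), 1.0)
                  for a, f in self.achieved.items())
        return self.deduction * (pct / 100.0) * BASIC_RATIO


def basic_score(reports, total_deduction):
    """Sum of report scores: a repeated event is rejected, at most
    MAX_REPORTS count, and the total is capped at 80% of the deduction."""
    seen, raw = set(), 0.0
    for r in reports:
        if r.event_id in seen or len(seen) >= MAX_REPORTS:
            continue
        seen.add(r.event_id)
        raw += r.score()
    return min(raw, total_deduction * BASIC_RATIO)


def protection_value(reports, total_deduction, additional_points):
    """Two-case protection value formula; 10000 is the maximum."""
    extra = min(additional_points, ADDITIONAL_CAP) / ADDITIONAL_CAP * 0.2
    if total_deduction == 0:
        return (BASIC_RATIO + extra) * 10000
    base = basic_score(reports, total_deduction) / total_deduction
    return (base + extra) * 10000


# Constructed sample: two in-scope events, one of them filed twice by mistake.
SAMPLE = [
    Report("evt-1", 500, {"monitoring": 1, "analysis": 1, "emergency": 0.5, "alert": 1}),
    Report("evt-2", 500, dict.fromkeys(ASPECT_WEIGHTS, 1)),
    Report("evt-2", 500, dict.fromkeys(ASPECT_WEIGHTS, 1)),  # duplicate event, ignored
]

if __name__ == "__main__":
    print(round(protection_value(SAMPLE, 1000, 1500), 2))  # 7700.0
```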
Serial number | Scoring aspect | Specific scoring point | Specific evaluation indicators
---|---|---|---
1 | Monitoring and discovery (25%) | Timeliness (proved by the defender, 5%) | Submit the attack time, discovery time, etc.
2 | Monitoring and discovery (25%) | Tools or means used (3%) | Submit the tools or means by which the finding was made, including but not limited to security equipment, situational awareness platforms, traffic analysis, etc.
3 | Monitoring and discovery (25%) | Coverage (total coverage calculated at the end, 9%) | Attacking IPs found by the defender (fill in the attacking IP address, URL and the name of the attacked unit), as a share of the total IPs controlled by each attack team
4 | Monitoring and discovery (25%) | Effectiveness (whether the attacker's effective attack means were discovered, 8%) | The 18 effective attack means of attackers: ① Internet-side information collection; ② collection of sensitive information on "key persons"; ③ supply chain information collection; ④ application-layer vulnerability exploitation; ⑤ system-level vulnerability exploitation; ⑥ phishing attacks; ⑦ social engineering deception attacks; ⑧ weak password attacks; ⑨ website Trojan attacks; ⑩ kernel/memory Trojan attacks; ⑪ wireless network attacks; ⑫ physical contact attacks; ⑬ privilege escalation; ⑭ authorization and authentication mechanism bypass; ⑮ building covert channels; ⑯ collection and use of sensitive information on the intranet; ⑰ supply chain attacks; ⑱ memory password extraction
5 | Analysis and judgment (15%) | Identify the involved unit and related units (3%) | Determine the scope of assets involved in the event, the unit the assets belong to, the operating unit, etc.
6 | Analysis and judgment (15%) | Identify the main responsible person and related responsible persons (3%) | Determine the main person responsible for the event, the person directly responsible, other specific responsible personnel and their respective responsibilities
7 | Analysis and judgment (15%) | Clarify the nature of the event and the measures to be taken (3%) | Determine the nature of the event and the appropriate disposal plan according to the involved unit's network security classification and management measures and its emergency disposal plan
8 | Analysis and judgment (15%) | Assess the impact scope of the attack (3%) | Determine the impact of the attack event on business continuity, stability and data security, and define the scope of the impact
9 | Analysis and judgment (15%) | Tools or means used in analysis and judgment (3%) | Tools or means used during analysis and judgment, e.g. log extraction tools, correlation analysis tools and methods, information extraction tools and methods, and their specific roles
10 | Emergency response (25%) | Ability to contain the attack (9%) | Block the effective attack source (such as IP, physical interface, service, etc.) (6%); methods and effect of handling social engineering attacks (how they were handled) (3%)
11 | Emergency response (25%) | Ability to eradicate the attack (8%) | Vulnerability location and repair capability (locate the vulnerability and fix it quickly, measured in hours) (4%); removal or handling of attack tools, abnormal accounts and other attack vectors (4%)
12 | Emergency response (25%) | Resilience (8%) | 
13 | Alert and notification (15%) | Accuracy (5%) | Whether the time, scope, hazards and countermeasures of the event are described in detail and accurately in text and chart form
14 | Alert and notification (15%) | Reach (5%) | Whether the notification and early warning information was transmitted in time to the front-line operational department and the specific responsible person
15 | Alert and notification (15%) | Effectiveness (5%) | Whether, after receiving the notification, the relevant parties carried out hidden-danger elimination for the event
16 | Collaborative linkage (10%) | Linkage between departments within the unit (2%) | The linkage mechanism, division of responsibilities and actual results of the unit's security department, business department, management department and other relevant departments while handling the event
17 | Collaborative linkage (10%) | Linkage between units within the industry (3%) | The linkage mechanism, division of responsibilities and actual results of the relevant units within the industry while handling the event
18 | Collaborative linkage (10%) | Linkage with public security organs and competent authorities (3%) | The linkage mechanism, linkage defense system, linkage efficiency and actual effect with the local public security organ and competent authorities in response to the event
19 | Collaborative linkage (10%) | Linkage with subordinate units (2%) | The linkage mechanism, division of responsibilities and actual results between the involved unit and its subordinate units while handling the event
20 | Trace back (10%) | Trace to the equipment information of the on-site attack team (4%) | Scored as appropriate according to the path length and the completeness and complexity of the path reconstruction
21 | Trace back (10%) | Trace to the equipment information of the off-site attack team (2%) | Scored as appropriate according to the path length and the completeness and complexity of the path reconstruction
22 | Trace back (10%) | Trace to the virtual identity of an attack team member (2%) | Scored as appropriate according to the path length and the completeness and complexity of the path reconstruction
23 | Trace back (10%) | Trace to the attacking host or attack control host (2%) | Scored as appropriate according to the reliability of the attacking or controlling host, the path length, and the completeness and complexity of the path reconstruction
Additional | Additional items | Discovery and disposal of zero-day vulnerabilities (cap 1500 points) | A zero-day vulnerability attack event was found during the exercise (submit a description of the vulnerability principle and characteristics, the exploitation method, etc., together with a PoC program), and the disposal and countermeasures were timely and effective
Additional | Additional items | Report clues of illegal attacks involving this unit (during the exercise but outside its scope) and profile the attacker (cap 1500 points) | For example Trojans, backdoors, logic bombs, etc.; try to profile the attacker, submitting the attacker's organizational or personal attributes, attack tools used, attack infrastructure owned, network activity patterns, attack tactics and characteristics
II. Deduction rules
(1) Abnormal defense
Serial number | Type | Deduction rules | Remarks
---|---|---|---
1 | The defender is found to apply abnormal defense to any system, including blocking whole C-class (/24) ranges, taking the website offline, or replacing the website homepage with a static image, and conclusive evidence is submitted | 10 points deducted per 30 minutes; if not rectified within 5 hours, 20 points deducted per 30 minutes | The command center runs a dedicated system: the attack team submits clue evidence of the defender's abnormal defense, the system verifies it and notifies the defender, and 2 hours of disposal time are given; after 2 hours, points are deducted continuously (the "drip" deduction method) until the defender corrects the behavior
(2) System or network controlled: when the attacker obtains system permissions or breaks through the network boundary, the defender is deducted points accordingly
1. Permissions captured
Serial number | Type | Deduction rules | Remarks
---|---|---|---
2 | Obtain control of a participating unit's domain name | First-level domain 100 points, second-level domain 50 points | Results with a particularly significant impact are evaluated by the command center
3 | Obtain PC terminal or mobile terminal permissions (mobile phone, pad) | PC terminal 20 points, mobile terminal 50 points | PC terminal means system or root privileges
4 | Obtain mailbox permissions | Email account password: 20 points | An account of the attacked party that was successfully cracked by password guessing is deducted only once
4 | Obtain mailbox permissions | System administrator privileges: 500-1000 points | Particularly important cases are judged and scored by the command center
5 | Obtain office automation system permissions | 200-500 points | Administrator permissions of the unit's self-built, in-use OA, IM, project management, finance and other systems
6 | Obtain identity and account management platform permissions (SSO, 4A) | System management permission 300 points, each logged-in system 100 points | Particularly important cases are judged and scored by the command center
7 | Obtain domain controller permissions | Administrator rights 200 points, controllable servers in the domain 10 points each | Particularly important cases are judged and scored by the command center
8 | Obtain bastion host or O&M host permissions | Administrator rights 200 points, managed servers 10 points each | Particularly important cases are judged and scored by the command center
9 | Obtain control of the cloud management platform | Administrator rights 200 points, cloud hosts 10 points each | Particularly important cases are judged and scored by the command center
10 | Obtain big data system permissions | / | Scored according to the amount and importance of the data; particularly important cases are judged and scored by the command center
11 | Obtain a database connection account and password (including via SQL injection) | Normal user rights 50 points, administrator rights 100 points | The same permission level on the same system (including administrator) is deducted only once
12 | Obtain network device permissions | Deducted by tracing back from the final result, e.g. 300 points for a device in the same network segment as the core target. For routers: small 50 points, medium 150 points, large 300 points | Including firewalls, routers, switches, network gates, optical gates, data ferry devices, VPN, etc.; particularly important cases are judged and scored by the command center
13 | Obtain industrial Internet system permissions | / | Including Internet of vehicles, intelligent manufacturing, remote diagnosis, intelligent transportation, etc.; judged and scored by the command center according to the importance of the system
14 | Obtain the IoT device management and control platform | IoT platform with control functions 200 points, plus 5 points per connected device on the platform | Particularly important results are deducted after study and judgment by the command center
15 | Obtain security device permissions | Normal user rights 50 points, administrator rights 200 points | Including control permissions of IDS, audit equipment, WAF and other security equipment (including the management backend of a distributed deployment); particularly important cases are judged and scored by the command center
16 | Obtain general web application, FTP and other application permissions | Normal user rights 50 points, system administrator privileges 100 points | The same permission level on the same system (including administrator) is deducted only once. If server host permissions are captured at the same time, only one deduction is made
17 | Obtain server host permissions (including webshell access) | Normal user rights 50 points, administrator rights 100 points | Not stacked with other deductions; particularly important cases are judged and scored by the command center
18 | Obtain permissions on other important business systems, production systems, data systems, etc. | / | Scored by the command center according to the exercise target systems
19 | Obtain permissions on other systems, servers, equipment, etc. | / | Scored after verification and approval by the command center
2. Network boundary broken
Serial number | Type | Deduction rules | Remarks
---|---|---|---
20 | The attacker enters a logically isolated business intranet | -1000 points | /
21 | The attacker enters a logically strongly isolated business intranet | -2000 points | /
22 | The attacker enters the core production network (such as a railway dispatching network, bank core accounting network, power production control area, operator signaling network, energy production IoT, etc.) | -5000 points | 
23 | Other situations | / | /
3. Target system controlled
Serial number | Type | Deduction rules | Remarks
---|---|---|---
24 | Internet area | -5000 points | If permissions on other important business systems in the Internet area, outside the target system, are captured and this can affect the operation of major businesses across the whole industry or a region, it is treated as a loss of the target system, with a maximum deduction of 4000 points
Download link
https://download.csdn.net/download/qq_41901122/85865296?spm=1001.2014.3001.5503
Excerpt
Someone asked: "How did you get through your low point?"
A highly upvoted reply: "Hold fast against the assault, cast a long line, and catch the big fish."
Short-sighted people often lose heart and achieve nothing, while people with long-term vision are always ambitious and take the road step by step.
Going uphill is hard and easily exhausting, but it lets you see the most beautiful scenery.
There is no gap in the world that cannot be crossed and no obstacle that cannot be broken; a wide heart makes a wide road, and long things should be seen from afar.
Long-term optimists not only accept their own imperfections but are also not discouraged by local failures.
On the way to success, they know that as long as the green mountains remain there is no fear of running out of firewood.
Take the long view, and life can suddenly open up and spread its fragrance.
I like a saying very much: a snake grows by shedding its skin, gold is panned out of gravel, a massage is the comfort after the pain, and spring is the prosperity that comes through winter.
Growing up, dangerous shoals and reefs are everywhere, and we will inevitably experience the darkest moments of life. But life is also like a pot: when you are at the bottom, whichever way you go is up.
When frustrated, don't complain; focus on solving the problem and you will always break through the fog;
When down, don't fear failure; life can get better;
When frustrated, don't lose heart; with an optimistic attitude and an eye on the future, we can finally reach the top.
Don't panic: those gloomy times will eventually turn into the light that illuminates your way ahead.
From "Have an optimistic and long-term vision"