Generally, a full attack and defense drill divides into three stages, and each stage into an early half and a late half. In each stage the key indicators behave differently. In a large-scale live attack and defense drill, the current stage can be judged from changes in the key security-event indicators, and countermeasures taken accordingly.
1. Physical warfare
The first stage produces relatively many security incidents, and scanning and tool-testing alerts make up a high proportion of them: the attack team is continuously probing for attack paths. In the later half of the first stage the number of scanning events falls while vulnerability-exploitation and file-upload incidents rise: the attack team has found some viable paths and keeps launching exploratory attacks along them. The tactical focus at this stage is to rely on the defenders to resist the external attacker: detect attacks through monitoring and respond defensively to each repeated attempt by the attack team. Because this stage depends mainly on the monitoring staff spotting attacks and the response staff continuously blocking the attack sources, it is called "physical warfare".
2. Psychological warfare
The second stage begins when the attack team breaks through the perimeter and enters the intranet. In the early half of the second stage, host-scanning events rise. Having found a path, the attack team launches intense attacks on the target hosts, which then generate large numbers of alerts; the defense team must pay close attention to host alerts and analyze each one promptly and accurately. As long as intrusions are found and handled in time, repeatedly interrupting and evicting the attackers, the attack team's confidence suffers greatly. The longer the drill runs, the more hidden attack sources the attack team has planted, and the greater the psychological blow when each of them is removed. At the end of the second stage, host-scanning events drop, but operating-system and vulnerability security incidents rise. The defense team needs to ensure that every alert is handled promptly and effectively. The psychological confrontation between the two teams is most evident at this stage, and the tactical focus is eliminating internal footholds, hence "psychological warfare".
3. The hard fight
In the first half of the third stage, scanning, vulnerability-exploitation and upload events all rise at the same time. As the confrontation reaches its hottest point, more attack resources are concentrated into the final stage. The pressure on the defense team also peaks here: it must not only triage the surge of alert information in time, but more importantly identify and judge the real attack events, since any delayed or mistaken handling has a huge impact. At the end of the third stage, host-scanning events rise again; both sides fight it out here on technique and on endurance, and neither gives up until the last moment. The tactical focus of the third stage is strict prevention and defense, hence "the hard fight".
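To make the stage indicators above operational, here is an added example (not code from the article or from InfoQ) that encodes them as a forward-only state machine over per-window alert counts: the drill can only move ahead, and it advances when the counts of the relevant categories rise or fall versus the previous window. The alert category names, the key=value export format, the 20% change threshold and the sample counts are all assumptions constructed for this example.

```python
"""Infer the current phase of an attack and defense drill from alert counts.

Added example, not from the original article. The category names (scan,
exploit, upload, host_scan, os_vuln), the "<window> key=count ..." export
format and the 20% change threshold are assumptions for this example.
"""
import re
from typing import Dict, List, Tuple

# The six phases in drill order: early and late halves of stages one to three.
PHASES = ["1-early", "1-late", "2-early", "2-late", "3-early", "3-late"]

# Tactical focus per stage, as described in the article.
FOCUS = {
    "1": "resist at the perimeter: monitor, then block attack sources",
    "2": "eliminate internal footholds: triage every host alert promptly",
    "3": "strict prevention and defense: pick real attacks out of the alert surge",
}

# Assumption: a count must change by more than this fraction to count as
# rising or falling, so small fluctuations do not trigger a phase change.
TOLERANCE = 0.2

# Constructed sample: one line per time window, as a SIEM might export hourly
# aggregates (assumed format). The counts follow the article's indicator pattern.
SAMPLE_LOG = """
2022-07-04T08 scan=120 exploit=4 upload=1 host_scan=0 os_vuln=0
2022-07-04T09 scan=130 exploit=6 upload=2 host_scan=0 os_vuln=0
2022-07-04T10 scan=70 exploit=25 upload=9 host_scan=0 os_vuln=1
2022-07-04T11 scan=60 exploit=20 upload=8 host_scan=40 os_vuln=3
2022-07-04T12 scan=55 exploit=18 upload=6 host_scan=15 os_vuln=30
2022-07-04T13 scan=140 exploit=50 upload=20 host_scan=10 os_vuln=28
2022-07-04T14 scan=150 exploit=55 upload=22 host_scan=60 os_vuln=35
"""

Window = Tuple[str, Dict[str, int]]
PAIR_RE = re.compile(r"(\w+)=(\d+)")


def parse_windows(text: str) -> List[Window]:
    """Parse the export into (window label, {category: count}) pairs."""
    windows: List[Window] = []
    for raw in text.strip().splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        label, rest = parts
        windows.append((label, {k: int(v) for k, v in PAIR_RE.findall(rest)}))
    return windows


def rising(prev: int, cur: int) -> bool:
    """True when cur exceeds prev by more than TOLERANCE (0 -> positive counts)."""
    return cur > prev * (1 + TOLERANCE)


def falling(prev: int, cur: int) -> bool:
    """True when cur is below prev by more than TOLERANCE (never true from 0)."""
    return cur < prev * (1 - TOLERANCE)


def next_phase(phase: str, prev: Dict[str, int], cur: Dict[str, int]) -> str:
    """Advance one phase if this window shows the change the article describes."""
    if phase == "1-early":
        # Perimeter scanning drops while exploitation and upload attempts rise.
        if falling(prev["scan"], cur["scan"]) and rising(
            prev["exploit"] + prev["upload"], cur["exploit"] + cur["upload"]
        ):
            return "1-late"
    elif phase == "1-late":
        # Internal host scanning appears: the perimeter has been breached.
        if rising(prev["host_scan"], cur["host_scan"]):
            return "2-early"
    elif phase == "2-early":
        # Host scanning drops while OS and vulnerability events on hosts rise.
        if falling(prev["host_scan"], cur["host_scan"]) and rising(prev["os_vuln"], cur["os_vuln"]):
            return "2-late"
    elif phase == "2-late":
        # Scanning, exploitation and upload all rise together: the final push.
        if all(rising(prev[k], cur[k]) for k in ("scan", "exploit", "upload")):
            return "3-early"
    elif phase == "3-early":
        # Host scanning rises again at the very end.
        if rising(prev["host_scan"], cur["host_scan"]):
            return "3-late"
    return phase  # no qualifying change: stay in the current phase


def phase_sequence(windows: List[Window]) -> List[Tuple[str, str]]:
    """Label every window with its inferred phase; the drill starts in 1-early."""
    labelled: List[Tuple[str, str]] = []
    phase = PHASES[0]
    for i, (label, counts) in enumerate(windows):
        if i > 0:
            phase = next_phase(phase, windows[i - 1][1], counts)
        labelled.append((label, phase))
    return labelled


def focus_for(phase: str) -> str:
    """Return the defensive focus of the stage a phase belongs to."""
    return FOCUS[phase.split("-")[0]]


if __name__ == "__main__":
    for label, phase in phase_sequence(parse_windows(SAMPLE_LOG)):
        print(f"{label}  {phase:8s}  {focus_for(phase)}")
```

The state machine is deliberately forward-only: host scanning rises both at the start of stage two and at the end of stage three, so the same indicator means different things depending on where the drill already is. In a real deployment the tolerance and the window size would be tuned to the organization's baseline alert volume, and a phase change would be confirmed by an analyst rather than acted on automatically.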
In defense, the overall defensive rhythm should also be controlled based on changes in the data. Through timely optimization and adjustment, try to hold the attack team in the first stage: generally, the longer the first stage is prolonged, the lower the pressure on the defense team and the better the result. The early half of the second stage and the late half of the third stage are the key defensive periods and the key to a good result; if the deployment for these two periods is clear, the effect and results of the whole exercise improve greatly.
Original site copyright notice
This article was created by [InfoQ]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/185/202207042205159653.html