当前位置：网站首页>The first part of the construction of the defense system of attack and defense exercise is the introduction and the four stages of Defense

The first part of the construction of the defense system of attack and defense exercise is the introduction and the four stages of Defense

2022-06-27 07:24:00 【Planet Guardian】

List of articles

0x01 What is the red team

The red team is generally based on the existing network security protection system of the participating units , stay The defense team formed during the actual attack and defense drill .
Red team Main work Including before the drill security check 、 Rectification and reinforcement , During the exercise Network security monitoring 、 early warning 、 branch Analysis 、 verification 、 Management , later stage Review and summarize the deficiencies in the existing protection work , by Provide optimization basis for subsequent normalized network security protection measures .
During actual attack and defense exercises , The red team usually works on the basis of daily safety operation and maintenance , Further strengthen safety protection measures with practical thinking , Include Improve the management organization specification 、 Expand the scope of threat monitoring 、 Improve monitoring and protection means 、 Increase the frequency of safety analysis 、 Improve the speed of emergency response 、 Enhance the ability of traceability and countermeasures 、 Establish a mechanism for information collection and utilization etc. , Improve the overall defensive ability .
One thing to note is that ： The red team is not only operated by the target system in the actual combat exercise The business unit shall undertake independently , But by the Target system operation unit 、 Attack and defense experts 、 Ann All manufacturers 、 Software developers 、 Network operation and maintenance team 、 Cloud provider And so on Guard the team .
The roles and division of labor of each team forming the red team in the exercise are as follows .

The team	duty
Target system operation unit	Be responsible for the overall command of the red team 、 Organize and coordinate .
Security operations team	Be responsible for overall protection and attack monitoring .
Attack and defense experts	Be responsible for analyzing, studying and judging suspicious attacks found in security monitoring , Guide the safety operation team 、 Software developers and other relevant departments carry out vulnerability rectification Column work .
Safety manufacturer	Be responsible for the availability of their own products 、 Reliability and protection monitoring policy Whether the adjustment is reasonable .
Software developers	Be responsible for the safety reinforcement of its own system 、 Monitor and cooperate with attack and defense specialists The home shall rectify the safety problems found .
Network operation and maintenance team	Be responsible for cooperating with security experts on network architecture security 、 Export only Volume optimization 、 network monitoring 、 Traceability and other work .
Cloud provider ( if there be )	Be responsible for the security reinforcement of its own cloud system , And to the cloud Monitor the security of the system on the , At the same time, assist the attack and defense experts to solve the problems found Rectification .
other	In some cases, there will be other members , It depends on the situation Specific assignments .

A special emphasis on , As a red team , Know your opponent ( Blue team ) The situation is very important , As the saying goes, only by knowing your opponent can you know your friend , From the attacker's point of view , Understand the attacker's thinking and play , Understand the attacker's thinking , Combined with the actual network environment of the unit 、 operation management situation , Formulate corresponding technical defense and response mechanisms , To fight for in the defense process To more initiative .

0x02 The evolution trend of the red team

Timeline	evolution
2016 Years and 2017 year	Driven by the regulatory authorities , Part of the units began to Take part in the actual attack and defense drill organized by the supervision unit , At this stage, all units are mainly engaged in Take part in the drill for the defender .
2018 Years and 2019 year	The actual attack and defense exercises are no matter Is the number of participating units in a single drill 、 Number of attack teams , Or both sides of the offensive and defensive Technical capability and other aspects have been rapidly enhanced . The actual attack and defense exercise has become a recognized test It is an important means of network security construction level and security protection capability of all units , All units also From the previous simple participation in the exercise organized by the supervision unit , Gradually evolved into `Self organizing Department drill` or `Jointly organize industrial exercises .`
2020 year	With the constant confrontation and Honing , Both offensive and defensive sides have made rapid development and progress in the competition , Forced to attack The pressure brought by the rapid development of the strike team's skills and tactics , The defense has also changed a lot .

One 、 Defensive focus expanded

2020 The actual attack and defense exercise before , Mainly

The aim is to capture the target system mark , To find the defensive team's safety construction and defensive weakness , Improve the safety awareness of all units Purpose
The main score of the attack team is to win the key centralization in the target system and path System 、 Server and other permissions , Non target systems score very little .
therefore , The defense of the defensive team Focus on the target system and related path assets .

For most units that have participated in actual combat attack and defense exercises , For their own safety The whole problem and weakness have been fully understood , Have also been carried out Safety construction rectification work . For these units , What is urgently needed is through Actual attack and defense drill inspection More important systems Security , Discover more comprehensive security risks .

therefore , 2020 Year begins , When organizing offensive and defensive exercises , Will be gradually reduced during the exercise The weight of the target system , Encourage attacks on more units 、 System , Find more problems and risks . Again , The defensive focus of the defensive team is mainly from the target system , Expand to All important business systems 、 All important equipment and assets 、 All related parent-child documents position .

Two 、 Continue to strengthen monitoring and protection measures

With the rapid development of attack and Defense Technology in recent years , Various attacks in actual attack and defense exercises Means emerge in endlessly 、 Playful tricks , All units felt the attack team during the exercise The serious threat and the great pressure of defense , The monitoring and protection system of the defense team Facing a huge challenge . The defensive team can really play an important role in the offensive and defensive confrontation Safety products are flocking to , Invest a lot of money in purchasing and deploying .

2018-2019 year , In addition to traditional products , Full flow threat monitoring products are available in Proved himself in the offensive and defensive confrontation , Won the favor of all units
2020 year , Host threat detection 、 Products and services such as honeypots and threat intelligence have matured rapidly and are being exercised The ability to monitor and protect against mainstream attacks is demonstrated in , The defense team began a large-scale division Use .
besides , Phishing attack 、 Supply chain attack No effective protection product , However, with the rapid grinding in actual combat , The corresponding products will also mature and expand rapidly Extensive use .

3、 ... and 、 Passive defense to frontal confrontation

To say change , 2020 The biggest change of the defensive team in should be from Passively beaten Quickly change to Frontal confrontation 、 Choose an opportunity to counter .

2020 Years ago , Most of the defensive teams in the exercise Now after the attack, it is basically The blockade IP、 Offline system 、 Fix vulnerability , Then wait The next attack . The enemy is in the dark 、 I'm in Ming , Can only be beaten passively .
2020 Year begins , Big A large number of defensive teams have strengthened Traceability and counteraction capability , A head-on confrontation with the attack team , Also achieved a lot of results .
Have the ability to confront head-on , We need to focus on the following aspects :

Ability	Introduce
Respond quickly	In actual combat, we should pay attention to the speed of troops , When an attack is found , Only the most `Quickly confirm` attacks 、 Locate the victim host 、 Take measures to deal with , To be effective Stop the attack , And buy time for tracing and counteracting in the next step .
Accurately trace the source	As the saying goes, know yourself, know the enemy, win every battle , To face the attack team resist , First of all, find `The position of the attack team` , And find a way to get enough information about the attack team , To have `pertinence` To formulate countermeasures and launch counterattack .
Precise reaction	Counterattack is actually an attack launched by the defensive team . The defensive team is accurate On the basis of traceability , It requires an experienced attacker to `Effective and accurate implementation of countermeasures` . Of course , Some units will use honeypots and other products to bury traps , Waiting to attack After the team jumped in , Use the Trojan horse in the trap to quickly capture the attack team system .

0x03 The four stages of defense

Protection work in actual combat environment , Whether in the face of normal network attacks blow , Or in the face of organized 、 Large scale advanced attack , For protective units , It is a direct challenge to its network security defense system .
In a real combat environment , The red team needs According to Prepare for war 、 Face the war 、 actual combat and After the war Four stages to carry out safety protection work .

One 、 Preparation stage —— No war without preparation

Before the actual attack and defense work starts , First of all, you should fully understand your own security Protection status and existing deficiencies , From managing the organizational structure 、 Technical protection measures 、 Safety assessment can be carried out in all aspects such as safety operation and maintenance disposal , Determine their own safety protection ability and work The degree of tacit understanding between the writers , Provide capability support for follow-up work . This is the stage of war preparation Main work

In the actual attack and defense environment , We often face technology 、 Management and operation There are many limitations .

Limit	Introduce
Technical aspects	Weak basic ability 、 Improper security policies and security measures Imperfect 、 Improper product deployment location 、 There is a problem with the safety of the protective products 、 Monitoring hand Not familiar with 、 Problems such as single monitoring means are common ;
Management	The system is missing , lack of clear-cut job responsibility , Problems such as imperfect emergency response mechanism are also common ;
Operation	information Production carding is not clear 、 Do not understand the business architecture 、 Incomplete rectification of loopholes 、 Safety monitoring is divided into Problems such as insufficient analysis and disposal capacity can be seen everywhere .

These deficiencies often lead to the overall prevention of There is a short board in the protection capacity , Monitoring of security incidents 、 early warning 、 Inefficient analysis and disposal Next .

In view of the above situation , The red team before the drill , It needs to be carried out from the following aspects Preparation and improvement .

improvement	Method
Technical aspects	In order to discover potential safety hazards and weak links in time , It is necessary to carry out targeted self - Inspection work , And carry out safety rectification and reinforcement , The content includes the sorting of system assets 、 Application Group Piece carding 、 Interaction protocol 、 Safety baseline check 、 Network security policy check 、 Web Safety inspection 、 Critical network security risk check 、 Sort out and improve safety measures 、 Open Intelligence gathering 、 Improvement and drill of emergency plan, etc . In order to test the effectiveness of monitoring measures , The safety of the safety product itself also needs to be 、 Deployment location 、 Coverage assessment ; In order to find problems faster , Try to deploy all Traffic threat monitoring 、 Network analysis system 、 Honeypot 、 Host monitoring and other safety protection equipment , Improve the effectiveness of monitoring 、 timeliness 、 accuracy ; The monitoring personnel shall also be responsible for the safety Master the product 、 Optimize safety product rules .
Management	First, establish a reasonable security organization structure , Clear job responsibilities , Establish specific Working groups , At the same time, combined with the responsibilities and contents of the working group , Work out work plans in a targeted way Make a plan 、 Technical solution 、 Cooperation mechanism and work content of relevant parties , Responsibility to person 、 bright In place , Control the progress and quality according to the work implementation plan , Ensure management work Put it in place , Effective implementation of technical work . Second, establish an effective work communication mechanism , Through a secure and trusted instant messenger To establish a command group for actual combat work , Issue work notice in time , Share information and data , 了 Understand the working conditions , Fast 、 Effective work communication and information transmission .
Operation	Establish a protection working group and clarify the work responsibilities , Responsibility to person , Carry out and implement technical Surgical examination 、 Rectification and safety monitoring 、 early warning 、 analysis 、 Operational work such as verification and disposal , Strengthen the ability of safety technology protection . Improve safety monitoring 、 Early warning and analysis measures , enhance Diversified monitoring methods , Establish a complete emergency response organization for safety incidents and a landing site Process mechanism , Improve the handling efficiency of events .

meanwhile , All protective work includes early warning 、 analysis 、 verification 、 Disposal and follow-up The rectification and reinforcement must be based on monitoring to find security threats 、 Potential loopholes Can only be carried out on the premise of . among , Full flow security threat monitoring and analysis system Is an important key to the protection work node , And take this as the core , Effectively carry out relevant protection work .

Two 、 In the war stage —— Mobilization in front of the station boosts morale

After going through the stage of preparing for the war, I checked and filled the gaps 、 Urban defense reinforcement and other work , Safety protection can Force in technology 、 Management and operation have been greatly improved .
in order to Can cooperate more , Effectively deal with the attack in the actual combat stage , Reduce analytical disposal Time of the event , Improve the effect of defense , We also need to do a good job of mobilization in the war stage .
It is suggested to do a good job in the war stage from three aspects .

aspect	Introduce
Hold a pre war mobilization meeting	The pre war mobilization meeting mainly carries out three parts of work ： First, before the actual combat exercise , Through the form of on-site pre war mobilization meeting , Pre war mobilization , Unified thinking , system A tactic 、 Improve morale , Reach a consensus . The second is to emphasize the precautions in the protection work , There are many ways to attack , To prevent defenders from being attacked, use , Strictly observe the rules Record the red line 、 Do what is forbidden . Third, improve everyone's awareness of attack and defense , The attack process To analyze , Deploy targeted defense points for common attack means , Do something Shoot .
Implement workflow	Implement the purpose of the workflow The first is to carry out tasks for personnel involved in defense work Division of labor , Explain job responsibilities 、 Attend to each one's own duties . Second, solidify the daily work flow 、 Each post Bit coordination , Do a good job in the early stage of the attack 、 The mid-term study and judgment and the later stage of the process Set work . The third is to implement the work scheduling plan 、 Shift handover requirements, etc . Pass the work Make the process so that the defense work is orderly and effective , Improve the effect of defense .
Organize tactical training	There are two main work contents of the tactical training meeting ： First, security experts share other Relevant experience of the unit's network security actual attack and defense drill , Assist the defense team to make different attacks The defensive tactics of the attack scene . The second is the detailed interpretation of the scoring rules of the drill by the safety experts , Improve the participants' understanding of the drill .

3、 ... and 、 The actual combat stage —— Comprehensive monitoring and timely disposal

The offensive and defensive sides officially launched a comprehensive confrontation in the actual combat stage . The defender must prepare for war according to Clear organization and responsibilities , Focus and strength , Ensure timely monitoring 、 Accurate analysis 、 Efficient disposal , Try not to break the system , Data is not lost .
In the actual combat stage , From a technical point of view, we should focus on the following four points .

From a technical point of view	Introduce
Comprehensively carry out safety monitoring and early warning	In the actual combat stage, the monitoring personnel need to have basic safety data analysis ability , According to the supervisor Test data , Intelligence information can basically judge the effectiveness of the attack , In case of any doubt, immediately cooperate with the expert Industry analysts assist in the analysis , Ensure that monitoring can discover in real time , No missing report , To dispose of Work provides accurate information , At the same time, the monitoring work should cover the attack time of the whole attack team .
Overall analysis, research and judgment	In actual combat protection , Analysis, research and judgment should be the core link , The analysis, research and judgment personnel should Have offensive and defensive technical ability , Familiar with network and business . The analysis, research and judgment personnel serve as the whole defense Protect the working brain , We should give full play to the role of experts and batons . forward , Monitoring Attack warning detected by personnel 、 Analyze and confirm Threat Intelligence , backward , Coaching assistance The incident handling personnel shall handle the confirmed attack .
Improve the efficiency and effect of event handling	After determining the attack time and success , The most important thing is to take technical measures to contain the attack in the shortest time 、 Prevent spread . Event handling link , The network should be federated 、 host 、 Should be Coordinate with the personnel of multiple posts such as safety .
Trace back to , Total counterattack	After discovering the attack , The defense team can according to the safety protection equipment 、 Safety supervision Alarm information generated by the measuring equipment 、 Sample information, etc , Combine with various intelligence systems to trace Source . When conditions permit , The attack team can counter attack the terminal by deploying the trapping system , do Trace to the source 、 Defensive reaction .

Four 、 Post war consolidation —— Improvement after actual combat

The end of the exercise is also the beginning of the improvement of protection work .
After the actual work is completed, you should Make a full 、 Comprehensive double disk analysis , To sum up your experience 、 lesson .
There are two aspects of work to be done Develop .

One side ：

We will find out the attack and defense drill through the double play Preparation stage 、 In the war stage 、 Actual combat level Work programme in paragraph 、 Organizational management 、 Work kick-off meeting 、 System assets sorting 、 Security Self inspection and optimization 、 Deployment of basic safety monitoring and protective equipment 、 safety consciousness 、 meet an emergency Plan and drill 、 matters needing attention 、 Team coordination 、 Intelligence sharing and use And so on What are the flaws and deficiencies , Plan of rectification measures for problems in output technology and management .
meanwhile , All units also need to immediately summarize the offensive and defensive exercises and defensive strategies , Such as information technology 、 back Control tactics 、 Defensive battle command strategy, etc , Provide support for the drill team in the next time Defensive technical guidance .

On the other hand

Second, the network attack and defense drill is not a one-time support activity , Its The ultimate goal yes Units found network security construction through exercises The inadequacies of being , Improve and enhance the overall safety Full defense capability , Through relatively independent safe operation ideas , Data centric building Overall network security protection system , And then give full play to the most effective security capability .

So single Experience accumulated through network attack and defense drill , Follow the safe operation mechanism formed during the exercise 、 Safety monitoring technology and emergency response strategy, etc , Provide... In daily safety work Continuous safe operation capability , Make the network security protection measures continue to produce results , And then really Effectively improve the ability of safety protection .
meanwhile , The unit also needs to speed up the rectification exercise The deficiency of the current network security system construction , Instead of reducing the strength of the support team after the exercise , Resulting in reduced overall security defense capability .

Add

Last , The unit participates in and self organizes network attack and defense drills , Fully accumulate performance Practice activity experience , Train the security team , Continuously improve the overall network security system and Continuously improve the safe operation capability .

Extract

Have a beginning and an end
《 The book of odes 》 Some words ：
“ There is no beginning , Xianke has an end .”
Do things from beginning to end ,
Not just responsible for yourself ,
It is also responsible for others .
When you want to slack off ,
Remind yourself not to give up easily .
More persistence ,
There will be less regret .

原网站

版权声明
本文为[Planet Guardian]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/178/202206270650521205.html