I originally thought that after four days, my stiff neck would be a little better, so I didn't take ibuprofen. However, after the ibuprofen effect wore off, I found that the pain was still the same as before, and I took the new ibuprofen.
It will take another hour or two to take effect, so I will update it later today, probably around one or two in the morning, and then just refresh this chapter.
…………
Abstract: Organized and purposeful network attacks that exploit network security vulnerabilities are becoming more and more evident. On the one hand, the time window left for emergency response is getting smaller and smaller; on the other hand, the threat knowledge, professional skills and proficiency required for emergency response continue to increase. This article proposes a concise process and response steps for network operators to carry out emergency response as the defender, providing a practical reference for relevant units.
Keywords: network security; critical information infrastructure; attack and defense drills
1 Introduction
With the increasing importance of information technology in social development, cyberspace has become a new battlefield for great power competition. Cybersecurity attack and defense drills are an important means of testing the network security protection of critical information infrastructure and improving the emergency response level of network operators, and are of great significance in promoting network security capabilities through actual combat and confrontation. From the perspective of the network operator, this article takes the actual attack and defense drill process of a government website in which the author's unit participated as an example, briefly describes how the defense work in an attack and defense drill is carried out, and provides relevant units with organizational response experience.
2 Drill content
A certain unit organized network security professionals into several attack teams to conduct security attack tests on the official websites and business systems of secondary institutions within its jurisdiction for 5 days, in order to verify the effectiveness of the target systems' security protection capabilities. Defenders submit their reports through the exercise platform. As the operating unit of the target website and business systems, the author's unit needs to ensure the physical security, operational security and data security of the target information systems, so as to minimize the harm of network security emergencies.
3 Organizational structure
A defense headquarters was established, with the network security leader as the overall commander and with members drawn from the leaders of the network security and business system operation departments. The headquarters consists of a defense working group, a monitoring analysis group, and a research and judgment group, with a total of 20 people.
3.1 Defense Command
Coordinates the overall exercise defense work and is responsible for the command, organization, coordination and process control of the information system attack and defense exercise; issues authorization instructions for system shutdown, restoration of key operations and external information submission; reports on the progress of the exercise and produces the summary report, ensuring that the exercise meets its expected purpose.
3.2 Defense Working Group
Responsible for the specific work of the information system emergency drill: building and maintaining the centralized monitoring and disposal environment for the drill; analyzing and evaluating the impact of information system emergencies on the business; collecting and analyzing the data, information and records produced during the information system emergency response process; reporting to the headquarters on the progress of the exercise and the development of the situation; taking the lead in the daily summary and analysis of security incidents; and compiling, screening and submitting the defenders' reports.
3.3 Monitoring analysis group
Responsible for business system access monitoring and network security situation monitoring during the attack and defense drill, discovering and identifying network attacks, recording the monitoring process, and issuing attack warnings to the research and disposition team; patching vulnerabilities in the business system in a timely manner, and shutting down and restoring the business system.
3.4 Research and disposition team
In the preparation stage of the drill, responsible for rectifying the discovered network security risks and implementing the various security protection measures. In the actual drill stage, responsible for cleaning network attack traffic to ensure the availability of the business system, and for flexibly allocating technical resources as needed to complete technical analysis and judgment, real-time attack confrontation, emergency response, and so on.
4 Drill implementation
Based on past drill experience, the defending side should carry out the relevant work in three stages: before the drill, during the drill, and after the drill.
4.1 Before offensive and defensive drills
Before the attack and defense drill, a complete support team is established; from the security technology side, a comprehensive monitoring and early warning system is built, together with a warning and handling feedback mechanism within the security system area; a detailed risk assessment and security hardening is conducted for the information systems within the scope of this guarantee; the network security attack and defense drill implementation plan is formulated and the relevant personnel are informed; and security awareness publicity and implementation is carried out.
4.1.1 Asset sorting
Information asset sorting is carried out. The main sorting content includes, but is not limited to: sorting out the internet application systems published to the outside world; sorting out the internet ingress and egress points and the equipment and security measures used there; sorting out the network structure and network topology; sorting out the key or important protected information systems and the topology between the application system servers; sorting out the network security equipment and the network protection status; and sorting out the SSL VPN and IPsec access situation.
4.1.2 Risk assessment
Security experts conduct a security risk assessment based on the asset sorting results. The methods available to the security experts include questionnaires, personnel interviews, security technology penetration testing, vulnerability scanning, baseline checks and so on. Using security tools or manual means, the assessment is carried out from the dimensions of network security risk, application security risk, host security risk, terminal security risk and data security risk. The contents of each part are as follows.
(1) Network security risk assessment
Network architecture risk assessment: using manual and tool-based methods, gain a deeper understanding of the current network from the technical, strategy and management aspects, and dig out the security risks that exist in it.
Security vulnerability and baseline risk assessment: use scanning tools to comprehensively scan the network devices.
Password risk assessment: strictly prohibit accounts with weak passwords or empty passwords.
Account permission risk assessment: check administrator accounts and permissions, close unnecessary accounts, cancel unreasonable account permissions, and ensure compliance with the security baseline.
Remote login whitelist risk assessment: strictly limit the IP addresses that can remotely manage devices, and prohibit remote management using telnet.
Configuration backup risk assessment: all network equipment has good configuration backups, and the backups are confirmed to be valid and recoverable.
(2) Application security risk assessment
Identity authentication risk assessment: evaluate the configuration of the application system's identification and authentication capabilities and how the application system handles the various user login situations, such as login failure and login connection timeout.
Access control risk assessment: evaluate the application system's access control settings, such as access control policies and permission settings.
Security audit risk assessment: evaluate the application system's security audit configuration, such as its coverage and the items and contents it records.
Asset exposure risk assessment: simulate a hacker's information collection to obtain the asset details that are exposed, such as program names, versions, dangerous ports, business management backends, etc.
Application vulnerability risk assessment: test web services (including apache, websphere, tomcat, iis, etc.) and other programs such as ssh and ftp for missing patches or version vulnerabilities.
Penetration test: using penetration testing as the means, discover the security vulnerabilities that exist in the test target information system in aspects such as identification and authorization and code review, exploit the vulnerabilities found to confirm their impact, and provide specific improvement or reinforcement measures to avoid or prevent such risks or vulnerabilities.
(3) Host security risk assessment
Webshell risk assessment: for systems that provide web services, perform webshell backdoor detection, check the server's security, and make sure that any backdoor left behind by a possible breach is cleaned up.
Malicious file risk assessment: use professional zombie, trojan and worm detection tools to carefully check the operating system's files, conduct behavioral analysis on suspicious files, and identify the virus families and their dangers.
Password risk assessment: strictly prohibit accounts with weak passwords or empty passwords.
Port and service risk assessment: the server only opens the ports related to the services it provides; close unnecessary ports and external services.
Server firewall risk assessment: by default, prohibit the server from actively initiating external access; strictly formulate access control policies and implement a whitelist for the server's external access.
System vulnerability scanning risk assessment: perform vulnerability scans on the operating system, the database and the common application protocols.
(4) Terminal security risk assessment
Security baseline risk assessment: configure the security baseline of the terminal operating system to ensure the security of end devices.
Password risk assessment: strictly prohibit accounts with weak passwords or empty passwords.
Antivirus software risk assessment: whether anti-virus software is installed on the terminal and whether its security policy is enabled.
Illegal external connection risk assessment: whether the terminal is configured with dual network cards, and whether it opens or connects to hotspots.
Patch update risk assessment: the status of patch updates.
(5) Data security risk assessment
Security baseline risk assessment: configure the security baseline of the database's operating system to ensure the security of the database system.
Data access control risk assessment: evaluate the permission settings for data access.
Data backup risk assessment: the data backup strategy and the backup status.
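Several of the host and network items in this checklist (empty passwords, unnecessary listening ports, telnet for remote management, a remote-management whitelist) can be checked mechanically against collected evidence. The following Python script is an added example, not code from the paper or the unit it describes: it audits constructed evidence shaped like /etc/shadow lines, `ss -tlnp` output and a simplified allow-rule list (the rule syntax, the service-port set and the 10.0.0.0/8 management network are assumptions made for the example) and reports each checklist item that fails.

```python
"""Checklist audit for the host and network items of the pre-drill risk
assessment: empty passwords, unnecessary listening ports, telnet, and the
remote-management whitelist. Added example with constructed evidence."""
import re
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Finding:
    dimension: str  # checklist dimension: host or network
    item: str       # checklist item the evidence fails
    detail: str


# Constructed sample evidence, not taken from any real system.
SHADOW = (
    "root:$6$saltsalt$hashedhash:19000:0:99999:7:::\n"
    "deploy::19000:0:99999:7:::\n"      # empty password field
    "backup:!:19000:0:99999:7:::\n"     # locked account, acceptable
    "www-data:*:19000:0:99999:7:::\n"
)
SS_OUTPUT = (  # shaped like `ss -tlnp` output
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
    'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1,fd=3))\n'
    'LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=2,fd=6))\n'
    'LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=3,fd=4))\n'
    'LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=4,fd=20))\n'
)
# Assumed simplified rule syntax "allow <source cidr> -> port <n>" (constructed,
# not the syntax of any real firewall).
FW_RULES = (
    "allow 10.10.1.0/24 -> port 22\n"
    "allow 0.0.0.0/0 -> port 22\n"
    "allow 0.0.0.0/0 -> port 443\n"
)
SERVICE_PORTS = {443}                          # ports the server is meant to expose
MGMT_PORTS = {22, 23, 3389}                    # remote-management ports
MGMT_WHITELIST = [ip_network("10.0.0.0/8")]    # assumed management network


def check_empty_passwords(shadow_text):
    """Password item: an empty second field means login without a password."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(Finding("host", "password",
                                    f"account {fields[0]} has an empty password"))
    return findings


def listening_ports(ss_text):
    """Map listening port -> process name from ss-style lines."""
    pattern = re.compile(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    ports = {}
    for line in ss_text.splitlines():
        m = pattern.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def check_ports(ss_text, service_ports):
    """Port/service and remote-login items: only service ports should be open,
    and telnet should not be used for remote management at all."""
    findings = []
    for port, proc in sorted(listening_ports(ss_text).items()):
        if port == 23:
            findings.append(Finding("network", "remote-login",
                                    f"telnet ({proc}) listening on port 23"))
        elif port not in service_ports and port not in MGMT_PORTS:
            findings.append(Finding("host", "ports-and-services",
                                    f"port {port} ({proc}) is not a service port"))
    return findings


def check_mgmt_whitelist(rules_text, mgmt_ports, whitelist):
    """Remote-login whitelist item: management ports must only be reachable
    from sources inside the management whitelist."""
    findings = []
    for line in rules_text.splitlines():
        m = re.match(r"allow\s+(\S+)\s+->\s+port\s+(\d+)", line)
        if not m:
            continue
        src, port = ip_network(m.group(1)), int(m.group(2))
        if port in mgmt_ports and not any(src.subnet_of(net) for net in whitelist):
            findings.append(Finding("network", "remote-login-whitelist",
                                    f"port {port} reachable from {src}"))
    return findings


def audit():
    """Run every check over the constructed evidence and collect the findings."""
    return (check_empty_passwords(SHADOW)
            + check_ports(SS_OUTPUT, SERVICE_PORTS)
            + check_mgmt_whitelist(FW_RULES, MGMT_PORTS, MGMT_WHITELIST))


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.dimension}/{f.item}] {f.detail}")
```

On the constructed evidence the audit yields four findings: the `deploy` account with an empty password, telnetd on port 23, mysqld on port 3306 exposed although only 443 is a service port, and a rule that opens ssh to 0.0.0.0/0 instead of the management network. Each finding names the checklist item it belongs to, so the output can be handed directly to the responsible person for reinforcement in 4.1.3.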
4.1.3 Security reinforcement
Through review and analysis, the security vulnerabilities and risks of the information assets and critical information systems are analyzed and targeted security reinforcement is carried out. Network-level security issues involving network equipment, security equipment and security systems are reinforced by the network operations department; application system vulnerabilities, coding errors, administrator weak passwords, middleware vulnerabilities and other host and application issues are reinforced by the respective responsible persons. Under the guidance of security experts, the target system is advised to solve the technical security issues found in the security evaluation, transform the system's security configuration, and eliminate the security risks caused by improper configuration.
4.1.4 Security training
To improve the security technical competence of security technical personnel and the security awareness of non-security personnel, the defense working group customizes the training course content, uses relevant teaching materials, practical cases and other materials, and helps the relevant personnel improve their security awareness and their knowledge of information security attack and defense, so as to respond effectively to cyberattacks during the drill.
The attack team obtains information about the target unit's information systems from the outside and conducts attack practice against them, in order to test the protective capabilities of the target system and the collaborative support capabilities of the defensive team. The attack methods used by the attack team should not affect the normal business of the target unit; they include, but are not limited to, penetration testing, system vulnerability attacks, phishing/APT combined attacks, social engineering attacks, etc.
4.1.6 Environment preparation
In cooperation with the on-site side, the centralized monitoring and disposal environment for the drill is built, including power and network equipment; the network is accessed according to the work task assignments, and the normal operation of the attack and defense drill equipment is ensured.
4.2 Offensive and defensive drills in progress
The defense working group guides the monitoring analysis group and the research and judgment group to make every effort to defend against network attacks from any attacker during the drill and to monitor the attack status of the target system in real time; any network security incident is immediately reported to the defense headquarters so that it can follow the drill situation in real time. The groups analyze and judge security incidents, form an analysis and disposal report, and report it.
4.2.1 7x24 hours monitoring and early warning
The monitoring analysis group uses the business system access logs, website security monitoring, the network security management center, network security situation awareness and other reporting and early warning platforms to achieve centralized monitoring of website security. Dedicated personnel are assigned to analyze and verify security events on the monitored websites in real time. When a security incident occurs, it is immediately reported to the on-site research and disposition team. Every monitoring task is assigned to a named person; the monitored security events must be recorded, system backup work and faults are recorded in detail, and a preliminary diagnosis is made.
4.2.2 Technical analysis
During the attack and defense drill, the number of network attacks increases exponentially, and traditional threat discovery methods based on black and white lists, signatures and rules can no longer cope with the escalating, targeted network threats of the drill period. Therefore, when the internet security monitoring platform or security situation awareness detects a security event, the monitoring analysis group must immediately analyze it, locate the problem and trace the source. Once the event is determined not to be a false alarm, the detailed attack path, attacking IP and so on are fed back to the research and judgment group and the defense working group for reporting. After locating the security problem based on the fault description and diagnosis, solution ideas are produced according to the situation and fed back to the research and judgment group; problems that cannot be located by analysis are fed back directly to the defense working group.
4.2.3 Expert judgment and confrontation with real-time attacks
The biggest security risk during the attack and defense drill comes from attackers, especially targeted and persistent attacks, and the early detection and containment of targeted and persistent attacks is an effective means of avoiding external risks. The drill period is also an active period for illegal hacker organizations, which may disguise themselves as attack teams to attack the defending units. The monitoring analysis group and the research and disposition team need to analyze and judge security events in real time, add corresponding protection strategies to security equipment such as intrusion prevention systems and web application firewalls according to the event characteristics, and classify illegal attack events for real-time attack countermeasures.
4.2.4 Emergency response and business recovery
The key to successful emergency response is to handle the emergency quickly according to the pre-established processes and to resolve the security incidents that have occurred in an orderly manner.
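The technical analysis step in 4.2.2 asks the monitoring analysis group to take a detected event from the access logs, rule out false alarms, and hand the attacking IP and attack path to the research and judgment group. The following Python script is an added example of that triage and is not code from the paper or the unit it describes: it parses constructed combined-format access log lines, flags clients that generate a burst of mostly failing requests in a short window (the behaviour of path probing, which signature-based rules miss), suppresses a whitelisted internal monitor so that it does not become a false alarm, and returns the IP, the time window and the list of paths hit. The monitor address 10.0.0.5, the thresholds and all log lines are assumptions constructed for the example.

```python
"""Triage of web access logs for the 7x24 monitoring / technical analysis
step: spot probing clients, suppress known monitors (false alarms), and
produce the attacking IP and paths to hand to the research and judgment
group. Added example; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
MONITOR_WHITELIST = frozenset({"10.0.0.5"})  # assumed internal uptime monitor


def _line(ip, ts, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'


# Constructed access log: a normal visitor, an internal monitor polling a
# retired endpoint (all 404), and a client probing for admin/config paths.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.20", "10/Oct/2023:13:50:01 +0800", "/", 200),
     _line("198.51.100.20", "10/Oct/2023:13:50:03 +0800", "/news", 200),
     _line("198.51.100.20", "10/Oct/2023:13:50:09 +0800", "/news/1", 200)]
    + [_line("10.0.0.5", f"10/Oct/2023:13:52:{10 * i:02d} +0800", "/old-health", 404)
       for i in range(6)]
    + [_line("203.0.113.7", f"10/Oct/2023:13:55:{36 + 3 * i:02d} +0800", p, s)
       for i, (p, s) in enumerate([("/admin", 404), ("/phpmyadmin", 404),
                                   ("/.env", 404), ("/backup.zip", 404),
                                   ("/login", 200), ("/wp-login.php", 404),
                                   ("/config.php", 404)])]
)


def parse(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(log_text, whitelist=MONITOR_WHITELIST, window_seconds=60,
            min_requests=5, min_error_ratio=0.6):
    """Flag clients that generate a burst of mostly failing requests: many
    4xx/5xx hits in a short window is the signature of path probing.
    Whitelisted monitors are dropped so they do not become false alarms."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["ip"] not in whitelist:
            per_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        errors = sum(1 for r in recs if r["status"] >= 400)
        ratio = errors / len(recs)
        if len(recs) >= min_requests and span <= window_seconds and ratio >= min_error_ratio:
            alerts.append({
                "ip": ip,                       # attacking IP for the report
                "requests": len(recs),
                "errors": errors,
                "span_seconds": span,
                "first_seen": recs[0]["ts"],
                "paths": sorted({r["path"] for r in recs}),  # attack path list
            })
    return sorted(alerts, key=lambda a: a["errors"], reverse=True)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ip']}: {a['errors']}/{a['requests']} failed in {a['span_seconds']:.0f}s "
              f"from {a['first_seen']}; paths: {', '.join(a['paths'])}")
```

With the whitelist in place only 203.0.113.7 is reported (6 of 7 requests failed within 18 seconds); with an empty whitelist the internal monitor would be reported too, which is exactly the false alarm the analysis step is meant to filter out before the attacking IP and path list go to the research and judgment group and into the IPS/WAF policy.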