It has been three months since this series went quiet. I told my friends two days ago that the series is not over :). Last time we talked about securing a single server: as long as the baseline hardening is solid, it is not hard to patch regularly, keep an eye on the system's state, and respond to security events in time. In reality, though, an enterprise never has just one server, so building a complete security monitoring system inside the enterprise is essential. This article is about security monitoring.
0x00 The enterprise security life cycle:
First, let's be clear that network security monitoring is a very important part of enterprise security management, so we have to start with what the enterprise security life cycle is. The enterprise security life cycle consists of a planning stage, a resistance stage, and a monitoring and response stage. The picture below illustrates it:
- Planning stage: the goal is to prevent intrusions as effectively as possible, or to deal with the weaknesses being exploited by an ongoing intrusion. In this stage the IT department and the information security department prepare, assess the situation, start the defence and evaluate the results. Budgeting, auditing, compliance checks, training, SDL and similar work all happen in this stage.
- Resistance stage: the IT department and the information security team carry out testing and protection work, much of it automated, such as firewalls, antivirus software, DLP, blacklists/whitelists and authentication, in order to keep attackers out of our systems.
- Monitoring and response stage: this stage covers three security monitoring activities, collection, analysis and escalation (the update and iteration loop); resolving the problem is part of the response stage.
So when we do network security monitoring, the monitoring and response stage is where we need to invest the most. It is the basis on which analysts collect, analyze and escalate for monitoring and intrusion response, and the diagram below illustrates this.
In the information collection phase we collect as much information as possible about the various machines on the intranet, with the help of NIDS, HIDS, SIEM and other log collection devices. When we detect that a server or host has made an abnormal request, we enter the analysis phase. With IOC rules we can perform matching; without IOCs we search for the threat instead. When the event has been resolved we update the IOC data and requirements, and finally we feed the updated data back into our monitoring system, completing one iteration.
0x01 Collection, analysis, escalation and handling:
As we said before, the points that need to be solved in network security monitoring are collection, analysis, escalation and response-phase handling. Next, we will talk about each of these in turn.
- Collection: the data we gather is used to judge the nature of an activity, whether it is normal or abnormal, malicious or not.
- Analysis: the process of verifying and reproducing the nature of the event we suspect. In terms of the figure above, one category of analysis is based on IOCs (indicators of compromise), and the other is not.
- Escalation: informing the client (for Party A, the client is the enterprise itself; for Party B, it is the customer) about the state of the compromised assets.
- Handling: the actions the client or the security team takes to reduce the enterprise's loss and risk.
Let's take them one by one:
(1) Collection:
In fact, there are two ways to collect: technical means and non-technical means. Technical means refers to collecting relevant data from terminals or hosts, network equipment and logs; non-technical means includes data provided by the client in writing or verbally.
As for the technical means, what we need to collect includes at least the following: the log source that produces the application data, the log collector that receives and stores it, and the transfer method that moves the logs from the source to the collector.
For non-technical means, we should pay attention to the reports, statements and other data provided by clients or customers, which often contain very useful information.
In order to ensure that the results and data we collect are more reliable, our collection operation should include at least three parts:
- Data for hosts, networks, and applications, also known as base data
- Report, statement and other non-technical data
- Information from databases, credential systems and other management platforms
(2) Analysis: analysis is the process of identifying and verifying normal, suspicious and malicious activities. It can be said that the emergence of the IOC has accelerated this process across the whole monitoring workflow. Let's focus on the IOC, a term big companies often use but whose real intent many people do not understand. First of all, an IOC is observable data that identifies adversary activity; it is a sign that the attacker has been active. IOCs exist to solve the problem of organizing the signs of attacker activity and finding potentially malicious behaviour in today's automated systems.
As mentioned above, analysis divides into two methods: IOC-based analysis, which is matching, and analysis that does not rely on IOCs, which is searching. The first, IOC-based analysis, is called matching: as long as some piece of your information appears in an IOC for malicious behaviour, I can identify your behaviour as malicious; if not, it is treated as benign. Matching can find known malicious behaviour, but anything without an IOC goes unnoticed, as you can imagine. The second method, which does not rely on IOCs, is called hunting for the attacker. Next, we will talk about two key technical points: intrusions versus events, and event classification.
<1> Intrusions and events: an intrusion is the act of operating a computer through channels that are not legitimate. An intrusion is only one example of an event; besides intrusion events there are other information security events, such as denial of service. Here we should establish a complete standard for grading security events. Personally, I think the grading can follow the structure of the defence-in-depth system, which makes it easier to characterize an event.
<2> Event classification: by type and severity, we can also classify events so that reports are easier to write. For example, events can be divided by the number of defence layers breached into five levels, Log, Low, Medium, High and Critical, with each level mapped to a different emergency response plan.
<3> Information exchange considerations: if we are hit by an APT, we must prepare for the worst. Suppose the attacker has already compromised our mail system and can read our mail at will; the attacker will certainly read the security team's and IT team's mail to find weak points in the system and penetrate further. Before a serious event is detected, we should test our communication systems so that they can withstand these threats.
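As an added example (not code from the original post), the two analysis methods above side by side, with the per-host severity derived from the number of defence layers breached as in point <2>. The IOC values, log lines, layer names (fw, proxy, hids) and the count-to-level mapping are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

FAKE_HASH = "ab" * 32  # constructed placeholder, not a real file hash
# Constructed IOC set (placeholder values, not real indicators).
IOCS = {"dst_ip": {"203.0.113.45"}, "domain": {"bad.example.net"}, "sha256": {FAKE_HASH}}

# Constructed log lines: "<time> <layer> key=value ...". Layers are assumed
# defence-in-depth layers: fw (perimeter), proxy (egress), hids (host).
LOGS = [
    "2024-05-01T10:00:00 fw host=ws1 dst_ip=203.0.113.45",
    "2024-05-01T10:00:05 proxy host=ws1 domain=bad.example.net",
    "2024-05-01T10:01:00 proxy host=ws2 domain=cdn.example.org",
    "2024-05-01T10:02:00 proxy host=ws2 domain=cdn.example.org",
    "2024-05-01T10:03:01 proxy host=ws2 domain=cdn.example.org",
    "2024-05-01T10:04:00 proxy host=ws2 domain=cdn.example.org",
    f"2024-05-01T10:04:30 hids host=ws1 sha256={FAKE_HASH}",
]

def parse(line):
    ts, layer, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "layer": layer}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec

def match_iocs(records):
    """IOC-based analysis (matching): flag a record only if a field equals a known indicator."""
    return [(r["host"], r["layer"], f, r[f]) for r in records
            for f, values in IOCS.items() if r.get(f) in values]

def hunt_beacons(records, min_count=4, jitter=5.0):
    """Non-IOC analysis (hunting): a host contacting one domain at a near-constant interval,
    which matching cannot see because cdn.example.org is in no IOC list."""
    seen = defaultdict(list)
    for r in records:
        if r["layer"] == "proxy":
            seen[(r["host"], r["domain"])].append(r["ts"])
    findings = []
    for (host, domain), times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and max(gaps) - min(gaps) <= jitter:
            findings.append((host, domain, round(sum(gaps) / len(gaps))))
    return findings

LEVELS = ["Log", "Low", "Medium", "High", "Critical"]  # levels from the post

def severity(host_hits):
    """Assumed mapping: the level index is the number of distinct layers breached."""
    layers = {layer for _, layer, *_ in host_hits}
    return LEVELS[min(len(layers), len(LEVELS) - 1)]
```

With the constructed logs, ws1 matches indicators at three layers and grades as High, while ws2's regular 60-second beacon is found only by the hunting function.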
(3) Handling:
When dealing with an information security event, we should first consider how to reduce the risk, and for that we should establish a risk reduction criterion. When any asset is compromised, the client must take at least one measure, according to the nature of the event, to reduce the risk of data loss, alteration or service failure, rather than waiting passively.
At the same time, the security team should establish a hierarchical response strategy to restrict the attacker's interaction with other computers, considering options such as:
- Suspending the host (putting the machine to sleep)
- Closing ports
- Kernel and system modifications that restrict network access
- ACLs
- Firewalls and proxies
- Routing tables
If possible, we can divert this abnormal traffic into a honeypot to study the attacker's behaviour and purpose, but whatever action we take, we must preserve the integrity of the data. If we are attacked by an APT, solving these problems requires a dedicated, trusted channel for exchanging information, so that our incident response communications are not leaked.
0x02 CIRT:
CIRT evolved from CERT; what the word means you can look up on Baidu. Next, we will discuss how to build a mature and effective CIRT team.
The key metrics a CIRT needs to track and measure include the classification and total number of events, and the time elapsed from event discovery to event containment.
The structure of a CIRT is as follows:
(1) Incident response supervisor: the leader, and a leader worthy of the name. A person in charge from each of the three teams below reports to him, and because the CIRT exists he will inevitably have to fight his corner against other departments.
(2) Event monitoring and response: this team is responsible for daily analysis and for updating and maintaining security event data. It is composed of event handlers (highly skilled people who work only on non-IOC analysis), incident analysts (the meeting point of non-IOC and IOC work) and event analysts (who work only on IOCs). This team generally operates 24 hours a day, with people on call.
(3) Threat and intelligence: this team's work includes collecting and using threat intelligence, red and blue team simulation exercises, penetration testing and so on. Day to day it is largely self-directed, continuously raising the security level.
(4) Infrastructure development: develops internal systems to keep all of this monitoring running normally and efficiently.
(5) Incident response team contact person: not much to say here.