0xb2 Emergency response: overview of intranet security monitoring

Posted by trammel at 2020-04-12

It's been three months since I last posted. I said in my friend circle two days ago that this series won't end :). Last time we talked about how to secure a single server: as long as the basics are solid, it's not hard to patch it regularly, keep an eye on its state, and respond to security events in time. But in reality an enterprise never has just one server, so building a complete security monitoring system inside the enterprise is very important. In this article we will talk about security monitoring.

0x00 Enterprise security life cycle:

First of all, make it clear that network security monitoring is a very important part of enterprise security management, so we have to say what the life cycle of enterprise security is. The enterprise security life cycle includes a planning stage, a resistance (defense) stage, and a monitoring and response stage. A diagram illustrates this:

So when we do network security monitoring, the monitoring and response stage is where we need to invest the most. This stage is where analysts collect, analyze and escalate, iterating on monitoring and intrusion response, so again a diagram illustrates it.

In the information collection phase, we need to collect as much information as possible about the various machines on the intranet. We can collect it with the help of NIDS, HIDS, SIEM and other log collection devices. When we detect that a server or host has made an abnormal request, we enter the analysis phase. Here we can either match against IOC rules or search for threats without relying on IOCs. When the event is resolved, we update the IOC data and requirements. Finally, we feed the updated data back into our monitoring system and complete one iteration.

0x01 Collection, analysis, escalation and handling:

As we said before, the points that need to be addressed in network security monitoring are collection, analysis, escalation and handling in the response phase. Next, we will talk about each of these points.

Let's take them one by one:

(1) Collection:

In fact, there are two ways to collect: technical means and non-technical means. Technical means refers to collecting the relevant data from terminals or hosts, network equipment and logs; non-technical means includes data provided in writing or orally by the client.

As for the technical means, the data we need to collect covers at least the following: the log sources that produce application data, the log collector that receives and stores the logs, and the transport method that moves logs from the source to the collector.

For non-technical means, we should pay attention to the reports, statements and other data provided by clients or customers, which often contain very useful information.

In order to ensure that the results and data we collect are more reliable, our collection operation should include at least three parts:

(2) Analysis: analysis is the process of identifying and verifying normal, suspicious and malicious activity. It can be said that the emergence of IOCs sped this process up across the whole monitoring workflow. Let's focus on IOCs, which some big companies talk about often, though many people don't understand what an IOC is really for. First of all, an IOC is observable data that identifies adversary activity; it is a sign of the attacker's activity. IOCs emerged to solve the problem of organizing the signs of attacker activity and finding potentially malicious behavior within today's automated systems.

As mentioned above, analysis can be divided into two methods according to whether it relies on IOCs: analysis that relies on IOCs for matching, and analysis that does not rely on IOCs and instead searches. The first, relying on IOCs, is called matching: as long as some of your information appears in an IOC for malicious behavior, I can classify your behavior as malicious; if not, I treat it as benign. Matching does find some malicious behavior, but only behavior that already has an IOC, as you know. The second method, which does not rely on IOCs, is called searching for the attacker. Next, we will talk about two key technical points: intrusions and events, and event classification.

<1> Intrusions and events: an intrusion is operating a computer through illegitimate channels. An intrusion is only one kind of event; besides intrusion events there are other information security events, such as denial of service. Here we should build a complete set of security event grading standards. Personally, I think grading can be based on the construction of the defense-in-depth system, which makes it easier to characterize an event.

<2> Event classification: according to the type and severity of an event, we can also classify events to make report writing easier, for example dividing events by the number of defensive layers breached into five levels, Log, Low, Medium, High and Critical, with each level corresponding to a different emergency response plan.

<3> Information exchange considerations: if we have been hit by an APT, we must prepare for the worst. Suppose the attacker has already compromised our mail system and can read our mail at will; the attacker will then certainly read the security team's and IT team's mail to find weak points in the system and penetrate further. Before a serious event is ever detected, we should test our communication systems to make sure they can withstand these threats.
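The following is an added example, not code from the original post. It puts the two analysis methods from above (IOC matching versus IOC-free searching) side by side over constructed log records, then grades the combined findings by how many defense-in-depth layers were breached using the Log/Low/Medium/High/Critical levels. The indicator values, layer names, response plan names and the threshold "one breached layer per level" are assumptions for illustration.

```python
# Added example (not from the original post): IOC matching vs. IOC-free hunting,
# then grading by the number of defense-in-depth layers breached.

# Constructed IOC set: placeholder indicator values, not real threat data.
IOCS = {
    "domain": {"bad-cdn.example"},
    "sha256": {"deadbeef" * 8},
}
# Assumed defense-in-depth layers, outermost first; breaching more is worse.
LAYERS = ["perimeter", "network", "host", "internal"]
LEVELS = ["Log", "Low", "Medium", "High", "Critical"]
PLANS = {"Log": "record only", "Low": "notify on-call", "Medium": "isolate host",
         "High": "activate CIRT", "Critical": "activate CIRT + out-of-band comms"}

# Constructed records: pc-7 resolves a listed domain, runs a listed binary,
# then authenticates to an internal file server; pc-9 is benign noise.
LOGS = [
    {"host": "pc-7", "layer": "perimeter", "type": "dns", "domain": "bad-cdn.example"},
    {"host": "pc-7", "layer": "host", "type": "process", "sha256": "deadbeef" * 8},
    {"host": "file-01", "layer": "internal", "type": "auth", "src": "pc-7"},
    {"host": "pc-9", "layer": "host", "type": "process", "sha256": "cafe" * 16},
]

def match_iocs(records):
    """IOC-based analysis (matching): flag records whose fields hit an indicator."""
    return [r for r in records
            if any(r.get(field) in vals for field, vals in IOCS.items())]

def hunt(records):
    """IOC-free analysis (searching): flag an auth record whose source host was
    already seen acting elsewhere, a simple lateral-movement hypothesis."""
    active = {r["host"] for r in records if r["type"] != "auth"}
    return [r for r in records if r["type"] == "auth" and r.get("src") in active]

def grade(findings):
    """Severity = number of distinct layers breached, capped at Critical."""
    breached = {r["layer"] for r in findings if r["layer"] in LAYERS}
    level = LEVELS[min(len(breached), len(LEVELS) - 1)]
    return level, PLANS[level]

def triage(records):
    """Run both analyses, de-duplicate findings, and grade the incident."""
    findings = []
    for r in match_iocs(records) + hunt(records):
        if r not in findings:
            findings.append(r)
    level, plan = grade(findings)
    return {"findings": len(findings), "level": level, "plan": plan}

if __name__ == "__main__":
    print(triage(LOGS))  # pc-7 breached perimeter, host and internal -> High
```

Note that the auth record is only caught by the search path: it has no indicator on it, which is exactly the gap the text describes for matching alone.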

(3) Handling:

When dealing with an information security event, we should first consider how to reduce the risk, and for that we should establish a risk reduction criterion. When any asset is compromised, the client must take at least one measure, according to the nature of the event, to reduce the risk of data loss, alteration or outage, rather than sitting and waiting for the worst.

At this point the security team should establish a tiered response strategy that restricts the attacker's interaction with other computers, and consider the possible scenarios.

If possible, we can redirect this abnormal traffic into a honeypot to study the attacker's behavior and purpose, but whatever action we take, we should preserve the integrity of the data. If we are attacked by an APT, then to handle it we need a dedicated and trustworthy channel for exchanging information, so that our emergency response communications are not leaked.

0x02 CIRT:

CIRT evolved from CERT; if you don't know the term, look it up on Baidu. Next, we will discuss how to build a mature and effective CIRT team.

The key metrics a CIRT needs to track and measure include the classification and total number of events, and the time from event discovery to event containment.

The structure of a CIRT is shown below:

(1) Incident response supervisor: the leader, and a leader worthy of the name. A person in charge from each of the three teams below must be chosen to report to him, and because CIRT exists he will inevitably have to fight with other departments.

(2) Event monitoring and response: this team is responsible for daily analysis and for updating and maintaining security event data. It is made up of event handlers (who work only without IOCs and are highly skilled), incident analysts (the meeting point of IOC and non-IOC work) and event analysts (who work only with IOCs). This function generally operates 24 hours a day, with people on call.

(3) Threat and intelligence: this team's work includes collecting and using threat intelligence, red team / blue team simulation exercises, penetration testing, and so on. The daily routine is to tinker on your own when nothing is happening, and continuously raise the security level.

(4) Infrastructure development: develops internal systems that keep all of this monitoring running normally and efficiently.

(5) Incident response team contact person: nothing much to say here.