Security analysis

Posted by barello at 2020-03-15

0x00 Preface

Writing the year-end summary, I find it was another busy year, though I cannot quite recall what kept me so busy. I have been doing security analysis for a little over a year now: vulnerability discovery, vulnerability analysis and follow-up event tracking, and along the way I have formed a basic understanding of what security analysis is.

Here I write down my thinking on security analysis, which also serves as a summary of that work. This post has the following two parts:

Everything here is written from the perspective of personal security research and is not meant as guidance for building an enterprise security program. If you don't like it, please don't flame.

0x01 What is security analysis

Security analysis is the response to security events: collecting information by some means, processing that information, and thereby producing intelligence. Security analysis is therefore guided by information. Whether it is vulnerability early warning, malware analysis or attack event tracking, the goal is to produce intelligence that supports decision-making in security construction. Security analysis therefore has three core stages:

The final output of security analysis is intelligence, and intelligence is time-sensitive. How well security analysis is done depends on the breadth and timeliness of the information collected and on the ability to process it.

0x02 Security analysis life cycle

Security analysis is the activity of tracking and analyzing security events. It usually begins with determining a direction and collecting information, and ends with exporting and disseminating intelligence.


In the initial stage of security analysis we must determine the types of attack events to analyze, the ways to collect information about those events, the auxiliary resources to use in analyzing them, and so on. Generally speaking, different kinds of events call for different directions; although information collection, evaluation and verification overlap between them, the specific analysis methods and the way results are developed and communicated will differ.

Security analysis is driven by the intelligence it is meant to export. For vulnerability intelligence, the chosen direction should relate to vulnerabilities; for malware intelligence, we need to follow ransomware, cryptomining, botnets and similar activity; to export TTP intelligence, we need to collect information about APT attacks.


Information collection comes early in security analysis, and its quality has a great influence on every later stage. When collecting information we must therefore pay attention to the following points:

First, before collecting, the direction and scope of analysis must be clear; this was covered in the previous step, "direction". Second, the input information must be clean and accurate. Twitter is a typical example: many people collect intelligence through Twitter, but a given account's posts are not necessarily the security information we need, so Twitter is not a high-precision, clean intelligence source.

In addition, both high availability and high accuracy of information should be ensured. There are security media outlets at home and abroad, and the personal blogs of researchers, but it is difficult to get both properties at once through these channels. Media reports score well on precision, but they often only describe the problem without adding much value, which security researchers then have to expand manually. Some personal blogs are highly available, but much of what they share is not what we need, so the precision of this route is often very low. Information collection has further requirements as well, such as whether coverage is broad and whether the source is reliable.

Ultimately, then, information collection is a problem of building access to information and collecting that information in a structured form.

Having listed so many requirements for information collection, I would like to discuss the sources of information: open source (OSINT), closed, and confidential.

Security analysts should work from all-source analysis rather than limit themselves to easily accessible information. Only closed and confidential data can contain effective, highly relevant intelligence; open source data can only add credibility, or trigger the collection of closed and confidential information.

Whatever the approach, the starting point is obtaining the desired information, and the goal is exporting the high-quality intelligence that decision-making needs. In terms of cost, collecting open source data is far cheaper than deploying private assets; open source data is easy to acquire but enormous to process, so a more reasonable collection structure is one in which the three kinds of sources complement each other.


Evaluating event information is an important stage of security analysis, carried out after the information has been obtained. The collection stage only builds access to information; it is aimed at the source, not at the information itself. Keyword matching or even machine learning may already have been used to filter information during collection, but that cannot replace human review and judgment.

Once the source is settled and the information obtained, we enter the study-and-judgment stage, which is approached from the following perspectives:

The first five aspects assess the reliability, effectiveness and accuracy of the information; the sixth prepares for the stages that follow.


The analysis stage is the most important part of security analysis. Different security events call for different analysis methods and require different skills and resources.

Analysis is the process of studying the information at hand in depth to find characteristics, patterns of development and causes, and to output intelligence that can support decision-making.

Each kind of security incident has its own analysis methods, which will not be discussed here.


As mentioned before, there are many types of security events, with different analysis strategies and different analysis periods.

Short cycle, such as vulnerability analysis. After analyzing a vulnerability in detail, finding its root cause and exploitation method, and determining the affected scope, we can move on to archiving and communication. Further expansion is usually not needed.

Long cycle, such as APT analysis, ransomware, botnets and so on. These security events share a common feature: high time complexity, multiple events, and behavior that is hard to analyze.

Because of these characteristics, a single attack event cannot describe the whole attack activity, so for some security incidents we need an extended stage of long-term tracking and analysis.

APT analysis is the typical case. APT activity has high time complexity, multiple behaviors, multiple fingerprint identities, and multiple RATs and malware families; the information carried by a single attack event is limited and cannot yield an effective TTP. Only through extended analysis can we summarize intelligence that supports decision-making.

The same goes for malware and botnets.


Sorting means structuring both the collected information and the generated intelligence, storing them in a computer system, and supporting fast access, query and reference (even cross-reference). It must be clear that this is not simply archiving. Archiving stores organized data sets for the long term; in security analysis, the methods and characteristics of network attacks keep changing, and the intelligence produced changes with the confrontation.

We take an event as input, analyze it, and store the output intelligence. At a later time we find another active attack event of the same origin, and we revise the stored output according to what has changed, forming the analysis pattern "input, analysis, output, correction".

Reuse of intelligence and cross-reference are very important for reducing analysis time and improving intelligence quality, so the sorting stage is indispensable.

Once again: attacks cause security incidents, and attacks are constantly changing. Security analysis is a dynamic process of confrontation and change.
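As an added illustration of the "input, analysis, output, correction" pattern and the cross-reference this stage relies on (my own example, not the author's; cluster names, IOC values, dates and field names are all constructed):

```python
# Added example (not the author's code): a minimal structured intelligence store for the
# "sorting" stage. Events, IOCs and cluster names are constructed (TEST-NET addresses, placeholders).
from dataclasses import dataclass, field


@dataclass
class ClusterRecord:
    """Stored output intelligence for one cluster of same-origin activity."""
    name: str
    iocs: set = field(default_factory=set)
    ttps: set = field(default_factory=set)
    event_dates: list = field(default_factory=list)
    revisions: int = 0  # how many later events corrected this record


class IntelStore:
    def __init__(self):
        self.records = {}    # cluster name -> ClusterRecord
        self.ioc_index = {}  # IOC value -> cluster name (the cross-reference)

    def ingest(self, event):
        """Input -> analysis -> output -> correction: an event sharing an IOC with
        a stored record is same-origin activity, so that record is corrected. IOCs
        pointing at several clusters need an analyst's decision, so we refuse."""
        known = {self.ioc_index[i] for i in event["iocs"] if i in self.ioc_index}
        if len(known) > 1:
            raise ValueError(f"IOCs cross-reference several clusters: {sorted(known)}")
        name = known.pop() if known else event["label"]
        rec = self.records.setdefault(name, ClusterRecord(name))
        if rec.event_dates:  # not the first event for this cluster: a correction
            rec.revisions += 1
        rec.iocs.update(event["iocs"])
        rec.ttps.update(event["ttps"])
        rec.event_dates.append(event["date"])
        for ioc in event["iocs"]:
            self.ioc_index[ioc] = name
        return rec

    def lookup(self, ioc):
        return self.records.get(self.ioc_index.get(ioc))  # None if IOC unknown


EVENTS = [  # constructed: a first sighting, then a later event of the same origin
    {"label": "CLUSTER-1", "date": "2019-06-02", "iocs": {"203.0.113.10", "sha256:PLACEHOLDER_A"}, "ttps": {"spearphishing attachment"}},
    {"label": "unknown", "date": "2019-11-20", "iocs": {"203.0.113.10", "198.51.100.7"}, "ttps": {"scheduled task persistence"}},
]


def build_store(events=EVENTS):
    store = IntelStore()
    for ev in events:
        store.ingest(ev)
    return store
```

The second event arrives labelled "unknown", but the shared address cross-references the stored record, so it is merged as a correction rather than filed as new activity.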


You may have noticed that "intelligence" has come up throughout. Intelligence exists to support decision-making; if it is not disseminated, our security analysis is meaningless.

How should it be disseminated?

Before answering that question, we have to start from how the security personnel involved are positioned.

0x03 Postscript

Personal view: information obtained from untrustworthy sources cannot be called intelligence. Producing useful security intelligence requires completing a full analysis cycle. Based on everyday work experience, I divide security analysis into seven stages:

The seven stages are adjusted slightly for different security events, but the life cycle stays the same. To do security analysis we must have a foothold, namely IOCs; information collection is roughly equivalent to IOC collection. GOSINT, the open source IOC collection platform Cisco released earlier, handles the first three steps well and is worth a look.

That is all for now. Security analysis is a broad concept, and security personnel on the customer side (Party A) and the vendor side (Party B) see it very differently; this post looks at security analysis only from the perspective of personal security research.


Personal blog:

Later I will release some security analysis tools; feel free to bookmark this.