
Some thoughts on Security Service

2025-01-19 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

A summary of some problems encountered in security service work, with some thoughts on each.

(I) The main work of the security service team

(1) Emergency response, forensics and source tracing.

(2) Analyze and handle network threats in customer environments.

(3) Work with the company's own products to find threats and resolve network security problems.

(4) Track major threat events and relay the remediation to the customer side promptly.

(II) Tasks of the security service team in practice

1) Security assurance: two kinds of security service are provided at major national events.

The first is an unpaid security assurance task led by the Ministry of Public Security and supported by our unit. An engineer is stationed on site 24 hours a day during the event; there is no need to take over the network security of the protected organization proactively. When a security incident occurs that the protected organization's own security team cannot resolve, we intervene and report to CNCERT.

The second is security service purchased by Party A (the customer) for a major event. We send one or two engineers to the site according to the contract, and they need to use network security equipment proactively to find and resolve problems.

2) Conference exchanges: thematic exchanges organized by the competent authorities to promote the culture or the industry.

3) Emergency response: when a customer's network suffers a *, send an engineer to stop the *, restore normal operation of the system, and complete follow-up reinforcement and source tracing.

4) Project support: support projects of other departments, mainly sales, pre-sales, after-sales and R&D.

5) Threat analysis: analysis of samples, traffic, security logs and similar material.

6) Product inspection: under the contract, provide security inspection services based on the company's products, complete the inspection report, and work with customers to handle threats.

7) Training projects: mainly malicious code analysis, security awareness, * *, reinforcement and other training.

8) Technical research: personal technical improvement or project-related technical research.

9) R&D projects: platform building, tool writing and other R&D.

10) Other projects: those not covered by the nine categories above.

(III) In line with the mission and planning requirements, the team needs the following capabilities

(1) Sample analysis capability, mainly rapid identification.

(2) Network traffic analysis capability.

(3) Comprehensive understanding of * scenarios.

(4) Log analysis capability for network security devices.

(5) Effective communication with customers.

(6) Capacity to deliver major projects.

(7) Situational awareness platform service capability.

The following are thoughts on each task.

(1) Emergency response thinking (describing the problem is more important than solving the problem)

1. The person in charge takes the customer's emergency call, asks about the situation, makes a preliminary judgement, and forms an emergency team. Questions to ask: What symptoms revealed the problem? When did it occur? What has already been done? Does it affect the business, and can the network be disconnected? What operating system does the affected machine run? Is remote access possible? Remote guidance to the customer: if the business allows, disconnect the network and switch to backup; if the business allows, install antivirus software and run a full scan and removal; preserve the scene and wait for the engineer to collect evidence.

2. On-site

The administrator is required to accompany and participate throughout. The main purpose is to return the business to normal, and to fully understand the network architecture for source tracing and reinforcement.

At present the more prominent problems in implementation are: security service personnel have little emergency-response experience on Linux servers, and network device logs receive no attention.

(2) Thoughts on sample analysis

1. Compute the MD5 value and look up the MD5 value or file name on a threat intelligence platform or Google.

2. Dynamic monitoring: observe file behaviour and network behaviour. Look up the observed file paths, registry keys, network addresses, etc. on the threat platform.

3. After unpacking, statically inspect the strings and look them up on the threat platform.

4. Debugging and analysis.

Take screenshots of the key points.
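Steps 1 and 3 above (hash the file, then pull out the strings worth looking up) can be scripted so the triage is repeatable. The following is an added example and not code from the original post; the sample bytes are constructed here to stand in for a suspicious file, and the string categories (URL, IPv4, registry path, Windows file path) are an assumed grouping chosen to match what the post says to look up on a threat platform.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a suspicious file (not a real malware sample): a fake
# header, some non-printable bytes, and a few embedded strings of the kinds that
# step 3 says to look up on a threat intelligence platform.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"http://example-c2.invalid/gate.php\x00"
    + b"\x01\x02\x03"
    + b"192.0.2.45\x00"
    + b"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00"
    + b"ab\x00"  # shorter than the minimum string length, so it is dropped
)

# Assumed categories; patterns are anchored so a string lands in at most one bucket.
IOC_PATTERNS = {
    "url": re.compile(r"^https?://\S+$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "registry": re.compile(r"^HK(?:EY_[A-Z_]+|LM|CU|CR|U|CC)\\", re.I),
    "file_path": re.compile(r"^[A-Za-z]:\\"),
}


def file_hashes(data: bytes) -> dict:
    """MD5 (the value the post looks up) plus SHA-256, which most platforms also accept."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, the same idea as the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify_strings(strings: list) -> dict:
    """Group extracted strings into lookup buckets; unmatched strings go to 'other'."""
    buckets = defaultdict(list)
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            if pat.match(s):
                buckets[kind].append(s)
                break
        else:
            buckets["other"].append(s)
    return dict(buckets)


def triage(data: bytes) -> dict:
    """Static first pass: hashes to look up, raw strings, and the strings sorted by type."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "strings": strings,
        "iocs": classify_strings(strings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BYTES)
    print("hashes:", report["hashes"])
    for kind, items in report["iocs"].items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Run it against a real file by replacing `SAMPLE_BYTES` with the file's contents (`open(path, "rb").read()`); the `iocs` buckets are then the list to paste into the threat platform search, and the `other` bucket is what remains for manual review. Note that step 3 applies after unpacking: on a packed sample the strings will mostly be noise until the unpacked image is dumped.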

Current problems: analysis of exploit samples is difficult, as are repair of file-infecting viruses, batch sample analysis, and ransomware decryption.

(3) Thoughts on inspection work based on the company's security products

Understand the customer's concerns: some customers focus on threats, others want to keep things low-key.

Customers focus on key and high-value threats:

(1) Incident notifications from the regulatory authorities.

(2) Webpage tampering.

(3) Server outages.

(4) Data leakage.

Advanced threat scenarios that Party A may face:

(1) Advanced * * brought into the private network by personal flash drives.

(2) Using an employee's personal PC as a springboard.

(3) An employee clicks a web link and is hit by a browser 0day * *.

(4) An employee opens an email attachment (document or executable program).

(5) Stolen employee account information is used for the next step.

(6) Brute-forcing weak-password server accounts.

(7) Exploiting 0day vulnerabilities in server components.

Some further threat scenarios:

(1) Connections made late at night.

(2) A server initiating outbound connections to external IPs.

(3) Threat scenarios caused by large file transfers and large packets.

(4) DDoS denial of service * *.

(5) Threats intercepted by active defense.

(6) Unknown threats detected by the front-end sandbox.
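The first three scenarios in this list (late-night connections, servers connecting out, large transfers) are the kind of thing an inspection can check from connection logs before the platform's own alerts are even opened. The following is an added example and not code from the original post or from any product it mentions: the log format, the server subnet, the off-hours window and the size threshold are all assumptions, and the log lines are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed connection records in a simple key=value format (not from any real device).
SAMPLE_LOG = """\
2024-05-03 02:14:07 src=10.0.10.5 dst=203.0.113.9 dport=443 bytes_out=4096
2024-05-03 10:30:11 src=10.0.20.33 dst=198.51.100.7 dport=80 bytes_out=15000
2024-05-03 11:02:45 src=10.0.10.8 dst=198.51.100.20 dport=8443 bytes_out=734003200
2024-05-03 14:15:00 src=10.0.20.40 dst=10.0.10.5 dport=445 bytes_out=2048
2024-05-03 03:41:19 src=10.0.20.41 dst=192.0.2.77 dport=53 bytes_out=512
"""

# Assumptions for this example: which ranges count as internal, which segment holds
# servers (scenario 2), what "late at night" means (scenario 1), and how many bytes
# make a transfer "large" (scenario 3). Each would be tuned per customer.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SERVER_SUBNET = ipaddress.ip_network("10.0.10.0/24")
OFF_HOURS = range(0, 6)                   # 00:00-05:59 local time
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line: str):
    """Parse one record into typed fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "bytes_out": int(m["bytes_out"]),
    }


def is_external(addr) -> bool:
    """External means not inside any of the internal ranges defined above."""
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(rec: dict) -> list:
    """Return the names of the scenarios a single record matches (empty if none)."""
    hits = []
    external = is_external(rec["dst"])
    if external and rec["ts"].hour in OFF_HOURS:
        hits.append("off_hours_external")       # scenario 1
    if external and rec["src"] in SERVER_SUBNET:
        hits.append("server_outbound")          # scenario 2
    if external and rec["bytes_out"] >= LARGE_TRANSFER_BYTES:
        hits.append("large_outbound_transfer")  # scenario 3
    return hits


def scan(log_text: str) -> list:
    """Run every record through the rules; return (line, hits) pairs for records that fire."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = evaluate(rec)
        if hits:
            alerts.append((line, hits))
    return alerts


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Internal-to-internal traffic never fires here, so a lateral-movement case such as the SMB connection in the fourth sample line is deliberately out of scope; that is what the "springboard" scenario in the previous list is about and it needs host logs, not just connection records. A record can match several rules at once, which is usually the one worth reviewing first.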

(4) Other plans of the group

(1) When a difficult security incident cannot be determined, bring in other security groups to study and assess the threat; this can be understood as expert consultation.

(2) Hold a regular security meeting, once a week or every morning, to assign work and to report on and review the threats handled.

(3) Share cases and reports on more important events, such as newly emerging techniques.

(5) What enterprises should do

(1) Protect email.

(2) Protect against USB flash drives.

(3) Install the latest vulnerability patches.

(4) Terminal antivirus and active defense.


© 2024 shulou.com SLNews company. All rights reserved.
