
Security threat confrontation has entered a new stage

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Security threat confrontation has entered a new stage

1.1 Threats: besieged on all sides

Overall, current security threats show an evolutionary trend in four respects, which together can be called a siege on all sides:

First, the scope of attacks keeps expanding, from traditional IT infrastructure to the supply chain, industrial control systems, the cloud, and BYOD and IoT devices.

Second, the cost of attacks is falling. A report released on May 27th, 2015 disclosed Vietnamese attacks against us whose distinguishing feature was the use of Cobalt Strike, a commercial attack platform produced in the United States. Both the WannaCry incident and the Petya incident (which masqueraded as a ransomware worm) used a military-grade exploit developed by the US NSA and leaked by the Shadow Brokers on April 14, 2017.

Third, the number of supporting points is increasing. The underground economy, now operating at big-data scale, has become an underground intelligence system; botnets provide large numbers of zombie nodes, and Bitcoin provides a new, hard-to-trace way to take profits.

Fourth, attack methods are becoming multi-dimensional. What used to be simple access over the Internet has evolved into combined operations. In the Ukrainian power outage, for example, the mode of operation combined online malicious code with an offline telephone denial-of-service against the utility's emergency call lines. It also includes the pre-implanted compromises we have seen so often in the upstream supply chain, as well as human insiders brought in and traditional electromagnetic means.

Under these conditions, single-point security products cannot deal with comprehensive security problems, so it is all the more necessary to build a systematic situational awareness capability. However, traditional situational awareness is full of showmanship, big screens and "attack maps", and some vendors still measure a product by how many billions of attacks it has blocked. If in the DDoS era and the worm era the number of infections or the number of attacks was a measure of an event's intensity, then under the highly covert nature of APT this kind of statistic is completely meaningless. As the General Secretary said on May 25th, 2016, "easily seen threats are often not the higher-risk threats; the higher-risk threats are often difficult to see."

1.2 Traditional confrontation

From another angle, the confrontation between attackers and security measures has also entered a new historical stage. Traditional confrontation can be summarized in three categories:

The first is confrontation against payload detection, mainly penetrating the normalization mechanism of traditional detection engines (the unpacking, decoding and format-parsing step that turns a sample into a form the engine can match).

The second is the scenario confrontation on the host system, which we call the rootkit; it has since evolved into the BIOSkit and the bootkit. Its core is to keep the attack payload out of reach of the security product's I/O capability, so that the payload never enters the product's internal processing cycle.

The third is evasion technology on the network side: encryption, encoding, camouflage, piggybacking on legitimate traffic, and other ways of countering the corresponding perception and analysis means.

1.3 Closed loops: from single capability points to systematic capability

Generally speaking, traditional confrontation is still single-point confrontation, corresponding to the cycle built into security products from I/O to detection to disposal, with evasion of detection, concealment and escape as its basic points.

Today, attacks have evolved into systematic attacks, aimed not only at the small closed loop of "I/O → detect → dispose" but also at the large closed loop between a security vendor and its products. First, attackers can obtain the products themselves for simulation testing, including building the corresponding scenarios. Second, both the vendor's ability to push capability to customers and the customers' uplink telemetry to the vendor can be interfered with. In addition, incidents like Duqu 2.0 attacking Kaspersky show that security vendors are themselves direct targets of advanced threats, and that there is a great deal of interference in the large volume of data security vendors receive every day.

1.4 Attack equipment for penetrating active defense, physical isolation, etc.

It can be seen that penetration by high-level attackers follows a method: it is not simple one-to-one signature-free confrontation, but is aimed at the weakness of active defense mechanisms based on weighted behavioral characteristics. For example, the US side breaks its host operations into atomized operations, so that no single module constitutes an alarm; attackers use dedicated delivery hardware to achieve injection and information exfiltration, which bypasses the monitoring scenario in the network (with an attack platform supporting the back end).
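To make the "atomized operations" point concrete, here is an added Python example that is not part of the original article and is not any vendor's product logic: a toy behaviour-weighted host detector in two versions. The action weights, the alert threshold and the event log are constructed for illustration. The first version scores each process in isolation, the weakness the text describes, so an intrusion split across child processes never crosses the threshold. The second version correlates the same events along the process lineage (parent/child tree) within a time window, which is the check a defender needs against this evasion.

```python
"""Added example: behaviour-weighted detection defeated by atomized
operations, and lineage correlation as the countermeasure.
All weights, thresholds and events are constructed for illustration."""
from collections import defaultdict

# Hypothetical weights for atomic host actions; not taken from any real product.
ACTION_WEIGHTS = {
    "read_lsass": 40,              # credential access
    "create_scheduled_task": 30,   # persistence
    "write_autorun_key": 30,       # persistence
    "spawn_encoded_powershell": 35,
    "outbound_dns_txt": 25,        # covert channel / exfiltration
    "file_write_temp": 5,          # common benign noise
}
ALERT_THRESHOLD = 60  # a scored unit must reach this to alert


def score_per_process(events):
    """Naive active-defence model: each process is scored only on its own actions.
    Returns {pid: score} for processes at or above ALERT_THRESHOLD."""
    scores = defaultdict(int)
    for ev in events:
        scores[ev["pid"]] += ACTION_WEIGHTS.get(ev["action"], 0)
    return {pid: s for pid, s in scores.items() if s >= ALERT_THRESHOLD}


def root_of(pid, parent):
    """Climb the pid -> ppid map to the top-most process present in the log.
    The 'seen' guard prevents an endless loop if the OS reused a pid."""
    seen = {pid}
    while parent.get(pid) in parent and parent[pid] not in seen:
        pid = parent[pid]
        seen.add(pid)
    return pid


def score_per_lineage(events, window_s=3600):
    """Correlated model: the actions of a whole process tree are summed,
    bounded to window_s seconds after the tree's first observed event.
    Returns {root_pid: score} for trees at or above ALERT_THRESHOLD."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    by_root = defaultdict(list)
    for ev in events:
        by_root[root_of(ev["pid"], parent)].append(ev)
    alerts = {}
    for root, evs in by_root.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        total = sum(ACTION_WEIGHTS.get(e["action"], 0)
                    for e in evs if e["ts"] - start <= window_s)
        if total >= ALERT_THRESHOLD:
            alerts[root] = total
    return alerts


# Constructed event log: one intrusion spread over four processes so that no
# single process scores above 40, plus one unrelated benign process (pid 200).
ATOMIZED_INTRUSION = [
    {"ts": 0,   "pid": 100, "ppid": 1,   "action": "file_write_temp"},
    {"ts": 60,  "pid": 101, "ppid": 100, "action": "read_lsass"},
    {"ts": 120, "pid": 102, "ppid": 100, "action": "create_scheduled_task"},
    {"ts": 180, "pid": 103, "ppid": 102, "action": "outbound_dns_txt"},
    {"ts": 200, "pid": 200, "ppid": 1,   "action": "file_write_temp"},
]

if __name__ == "__main__":
    print("per-process alerts:", score_per_process(ATOMIZED_INTRUSION))  # {}
    print("per-lineage alerts:", score_per_lineage(ATOMIZED_INTRUSION))  # {100: 100}
```

In the per-process model the highest single score is 40 (read_lsass in pid 101), below the threshold, which is exactly the evasion the paragraph describes; the lineage model sums the same tree to 100 and alerts on the root pid 100. A real implementation needs further care that this toy omits: pid reuse, long-lived parents such as a shell or explorer.exe that accumulate benign noise over time, and attackers who break the lineage altogether by injecting into an existing process or, as the text notes, by using dedicated hardware that never produces a host event at all.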

1.5 Attackers' perception coverage and capability to strike

In fact, when the defender has situational awareness, the attacker has situational awareness too. According to documents leaked by Snowden, the NSA has run a CamberDaDa plan since 2007, focused on targets such as the Russian Defense Products Export Corporation. How does the plan ensure it stays effective against the target? It uses persistent access points it has established in Russian telecommunications networks to watch the communication between the attack targets and Kaspersky. When an alert sent to Kaspersky contains a US sample or attack information, the attack is considered exposed; when the alert contains a third-party sample, the US tries whether that third-party sample can be reused.

1.6 Cyber range: building and simulating defense capability

At the same time, cyber range technology, now widely used, has turned the traditional approach of evading antivirus software or penetrating a single security product into simulating the defender's entire defense system, in order to study how to bypass that system effectively.

1.7 Establish an effective "enemy scenario" for dealing with security issues

Given the systematic capability evolution of attackers, continuing to think about security in the traditional terms of "physical isolation + good-person assumption + rule deduction" constitutes the greatest self-inflicted security paralysis of the present day; therefore both the research and development of situational awareness and the design of specific security products need to be based on an effective "enemy scenario", that is, an explicit adversary model. In his speech on April 19, the General Secretary also clearly warned that "the physical-isolation line of defense can be crossed by cross-network attacks" and that the idea of relying on a single product to ensure security is outdated.
