Updated 2025-03-28. Source: SLTechnology News & Howtos (Shulou), Database section.
Shulou (Shulou.com), 06/01 report
This article grew out of a shared reflection on the present and future of the network security industry. Practitioners keep looking for genuine security capability, yet the understanding held by the two sides, Party A and Party B (customer and vendor), red and blue, is to some degree misaligned, limited and one-sided. So the participants decided to hold a collision in the cloud: a collision of ideas and of practical experience.
The result is one panoramic framework for red-blue attack and defense and five dynamic wargame diagrams, polished by deep thinking from both the red and blue sides and debated by dozens of attack and defense experts in hundreds of online and offline meetings over three months. It is collective wisdom with initial results, shared with the industry while the research continues: quality first, built together in good faith.
We salute and thank the following red and blue security capability holders and third-party organizations for their comments and guidance, and for contributing together to the continued construction of a security hub for Digital China.
Kelai, Qingtenyun Security, Changting Technology, San Bourn, Ambertong, Huayun'an, Bai Maohui, Trusted Huatai, CITIC Network Security, Zhongrui World, Kyushu Juyuan, Zhong An Visa, Hangzhou Shiping, Micro Step Online, Anxin Network Shield, Midea Chuang Technology, Saining Network Security, Shenzhen Convincing, Xinhua San, Taiji Shares, Guoxin New Network, the Information Security Professional Committee of the China Information Association, the Information Industry Information Security Evaluation Center, and the Ministry of Public Security Information Security Classified Protection Evaluation Center.
-- Digital Consulting & PCSA Security Capability Alliance
Summary: through six live-fire wargame deductions, this report shows the attacker's process from attack surface analysis through boundary breakthrough and lateral movement to capture of the target, combined with the views of security capability holders, third-party institutions and security operators. For the defender it lays out, as a panorama, the objects and steps of a large-scale network security attack and defense exercise, from basic protection through enhanced protection to collaborative protection. Throughout the report the red side is the attacker and the blue side the defender.
I. Live-fire wargame deduction
Figure 1
Caption: the red and blue sides formulate attack and defense strategies around the protected object (the core, or "nerve center", target) and then play out four stages: attack surface analysis against exposure convergence, boundary breakthrough against boundary defense, lateral movement against area (security domain) control, and capture of the core area against forced control of it.
Key points: strategy formulation, like an operational plan and a defense plan, is the premise of the deduction, and each stage calls for a different strategy. The attacker generally works from a point to a surface and back to a point (one foothold, broad internal reconnaissance, then the single core target), while the defender works from the surface back to the core point (reduce the whole exposed surface, then concentrate on the core). Strategy and capability on both sides combine into layer-by-layer penetration against defense in depth.
Attack: strategy formulation - attack surface analysis - boundary breakthrough - lateral movement - target capture - lurking / concealment / withdrawal
Defense: strategy formulation - exposure convergence - boundary protection - area control - enhanced control - basic / enhanced / collaborative protection
Figure 2
Caption: after both sides have set their attack and defense strategies around the protected object (the nerve center target), the first step is attack surface analysis (red) against exposure convergence (blue).
Key points: the attack surface comprises Internet-facing information, organizational structure, personnel information, third-party platforms (open source platforms, cloud platforms and so on), the supply chain (equipment, personnel, services, DNS, ISP, ICP), weaknesses in externally facing services at the application, system, data, network and platform layers, Internet IPs, ports, domain names, VPNs and e-mail, and user information and passwords of every kind.
Attacks: information gathering, social engineering, multi-layer scanning, crawling, phishing, credential stuffing, SQL injection, etc.
Defense: set security requirements for the third-party platforms the organization uses online; raise the security requirements placed on supply chain providers; manage the organization's Internet-facing information; reduce unnecessary Internet egress points; shut down unnecessary systems, services and ports; make dynamic, real-time, in-depth monitoring routine, including sniffing tools; keep a clear picture of the exposed surface, update the list of weaknesses in real time and harden promptly; institutionalize the security organization and security awareness training.
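Exposure convergence is only as good as the comparison between what the organization thinks it exposes and what a scanner actually sees. The following is an added example (not from the report or any of the listed vendors) of that comparison: an approved-exposure inventory, a constructed scan result and a list of services that should never face the Internet are all assumptions made up for illustration. It flags hosts nobody owns, ports nobody approved, high-risk services, and approved exposures the scan no longer sees so the inventory itself can be converged.

```python
"""Exposure-convergence check: compare an external scan against the approved
exposure inventory. Added example; the inventory, scan lines and risk list are
constructed for illustration and are not from the report."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical approved inventory: public IP -> ports that are meant to be reachable.
APPROVED_EXPOSURE: Dict[str, Set[int]] = {
    "203.0.113.10": {443},          # public web front end
    "203.0.113.11": {443, 22},      # bastion: HTTPS plus SSH for admins
    "203.0.113.12": {25, 587},      # mail gateway
}

# Services that should never face the Internet regardless of inventory (assumption).
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}

# Constructed scan output, one "ip port/proto state service" line per port.
SCAN_LINES = """\
203.0.113.10 443/tcp open https
203.0.113.10 8080/tcp open http-proxy
203.0.113.11 443/tcp open https
203.0.113.11 22/tcp open ssh
203.0.113.12 25/tcp open smtp
203.0.113.12 6379/tcp open redis
203.0.113.40 3389/tcp open ms-wbt-server
203.0.113.40 80/tcp closed http
"""

@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    kind: str  # "unknown_host", "unapproved_port" or "high_risk"

def parse_scan(text: str) -> List[tuple]:
    """Return (ip, port, service) for every open port in the scan text."""
    opened = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "open":
            continue
        ip, portproto, _state, service = parts[:4]
        opened.append((ip, int(portproto.split("/")[0]), service))
    return opened

def converge(scan_text: str, approved: Dict[str, Set[int]]) -> List[Finding]:
    """Report every exposure that the approved inventory does not explain.
    Unknown hosts are the worst case: nobody owns them, so nobody patches them."""
    findings = []
    for ip, port, service in parse_scan(scan_text):
        if ip not in approved:
            findings.append(Finding(ip, port, service, "unknown_host"))
        elif port not in approved[ip]:
            findings.append(Finding(ip, port, service, "unapproved_port"))
        if port in HIGH_RISK_PORTS:
            findings.append(Finding(ip, port, service, "high_risk"))
    return findings

def stale_approvals(scan_text: str, approved: Dict[str, Set[int]]) -> Set[tuple]:
    """Approved exposures the scan no longer sees: candidates to drop from the
    inventory so the approved surface does not silently grow over time."""
    seen = {(ip, port) for ip, port, _ in parse_scan(scan_text)}
    return {(ip, p) for ip, ports in approved.items() for p in ports} - seen

if __name__ == "__main__":
    for f in converge(SCAN_LINES, APPROVED_EXPOSURE):
        print(f"{f.kind:15} {f.ip}:{f.port} ({f.service})")
    print("stale approvals:", stale_approvals(SCAN_LINES, APPROVED_EXPOSURE))
```

Run against a real scan, the two outputs drive two different actions: each `converge` finding is either closed or added to the inventory with an owner, and each stale approval is removed so that the approved list stays a true statement of intent rather than a history of everything that was ever opened.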
Figure 3
Caption: after both sides have set their strategies around the protected object (the nerve center target), the first step is attack surface analysis against exposure convergence; the second step is boundary breakthrough against boundary defense.
Key points: from the attack surface analysis and the deduced attack plan, the attacker identifies the exploitable vulnerabilities and then chooses, probes and breaks through an attack path. Boundary breakthrough uses a variety of attack methods to tear open the outermost layer of the target's defenses, and the break-in point is usually something neglected or hard to manage. For the defender, awareness comes first: know the state of your own boundary defenses and their shortcomings, hold the first line of defense, and build and operate the management, technical and operational systems behind it.
Attacks: vulnerability exploitation, automated and manual penetration, dictionary attacks, password brute-forcing, DDoS, backdoors, phishing, etc.
Defense: multi-factor authentication, access control, dual redundancy and heterogeneity, web monitoring and defense, honeypots, traffic monitoring and scrubbing, malicious code protection, intrusion detection and prevention, real-time vulnerability monitoring and hardening, privileged user control, weak password policy and cleanup, removal of redundant security policies, threat intelligence, attack traceability, etc.
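Dictionary attacks and password brute-forcing at the boundary leave a distinctive trail in authentication logs, and password spraying (a few guesses against many accounts, to stay under lockout thresholds) leaves a different one. The following is an added example, not taken from the report or any vendor product, of detection logic for both over a constructed log extract; the log format, the field names and the thresholds are assumptions for the demonstration and would be replaced by those of the real VPN or SSO system. It also flags the case defenders care most about: a successful login from a source that was already spraying.

```python
"""Detect dictionary attacks and password spraying in authentication logs.
Added example; the log format and thresholds are assumptions, and the sample
lines are constructed, not taken from the report."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed VPN/SSO log lines. A real parser is written for the real format.
SAMPLE_LOG = """\
2020-06-01T09:00:01 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:00:02 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:00:03 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:00:04 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:00:05 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:00:06 src=198.51.100.7 user=alice result=FAIL
2020-06-01T09:10:00 src=203.0.113.99 user=bob result=FAIL
2020-06-01T09:10:05 src=203.0.113.99 user=carol result=FAIL
2020-06-01T09:10:10 src=203.0.113.99 user=dave result=FAIL
2020-06-01T09:10:15 src=203.0.113.99 user=erin result=FAIL
2020-06-01T09:10:20 src=203.0.113.99 user=frank result=FAIL
2020-06-01T09:10:25 src=203.0.113.99 user=grace result=SUCCESS
2020-06-01T12:00:00 src=192.0.2.5 user=heidi result=FAIL
2020-06-01T12:00:30 src=192.0.2.5 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

WINDOW_SECONDS = 300      # look-back window per source address (assumption)
BRUTE_FORCE_FAILS = 5     # same source, same account
SPRAY_ACCOUNTS = 5        # same source, distinct accounts that each failed

def parse(text: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip unparseable lines rather than crash
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events, key=lambda e: e[0])

def detect(text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (kind, src, user) alerts. Kinds:
    brute_force          - one account hammered from one source
    password_spray       - many accounts, few tries each, from one source
    success_after_spray  - a login succeeded from a source already spraying"""
    alerts: Set[Tuple[str, str, str]] = set()
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (ts, user, result)
    for ts, src, user, result in parse(text):
        q = recent[src]
        while q and (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                   # drop events outside the window
        failed_users = [u for _, u, r in q if r == "FAIL"]
        if result == "FAIL":
            if failed_users.count(user) + 1 >= BRUTE_FORCE_FAILS:
                alerts.add(("brute_force", src, user))
            if len(set(failed_users) | {user}) >= SPRAY_ACCOUNTS:
                alerts.add(("password_spray", src, "*"))
        elif len(set(failed_users)) >= SPRAY_ACCOUNTS:
            alerts.add(("success_after_spray", src, user))
        q.append((ts, user, result))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG):
        print(f"{kind:20} {src:15} {user}")
```

A single mistyped password followed by a success (the `heidi` lines) produces nothing, which is the point of keeping the per-account and per-source thresholds separate: the brute-force rule catches volume against one account, the spray rule catches breadth across accounts, and neither fires on ordinary user error.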
Figure 4
Caption: after both sides have set their strategies around the protected object (the nerve center target), the first step is attack surface analysis against exposure convergence and the second is boundary breakthrough against boundary defense. If the boundary is breached, the exercise enters the third stage: lateral movement against area control.
Key point: whether the attacker gets through the boundary depends largely on the defender's maturity. After breaching the first line, the attacker disguises himself as far as possible while quietly searching for the next attack path and the next pivot host. Losing the first line of defense is grim and puts the defender on the back foot, but it is not fatal. If in-depth monitoring and detection are effective and the security domain control policies and hardening are in place, the abnormal behavior of lateral movement can be detected in time, the attacker is confined to a short window or held by strong area control measures, and the defender wins the third stage.
Attacks: vulnerability exploitation, automated and manual penetration, dictionary attacks, password brute-forcing, privilege escalation, etc.
Defense: hierarchical security domains, strong access control policies between domains, elimination of redundant policies, strong authentication and monitoring of internal accounts, heterogeneous boundaries between layered areas, in-depth traffic monitoring and early warning, heterogeneous malicious code protection, trusted computing, real-time vulnerability monitoring and hardening, privileged user control, weak password policy and cleanup, etc.
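Area control gives the defender two complementary signals in east-west traffic: a flow that crosses security domains the domain policy does not allow, and a single internal host fanning out to many others over remote-administration protocols, which is what an attacker hunting for a pivot host looks like even when every individual connection is permitted. The following is an added example (not from the report or any vendor) of both checks over constructed flow records; the zone map, the inter-domain policy, the set of admin ports and the flows themselves are assumptions made up for the demonstration.

```python
"""Two checks a defender can run on east-west flow records during the lateral
movement stage: (1) a flow crosses security domains in a way the domain policy
does not allow, (2) one internal host fans out to many others on admin ports
inside a short window. Added example; the zone map, policy, ports and flow
records are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Hypothetical security domains (zones) by subnet.
ZONES = {
    "office":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":     ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
    "core":    ipaddress.ip_network("10.40.0.0/24"),   # the "nerve center"
}

# Hypothetical domain access policy: (src_zone, dst_zone) -> allowed dst ports.
# Anything not listed is a violation. The core accepts traffic only from servers.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("office", "dmz"):     {443},
    ("office", "servers"): {443, 445, 3389},
    ("dmz", "servers"):    {5432},
    ("servers", "core"):   {1521},
}

ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}   # remote-admin protocols (assumption)
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_HOSTS = 5

# Constructed flow records: time, src, dst, dst_port.
FLOWS = [
    ("2020-06-01T10:00:00", "10.10.5.23", "10.20.0.10", 443),   # normal web use
    ("2020-06-01T10:01:00", "10.10.5.23", "10.30.0.15", 445),   # allowed file share
    ("2020-06-01T10:02:00", "10.10.5.23", "10.40.0.5", 1521),   # office -> core: violation
    ("2020-06-01T10:03:00", "10.20.0.10", "10.30.0.15", 5432),  # dmz app -> db: allowed
    ("2020-06-01T10:03:30", "10.20.0.10", "10.30.0.15", 22),    # dmz -> db over ssh: violation
    ("2020-06-01T10:04:00", "10.30.0.15", "10.40.0.5", 1521),   # servers -> core: allowed
] + [
    # one compromised office host probing RDP across the server zone; each flow
    # is allowed by POLICY, so only the fan-out check can see it
    (f"2020-06-01T10:05:{i:02d}", "10.10.5.23", f"10.30.0.{20 + i}", 3389)
    for i in range(6)
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def policy_violations(flows) -> List[Tuple[str, str, int, str]]:
    """Flows that cross zones without a matching allow entry.
    Intra-zone traffic is not judged here; fan-out detection covers it."""
    out = []
    for _ts, src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue
        if port not in POLICY.get((sz, dz), set()):
            out.append((src, dst, port, f"{sz}->{dz}"))
    return out

def fanout_alerts(flows) -> List[Tuple[str, int]]:
    """Sources reaching >= FANOUT_HOSTS distinct hosts on admin ports within the window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append((src, len(hosts)))
                break
    return alerts

if __name__ == "__main__":
    for v in policy_violations(FLOWS):
        print("policy violation:", v)
    for a in fanout_alerts(FLOWS):
        print("admin-port fan-out:", a)
```

The two checks are deliberately independent. The policy check is the enforcement view (what the domain boundaries are supposed to allow) and the fan-out check is the behavioral view (what a host actually does with what it is allowed); the sample host `10.10.5.23` is caught by the first for touching the core and by the second for sweeping the server zone over RDP, which the policy permits connection by connection.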
Figure 5
Caption: after both sides have set their strategies around the protected object (the nerve center target), the first step is attack surface analysis against exposure convergence, the second is boundary breakthrough against boundary defense, and the third is lateral movement against area control. If domain control is lost in the third step, the exercise enters the fourth: the core contest, capture of the nerve center target against forced control of it.
Key point: once the attacker has broken through domain control, winning the core target is not far off. Getting this far usually takes a long time, but the critical moment has arrived. If the defender has still not detected the intrusion, the probability of the core target being captured is close to 100%, though not beyond all hope: a defender who has done the essentials right at the core can still keep the nerve center target from being captured, even at a greater cost.
Attacks: vulnerability exploitation, automated and manual penetration, dictionary attacks, password brute-forcing, privilege escalation, etc.
Defense: real-time in-depth traffic monitoring and early warning, real-time weakness monitoring and hardening, strict control of privileged users, shutting down unnecessary services and ports on the target, enforcing strict trusted blacklist and whitelist policies, removing unnecessary accounts on the target, strengthening multi-factor authentication and password strength on the target, etc.
Figure 6
Caption: in sum, an attacker will not spend significant resources and effort on a worthless system. Defensive thinking moves from passive to active and from the boundary into depth, in three layers. Basic protection: a clearly defined protected object, convergence of the exposed surface, multi-factor authentication, clearly implemented access policies, real-time in-depth monitoring and trusted hardening, well-managed user information, strict control of privileged users, elimination of weak passwords, and, on the basis of compliance, the basic requirements of the management, technical and operations systems. Enhanced protection concentrates on key points and key links: an integrated security strategy, in-depth monitoring and traceability, deep real-time monitoring, routine enhanced drills and exercises, a clear, complete and dynamic asset repository, a complete real-time risk repository and a more comprehensive capability repository, and an integrated security operations center that accurately monitors and analyzes dynamic anomalies of ID, IP and ACT (identity, address, action) across the core links of defense, detection, prediction and response, and responds precisely. Collaborative protection: in the event of large-scale attacks and emergencies, operators, industry units, civil forces and regulators are mobilized for coordinated defense through information sharing and command coordination.
This concludes the research results for the first half of 2020. The red and blue capability holders are continuing the research, and we hope more regulatory bodies, industry users and security practitioners will follow and guide it, and that more capability holders will keep joining. We look forward to the 2021 edition of the "Red and Blue Attack and Defense Panorama".
II. Security capability holders
Network layer security capability: Kelai
Any network activity inevitably generates network traffic. By recording all traffic on the network and monitoring and analyzing it in depth in real time, one can understand everything that happens on the network and discover and respond to unknown threats at the earliest moment. This gives users a "God's-eye view" of network security and, together with other capabilities, raises the bar for attackers.
Attack and defense confrontation requires tracing and evidence collection for security incidents. High-performance retrieval and analysis allows historical event information from any period to be traced back, the real attack process to be reconstructed, and the attack source, tactics and other information to be established, providing a strategic basis for defense and raising the overall protection level of security operators actively, intelligently, efficiently and across multiple dimensions.
Host layer security capability: Qingtenyun Security
From boundary breakthrough to target capture, the host is the last line of defense in the confrontation. Reducing the "exposure" of assets at the host level, through dynamic monitoring, routine self-assessment, real-time hardening and so on, is a precondition for reducing attacks. Strong "area control" at the host, including asset discovery, security hardening, incident forensics, virus and Trojan detection and removal, vulnerability detection and remediation, anomaly monitoring and in-depth detection, determines how reliable that last line of defense is. We help users keep hosts stable and secure through complete asset inventory, rapid risk discovery, real-time intrusion detection and one-click compliance checks.
Host layer security capability: Trusted Huatai
The core host is the attacker's most valuable target, and attackers exploit inherent weaknesses of the computer system architecture to build viruses, Trojans and exploits. Traditional protection still guards against specific known vulnerabilities and specific known attacks. Using the trusted computing approach, we build a "white blood cell" immune platform for the operating system that couples security protection with system operation and, on the basis of trusted measurement and trusted verification, actively monitors and controls every key link of system execution, for active defense against both known and unknown threats. It meets the trusted verification requirements of Classified Protection 2.0 (MLPS 2.0) and provides unified trusted management of hosts.
Application layer security capability: Changting Technology
After the attack and defense drills, many defenders found that traditional perimeter defense is gradually failing: new vulnerabilities appear at a geometric rate, a single lapse in the perimeter system sharply reduces the expected protection, protection rules are bypassed again and again, and some security products have themselves become the attacker's way into the intranet because of their own vulnerabilities. Defenders must adjust their protection systems to the new situation. As the proverb has it, when vice rises a foot, virtue must rise ten: the defender borrows the attacker's own camouflage and deception. Honeypots inside and outside the perimeter lure and trace attackers who are still in the asset reconnaissance stage, and at the application layer a semantic-analysis WAF intercepts the great majority of web attacks. Together these measures leave attackers nowhere to hide.
Red team live-fire platform capability: San Bourn
The core of network attack and defense confrontation is the contest of technical capability between the two ends, and only constant real exercises and collisions between them can keep improving both attack and defense technology. How to guarantee the authenticity and safety of the exercise process has become a hot topic. Daily drills need to become routine, and a red team live-fire collaboration platform provides simulated attack, collaborative operation, data sharing and end-to-end audit, so that the defender better understands the attacker's efficiency and the attack and defense work remains authentic and safe.
Network security policy visualization capability: Ambertong
A network attack breaks through boundaries layer by layer. The defender should use security policy as a firm handle for strengthening area isolation and boundary protection: plan network access control policy from the top down and audit policy configuration regularly, so that misconfigurations such as redundant, expired and empty policies, and network risks such as unauthorized access and open high-risk ports, have nowhere to hide. Centralized policy management with regular audit and automated maintenance gives asset discovery, vulnerability detection, access control, intrusion monitoring and other capabilities a global, business-level view, and builds an integrated, visible, manageable and controllable picture of network security policy.
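The defects named above (redundant rules, expired rules, empty rules, high-risk ports open to everyone) can all be found mechanically once the rule base is exported. The following is an added example, not taken from the report or from any vendor's product, of such an audit over a constructed rule set with first-match semantics; the rule format, the high-risk port list and the sample rules are assumptions for the demonstration. A rule is "shadowed" (redundant) when an earlier rule already matches every packet it would match, which is also how a stale deny-all ends up silently disabled by a forgotten any/any allow above it.

```python
"""Audit a firewall policy for shadowed (redundant) rules, expired rules, empty
any/any allow rules, and high-risk ports opened from untrusted sources.
Added example; the rule format and sample rule set are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

HIGH_RISK_PORTS = {23, 135, 139, 445, 3389, 6379}   # assumption for the demo

@dataclass
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    ports: Set[int]     # empty set means any port
    action: str         # "allow" or "deny"
    expires: Optional[date] = None

def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet rule b matches."""
    return bool(_net(b.src).subnet_of(_net(a.src))
                and _net(b.dst).subnet_of(_net(a.dst))
                and (not a.ports or (b.ports and b.ports <= a.ports)))

def audit(rules: List[Rule], today: date) -> List[str]:
    findings = []
    for i, r in enumerate(rules):
        if r.expires and r.expires < today:
            findings.append(f"{r.name}: expired on {r.expires}")
        if r.action == "allow" and r.src == "any" and r.dst == "any" and not r.ports:
            findings.append(f"{r.name}: empty any/any allow rule")
        risky = r.ports & HIGH_RISK_PORTS
        if r.action == "allow" and r.src == "any" and risky:
            findings.append(f"{r.name}: high-risk ports {sorted(risky)} open from any")
        # first-match semantics: an earlier rule that covers this one shadows it
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
                break
    return findings

# Constructed sample policy, in evaluation order.
RULES = [
    Rule("allow-web", "any", "203.0.113.0/24", {80, 443}, "allow"),
    Rule("allow-admin-rdp", "any", "203.0.113.0/24", {3389}, "allow",
         expires=date(2020, 3, 31)),                           # temporary rule never removed
    Rule("allow-partner-https", "198.51.100.0/24", "203.0.113.10/32", {443}, "allow"),
    Rule("legacy-any", "any", "any", set(), "allow"),          # nobody remembers why
    Rule("deny-all", "any", "any", set(), "deny"),             # never reached
]

if __name__ == "__main__":
    for line in audit(RULES, date(2020, 6, 1)):
        print(line)
```

Shadow detection here is the simple pairwise form (one earlier rule fully covers the later one); rules made unreachable only by the union of several earlier rules need a set-cover computation and are left out deliberately. The `deny-all` finding is the one worth reading twice: a deny rule that is shadowed means the policy is not denying what its author believes it denies.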
Vulnerability management security capability: Huayun'an
Vulnerabilities are always the focus of contention between attacker and defender, but time and resources are limited. Prioritization based on vulnerability intelligence, asset exposure and severity guides security personnel on which vulnerabilities to fix first, and one-click automated remediation fixes them in the shortest possible time. Building their own threat and vulnerability management platform lets enterprises reduce security risk effectively and resolve the pain points of vulnerability management.
Network asset mapping security capability: Bai Maohui
As new applications and technologies keep arriving and new vulnerabilities keep being discovered, the attack surface grows in both scale and complexity, and monitoring, evaluating and converging it is an urgent problem for defenders. New IT facilities keep becoming more common, and we keep studying them. In the field of cyberspace mapping we maintain a large body of fingerprint rules and collect asset information by active scanning. Effective mapping records IP, asset name, port, protocol, operating system, device type, vendor, application components and so on, forming an asset database of the organization's information systems that helps the defender converge the attack surface. Combined with the latest published PoCs, risk characteristics and other rules drive targeted risk verification, describe the scope of a vulnerability's impact precisely, and feed emergency notification and handling.
Data security management capability: CITIC Network Security
The essence of network security is attack and defense; without the premise of attack there is no need for defense. Attackers hunt for vulnerabilities in hosts, networks, applications, databases, and even in human nature, intending to leak, steal and destroy. The defender thinks in terms of management systems, technical systems and operations systems, intending to prevent loss, damage and loss of availability. Attackers, however, are no longer content with destroying technology; they go after the data, as the exploitation of discovered vulnerabilities by ransomware shows. Data, as the core focus of attack and defense, should be approached from the standpoint of data security supervision: asset profiling helps users grasp the distribution, value and vulnerability of their data assets, and data asset risk is assessed in combination with observed threat behavior.
Attack traceability capability: Zhongrui World
As confrontation intensifies, more and more enterprises want to discover, respond to, track and trace security events across the whole network from a global perspective, to improve overall protection. "Network attack traceability" is the new security requirement that has emerged in this context: from the attacker's perspective, attack fragments from different points in time and different parts of the network are reassembled by analysis into attack events, and the attacker's tactics, purpose and background are traced in depth, for more accurate and efficient threat discovery and handling. "Attack traceability" offers security operators a new approach to threat monitoring; by monitoring and tracing threats at key nodes such as web and e-mail, it builds a new generation of threat monitoring system for real confrontation.
Security penetration service capability: Kyushu Juyuan
Attack and defense are like "spear" and "shield". To avoid being pierced by the spear, the shield must be constantly strengthened, and that requires a technical understanding of how the spear is used. Attackers gather as much information about the target as possible: open source applications in use, non-standard ports exposed by servers, source code and account credentials left on third-party sharing platforms, and so on. The defender needs a sound assessment of its network security posture and must identify its risk and exposure information and its network entry points.
The attacker's objective is a single point, and the larger the target system, the more weaknesses it offers, above all weaknesses in human behavior. Examples include targeted vulnerability discovery, APT attacks, privilege escalation exploits, the WebLogic RCE series and automated attack tools, and attacks against SVN, GitLab, Zabbix, Redis, enterprise wikis, OA systems and the like. Defenders use anomalous-behavior detection and alerting tools in attack and defense scenarios, combined with multi-clue correlation analysis, to improve their ability to detect and respond to attacks. At bottom, attack and defense is a game of investment and technology between people, and more efficient protection strategies emerge from the evolution of attack and defense technology.
Data security capability: Zhong An Visa
SQL injection is one of the main means of attacking database security. A database protection device with a large built-in library of SQL injection signatures and virtual patches, which learns access behavior automatically to form a baseline, can comprehensively diagnose attacks on known CVE vulnerabilities and SQL injection behavior and block illegal operations in real time, protecting the database from SQL injection.
Database audit comprehensively monitors and audits database access, recognizes attacks with built-in database attack signatures, raises an alarm immediately when attack behavior is found, and can trace every access to the database back to its source.
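Two things from the passage above are worth seeing in code: why string-built SQL is injectable while a parameterized query is not, and how a behavior baseline of the kind a database firewall learns can flag an injected statement without a signature for it. The following is an added example, not from the report or from any vendor's product; the schema, the rows, the "normal" query set and the query-shape normalization are all constructed for the demonstration. The baseline idea is that an application's parameterized queries collapse to a small set of shapes once literals are masked, so an injected `OR`/`UNION` produces a shape never seen during the learning period.

```python
"""The injectable query next to its parameterized form, plus a query-shape
baseline of the kind a database firewall learns from normal access.
Added example; schema, data and query set are constructed."""
import re
import sqlite3
from typing import List, Set

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name: str) -> List[tuple]:
    # Deliberately injectable: the user's input becomes part of the SQL text.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name: str) -> List[tuple]:
    # Parameterized: the driver passes the value separately; it cannot alter the query.
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()

# --- behaviour baseline -----------------------------------------------------
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")   # quoted strings and bare numbers

def shape(sql: str) -> str:
    """Normalize a statement to its shape: literals replaced by ?, whitespace
    collapsed, case folded. Parameterized queries share one shape each, so the
    learned baseline is small and an injected OR/UNION changes the shape."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip().lower()

class QueryBaseline:
    """Learn shapes during a trusted period, then flag anything new."""
    def __init__(self) -> None:
        self.known: Set[str] = set()

    def learn(self, statements) -> None:
        self.known.update(shape(s) for s in statements)

    def is_anomalous(self, sql: str) -> bool:
        return shape(sql) not in self.known

# Constructed sample traffic: the application's normal statements.
NORMAL = [
    "SELECT id, name, role FROM users WHERE name = 'alice'",
    "SELECT id, name, role FROM users WHERE name = 'bob'",
    "UPDATE users SET role = 'user' WHERE id = 3",
]
INJECTED = "SELECT id, name, role FROM users WHERE name = 'x' OR '1'='1'"

def demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"
    baseline = QueryBaseline()
    baseline.learn(NORMAL)
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),   # whole table leaks
        "safe_rows": len(lookup_safe(conn, payload)),               # no such user
        "normal_flagged": baseline.is_anomalous(
            "SELECT id, name, role FROM users WHERE name = 'carol'"),
        "injected_flagged": baseline.is_anomalous(INJECTED),
    }

if __name__ == "__main__":
    print(demo())
```

The baseline is a complement to signatures, not a replacement: it needs a clean learning window, and an attacker who can only inject into a literal's value without changing the statement's structure stays inside a known shape. That is exactly the gap the parameterized `lookup_safe` closes at the source, which is why the passage pairs real-time blocking with fixing the application.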
Data security capability: Midea Chuang Technology
Attack and defense is a topic the network security world can never bypass, and only real confrontation truly tests the robustness of a defense system. Faced with endless vulnerabilities and ever-changing hacker attacks, as a long-standing practitioner of the zero-trust approach to data security, we take the ATT&CK model as a starting point, analyze data security comprehensively from the three aspects of identity, assets and behavior, define a new security boundary around deterministic assets, and protect asset data comprehensively, so as to resolve the "uncertainty" of hacker attacks that the traditional network security system faces.
Data security capability: Hangzhou Shiping
The objects of network attack and defense are systems and data, and the attacker's aim is to disrupt the system or steal the data, so data security has always been the top priority. Classified Protection 2.0 (MLPS 2.0) and the "big data basic requirements" set new and higher requirements for the technical capability to inspect and evaluate data security. Data security compliance checking is the cornerstone of data protection: data operators and regulators need to confirm where sensitive and important data reside while ensuring security and compliance at every step of the data life cycle. Compliance checking covers basic requirements such as data integrity, residual information protection and data confidentiality, plus the big data security extension requirements, across the whole data life cycle.
Threat intelligence capability: Micro Step Online
In the red-blue confrontation, the red side keeps collecting target information, analyzing assets and weak links, breaking through the defenses by frontal attack and by flanking penetration, and then moving laterally until the target is captured. Correspondingly, the blue side must inventory, harden and converge its assets in advance, predict threats and block source IPs, and discover compromised internal hosts, to achieve a sound three-dimensional defense.
Threat intelligence gives the blue side global cyberspace intelligence collection and analysis capabilities, used to monitor in real time which of its assets or sensitive data are exposed on the public Internet or the dark web. A local intelligence platform helps identify compromised hosts and suspicious source IPs, automates linked response, and supports out-of-band threat monitoring and blocking products.
We bring together top domestic security service and analysis teams to establish and operate an effective threat intelligence system for security operators, rapidly improving the blue side's attack monitoring, forensics and localization, emergency response and traceability analysis.
Hardware-level security capability: Anxin Network Shield
Attack looks for weak points, and defense can likewise find the key point: every attack ultimately comes back to the computing environment. Starting from the computer architecture, any code the CPU executes and any data it processes must pass through memory. Monitoring memory read, write and execute behavior with memory virtualization and related technologies can prevent attacks such as anomalous memory access and malicious code execution and build a complete memory security environment for the computer system. After many years of research, our memory protection system, built on hardware virtualization technology, monitors all program behavior at the level of the CPU instruction set and detects and responds at the earliest moment.
Cyber range capability: Saining Network Security
Cyber warfare can paralyze society and endanger lives and national security. A next-generation cyber range is needed to verify network attack methods effectively, study new security technologies, explore vulnerabilities, produce standardized threat response processes and response teams, and validate network defense architectures. Focused on the core technology of attack and defense confrontation, the red and blue sides need a professional cyber range for security drills, progressing from personnel training to business drills to strategy and tactics drills, researching the core problems and technologies of the confrontation so that overall attack and defense capability improves dynamically and effectively.
Comprehensive security capability: Shenzhen Convincing
Across many attack and defense cases we find that many organizations have plenty of protective measures yet remain at the level of defense-oriented "passive operations": there is no continuous monitoring and closed-loop response built around assets, vulnerabilities, threats, events and other elements that would amount to "active operations". The main reason is the shortage of security staff and technical resources, which leaves organizations without the capacity and energy to run their existing technical and management systems effectively and achieve sustained security results.
Following the service concept of "human-machine intelligence", we effectively integrate the rich practical experience of security experts with the self-learning and automation capabilities of machines: one security operations platform, three tiers of security experts and four operating mechanisms (assets, vulnerabilities, threats, events) help users build a continuous, closed-loop, active security operations system and rapidly expand security capability and effectiveness.
Comprehensive security capability: Xinhua San
In the red-blue confrontation, the blue army defending its city must be fully prepared and know both itself and the enemy before it can respond. First it must take stock of its own assets and all of its business systems and applications, its key assets, business inspection, protection, minimum configuration, appropriate authorization and so on. Looking from the attacker's side, at attack methods, techniques and tools, gives a view of the whole target, so the confrontation is systems engineering, both holistic and deep. Building overall defense in depth is the core of our security concept: multiple lines of defense at the data, application, server, network and network-boundary levels, so that a malicious attacker must break through all of them to reach core data assets. Combined with centralized monitoring and analysis in operations, attack behavior and attack paths are discovered and visualized in time, greatly raising the attacker's cost.
Security service capability: Taiji Digital Security Division (Steadfast Laboratory)
Understanding the concept of national security and of network security, and building a sound network security system for an organization, is an important part of the digitization and informatization of its business. The fundamentals must be done well for integrated, "two-wing", "two-wheel drive", balanced development.
Through the host era, the network era, the information era and the digital era, security has gone from one-dimensional to multi-dimensional. Only by doing every step well can we stay calm and secure.
1. Consensus of awareness: a correct consensus on the organization's security concept at the macro, meso and micro levels is the basis for the work.
2. Organizational coordination: coordination among management, business, IT, security and operations is an important guarantee of success.
3. Security strategy: business and data define the security strategy; hard requirements and compliance complete the top-level planning and system design.
4. Integrated implementation: management requirements, technical construction and the operations system are coupled with IT, so that security becomes part of the business and is truly implemented.
5. Three layers of protection: according to differences in security maturity and protected objects, carry out basic compliance protection to raise the overall baseline, identify key points and implement enhanced protection, and develop collaborative protection in parallel for nationally important, important and key systems.
6. Three fundamentals: clarity about the protected object (clear assets, clear personnel and accounts, clear relationships).
Digital era, Digital China, Digital Security 3.0: we work with users through identifying protected objects - assessing defense maturity - setting security strategy - top-level planning and design - continuous improvement of the defense implementation system - integration of security operations.
Guoxin government cloud operation service provider: Guoxin New Net
Cloud services are the trend in intensive operation and management. Business centralization, system centralization and data centralization greatly improve operational efficiency, shorten the construction cycle, save operating costs and reduce operation and maintenance costs, but they also concentrate security risks. This is a severe test and challenge for builders, operators and tenants. Improving comprehensive security protection capability and strengthening east-west security protection in the cloud, especially data security and access control, requires great effort. Under the trend of moving business to the cloud, the attack and defense analysis of cloud security has a lot in common with the traditional environment and adds many unique key points. In terms of roles, cloud security can be divided into cloud platform service providers, cloud tenants and cloud security regulators, and their perspectives, security responsibilities and risks are different. Cloud platform service providers need to ensure their own security, compliance and protection capabilities. Cloud tenants bear the upper-level security responsibility for cloud business and data, while cloud security regulators, from a third-party perspective, supervise the operational security of business and data on the cloud and the compliance security of the cloud platform. The protection of cloud security should be managed and guaranteed uniformly through the joint efforts of the three roles.
III. Third-party security institutions
Professional Committee of Information Security of China Information Association
The essence of network security lies in confrontation, and the essence of confrontation lies in the ability to attack and defend. This series of red and blue attack and defense panoramic deductions vividly illustrates the diversity and complexity of network attack and defense, and also makes me think of the importance and urgency of training network attack and defense personnel. At present, with the rapid development of the new generation of information technology, especially the vigorous promotion and strategic layout of the "new infrastructure", the problem of network attack and defense has infiltrated all fields of national economic and social development, and the demand for and requirements of network attack and defense personnel have greatly increased. There is an urgent need to strengthen the systematic, professional, dynamic and practical training of network attack and defense talent, from basic education to higher education, from academic education to vocational training, and from the popularization of common sense to actual combat competitions, so as to create a good environment and conditions for network attack and defense talent with strong professional ability and rich actual combat experience to stand out.
Information Security Grade Protection Evaluation Center of the Ministry of Public Security
Cyber attack and defense is a war without gunpowder smoke. In the process of building the new digital infrastructure, we must adhere to the two-wheel drive of security and development, intrusion and response, attack and defense, while the situation on the cyberspace battlefield changes rapidly. Red and blue confrontation cannot be drills only; it must take actual combat as the starting point. Key information infrastructure operators must develop security capabilities in both attack and defense, so as to break the passive situation caused by information asymmetry and capability asymmetry. Today's network confrontation has broken through the traditional simple security boundary protection capability. Network security attack and defense under artificial intelligence and cloud computing is not only a confrontation of computing power and speed, but also a confrontation of comprehensive intelligence capability. Whoever can gain insight into the distribution of assets in cyberspace, grasp the changing trends of network security, and master the first-hand network combat map will take the lead in the network confrontation. In fact, a high level of network security attack and defense ability fulfills a saying from the martial arts: kung fu lies outside kung fu.
Information Industry Information Security Evaluation Center
The General Secretary's statement that "there is no national security without network security" points out the direction for the security protection of China's key information infrastructure. In recent years, taking compliance as the starting point and attack and defense as the driver has become an important feature of the network security field in our country, and the new concept of "actual combat, systematization and normalization" is deeply rooted in people's hearts. Only a network security protection system that has been tested in actual combat can be upgraded from infrastructure security to active defense and linked response. Every node in important industry departments should build the ability to withstand the huge damage caused by "black swan" events such as 0day vulnerabilities, simulate how to solve endogenous security problems after the border is lost, and contribute its own efforts to the network security protection of the country's key information infrastructure.
Digital Consulting
The essence of network security lies in "confrontation", and everything in the field of confrontation is dynamic; there is no such thing as once and for all. There is no silver bullet and no panacea, only the eternal struggle of "as virtue rises one foot, vice rises ten." Therefore, the importance and key role of active defense based on the attack perspective is self-evident, which is the fundamental reason why the industry should hold offensive and defensive drills over the long term. We hope to see more and more people with excellent security capabilities join in to make the country's network security industry bigger and stronger.
IV. Security operation units
A national ministry
Thanks to the researchers of the red and blue attack and defense panoramic deduction series. This series can indeed enable the business and IT staff of our unit to see clearly the full picture and the protection objectives of network security defense work. First, they can tell their superiors how large the network security workload is. Second, they can see deeply that it is a process of continuous accumulation and investment. Third, they can clarify the structure, content and process of their own work, and are able to report to the higher authorities. The work is clear, nothing will be omitted when work is assigned downward, and the priorities are clear.
A financial institution
The network security of the financial system is its lifeline, and there are too many aspects involved in security protection. There was all kinds of complex work before: not only must the security technology be put in place, but the management system must also be truly enforceable. The most important thing is that the effectiveness of security operation must be in place, especially the integration of the three systems (management, technology, operation) and the layering of the three protections (basic, enhanced, collaborative). These pictures are very clear about what work is to be done and why it is done, and they are worth learning from. Here we also see many of our own shortcomings, and with follow-up reference we can continue to improve.
A central enterprise group
Asset repository, risk library, exposure surface: thank you for giving us a vivid practical lesson on network security, especially the sand table deduction from the attack and defense perspective, which is like a battle map, so that we can have a comprehensive and clear understanding of the objectives, strategies and ideas, methods and steps, means of attack and so on, with the corresponding defense content, key points, functions and effects at different stages and levels. With a clear understanding of both sides, our future work will be targeted, greatly improving its effectiveness and efficiency.
An Internet company
In the face of Internet public services, our biggest worry is that there will be network security incidents in the production business, and we have always been cautious about exposed services. Every day's work is to rack our brains thinking about what weaknesses and vulnerabilities attackers have found, what attacks on us will cause what threats and risks, whether we can deal with these problems, whether we can recover after an incident, and so on. This picture not only comprehensively deduces all the content and key points of the attack, but also refines the systematic content of defense in depth, which is worthy of our in-depth analysis, study and adoption.
Tidbits
PHL, sprinkler, White Fatty Man, ThatHeraoZhao77, Cabbage, Weibo, Weiyang, Kobayashi rough Man, Qi., Ln (K), bump against the wall, cloud travel, flight, YY, Gouda, Master Qiao, Whiskey, Confidential, Steve, Zwell, Deng Huan and other security partners continued to discuss, judge and revise N times! Update! This is what the brain-burning process of deduction looks like.
PCSA Alliance
The Digital China and network power strategies guide all fields of the country to digitize, and the digitization rate of China will be greatly improved. In the future, key information infrastructure and important information systems at the national, industry and city levels will become the nerve center of economic and social operation.
The future network security challenges are becoming more and more clear and urgent, including:
Threat challenge: upgrading from the threat of hacker organizations to the threat of unrestricted warfare in cyberspace by hostile and hegemonic countries
Transformation challenge: upgrading from chimney systems to the challenges of big data, large platforms, large systems, large-scale operation and large-scale security
Defense challenge: upgrading from compliance-based basic defense to the challenges of nerve-center enhanced defense and multi-party collaborative defense
Security challenge: in the face of the "normalization and actual combat" of high-level attacks, meeting the integrated security operation challenge of "real-time monitoring, systematic defense, threat early warning, rapid response, information sharing and accurate command" on the basis of "clear assets, dynamic risks and ecological capabilities"
In the face of these four major challenges, PCSA continues to work with China's key security capabilities to build the symbiotic platforms "Cyberspace Security Management and Operation Platform", "Data Flow Security Supervision Platform" and "Cloud Security Integrated Service Platform". It plans the "Business Data IT Dynamic Strong Correlation Asset Library", "High Frequency and Full Risk Database", "Network Security Capability Base" and "Network Security Integrated Defense (Blue) Platform" to realize a real-time, dynamic, closed-loop operation system of supply chain security, compliance basic protection, enhanced protection, collaborative protection, prediction, defense, detection and response, and to realize information sharing, emergency coordination and integrated, clear command. It ensures the safe and stable operation of the nerve center of the digital society, fills technology gaps and makes continuous efforts to create a security hub for users.
PCSA was founded in Beijing on October 20, 2016.
PCSA vision: aggregating China's key security capabilities and enabling the digital intelligence era
PCSA mission: continue to create a security hub for users
PCSA values: quality is co-created by new beliefs
China Envis: protect core data and safeguard network security
Source: Industry Alliance of Private Cloud Security Capabilities