2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
(1) Background
When a security vendor's team (Party B) provides security services to an enterprise, it usually relies on the vendor's own security products. In general, every threat the product detects has to be checked by an analyst to confirm whether it really exists, and some detections inevitably turn out to be false positives. On the other hand, threats spread in much the same way across enterprises: a threat seen in one enterprise may well appear in another, so after one analyst has worked through a threat at one enterprise, another analyst ends up analysing the same threat again at a second enterprise, which wastes resources.
Based on this, we want to build a knowledge platform for the analysis service that consolidates threat information and reduces the analysis workload.
The goals are summarized as follows:
(1) reduce repeated research and judgment of false positives.
(2) reduce repetitive analysis of threats.
(3) extract reports for common threats.
(4) query emerging threats.
To a large extent, the knowledge base platform is built to produce reports: as everyone knows, the enterprise expects a report, and writing one is sometimes very labour-intensive.
(2) Design of the knowledge base entry body
The events that need to be entered are:
(1) false positives
(2) security events
(3) common security incidents
(4) the latest security incidents
The supported keyword retrieval fields are:
Virus type (the virus names used by other mainstream vendors can be added)
MD5 values of the sample and its derived files (multiple)
Network connection domain name (multiple)
Network request IP (multiple)
Virus body and derived file names (multiple)
Service name
Registry key-value pair
File path
Mutex name
Script
Other strings
The structure of a threat event entry:
Basic event information: threat log screenshot, time of occurrence
Event analysis: sample analysis, propagation analysis, traceability analysis
Event disposal: handling of the threat, hardening plan
Attachments:
The report submitted to the user
The list of sample hashes involved in the event
The samples themselves, stored separately under their hash values
Note: once a threat event has been entered, any member can subsequently edit it.
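As an added illustration (not code from the original article), here is a minimal Python model of the entry design above: each entry carries the retrieval fields listed earlier, the values are normalized into a keyword index, and a new product detection is matched against existing entries so that a hit made up only of known false positives can skip repeated analysis. The event ids, kinds and indicator values are constructed placeholders.

```python
# Retrieval fields from the design; any field may hold several values per event.
FIELDS = ("virus_type", "md5", "domains", "ips", "file_names", "service_name",
          "registry", "file_path", "mutex", "script", "other_strings")

class ThreatEvent:
    """One knowledge-base entry: an id, its kind and a set of values per retrieval field."""
    def __init__(self, event_id, kind, **fields):
        unknown = set(fields) - set(FIELDS)
        if unknown:
            raise ValueError(f"unsupported retrieval field(s): {sorted(unknown)}")
        self.event_id, self.kind = event_id, kind  # kind: false_positive | security_event | common | latest
        self.fields = {f: {v.strip().lower() for v in vals} for f, vals in fields.items()}

class KnowledgeBase:
    def __init__(self):
        self.events, self.index = {}, {}  # index: (field, normalized value) -> {event_id}

    def add(self, event):
        self.events[event.event_id] = event
        for f, values in event.fields.items():
            for v in values:
                self.index.setdefault((f, v), set()).add(event.event_id)

    def search(self, keyword):
        """Exact keyword retrieval over every indexed field, regardless of event kind."""
        kw = keyword.strip().lower()
        return sorted({e for (_, v), ids in self.index.items() if v == kw for e in ids})

    def triage(self, **detection):
        """Match a fresh product detection (field -> values); only an all-false-positive hit skips analysis."""
        hits = set()
        for f, values in detection.items():
            for v in values:
                hits |= self.index.get((f, v.strip().lower()), set())
        if not hits:
            return "new", []
        kinds = {self.events[e].kind for e in hits}
        return ("known_false_positive" if kinds == {"false_positive"} else "known_threat"), sorted(hits)

# Constructed sample entries with placeholder indicators (not real IoCs).
KB = KnowledgeBase()
KB.add(ThreatEvent("EV-001", "false_positive", virus_type={"Generic.PUA"}, md5={"a" * 32},
                   file_path={r"C:\Tools\admin.exe"}))
KB.add(ThreatEvent("EV-002", "security_event", virus_type={"Worm.Sample"}, md5={"b" * 32},
                   domains={"c2.example.invalid"}, ips={"192.0.2.10"}, mutex={r"Global\sample_mutex"}))
```

A detection that matches both a false-positive entry and a real event is still reported as a known threat, so the analyst only skips work when every matching entry was previously judged benign.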