Construction Practice of a Party A (In-House) Basic Security Operations Platform

The basic security operations platform is a comprehensive security platform that integrates threat intelligence, vulnerability detection, intrusion detection, active defense, backdoor detection and removal, security baselines, and a security brain. It carries the important task of helping the enterprise resist network attacks of all kinds and prevent internal risks.

First, the latest attack data and trends are obtained from outside through threat intelligence. Second, vulnerability detection is used to inventory corporate assets and to periodically inspect and patch security vulnerabilities. Then attacks against networks, hosts, and services are discovered through intrusion detection, and finally the security brain performs overall analysis and automated response. Together these complete the basic security operations of an Internet company in one pass.

1. Threat Intelligence

For Internet companies, mastering threat intelligence helps the company issue timely warnings about security threats facing its public network assets, understand the latest threat dynamics, implement proactive threat defense and rapid response strategies, comprehensively grasp security threats in conjunction with in-depth analysis of security data, and accurately use a SIEM for threat tracking and attack tracing.

1.1 Public Information Library

Regarding intelligence collection, on the one hand it can be captured from open source intelligence channels (such as VirusTotal, Cymon, etc.); on the other hand it can be obtained from internal security components (such as the WAF and NTA); and it can also be gathered from other channels, such as observed bulk scanning and DDoS attacks.

Threat intelligence collection and organizing frameworks: GOSINT, SpiderFoot
Whois and DNS information history: SecurityTrails
Comprehensive threat intelligence queries: IBM X-Force Exchange, Cymon
Internet-wide port and service statistics: SHODAN, Censys, FOFA
Analysis of malicious files, URLs, domain names and MD5 hashes: VirusTotal

1.2 Vulnerability warning

Many vulnerability disclosures are not recorded in the CVE database when they first appear. You can use the CMDB to inventory the components used in your production environment, then monitor the corresponding vendors' vulnerability pages as well as forums or sites where vulnerability POCs are published. When a new vulnerability appears, the security team is notified by email or SMS to handle it.

1.3 Information leakage

When company management is loose, employees often upload code to platforms such as GitHub, and some attackers buy and sell stolen database dumps on the dark web, so the company's information leakage needs to be monitored.

Open source tools for scanning GitHub information leaks: Gitrob, Xiaomi's open source x-patrol
Dark web scanning: OnionScan
Comprehensive analysis framework: AIL

2. Vulnerability Detection

2.1 Network vulnerabilities

Network vulnerabilities are those that can be discovered by directly scanning remote ports, such as OpenSSH remote overflow vulnerabilities and MySQL weak passwords.

Common network vulnerability scanning software: Nessus, OpenVAS, Core Impact, Nexpose, etc.
Special-purpose scanning tools: nmap, zmap, masscan
Password cracking tools: medusa, hydra, Ncrack

2.2 Host vulnerabilities

Host vulnerabilities mainly arise because the Linux / Windows system is not updated after being installed on the machine, leaving a large number of locally exploitable security holes.

Security compliance and vulnerability assessment software: OpenSCAP
Open source CVE vulnerability scanning tools: cvechecker, cve-check-tool
Vulnerability checks for Java component libraries: OWASP Dependency-Check
Vulnerability checks for JavaScript and Node.js libraries: Retire.js
Container vulnerability scanning: Anchore

2.3 Website vulnerabilities

Common commercial website vulnerability scanners: AWVS, AppScan, WebInspect
Common open source website vulnerability scanner: Arachni

3. Intrusion Detection

Intrusion detection technology is a means to detect intrusion by monitoring a series of security-related abnormal indicators.

Generally, intrusions can be perceived through passive channels:

1. Network anomalies, such as DDoS attacks, abnormal DNS requests, ARP spoofing
2. Host anomalies, such as brute-force cracking, reverse shells, privilege escalation
3. Isolation anomalies, such as virtual machine escape, container escape
4. Application anomalies, such as command execution, file reading and writing, SQL injection

Intrusions can also be perceived through active channels:

Such as honeypots, decoys, honeytokens, etc.

3.1 Network Traffic Analysis (NTA)

Common attacks in network traffic are:

1. Protocol attacks, such as BGP attacks, CDP attacks, MAC address spoofing, ARP cache poisoning, DHCP starvation, etc.
2. Denial of service, such as SYN flood, UDP flood, NTP reflection, SSDP reflection, DNS reflection, etc.
3. Probing and scanning, such as IP scanning, port scanning, vulnerability scanning, virus propagation, cryptominer propagation, ransomware propagation, brute-force cracking, etc.
4. APT and C&C communications, such as hard-coded IPs and domain names, DGA random domain names, DNS tunnels, encrypted traffic analysis, etc.
5. Attacks over decryptable application protocols, such as HTTP attacks, SMTP attacks, MySQL attacks, SMB attacks, etc.

NTA security products:

Commercial network traffic analysis products: Greycortex, RSA NetWitness Network, ProtectWise, Moloch, and others
Open source network traffic analysis products: Bro (now Zeek), Apache Spot, Stream4Flow, NetCap
Open source high-performance load balancing products: Katran, DPVS
Open source network intrusion detection products: Snort, Suricata
Network traffic indexing and retrospective analysis: Moloch

3.2 Host Intrusion Detection (HIDS)

Many intrusion threats can be detected at the host layer, such as privilege escalation, abnormal logins, reverse shells, network sniffing, memory injection, abnormal process behavior, abnormal file reading and writing, abnormal network communication, viruses and backdoors, security vulnerabilities, and configuration flaws.

Open source products: OSSEC, Osquery, Elastic/beats, sysdig, Capsule8

There are several methods for real-time process monitoring under Linux:

1. Hijack the glibc execve function at the application layer through ld.so.preload. Open source product: exec-logger

2. Use the Process Events Connector provided by Linux at the application layer. Open source product: extrace

3. Use the interface provided by Linux Audit at the application layer. Built in: the Linux auditd service; open source product: Osquery

4. At the kernel layer, implement it with Tracepoints, eBPF or Kprobes. Open source products: Sysdig, Capsule8

5. At the kernel layer, hook the execve function pointer in the Linux syscall table, or use the API provided by the LSM framework. Built in: LSM security modules; open source products: 驭龙 HIDS (Yulong HIDS), AgentSmith
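As an added illustration of method 3 (Linux Audit) above, and not code from the original post or from any of the listed projects: a small Python correlator that joins auditd SYSCALL and EXECVE records for execve calls by their audit serial, decodes auditd's hex-encoded arguments, and flags shells started under a web service account, the reverse-shell pattern from this section. The sample log lines, the uid 33 service account and the set of shell paths are constructed assumptions.

```python
import re

# Constructed sample auditd records (not real logs): one benign cron job as root
# and one shell spawned under the web server's service account (uid 33).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1581500000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 comm="run-parts" exe="/usr/bin/run-parts" key="exec"
type=EXECVE msg=audit(1581500000.101:2001): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1581500000.202:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=4294967295 uid=33 gid=33 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1581500000.202:2002): argc=3 a0="sh" a1="-c" a2=6964202D613B20756E616D65202D61
"""

SERVICE_UIDS = {33}  # assumed: www-data on Debian-style systems
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """Return (serial, fields) for one audit record. Quoted values are literal;
    unquoted aN values in EXECVE records are auditd's hex encoding of arguments
    that contain spaces or special bytes."""
    serial = MSG_RE.search(line).group(2)
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif re.fullmatch(r"a\d+", key):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return serial, fields

def correlate_events(log_text):
    """Merge SYSCALL and EXECVE records that share an audit serial into one event."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            serial, fields = parse_record(line)
            events.setdefault(serial, {}).update(fields)
    return events

def argv_of(event):
    return [event[f"a{i}"] for i in range(int(event.get("argc", 0)))]

def find_service_account_shells(log_text):
    """Return (serial, uid, argv) for every shell executed under a service account."""
    alerts = []
    for serial, ev in sorted(correlate_events(log_text).items()):
        if int(ev.get("uid", -1)) in SERVICE_UIDS and ev.get("exe") in SHELLS:
            alerts.append((serial, int(ev["uid"]), argv_of(ev)))
    return alerts

if __name__ == "__main__":
    for serial, uid, argv in find_service_account_shells(SAMPLE_AUDIT_LOG):
        print(f"ALERT audit serial {serial}: uid {uid} ran {argv}")
```

The same join works on records from `ausearch -i`-free raw logs collected by auditd; with a rule such as `-a always,exit -F arch=b64 -S execve -k exec` the SYSCALL and EXECVE lines always share a serial.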

3.3 Deception Technology

Deception technology builds on earlier honeypot technology, adding decoys, honeytokens and automated honeynet creation. Honeypots are divided into high-interaction and low-interaction honeypots; to achieve a convincing deception, deception techniques are usually based on high-interaction honeypots.

Open source honeypot products: Honeytrap, OpenCanary
Open source decoy product: honeybits
Open source honeytoken product: Canarytokens
Open source software for virtual machine introspection and control: LibVMI, rVMI

4. Active Defense

Active defense technology usually focuses on protection. Adding it on top of the system's default security usually helps intercept known and unknown security threats.

4.1 Host Intrusion Prevention (HIPS)

Linux's own security mechanism: LSM (Linux Security Modules)
Implementation method: AKO (Additional Kernel Observer), using a dynamically loadable kernel module (LKM)
Open source kernel active protection product: LKRG (Linux Kernel Runtime Guard)

4.2 Web Application Firewall (WAF)

Open source products: ModSecurity (supports Nginx), OpenStar
AI-based WAF: Wallarm
Open source anti-fraud application security product: Repsheet

DDoS protection implementation:

DDoS protection is generally implemented in layers. The first layer (front end) uses the anycast routing protocol to schedule traffic across regions by IP; the second layer resists attacks with dedicated DDoS protection equipment, in hardware or software; the third layer performs application-layer HTTP DDoS protection on the WAF.

For the second layer of protection, an open source high-performance layer-4 network load balancer can be used: Katran
For the third layer of protection, an open source application delivery controller can be used: Tempesta FW

4.3 Runtime Application Self-Protection (RASP)

Compared with a WAF, RASP works inside the application and can see more details of program execution, which resolves many WAF false positives and the problem of signature-based WAFs being bypassed, so RASP is stronger than a WAF at intercepting attacks. However, in terms of performance, stability, and DDoS interception, a traditional WAF is deployed independently of the application and therefore has the advantage.

Open source product that supports both Java and PHP: OpenRASP

4.4 Database Firewall (DBF)

Through a database firewall, you can intercept SQL injection attacks, mask sensitive data, prevent high-risk data deletion operations, and record and discover violations. It provides the last layer of protection against SQL injection.

Open source products based on the proxy model: DBShield, Acra
Open source product based on the plugin model: mysql-audit

5. Backdoor Detection and Removal (AV)

Backdoors are roughly divided into three categories:

1. Highly concealed backdoors: rootkits
2. General remote-control backdoors
3. Webshell backdoors executed in the web environment

5.1 Rootkit

Rootkits are mainly divided into three types according to the stage at which they operate: application-level rootkits, kernel-level rootkits, and boot-level bootkits (lower-level rootkit backdoors). The difficulty of detecting them increases in that order.

Open source tools:

Application-layer rootkit detection: rkhunter, chkrootkit
Offline memory analysis tool for rootkits: Volatility
Hidden process detection: Linux Process Hunter
Comprehensive rootkit detection: Tyton, kjackal

5.2 Backdoors

Host backdoors are usually general remote-control backdoors at the application layer. There are many of them, and they are often combined with rootkit techniques.

Tools:

Linux backdoor scanning tool: ClamAV
Open source script scanning tool: malscan
Open source host backdoor detection tool: BinaryAlert
Open source distributed scanning tool: klara
Open source threat intelligence and incident response analysis tool: rastrea2r
Dynamic analysis and detection tool: Cuckoo Sandbox
Enterprise-level automated malware analysis framework: stoQ

5.3 webshell

A webshell is a specialized web backdoor, usually written in a scripting language, highly flexible and easy to obfuscate. Common webshells include PHP, ASP, ASP.NET, JSP, Python, Node.js and other types of backdoors.

Tools:

Open source PHP webshell detection tool: php-malware-finder
File change monitoring tool: masc
Open source webshell detection tool using machine learning: MLCheckWebshell
Online webshell detection platform: Baidu WEBDIR+

6. Security Baseline

Configuration security issues account for a large proportion of security vulnerabilities, and include networks, operating systems, various application servers, and database systems. Common security baselines include default security configuration and security hardening.

Tools:

Baseline security template website: cisecurity (CIS Benchmarks)
Open source compliance software: Lynis, InSpec
Open source continuous auditing and configuration management platform: Rudder

7. Security Brain

The security brain is a comprehensive analysis and orchestration automation response center for security data. Its main functions include security situation awareness (SSA), security information and event management (SIEM), security orchestration and automated response (SOAR).

7.1 Security Situational Awareness

This is mainly the front-end display of the security brain. Security data is complex and highly correlated, and requires a good front-end display framework.

The security brain needs to handle complex security events involving the interaction and correlation of multiple entities. To this end, knowledge graphs, graph computation, data semantics, machine learning and other technologies must be used together to produce good results. In addition, it needs to integrate with various external systems (such as identity management and threat intelligence systems), which also requires continuous improvement by the security team.

Reference:

Front-end display framework: Sqrrl
Material website: SecViz
JS frameworks: D3.js, vis.js, three.js

7.2 Security Information and Event Management (SIEM)

Products:

SIEM products: Splunk, QRadar, LogRhythm
Intelligent decision solutions: Spark, Flink, Storm

Big data storage and processing projects: Hadoop, ClickHouse
Log data indexing and query projects: Elasticsearch/Elastic Stack, Graylog
Open source log security rule format: Sigma
Open source big data security solutions: Elastic, Metron
Open source graph database project: HugeGraph

7.3 Security Orchestration and Automated Response (SOAR)

The next step in intelligent decision-making is security orchestration and automated response (SOAR).

Products:

SOAR open source products: StackStorm, MozDef (Mozilla Defense Platform)
Open source security operations orchestration product: PatrOwl

Origin blog.csdn.net/wutianxu123/article/details/104416787