Chapter 17: Network Security Emergency Response Technology, Principles and Applications
Overview of network security emergency response
Concept of network security emergency response
- The monitoring, early warning, analysis, response and recovery work carried out by designated persons or organizations in response to network security incidents
Role of network security emergency response
- To respond to and handle, in a timely manner, security incidents that may occur in the network at any time
Related specifications for network security emergency response
Establishment and working mechanism of the network security emergency response organization
- Establishment of the network security emergency response organization
  - Consists of an emergency leadership group and an emergency technical support group
  - Members: management, business, technical, administrative and logistics personnel
  - Work content:
    - Network security threat intelligence analysis and research
    - Network security incident monitoring and analysis
    - Release of network security early-warning information
    - Compilation and revision of the network security emergency response plan
    - Development and management of the network security emergency response knowledge base
    - Network security emergency response drills
    - Network security incident response and handling
    - Network security incident analysis and summary
    - Network security education and training
- Working mechanism of the network security emergency response organization
  - A team that handles or coordinates network security incidents, or provides support to organizations in handling them
  - Types of network security emergency response organizations
    - Public-interest (non-profit) emergency response teams
    - Internal emergency response teams
    - Commercial emergency response teams
    - Vendor emergency response teams
Contents and types of network security emergency response plans
Types and classification of network security incidents
In 2017 the Office of the Central Cyberspace Affairs Commission (Cyberspace Administration of China) issued the "National Cybersecurity Incident Emergency Plan", which classifies network security incidents as follows:
- Malicious program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, catastrophic incidents, and other information security incidents
According to the degree of impact, network security incidents are divided into four levels: especially major (Level I), major (Level II), relatively major (Level III) and general (Level IV)
Basic content of a network security emergency response plan
- A detailed list of the types of system emergencies and the handling measures for each
- The basic workflow of incident handling
- The specific steps and sequence of operations to be taken for emergency handling
- Names, addresses and telephone numbers of the personnel involved in implementing the plan, and contact details of the relevant functional departments
Types of network security emergency response plans and reference templates
- By the management area covered: national level, regional level, industry level, department level
- Reference templates
  - Emergency procedure for interruption of a core business system or failure of hardware equipment (Level I)
  - Emergency procedure for compromise of the integrity of the portal website and its hosting system (Level I)
  - Emergency procedure for a hacker intrusion attack on an external network system (Level II)
  - Emergency procedure for a denial-of-service attack on an external network system (Level II)
  - Emergency procedure for interruption of the external power supply (Level II)
Common network security emergency incident scenarios and handling procedures
Common network security emergency response scenarios
- Malicious program incidents: malicious code attacks
- Network attacks
  - Security scanning attacks
  - Brute-force attacks
  - Exploitation of system vulnerabilities
- Website and web application security incidents
- Denial-of-service incidents: DoS and DDoS
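As an added example (not from the textbook these notes summarize), the brute-force scenario above can be detected during log review with a sliding-window count of failed logins per source IP. The script parses OpenSSH auth log lines in classic syslog format, alerts when a source reaches a threshold of failures within a window, and flags a later successful login from the same source, which is the case that turns a noisy scan into a suspected account compromise and must go straight to containment. The log lines, hostnames, IP addresses and the year assumed for parsing are constructed for illustration.

```python
"""Brute-force detection over SSH auth log lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in classic syslog format (no year). One source
# hammers admin/root/oracle and finally succeeds; another has two isolated failures.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:04 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:06 web01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Mar  3 10:15:07 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:09 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar  3 10:20:44 web01 sshd[2301]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Mar  3 10:31:02 web01 sshd[2340]: Failed password for alice from 198.51.100.23 port 40118 ssh2
Mar  3 10:31:10 web01 sshd[2342]: Accepted publickey for alice from 198.51.100.23 port 40120 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return ts/result/user/ip for an sshd auth line, or None if it is not one.
    Syslog lines carry no year, so the year is an assumption passed in."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source IP.

    Alert when a source reaches `threshold` failures within `window_seconds`.
    A later successful login from an alerted source is recorded as a suspected
    account compromise.
    """
    failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)  # ip -> usernames attempted
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ts)
            users_tried[ip].add(ev["user"])
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "failures": len(window),
                    "users": sorted(users_tried[ip]),
                    "first": window[0],
                    "last": ts,
                    "success_after": False,
                    "compromised_user": None,
                }
        elif ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = f"COMPROMISED ({a['compromised_user']})" if a["success_after"] else "brute force"
        print(f"{ip}: {a['failures']} failures in {a['last'] - a['first']}, users={a['users']} -> {verdict}")
```

The threshold and window are tuning knobs: a low threshold over a long window catches slow, distributed guessing but will also flag users who mistype a password a few times, so in production the alert should carry the attempted usernames (as here) so the responder can tell "invalid user admin/oracle" spraying from one person's bad day.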
Network security emergency handling process
- Security incident alarm
- Security incident confirmation: confirmed by the emergency working team leader and the emergency leadership group
- Start the emergency plan
- Security incident handling: at least two people participate. Main work:
  - Preparation: notify the relevant personnel and exchange the necessary information
  - Inspection: take a snapshot of the scene and protect all records that may serve as evidence
  - Containment: take containment measures and try to limit the scope of the attack
  - Eradication: resolve the problem, eliminate the hidden danger and take remedial measures; archive the incident
  - Recovery: restore the system and return it to normal operation
  - Summary: submit an incident handling report
- Write a security incident report. Report content:
  - Date of the security incident
  - Participants
  - How the incident was discovered
  - Incident type
  - Scope of the incident
  - On-site (scene) records
  - Loss and impact caused by the incident
  - Incident handling process
  - Experience and lessons learned from the incident
- Emergency work summary
Emergency drills for network security incidents
Types of drills
Drill methods
- CTF competitions, red team vs. blue team exercises
Network security emergency response technology and common tools
Access control
- Network access control
- Host access control
- Database access control
- Application server access control
Network security assessment
- Malicious code detection: e.g. 360 Antivirus
- Vulnerability scanning: e.g. Nessus
- File integrity check: monitor whether binary files (such as system commands) have been replaced
- System configuration file check: baseline scan
- Network card promiscuous mode check: determine whether a network sniffer has been installed
- File system check
- Log file review
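As an added example (not the textbook's own code), the file integrity check listed above can be implemented as a SHA-256 baseline of a directory tree that a later snapshot is compared against. A changed hash indicates a replaced binary, a new path a dropped file, a missing path a deleted tool, and a changed mode with an unchanged hash a permission change. The demo() function builds a constructed fake bin directory in a temporary location and simulates a trojaned ls, a dropped backdoor, a deleted logrotate and an execute bit added to ps; all file names and contents are constructed. In practice the baseline must be stored off-host (read-only media or a separate system), since an attacker with root can rewrite a baseline kept on the compromised machine.

```python
"""File integrity check: SHA-256 baseline of a directory tree, compared later
(added example with a constructed scenario; not the textbook's code)."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks, devices and sockets are skipped; lstat avoids following links."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    both = set(baseline) & set(current)
    return {
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in both
                               if baseline[p]["sha256"] == current[p]["sha256"]
                               and baseline[p]["mode"] != current[p]["mode"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate an
    intruder who trojans ls, drops a backdoor, deletes logrotate and adds an
    execute bit to ps. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        originals = {  # constructed placeholder "binaries"
            "ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "ps": b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n",
            "logrotate": b"#!/bin/sh\nexit 0\n",
        }
        for name, content in originals.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(content)
        os.chmod(os.path.join(bindir, "ps"), 0o644)  # fixed mode so the demo is umask-independent
        baseline = json.loads(json.dumps(build_baseline(root)))  # round-trip as it would be stored

        # --- simulated intrusion ---
        with open(os.path.join(bindir, "ls"), "wb") as f:  # trojaned ls hides a file name
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v kworkerd\n")
        with open(os.path.join(bindir, ".backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\n# constructed placeholder for a dropped file\n")
        os.remove(os.path.join(bindir, "logrotate"))
        os.chmod(os.path.join(bindir, "ps"), 0o755)  # content unchanged, mode changed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Hash-based comparison is only as trustworthy as the hashing tool and the kernel it runs on: on a host where the attacker has replaced the Python interpreter or loaded a rootkit, run the check from a clean boot medium against the mounted disk rather than from the live system.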
Network security detection
- Network traffic monitoring: e.g. Wireshark
- System self-monitoring
  - Network connection status of the victim system (netstat)
  - Process activity of the victim system's operating system (ps)
  - User activity on the victim system (who)
  - Address resolution (ARP cache) status of the victim system (arp)
  - Process resource usage and open files/ports on the victim system (lsof on Unix-like systems, fport on Windows)
System recovery
- System emergency start
- Malicious code removal
- System vulnerability repair
- Recovery of deleted files
- System backup and disaster recovery
  - Technologies: disk arrays (RAID), dual-machine hot standby, disaster recovery centers, etc.
  - "Information security technology: Disaster recovery specifications for information systems" (GB/T 20988-2007) defines six disaster recovery levels and their technical requirements:
    - Level 1: Basic support
    - Level 2: Alternate site support
    - Level 3: Electronic transmission and partial equipment support
    - Level 4: Electronic transmission and complete equipment support
    - Level 5: Real-time data transmission and complete equipment support
    - Level 6: Zero data loss and remote cluster support
Intrusion forensics
Evidence information falls into two categories:
- Real-time (volatile) information
- Non-volatile information
Information that can generally serve as evidence or is evidence-related:
- Logs
- Files, including file size, content, creation date, swap files, etc.
- System processes
- Users, such as logged-in users' login times and means of access
- System status
- Network communication connection records
- Disk media
Six steps of network security forensics:
- Protect the forensic scene
- Identify the evidence
- Transport the evidence
- Preserve the evidence
- Analyze the evidence
- Submit the evidence
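Both the system self-monitoring commands listed under network security detection (netstat, ps, who, arp, lsof) and the forensic steps above call for capturing volatile information before it is lost and proving afterwards that the captures were not altered. The following added example (not the textbook's code) runs those commands in order of volatility, with modern Linux fallbacks (ss, ip neigh, w) assumed where the classic tool is absent, writes each output to an evidence directory, and records a manifest with the command actually used, UTC timestamp, exit code and SHA-256 per artefact; verify_evidence() re-hashes the files to detect later tampering. The demo() function uses a constructed fake runner so it executes no real commands; the case ID, collector name and sample outputs are constructed.

```python
"""Volatile evidence collection with a hashed chain-of-custody manifest
(added example; constructed case data, not the textbook's code)."""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Most volatile first: connections and processes change within seconds, the ARP
# cache and login table within minutes. Entries: (artefact, command, fallback).
# Classic tools are those named in the notes; fallbacks are assumed Linux equivalents.
VOLATILE_COMMANDS = [
    ("network_connections", ["netstat", "-antup"], ["ss", "-antup"]),
    ("processes", ["ps", "auxwf"], None),
    ("open_files_network", ["lsof", "-n", "-P", "-i"], None),
    ("arp_cache", ["arp", "-an"], ["ip", "neigh"]),
    ("logged_in_users", ["who", "-a"], ["w"]),
    ("uptime", ["uptime"], None),
]


def run_command(argv):
    """Default runner: (returncode, combined output). A missing tool yields
    returncode None so collection continues and the gap is recorded."""
    if shutil.which(argv[0]) is None:
        return None, f"<{argv[0]} not found on this host>\n"
    proc = subprocess.run(argv, capture_output=True, text=True, errors="replace", timeout=60)
    return proc.returncode, proc.stdout + proc.stderr


def collect_volatile(evidence_dir, commands=VOLATILE_COMMANDS, runner=run_command,
                     case_id="CASE-0001", collector="responder"):
    """Capture each artefact to evidence_dir and write manifest.json with the
    command actually used, UTC timestamp, exit code and SHA-256 per artefact."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"case_id": case_id, "collector": collector, "hostname": platform.node(),
                "started_utc": datetime.now(timezone.utc).isoformat(), "items": []}
    for artefact, argv, fallback in commands:
        rc, output = runner(argv)
        if rc is None and fallback is not None:  # classic tool missing, try the fallback
            argv = fallback
            rc, output = runner(argv)
        data = output.encode("utf-8")
        filename = f"{artefact}.txt"
        with open(os.path.join(evidence_dir, filename), "wb") as f:
            f.write(data)
        manifest["items"].append({
            "artefact": artefact,
            "command": " ".join(argv),
            "exit_code": rc,
            "captured_utc": datetime.now(timezone.utc).isoformat(),
            "file": filename,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every artefact; return the names whose hash no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    tampered = []
    for item in manifest["items"]:
        with open(os.path.join(evidence_dir, item["file"]), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != item["sha256"]:
                tampered.append(item["artefact"])
    return tampered


def demo():
    """Collect with a fake runner (no real commands), verify, then simulate
    post-capture editing of the process list and verify again."""
    fake = {  # constructed outputs; arp and lsof pretend to be missing
        "netstat": "tcp 0 0 10.0.0.5:22 203.0.113.7:51032 ESTABLISHED 2221/sshd\n",
        "ps": "root 2221 sshd: root@pts/1\nroot 2250 /tmp/.x/kworkerd\n",
        "ip": "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n",
        "who": "root pts/1 2024-03-03 10:15 (203.0.113.7)\n",
        "uptime": "10:16:02 up 3 days, 1 user\n",
    }

    def fake_runner(argv):
        if argv[0] not in fake:
            return None, f"<{argv[0]} not found on this host>\n"
        return 0, fake[argv[0]]

    with tempfile.TemporaryDirectory() as d:
        manifest = collect_volatile(d, runner=fake_runner)
        before = verify_evidence(d)
        with open(os.path.join(d, "processes.txt"), "a") as f:
            f.write("root 2250 [kworker/0:1]\n")  # someone "tidies" the capture afterwards
        return manifest, before, verify_evidence(d)


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The manifest itself is only evidence of integrity if it leaves the host in a form the attacker cannot rewrite: hash the manifest, record that hash in the handling log and copy both to write-once or off-host storage as part of the "transport" and "preserve" steps. Running the collection tools from the compromised host also trusts its binaries and kernel; where a rootkit is suspected, bring statically linked copies on read-only media.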
Network security emergency response reference cases
- Emergency Plan for Public Internet Network Security Incidents
- Alibaba Cloud security emergency response service
- IBM product security breach emergency response
- Emergency response to the "EternalBlue" attack
- Procedure for handling web page tampering incidents
See textbook pp. 370-377 for details