Basic introduction to the network protection operation

The blog content is mostly collected from the Internet and summarized from my own study. If anything infringes, please contact me and it will be deleted immediately (〃'▽'〃)
Organizing this was not easy; I humbly ask for advice and welcome your guidance ( • ̀ω•́ )✧

What the network protection operation is

What is a network protection operation?
The network protection operation is a network security attack-and-defence exercise: a real offensive and defensive activity conducted against real network targets across the country.

Scale of the network protection operation
Major enterprises and institutions, their subordinate organs, and large enterprises (not limited to the Internet sector); the usual duration is three weeks.

Prospects of network protection operations
In the future, network protection operations will be expanded further, and the shortage of network security talent will also grow.

Network protection experience sharing

Avoiding point deductions:
You must appeal whenever points are deducted for assets that are not yours; if the attacker's report concerns an intranet asset, require proof that it really is our asset; keep a rigorous attitude and never admit anything without conclusive evidence.
Scoring points:
Pay attention to the file sandbox alarm logs and analyse the samples; pay attention to high-risk vulnerability alarms such as deserialization, injection vulnerabilities and system-level access; once enough attack information has been collected, you can contact the referee group for arbitration.
Protection suggestions:
Make good use of IP bans, and ban all overseas IPs; strengthen intranet protection; have full-time sample analysts; vulnerability exploitation and Trojan attacks are the ones to guard against so as not to lose points; English phishing emails do not score.
Internal and external communication:
Report content: source IP, event type, traffic analysis (full traffic); if there is a sample, analyse it and attach it; do not submit only a screenshot of the device alarm. Internal communication runs mainly over WeChat to avoid process bottlenecks.

Attack and defence intrusion paths

Exposure of web and Internet assets
Assets exposed on the Internet face threats from external attackers directly. Compared with the enterprise's internal assets they carry a higher security risk: attackers have more points to exploit, and the cost of an attack is lower.
Devices connected in series to the network, and vulnerable devices
Security devices are deployed in bypass mode (without changing the existing network structure), in series (in-line with the existing network), or by other methods. Where they have vulnerabilities, these can be exploited directly to penetrate the intranet.
Social engineering of high-privilege administrators and security awareness
Employee security-awareness work must be carried through to the end. Everyone should clearly understand their own permissions, the content and areas they are responsible for, and the steps of their work processes, so that attackers pretending to be leaders or other departments cannot obtain information or the like.

Springboards: second-level units and subordinate organizations
While the main unit takes basic protective measures, it must also set clear requirements for its subordinate units, so that any subordinate unit that communicates or exchanges data with it also takes protective measures and tightens its communication policies accordingly.

Red team attack

Web attacks, host attacks, known vulnerabilities, sensitive files, password brute-forcing
Attack team composition
The Ministry of Public Security organizes more than 100 teams, including national information security teams, the military, scientific research institutions, evaluation agencies, security companies and others, several hundred people in total.
Attack method: on the premise of keeping the defender's target (bullseye) system safe (for example, DDoS attacks are prohibited), and without limiting the attack path, any method that might be used is simulated, with the ultimate goal of escalating privileges to control the business and obtain data. The attack process is monitored, however.

Blue team defence

Extreme defensive strategy

Fully offline: all non-important business systems are taken offline, and the target system is taken offline in stages.
Aggressive IP blocking: block IPs by whole class C (/24) ranges, preferring to block 1,000 by mistake rather than let one through.
Cut functions back and report only edge systems.

Proactive defensive strategy

Routine policy tightening
Contact the manufacturers of the existing equipment to adjust the policies of the existing security devices, tighten access-control policies, and harden databases and system components.
Reduce the attack surface
Remove Internet-exposed assets, and information about them that can be found on the Internet, from the existing network.
Make all passwords complex
Whether on the operating system, business portal, database, middleware or even the host itself, every password used for authentication is made complex.
Core business whitelist
Initialize the core business system and the important business systems, record the traffic the business normally generates, and implement a whitelist policy.
Host system patching
Baseline verification of the business systems, rectification of non-compliant items, vulnerability scanning of the business systems, and rectification of the vulnerabilities found.
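The core business whitelist described above can be built from recorded normal traffic and then used to flag deviations. The following is an added example, not code from the original post; the flow records, subnets and the two-observations threshold are constructed assumptions.

```python
"""Core-business whitelist: learn normal flows, then alert on deviations.
Added example, not code from the original post. Flow records are constructed
sample data as (src_ip, dst_ip, dst_port, proto); BASELINE_FLOWS stands for
traffic captured while the business ran normally before the exercise."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: flows recorded during the normal-business window.
BASELINE_FLOWS = [
    ("10.1.20.11", "10.1.10.5", 443, "tcp"),   # web tier -> app tier
    ("10.1.20.11", "10.1.10.5", 443, "tcp"),
    ("10.1.10.5", "10.1.30.7", 3306, "tcp"),   # app tier -> database
    ("10.1.10.5", "10.1.30.7", 3306, "tcp"),
    ("10.1.10.5", "10.1.40.2", 53, "udp"),     # app tier -> internal DNS
    ("10.1.10.5", "10.1.40.2", 53, "udp"),
    ("10.1.99.8", "10.1.30.7", 3306, "tcp"),   # seen only once: not trusted
]
# Constructed: subnets holding the core business (bullseye) systems.
CORE_SUBNETS = ["10.1.10.0/24", "10.1.30.0/24"]


def build_whitelist(flows, min_count=2):
    """Whitelist = flow tuples seen at least min_count times in the baseline;
    a flow observed only once during recording is not trusted automatically."""
    return {flow for flow, n in Counter(flows).items() if n >= min_count}


def classify(flow, whitelist, core_subnets):
    """'allow' for whitelisted flows, 'alert' for any other flow touching a
    core subnet, 'ignore' for flows entirely outside the core scope."""
    if flow in whitelist:
        return "allow"
    nets = [ip_network(s) for s in core_subnets]
    src, dst = ip_address(flow[0]), ip_address(flow[1])
    return "alert" if any(src in n or dst in n for n in nets) else "ignore"


def check_flows(flows, whitelist, core_subnets):
    """Return the flows that must be reported (classified 'alert')."""
    return [f for f in flows if classify(f, whitelist, core_subnets) == "alert"]


if __name__ == "__main__":
    wl = build_whitelist(BASELINE_FLOWS)
    live = [  # constructed: flows seen during the exercise window
        ("10.1.20.11", "10.1.10.5", 443, "tcp"),    # normal
        ("10.1.99.8", "10.1.30.7", 3306, "tcp"),    # unknown host -> database
        ("10.1.10.5", "203.0.113.9", 8443, "tcp"),  # app tier -> outside
        ("10.1.50.3", "10.1.50.4", 22, "tcp"),      # outside core scope
    ]
    for flow in check_flows(live, wl, CORE_SUBNETS):
        print("ALERT", flow)
```

A flow that is neither whitelisted nor touching a core subnet is ignored rather than alerted, so the analysts' attention stays on the bullseye systems the exercise scores.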
Blue team defensive process (figure)

Content of defence

Early-stage overall plan for the protection operation
Establish the overall plan and the organization: the commander-in-chief leading group; the command and decision-making group; the monitoring and early-warning group; the emergency response group; the business assurance group; the external liaison group.
Asset sorting
Extranet assets: IP, port, domain name
Intranet assets: host, system, server
Asset risk: vulnerabilities, weak passwords, boundary integrity
Architecture analysis
Topology sorting: intranet area, Internet access area, etc.; target (bullseye) system and related systems: mutual-access relationships, business flows
Penetration testing
Manual penetration; vulnerability scanning tools; to identify threats to existing assets and understand business-system vulnerabilities.
Rectification and reinforcement
Security hardening; vulnerability repair; security-device policy; deployment of the monitoring means that are lacking
Emergency drills
Checking and filling gaps; security policy optimisation; defence plan optimisation; verification of capabilities in all aspects; emergency drills


Asset sorting

Basic information sorting
Sorted by organizational structure, asset type and asset importance (manually or by platform), including: IP, MAC, (domain name), manufacturer, name, asset type, system identification, open ports, open services, middleware, exposed business, system version, responsible person, business department, deployment location, etc.
Asset vulnerability detection
Weak passwords, high-risk ports, high-risk vulnerabilities, unauthorised outbound connections, unauthorised inline connections, dual network cards, etc.
Sorting outputs
Asset list, vulnerability ledger, asset mapping relationships, risk list, etc.

Penetration overview

  1. Simulate hacker attack methods, conduct non-destructive vulnerability detection and attack testing on important business systems, and find vulnerabilities at the application-code level.
  2. Penetration testing covers vulnerabilities in configuration management, identity authentication, authentication and authorization, session management, input validation, error handling and business logic.
  3. Do not overlook: clean up or restrict access to sensitive information on all internal document services (network topology, security solutions and their deployment locations, password files).
  4. Check backup websites and the storage locations of system source code (developer or outsourcer code-management services) to avoid 0day attacks on system applications.

Rectification and reinforcement (figure)
Emergency drill (figure)

Mid-stage defence

Situational awareness tool (figures)

Fun sharing (figures)


Origin: blog.csdn.net/qq_53571321/article/details/123295386