Media Interview | Zhichuangyu's Hei Ge: Vision and pattern will determine the future of cyberspace surveying and mapping!

A few days ago, the [Niu Interview] column of Security Niu, a professional Internet security media outlet, interviewed Zhichuangyu CSO Hei Ge (Zhou Jingping).

Focusing on the new book "Cyberspace Surveying and Mapping Technology and Practice" published by Zhichuangyu, Security Niu analysts and Hei Ge discussed the current applications and challenges of cyberspace surveying and mapping technology, as well as its future development and innovation.

The full text below is reproduced from the Security Niu official account.

Interview guest: Hei Ge

Reporter: Shi Yifan

Analyst: Xu Xiaoli

With the development and application of network technology, cyberspace has become the country's fifth sovereign space after sea, land, air and space. Cyberspace surveying and mapping integrates multiple disciplines such as network communication technology, cyberspace security, and geography to model and express the attributes of network resources and the relationships between resources, reflecting changes in the status of cyberspace resources, network behaviors, and digital activity intentions. It can be said that cyberspace surveying and mapping is not only an important means of real-time network observation, accurate sampling, mapping and forecasting, but also an important infrastructure for realizing digital production and life and digital governance in the digital age.

Cyberspace surveying and mapping technology has great application significance. But from the perspective of practical application, how mature is the current application of cyberspace surveying and mapping technology? What challenges are faced in its practical application? What kind of innovation and development will there be in the future? With these questions in mind, Security Niu recently invited Zhou Jingping (Hei Ge), CSO of Zhichuangyu, a professional vendor in the field of cyberspace asset surveying and mapping, to exchange ideas on the innovative application and future development of cyberspace surveying and mapping technology.

Hei Ge

Hei Ge (real name: Zhou Jingping) is the chief security officer of Zhichuangyu, the general manager of the 404 security research system, and one of the representative hacker technology research experts in China. Known as the "King of Vulnerabilities" in the industry, he has proposed a variety of offensive and defensive technology innovations in the security field, which have been widely noted and recognized by the industry, and which are at an internationally leading level especially in the fields of vulnerability mining and cyberspace big data analysis and mining. He is the initiator and advocate of the world-renowned cyberspace surveying and mapping search engine ZoomEye, and one of the authors of the best-selling book "Cyberspace Surveying and Mapping Technology and Practice".

01

Security Niu

We have seen that cyberspace surveying and mapping technology is currently receiving a great deal of attention, and Zhichuangyu officially released the book "Cyberspace Surveying and Mapping Technology and Practice" not long ago. From the perspective of an author of this book, how do you understand the definition and connotation of cyberspace mapping?

Hei Ge

Everyone's understanding of the concept of cyberspace is actually different. A more common understanding is simply the digital space composed of the Internet, local area networks, and various devices. But if you enter the Chinese term for "network space" into translation software, it outputs the word "Cyberspace", and if that word is translated back into Chinese, a different, literal rendering of "cyberspace" appears. In the early 1980s, the American science fiction writer William Gibson coined the term "Cyberspace" in his novels. In fact, the "Cyberspace" he described includes the "network space" mentioned above. It also emphasizes that cyberspace corresponds to the actual physical world.

In fact, the "network space" we talk about mainly refers to "Cyberspace" in this sense, and this understanding is very important. I think that there are various mappings between cyberspace and real space! This is the true meaning of cyberspace! This also directly affects the understanding of cyberspace asset mapping, especially in application practice.

With the development of information technology, cyberspace has become the country's fifth sovereign space after sea, land, air, and space. Therefore, the application of cyberspace surveying and mapping technology has become an indispensable need. It plays a vital role in the protection of national security, enterprise security, and personal security. The United States was probably the first to pay attention to cyberspace surveying and mapping, and many famous projects, such as the NSA's Treasure Map project, were born there. The release of Shodan in 2009 marked the beginning of the era of cyberspace mapping search engines.

Zhichuangyu began to pay attention to cyberspace surveying and mapping technology in 2010. It first built a prototype of the ZoomEye product inside the company, and the product was officially launched in 2013. By now, we have accumulated technologies and data related to cyberspace surveying and mapping for more than 10 years. In recent years, many cyberspace surveying and mapping projects similar to ZoomEye have appeared on the Internet, so some people think that this kind of product is easy to make: nothing more than a large-scale scanner similar to ZMap plus an ES database. But in fact, I think cyberspace surveying and mapping is a very complex and huge system, which involves knowledge in multiple disciplines and fields; we know this because we have stepped into many pitfalls ourselves. In order to let industry users better understand cyberspace asset surveying and mapping, we had the idea of writing a related book a few years ago, but due to busy work, everyone focused on technology research and product improvement, so it was only recently that we completed and released the book "Cyberspace Surveying and Mapping Technology and Practice".

In this book, we systematically sort out cyberspace surveying and mapping technology based on Zhichuangyu's many years of technical research and application experience in the field, and describe in detail the principles of cyberspace surveying and mapping technology, the construction of the capability system, and typical application scenarios. When we wrote this book, we tried our best to choose cases that are close to real-world practice and easy to understand. This is mainly to take care of beginners. I hope that all readers of this book can gain something.

02

Security Niu

Many people misinterpret cyberspace asset surveying and mapping as asset scanning and discovery, thinking that they all aim at data collection and identification. What do you think?

Hei Ge

Obviously, asset scanning and discovery are not the same as cyberspace surveying and mapping. If we take the term apart literally, asset scanning and discovery can be understood as part of "measurement", so we still need to "draw". At the KCon conference in 2019, I made a summary of this and emphasized: to do a good job in cyberspace asset surveying and mapping, one needs to obtain more data, and at the same time give soul to these data, that is to say, to analyze and interpret the data.

As we mentioned before, there are multiple mappings between cyberspace and real physical space. It is necessary to analyze data to find these correspondences and describe them. This is actually "drawing". Cyberspace assets are constantly changing with time. From this perspective, asset scanning and discovery are often only tasks at a single point in time, while the detection and scanning in asset mapping is continuous. Reflecting the changes in real space through the dynamic changes in network assets is the concept of "dynamic mapping" that we put forward.

Of course, asset scanning and discovery and asset mapping are also different in data collection dimensions. Asset mapping needs to correlate multiple kinds of data to improve target portraits, describe IP assets in depth, and so on.

03

Security Niu

What do you think is the current application maturity level of cyberspace surveying and mapping technology? What new technical capabilities are needed to optimize and improve it?

Hei Ge

At present, if we only look at it from the perspective of IP detection and scanning, the application of cyberspace asset surveying and mapping technology is relatively mature. In the early days, the Nmap approach was mainly used. After the appearance of ZMap in 2013, the field entered the mass detection stage. It can scan the entire IPv4 address space within a few minutes, and then similar projects such as Masscan appeared. But everything has two sides, and mature applications also mean fierce confrontation. Many VPS providers now prohibit deploying probes such as ZMap, and there is also the problem of nodes being blocked, so this is again a problem that needs to be solved.

In addition, the objects of cyberspace surveying and mapping are not only IPv4 network addresses, but also domain names, IPv6 addresses, and private network fields such as the dark web, blockchain, and Starlink, all of which require new surveying and mapping capabilities. The knowledge of this part is reflected in the technical outline on the first page of "Cyberspace Surveying and Mapping Technology and Practice".

In addition to the dimension of object detection, cyberspace surveying and mapping actually faces many other challenges, such as the pressure on storage and analysis brought about by the increasing amount of data, and the application of new technologies such as ES will also bring many new problems. We should take the initiative to pay attention to and integrate important technological breakthroughs in various fields. For example, ChatGPT, which has recently become popular, may bring very promising technological breakthroughs in the fields of target portraits and fingerprint recognition.

04

Security Niu

You just mentioned that it may take a long time to use cyberspace mapping and to use it well. Why? What are the main application scenarios and application value of cyberspace surveying and mapping technology?

Hei Ge

Before talking about these issues, let me first quote a sentence from the preface of "Cyberspace Surveying and Mapping Technology and Practice": "The pattern determines everything!" I think the application space and scenarios of cyberspace surveying and mapping technology are very large, and what to do with surveying and mapping technology depends entirely on the user's "vision" and "pattern". That is the "Tao" I insist on. There are many things that you need to "think about", "see", and finally "see clearly".

At present, network security is still the most important and core application field of cyberspace surveying and mapping technology, mainly including vulnerability impact assessment, asset census and other directions. This is mainly determined by the current application requirements of customers. Nowadays, many enterprise users urgently need to sort out the exposure surface of their network assets, as with the shadow assets we emphasized in the past few years and the so-called "attack surface management" we have begun to emphasize in the past two years. The objects of this kind of mapping are mainly domain names, cloud hosts and other assets in the internal and external networks of the enterprise, and it also covers the need to identify some fraudulent and forged websites. In my opinion, these can be regarded as the most basic and mature application scenarios of cyberspace surveying and mapping technology. Our company has many very mature products in this area, which can meet the application needs of various customers in different scenarios.

At the same time, we have been committed to exploring various new application scenarios for surveying and mapping technology, have proposed innovative application concepts such as "behavioral surveying and mapping", "dynamic surveying and mapping", and "cross surveying and mapping", and have also carried out a lot of practical attempts for this purpose. For example, we launched the "data subscription" model a long time ago, which can monitor new assets that users care about through search syntax and discover asset exposure problems at the first opportunity. As another example, we have intelligently linked APT attack mapping with our NDR system: "behavior mapping" is used to carry out "dynamic mapping" of the assets used by APT organizations across the whole network, and before the APT attack is actually carried out, the NDR product is used to intercept and defend in advance, truly achieving "forward defense"!

I have always believed that the ultimate goal of the aforementioned "giving data a soul" is to transform data into a kind of "knowledge" and further upgrade it to "wisdom" on this basis, so as to better guide decision-making. Take the "Heartbleed" vulnerability of 2014, which we bring up every time. Through continuous global "dynamic mapping" and through the daily changes in the IP data affected by the vulnerability, we finally obtained the ranking of our country's security emergency response capabilities in the world at that time: 102, which shows that our country urgently needs to improve its vulnerability emergency response capabilities. There is also the "Russia-Ukraine conflict" that has continued since last year. We found very interesting things through surveying and mapping. For example, we can say that we "perceived" the outbreak of the Russia-Ukraine conflict in advance. Through surveying and mapping of network assets such as the C2 used by the organization, it was found that a large number of server resources for attacks were deployed in advance in January 2022. We also "perceived" Russia's offensive routes and attack methods at various stages of the attack.

Based on this understanding, I believe that the application of cyberspace mapping technology will not be limited to the field of network security. For example, when the COVID-19 epidemic broke out, the impact of the epidemic could be predicted through the deployment trend of VPNs, and through the distribution of equipment it was even possible to gain insight into the market coverage capabilities and deficiencies of a certain manufacturer. But for Zhichuangyu, as a professional security vendor, the application of cyberspace surveying and mapping technology in the field of network security will be the core direction of our future research, especially in the field of regional surveying and mapping.

05

Security Niu

You just mentioned the attack surface management (ASM) technology, which is also the focus area that the industry generally pays attention to. What is your opinion on the current development of ASM technology application?

Hei Ge

In the field of network security, there is never a shortage of various new concepts and ideas. But in fact, I am not particularly interested in these "new concepts". From my personal understanding, if the asset sorting of cyberspace mapping is implemented from the perspective of defense, then attack surface management technology places more emphasis on finding problems from the perspective of "attackers". So before Gartner formally put forward the concept of attack surface management, we had actually already done a lot of implementation work.

"Attack surface management" is actually a comprehensive concept, including External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Digital Risk Protection Services (DRPS), Vulnerability Assessment (VA), Weaknesses/Vulnerabilities Prioritization Technology (VPT) and other technologies in multiple scenarios, the core point of which is the continuous monitoring and governance of attack surfaces based on big data. Therefore, I believe that companies with data and technology accumulation in cyberspace mapping and vulnerability assessment management will have natural advantages in helping enterprises achieve attack surface management. For example, Zhichuangyu's 404 Lab has accumulated profound experience in these aspects, especially ZoomEye for surveying and mapping, the Seebug platform for vulnerabilities, and so on. At present, we have launched ScanV, a SaaS-based Internet attack surface management platform, and ZoomEye Pro, a network asset attack surface management system based on local business networks, among others.

Judging from the latest maturity curve released by Gartner, attack surface management technology is still in a relatively early stage of development, and its related products or services need to be compatible with Party A's security operations. It is still a relatively new field for the market, and some time is still needed for integration and wide use.

06

Security Niu

For enterprises carrying out cyberspace surveying and mapping work, Zhichuangyu has put forward a "5W" theory. Drawing on the practice of enterprises' daily security work, can you talk about how to maximize the application value of cyberspace surveying and mapping technology?

Hei Ge

As the new generation of network security technology solutions tends to be comprehensive, more emphasis will be placed on the effective linkage between various technologies or products. Many security products and tools have already completed API transformation, which shows this. Of course, in specific practice, there will be a question of who takes the lead. For example, with cyberspace mapping, if you look at it from the perspective of defense, asset management may take the lead and then cooperate with the related capabilities of vulnerability management; from the perspective of attackers, it will be about assessing whether a vulnerability will affect the security of assets, and so on.

In the book "Cyberspace Surveying and Mapping Technology and Practice", we put forward the "5W" theory around the application of cyberspace asset surveying and mapping technology, namely:

1. Who (holographic): Who owns the asset and who is using it.

2. What (omniscient): What is the asset and what service is provided.

3. Where (global domain): where, what else.

4. When (full time): When is this asset and what has changed.

5. Why (all reasons): Why?

Cyberspace surveying and mapping is carried out to solve these five basic questions. This actually points out the direction for our data acquisition, technology and product development. Of course, each customer's needs and application scenarios are different, which also leads to a different focus in what they choose. For example, when a customer is attacked, the customer may pay more attention to who is attacking them. At this time, the customer's focus is on the attacker's assets (what) and their ownership (who), and then they may go further and pay attention to when they were deployed (when), which other machines the attacker deployed (where), and what the purpose of the deployment is (why). When customers choose surveying and mapping products, they should combine their actual needs and application scenarios, and even find the most suitable product form through repeated testing and adjustment.

07

Security Niu

Cyberspace surveying and mapping is an important tool for future network security protection. What do you think will be its future development and evolution trend?

Hei Ge

As I have said at length already, in my opinion cyberspace surveying and mapping is a very large field, which can be compared with the surveying and mapping discipline in real space. As modern society becomes more and more digitalized, cyberspace becomes more and more important. Cyberspace surveying and mapping is about finding out cyberspace assets, and these assets are actually data in the end, and data is considered to be the most basic strategic resource. Therefore, obtaining more data and giving data a soul is the core of our cyberspace mapping.

The development of technology will also introduce more application scenarios to cyberspace surveying and mapping, such as cloud surveying and mapping brought by cloud technology, darknet surveying and mapping brought by the darknet, Starlink surveying and mapping brought by Starlink satellite communication, and so on. In addition, digital assets are complexly intertwined in multiple scenarios, such as the mixing of public cloud and private cloud data, the intersection of open and dark networks, and the increasingly blurred boundaries between internal and external networks, which will also lead to the integration of and changes in technology and product solutions.

In addition, there is actually a lot of room for improvement in cyberspace surveying and mapping technology itself. For example, as mentioned earlier, no surveying and mapping system can completely cover all network system ports. We still have many protocols and assets that cannot be identified. More innovative thinking is needed, even looking at these issues from a cross-dimensional perspective. For example, the wide application of ES big data technology that I mentioned many times before, and the trend of popularization of AI technology brought about by the recently popular ChatGPT, may lead to new technological changes in cyberspace surveying and mapping, and we should prepare in advance.

Security Niu review

Cyberspace security can only be "defended" if it is "visible". With the increasing demand for offensive and defensive drills, holographic asset management, and attack surface management, the application of cyberspace surveying and mapping is gradually becoming more and more extensive. In the future, applying cyberspace surveying and mapping to risk management and forecasting will definitely become an important basic issue for many enterprises. However, we have also seen that when cyberspace surveying and mapping tools are applied to support network security construction, there are still some rigid index requirements in many scenarios, which require more innovation and technology integration, continuous mining of application scenarios, and continuous and deep accumulation of data.


Origin blog.csdn.net/qq_43380549/article/details/129983972