Detailed explanation of network protection operation

1. What is the network protection operation?

The network protection operation is led by the Ministry of Public Security to assess the network security of enterprises and institutions.

In practice, the Ministry of Public Security organizes both an offensive and a defensive side. Over roughly a month, the offensive side launches cyber attacks against the defensive side (the participating enterprises and institutions) to uncover security weaknesses in its systems.

Through this confrontation with the attackers, the security capabilities of the participating units' networks, systems and equipment are substantially improved.

The "network protection operation" is one of the important arrangements the country has made to address network security issues. It began in 2016. As the country has placed greater emphasis on network security, the number of participating units has kept growing, and more and more units have joined. The confrontation drills are getting closer to real-world conditions, and institutions have upgraded network security from a passive construction task to a hard requirement for protecting their business.

2. Classification of network protection operations

Network protection operations are generally divided by administrative level into national-level, provincial-level and municipal-level operations. In addition, some industries with particularly high network security requirements, such as the financial industry, run their own network protection operations within the industry.

3. Timing of network protection operations

The start time and duration differ between levels. Taking the national-level operation as an example, it generally starts around July or August each year and lasts 2 to 3 weeks. The provincial level lasts about 2 weeks, and lower levels about a week. 2021 is a special case: since it is the 100th anniversary of the founding of the Communist Party of China, all security work must be completed before July, so the 2021 network protection operations will be completed around April.

4. Impact of the network protection operation

The operation is organized by the government, and the participating units are ranked. Units that perform poorly will be affected in future evaluations and other work. Moreover, network protection is linked to politics: once the network of a participating unit is penetrated by the attackers, its leaders may be removed. For example, at a financial securities unit last year, the network was penetrated and the unit's second-in-command was dismissed outright. The price paid can be very serious.

5. Rules of the network protection operation

1. Confrontation between red and blue

The operation is generally divided into a red team and a blue team that confront each other (opinions online differ on which color attacks and which defends; this article follows the domestic convention of red attacking and blue defending).

The red team is the attacking side. It consists mainly of the "national team" (the country's own network security technical personnel) and penetration testers from security vendors. The "national team" accounts for about 60% of the attackers, and the vendor personnel for about 40%. A team typically has about 3 people, responsible respectively for information gathering, penetration, and cleaning up traces afterwards.

The blue team is the defending side; the participating units are usually selected at random.

2. Blue Team Score

The blue team starts with 10,000 points, and points are deducted for every successful attack. The requirements on the blue team become stricter every year. Before 2020, merely discovering an attack earned points or made up for deducted points; in 2021, the blue team must discover the attack in time, handle it in time and reconstruct the attack chain merely to reduce the deduction slightly, and this no longer earns points. The only way to gain points is to spot real hacking attacks (not drill traffic) during the operation.

3. Red Team Score

Each attacking team is assigned some fixed targets. In addition, some targets are placed in a target pool as public targets, and the red team will generally attack these public targets first. Once an attack succeeds and evidence is obtained, it is submitted on a platform provided by the state, and the result is certified. Submissions are generally accepted from 9:00 to 21:00, but this does not mean that nobody attacks outside those hours: the red team will still attack between 21:00 and 9:00 and submit the results during the day. The blue team therefore needs to monitor and defend around the clock.

6. What is a red team?

Red teaming is a full-scale, multi-layered attack simulation designed to measure a company's people and network, application and physical security controls against real-world adversary attacks.

During a red team engagement, trained security consultants develop attack scenarios that reveal potential physical, hardware, software and human vulnerabilities. A red team engagement also reveals the opportunities that bad actors and malicious insiders would have to compromise the company's systems and networks or corrupt its data.

6.1. Significance of Red Team Testing

1. Assess the customer's ability to respond to threatening behavior.

2. Assess the security posture of the customer network by implementing rehearsals (access to CEO email, access to customer data, etc.).

3. Demonstrate potential paths for attackers to access client assets.

From the red team's perspective, any network security assurance task starts by finding problems through technical security detection: discovering system vulnerabilities and identifying weak points in the systems and network. The red team uses a variety of detection and scanning tools to carry out information gathering, vulnerability testing and vulnerability verification against the blue team's target network. For large enterprises in particular, it finds the systems' security problems through large-scale target detection and other rapid means. The main process is as follows:

1. Large-scale target detection

To quickly learn the blue team's system types, device types, versions, open services and port information, the red team uses Nmap and similar port scanning and service identification tools, and even large-scale rapid survey tools such as ZMap and MASScan, to determine the system and network boundary. These tools reveal basic information such as the size of the user's network and which services are exposed overall, so that subsequent tests can be more targeted.

2. Password and common vulnerability testing

Once the red team knows the network size, host system types and exposed services of the blue team's users, it uses Metasploit or manual methods to carry out targeted attacks and vulnerability tests, covering web application vulnerabilities, middleware vulnerabilities, and remote code execution vulnerabilities in systems, applications and components. At the same time, tools such as Hydra are used to test the passwords of various services, middleware and systems for common weak passwords, with the aim of ultimately obtaining host system or component privileges.

3. Permission acquisition and lateral movement

After obtaining privileges on a specific target through a system vulnerability or weak password, the red team uses the host's privileges and network reachability to move laterally, expanding its foothold to control key databases, business systems and network equipment. Using the information it has gathered, it ultimately controls the core systems and obtains core data, demonstrating the shortcomings of the current security posture.

Red teams act as real, motivated attackers. Most of the time a red team engagement is large in scope, with the entire environment in range, and the goal is to infiltrate, maintain persistence, reach the central systems and withdraw cleanly, confirming what a persistent adversary could achieve. All tactics are available, including social engineering. Eventually the red team either reaches its goal of owning the entire network, or its actions are caught and stopped by the security administrators of the network it attacked; at that point it reports its findings to management to help improve the security of the network.

One of the main goals of a red team is to remain invisible even after getting inside the organization. Penetration testers are noisy on the network and are easily detected because they use conventional means to enter the organization, while red teamers are stealthy, fast, and have the technical knowledge to evade antivirus, endpoint protection solutions, firewalls and other security measures the organization has implemented.

7. What is a blue team?

The greater challenge for the blue team is to find exploitable vulnerabilities and protect its domain without imposing too many restrictions on users.

1. Identify controls

The most important thing for a blue team is to understand the controls in place in its environment, especially when it comes to phishing. Some companies only start looking at the protective measures in their own networks once a formal confrontation is scheduled.

2. Ensure data is collected and analyzed

Because a blue team's effectiveness depends on its ability to collect and use data, log management tools such as Splunk are especially important. Another key ability is to record all of the team's actions with high fidelity, so that during the review it can determine what went right, what went wrong, and how to improve.

3. Use the right tools for the environment

The tools a blue team uses depend on the needs of its environment. The team has to work out "what is this program doing? Why is it trying to format the hard drive?", and then add technology that blocks unintended actions. The means of testing whether that technology works come from the red team.

4. Pick experienced people to join the team

Apart from tools, the most valuable asset of a blue team is the knowledge of its members. With experience you start to think, "I've seen this, I've seen that, they did this and that, but I wonder whether there is a flaw here." If you only prepare for what is known, you are unprepared for the unknown.

5. Assume there will be failure

Asking questions is a valuable tool for exploring the unknown. Don't stop at preparing for what exists today; assume there will be failures in your own infrastructure.

The best way to think about it is to assume that there will eventually be flaws and that nothing is 100% secure.


Origin blog.csdn.net/2301_77732591/article/details/130558517