Information Security Engineer (Soft Exam) Notes, Chapter 17: Principles and Applications of Network Security Emergency Response Technology

1. Overview of network security emergency response

  • Network security emergency response refers to the monitoring, early warning, analysis, response and recovery work that the relevant personnel or organizations carry out when a network security incident occurs.
  • Network security emergency response is an important mechanism for protecting cyberspace security, and the corresponding legal requirements are set out explicitly in the Cybersecurity Law of the People's Republic of China (Chapter 5, Monitoring, Early Warning and Emergency Response).



2. Network security emergency response organization establishment and working mechanism

  • Organization establishment

  A network security emergency response organization is mainly composed of an emergency leading group and an emergency technical support group. Its work mainly covers the following aspects:

  • Network security threat intelligence analysis and research
  • Monitoring and analysis of network security events
  • Release of network security early warning information
  • Compiling and revising the network security emergency response plan
  • Development and management of the network security emergency response knowledge base
  • Network security emergency response drills
  • Network security incident response and handling
  • Analysis and summary of network security incidents
  • Network security education and training

  • Working mechanism

  The network security emergency response organization is the team that handles, coordinates or supports the handling of the organization's network security incidents. It coordinates the organization's response to security emergencies; provides security services and technical support such as network security monitoring, early warning, response and prevention; collects, verifies, summarizes and publishes authoritative network security information in a timely manner; and cooperates and communicates with domestic and foreign network security emergency response organizations.

  • Organization type

  According to factors such as funding source and service target, emergency response teams fall into the following categories: public-interest (non-profit) emergency response teams, internal emergency response teams, commercial emergency response teams, and vendor emergency response teams. The relationship between the different types of network security emergency response organizations is shown in the figure.

[figure: relationship between the types of network security emergency response organizations]

3. Content and type of cybersecurity emergency response plan

3.1 Types and classifications of network security incidents

  In 2017 the Office of the Central Cyberspace Affairs Commission (Cyberspace Administration of China) issued the National Cybersecurity Incident Emergency Response Plan, which divides network and information security incidents into seven basic categories: malicious program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, catastrophic incidents, and other information security incidents.

  According to the impact of a network security incident on national security, social order, economic construction and public interests, incidents are graded into four levels: particularly major (Level I), major (Level II), relatively major (Level III) and general (Level IV) network security incidents, as shown in the table.

[table: classification of network security incidents]

[table: grading of network security incidents]

3.2 Contents of the network security emergency response plan

  The network security emergency response plan sets out, for the types of security incidents and unexpected situations conceived in advance, the working steps for dealing with them when an emergency occurs. Generally, its basic contents are as follows:

  • List in detail the types of emergencies the system may face and the handling measures for each.
  • The basic workflow for incident handling.
  • The specific steps and order of operations to take during emergency response.
  • The names, addresses, telephone numbers and other contact details of the personnel who implement the plan and of the relevant functional departments.

3.3 Types of Network Security Emergency Response Plans

  According to the management scope covered, network security emergency response plans can be divided into national-level, regional-level, industry-level, departmental-level and other network security incident emergency plans. Plans at different levels have different specific requirements: higher-level plans are oriented toward guidance, while lower-level plans focus on the procedures for handling network security incidents.

  Emergency response should also formulate more specific plans based on the network information systems and business characteristics concerned. Specific network security events generally require specific handling operations, for example a malicious code emergency plan, a network equipment failure emergency plan, a computer room power supply interruption emergency plan, a web page tampering emergency plan, and so on.

4. Common network security emergency incident scenarios and processing procedures

4.1 Common Network Security Emergency Handling Scenarios

  (1) Malicious program incidents: these usually cause slow system response and abnormal network traffic, and mainly involve computer viruses, network worms, Trojan horses and botnets. Destructive spread of a malicious program is handled by the emergency response organization, which may coordinate external organizations to provide technical assistance, analyze the harmful program, preserve the scene, and cut off the relevant network connections if necessary.

(2) Network attack incidents

  • Security scanner attack: the attacker uses scanners to probe the target system for vulnerabilities.
  • Brute-force attack: guessing the account passwords of the target system in order to obtain back-end administrator privileges.
  • System vulnerability attack: exploiting vulnerabilities in the operating system or application system.

(3) Website and Web application security incidents

  • Web page tampering: unauthorized modification of website page content, or incorrect operations that alter it.
  • Web page Trojan (drive-by download): a website vulnerability is exploited to plant a web page Trojan that infects visitors.
  • Illegal pages: gambling, pornography, phishing and other malicious pages appear on the site.
  • Web vulnerability attack: attacks through web vulnerabilities such as SQL injection, file upload vulnerabilities, XSS and unauthorized access vulnerabilities.
  • Website domain name service hijacking: the website's DNS information is corrupted so that the domain name resolves to a malicious site.

(4) Denial of service event

  • DDoS: attackers exploit weaknesses in the TCP/IP protocols and the limited network bandwidth of servers to launch a distributed denial-of-service attack from many sources.
  • DoS: a security hole in the server is exploited so that the website or server becomes unreachable, business is interrupted, and users cannot access the service.

4.2 Network Security Emergency Handling Process

  Emergency incident handling generally includes the following steps: security incident alarm, security incident confirmation, emergency plan activation, security incident handling, security incident report writing, and emergency work summary.

  • The first step is the security incident alarm. When an emergency occurs, the staff on duty must report it promptly. The person raising the alarm should describe the security incident accurately and keep a written record. Depending on the type of incident, each security incident is reported up the chain prescribed by the reporting rules: 1 - the person on duty, 2 - the emergency working group leader, 3 - the emergency leading group.
  • The second step is security incident confirmation. After receiving the alarm, the emergency working group leader and the emergency leading group first judge the type of security incident and then decide whether to activate the emergency plan.
  • The third step is emergency plan activation. The emergency plan consists of the handling measures formulated in advance, after fully considering the various kinds of security incidents, so that incidents can be dealt with promptly and effectively in an emergency. The situation where the plan cannot be found or cannot be activated when an emergency occurs must be avoided.
  • The fourth step is security incident handling. Handling a security incident is a complex task that requires at least two people. The main tasks are:
    • Preparation: notify the relevant personnel and exchange the necessary information.
    • Detection: take a snapshot of the scene and preserve all records that may serve as evidence (including system events, actions taken by the incident handlers, communication with outside parties, etc.).
    • Containment: take containment measures to limit the scope of the attack as far as possible.
    • Eradication: resolve the problem and remove the root cause, analyze the system vulnerabilities that led to the incident, and take remedial measures. Note that before the scene is cleaned up, all necessary original information must be collected and preserved so that the incident can be archived.
    • Recovery: restore the system so that it functions normally.
    • Summary: submit the incident handling report.
  • The fifth step is writing the security incident report. Based on the incident handling records and the raw data collected, combined with expert security knowledge, complete the security incident report.
  • The sixth step is the emergency work summary. Hold an emergency work summary meeting, review the problems encountered during the emergency work, analyze their causes, and identify the corresponding solutions.

5. Network Security Emergency Response Technologies and Common Tools

5.1 Overview of Network Security Emergency Response Technology

  Network security emergency response is a complex process that requires the comprehensive application of multiple technologies and security mechanisms. The technologies commonly used in the network security emergency response process are shown in the table.

[table: technologies commonly used in network security emergency response]

  • Access control technology. An important technical means in network security emergency response; its purpose is to prevent network resources from being accessed illegally and to limit the scope of a security incident. Depending on the object being controlled, access control includes network access control, host access control, database access control, application service access control, etc., implemented through firewalls, proxy servers, routers, VLANs, user identity authentication and authorization, and so on.

  • Network security assessment. It refers to analyzing the victim system to determine how it has been compromised and damaged. The main methods currently used are the following:

  (1) Malicious code detection: use malicious code detection tools to determine whether viruses, Trojan horses, worms or spyware have been installed on the victim system. Commonly used tools include D-Shield WebShellKill (for web shells), chkrootkit and rkhunter (for Unix rootkits), and 360 antivirus tools.

  (2) Vulnerability scanning: use a vulnerability scanner to find the vulnerabilities present on the victim system, then analyze how harmful each one is. Commonly used tools include Nmap for port and service scanning and Nessus for vulnerability scanning.

  (3) File integrity check: the purpose is to discover whether files on the victim system have been tampered with or whether operating system components, including the kernel, have been replaced. This is done by comparing file hashes with a baseline taken before the incident or with the package manager's records.

  (4) System configuration file inspection: after entering the victim system, an attacker will generally modify system files to facilitate subsequent attacks or to keep control. By checking and analyzing system configuration files, the administrator can discover what the attacker did on the system. On a UNIX system, for example, the administrator needs to perform the following checks:

  • Check the /etc/passwd file for suspicious users (in particular, extra accounts with UID 0).
  • Check whether the /etc/inetd.conf file has been modified.
  • Check whether the /etc/services file has been modified.
  • Check the r-command configuration in /etc/hosts.equiv and the users' .rhosts files.
  • Check for new SUID and SGID files. Use the find command to list all SUID and SGID files on the system (# is the root prompt; the parentheses are escaped so that the shell passes them to find):
# find / \( -perm -004000 -o -perm -002000 \) -type f -print

  (5) Network card promiscuous mode check: the purpose is to confirm whether a network sniffer is installed on the victim system. Because a sniffer can monitor and record network traffic, intruders often use one to capture usernames and passwords transmitted in the clear. Software tools exist that detect sniffers on the system, such as CPM (Check Promiscuous Mode) and ifstatus on the UNIX platform; on Linux the PROMISC flag in the output of ip link or ifconfig shows the same condition.

  (6) File system check: the purpose is to confirm whether the intruder has created files on the victim system. Intruders generally create hidden directories or hidden files to facilitate later intrusions. For example, intruders place Trojan files in the /dev directory, which normally contains only device nodes and which administrators rarely inspect, so the Trojan escapes notice.

  (7) Log file review: reviewing the victim system's log files lets emergency response personnel reconstruct the intruder's path into the system and the operations the intruder performed.


  • Network security monitoring. Its purpose is to analyze the network activity or internal activity of the victim system and obtain its current state. The main methods currently used are the following:

  (1) Network traffic monitoring. Network monitoring tools are used to capture the victim system's traffic, and its communication on the network is mined and analyzed to discover abnormal behavior, especially covert network attacks such as remote-control Trojans, data-stealing Trojans, network worms and ransomware.

  (2) System self-monitoring. Its purpose is mainly to grasp the current activity state of the victim system in order to confirm what the intruder did on it. It covers the following aspects:

  • Monitoring of the victim system's network connection status
  • Monitoring of the victim system's operating system process activity
  • Monitoring of the victim system's activity status
  • Monitoring of the victim system's address resolution (ARP) status
  • Monitoring of the victim system's process resource usage
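  The checks in (4) to (6) above and the address-resolution item of system self-monitoring, collected into one shell script as an added example (not part of the original notes). Every function takes the path it inspects as an argument, so the same checks can be run against the live system or against a read-only mounted copy of the victim's disk; the sysfs flag test and the /proc/net/arp format are Linux-specific. The baseline file of SUID/SGID paths and the recorded configuration hashes are assumed to have been taken from a clean system beforehand, and the directory layout is the one the text names (/etc/passwd, /etc/hosts.equiv, ~/.rhosts, /dev).

```shell
#!/bin/sh
# Triage helpers for the checks described in (4) system configuration files,
# (5) promiscuous mode, (6) file system, and the address-resolution check
# under system self-monitoring. Each function takes the paths it inspects as
# arguments, so the same checks run against the live root (/) or against a
# mounted image of the victim's disk (e.g. /mnt/evidence). Only POSIX/GNU
# userland is used: awk, find, sort, comm, uniq, sha256sum.

# (4) Accounts other than root with UID 0, or with an empty password field:
# both are common persistence left behind by an intruder.
suspicious_passwd_entries() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }' "$1"
}

# (4) A configuration file (inetd.conf, services, ...) is "unchanged" when its
# SHA-256 still matches the hash recorded at baseline time.
config_unchanged() {
    file=$1; expected=$2
    [ -f "$file" ] || return 1
    [ "$(sha256sum "$file" | cut -d' ' -f1)" = "$expected" ]
}

# (4) r-command trust files: a line beginning with "+" in hosts.equiv or a
# user's .rhosts grants password-less rlogin/rsh from any host.
rhosts_wildcards() {
    root=$1
    for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts "$root/root/.rhosts"; do
        if [ -f "$f" ] && grep -q '^+' "$f"; then printf '%s\n' "$f"; fi
    done
}

# (4) The find command from the notes, with the parentheses escaped for the
# shell; output is sorted so it can be compared with a baseline via comm.
list_setid_files() {
    find "$1" \( -perm -004000 -o -perm -002000 \) -type f -print | sort
}

# SUID/SGID files present now but absent from the baseline (one path per
# line, sorted) are the ones to examine first.
new_setid_files() {
    list_setid_files "$1" | comm -13 "$2" -
}

# (5) Linux exposes interface flags in sysfs; bit 0x100 is IFF_PROMISC.
# Passing the directory lets a copied /sys/class/net snapshot be checked too.
promisc_interfaces() {
    for dev in "$1"/*; do
        [ -r "$dev/flags" ] || continue
        flags=$(cat "$dev/flags")                 # e.g. 0x1103
        if [ $(( flags & 0x100 )) -ne 0 ]; then basename "$dev"; fi
    done
}

# (6) Hidden entries in a directory that should contain none, such as /dev,
# where attackers hide Trojan files because administrators rarely look there.
hidden_entries_in() {
    find "$1" -name '.?*' -print | sort
}

# Self-monitoring: a MAC address that answers for more than one IP in the
# ARP cache (/proc/net/arp format) is the usual sign of ARP spoofing.
arp_duplicate_macs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" { print $4 }' "$1" | sort | uniq -d
}

# Usage: sh triage.sh <root> <sysfs-net-dir> <setid-baseline-file>
if [ "$#" -eq 3 ]; then
    echo "== suspicious passwd entries";      suspicious_passwd_entries "$1/etc/passwd"
    echo "== r-command trust wildcards";      rhosts_wildcards "$1"
    echo "== new SUID/SGID files";            new_setid_files "$1" "$3"
    echo "== interfaces in promiscuous mode"; promisc_interfaces "$2"
    echo "== hidden entries in /dev";         hidden_entries_in "$1/dev"
    echo "== duplicate MACs in ARP cache";    arp_duplicate_macs "$1/proc/net/arp"
fi
```

  Run it as sh triage.sh /mnt/evidence /mnt/evidence/sys/class/net baseline_setid.txt, where the baseline was produced earlier on a known-good host with list_setid_files / > baseline_setid.txt. Comparing against a baseline rather than reading the full list matters because a normal system already contains dozens of legitimate SUID binaries (su, passwd, mount, ...), and an intruder's copy of a shell with the SUID bit set hides easily among them.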

  • System recovery. System recovery technology restores the victim system to normal operation after the security handling, minimizing the loss caused by the attack. It mainly consists of the following:

  (1) System emergency startup: when a computer system cannot be used normally because a password was forgotten or system files were lost, the damaged system can be booted from a system emergency startup disk so that access to it is regained. The main function of the disk is to boot the computing device's operating system; it is typically a CD-ROM or a USB flash drive that holds the files needed for a minimal start of the operating system and can bring up the relevant devices on its own.

  (2) Malicious code removal: when a system cannot be used normally after a malicious code attack, the malicious code is removed from the victim system with dedicated security tools.

  (3) System vulnerability repair: check the victim system for the relevant security holes with security tools, then install the patches.

  (4) Deleted file recovery: when an operating system deletes a file on a FAT volume, it only marks the file's directory entry as deleted (the first byte of the entry is set to 0xE5) and marks the clusters the file occupied as free in the FAT; the clusters in the data area still hold the original contents. Deleting an ordinary file is therefore a logical mark, not a physical erasure, and the deleted file can be retrieved with a recovery tool as long as the clusters have not been reused. This no longer holds once the clusters are overwritten, and on SSDs the TRIM command may cause the data to be discarded shortly after deletion.

  (5) System backup and disaster recovery: common backup and disaster recovery technologies include disk arrays, hot-standby (dual-machine) systems, and disaster recovery centers. When the operating system is paralyzed by an attack, the backup or disaster recovery system is brought online to maintain business continuity and data security.


  • Intrusion forensics. It refers to extracting evidence of an attack from computer and network systems with specific software and tools. According to how quickly the information changes, evidence falls into two categories: the first is real-time or volatile information, such as memory contents and network connections, which is lost when the device is powered off and must therefore be collected first; the second is non-volatile information, such as disk contents, which survives a power-off.

Generally, the information that can serve as evidence or that is associated with evidence is as follows:

  • Logs, such as operating system logs and network access logs;
  • Files, such as file size, file content, file creation date, swap files, etc.;
  • System processes, such as process name and the files a process accesses;
  • Users, especially the login times and usage patterns of online users;
  • System status, such as the services the system has open and its network operating mode;
  • Network communication connection records, such as network router operation logs;
  • Disk media, including hard disks, CDs, USB drives, etc., especially hidden areas of the disk.

Network security forensics generally includes the following six steps:

  • The first step is to protect the scene and collect evidence: preserve the integrity of the victim system or device and prevent evidence from being lost.
  • The second step is to identify the evidence: identify the types of evidentiary information that may be obtained and apply the appropriate acquisition techniques and tools.
  • The third step is to transmit the evidence: securely transfer the captured information to the forensic equipment.
  • The fourth step is to preserve the evidence: store the evidence and ensure that the stored data remains consistent with the original.
  • The fifth step is to analyze the evidence: correlate the relevant evidence, construct the chain of evidence, and reconstruct the attack process.
  • The sixth step is to submit the evidence: submit it to administrators, lawyers, or the court.
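Steps 1, 3 and 4 above, as a shell script added here as an example (not part of the original notes): the source is hashed before imaging, copied with dd, hashed again, and the hash is recorded beside the image, so that the fourth step's requirement that stored data remain consistent with the original can be checked at any later time. The example assumes a GNU/Linux userland (dd, sha256sum with -c) and that the source is attached read-only, for example through a hardware write blocker; the paths in the usage line are illustrative.

```shell
#!/bin/sh
# Evidence acquisition with integrity hashes: hash the source before copying,
# copy it with dd, hash the copy, and refuse the image unless both hashes
# agree. The .sha256 file is what goes into the chain-of-custody record and
# what every later verification is checked against. SRC may be a block
# device (/dev/sdb behind a write blocker) or an already extracted file.

acquire_image() {
    src=$1; image=$2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # bs=4M keeps the copy fast. No conv=sync: padding short blocks would
    # change the image's hash relative to the source.
    dd if="$src" of="$image" bs=4M
    img_hash=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 1
    fi
    # Record the hash beside the image and make both read-only so that
    # analysis tools cannot alter the evidence copy by accident.
    printf '%s  %s\n' "$img_hash" "$(basename "$image")" > "$image.sha256"
    chmod 0444 "$image" "$image.sha256"
    printf '%s\n' "$img_hash"
}

# Re-check a stored image against its recorded hash (step 4: stored data must
# remain consistent with the original). Returns non-zero on any change.
verify_image() {
    image=$1
    ( cd "$(dirname "$image")" && sha256sum -c --quiet "$(basename "$image").sha256" )
}

# Usage: sh acquire.sh /dev/sdb /mnt/evidence/case01/sdb.img
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2" && verify_image "$2" && echo "image verified: $2"
fi
```

The same verify_image call is what the analyst runs before and after working on the image, and again when the evidence is handed over in step 6; a mismatch means the image can no longer be presented as a faithful copy of what was seized.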


Origin blog.csdn.net/qq_43632414/article/details/127399037