A 3000-word detailed explanation: What is Operation Net Protection? What is red-blue confrontation?

1. What is Operation Net Protection?

Operation Net Protection is an exercise led by the Ministry of Public Security to assess the network security of enterprises and institutions.

In practice, the Ministry of Public Security organizes an offensive side and a defensive side. Within a month, the offensive side launches cyber attacks on the defensive side to uncover security loopholes in the defensive side (the participating enterprises and institutions).

By confronting the attackers, the security capabilities of the networks, systems and equipment of enterprises and institutions are greatly improved.

"Operation Net Protection" is one of the important arrangements the country has made to deal with network security issues. Net protection began in 2016. As our country has placed more emphasis on network security, the range of participating units has kept expanding, and more and more units have joined the net protection operation. The network security confrontation drills are getting closer to real conditions, and organizations' network security needs have been upgraded from passive construction to a hard requirement for business assurance.

2. Levels of net protection

Net protection is generally divided by administrative level into national-level, provincial-level and municipal-level net protection. In addition, some industries, such as finance, have relatively high network security requirements, so net protection operations are also carried out within those industries.

3. Timing of net protection

Different levels of net protection have different start times and durations. Taking the national level as an example, net protection generally starts around July or August each year and lasts 2 to 3 weeks; the provincial level takes about 2 weeks, and lower levels about a week. 2021 is special: all security work must be completed before July, so the 2021 net protection will be finished around April.

4. The impact of net protection

Net protection is organized by the government, and the participating units are ranked. Units that perform poorly are affected in future evaluations and other work. Moreover, net protection is tied to politics: once the network of a participating enterprise or unit is penetrated by attackers, its leaders may be removed. For example, at a financial securities unit last year, the network was penetrated and the unit's second-in-command was dismissed outright. The overall price paid is still very serious.

5. Rules of net protection

1. Red-blue confrontation

Net protection generally divides participants into two teams, red and blue, for red-blue confrontation (opinions online differ on which of red and blue attacks and which defends; here we use the domestic model of red attacking and blue defending).

The red team is the attacking team. It consists mainly of the "national team" (the country's own network security technical personnel) and penetration testers from security vendors; the "national team" accounts for about 60% and the vendor attack teams for about 40%. A team generally has about 3 people, responsible for information collection, intrusion, and cleaning up afterwards.

The blue team is the defending team, and some units are usually selected at random to participate.

2. Blue team score

The blue team starts with 10,000 points, and points are deducted each time an attack succeeds. Every year the requirements on the blue team become more stringent. Before 2020, the blue team could earn extra points, or make up for deducted points, simply by detecting attacks; from 2021, the blue team must discover the attack in time, handle it in time and reconstruct the attack chain merely to lose fewer points, and can no longer gain points this way. The only way to gain points is to spot real hacking attacks during the net protection period.

3. Red team score

Each attacking team is assigned some fixed targets. In addition, some targets are selected and placed in a target pool as public targets, and the red team generally prioritizes attacking these public targets. Once an attack succeeds and evidence is obtained, it is submitted on a platform provided by the state; if the submission is validated, points are awarded. Generally the submission platform accepts submissions from 9:00 to 21:00, but this does not mean nobody attacks outside that window. In fact, the red team will still use the period from 21:00 to 9:00 to attack and then submit the results during the day. The blue team therefore needs 24-hour monitoring and protection.

6. What is the red team?

Red teaming is a full-scale, multi-layered attack simulation designed to measure how well a company's people, and its network, application and physical security controls, stand up to attacks from real-world adversaries.

During a red team engagement, trained security consultants develop attack scenarios that reveal potential physical, hardware, software and human vulnerabilities. A red team engagement also reveals the opportunities that bad actors and malicious insiders would have to compromise a company's systems and networks or corrupt its data.

6.1. The significance of red team testing

1. Assess the customer's ability to respond to threatening behavior.

2. Assess the security posture of the customer's network by rehearsing realistic objectives (access to the CEO's email, access to customer data, etc.).

3. Demonstrate potential paths by which attackers could reach client assets.

We believe that, from the red team's perspective, any network security assurance task starts by finding problems: using technical means of security detection to discover system security vulnerabilities and shortcomings in the systems and network. The red team, as the detecting side, uses a variety of detection and scanning tools to carry out information collection, vulnerability testing and vulnerability verification against the blue side's target network. Especially when facing large enterprises, security problems in the systems are discovered through rapid methods such as large-scale target detection. The main process is as follows:

1. Large-scale target reconnaissance

To quickly learn the blue side's system types, device types, versions, open service types and port information, the red side uses Nmap, port-scanning and service-identification tools, and even large-scale rapid scanners such as ZMap and MASScan, to determine the system and network boundary. Such tools give a picture of the size of the user's network and which services are exposed overall, so that subsequent testing can be more targeted.

2. Password and common vulnerability testing

Once the red team knows the blue side's network size, host system types and exposed services, it uses Metasploit or manual methods to carry out targeted attacks and vulnerability tests, including vulnerabilities in various web application systems, middleware vulnerabilities, and remote code execution vulnerabilities in systems, applications and components. At the same time, Hydra and similar tools are used to test the passwords of various services, middleware and systems for common weak passwords, with the aim of finally obtaining host system or component privileges.

3. Permission acquisition and lateral movement

After the red side obtains privileges on a specific target through a system vulnerability or a weak password, it uses those host privileges and network reachability to move laterally, expanding its results to take control of key databases, business systems and network equipment. Using the information collected along the way, it finally controls the core systems and obtains core data, proving that the current system's security is inadequate.
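The three phases just described (wide reconnaissance, weak-password testing, lateral movement) are exactly what the blue team's 24-hour monitoring has to surface in its logs. As an added example, not from the original article or from any net protection platform, the script below runs three simple detectors over a constructed log sample: a source touching many distinct ports in a short window, a source failing logins across many accounts and then succeeding, and an internal host successfully authenticating to many other hosts in a short window. The log format, the thresholds, the IP addresses and the function names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in an invented format (not from any real firewall or auth system):
#   <ts> FW   src=<ip> dst=<ip> dport=<port> action=<allow|deny>
#   <ts> AUTH src=<ip> host=<ip> user=<name> result=<ok|fail>
SAMPLE_LOGS = """\
2021-04-01T02:00:01 FW src=203.0.113.10 dst=198.51.100.5 dport=22 action=deny
2021-04-01T02:00:01 FW src=203.0.113.10 dst=198.51.100.5 dport=80 action=allow
2021-04-01T02:00:02 FW src=203.0.113.10 dst=198.51.100.5 dport=443 action=allow
2021-04-01T02:00:02 FW src=203.0.113.10 dst=198.51.100.5 dport=3306 action=deny
2021-04-01T02:00:03 FW src=203.0.113.10 dst=198.51.100.5 dport=8080 action=deny
2021-04-01T02:00:03 FW src=203.0.113.10 dst=198.51.100.5 dport=6379 action=deny
2021-04-01T02:00:04 FW src=203.0.113.10 dst=198.51.100.5 dport=21 action=deny
2021-04-01T02:00:04 FW src=203.0.113.10 dst=198.51.100.5 dport=25 action=deny
2021-04-01T02:00:04 FW src=203.0.113.10 dst=198.51.100.5 dport=3389 action=deny
2021-04-01T02:00:05 FW src=203.0.113.10 dst=198.51.100.5 dport=8443 action=deny
2021-04-01T02:00:05 FW src=203.0.113.10 dst=198.51.100.5 dport=9200 action=deny
2021-04-01T02:00:05 FW src=203.0.113.10 dst=198.51.100.5 dport=27017 action=deny
2021-04-01T09:15:00 FW src=192.0.2.44 dst=198.51.100.5 dport=443 action=allow
2021-04-01T02:10:00 AUTH src=203.0.113.10 host=198.51.100.5 user=admin result=fail
2021-04-01T02:10:01 AUTH src=203.0.113.10 host=198.51.100.5 user=root result=fail
2021-04-01T02:10:01 AUTH src=203.0.113.10 host=198.51.100.5 user=oracle result=fail
2021-04-01T02:10:02 AUTH src=203.0.113.10 host=198.51.100.5 user=tomcat result=fail
2021-04-01T02:10:02 AUTH src=203.0.113.10 host=198.51.100.5 user=test result=fail
2021-04-01T02:10:03 AUTH src=203.0.113.10 host=198.51.100.5 user=admin result=ok
2021-04-01T02:20:00 AUTH src=198.51.100.5 host=198.51.100.20 user=admin result=ok
2021-04-01T02:20:30 AUTH src=198.51.100.5 host=198.51.100.21 user=admin result=ok
2021-04-01T02:21:00 AUTH src=198.51.100.5 host=198.51.100.22 user=admin result=ok
2021-04-01T02:21:30 AUTH src=198.51.100.5 host=198.51.100.23 user=admin result=ok
2021-04-01T09:30:00 AUTH src=198.51.100.9 host=198.51.100.5 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) (FW|AUTH) (.+)$")


def parse_logs(text):
    """Parse the constructed format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for pair in rest.split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _max_distinct_in_window(items, window, key):
    """items: (ts, event) pairs sorted by ts. Largest number of distinct key(event)
    values that fall inside any span of length `window` starting at one of the items."""
    best = 0
    for i in range(len(items)):
        seen = set()
        for ts, ev in items[i:]:
            if ts - items[i][0] > window:
                break
            seen.add(key(ev))
        best = max(best, len(seen))
    return best


def detect_port_scans(events, window=timedelta(minutes=1), min_ports=10):
    """Reconnaissance: a source probing many distinct destination ports in one window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "FW":
            by_src[ev["src"]].append((ev["ts"], ev))
    alerts = {}
    for src, items in by_src.items():
        n = _max_distinct_in_window(items, window, lambda e: e["dport"])
        if n >= min_ports:
            alerts[src] = n
    return alerts


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Weak-password testing: many failed logins across several accounts from one
    source, plus whether a success followed them inside the same window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "AUTH":
            by_src[ev["src"]].append((ev["ts"], ev))
    alerts = {}
    for src, items in by_src.items():
        for i, (start, _) in enumerate(items):
            failed_users, failures, success_after = set(), 0, False
            for ts, ev in items[i:]:
                if ts - start > window:
                    break
                if ev["result"] == "fail":
                    failures += 1
                    failed_users.add(ev["user"])
                elif failures:
                    success_after = True  # a guess landed after the failures
            if failures >= min_failures and len(failed_users) >= min_users:
                alerts[src] = {"failures": failures, "users": len(failed_users),
                               "success_after": success_after}
                break
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Lateral movement: one source logging in successfully to many hosts in one window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "AUTH" and ev["result"] == "ok":
            by_src[ev["src"]].append((ev["ts"], ev))
    alerts = {}
    for src, items in by_src.items():
        n = _max_distinct_in_window(items, window, lambda e: e["host"])
        if n >= min_hosts:
            alerts[src] = n
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("port scans:", detect_port_scans(evs))
    print("brute force:", detect_brute_force(evs))
    print("lateral movement:", detect_lateral_movement(evs))
```

On the sample, the same external address is flagged for scanning twelve ports in five seconds and then for five failed logins across five accounts followed by a success, after which the compromised internal host is flagged for fanning out to four other hosts. The thresholds are deliberately loose for the sample; in a real deployment they are tuned against the baseline of the blue team's own environment, and the alerts would be raised into the log platform rather than printed.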

Red teams act as real, motivated attackers. Most of the time red team engagements are large, the entire environment is in scope, and their goal is to infiltrate, maintain persistence, move to central positions and retreat cleanly, in order to confirm what a persistent adversary could do. All tactics are available, including social engineering. Eventually the red team either reaches its goal of owning the entire network, or its actions are caught and stopped by the security administrators of the network being attacked; at that point it reports its findings to management to help improve the security of the network.

One of the main goals of the red team is to remain invisible even once inside the organization. Penetration testers are comparatively noisy on the network and easily detected, because they use traditional means to enter the organization, whereas red teamers are stealthy, fast, and equipped with the technical knowledge to evade AV, endpoint protection solutions, firewalls and the other security measures the organization has implemented.

7. What is Blue Team?

The bigger challenge facing the blue team is to discover the vulnerabilities that can be exploited and to protect their own domain without imposing too many restrictions on users.

1. Understand the controls

Most important for blue teams is the ability to understand the controls in place in their environment, especially when it comes to phishing. Some companies really don't start looking at the protective measures in their own networks until there is a formal confrontation.

2. Ensure data can be collected and analyzed

Because a blue team's effectiveness rests on its ability to collect and use data, log management tools such as Splunk are especially important. Another necessary ability is to collect all the data about the team's own actions and record it with high fidelity, so that during the replay it can determine what went right, what went wrong and how to improve.

3. Use tools appropriate for your environment

The tools a blue team uses depend on what its environment requires. The team has to work out "what is this program doing? why is it trying to format the hard drive?", and then add technology to block the unintended actions. The tools for testing whether that technology succeeds come from the red team.
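The two points above, recording the team's own decisions with high fidelity for the replay and adding technology that blocks unintended actions such as an unexpected disk format, can be combined in a small policy check over endpoint process-creation events. The following is an added example, not code from the original article or from any endpoint product: the event schema, the hosts, the account names, the destructive-tool list and the rule names are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, asdict

# Constructed endpoint process-creation events. The schema, hosts, users and
# commands are assumptions made for this example, not data from any product.
SAMPLE_EVENTS = [
    {"ts": "2021-04-01T02:30:00Z", "host": "fs01", "user": "svc_backup",
     "parent": "sshd", "image": "/usr/sbin/mkfs.ext4", "cmdline": "mkfs.ext4 /dev/sdb1"},
    {"ts": "2021-04-01T02:31:00Z", "host": "fs01", "user": "root",
     "parent": "bash", "image": "/bin/tar", "cmdline": "tar czf /backup/etc.tgz /etc"},
    {"ts": "2021-04-01T02:32:00Z", "host": "web01", "user": "www-data",
     "parent": "java", "image": "/bin/bash", "cmdline": "bash -c 'whoami; id'"},
    {"ts": "2021-04-01T09:00:00Z", "host": "fs01", "user": "root",
     "parent": "bash", "image": "/usr/sbin/mkfs.ext4", "cmdline": "mkfs.ext4 /dev/sdc1"},
]

# Constructed policy: which images are destructive, who may run them, and which
# service accounts should never be spawning interactive shells.
DESTRUCTIVE_IMAGES = {"/usr/sbin/mkfs.ext4", "/usr/sbin/mkfs.xfs", "/sbin/wipefs", "/sbin/fdisk"}
DESTRUCTIVE_ALLOWED_USERS = {"root"}
SERVICE_ACCOUNTS = {"www-data", "tomcat"}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash"}


@dataclass
class Verdict:
    """One audit record: the decision, the rule that produced it, and the full event."""
    decision: str   # "allow", "alert" or "block"
    rule: str
    event: dict


def evaluate(event):
    """Apply the policy to one process-creation event and return a Verdict."""
    image, user = event["image"], event["user"]
    if image in DESTRUCTIVE_IMAGES:
        if user not in DESTRUCTIVE_ALLOWED_USERS:
            # "why is it trying to format the hard drive?": unexpected account, block it
            return Verdict("block", "destructive-tool-unauthorized-user", event)
        # authorized, but still worth a human look during the replay
        return Verdict("alert", "destructive-tool-authorized-user", event)
    if image in SHELLS and user in SERVICE_ACCOUNTS:
        # a web service account spawning a shell is a classic sign of a compromised application
        return Verdict("alert", "shell-from-service-account", event)
    return Verdict("allow", "default-allow", event)


def to_jsonl(verdicts):
    """Serialize verdicts as JSON Lines, one complete record per line, for the log platform."""
    return "\n".join(json.dumps(asdict(v), sort_keys=True) for v in verdicts)


def replay(jsonl):
    """Read the audit trail back so the team can review every decision after the exercise."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def summarize(verdicts):
    """Count decisions by type; a quick check of how noisy the policy is."""
    counts = {}
    for v in verdicts:
        counts[v.decision] = counts.get(v.decision, 0) + 1
    return counts


if __name__ == "__main__":
    verdicts = [evaluate(e) for e in SAMPLE_EVENTS]
    print(to_jsonl(verdicts))
    print(summarize(verdicts))
```

The audit record keeps the whole event alongside the decision, so the replay can show not only that something was blocked but exactly what it was and which rule fired; that is the "high fidelity" the text asks for. The rule set is intentionally tiny, and the red team's tests are what tell you whether it is the right one for your environment.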

4. Pick experienced people to join the team

Apart from tools, the most valuable thing a blue team has is the knowledge of its members. As you gain experience, you start to think "I've seen this, I've seen that, they did this and that, but I wonder whether there's a bug here." If you only prepare for what is known, you will be unprepared for the unknown.

5. Assume failure

Asking questions is a valuable tool for exploring the unknown. Don't stop at preparing for what exists today; assume there will be failures in your own infrastructure.

The best way to think about it is to assume that there will eventually be bugs and that nothing is 100% secure.

Finally

Statistics show that the current cybersecurity talent gap in China is as much as 1.4 million. Whether you are a cybersecurity enthusiast or a practitioner with some work experience, a new graduate entering the industry or a professional who wants to change jobs, you need this super comprehensive material: it beats almost 90% of the self-study materials on the market and covers the entire field of network security learning. Bookmark it; it will definitely help your study!

If you need the complete set of network security introductory + advanced learning resources, you can click to get it for free (if you have any problems scanning the QR code, leave a message in the comment area to get it)~

CSDN gift package: "Hacker & Network Security Introduction & Advanced Learning Resource Package" free sharing


1. A complete set of tool kits and source codes necessary for network security


2. Video Tutorial

Although there are a lot of learning resources on the Internet, they are basically incomplete. These are the network security video tutorials I recorded myself; every knowledge point on the roadmap has an accompanying video explanation.

3. Technical documents and e-books

The technical documents were also compiled by myself and include my experience and technical notes from participating in net protection operations, CTFs and SRC vulnerability hunting.

I have also collected more than 200 e-books on network security, basically all the popular and classic ones, and I can share them too.

4. NISP, CISP and other certificate preparation gift packages


5. Information security engineer exam preparation gift package


6. Interview questions from major Internet security companies

These are the network security interview questions I have sorted out over the past few years; if you are looking for a job in cyber security, they will definitely help you a lot.


Source: blog.csdn.net/2301_76168381/article/details/132777775