Cyber Security Notice | What is Operation Network Protection? What is red-blue confrontation?

01

What is Operation Network Protection?


Operation Network Protection is an activity led by the Ministry of Public Security to assess the network security of enterprises and institutions.

In practice, the Ministry of Public Security organizes an offensive side and a defensive side. Over roughly a month, the offensive side attacks the defenders (enterprises and institutions) over the network to expose their security weaknesses. Through this confrontation, the security capabilities of the participating organizations' networks, systems and equipment are substantially improved.

"Operation Network Protection" is one of the country's key arrangements for dealing with network security. It began in 2016. As China attaches great importance to network security, the range of participating units keeps expanding, and more and more organizations are joining the exercise. The confrontation drills are becoming increasingly realistic, and organizations' network security requirements have shifted from passive, compliance-driven construction to a hard requirement for business assurance.

02

Classification of network protection exercises


By administrative level, network protection is generally divided into national, provincial and municipal exercises. In addition, some industries with relatively high network security requirements, such as education, healthcare and finance, run their own industry-level exercises.

03

Timing of network protection


Different levels of network protection have different start times and durations. Taking the national level as an example, the exercise generally starts around July or August each year and lasts 2 to 3 weeks. The provincial level takes about 2 weeks, and lower levels about a week. 2021 is special: all security work must be completed before July, so all of the 2021 exercises will be completed around April.

04

Impact of network protection


Network protection is organized by the government, which ranks the participating units. Units that perform poorly will be affected in future evaluations and other work. Moreover, network protection is tied to politics: once the network of a participating enterprise or unit is penetrated by the attackers, its leaders may be removed. For example, last year the network of a financial securities unit was penetrated, and the unit's second-in-command was dismissed outright. The overall price paid is considerable.

05

Rules of network protection


Network protection generally pits two teams, red and blue, against each other (opinions online differ on which colour attacks and which defends; here we use the domestic convention of red attacking and blue defending).

The red team is the attacking team. It mainly consists of the "national team" (national network security personnel and other technical specialists in network security) and penetration testers from security vendors. The "national team" accounts for about 60%, and the attack teams made up of vendor technical personnel for about 40%. A team generally has about three people, responsible respectively for information gathering, intrusion, and cleaning up traces afterwards.

The blue team is the defensive team and usually randomly selects some units to participate.

Blue team scoring

The blue team starts with 10,000 points, and points are deducted each time it is successfully attacked. The requirements on the blue team become stricter every year. Before 2020, the blue team could earn extra points, or recover deducted points, simply by detecting attacks; in 2021, the blue team must detect the attack promptly, handle it promptly and reconstruct the attack chain merely to have fewer points deducted, and can no longer earn bonus points this way. The only remaining bonus is discovering a real hacker attack while defending the network.

Red team scoring

Each attacking team is assigned some fixed targets. In addition, some targets are placed in a target pool as public targets, and the red team will generally prioritize attacking these. Once an attack succeeds and evidence is obtained, it is submitted on the platform provided by the state; if the evidence is verified, points are awarded. The submission platform generally accepts submissions from 9:00 to 21:00, but this does not mean nobody attacks outside those hours. In fact, the red team will still attack between 21:00 and 9:00 and submit the results during the day, so the blue team needs to monitor and defend 24 hours a day.

06

What is red teaming


Red Teaming is a full-scale, multi-layered attack simulation designed to measure a company's people and network, application and physical security controls against attacks from real-world adversaries.

During a red team engagement, trained security consultants develop attack scenarios that reveal potential physical, hardware, software, and human vulnerabilities. Red team engagements also reveal the opportunities that bad actors and malicious insiders would have to breach a company's systems and networks or corrupt its data.

The significance of red team testing

1. Assess the client's ability to respond to threatening behaviour.

2. Assess the security posture of the client's network by running scenario exercises (e.g. accessing the CEO's email or customer data).

3. Demonstrate potential paths by which attackers could reach client assets.

We believe that, from the red team's perspective, any network security assurance task starts with finding problems: using security detection techniques to discover vulnerabilities and weaknesses in systems and networks. The red team's detection group uses a variety of scanning and probing tools to gather information about the blue team's target network, test for vulnerabilities and verify them. Especially against large enterprises, security problems are found quickly through means such as large-scale target reconnaissance. The main process is as follows:

1. Large-scale target reconnaissance

To quickly learn the blue team's system types, device types, versions, exposed services and port information, and to determine the boundary of its systems and network, the red team uses Nmap and other port-scanning and service-identification tools, and even large-scale rapid scanners such as ZMap and masscan, to establish basic facts such as the size of the target network and which services are exposed overall, so that subsequent testing can be targeted.

2. Password and common vulnerability testing

Once the red team knows the size of the blue team's network, its host system types and its exposed services, it uses Metasploit or manual methods to carry out targeted attacks and vulnerability tests, covering web application vulnerabilities, middleware vulnerabilities, system vulnerabilities, and remote code execution vulnerabilities in applications and components. At the same time, it uses Hydra and similar tools to test common weak passwords on the various services, middleware and systems, and finally obtains host or component privileges by technical means.

3. Permission acquisition and lateral movement

After obtaining privileges on a specific target through a system vulnerability or weak password, the red team uses those host privileges and the network reachability it now has to move laterally, expand its foothold, and take control of key databases, business systems and network equipment. Using the information gathered along the way, it ultimately controls the core systems and obtains core data to demonstrate the gaps in the current security posture.

Red teams act as real, motivated attackers. Most of the time the red team's scope is large, with the entire environment in range, and its goal is to penetrate, maintain persistence, establish a central foothold and keep the ability to withdraw, in order to confirm what a persistent adversary could achieve. All tactics are available, including social engineering. Eventually the red team either owns the entire network, or its actions are detected and stopped by the security administrators of the network it attacked; at that point it reports its findings to management to help improve the network's security.

One of the main goals of the red team is to remain invisible even once inside the organization. Penetration testers are noisy on the network and easily detected because they use conventional methods to get in, whereas red teamers are stealthy, fast, and equipped with the technical knowledge to circumvent AV, endpoint protection solutions, firewalls and the other security measures the organization has implemented.

07

What is the blue team


The greater challenge facing the blue team is to discover exploitable vulnerabilities and protect its own domain without imposing too many restrictions on users.

1. Clarify the control measures

The most important thing for a blue team is to understand the controls in place in its environment, especially for phishing and phone phishing. Some companies only start looking at what protection they actually have in their networks once a formal exercise is upon them.

2. Ensure data can be collected and analysed

Because the blue team's effectiveness rests on its ability to collect and use data, log management tools such as Splunk are particularly important. Another essential ability is knowing how to collect all the data on the team's own actions and record it with high fidelity, so that during the review you can determine what went right, what went wrong, and how to improve.
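As an added example (not part of the original post and not any team's actual tooling), here is the defender's counterpart to the reconnaissance and weak-password stages described in section 06: two small detectors a blue team could run over the logs it collects, flagging a source that fails logins against many accounts within a short window and a source that sweeps many ports on one host. The sshd lines and the firewall export format are constructed for this example, and the thresholds are illustrative rather than tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth-log lines (not real data). One source tries six
# accounts in four seconds; a legitimate user mistypes a password once.
AUTH_LOG = """\
Jan 12 03:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jan 12 03:14:02 bastion sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 50212 ssh2
Jan 12 03:14:02 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Jan 12 03:14:03 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Jan 12 03:14:04 bastion sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 50215 ssh2
Jan 12 03:14:05 bastion sshd[1206]: Failed password for invalid user tomcat from 203.0.113.7 port 50216 ssh2
Jan 12 08:02:11 bastion sshd[1310]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jan 12 08:02:20 bastion sshd[1311]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
"""

# Constructed firewall export in an assumed format: "<epoch> <src> <dst> <dport> <action>".
# 198.51.100.9 sweeps ten ports on one host in four seconds; 192.0.2.10 is normal traffic.
FW_LOG = """\
1705029600 198.51.100.9 10.0.0.5 21 DROP
1705029600 198.51.100.9 10.0.0.5 22 ACCEPT
1705029601 198.51.100.9 10.0.0.5 23 DROP
1705029601 198.51.100.9 10.0.0.5 25 DROP
1705029601 198.51.100.9 10.0.0.5 80 ACCEPT
1705029602 198.51.100.9 10.0.0.5 110 DROP
1705029602 198.51.100.9 10.0.0.5 143 DROP
1705029602 198.51.100.9 10.0.0.5 443 ACCEPT
1705029603 198.51.100.9 10.0.0.5 3306 DROP
1705029603 198.51.100.9 10.0.0.5 8080 DROP
1705029650 192.0.2.10 10.0.0.5 443 ACCEPT
1705029700 192.0.2.10 10.0.0.5 22 ACCEPT
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _windowed_hit(events, window_seconds, enough):
    """Slide a window over time-sorted (seconds, value) pairs; return True as
    soon as some span of at most window_seconds satisfies enough(values)."""
    events.sort()
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window_seconds:
            start += 1
        if enough([v for _, v in events[start:end + 1]]):
            return True
    return False


def parse_auth_failures(text, year=2024):
    """Return [(epoch_seconds, user, src_ip)] for every failed SSH login.
    The syslog timestamp has no year, so one is assumed (parameter)."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts.timestamp(), m["user"], m["src"]))
    return out


def detect_ssh_bruteforce(text, min_failures=5, window_seconds=60):
    """{src_ip: sorted users targeted} for sources with at least min_failures
    failed logins inside any window_seconds span (Hydra-style guessing)."""
    by_src = defaultdict(list)
    for t, user, src in parse_auth_failures(text):
        by_src[src].append((t, user))
    return {
        src: sorted({u for _, u in evs})
        for src, evs in by_src.items()
        if _windowed_hit(evs, window_seconds, lambda users: len(users) >= min_failures)
    }


def detect_port_scan(text, min_ports=8, window_seconds=10):
    """{src_ip: distinct ports touched} for sources hitting at least min_ports
    distinct ports on one destination inside window_seconds (a port sweep)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            epoch, src, dst, dport, _action = parts
            by_pair[(src, dst)].append((float(epoch), int(dport)))
    flagged = {}
    for (src, _dst), evs in by_pair.items():
        if _windowed_hit(evs, window_seconds, lambda ports: len(set(ports)) >= min_ports):
            flagged[src] = max(flagged.get(src, 0), len({p for _, p in evs}))
    return flagged


if __name__ == "__main__":
    print("SSH brute force:", detect_ssh_bruteforce(AUTH_LOG))
    print("Port sweeps:", detect_port_scan(FW_LOG))
```

Both detectors key on the same idea: a sliding time window per source, so a slow, patient attacker that stays under the per-window threshold is deliberately not caught, which is exactly the gap the text's "assume failure" advice warns about. In a real deployment the two log sources would come from the log management platform rather than inline strings, and the thresholds would be set from a baseline of normal traffic.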

3. Use tools appropriate for your environment

The tools a blue team uses depend on what its environment requires. The team has to work out, "What is this program doing? Why is it trying to format the hard drive?" and then add technology that blocks the unintended actions. The tools for testing whether that technology actually works come from the red team.

4. Select experienced people to join the team

Beyond tools, the most valuable asset of a blue team is its members' knowledge. As you gain experience you start to think, "I've seen this, I've seen that, they did this and they did that, but I wonder whether there's a weakness here." If you prepare only for what you already know, you will be unprepared for the unknown.

5. Assume failure

Asking questions is a valuable tool for exploring the unknown. Don't stop at preparing for what exists today; assume there will be failures in your infrastructure. The best mindset is to assume that there will eventually be vulnerabilities, and that nothing is 100% safe.

Finally

Statistics show that China's current cybersecurity talent gap is as large as 1.4 million. Whether you are a cybersecurity enthusiast or a practitioner with some work experience, a new graduate entering the industry or a professional who wants to change careers, you need this comprehensive set of materials. It beats 90% of the self-study materials on the market and covers the entire field of network security learning. Bookmark it; it will definitely help your studies!

Friends who need the complete set of network security introductory and advanced learning resources can click to receive it for free (if you have trouble scanning the QR code, leave a message in the comment area to receive it).

CSDN gift package: "Hacker & Network Security Introduction & Advanced Learning Resource Package" free sharing


1. A complete set of tool kits and source codes necessary for network security


2. Video tutorial

Although there are many learning resources on the Internet, they are mostly incomplete. This is a network security video course I recorded myself, with an accompanying video explanation for every knowledge point on the roadmap.

3. Technical documents and e-books

I also compiled the technical documents myself, including my experience and technical notes from taking part in network protection exercises, CTFs, and hunting SRC vulnerabilities.

I have also collected more than 200 e-books on network security, covering both the popular and the classic titles, which I can share as well.

4. NISP, CISP and other certificate preparation gift packages


5. Information security engineer exam preparation gift package


6. Interview questions from major Internet security companies

I have compiled network security interview questions from the past few years. If you are looking for a job in network security, they will definitely help you a lot.

Origin blog.csdn.net/2301_76168381/article/details/133103937