Technical and tactical analysis from the perspective of the HVV (network protection) blue team

1. Background

1. Introduction to Operation HVV

Operation HVV (the national network protection exercise) is one of the key arrangements the country has made for dealing with network security. Since 2016, as China has attached increasing importance to network security, the scale of the exercise has grown every year: more and more units have joined, the red-versus-blue drills have moved ever closer to real-world conditions, and organisations have shifted from passive, compliance-driven construction to treating security as a hard requirement for keeping the business running. The 2023 national HVV has now concluded.

HVV is generally organised as a red team versus a blue team, hence "red-blue confrontation". The red team attacks and the blue team defends. The blue team starts with an initial score and loses points each time it is successfully compromised. The requirements placed on the blue team have tightened year by year: before 2020, merely detecting an attack was enough to earn points back or offset deductions, but from 2021 the blue team must detect in time, handle in time and reconstruct the full attack chain in order to reduce deductions and avoid early elimination.


2. Analysis of HVV pain points

The annual national HVV must not be taken lightly; as the saying goes, carelessness lost Jingzhou, and there is no shortage of cautionary examples. The industries that take part usually hold huge numbers of assets spread across many business lines, and that asset inventory can never be 100% converged by the time HVV starts. During the official HVV period the day shift routinely works more than 14 hours a day. On top of that, the following risks (among others) are common:

(1) Public-facing assets carry vulnerabilities: non-essential debugging environments, test environments and API endpoints are exposed to the Internet, products are not upgraded regularly, and nobody continuously tracks the security of the open-source components and commercial software the enterprise depends on;

(2) Public-facing business systems lack thorough penetration testing, and no in-depth test is performed before business changes or new service launches;

(3) Historical high-risk vulnerabilities on intranet assets are not fixed in time, so once an attacker breaks through the perimeter they can move laterally at will; for intranet security on the cloud there is no strict management system or approval process;

(4) Third parties, subsidiaries and branches are treated directly as trusted entities, and the traffic exchanged with them is not monitored;

(5) Security equipment such as WAF, web-page anti-tampering, email gateways, APT detection, HIDS and EDR is not deployed sensibly, and little or no rule tuning is done to remove false positives and fit the business;

(6) Controls and detection for data and source-code leakage are weak (for example, monitoring GitHub, GitLab, Gitee and similar platforms for leaked code and data);

(7) Permission and account revocation for departed staff is flawed: handover material is passed around through external cloud drives and account privileges are not fully revoked, for example cloud-server and OSS AccessKey/SecretKey (AK/SK) credentials that cannot be deleted;

(8) There is little or no security auditing of the office network's north-south traffic and no east-west blocking capability, and when the security department responds to an incident it cannot immediately reach the responsible owner to stop the bleeding;

(9) Collaboration is not standardised on internal office software; Youdao Cloud Notes, Baidu Cloud Disk, Sunflower remote control, Feishu, DingTalk, Enterprise WeChat, QQ and similar platforms that can leak data are used at scale.

2. Techniques and tactics from the blue team perspective

1. Defensive preparations

The security team should draw up technical protection and detection plans based on the characteristics of HVV attack activity and the key risks faced by Party A's business systems. The plan covers three dimensions: east-west sensing on the cloud, north-south full-traffic threat intelligence monitoring on the office network, and convergence of high-risk business systems. East-west sensing on the cloud means deploying honeypots in the same network segments as the business, so that horizontal scanning by a compromised host is detected and its exploit attempts are captured; this locates the compromised host quickly and stops lateral movement. On the north-south side, the office network's full traffic is fed to a threat intelligence system to correlate inbound and outbound flows; security engineers label IPs as black, white or gray intelligence and analyse them to catch targeted phishing, malware, mining and similar behaviour. The result is a layered, all-round defense in depth.

Before the drill begins, scan Party A's domains and IP ranges with a vulnerability scanner and combine the results with penetration testing; the high-priority findings are compiled, counted and submitted to the responsible owners before HVV so that each business line can fix them online and remove the risk. By analysing Party A's Internet-facing systems and supply chain, single out applications likely to carry 0-day and 1-day vulnerabilities, together with over-privileged back-office management systems (OA, finance, HR, legal and so on), and profile them on the WAF: requests to these systems from outside the office network are evaluated against that profile, which limits the damage from unforeseeable 0-days, 1-days, weak passwords and the like. In addition, run a full scan of Party A's intranet systems, report the problem systems and push the business teams to remediate, which reduces the attacker's room for lateral movement. Place resources that need network-level isolation in different VPCs, and combine the fine-grained control of security groups with network ACLs to isolate subnets within a VPC.

National HVV permits the attackers to use phishing, watering-hole and similar techniques. To raise the security awareness of Party A's staff, phishing emails are sent to all employees, employees who fall for them receive dedicated awareness training, and posters are put up in the workplace. Anti-phishing campaigns walk through the common vectors (email, phone calls, Wi-Fi, impersonation and BadUSB) to cut the risk from this route substantially. A network architecture assessment clarifies the overall security-domain layout, sorts out inter-domain and intra-domain access-control relationships, evaluates the attack surface and intrusion defenses, and ends with network isolation and attack-surface convergence that counters both external and internal attacks.

2. Detection and response

Run a 15×24-hour emergency response during the exercise and build an automated defense system: aggregate and analyse the logs of the security devices, model them against business scenarios, score behaviours, and link the results to detection and blocking products such as firewalls, IPS and WAF to improve accuracy; link with honeypot products to help trace and counter attackers. Integration with edge devices such as web application firewalls and CDNs automatically blocks IPs flagged by threat intelligence within seconds, which cuts manual analysis, lets the limited staff concentrate on events that really need attention and shortens response time. At a higher level, break down the barriers to information exchange between different security products, protection stages and protection locations, so that an attack seen at a single point is visible across the whole network and the defender keeps the initiative.
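The black/white/gray labelling of north-south traffic described under defensive preparations, and the behaviour scoring and second-scale auto-blocking described here, as an added example that is not code from the original article. The proxy log format, the intelligence lists, the signal weights and the threshold are all constructed assumptions; in a real deployment the decisions would be pushed to the WAF/CDN block-list API rather than printed.

```python
"""Tag source IPs with black/white/gray intelligence, score behaviour, and
emit block decisions for the WAF/CDN.

Added example; not code from the original article. The log format, the
intelligence lists and the signal weights are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed intelligence: "black" = known bad, "white" = known good (e.g. a
# partner's NAT egress). Anything else starts out "gray".
BLACK_IPS = {"203.0.113.45", "198.51.100.9"}
WHITE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Behaviour signals a source can accumulate; the weights are assumptions.
SIGNAL_WEIGHTS = {"scanner_ua": 40, "path_probe": 15, "auth_fail": 10}
BLOCK_THRESHOLD = 50

# Constructed proxy log line: <client_ip> <status> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto|nuclei|masscan", re.I)
PROBE_PATHS = re.compile(r"/(\.git/|\.env|actuator/|wp-login\.php|phpinfo\.php)", re.I)


@dataclass
class IpProfile:
    label: str                       # "black", "white" or "gray"
    score: int = 0
    signals: list = field(default_factory=list)


def intel_label(ip):
    """Static intelligence lookup; black wins over white, white over gray."""
    if ip in BLACK_IPS:
        return "black"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "gray"                # unparsable address: treat as unknown
    return "white" if any(addr in net for net in WHITE_NETS) else "gray"


def profile_logs(lines):
    """Parse log lines, tag each source IP and accumulate behaviour signals."""
    profiles = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                 # malformed line: skip, do not crash the pipeline
        p = profiles.setdefault(m["ip"], IpProfile(label=intel_label(m["ip"])))
        if SCANNER_UA.search(m["ua"]):
            p.signals.append("scanner_ua")
        if m["status"] == "404" and PROBE_PATHS.search(m["path"]):
            p.signals.append("path_probe")
        if m["path"].startswith("/login") and m["status"] in ("401", "403"):
            p.signals.append("auth_fail")
    for p in profiles.values():
        p.score = sum(SIGNAL_WEIGHTS[s] for s in p.signals)
    return profiles


def block_decisions(profiles, ttl_seconds=3600):
    """Map profiles to (action, ttl, reason).

    Black intelligence blocks at once; gray sources block only when behaviour
    crosses the threshold; white sources are never auto-blocked, only alerted
    on, so a poisoned feed or a scanning partner cannot cut off a partner link.
    """
    decisions = {}
    for ip, p in profiles.items():
        if p.label == "black":
            decisions[ip] = ("block", ttl_seconds, "intel:black")
        elif p.score >= BLOCK_THRESHOLD and p.label == "gray":
            decisions[ip] = ("block", ttl_seconds, "behaviour:" + ",".join(sorted(set(p.signals))))
        elif p.score >= BLOCK_THRESHOLD:
            decisions[ip] = ("alert", 0, "intel:white but suspicious")
    return decisions


# Constructed sample lines (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.45 200 GET /index.html "Mozilla/5.0"',
    '198.51.100.77 404 GET /.git/config "Mozilla/5.0"',
    '198.51.100.77 404 GET /.env "Mozilla/5.0"',
    '198.51.100.77 401 POST /login "Mozilla/5.0"',
    '198.51.100.77 401 POST /login "Mozilla/5.0"',
    '192.0.2.10 404 GET /phpinfo.php "sqlmap/1.7"',
    '198.51.100.200 200 GET /about "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, decision in block_decisions(profile_logs(SAMPLE_LOGS)).items():
        print(ip, decision)
```

The TTL matters in practice: an automatic block pushed to the CDN within seconds should expire on its own, otherwise a shared NAT egress that tripped the threshold once stays blocked for the whole exercise. Keeping white-listed sources on "alert" rather than "block" is the safeguard against a poisoned or mislabelled intelligence feed taking down a partner link.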

Phishing and social engineering remain a major attack route. Especially when the defender's frontal perimeter is strong, a perimeter breach through phishing or social engineering is often the attacker's first choice; we have seen many industries and companies with high protection levels breached this way, while many defenders lack effective detection and protection for it. Analysing new phishing Trojan techniques, beyond the conventional loader + CobaltStrike payload, we found three relatively novel ones: patching a legitimate signed ("white") file to evade antivirus, control-flow-flattening obfuscation, and hooking the Beacon to change its C2 at run time. Typical CobaltStrike Trojans hide the C2 address mainly through domain fronting and cloud-function forwarding. For static detection we therefore add high-frequency phishing keywords to the keyword list of the internal email security product so that it raises risk reminders, and tag emails from outside with a warning label. For dynamic detection: a CobaltStrike Trojan that communicates through a cloud function can be stopped simply by blocking the relevant domain names; one that communicates through domain fronting does not expose the attacker's real domain or IP, so it has to be intercepted on the forwarding mechanism itself, for example on the mismatch between the TLS SNI and the HTTP Host header.
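The dynamic-detection branch above, as an added example that is not code from the original article. Constructed flow records carry the TLS SNI and the HTTP Host header (which presumes TLS inspection on the proxy); a Host under a cloud-function suffix is blocked outright by domain, and a CDN-hosted Host that disagrees with the SNI is intercepted as domain fronting. The record format, the cloud-function and CDN suffix lists and the beacon-like paths are placeholders standing in for a real proxy or NDR export and the organisation's own lists.

```python
"""Flag CobaltStrike C2 channels hidden behind domain fronting or
cloud-function forwarding, from constructed flow records.

Added example; not code from the original article. The record format, the
cloud-function and CDN suffixes and the beacon-like paths are placeholders
standing in for a real proxy/NDR export and the organisation's own lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    sni: str    # server_name from the TLS ClientHello
    host: str   # HTTP Host header seen after TLS inspection
    path: str


# Assumed suffixes of cloud-function / API-gateway endpoints that office
# endpoints have no business reason to contact. Placeholders, not real providers.
CLOUD_FUNCTION_SUFFIXES = (".scf.example-cloud.test", ".fc.example-cloud.test")
# Assumed CDN edge suffixes behind which fronting is possible.
CDN_EDGE_SUFFIXES = (".cdn.example-edge.test",)
# Beacon URIs are profile-dependent; these placeholders only demonstrate the path check.
BEACON_LIKE_PATHS = ("/submit.php", "/__utm.gif")


def registrable(name):
    """Crude eTLD+1 (last two labels). Use a public-suffix list in production."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(rec):
    """Return (verdict, reason) for a single flow."""
    sni, host = rec.sni.lower(), rec.host.lower()
    if host.endswith(CLOUD_FUNCTION_SUFFIXES):
        # Cloud-function forwarding: the function URL is visible, so the
        # domain itself can go straight onto the DNS/proxy block list.
        return "block-domain", "cloud-function-forwarder:" + host
    if registrable(sni) != registrable(host):
        if host.endswith(CDN_EDGE_SUFFIXES):
            # Domain fronting: SNI names a reputable tenant of the CDN, Host
            # names the attacker's distribution. The attacker's own domain or
            # IP never appears, so the flow is intercepted on the mismatch.
            return "intercept", "sni/host mismatch on cdn sni=%s host=%s" % (sni, host)
        return "review", "sni/host mismatch sni=%s host=%s" % (sni, host)
    if rec.path in BEACON_LIKE_PATHS:
        return "review", "beacon-like path " + rec.path
    return "allow", "ok"


def summarize(records):
    """Group flows by verdict and collect the domains that can be blocked outright."""
    by_verdict, block_list = {}, set()
    for rec in records:
        verdict, reason = classify(rec)
        by_verdict.setdefault(verdict, []).append((rec.src_ip, reason))
        if verdict == "block-domain":
            block_list.add(rec.host.lower())
    return by_verdict, block_list


# Constructed flows (not real traffic): private source addresses and .test names.
SAMPLE_FLOWS = [
    FlowRecord("10.0.5.21", "www.trusted-site.test", "www.trusted-site.test", "/index.html"),
    FlowRecord("10.0.5.21", "www.trusted-site.test", "d3x9.cdn.example-edge.test", "/submit.php"),
    FlowRecord("10.0.5.33", "svc-abc.scf.example-cloud.test", "svc-abc.scf.example-cloud.test", "/api"),
    FlowRecord("10.0.5.40", "update.vendor-a.test", "telemetry.vendor-b.test", "/ping"),
    FlowRecord("10.0.5.52", "www.trusted-site.test", "www.trusted-site.test", "/__utm.gif"),
]

if __name__ == "__main__":
    by_verdict, block_list = summarize(SAMPLE_FLOWS)
    for verdict, hits in by_verdict.items():
        print(verdict, hits)
    print("push to block list:", sorted(block_list))
```

Two caveats for production use: the Host header is only available where the proxy performs TLS inspection, so on uninspected segments the check degrades to comparing the SNI with the certificate subject; and the cloud-function suffix list needs an allow-list for functions the business genuinely calls, otherwise "block-domain" will hit legitimate integrations on the first day of the exercise.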

After discovering an attack, the blue team should first establish the source and rule out an internal employee's mis-operation. Once it is confirmed as an attack, isolate the affected host from the intranet; then use the alarms from the protection and monitoring equipment, the sample information and the various intelligence systems to trace the source. Where conditions allow, a decoy system can be deployed to counter the attack team's attack on the endpoint, achieving tracing, defense and countermeasures together.

3. Traceability and countermeasures

During HVV, to help Party A gain more points and a higher ranking, we also use the following technical analysis methods (among others) for tracing and countermeasures:

(1) IP positioning: reverse-resolve the IP to domain names and obtain whois information, port-scan the IP, attempt penetration of the attacker's server in reverse, and geolocate the IP;

(2) ID tracking: establish the attacker's identity through search engines, social platforms, technical forums and social-engineering databases;

(3) Attack program analysis: run phishing samples through several online cloud sandboxes, combined with manual extraction of sample features;

(4) Honeypots: obtain the attacker's host information, browser information and real IP, profile the attacker behind the source, and where possible counterattack;

(5) Batch fake check-ins of the phishing Trojan: because a cloud function calls out from IP addresses in different availability zones when it requests the target, continuously send check-in and session requests from a virtual machine; bringing a large number of IPs online in CobaltStrike at once makes it impossible for the red team to tell real victims apart;

(6) Exhausting the cloud-function quota: a cloud function can hide the C2, but every invocation is billed, so a script can deliberately burn through the red team's quota until its Trojan can no longer check in;

(7) Fake check-ins: replay the heartbeat packet so that the implant appears online while the red team cannot execute any command; junk traffic can also be sent to the attack team's DNSLog to cloud their view;

(8) Reverse-phishing the red team: deploy honeypots on both Party A's public network and intranet, and exploit vulnerabilities in the attackers' proxy tools and attack programs to gain control of red-team hosts, for example the Clash RCE, the AntSword and Behinder (Ice Scorpion) RCEs, and counter-exploits against Git and SVN leak-exploitation tools.

3. Summary and improvement

As new intelligent technologies spread, information infrastructure has grown more complex and traditional security thinking can no longer meet the required assurance capability. A defense-in-depth architecture has to be built from systematic planning, using new ideas, new technologies and new methods, to raise protection capability for real combat as a whole. From the standpoint of real-combat response, Party A's existing security architecture was reviewed with security capability building as the core idea, and the overall security architecture of the government or enterprise institution was redesigned around its main risks. By combining and structuring multiple security capabilities, the result is a security defense system that protects in real combat, responds effectively to advanced threats, and keeps evolving and improving iteratively.



Origin blog.csdn.net/HUANGXIN9898/article/details/133985149