1, Penetration Testing: is a professional security service, is practical exercises for the target system intrusion events.
2, security incidents
- Unauthorized access: a person without permission by logical or physical access to networks, systems, applications, data, or other resources, expressed as a intrusion.
- Network attacks --- denial of service attacks: how resources are consumed by the CPU, memory, disk space, bandwidth or to prevent damage and has been authorized users normal use of the network, system and so on.
- Event malicious program malicious code: Trojans, botnets, linked to horse attacks, extortion virus.
3, emergency response mode
- Remote Emergency: emergency by phone, email, etc.
- Local Emergency: rushed to the customer site, find the cause and fix the problem, and finally issued an emergency report
4, step emergency response
(1) Preparation
- Clear management personnel
- Draw network topology
- Finishing FAQ Handbook
- Apply for special funds for emergency
- Procurement of professional hardware equipment, emergency response tools
- The development of contingency procedures
- The formation of the management team, technical team
- List compiled emergency response personnel organization
(2) Detection
- Determine the nature and severity of the impact of the event, expected resources needed
- Tool detection
- Analysis of abnormal thing is like
- Confirm rating
- The device logs, to notify the downstream
- Operating system log (system, application, security, etc.), the system slows down, cpu usage rate, consume a lot of network bandwidth, abnormal port, abnormal processes, such as abnormal dll
- Application Log: access logs, manage logs, error logs, etc.
(3) containment
- Determine the appropriate containment methods: isolation network, modify the firewall filtering rules and routing, remove the login account, close the service, loss of control kept to a minimum
- Lists several options, made it clear that their risk, selected by the service object
(4) eradication
- Completely solve the problem of risk, analyze the causes and vulnerabilities, safety reinforcement
- Step up publicity to announce the dangers and solutions to strengthen inspection work
(5) recovery
- All systems infringement or destroyed, applications, databases, network devices, etc. restored to normal state task
(6) tracking summary
- Security concerns after the system recovery, especially where problems have occurred
- Established track document
- Absorb the lessons learned, self-improvement and system protection strategy
5, extortion virus Introduction
- Digital currency along with the rise of a new type of virus Trojan: bitcoin, coins and other of the world
- Before 2008: blackmail lock screen
- May 2017 WannaCry (Eternal Blue extortion worms), extortion virus has become a direct threat to the largest class of Trojan virus for government and enterprise agencies and Internet users.
- Globelmposter, GandCrab, Crysis and so on extortion virus
- The latest threat: do not pay ransom to public data
6, blackmail mode of transmission of the virus
- Exploit: ms17-010, office (8570,1182), weblogic, cve-2019-0708: rdp, etc. Vulnerability
- Phishing
- Pages linked to horse
- Hand implants
- Brute force rdp: Remote Desktop
- Violence to crack the system weak passwords
- Software tied to horses: tied up, winrar: create self-extracting format
- ads streaming file:
-
echo aaaa>a.txt
echo bbbb>a.txt:b.txt
查看:dir /r a.txt:b.txt:$DATA
打开:notepad.exe a.txt:b.txt
-
7, how to find
- Business can not be used
- Desktop has been tampered with
- File extension
8, GlobeImposter behavior analysis
- Replication of the virus file to a specified directory: appdata
- Computer user id and generate blackmail file
- The write ID and user key
- Persistence reside: Create a registry file, set the boot from the start
- Encryption hard disk file
- Delete the shadow copy and remote login log
- Deletes itself
9, encryption
- RSA+AES
- Two pairs of keys: a user's public and private key, public and private key hacker
10, decryption mode
The following three conditions can be accomplished by decryption tool on the Internet
- There are loopholes in the design of extortion virus encoding or encryption algorithm is not correct
- Extortion virus maker initiative to publish a key or master key.
- Law enforcement agencies seized servers with the key, and had to share.
Back up important data must be decrypted before *
Professional treatment (third party)
11, blackmail virus protection
- The system user password to make changes in a timely manner, password complexity, length, regularly change
- Update patches
- Physical isolation (off network, ban card, shut down)
- Access Policy: 445,135,139 closed port, etc., to avoid Remote Desktop Services (RDP, the default port 3389) exposed to the public Internet (such as ROMS for convenience really necessary to open before you can access through the VPN login) whitelist mode
- Remote backup, backup isolation
- Strengthen the audit, to strengthen tracking traceability
- Periodic safety assessment: penetration testing, code audit: initiative to identify problems
- Improve the safety of full consciousness
12, virus analysis environment
vmxp:
1. disable the network card
2. Firewall On: refuse
3. Clean: Snapshot
4. essential tool: static debugging: ida, dynamic debugging: ollydbg
monitoring tool: reg
tinder sword: Internet security software
13 is, CISP-IRE Introduction
- Certified Information Security professionals - engineers, emergency response, English as Certified Information Security Professional -Incident Response Engineer, referred to CISP-IRE
- CISP-IRE testing questions and operate as a multiple choice question, out of a total of 100 points, including choice 20 (20 minutes), the title practical operation 8 (80), to give 70 points or more (including 70 minutes) by.
- Cisp-ire knowledge as shown below:
