Emergency Response - PDCERF Model (repost)

Table of Contents

Emergency response procedures

Defense Model

SDL


Emergency response procedures

Many people think that emergency response means looking over a compromised machine to see what happened: is it part of a botnet, has a rootkit been installed, was a webshell dropped, and so on. Emergency response is in fact a highly technical matter. If an incident is handled well the story ends there; if it is handled badly, the situation can quickly fall apart and cause further, unnecessary trouble. A CSO and a security operations engineer also look at emergency response quite differently, because their duties are different: a CSO is extremely reluctant to see the company's name appear on a public vulnerability disclosure platform or an SRC (security response center) platform, since once that happens the leadership gets called in for a talk. Emergency response is really a process, roughly as follows:


Preparation phase

  • Get the people and tools needed for detection ready, for example commands such as ls, lsof, ss and ifconfig
Detection and analysis phase
  • Incident monitoring: firewall, system, web server and IDS/WAF/SIEM logs; abnormal or unauthorised operations performed by users; and reports from administrators (by e-mail, phone, text message, or anything else they saw or heard). From these data points we determine the attacker and the affected area, and only then can we proceed to the steps below.
  • Initial response: determine the type of event from the preliminary monitoring results above, and define the severity level of the security incident. Then allocate the relevant resources; the temporary emergency response team formed at this point should keep management informed of the handling approach and the progress of the incident in order to get their support (the latter can be delegated to a specific person).
  • Incident classification: in practice this means deciding what matters most to you, so that the priority of the response can be set and existing resources used to the full (note that not every security incident requires all of these resources).
  • Investigation: investigate the cause of the whole incident, trace it forensically, analyse the vulnerability, check for backdoors, and collect and analyse data.
Attack mitigation, eradication and business recovery
  • The main purpose here is first to contain the scope of the damage, so that the effects of the attack do not spread to other IT assets and the business environment; remember not to pour all your energy directly into removing the backdoor. Then find the root cause, fix it, block the attack, and restore the business to its normal state.
Attack tracking
  • Continue monitoring based on the various attacks and attack vectors identified, then hold a review meeting on the incident, write the report, and continuously improve the work process and the mitigations.
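A small collection script for the preparation and detection phases, as an added example that is not from the original post: it snapshots volatile state with the tools named above (ls, lsof, ss, ifconfig), skips any tool that is not installed and records that in a manifest, and hashes the artefacts for later verification. The function names and output layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only volatile-data
# snapshot for the preparation/detection phases above, built around the
# tools the post names (ls, lsof, ss, ifconfig). Every collector runs only
# if its tool is installed; missing tools are recorded in the manifest so
# the analyst knows which evidence is absent rather than silently empty.

# run_collector NAME TOOL [ARGS...] : run one collector into $OUTDIR/NAME.txt
run_collector() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$name.txt" 2>&1 \
            || printf 'warning   %s exited non-zero\n' "$name" >> "$MANIFEST"
        printf 'collected %s (%s)\n' "$name" "$*" >> "$MANIFEST"
    else
        printf 'missing   %s (%s not installed)\n' "$name" "$1" >> "$MANIFEST"
    fi
}

# collect_snapshot OUTDIR : write the snapshot, print the manifest path
collect_snapshot() {
    OUTDIR="$1"
    MANIFEST="$OUTDIR/MANIFEST.txt"
    mkdir -p "$OUTDIR" || return 1
    # Record when and where the evidence was taken (UTC, so timelines line up)
    printf 'host=%s\nutc=%s\n' "$(hostname 2>/dev/null || echo unknown)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$MANIFEST"

    run_collector processes   ps aux            # who is running what
    run_collector open_files  lsof -nP          # files/sockets held by processes
    run_collector sockets     ss -tulpn         # listening/connected sockets
    run_collector interfaces  ifconfig -a       # addresses, promiscuous flags
    run_collector tmp_listing ls -la /tmp       # common drop location for tooling
    run_collector logins      who -a            # current sessions

    # Hash every artifact so it can later be shown unaltered
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$OUTDIR" && sha256sum ./*.txt > SHA256SUMS) \
            || printf 'warning   hashing failed\n' >> "$MANIFEST"
    fi
    printf '%s\n' "$MANIFEST"
}

# count_collected MANIFEST : number of collectors that actually ran
count_collected() {
    grep -c '^collected' "$1"
}
```

Run it as `collect_snapshot /path/to/evidence-dir`; the manifest lists what was collected and what was missing, so the gaps in the snapshot are visible at review time.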


In fact the PDCERF model (see NIST SP 800-61) is very effective for emergency response: Preparation, Detection, Containment, Eradication, Recovery and Follow-up. It describes emergency response in a very systematic way.
Smooth emergency response depends largely on the data-flow map and asset map mentioned in the previous article: being able to quickly locate the affected system and accurately find the person responsible for it improves the efficiency of the response and limits the impact of the incident as early as possible.


Defense Model


As for the defence model, a Maslow-style hierarchy of security construction describes how a good defence is established and iterated:
LV0: Undefended: no security measures at all.
LV1: Believes itself secure: some basic security measures such as ACLs are in place and the system has no obvious flaws, but there is no capability for complex emergency response and security services need to be purchased. Evaluation criteria: there is an information security team that ensures the delivery of code, the server environment has no obvious flaws, and penetration testing has been done.
LV2: Basic emergency response: has offensive and defensive capability and can handle and recover from major information security incidents without relying on external security services, but the security system has not yet been fully established. Evaluation criteria: a security team with strong offensive and defensive capability and emergency response capability.
LV3: Security system established: at this stage security has a sound system covering the whole life cycle and both development and operations environments, with the necessary processes in place; security is considered in the architecture of some businesses and assets, and detection and targeted security measures can be adjusted for different attack scenarios. Evaluation criteria: a complete defence-in-depth system that covers daily emergency response and security work.
LV4: Besides securing the basic infrastructure, applications and data, there are systematic security solutions at the business operations level. Confrontation at this stage is no longer only about ordinary attacks but also about business logic security and contending with high-level attackers (advanced attackers and organised cybercrime groups). A risk control system should exist, together with higher-intensity security measures at the security domain level, such as security domains, the account system and other basic services.
LV5: Advanced security measures: beyond meeting all the requirements of the previous levels, this stage is about getting the "momentum" and the "pattern" right, as mentioned earlier. Advanced industry technologies such as situational awareness, threat intelligence systems, machine learning, deep learning and artificial intelligence are brought into the security control system, which is what we usually call best practice. Here there is a complete defence-in-depth system, accurate confrontation with attackers, a full understanding of who is attacking us, and continuous optimisation of the success rate, timeliness, accuracy and automation of attack blocking.

The standard for judging enterprise security construction is ROI (return on investment): whether lower-cost defences can repel costly network attacks. For example, if someone spends 10 dollars to hit you with a wave of DDoS, you spend 10 dollars on defence and the attack costs you only a dime of impact, the defence is effective; conversely, if you defend against the same attacks but the defence costs you 100 dollars, your ROI has a problem and the defence needs to be rethought and further optimised. For a person in charge of security, the factors affecting return on investment are as follows:

  • Systematic: a systematic blueprint for security construction, with vision and perception
  • Management system: this has two parts, construction of the tool chain (management tools) and team building (managers); both contribute to systematic security construction and improve responsiveness.
  • Opportunity and risk: to do security you must be able to accept risk; security is not a checklist question. A checklist helps you build, but it does not completely eliminate security problems; to some extent there will still be "natural disasters" and man-made ones.
  • Security positioning: know your own weight, that is, what level the company's existing security measures are at within the industry and how to raise that level.
  • Matching capability: the growth of the security team must keep up with the rate at which the company expands, being neither too radical nor too conservative.
  • The bigger picture: security is not one team's business but the whole company's; you must actively cooperate and communicate with the other departments.

SDL


As for SDL, there are already many articles on the Internet introducing it. First of all, SDL is certainly a good thing: it reduces the number of vulnerabilities that appear in the software itself and also reduces their severity. Speaking of SDL we have to bring up security training, which is often overlooked within many companies, especially outsourcing companies, for reasons you can guess. The consequences of neglecting SDL are directly reflected in the many systems at large traditional enterprises in communications, energy, finance and other industries that were developed with SSH (Struts + Spring + Hibernate): whenever a Struts 0-day appears, the security departments of these companies are sure to be working overtime. One very important reason is that the security issues of the system were not studied in advance, in other words they were not considered in the development phase (given that these systems are mostly outsourced). Internet companies are different: some large Internet companies have promoted SDL well, so for particularly impactful vulnerabilities they have a ready plan and can fix them quickly. Getting back to the point, security training should include the following content:
Part 1: Secure design: attack surface reduction, defence in depth, the principle of least privilege, secure server configuration, etc.
Part 2: Threat modelling: overview, design implications of the threat model, coding constraints based on the threat model
Part 3: Secure coding: buffer overflows (for C/C++), integer arithmetic errors (for C/C++), XSS/CSRF (for web applications), SQL injection (for web applications), weak cryptography
Part 4: Security testing: the difference between security testing and black-box testing, risk assessment, security testing methods (code audit, fuzzing, etc.)
Part 5: Privacy and sensitive data: types of sensitive data, best practices, privacy risk assessment, privacy in development and testing
Part 6: Advanced concepts: advanced security concepts, trusted user interface design, details of security vulnerabilities, custom threat mitigation
The training above is selective, depending on company size, capability and many other factors, as needed to meet the security requirements.
Given that many companies do not promote the concept of SDL, we can supplement this part with an offence-and-defence-driven approach, which includes the following:
  • Baseline in advance: secure coding standards, security design
  • Action during the process: code audit, security testing before release
  • Mechanism afterwards: full-traffic HTTP IDS, web log analysis, real-time traffic auditing, etc.
  • Event-driven: when new problems are discovered, supervise the development department so that they are fixed quickly


For threat modelling, Microsoft's STRIDE is essential. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. For the SDL part, no one explains it better than Microsoft, so the links are attached directly:
Threat Modeling (STRIDE)
Microsoft Security Development Lifecycle (SDL) - Process Guidance


Author: e1knot

Reposted from: https://zhuanlan.zhihu.com/p/26542790


Source: www.cnblogs.com/simon7s/p/12484155.html