[Yugong Series] 035. HW Network Security Advanced Class: Network Protection Operation Attack and Defense Drill (0day Vulnerability Protection), May 2023


Foreword

A 0day vulnerability is a security flaw that has not yet been discovered by the vendor or publicly disclosed. Attackers who know of such a flaw can exploit it to gain access to affected systems or applications, with consequences such as data leakage, system crashes and malware installation. They are called 0day vulnerabilities because, at the time they are first discovered, no patch or protective measure exists for them.

1. Background

Over the past two or three years of offensive and defensive confrontation, the attacking team's methods have become simpler and more direct, yet also more and more covert. Attacks that rely on a single 0day have become increasingly frequent, and more and more breakthroughs and system compromises are caused by 0day and Nday vulnerabilities; some even give the attacker direct control of the host system. Because a 0day by definition has no existing attack signature, it is difficult to detect and capture (otherwise it would not be a 0day). How to defend against such attacks is therefore a top priority. An effective security protection system can be built from the following aspects.

2. Implementation ideas

1. Disguise key application fingerprints. Disguise the commonly used middleware and change the Server field of the HTTP response header; for example, a Linux web server can be made to report itself as IIS 6.0. Modify the middleware configuration file so that the web service page of the mobile communication app returns an "error" page. Modify the gateway system's configuration fingerprint, and change the email system's fingerprint to "Moresec HoneyPot" to divert the attacker's attention.

2. Heterogeneous border protection equipment (increasing the difficulty and cost of intrusion). Deploy VPNs and firewalls heterogeneously (products from different vendors), and deploy a large number of honeypots in the network areas between the inner and outer VPN systems.

3. Strictly control outbound access (check whether a compromised host can connect back out). An attacker who compromises a host needs that host to be able to reach the outside network.
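As an added illustration of item 1 (this is not code from the original post), the following Python script shows the two halves of fingerprint disguise on constructed HTTP responses: rewriting fingerprint headers to the decoy value the post names (IIS 6.0), and auditing whether a response still reveals the real product, including through a default error page body. In production the rewriting is done in the middleware or reverse-proxy configuration; the logic here stands in for that and doubles as a check of the result.

```python
# Response headers that commonly reveal the real middleware or runtime.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-runtime", "x-generator"}
# Product names that default error pages usually embed in the body.
BODY_MARKERS = (b"nginx", b"Apache", b"Tomcat")
# Decoy value from the post: a Linux web server pretending to be IIS 6.0.
DECOY_SERVER = "Microsoft-IIS/6.0"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_leaks(raw: bytes, decoy: str = DECOY_SERVER):
    """Audit check: (header, value) or ("body", marker) for every remaining leak."""
    _, headers, body = parse_response(raw)
    leaks = [(n, v) for n, v in headers
             if n.lower() in FINGERPRINT_HEADERS and v != decoy]
    leaks += [("body", m.decode()) for m in BODY_MARKERS if m in body]
    return leaks  # empty list means the disguise is consistent


def disguise(raw: bytes, decoy: str = DECOY_SERVER) -> bytes:
    """Drop all fingerprint headers and emit a single decoy Server header."""
    status, headers, body = parse_response(raw)
    kept = [("Server", decoy)]
    kept += [(n, v) for n, v in headers if n.lower() not in FINGERPRINT_HEADERS]
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept])
    # Body passes through untouched, so Content-Length stays valid; a default
    # error page naming the real product still leaks, which is why the post
    # also replaces those pages (see SAMPLE_404 below).
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample responses (not captured from any real system).
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
             b"X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n"
             b"Content-Length: 5\r\n\r\nhello")
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<h1>Not Found</h1><address>Apache/2.4.41 Server</address>")
```

Running `find_leaks` on the disguised 404 sample still reports the body marker, which is the case the post's "error page" step exists to close.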


Reprinted from: blog.csdn.net/aa2528877987/article/details/130656995