
Abstract: Organized and purposeful network attacks that exploit cybersecurity vulnerabilities are becoming increasingly apparent. On one hand, the time window for emergency response is shrinking; on the other, the threat knowledge, professional skills, and proficiency required for emergency response keep rising. This paper presents a concise process and response steps for emergency response undertaken by network operators as defenders, providing a practical reference for related entities.

Keywords: network security; critical information infrastructure; attack and defense drills

1 Introduction

As the significance of information technology in societal development grows, cyberspace has become a new battleground for major powers. Network security attack and defense drills, as a means to test the cyber protection of critical information infrastructure and to enhance the emergency response level of network operators, significantly bolster network security protection capabilities through real-life adversarial practice. From the perspective of a network operator, and using a real-world attack and defense drill on a government website as an example, this paper briefly describes how defenders conduct their work during the drill, providing experience that related entities can draw on when organizing their own response.

2 Drill content

A certain entity organized several attack teams consisting of network security professionals to perform a sustained 5-day security attack test on the official websites and business systems of second-level institutions within its jurisdiction, verifying the effectiveness of the target systems' security protection. Each day, a report from the defenders was submitted at a fixed time on a unified drill platform. The entity I belong to, as the operator of the target websites and business systems, must ensure the physical, operational, and data security of the target information systems, minimizing the harm from cybersecurity incidents.

3 Organizational structure

A Defense Command Center is established, led by the network security manager as commander-in-chief, with members consisting of leaders from the network security and business system operation departments. Subordinate to the Command Center are the Defense Working Group, the Monitoring and Analysis Team, and the Judgment and Disposal Team, totaling 20 people.

3.1 Defense Command Center

Coordinates the overall defense work of the drill and is responsible for the command, organization, coordination, and process control of the information system attack and defense drill; issues the critical operational commands for system downtime and recovery, as well as authorization instructions for external information reporting; reports the progress and summary of the drill, ensuring that the drill's objectives are achieved.

3.2 Defense Working Group

Responsible for the specific tasks of the information system emergency drill: setting up and maintaining a centralized monitoring and disposal environment; analyzing and assessing the impact of information system emergencies on business operations; collecting and analyzing data and records during the information system emergency handling process; reporting the drill progress and situational development to the Command Center; leading the daily security incident summaries and analyses; and compiling, filtering, and submitting the defense reports.

3.3 Monitoring and Analysis Team

Responsible for monitoring business system access and the cyberspace security posture during the attack and defense drill, detecting and identifying network attacks, keeping records of the monitoring process, and issuing attack alerts to the Judgment and Disposal Team; promptly patching vulnerabilities in business systems; and conducting system shutdown and recovery operations.

3.4 Judgment and Disposal Team

During the drill preparation phase, responsible for rectifying identified cybersecurity hazards and implementing the various cybersecurity protection measures. During the live drill phase, responsible for filtering network attack traffic to ensure the availability of business systems; dynamically and flexibly deploying technical resources as needed; and completing technical analysis and judgment, real-time attack countermeasures, and emergency response.

4 Drill Implementation

Based on past drill experience, small-scale defense should be organized around three stages: before the drill, during the drill, and after the drill.

4.1 Before the Attack and Defense Drill

Prior to the drill, establish a comprehensive support team. Set up a monitoring and early warning system from a security technology perspective, and build a notification, early warning, and feedback mechanism at the security policy level. Conduct a detailed risk assessment and security reinforcement of the information systems within the scope of this guarantee, formulate the "Network Security Attack and Defense Drill Implementation Plan," and educate related personnel on information security awareness.

4.1.1 Asset Inventory

Carry out an inventory of informatization assets, primarily including, but not limited to: the internet applications published externally; the internet egress points and the devices and security measures used at each egress; the network architecture (network topology); important or key information systems, application systems, and the topology of their servers; network security devices and network protection; and SSL VPN and IPsec VPN access.

4.1.2 Risk Assessment

Security experts, working from the results of the informatization asset inventory, perform a security risk assessment. They can use methods such as surveys, employee interviews, and security techniques (penetration testing, vulnerability scanning, baseline reviews, etc.), with security tools or manually, to assess risk along the dimensions of network security, application security, host security, endpoint security, and data security, each as follows.

(1) Network Security Risk Assessment: Network architecture risk assessment uses manual and instrumental methods to delve into the current threats and risks in the network from technical, strategic, and managerial aspects. Vulnerability and security baseline risk assessment uses scanning tools to scan and comprehensively inspect network devices. Weak password risk assessment strictly prohibits all accounts from using weak or empty passwords. Account and privilege risk assessment inspects administrator accounts and privileges, closes unnecessary accounts, revokes unreasonable account privileges, and ensures password strength meets the security baseline requirements. Remote login whitelist risk assessment restricts the IPs that may remotely manage devices and disables remote management via Telnet. Configuration backup risk assessment ensures all network devices have good configuration backups and confirms that the backups are effective and restorable.

(2) Application Security Risk Assessment: Authentication risk assessment assesses the identity recognition and authentication settings and configuration of application systems, and how these systems handle the various user login situations, such as login failure and timeout. Access control risk assessment evaluates the setup of the application system's access control function, such as access control policies and permission settings. Security audit risk assessment evaluates the security audit configuration, such as the scope of coverage and the items and content recorded. Asset exposure risk assessment simulates an attacker's information gathering to obtain detailed asset information (program name, version), open dangerous ports, business management backends, etc. Application vulnerability risk assessment covers Web services such as Apache, WebSphere, Tomcat, and IIS, as well as other programs such as SSH and FTP, for missing patches or version vulnerabilities. Penetration testing uses appropriate testing methods to uncover security vulnerabilities in the information system's authentication and authorization, code review, etc., reproduces the damage that exploiting these vulnerabilities could cause, and provides specific improvement or reinforcement measures to avoid or defend against such threats, risks, or vulnerabilities.

(3) Host Security Risk Assessment: WebShell risk assessment investigates backdoor WebShells on systems providing Web services, verifies server security, and ensures the removal of any backdoors left from possible past breaches. Malicious file risk assessment uses professional zombie and trojan detection tools to inspect the operating system for malicious files and conducts behavior analysis on these files to identify the virus family and its dangers. Weak password risk assessment strictly prohibits all accounts from using weak or empty passwords. Port and service risk assessment opens only the ports related to the services the server provides and closes unnecessary ports and external services. Server firewall risk assessment prohibits all active outbound access by default; where outbound access is necessary, a strict access control policy must be formulated to implement a server outbound access whitelist. System vulnerability scan risk assessment scans the operating system, databases, and common applications and protocols for vulnerabilities.

(4) Endpoint Security Risk Assessment: Security baseline risk assessment checks the endpoint's operating system against the security configuration baseline to ensure endpoint security. Weak password risk assessment strictly prohibits all accounts from using weak or empty passwords. Antivirus software risk assessment checks whether endpoints have antivirus software installed and whether its security policies are activated. Unauthorized external connection risk assessment checks whether endpoints have dual network cards and whether they open or connect to hotspots. Patch update risk assessment inspects the status of patch updates.

(5) Data Security Risk Assessment: Security baseline risk assessment checks the database server's operating system against the security configuration baseline to ensure database system security. Data access control risk assessment evaluates data access and permission settings. Data backup risk assessment checks data backup strategies and the disaster recovery situation.
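As an added illustration of the host and network checks in the risk assessment above (not code from the original paper): a small Python script that reconciles the asset inventory from 4.1.1 against a port-scan snapshot, applies the weak/empty password rule, and verifies that a server's outbound firewall policy is default-deny with a whitelist. The inventory, scan results, accounts and firewall rules are constructed sample data; the function names and the Rule structure are assumptions.

```python
"""Baseline checks for the risk-assessment stage: reconcile the asset
inventory against observed listening ports, apply the weak/empty password
rule, and verify a server's outbound firewall policy is default-deny with a
whitelist. All inventory, scan, account and rule data is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed asset inventory (4.1.1): the ports each host's declared services need.
INVENTORY: Dict[str, Set[int]] = {
    "web-01": {80, 443},   # public portal: HTTP/HTTPS only
    "db-01": {3306},       # database: reached only from the web tier
}

# Constructed port-scan snapshot of what is actually listening.
OBSERVED: Dict[str, Set[int]] = {
    "web-01": {22, 80, 443, 8080},   # 22 and 8080 are not in the inventory
    "db-01": {3306, 23},             # 23 = Telnet, banned by the baseline
}

BANNED_PORTS = {23: "telnet"}   # remote management over Telnet is prohibited


def unexpected_ports(inventory: Dict[str, Set[int]], observed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Ports listening on a host that the inventory does not account for."""
    findings: Dict[str, List[int]] = {}
    for host, ports in observed.items():
        extra = ports - inventory.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


COMMON_WEAK = {"123456", "password", "admin", "admin123", "root", "qwerty"}


def password_is_weak(pw: str, min_len: int = 12) -> bool:
    """Weak-password rule: empty, dictionary word, too short, or fewer than 3 character classes."""
    if not pw or pw.lower() in COMMON_WEAK or len(pw) < min_len:
        return True
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return classes < 3


@dataclass
class Rule:
    direction: str              # "in" or "out"
    action: str                 # "allow" or "deny"
    dst: str = "any"            # destination host or CIDR; "any" matches everything
    port: Optional[int] = None  # None = all ports


def outbound_policy_ok(rules: List[Rule]) -> Tuple[bool, str]:
    """Outbound policy must be an explicit whitelist followed by deny-to-any."""
    out = [r for r in rules if r.direction == "out"]
    if not out:
        return False, "no outbound rules at all (implicit allow-all)"
    last = out[-1]
    if not (last.action == "deny" and last.dst == "any" and last.port is None):
        return False, "outbound chain does not end with a default deny"
    whitelist = [r for r in out[:-1] if r.action == "allow"]
    if any(r.dst == "any" for r in whitelist):
        return False, "whitelist contains an allow to any destination"
    return True, f"default-deny outbound with {len(whitelist)} whitelisted destinations"


# Constructed rule sets: a compliant one and one that allows all outbound traffic.
GOOD_RULES = [
    Rule("in", "allow", "any", 443),
    Rule("out", "allow", "10.0.0.53", 53),    # internal DNS
    Rule("out", "allow", "10.0.0.20", 443),   # internal patch mirror
    Rule("out", "deny"),
]
BAD_RULES = [Rule("in", "allow", "any", 443), Rule("out", "allow")]

# Constructed accounts as submitted to a password-policy check (sample values only).
SAMPLE_ACCOUNTS = {"admin": "admin123", "deploy": "Tq7!vR2#pLm9xZ", "backup": ""}


def run_assessment(inventory=INVENTORY, observed=OBSERVED, rules=GOOD_RULES, accounts=None) -> List[str]:
    """Return one finding string per baseline deviation in the supplied environment."""
    findings: List[str] = []
    for host, ports in unexpected_ports(inventory, observed).items():
        for p in ports:
            tag = f" ({BANNED_PORTS[p]}, banned)" if p in BANNED_PORTS else ""
            findings.append(f"{host}: unexpected listening port {p}{tag}")
    for user, pw in (accounts or {}).items():
        if password_is_weak(pw):
            findings.append(f"account {user}: weak or empty password")
    ok, why = outbound_policy_ok(rules)
    if not ok:
        findings.append(f"outbound firewall: {why}")
    return findings


if __name__ == "__main__":
    for line in run_assessment(accounts=SAMPLE_ACCOUNTS):
        print(line)
```

Each finding maps back to a named assessment item (port and service, weak password, server firewall), which is what the reinforcement step in 4.1.3 needs in order to assign it to the right system owner.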
4.1.3 Security Reinforcement

Through assessment and inspection, analyze the cybersecurity vulnerabilities and risks of the informatization assets and critical information systems, and conduct targeted security reinforcement. Network-level issues, such as those in network devices, security devices, and security systems, are the responsibility of the Basic Network Operation Department; host- and application-layer issues, such as existing vulnerabilities, code logic errors, weak administrator passwords, and middleware vulnerabilities, are the responsibility of the relevant system heads, who are guided and advised by security experts in addressing the technical security issues found during the assessment, optimizing system security configurations, and eliminating weaknesses caused by improper system configuration.

4.1.4 Security Training

To enhance the security technical abilities of security personnel and the information security awareness of non-security personnel, the Defense Working Group customizes training course content using related textbooks and practical case materials, helping relevant personnel strengthen their security awareness and deepen their knowledge of attack and defense, so that they can respond to cyberattacks more effectively during the drill. Main training content: for security technical personnel and security administrators, training covers security awareness, security basics, Web composition, common vulnerabilities, recent 0-day events, intrusion processes, malicious software phenomena, and defensive techniques; for non-security technical personnel, training intensifies security awareness concerning personal computer security, email security, mobile security, and daily work and life.

4.1.5 Simulated Attack and Defense

After security reinforcement, in order to test its results and examine the robustness and effectiveness of the security defense system, it is necessary to organize simulated attack and defense drills to test security capabilities. Invite security companies' attack teams to conduct attack drills on the target unit's informatization systems from the outside, to test the systems' defensive ability and examine the collaborative security ability of the drill defense team. The attack team's methods should not affect the normal business operations of the target unit, and include, but are not limited to, penetration testing, system vulnerab...

4.2 During the cybersecurity exercise

The Defense Working Group directs the Monitoring and Analysis Team and the Judgment and Disposal Team to defend with the utmost effort against cyberattacks from any attacker during the cybersecurity exercise; to monitor the cyberattack situation on the target systems in real time; to immediately notify the Defense Command Center in the event of a cybersecurity incident; to keep abreast of the exercise's progress; to analyze and judge security incidents; and to prepare analysis and disposal reports for submission.

4.2.1 7×24-hour Monitoring and Early Warning

The Monitoring and Analysis Team performs centralized monitoring of website security through business system access logs, website security monitoring, the cybersecurity management center, cyberspace situational awareness, and other early warning platforms. A designated person on the cloud side continuously analyzes and verifies the security events of the monitored websites in real time, and immediately reports to the on-site Judgment and Disposal Team whenever a security incident occurs. Every monitoring task is assigned to a named person, and for every detected security event the event logs must be retained, system backups maintained, detailed fault records kept, and a preliminary diagnosis made.

4.2.2 Technical Analysis

During the cybersecurity exercise, the number of cyberattacks grows exponentially. Traditional threat detection methods based on black and white lists, signatures, and rules are no longer sufficient to deal with the continually evolving and targeted cyber threats seen during the exercise. Therefore, when the internet security monitoring platform or cyberspace situational awareness detects a security incident, the Monitoring and Analysis Team must immediately analyze the incident, pinpoint the problem, and trace its origin. Once an event is confirmed not to be a false alarm, details such as the attack path and attacker IP are reported to the Judgment and Disposal Team and the Defense Working Group for further reporting. Combining the fault description and diagnosis to pinpoint the security issue, a proposed solution is generated according to the situation and fed back to the Judgment and Disposal Team. Issues that cannot be pinpointed or analyzed are referred directly to the Defense Working Group.

4.2.3 Expert Judgment and Real-time Attack Response

The greatest security risk during the cybersecurity exercise comes from the attackers, particularly those that are targeted and persistent. Early detection and containment of targeted and persistent attacks is an effective means of mitigating external threats. The exercise period is also when illegal hacker organizations are most active, and they may disguise themselves as an attack team to attack the defending units. The Monitoring and Analysis Team and the Judgment and Disposal Team must therefore continuously judge security incidents in real time, based on the characteristics of the events, and add appropriate protective strategies to intrusion prevention systems, Web application firewalls, and other security devices, so as to categorize and confront illegal attack incidents in real time.

4.2.4 Emergency Response and Business Recovery

The key to handling an emergency response swiftly and successfully is to resolve the security incidents that have occurred in an orderly manner according to predetermined processes, so as to minimize the damage caused by security incidents and reduce the risks in emergency handling. The Judgment and Disposal Team, upon receiving the early warning report from the Monitoring and Analysis Team, directly tackles the identified problems (such as availability).
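As an added example (not from the original paper) of the access-log side of the monitoring and technical analysis described above: a Python triage script that parses combined-format web access logs, flags per-request attack indicators and a per-IP request burst, filters out the team's own internal scanner so its probes are not escalated as false alarms, and emits the attacker IP and attack path summary that is reported to the Judgment and Disposal Team. The log lines, IP addresses, indicator patterns and thresholds are constructed sample data; the function names are assumptions.

```python
"""Access-log triage during the exercise: parse combined-format lines, flag
attack indicators per request, add a per-IP burst rule, drop the team's own
internal scanner to avoid false alarms, and emit the attacker IP / attack path
summary that is reported onward. Log lines and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

# Apache/Nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Request-level indicators, matched against the URL-decoded path and query.
PATH_PATTERNS = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_probe": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"),
}
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|nmap|masscan)")

# The monitoring team's own vulnerability scanner (constructed address): its
# probes are expected, so they are filtered out rather than escalated.
INTERNAL_SCANNERS = {"10.0.0.5"}

# Constructed sample log: one scanning source, one traversal probe, one normal
# visitor, and one probe from the internal scanner.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2023:09:15:01 +0800] "GET /news/?id=1\'%20or%201=1-- HTTP/1.1" 200 5123 "-" "sqlmap/1.5"',
    '203.0.113.7 - - [12/Aug/2023:09:15:02 +0800] "GET /news/?id=1%20union%20select%201,2,3 HTTP/1.1" 500 312 "-" "sqlmap/1.5"',
    '203.0.113.7 - - [12/Aug/2023:09:15:03 +0800] "GET /admin/ HTTP/1.1" 404 153 "-" "sqlmap/1.5"',
    '198.51.100.23 - - [12/Aug/2023:09:16:10 +0800] "GET /static/../../../../etc/passwd HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Aug/2023:09:17:00 +0800] "GET /index.html HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2023:09:18:00 +0800] "GET /static/../../etc/passwd HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["status"] = int(req["status"])
    req["decoded"] = unquote(req["path"])   # decode %xx so encoded probes are visible
    return req


def indicators_for(req: dict) -> Set[str]:
    """Names of the request-level indicators that fire for this request."""
    hits = {name for name, rx in PATH_PATTERNS.items() if rx.search(req["decoded"])}
    if SCANNER_UA.search(req["ua"]):
        hits.add("scanner_ua")
    return hits


def triage(lines: List[str], burst_n: int = 3, burst_window_s: int = 10) -> Dict[str, dict]:
    """Aggregate requests by source IP and attach indicators, including a burst rule."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"requests": [], "indicators": set(), "attack_paths": []})
    for line in lines:
        req = parse(line)
        if req is None:
            continue
        entry = per_ip[req["ip"]]
        entry["requests"].append(req)
        hits = indicators_for(req)
        if hits:
            entry["indicators"] |= hits
            entry["attack_paths"].append(req["decoded"])
    # Behavioural rule: burst_n or more requests from one IP inside burst_window_s seconds.
    for entry in per_ip.values():
        ts = sorted(r["ts"] for r in entry["requests"])
        for i in range(len(ts) - burst_n + 1):
            if (ts[i + burst_n - 1] - ts[i]).total_seconds() <= burst_window_s:
                entry["indicators"].add("request_burst")
                break
    return dict(per_ip)


def report(lines: List[str]) -> List[dict]:
    """Findings for escalation: external IPs with at least one indicator, worst first."""
    findings = []
    for ip, e in triage(lines).items():
        if ip in INTERNAL_SCANNERS or not e["indicators"]:
            continue
        findings.append({"ip": ip, "indicators": sorted(e["indicators"]),
                         "attack_paths": e["attack_paths"], "requests": len(e["requests"])})
    return sorted(findings, key=lambda f: (-len(f["indicators"]), f["ip"]))


if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        print(f"{f['ip']}: {', '.join(f['indicators'])} -> {f['attack_paths']}")
```

The output for each escalated IP is exactly the pair the text asks the Monitoring and Analysis Team to hand over: the attacker address and the paths it attacked. The internal scanner's traversal probe is dropped before escalation, which is the "confirmed not to be a false alarm" step; in production the allowlist would be fed from the asset inventory rather than hard-coded.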
