Originally thought that it had been four days, and the stiff neck should be a little better, so I didn't take Ibuprofen. As a result, after the effect of Ibuprofen wore off, I found it still hurt the same as before, and the new Ibuprofen would take one or two hours to take effect. Therefore, the update will be a bit later today, probably around one or two in the morning, and I'll refresh this chapter then.

......

Abstract: The trend of using cybersecurity vulnerabilities for organized and purposeful cyber attacks is becoming increasingly apparent. On one hand, the response window for emergency response is shrinking; on the other hand, the threat knowledge, professional skills, and proficiency required for emergency response keep increasing. This paper proposes a concise process and response steps for network operators, as defenders, to conduct emergency response, providing a practical reference for relevant units.

Keywords: cybersecurity; critical information infrastructure; attack and defense exercise

1 Introduction

As the importance of information technology in social development continues to rise, cyberspace has become a new battleground for major powers. Network security attack and defense drills are an important means of testing the cybersecurity protection of critical information infrastructure and improving the emergency response level of network operators. By fostering improvement in network security protection capability through live confrontation methods, these drills hold significant importance. This paper, from the perspective of a network operator, outlines how defenders conduct their work during such drills, using a live attack and defense exercise against a government website as an example, to provide organizational response experience for relevant units.

2 Exercise Content

A certain unit organizes a number of attack teams composed of cybersecurity professionals to conduct a continuous five-day security attack test against the official websites and business systems of second-level institutions within its jurisdiction, to verify the effectiveness of the target systems' security protection capabilities. Each day, the defending party submits reports at a fixed time on a unified drill platform. The author's unit, as the operating unit of the target website and business system, must ensure the physical safety, operational safety, and data security of the target information system to minimize the harm of cybersecurity emergencies.

3 Organizational Structure

A Defense Command Center is established, with the chief executive for cybersecurity as commander-in-chief and members comprising the leaders of the cybersecurity and business system operation departments. Under the command center are a Defense Working Group, a Monitoring and Analysis Team, and a Judgment and Disposal Team, totaling 20 people.

3.1 Defense Command Center

Manages the overall coordination of the entire drill defense work; responsible for the command, organization, coordination, and process control of the information system attack and defense drill; issues authorization instructions for system shutdown, recovery, other critical operations, and external information reporting; and reports drill progress and summary reports to ensure the drill achieves its expected purpose.

3.2 Defense Working Group

Responsible for the specific tasks of the information system emergency drill: building and maintaining the environment for centralized monitoring and disposal during the drill; analyzing and evaluating the impact of information system emergencies on the business; collecting and analyzing data and records during the disposal of information system emergencies; reporting the progress and development of the drill to the command center; leading the daily summary and analysis of security incidents; and compiling, filtering, and submitting the defensive side's reports.

3.3 Monitoring and Analysis Team

Responsible for business system access monitoring and cybersecurity situation monitoring during the attack and defense drill, detecting and identifying network attacks, keeping records of the monitoring process, and issuing attack warnings to the Judgment and Disposal Team; timely patching of existing vulnerabilities in the business systems; and carrying out business system shutdown and recovery work.

3.4 Judgment and Disposal Team

During the preparatory stage of the drill, responsible for rectifying discovered cybersecurity risks and implementing the various security protection measures. During the live stage of the drill, responsible for cleaning up network attack traffic to ensure the availability of business systems, and for flexibly and actively deploying technical resources as needed to complete technical analysis and judgment, real-time attack confrontation, emergency response, and other tasks.

4 Drill Implementation

According to past drill experience, a small-scale defense should conduct its work in three stages: before, during, and after the drill.

4.1 Before the Attack and Defense Drill

Establish a comprehensive support team before the attack and defense drill. From the perspective of security technology, establish a monitoring and early warning system; from the perspective of security procedures, build a notification, early warning, and disposal feedback mechanism. Conduct a detailed risk assessment and security hardening of the information systems within the protection scope, develop a "Network Security Attack and Defense Drill Implementation Plan," and promote information security awareness among relevant personnel.

4.1.1 Asset Reorganization

Carry out the reorganization of information assets, mainly including but not limited to: reorganizing the internet application systems released externally; reorganizing the internet exits and the devices and security measures used at them; reorganizing the network structure (network topology); reorganizing the topology between critical or highly protected information systems and the application system servers; reorganizing network security equipment and its protection status; and reorganizing SSL VPN and IPSec VPN access.

4.1.2 Risk Assessment

Security guarantee experts conduct a security risk assessment based on the results of the information asset reorganization. They can use questionnaires, personnel interviews, and security technologies (penetration testing, vulnerability scanning, baseline inspection, etc.), through security tools or manual methods, to assess security risk in dimensions such as network security risk, application security risk, host security risk, terminal security risk, and data security risk. The specific parts can refer to the following.

(1) Network Security Risk Assessment. Network architecture risk assessment: using manual and tool-based methods to dig deeper into the threats and risks existing in the current network from technical, policy, and management perspectives. Security vulnerability and security baseline risk assessment: using scanning tools to scan and thoroughly inspect network devices. Weak password risk assessment: strictly prohibiting weak passwords and blank passwords for all accounts. Account and permission risk assessment: examining administrator accounts and permissions, closing unnecessary accounts, and revoking unreasonable account permissions; ensuring that password strength meets security baseline requirements. Remote login whitelist risk assessment: strictly limiting the IP addresses that may manage devices remotely, and disabling Telnet for remote management. Configuration backup risk assessment: ensuring all network device configurations are backed up and confirming that the backups are valid and restorable.

(2) Application Security Risk Assessment. Identity authentication risk assessment: evaluating the settings and use of the application system's identity identification and authentication functions, and how it handles the various user login situations such as login failure and login connection timeout. Access control risk assessment: evaluating the access control settings of application systems, such as access control policies and permission settings. Security audit risk assessment: evaluating the security audit configuration of application systems, such as its coverage and the items and content recorded. Asset exposure risk assessment: simulating an attacker's information gathering to obtain detailed asset information (program name, version), open dangerous ports, business management backends, etc. Application vulnerability risk assessment: covering web services such as Apache, WebSphere, Tomcat, and IIS, and detecting missing patches or version vulnerabilities in other programs such as SSH and FTP. Penetration testing: using appropriate test methods to identify security vulnerabilities in areas such as system authentication and authorization and code review for the test targets, demonstrating the potential losses caused by exploiting these vulnerabilities, and providing specific improvement or hardening measures to avoid or prevent such threats, risks, or vulnerabilities.

(3) Host Security Risk Assessment. WebShell risk assessment: conducting WebShell backdoor inspection on systems providing web services, verifying server security, and ensuring the removal of any backdoor that may have been left by a previous attack. Malicious file risk assessment: using professional detection tools for botnets, trojans, and worms to examine operating systems for malicious files, conducting behavior analysis on malicious files, and confirming the virus family and its harm. Weak password risk assessment: strictly prohibiting weak passwords and blank passwords for all accounts. Port and service risk assessment: the server opens only the ports related to its services, closing unnecessary ports and external services. Server firewall risk assessment: banning all active outbound access by default; if needed, strictly formulating access control policies and implementing an outbound whitelist for the server. System vulnerability scanning risk assessment: scanning for vulnerabilities in operating systems, databases, and common applications and protocols.

(4) Terminal Security Risk Assessment. Security baseline risk assessment: conducting baseline security configuration checks on terminal operating systems to ensure terminal device security. Weak password risk assessment: strictly prohibiting weak passwords and blank passwords for all accounts. Antivirus software risk assessment: checking whether the terminal has antivirus software installed and whether its security policies are enabled. Illegal network connection risk assessment: checking whether the terminal has dual network cards configured or has open or connected hotspots. Patch update risk assessment: checking the status of patch updates.

(5) Data Security Risk Assessment. Security baseline risk assessment: conducting baseline security configuration checks on the database operating system to ensure database system security. Data access control risk assessment: assessing data access and permission settings. Data backup risk assessment: checking data backup policies and disaster recovery readiness.

4.1.3 Security Strengthening

Through assessment and inspection methods, analyze the security vulnerabilities and risks of information assets and critical information systems, and strengthen security in a targeted manner. Security issues at the network level, such as network devices, security devices, and security systems, are reinforced by the Basic Network Operation Department; vulnerabilities in application systems, code logic errors, weak administrator passwords, middleware vulnerabilities, and other issues at the host and application layers are reinforced by the personnel responsible for the respective systems, with security experts providing guidance and suggestions for solving the technical security issues found in the security assessment and optimizing system security configurations to prevent weaknesses caused by improper configuration.

4.1.4 Security Training

To enhance the cybersecurity skills of security technical personnel and the security awareness of non-technical personnel, the Defense Working Group customizes training course content, using related textbooks and real-case scenarios, to help relevant personnel strengthen their security awareness and their knowledge of information security attack and defense, enabling better responses to network attacks during the drill. Main training contents: for security technical personnel and security administrators, training on security awareness, security basics, web composition, common vulnerabilities, well-known 0-day events, intrusion processes, malicious software phenomena, and defensive methods; for non-technical personnel, security awareness reinforcement training from the dimensions of personal computer security, email security, mobile security, and daily work and life.

4.1.5 Simulated Attack and Defense

After security strengthening, to test its results and evaluate the robustness and effectiveness of the security protection system, it is necessary to organize simulated attack and defense drills for security capability verification. A security company can be invited to act as an attack team and conduct attack drills against the target institution's information systems from the outside, testing the protection capacity of the drill's target systems and the collaborative support capacity of the drill's defense team. The attack methods used by the attack team must not affect the normal conduct of the target institution's business, and may include but are not limited to penetration testing, system vulnerability attacks, phishing/APT comprehensive attacks, social engineering attacks, etc.

4.1.6 Environment Preparation

Set up the electricity and network equipment needed for the drill's centralized monitoring and disposal environment in an appropriate location, allocating network access according to work tasks and ensuring the normal operation of the equipment during the attack and defense drill.
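As an added illustration of the 4.1.2 host and network baseline checks (example code written for this edit, not from the paper or the unit it describes), the script below applies the weak-password, port-and-service, remote-login-whitelist, server-outbound-firewall and configuration-backup rules to a constructed asset inventory of the kind produced by 4.1.1. Hostnames, accounts, passwords, addresses, the password blacklist and the 12-character minimum length are all assumptions.

```python
# Constructed inventory for two hosts; hostnames, accounts, passwords and
# addresses are made up for this example (assumed, not from the paper).
INVENTORY = [
    {"host": "web-01",
     "accounts": {"root": "Tr0ub4dor&3!x", "deploy": "123456", "guest": ""},
     "open_ports": [22, 23, 80, 443], "service_ports": [80, 443],
     "remote_mgmt_whitelist": [],  # empty: any IP may manage remotely
     "outbound_default": "allow",
     "backup": {"exists": True, "restore_tested": False}},
    {"host": "db-01",
     "accounts": {"root": "L0ng-Passphrase-2024", "dba": "C0rrect.H0rse.Batt3ry"},
     "open_ports": [22, 3306, 8080], "service_ports": [3306],
     "remote_mgmt_whitelist": ["10.0.5.10"],
     "outbound_default": "deny",
     "backup": {"exists": True, "restore_tested": True}},
]
WEAK_PASSWORDS = {"", "123456", "password", "admin", "admin123"}  # assumed blacklist
MIN_PASSWORD_LEN = 12  # assumed baseline strength requirement
MGMT_PORTS = {22, 23}  # judged by the remote-login rule, not the port rule

def assess_host(h):
    """Apply the 4.1.2 checklist to one host; returns a list of (dimension, detail)."""
    findings = []
    # Weak password risk: blank, blacklisted, or shorter than the baseline length.
    for user, pwd in h["accounts"].items():
        if pwd in WEAK_PASSWORDS or len(pwd) < MIN_PASSWORD_LEN:
            findings.append(("weak_password", f"account {user}: weak or blank password"))
    # Port and service risk: only ports required by the service may be open.
    for port in h["open_ports"]:
        if port not in h["service_ports"] and port not in MGMT_PORTS:
            findings.append(("port_service", f"port {port} open but not required"))
    # Remote login whitelist risk: no Telnet, management limited to listed IPs.
    if 23 in h["open_ports"]:
        findings.append(("remote_login", "Telnet (23) enabled for remote management"))
    if not h["remote_mgmt_whitelist"]:
        findings.append(("remote_login", "remote management not restricted to a whitelist"))
    # Server firewall risk: outbound access must be denied by default.
    if h["outbound_default"] != "deny":
        findings.append(("server_firewall", "outbound access not denied by default"))
    # Configuration backup risk: backup must exist and be restore-tested.
    if not (h["backup"]["exists"] and h["backup"]["restore_tested"]):
        findings.append(("config_backup", "no valid, restore-tested backup"))
    return findings

def assess_inventory(inventory):
    """Return {host: findings} so each system owner gets its own rectification list."""
    return {h["host"]: assess_host(h) for h in inventory}

if __name__ == "__main__":
    for host, findings in assess_inventory(INVENTORY).items():
        print(host, "OK" if not findings else f"{len(findings)} finding(s)")
        for dimension, detail in findings:
            print(f"  [{dimension}] {detail}")
```

The per-host finding lists map directly onto the 4.1.3 division of labour, where host-layer issues go to the responsible system personnel for rectification.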

4.2 During the Attack and Defense Drill

The Defense Working Group guides the Monitoring and Analysis Team and the Judgment and Disposal Team to defend as fully as possible against network attacks from any attacker during the attack and defense drill, while monitoring the attack situation on the target systems in real time; in the event of a cybersecurity incident, the Defense Command Center is notified immediately so that it can keep track of the drill situation, and the security incident is analyzed and judged to form an analysis and disposal report for submission.

4.2.1 7×24 Hour Monitoring and Warning

The Monitoring and Analysis Team achieves centralized monitoring of website security through business system access logs, website security monitoring, the network security management center, and the notifications and early warnings of the cybersecurity situation awareness platform. A dedicated person is assigned in the cloud to carry out real-time judgment and verification of security incidents on the monitored websites. When a security incident occurs, it is reported immediately to the on-site Judgment and Disposal Team. Every monitoring task is assigned to an individual, and records of detected security incidents must be kept. The system is backed up, and detailed records of failures are kept for preliminary diagnosis.

4.2.2 Technical Analysis

During the attack and defense drill, the number of network attacks grows exponentially. Traditional security threat detection methods based on blacklists, whitelists, signatures, and rules can no longer cope with the continuously escalating and targeted network threats during the drill. Hence, when the internet security monitoring platform or the security situation awareness platform detects a security event, the Monitoring and Analysis Team must immediately analyze the security incident, locate the issue, and trace the source. After confirming that it is not a false alarm, they provide detailed feedback on the attack path, attack IP, etc., to the Judgment and Disposal Team and to the Defense Working Group for reporting. Combining the fault description and diagnosis, once the security issue is located, a solution is produced as needed and fed back to the Judgment and Disposal Team. Issues that cannot be located or analyzed are reported directly to the Defense Working Group.

4.2.3 Expert Judgment and Real-Time Attack Confrontation

The greatest security risk during the attack and defense drill comes from attacker actions, especially targeted and persistent attacks. Early identification and containment of targeted and persistent attacks are effective means of avoiding external risk. The drill period is also an active period for illegal hacker organizations, which may disguise themselves as attack teams to target the defending units, so the Monitoring and Analysis Team and the Judgment and Disposal Team must judge security incidents in real time. According to the characteristics of each event, corresponding defense strategies are added to intrusion prevention systems, web application firewalls, and other security devices to conduct real-time confrontation against illegal attack incidents.

4.2.4 Emergency Response and Business Recovery

The key to successful emergency response is resolving security incidents that have already occurred in an orderly way, according to pre-established procedures.

You are reading Ashen God Chapter 840: Late Night Update on novel69.