[First Release] The US CIA's Network Cleanup Standard
Network security response steps:
First, collect and remove, for further analysis, the programs, logs and data related to the network activity.
Implement mitigation steps that avoid tipping off the adversary that it has been discovered on the network.
Finally, consider seeking incident response assistance from a third-party IT security organization, which can provide expertise and technical support from an incident response perspective, to make sure that every trace of the attacker is removed from the network and that no residual problems (such as unpatched vulnerabilities and uncleared backdoors) remain; once the incident is over, such leftovers can lead to follow-on intrusions.
Technical details
The incident response process requires multiple technical approaches to detect malicious activity. Incident responders should consider the following steps. Blackbird's view: fundamentally, this is a threat intelligence and machine learning approach to detecting malicious activity automatically.
Indicator of compromise (IOC) search:
Collect known malicious indicators from a variety of sources and search the network and hosts for them. The search results can then be examined to confirm whether malicious activity is present and to eliminate false positives.
Frequency analysis:
Use large datasets to calculate what normal traffic looks like in the network and host systems, then use these predictive models to identify activity that is inconsistent with the normal patterns. Variables commonly considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming conventions and other attributes.
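The frequency-analysis baseline described above, as an added example that is not part of the original post: it builds a per-source profile from constructed flow records (timing, destination, port and byte count are the variables used here) and flags new records that talk to a never-seen destination/port pair, are active at an hour never seen before, or carry a byte count far above the baseline for that tuple. All records and hosts are constructed; a real profile needs weeks of data rather than six flows.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the advisory): (UTC timestamp, src, dst, dport, bytes).
# A real baseline needs weeks of data; this tiny one only illustrates the mechanics.
BASELINE = [
    ("2020-08-03T09:05:00", "10.0.0.5", "10.0.0.20", 445, 12_000),
    ("2020-08-03T10:15:00", "10.0.0.5", "10.0.0.20", 445, 9_500),
    ("2020-08-04T11:40:00", "10.0.0.5", "10.0.0.20", 445, 14_000),
    ("2020-08-04T13:02:00", "10.0.0.5", "203.0.113.10", 443, 5_000),
    ("2020-08-05T16:30:00", "10.0.0.5", "203.0.113.10", 443, 6_200),
    ("2020-08-05T17:45:00", "10.0.0.7", "10.0.0.20", 445, 11_000),
]

def build_profile(records):
    """Per-source profile: destination/port pairs used, hours of day seen,
    and the byte counts observed per (src, dst, dport) tuple."""
    pairs, hours, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        pairs[src].add((dst, dport))
        hours[src].add(datetime.fromisoformat(ts).hour)
        volumes[(src, dst, dport)].append(nbytes)
    return pairs, hours, volumes

def find_anomalies(profile, records, factor=3.0):
    """Return (record, reason) pairs for records that break the profile: an unseen
    destination/port for the source, an unseen hour of activity, or a byte count
    more than `factor` standard deviations above the baseline for that tuple."""
    pairs, hours, volumes = profile
    findings = []
    for rec in records:
        ts, src, dst, dport, nbytes = rec
        hour = datetime.fromisoformat(ts).hour
        if (dst, dport) not in pairs.get(src, set()):
            findings.append((rec, f"{src} never talked to {dst}:{dport} before"))
        if hour not in hours.get(src, set()):
            findings.append((rec, f"{src} active at unusual hour {hour:02d}:00"))
        seen = volumes.get((src, dst, dport), [])
        if len(seen) >= 2 and nbytes > statistics.mean(seen) + factor * statistics.pstdev(seen):
            findings.append((rec, f"{nbytes} bytes to {dst}:{dport} is far above the baseline"))
    return findings

# Constructed new records to screen against the profile.
NEW = [
    ("2020-08-10T10:20:00", "10.0.0.5", "10.0.0.20", 445, 10_500),      # ordinary
    ("2020-08-10T02:10:00", "10.0.0.5", "198.51.100.9", 4444, 800),     # new peer, odd hour
    ("2020-08-10T13:25:00", "10.0.0.5", "203.0.113.10", 443, 480_000),  # unusual volume
]
```

Calling find_anomalies(build_profile(BASELINE), NEW) returns three findings: two for the 02:10 connection to the new peer and one for the oversized transfer to 203.0.113.10.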
Pattern analysis:
Analyze data to identify repeating patterns that indicate automated mechanisms (for example, malware or scripts) or routine adversary activity. Filter out the data that contains normal activity and evaluate what remains to identify suspicious or malicious activity.
Anomaly detection:
Analyze and examine the collected programs (drawing on the team's knowledge and system administration experience) to determine whether they are malicious. Review the unique values in the various datasets and, where appropriate, research the related data to uncover anomalous activity that may indicate threat actor activity.
If suspected malicious activity is detected, searching applications and files is recommended as part of the hunt for malicious activity.
When searching and/or investigating the network, it is important to examine the various program files to identify events possibly related to the incident, and any suspicious activity. The following are the recommended areas to search on the victim host:
Host layer:
- Running processes
- Running services
- Full hashes of parent and child processes
- Background executables
- Installed applications
- Local and domain account users
- Abnormal authentications
- Non-standard username formats
- Listening ports and their associated services
- Domain Name System (DNS) resolution settings and static routes
- Recently established network connections
- Run keys and other autorun persistence programs
- Scheduled tasks
- Execution artifacts (Prefetch and Shimcache)
- Event logs
- Antivirus detections
Host information collection and analysis:
Flag any unsigned process attempting to connect to the Internet, to find beacons or significant data being sent out.
Collect all PowerShell command-line requests and look for Base64-encoded commands, to help identify malicious fileless attacks.
I keep looking for .RAR, 7zip or WinZip processes, especially ones with suspicious file names, to help find malicious archives (suspicious file names such as 1.zip, 2.zip, and so on).
Collect all user logins and look for anomalous behavior, such as unusual login times for a user or logins from Internet Protocol (IP) addresses the user does not normally use.
On Linux/Unix operating systems (OS) and services, collect all cron files and the systemd and /etc/passwd files to look for unusual accounts and log files, for example accounts that appear to be system/proc users but have an interactive shell such as /bin/bash instead of /bin/false or nologin.
On Microsoft operating systems, collect the scheduled tasks on the target host, the Group Policy Objects (GPO) and the Windows Management Instrumentation (WMI) database storage to look for malicious persistence.
Use the Microsoft Windows Sysinternals Autoruns tool, which lets IT security practitioners view most of the programs that are automatically loaded on the system (and easily disable them if needed).
Check the Windows Registry and the Volume Shadow Copy Service for signs of intrusion.
Consider blocking script files such as .js, .vbs, .zip, .7z, .sfx and even Microsoft Office documents or PDF files from running.
Collect any scripts or binary ELF files from /dev/shm, /tmp and /var/tmp.
The kernel modules listed by lsmod can reveal a rootkit; dmesg output can show signs of rootkit loading and device connections.
Archive the contents of /var/log from all hosts.
Export the logs from journald. These are largely the same as /var/log, but journald provides some integrity checks and is not as easy to modify; for some parts of the system it will eventually replace /var/log.
Check whether additional Secure Shell (SSH) keys have been added to users' authorized_keys files.
Network layer:
- Anomalous DNS traffic and activity, unexpected DNS resolution servers, unauthorized DNS zone transfers, data exfiltration through DNS, and changes to hosts files
- Remote Desktop Protocol (RDP), Virtual Private Network (VPN) sessions, SSH terminal connections and other remote access capabilities, evaluated for inbound connections, unauthorized third-party tools, cleartext information and unauthorized lateral movement
- Uniform Resource Identifier (URI) strings, user-agent strings and proxy enforcement actions, for abusive, suspicious or malicious website access
- Hypertext Transfer Protocol Secure/Secure Sockets Layer (HTTPS/SSL)
- Unauthorized connections to known threat indicators (IOC)
- Telnet
- Internet Relay Chat (IRC)
- File Transfer Protocol (FTP)
Network information collection and analysis:
- Look for new connections on ports that have never been used before (such as odd high ports).
- Look for traffic patterns related to the timing, frequency and byte counts of network connections.
- Preserve proxy logs; if possible, add the URI parameters to the event log.
- Disable LLMNR on the corporate network; if it cannot be disabled, collect LLMNR (UDP port 5355) and NetBIOS-NS (UDP port 137) traffic.
- Review changes to routing tables, such as weights, static entries, gateways and peer relationships.
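Two of the host information collection checks listed above, written out as an added example that is not from the original post: the /etc/passwd review for accounts that look like system users but carry an interactive shell, and the decoding of Base64-encoded PowerShell command lines. The passwd sample, the "proc" account and the command lines are constructed; the encoded sample is built from a harmless command inside the block.

```python
import base64
import re

# Constructed /etc/passwd sample (not from the advisory). The "proc" line imitates an
# attacker-added account that looks like a system user but has a login shell.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
proc:x:998:998:proc:/var/lib/proc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

def suspicious_system_accounts(passwd_text, uid_threshold=1000):
    """System accounts (UID below the threshold, root excluded) whose shell is interactive.
    The threshold is distribution-specific: 1000 on Debian/Ubuntu, 500 on older Red Hat."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if 0 < int(uid) < uid_threshold and shell not in NON_LOGIN_SHELLS:
            hits.append((name, int(uid), shell))
    return hits

# PowerShell reads -EncodedCommand as Base64 of a UTF-16LE string; the sample is built
# here from a harmless command so the block carries no hand-typed payload.
SAMPLE_SCRIPT = "Get-ChildItem C:\\Users -Recurse"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
COMMAND_LINES = [
    "powershell.exe -NoProfile -Command Get-Process",
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are matched.
ENC_RE = re.compile(r"\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_encoded_powershell(cmdlines):
    """(command line, decoded script) for every command line that carries an encoded command."""
    results = []
    for cmdline in cmdlines:
        decoded = decode_encoded_powershell(cmdline)
        if decoded is not None:
            results.append((cmdline, decoded))
    return results
```

On a live host the same functions run over the real /etc/passwd and over the command lines collected from process creation logs (for example Sysmon or 4688 events with command-line auditing enabled).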
Common mistakes in incident handling
Once it has been determined that one or more systems may be compromised, system administrators and/or system owners are often tempted to take immediate action. Although the intention, to limit damage to the systems, is good, some of these actions can have negative effects:
- Modifying volatile data that could otherwise be lost
- Tipping off the attacker that the victim organization knows it has been compromised, which can easily lead to retaliation such as ransomware or destruction.
The following (partially listed in Figure 1) are measures to avoid, together with some of the consequences of taking them.
Mitigating the affected systems before responders can protect and recover the data:
This may result in the loss of volatile data (such as memory and other host-based artifacts).
The adversary may notice and change its tactics, techniques and procedures.
Contacting the attacker's network infrastructure (ping, nslookup, browsing, etc.) (Blackbird note: I want to ping whenever I see a C2):
These actions can tip off the adversary that it has been detected.
Blocking the attacker's network infrastructure first:
Network infrastructure is cheap. The adversary can easily move to new command-and-control infrastructure, and you lose visibility into its activity.
Resetting credentials preemptively:
The adversary may hold multiple credentials or, worse, have access to the entire Active Directory.
The adversary will use other credentials, create new ones or forge tickets.
Failing to preserve or collect log data that may be critical to identifying access to the compromised systems:
If critical log types are not collected, or are not retained long enough, it may be impossible to determine key facts about the incident. Retain log data for at least one year.
Communicating over the same network on which the incident response is being conducted (make sure all communications are kept out of band).
Only fixing the symptoms, not the root cause:
Playing "whack-a-mole" by blocking an IP address, without taking steps to determine what the binary is and how it got there, gives the adversary the opportunity to change tactics and retain access to the network.
Figure 1: Common mistakes to avoid when responding to incidents.
Blackbird is more concerned with the attribution (traceability) part. So, to summarize the central idea behind the Five Eyes alliance's technical approaches to detecting malicious activity and carrying out incident response:
Fully understand the attacker's methods and the scope of the victims before acting, and do not act rashly; this prevents the attacker from taking destructive action or changing attack strategy, either of which would make detecting the malicious activity and responding to it harder.
At the same time, to keep forensics and later attribution from becoming harder, do not touch the attacker's network assets, do not modify the data on the victim host, and so on.
The more comprehensive the information collected from the victim host, the better; see the list.