Originally thought that it had been four days, and the stiff neck should be a little better, so I didn't take Ibuprofen. As a result, after the effect of Ibuprofen wore off, I found it still hurt the same as before, and the new Ibuprofen would take one or two hours to take effect. Therefore, the update will be a bit later today, probably around one or two in the morning, and I'll refresh this chapter then.
Abstract: The trend of using cybersecurity vulnerabilities for organized and purposeful cyber attacks is becoming increasingly apparent. On one hand, the response window for emergency response is diminishing, while on the other hand, the threat knowledge, professional skills, and proficiency required for emergency response are continuously increasing. This paper proposes a concise process and response steps for network operators as defenders to conduct emergency responses, providing practical reference for relevant units.
Keywords: Cybersecurity critical information infrastructure attack and defense exercise
As information technology's importance in societal development continues to rise, cyberspace has become a new battleground for major powers. Network security attack and defense drills are important means to test the cybersecurity protection of critical information infrastructure and improve the emergency response level of network operators. By fostering improvement in network security protection ability through actual combat and confrontation methods, these drills hold significant importance. This paper, from the perspective of network operators, outlines how defenders conduct work during such drills, using a live attack and defense exercise of a government website as an example, to provide organizational response experience for relevant units.
A certain unit organizes a number of attack teams composed of cybersecurity professionals to conduct continuous five-day security attack tests on the official websites and business systems of second-level institutions within its jurisdiction, to verify the effectiveness of the target system's security protection capabilities. Each day, reports are submitted at a fixed time on a unified drill platform by the defense party. The unit to which the author belongs, as the operation unit of the target website and business system, needs to ensure the physical safety, operational safety, and data security of the target information system to minimize the harm of cybersecurity emergencies.
3 Organizational Structure
A Defense Command Center is established, with the cybersecurity chief executive as the commander-in-chief, and members comprising of the leaders from cybersecurity and business systems operation departments. The command center is divided into a Defense Working Group, Monitoring and Analysis Team, and Judgement and Disposal Team, totaling 20 people.
3.1 Defense Command Center
Overall coordination of the entire drill defense work is managed, responsible for the command, organization, coordination, and process control of information system attack defense drills; issuing system shutdown, recovery critical operations, and external information reporting authorization instructions; and reporting drill progress and summary reports to ensure the drill achieves the expected purpose.
3.2 Defense Working Group
Responsible for the specific tasks of the information system emergency drill; building and maintaining the environment for centralized monitoring and disposal during the drill; analyzing and evaluating the impact of information system emergencies on business; collecting and analyzing data information and records during the disposition of information system emergencies; reporting the progress and development status of the drill to the command center; responsible for leading the daily summary and analysis of security incidents; compiling, filtering, and submitting reports from the defensive side.
3.3 Monitoring and Analysis Team
Responsible for business system access monitoring and cybersecurity situation monitoring during the attack and defense drill, detecting and identifying network attacks, keeping records of the monitoring process, and issuing attack warnings to the Judgment and Disposal Team; timely patching existing vulnerabilities in the business system, and carrying out business system shutdown and recovery work.
3.4 Judgement and Disposal Team
During the preparatory stage of the drill, responsible for rectifying discovered cybersecurity risks and implementing various security protection measures. During the practical stage of the drill, cleaning up network attack traffic to ensure the availability of business systems; flexibly and actively deploying technical resources as needed to complete technical analysis and judgment, real-time attack confrontation, emergency response, and other tasks.
4 Drill Implementation
According to past drill experience, small-scale defenses should conduct relevant work in three stages: before, during, and after the drill.
4.1 Before the Attack and Defense Drill
Establish a comprehensive support team before the attack and defense drill. From the perspective of security technology, establish a monitoring and early warning system, and from the perspective of security procedures, build a notification, early warning, and disposal feedback mechanism. Conduct detailed risk assessment and security strengthening for the information systems within the protection scope, develop a "Network Security Attack and Defense Drill Implementation Plan," and promote information security awareness among relevant personnel. 4.1.1 Asset Reorganization. Carry out the reorganization of informational assets, mainly including but not limited to: reorganizing internet application systems released externally; reorganizing internet exits and the devices and security measures used at them; reorganizing network structure (network topology); reorganizing the topology structure between critical or highly protected information systems and application systems servers; reorganizing network security equipment and protection status; reorganizing SSLVPN and IPSecVPN access situations. 4.1.2 Risk Assessment. Security guarantee experts conduct a security risk assessment based on the results of the informational asset reorganization. Security guarantee experts can use research questionnaires, personnel interviews, security technologies (penetration testing, vulnerability scanning, baseline inspection, etc.) through security tools or manual methods to conduct security risk assessments in dimensions such as network security risk, application security risk, host security risk, terminal security risk, and data security risk. Specific parts can refer to the following. (1) Network Security Risk Assessment: Network architecture risk assessment, using manual and tool methods to delve deeper into threats and risks existing in the current network from technical, policy, and management perspectives. Security vulnerabilities and security baseline risk assessment, using scanning tools to scan and thoroughly inspect network devices. Weak password risk assessment, strictly prohibiting weak passwords and blank passwords for all accounts. Account and permission risk assessment, examining administrator accounts and permissions, closing unnecessary accounts, and canceling unreasonable account permissions; ensuring that password strength meets security baseline requirements. Remote login whitelist risk assessment, strictly limiting IP addresses that can remotely manage, and disabling Telnet for remote management. Configuration backup risk assessment, ensuring all network device configurations have backups and confirming that backups are valid and restorable. (2) Application Security Risk Assessment: Identity authentication risk assessment, evaluating the setting and use configuration of application system identity identification and authentication functions, handling various user login situations such as login failure, login connection timeout, etc. Access control risk assessment, evaluating the access control function settings of application systems, such as access control policies, permission settings, etc. Security audit risk assessment, evaluating the security audit configurations of application systems, such as coverage, recorded items and content, etc. Asset exposure risk assessment, simulating hackers to collect information and obtain detailed asset information (program name, version), open dangerous ports, business management backend, etc. Application vulnerability risk assessment, including Web services like Apache, WebSphere, Tomcat, IIS, and detecting missing patches or version vulnerabilities in other programs like SSH, FTP, etc. Penetration testing, using appropriate testing methods to identify security vulnerabilities in areas like system certification and authorization, code review, etc., for test targets and demonstrating the potential losses caused by exploiting these vulnerabilities, providing specific improvement or strengthening measures to avoid or prevent such threats, risks, or vulnerabilities. (3) Host Security Risk Assessment: WebShell risk assessment, conducting WebShell backdoor inspection on systems providing Web services, verifying server security, and ensuring the removal of any backdoor that may have been left from a previous attack. Malicious file risk assessment, using professional zombie trojan worm detection tools to examine operating systems for malicious files, and conducting behavior analysis on malicious files, confirming the virus family and its harm. Weak password risk assessment, strictly prohibiting weak passwords and blank passwords for all accounts. Port and service risk assessment, the server opening only ports related to its services, closing unnecessary ports and external services. Server firewall risk assessment, banning all active external access by default, if needed, strictly formulating access control policies and implementing an outbound whitelist for the server. System vulnerability scanning risk assessment, scanning for vulnerabilities in operating systems, databases, and common applications and protocols. (4) Terminal Security Risk Assessment: Security baseline risk assessment, conducting baseline security configuration checks on terminal operating systems to ensure terminal device security. Weak password risk assessment, strictly prohibiting weak passwords and blank passwords for all accounts. Antivirus software risk assessment, checking if the terminal has antivirus software installed and if security policies are enabled. Illegal network connection risk assessment, checking if the terminal has dual network cards configured or has open or connected hotspots. Patch update risk assessment, checking the status of patch updates. (5) Data Security Risk Assessment: Security baseline risk assessment, conducting baseline security configuration checks on the database operating system to ensure database system security. Data access control risk assessment, assessing data access and permission settings. Data backup risk assessment, checking data backup policies and disaster recovery situations. 4.1.3 Security Strengthening. Through assessment and inspection methods, analyze the security vulnerabilities and risks of informational assets and critical information systems, and strengthen security in a targeted manner. Security issues at the network level, such as network devices, security devices, and security systems, are reinforced by the Basic Network Operation Department; vulnerabilities in application systems, code logic errors, administrator weak passwords, middleware vulnerabilities, and other issues at the host and application layers are reinforced by the responsible personnel of the respective systems, with security experts providing related guidance and suggestions to solve the technical security issues found in security assessments, optimizing system security configurations to prevent weaknesses caused by improper system configurations. 4.1.4 Security Training. To enhance the cybersecurity skills of security technical personnel and the security awareness of non-technical personnel, the Defense Working Group customizes training course contents, using related textbooks and real-case scenarios, to help relevant personnel strengthen their security awareness and knowledge about information security attack and defense, enabling better responses to network attacks during drills. Training main contents: providing training on security awareness, security basics, Web composition, common vulnerabilities, popular 0Day events, intrusion processes, malicious software phenomena, and defensive methods for security technical personnel and security administrators; conducting security awareness reinforcement training for non-technical personnel from dimensions of personal computer security, email security, mobile security, and daily work and life. 4.1.5 Simulated Attack and Defense. After security strengthening, to test the results of security strengthening, and evaluate the robustness and effectiveness of the security protection system, it is necessary to organize simulated attack and defense drills for security capability verification. A security company can be invited to simulate an attack team to conduct attack drills on the target institution's informational system from the outside, testing the protection capacity of the drill's target system and the collaborative support capacity of the drill's defense team. The attack methods used by the attack team should not affect the normal conduct of the target institution's business, and may include but are not limited to penetration testing, system vulnerability attack, phishing attack/APT comprehensive attack, social engineering attack, etc. 4.1.6 Environment Preparation. Set up the necessary electricity and network equipment for the centralized monitoring and disposal environment of the drill in an appropriate location, allocating network access according to work tasks, ensuring normal operation of equipment during the attack and defense drill.
4.2 During the Attack and Defense Drill
The Defense Working Group guides the Monitoring and Analysis Team and the Judgement and Disposal Team to maximize defense against network attacks from any attackers during the attack and defense drill, while monitoring attack situations on target systems in real-time; in case of a cybersecurity incident, the Defense Command Center is immediately notified to keep track of the drill situation, analyzing and judging the security incident to form an analysis and disposal report for submission. 4.2.1 7×24 Hour Monitoring and Warning. The Monitoring and Analysis Team achieves centralized monitoring of website security through business system access logs, website security monitoring, network security management center, and cybersecurity situation awareness platform notification and early warning. A dedicated person is assigned in the cloud to conduct real-time judgment and verification of security incidents on monitored websites. When a security incident occurs, it is immediately reported to the on-site Judgement and Disposal Team. All monitoring tasks are assigned to individuals, and records of detected security incidents must be kept. Backing up the system and keeping detailed records of failures for preliminary diagnosis is carried out. 4.2.2 Technical Analysis. During the attack and defense drill, the number of network attacks grows exponentially. Traditional security threat detection methods based on blacklists, whitelists, signatures, and rules can no longer cope with the continuously escalating and targeted network threats during the drill. Hence, when the internet security monitoring platform and security situation awareness detect a security event, the Monitoring and Analysis Team must immediately analyze the security incident, locate issues and trace the source. After confirming it is not a false alarm, they provide detailed feedback on the attack path, attack IP, etc., to the Judgement and Disposal Team and the Defense Working Group for reporting. Combining fault descriptions and diagnosis, after locating security issues, solutions are output as needed, and feedback is given to the Judgement and Disposal Team. Issues that cannot be located or analyzed are directly reported to the Defense Working Group. 4.2.3 Expert Judgment and Real-Time Attack Confrontation. The greatest security risk during the attack and defense drill comes from attacker actions, especially targeted and persistent attacks. Early identification and containment of targeted and persistent attacks are effective means to avoid external risks. The drill period is also an active period for illegal hacker organizations. Hacker organizations may disguise themselves as attack teams to target defense units, requiring the Monitoring and Analysis Team and the Judgement and Disposal Team to conduct real-time judgment of security incidents. According to event characteristics, corresponding defense strategies are added in intrusion prevention systems, web application firewalls, and other security devices to undertake real-time attack confrontation against illegal attack incidents. 4.2.4 Emergency Response and Business Recovery. The key to successful emergency response is orderly resolving already occurring security incidents according to pre-established procedures.