NG-SOC in Taiwan: The Realities, the Difficulties and the Future - Apistek

Transcription

NG-SOC in Taiwan: the realities, the difficulties and the future
Senior Technical Consultant Jack Chou

Who am I
Just a ...
Certifications: CEH, CHFI, Palo Alto Networks ACE, McAfee Vulnerability Manager
Experience: assisted the Investigation Bureau with the First Bank illicit-withdrawal case; built enterprise APT protection; assisted enterprises with security incident handling; completed the judicial officer and lawyer credit program, currently suffering as an exam candidate
Expertise: Incident Response; Penetration Testing & Exploit Research; Malware Analysis; Security Solution Implementation: APT Gateway (TM DDI), APT Mail (TM DDEI), APT Endpoint (CounterTack MDR); crime research and investigation

Agenda
What is NG-SOC?
The Realities (sin)
The Difficulties (suffering)
The Future

Next-generation SOC: OODA (1). Big data, AI and IoT (大人物); Tactics, Techniques and Procedures. Increase monitoring visibility: EDR / EPP. Reduce human error and manpower.
(truncated references) ...ocstrategy-using-siem-soar-edr/ ; ...ormed-security-operations-is-important/

Taiwan SOC (Security Operation Center): what do customers expect?

Sin (罪)

Scope and number of targets
Low traffic: EPS 900, IR: 3 times
Medium traffic: EPS 2300, IR: 7 times
High traffic: EPS 4900, IR: 15 times

We are all omnipotent security practitioners: customers, and your boss, have high expectations of us. https://sansorg.egnyte.com/dl/K0PbjzWWau/

Retention

Customers' high expectations

... and above. Searching for recent CVEs in use. What!!! A large-scale premeditated attack!!! Yes. ... Feedback and sharing

Offensive OSINT: Attack Surface Management

Attack Surface Management: examples of sources and methods
- Asset Discovery
- Dark Web Monitoring
- APIs & Web Services
- Leaked/Stolen Credentials
- Web Applications & Websites
- Domains & SSL Certificates
- Critical Network Services
- IoT & Connected Objects
- Public Code Repositories
- SaaS & PaaS Systems
- Public Cloud & CDN
- Mobile Apps
- Databases
- Pastebin Mentions
- Exposed Documents
- Leaked Source Code
- Breached IT Systems & IoC
- Phishing Websites & Pages
- Fake Accounts in Social Networks
- Unsolicited Vulnerability Reports
- Trademark Infringements
- Squatted Domain Names

Hunting Leaked & Misconfigured APIs: use VTgrep to find possibly leaked account credentials. https://buckets.grayhatwarfare.com

Potential squatting: https://www.immuniweb.com/radar/ ; https://dnstwist.it/ (phishing domain scanner). Watch vendor brand names and customer domains (Microsoft, etc.). Example: symantecupdates.info, kaspernsky.com, windowsupdate.microsoft.365filtering.com

Leaked/Stolen Credentials: Dark Data Discovery (dark web intelligence collection). https://raidforums.com/ ; HUMINT; https://github.com/kevthehermit/PasteHunter ; Hunchly Dark Web Report; https://darksearch.io/ ; https://github.com/s-rah/onionscan

Defensive OSINT: the attacker's perspective

Digital Discovery: Open Service & Unrestricted Web. https://www.immuniweb.com/websec/ ; https://www.immuniweb.com/mobile/ ; https://www.immuniweb.com/ssl/ ; https://github.com/jack51706/LeakLooker-X

Outbound Hunting: connection metadata. (truncated references) ...andabanker/ ; ...data-and-automation.html ; https://app.binaryedge.io/services/query?filter MALWARE ; https://www.shodan.io/search?query category%3Amalware ; ...altstrike-team-servers-in-the-wild/ ; https://censys.io/blog/hunting-mirai ; ...lebanking-threat ; ...ecryptocurrency-miner ; https://censys.io/blog/finding-hacked-web-servers . Infiltrate C&C; Backdoor Reversing

Intelligence-Driven Incident Response and Threat Hunting: what in the world is threat intelligence?

Pivot and Threat Attribution: Make Enrichment Great Again
Sample pivots:
- Unique Strings
- Communication / Encryption Algorithm
- Code / Strings Reuse
- Metadata (filename, description, version, title, author name)
- Mutexes
- Behavior
Infrastructure pivots:
- Passive DNS
- Network
- TLS certificate tracking
- Correlation through metadata (webserver version, hosting provider, HTTP headers, Whois)
- Search of domain names / IP addresses in public sandbox results
- HTTP static content tracking
(2020)

Intelligence collection methods and sources: IR; VirusTotal; Yara Hunting; Event Hunting; OSINT; analysis of unknown samples provided by customers and follow-up correlation; Honeypot (Open Proxy, Tor node); proactive trojan detection (security health check); customer asset monitoring; https://www.onetab.com/page/BQ9hxrRER9GYDMd5dv09Q ; multi-source cross-correlation and verification

CTI Lifecycle: Pivot, Enrichment, Attribution
- Detection: IPS alert "HTTP PlugX Trojan CnC", 185.161.209.234
- Tracking and analysis: VT Hunting & CrowdStrike, 185.161.209.234
- Enrichment: VT similar-to:, VT code-similar-to:, CTI platform; Sample (175); VT: tag:winnti; Infra enrichment
- Intelligence report (...t2-winnti-4-0/): the intrusion source is tagged as Winnti 4.0; 19 samples in total can be obtained from the article
- Deliver & Response: IP / DN block, AV block

Attack Surface Management, commercial: https://cyberint.com/solutions/ ; https://www.immuniweb.com/ ; https://www.riskiq.com/illuminateplatform/

Human-Intelligence Network Anomaly Detection: manual intelligence (工人智慧, a pun on 人工智慧, artificial intelligence)

SOC & IR, finding the unknown: devices. RULE: TM DDI Rule: Executable requested from root directory of web server

AI Network Anomaly Detection: ExtraHop & Darktrace. Graph-theory weighted visualization; protocol traffic statistical analysis; attack-path stage statistical analysis; asset attribute statistical analysis; network artifact metadata

SOC & IR, finding the unknown: connections. Metadata: PASTEBIN, GITHUB, Vultr.com. Frequency; filter and compare data; Dest IP/DN not in Alexa TOP 100M; DDNS
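The unknown-connection hunt on this slide, worked as an added example (not the speaker's code): a small Python triage that drops popular destinations and flags the rest by DDNS suffix, paste/code-hosting host, hosting-provider ownership and beacon-like connection frequency. The popularity list, DDNS suffixes, provider names and log records are constructed sample data.

```python
# Added example, not from the talk. All lists and records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

POPULAR_DOMAINS = {"microsoft.com", "google.com"}           # stand-in for the Alexa top list
DDNS_SUFFIXES = (".no-ip.org", ".ddns.net", ".dyndns.org")  # sample DDNS providers
WATCH_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com"}
HOSTING_ORGS = {"Vultr"}                                    # VPS providers named on the slide

CONN_LOG = [  # constructed metadata: (epoch seconds, src IP, dst name or IP, owner org)
    (0, "10.1.1.5", "update.microsoft.com", "Microsoft"),
    (30, "10.1.1.5", "pastebin.com", "Cloudflare"),
    (0, "10.1.1.9", "srv01.no-ip.org", "Example-ISP"),
    (300, "10.1.1.9", "srv01.no-ip.org", "Example-ISP"),
    (600, "10.1.1.9", "srv01.no-ip.org", "Example-ISP"),
    (900, "10.1.1.9", "srv01.no-ip.org", "Example-ISP"),
    (5, "10.1.1.12", "203.0.113.44", "Vultr"),
]

def registered_domain(name):
    """Crude eTLD+1 (last two labels); real code should use a public-suffix list."""
    return ".".join(name.split(".")[-2:])

def beacon_like(times, min_conns=4, max_jitter=0.1):
    # near-constant gaps between connections suggest an automated check-in
    gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
    return len(times) >= min_conns and pstdev(gaps) / mean(gaps) <= max_jitter

def hunt_unknown_connections(log):
    """Return {(src, dst): [reasons]} for destinations surviving the popularity filter."""
    times, org = defaultdict(list), {}
    for ts, src, dst, owner in log:
        times[(src, dst)].append(ts)
        org[(src, dst)] = owner
    findings = {}
    for (src, dst), seen in times.items():
        bare_ip = dst.replace(".", "").isdigit()  # connection by IP, no DNS name at all
        if not bare_ip and registered_domain(dst) in POPULAR_DOMAINS:
            continue  # popular destination: dropped, as the slide does with Alexa
        checks = [(dst.endswith(DDNS_SUFFIXES), "ddns"),
                  (dst in WATCH_HOSTS, "paste/code hosting"),
                  (org[(src, dst)] in HOSTING_ORGS, "hosting provider: " + org[(src, dst)]),
                  (bare_ip, "bare ip, no dns name"),
                  (beacon_like(seen), "beacon-like frequency")]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings[(src, dst)] = reasons
    return findings
```

The popularity filter removes the Microsoft traffic entirely, while the DDNS host is flagged twice because its four connections arrive at a constant 300-second interval.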

SOC & IR, finding the unknown: antivirus. RULE: Hacktool detected (TM OfficeScan) (HKTL DUMP*); Hacktool detected (TM OfficeScan) (HKTL PASS*); Hacktool detected (SEP) (Hacktool). Antivirus is not useless; it depends on how you use it and what you look at.

Endpoint Visibility and Response

Traditional endpoint detection and response: EVTX analysis. https://github.com/sans-blueteam/DeepBlueCLI ; https://github.com/sbousseaden/EVTXATTACK-SAMPLES ; https://www.malwarearchaeology.com/cheatsheets ; ...alytics ; https://github.com/0Kee-Team/WatchAD ; https://github.com/JPCERTCC/LogonTracer ; ...cking-event-logs-version-2.html ; https://github.com/NVISO-BE/ee-outliers

Anti-forensics: the limits of manual IR. Sdelete; ClearEventLog; https://github.com/Rizer0/Log-killer ; https://github.com/hlldz/Invoke-Phant0m ; Clear MBR; Ransomware

Endpoint detection and response: EDR. Hunting Hypothesis: an Office 0-day spawns a PowerShell thread (fileless) and connects to a C2 relay (network connection behaviour). With custom Threat Hunting rules, discover and respond in real time: (process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND netconn_count:[1 TO *] AND childproc_name:powershell.exe. APT VPN Lateral Movement: ERS20191125 cb.urlver 1&q file desc:PacketiX
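The hunting hypothesis above, evaluated over constructed endpoint telemetry as an added example (not the speaker's or Carbon Black's code): the Office-spawns-PowerShell-with-network-activity query and the PacketiX file-description search, both written as plain filters. The Process fields and every record are assumptions made for the example.

```python
# Added example, not from the talk. Record fields and all telemetry are constructed;
# a real EDR (Carbon Black on the slide) exposes its own schema and query syntax.
from dataclasses import dataclass
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

@dataclass
class Process:
    pid: int
    name: str
    parent: Optional[int]
    netconn_count: int = 0   # outbound connections made by this process
    file_desc: str = ""      # description from the binary's version resource

# Constructed telemetry: one Word session that spawns PowerShell and calls out (the
# slide's hypothesis), an Excel session that spawns PowerShell with no network
# activity, a Word session with network activity but no child, and a VPN client.
PROCS: List[Process] = [
    Process(100, "explorer.exe", None),
    Process(200, "winword.exe", 100, netconn_count=2),
    Process(201, "powershell.exe", 200, netconn_count=1),
    Process(300, "excel.exe", 100),
    Process(301, "powershell.exe", 300),
    Process(400, "winword.exe", 100, netconn_count=3),
    Process(500, "vpnclient.exe", 100, netconn_count=5, file_desc="PacketiX VPN Client"),
]

def child_names(procs, pid):
    return {p.name for p in procs if p.parent == pid}

def office_fileless_hunt(procs):
    """The slide's query as a filter:
    (process_name:winword.exe OR excel.exe OR powerpnt.exe)
    AND netconn_count:[1 TO *] AND childproc_name:powershell.exe"""
    return [p.pid for p in procs
            if p.name in OFFICE_APPS and p.netconn_count >= 1
            and "powershell.exe" in child_names(procs, p.pid)]

def vpn_tool_hunt(procs, needle="PacketiX"):
    """file_desc:PacketiX - a VPN client that can tunnel lateral movement past the perimeter."""
    return [p.pid for p in procs if needle.lower() in p.file_desc.lower()]
```

Only the Word process that both made network connections and spawned PowerShell matches; the Excel session is excluded by the netconn_count condition, which is what keeps the rule from firing on every macro-driven PowerShell launch.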

The Future: under customers' high expectations, how to ...

Semi-automation: Security Orchestration. Use Case: Automating Threat Hunting. Playbook (436): Detonate, Enrichment, Extract, Hunting, Investigation. Integration (569); Automation (677); Script (617)

ISSDU next-generation SOC architecture

Thank You
