tdohconf 2017-ncku
TRANSCRIPT
Incident Response and Handling
A security incident is an event that has a negative impact on an organization's information operations, for example a system crash, a distributed denial of service (DDoS) attack, unauthorized use of a system, unauthorized access to data, or execution of a file carrying malicious code.
× Phase 1: Preparation
× Phase 2: Detection & Analysis
× Phase 3: Containment, Eradication & Recovery
× Phase 4: Post-Incident Activity
Security incident investigation approach
What is abnormal? (What):
× Recall the earlier case
Who is the victim? (Who):
× Recall the protagonist of the earlier case
Where is the victim? (Where):
× Which network segment? Who can manage it? ...etc.
How was it compromised? (How):
× Consider every possibility
Timeline Analysis:
× Locard's exchange principle and a love story with time
Investigate to the fullest extent!!!
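Timeline analysis only works once every artifact speaks the same clock. The following is an added example, not code from the talk: it takes constructed sample lines from three sources that stamp time differently (a web access log with an explicit offset, a firewall log in UTC, and a host event log in local time with no offset), normalizes all of them to UTC, merges them into one sorted timeline, and then answers the What/Who/Where/How questions by pulling every event within a window around a pivot (here, a suspicious process creation). The host time zone (UTC+8) and all log contents are assumptions made for the example.

```python
"""Build a consolidated super-timeline from heterogeneous artifacts.

Added example, not code from the talk. The three artifact sources below
are constructed sample lines; the host time zone (UTC+8) is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: hosts write local time in Asia/Taipei (UTC+8) without an offset.
HOST_TZ = timezone(timedelta(hours=8))

# Constructed web server access log (Apache combined style, offset included).
WEB_ACCESS_LOG = [
    '10.0.5.23 - - [12/Mar/2017:03:14:07 +0800] "GET /upload.php HTTP/1.1" 200 512',
    '10.0.5.23 - - [12/Mar/2017:03:14:09 +0800] "POST /upload.php HTTP/1.1" 200 88',
]
# Constructed firewall log, already in UTC (ISO 8601 with a trailing Z).
FIREWALL_LOG = [
    "2017-03-11T19:14:30Z fw01 ALLOW TCP 10.0.5.23:49152 -> 203.0.113.9:443",
    "2017-03-11T19:20:01Z fw01 ALLOW TCP 10.0.5.23:49160 -> 203.0.113.9:443",
]
# Constructed host event log in local time with no offset (the usual trap).
HOST_EVENT_LOG = [
    "2017-03-12 03:14:11 host=web01 EventID=4688 NewProcess=C:\\Windows\\Temp\\svch0st.exe",
    "2017-03-12 03:15:40 host=web01 EventID=4624 LogonType=3 User=svc_backup",
]

WEB_RE = re.compile(r'^(\S+) .*\[([^\]]+)\] "([^"]+)"')

# Every event becomes a tuple: (timestamp in UTC, source name, detail string).


def parse_web(line):
    """Access log: the offset is in the line, so strptime can do the work."""
    m = WEB_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return (ts.astimezone(timezone.utc), "web", f"{m.group(1)} {m.group(3)}")


def parse_firewall(line):
    """Firewall log: already UTC, so only attach the tzinfo."""
    stamp, rest = line.split(" ", 1)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ts, "firewall", rest)


def parse_host(line):
    """Host log: naive local time; attach the assumed zone, then convert to UTC."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
    return (ts.astimezone(timezone.utc), "host", line[20:])


def build_timeline(web=WEB_ACCESS_LOG, fw=FIREWALL_LOG, host=HOST_EVENT_LOG):
    """Parse every source and return all events sorted by UTC timestamp."""
    events = [parse_web(l) for l in web]
    events += [parse_firewall(l) for l in fw]
    events += [parse_host(l) for l in host]
    return sorted(events, key=lambda e: e[0])


def find_pivot(timeline, pattern):
    """Return the first event whose detail matches a regex, or None."""
    rx = re.compile(pattern)
    for ev in timeline:
        if rx.search(ev[2]):
            return ev
    return None


def events_around(timeline, pivot, before=60, after=60):
    """Everything within [pivot - before, pivot + after] seconds."""
    lo = pivot[0] - timedelta(seconds=before)
    hi = pivot[0] + timedelta(seconds=after)
    return [ev for ev in timeline if lo <= ev[0] <= hi]


if __name__ == "__main__":
    tl = build_timeline()
    pivot = find_pivot(tl, r"EventID=4688")
    for ts, source, detail in events_around(tl, pivot):
        marker = "*" if (ts, source, detail) == pivot else " "
        print(f"{marker} {ts.isoformat()} [{source:<8}] {detail}")
```

The order the merged timeline produces (upload request, process creation on the web host, outbound connection, then a network logon) is only visible after the host log has been shifted to UTC; reading the raw lines side by side, the firewall entries appear to precede everything else by eight hours.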
"The cyber adversary's tactics flow like water, seeking the path of least resistance. Plan accordingly."
The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter)…
Investigation approach: tools
OSINT:
× Domain enumeration, scanning, OSINT
× https://www.threatcrowd.org/ (threat intel)
× https://www.threatminer.org/ (threat intel)
× https://community.riskiq.com/home (PassiveTotal)
× http://www.t1shopper.com/tools/port-scan/ (scan)
× https://exchange.xforce.ibmcloud.com/ (threat intel)
× https://www.hybrid-analysis.com/advanced-search (finding samples)
× https://koodous.com/ (APK samples)
× http://mxtoolbox.com/EmailHeaders.aspx (parsing email headers)
Mapping the victim organization's architecture diagram:
× Assess the feasible intrusion paths?
Investigation convergence:
× Which network segment? Who can manage it? ...etc.
Enterprise DNS threat-intelligence analysis methods:
× https://github.com/mlsecproject/combine
× https://github.com/stamparm/maltrail
× https://github.com/keithjjones/hostintel
× https://github.com/QTek/QRadio
× https://github.com/1aN0rmus/TekDefense-Automater
Whitelist:
× Alexa Top 1 Million Download and Lookups
× https://scans.io/series/alexa-dl-top1mil
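The tools above aggregate domain indicators from many feeds; the whitelist exists because those feeds contain popular, legitimate domains that would otherwise drown the analyst in false positives. The following is an added example, not code from the talk or from any of the listed projects: it parses constructed BIND-style DNS query log lines, matches each query name and its parent domains against a constructed indicator list, suppresses matches whose registered domain is on a constructed stand-in for the Alexa top-1M list, and counts hits per client. All domains, feed names and log lines are constructed; the "last two labels" registered-domain rule is a deliberate simplification.

```python
"""Match DNS query logs against domain indicators, with a whitelist.

Added example, not code from the talk or from any of the projects listed
above. The indicator feed, the whitelist and the DNS log lines are all
constructed; hostile names use the reserved .example TLD.
"""
import re
from collections import Counter

# Constructed indicator feed: domain -> the (hypothetical) feed it came from.
# A real feed would be the merged output of an aggregator like those above.
MALICIOUS_DOMAINS = {
    "bad-c2.example": "feed-A",
    "dropper.example.net": "feed-B",
    "evil-cdn.example": "feed-A",
    "example.com": "noisy-feed",  # deliberately a false positive
}

# Constructed whitelist standing in for the Alexa top-1M list. Like that
# list it holds registered domains only, so matching uses the registered
# domain of each query.
WHITELIST = {"google.com", "microsoft.com", "example.com"}

# Constructed DNS query log in BIND query-log style.
DNS_LOG = [
    "12-Mar-2017 03:14:05.001 client 10.0.5.23#49200: query: www.google.com IN A +",
    "12-Mar-2017 03:14:20.114 client 10.0.5.23#49201: query: update.bad-c2.example IN A +",
    "12-Mar-2017 03:14:21.200 client 10.0.5.23#49202: query: evil-cdn.example IN TXT +",
    "12-Mar-2017 03:15:02.441 client 10.0.7.8#51000: query: mail.example.com IN MX +",
    "12-Mar-2017 03:16:00.000 client 10.0.7.8#51001: query: cdn.dropper.example.net. IN A +",
]

LOG_RE = re.compile(r"client ([^#\s]+)#\d+: query: (\S+) IN (\S+)")


def parse_query(line):
    """Return (client_ip, qname, qtype), or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qname = m.group(2).lower().rstrip(".")  # normalise case and trailing dot
    return m.group(1), qname, m.group(3)


def registered_domain(name):
    """Naive 'last two labels' registered domain.

    Simplification: a real implementation should use the Public Suffix List
    so that names such as foo.co.uk are handled correctly.
    """
    return ".".join(name.split(".")[-2:])


def match_indicator(qname):
    """Check the name and every parent domain; return (indicator, feed) or None.

    A query for update.bad-c2.example must hit an indicator for bad-c2.example.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_DOMAINS:
            return candidate, MALICIOUS_DOMAINS[candidate]
    return None


def analyze(lines):
    """Return {'hits': [...], 'suppressed': [...]} for the given log lines.

    A query is a hit when it (or a parent domain) is on the indicator list and
    its registered domain is not whitelisted. Whitelisted matches are kept in
    'suppressed' so an analyst can still review what the whitelist hid.
    """
    hits, suppressed = [], []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        matched = match_indicator(qname)
        if matched is None:
            continue
        record = {"client": client, "qname": qname, "qtype": qtype,
                  "indicator": matched[0], "feed": matched[1]}
        if registered_domain(qname) in WHITELIST:
            suppressed.append(record)
        else:
            hits.append(record)
    return {"hits": hits, "suppressed": suppressed}


def hits_by_client(hits):
    """Count hits per source IP, to focus triage on the noisiest hosts."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    result = analyze(DNS_LOG)
    for h in result["hits"]:
        print(f"HIT  {h['client']:<12} {h['qname']:<28} {h['indicator']} ({h['feed']})")
    for s in result["suppressed"]:
        print(f"SKIP {s['client']:<12} {s['qname']:<28} whitelisted")
    print(dict(hits_by_client(result["hits"])))
```

Walking up the parent domains is what turns a single indicator for a registered domain into coverage for every subdomain the adversary rotates through; the suppressed list is kept separate rather than discarded because a whitelisted domain can still be abused, and the analyst should be able to see how much the whitelist is hiding.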
IR Tool with PowerShell
LRUP.PS1:
× https://ppt.cc/fMRChx
× https://github.com/Invoke-IR/PowerForensics
Live Response Using PowerShell - SANS Institute:
https://www.sans.org/reading-room/whitepapers/forensics/live-response-powershell-34302
Loki
Simple IOC and Incident Response Scanner:
× https://www.bsk-consulting.de/loki-free-ioc-scanner/
× https://github.com/Neo23x0/Loki/releases/download/v0.24.2/loki_0.24.2.zip
Brimor Labs Live Response
Live Response Collection – Bambiraptor Build:
× Automated tool that collects volatile data from Windows, OSX and *nix based operating systems
× https://www.brimorlabs.com/Tools/LiveResponseCollection-Bambiraptor.zip
macOS IR TOOL:
× KnockKnock
× TaskExplorer
× Dylib Hijack Scanner
× https://objective-see.com/products.html
"The competent cyber warrior learns from their mistakes. The cyber master learns from the mistakes & knowhow of others."
The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter)…
Anti Analysis
× https://github.com/a0rtega/pafish
× https://github.com/AlicanAkyol/sems/
× https://github.com/google/sandbox-attacksurface-analysis-tools
× https://github.com/LordNoteworthy/al-khaser
× https://github.com/marcusbotacin/Anti.Analysis
× https://github.com/ricardojrdez/anti-analysis-tricks
"Cyber deterrence creates the next decade's malware problem." - Sun Tzu, The Art of Cyber War
ATT&CK Matrix
× https://attack.mitre.org/wiki/Main_Page
× https://github.com/redcanaryco/atomic-red-team
Thanks! Any questions?
You can find me at:
https://www.facebook.com/jack.chou.351
[email protected]
https://twitter.com/jackchou51706
https://github.com/jack51706
https://www.linkedin.com/in/keyboard007/