TDOH Conf 2017 @ NCKU

Those Years the Analog Homeland Fell (那些年失守的類比家園)

Uploaded by jack51706, posted 22 Jan 2018

TRANSCRIPT

Jack Chou, TDOH Conf @ NCKU

ISSDU (數聯資安), penetration testing and forensics engineer; Ministry of Justice Investigation Bureau (法務部調查局), external security consultant

Linrui Technology (麟銳科技), senior engineer; Acer business software unit (宏碁商軟), cloud business application consultant

CEH, CHFI, MVM, PA

Agenda

1. Security incident categories and case sharing

2. Incident investigation approach, tools and resources

3. Anti-forensics and its analysis

1. Security incident categories and case studies

System intrusion: system anomalies, RDP brute force, SSH brute force, host vulnerabilities

Web intrusion and data leakage: webshell

Web intrusion and data leakage, a first-hand case… the story of "you're only worth NT$223,000":

× Background

× Two crews

× The money mules' jurisdiction

× Camera blind spots

× Legal issues

× Call your elders at home now and then…

APT: Twitter C&C

APT: remote administration tool (RAT), backdoor

Viruses and trojans: ransomware on a cloud host

E-commerce extortion: DDoS, database dumping (撈庫)

"Macau's first online casino is now live~" (澳門首家線上賭場上線啦~)

Public-opinion-driven DDoS…

2. Incident investigation approach, tools and resources

Incident Response and Handling: a security incident is an event that negatively affects an organization's information operations, for example a system crash, a distributed denial of service (DDoS) attack, unauthorized use of a system, unauthorized access to data, or execution of a file carrying malicious code.

× 1. Preparation phase

× 2. Detection & Analysis phase

× 3. Containment, Eradication & Recovery phase

× 4. Post-Incident Activity phase

Locard's exchange principle: "Whenever two objects come into contact, a transfer takes place."

Dr. Edmond Locard (13 December 1877 – 4 April 1966)

Incident investigation approach

What is abnormal? (What):

× Recall the earlier cases

Who is the victim? (Who):

× Recall the protagonists of the earlier cases

Where is the victim? (Where):

× Which subnet? Who can manage it? …etc.

How was it compromised? (How):

× Consider every possibility

Timeline Analysis:

× The love story of Locard's principle and time

Investigate to the fullest!!!

"The cyber adversary's tactics flow like water, seeking the path of least resistance. Plan accordingly."

The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter…)

Website intrusion investigation approach

With logs:

× Web platform log files

× Access logs of the other services on the web host

× File timeline analysis

Without logs:

× Reason the way an attacker would when breaking into the site

× See the site-hacking workflow in the figure on the right
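The "with logs" branch above, worked through as an added example that is not part of the talk: a small triage pass over web access logs that flags webshell planting and use, then pivots on the flagged source IPs to rebuild their full timeline. The log lines, the baseline date (last known-good moment, assumed 20 Nov 2017) and the indicator lists are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" access-log lines (not from any real incident).
# 10.0.0.5 is a normal user on 20 Nov; 203.0.113.7 uploads and drives a webshell on 21 Nov.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2017:09:12:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Nov/2017:09:12:03 +0800] "GET /images/logo.png HTTP/1.1" 200 8211 "http://shop.example.tw/index.php" "Mozilla/5.0"
10.0.0.5 - - [20/Nov/2017:09:15:30 +0800] "GET /upload.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Nov/2017:09:16:02 +0800] "GET /products.php?id=7 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2017:02:41:17 +0800] "POST /upload.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2017:02:41:20 +0800] "GET /uploads/avatar.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2017:02:41:52 +0800] "POST /uploads/avatar.php HTTP/1.1" 200 1893 "-" "python-requests/2.18.4"
203.0.113.7 - - [21/Nov/2017:02:45:10 +0800] "POST /uploads/avatar.php?cmd=id HTTP/1.1" 200 77 "-" "-"
198.51.100.23 - - [21/Nov/2017:10:05:00 +0800] "GET /products.php?id=12 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
"""

# Assumed last-known-good moment: script paths that first appear after it are suspect.
TAIPEI = timezone(timedelta(hours=8))
BASELINE = datetime(2017, 11, 20, 23, 59, 59, tzinfo=TAIPEI)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/attachments/", "/tmp/")
SHELL_PARAMS = {"cmd", "exec", "shell", "command", "code", "eval", "pass", "pwd"}
SCRIPTED_UA = ("python-requests", "curl/", "wget/", "go-http-client")


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = e["path"].partition("?")
    e["path"] = path
    e["params"] = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    return e


def events(log_text):
    return sorted((e for e in map(parse, log_text.splitlines()) if e), key=lambda e: e["ts"])


def is_script(path):
    return path.lower().endswith(SCRIPT_EXT)


def triage(log_text, baseline=BASELINE):
    """Flag requests that look like webshell planting or use; findings come back in time order."""
    evs = events(log_text)
    first_seen = {}
    for e in evs:                       # first request ever made to each script path
        if is_script(e["path"]):
            first_seen.setdefault(e["path"], e["ts"])
    findings = []
    for e in evs:
        p, ua = e["path"].lower(), e["ua"].lower()
        reasons = []
        if is_script(p) and first_seen[e["path"]] > baseline:
            reasons.append("script path first seen after baseline")
        if e["method"] == "POST" and is_script(p) and any(d in p for d in UPLOAD_DIRS):
            reasons.append("POST to script inside upload directory")
        hit = e["params"] & SHELL_PARAMS
        if hit:
            reasons.append("webshell-style parameter: " + ",".join(sorted(hit)))
        if e["method"] == "POST" and (ua in ("", "-") or ua.startswith(SCRIPTED_UA)):
            reasons.append("scripted or blank user agent on POST")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "ip": e["ip"], "method": e["method"],
                             "path": e["path"], "status": e["status"], "reasons": reasons})
    return findings


def pivot_on_sources(log_text, findings):
    """Everything each flagged source IP did, in order; the upload that planted the shell shows up here."""
    ips = {f["ip"] for f in findings}
    timeline = defaultdict(list)
    for e in events(log_text):
        if e["ip"] in ips:
            timeline[e["ip"]].append({"ts": e["ts"].isoformat(), "method": e["method"],
                                      "path": e["path"], "ua": e["ua"]})
    return dict(timeline)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["method"], f["path"], "|", "; ".join(f["reasons"]))
    for ip, tl in pivot_on_sources(SAMPLE_LOG, found).items():
        print("timeline for", ip)
        for e in tl:
            print("  ", e["ts"], e["method"], e["path"], e["ua"])
```

The "first seen after baseline" rule is only as good as the log retention behind it: if the log starts after the site went live, every legitimate script looks new, so confirm the baseline against the file timeline (mtime/ctime of the web root) rather than the log alone. The pivot step is what turns three flagged hits into the story: the POST to /upload.php that preceded the first request to the new file.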

IR Training Resource:

× https://ppt.cc/fwcwpx

Investigation approach, tools

OSINT:

× Domain enumeration, scanning, OSINT

× https://www.threatcrowd.org/ (threat intel)

× https://www.threatminer.org/ (threat intel)

× https://community.riskiq.com/home (PassiveTotal)

× http://www.t1shopper.com/tools/port-scan/ (scanning)

× https://exchange.xforce.ibmcloud.com/ (threat intel)

× https://www.hybrid-analysis.com/advanced-search (finding samples)

× https://koodous.com/ (APK samples)

× http://mxtoolbox.com/EmailHeaders.aspx (email header analysis)

Mapping the victim organization's architecture:

× Determine which intrusion paths are feasible

Narrowing the investigation:

× Which subnet? Who can manage it? …etc.

Enterprise DNS threat-intel analysis methods:

× https://github.com/mlsecproject/combine

× https://github.com/stamparm/maltrail

× https://github.com/keithjjones/hostintel

× https://github.com/QTek/QRadio

× https://github.com/1aN0rmus/TekDefense-Automater

Whitelist:

× Alexa Top 1 Million download and lookups

× https://scans.io/series/alexa-dl-top1mil
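How the whitelist and the threat-intel feeds above fit together, as an added example that is not part of the talk: resolver queries are reduced to their registered domain, anything in the popularity whitelist is dropped as noise, and what remains is ranked by blocklist hits, then a crude DGA heuristic, then sheer novelty. The query log format, the whitelist excerpt (in the Alexa "rank,domain" CSV layout) and the blocklist are all constructed; the suffix table is a stub standing in for the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed query records: "timestamp client qname qtype" (not a real resolver log format).
SAMPLE_QUERIES = """\
2017-11-21T02:40:01+08:00 10.0.0.5 www.google.com A
2017-11-21T02:40:03+08:00 10.0.0.5 update.microsoft.com A
2017-11-21T02:41:15+08:00 10.0.0.5 qhs7ax2kd9z1pwm.info A
2017-11-21T02:41:16+08:00 10.0.0.5 cc.evil-c2.xyz A
2017-11-21T02:41:20+08:00 10.0.0.7 cc.evil-c2.xyz A
2017-11-21T02:42:00+08:00 10.0.0.9 tw.yahoo.com A
2017-11-21T02:42:10+08:00 10.0.0.9 shop.example.com.tw A
2017-11-21T02:43:00+08:00 10.0.0.5 api.example.com.tw A
"""
# Constructed excerpt in the Alexa top-1m "rank,domain" CSV layout.
SAMPLE_WHITELIST_CSV = "1,google.com\n2,youtube.com\n3,facebook.com\n4,yahoo.com\n5,microsoft.com\n"
# Constructed indicator set standing in for what maltrail/combine-style feeds would give you.
SAMPLE_BLOCKLIST = {"evil-c2.xyz"}
# Minimal second-level public suffixes; use the real Public Suffix List for production work.
SECOND_LEVEL_SUFFIXES = {"com.tw", "net.tw", "org.tw", "co.uk", "co.jp", "com.cn", "com.hk"}


def registered_domain(name):
    """Reduce a query name to its registrable domain (shop.example.com.tw -> example.com.tw)."""
    labels = name.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / len(s) * math.log2(k / len(s)) for k in counts.values())


def looks_dga(domain):
    """Crude DGA heuristic: long, high-entropy first label. Tune thresholds on your own data."""
    label = domain.split(".")[0]
    return len(label) >= 12 and shannon_entropy(label) >= 3.5


def load_whitelist(csv_text):
    return {line.split(",", 1)[1].strip().lower() for line in csv_text.splitlines() if "," in line}


def analyze(query_text, whitelist_csv, blocklist):
    """Return non-whitelisted domains ranked by severity, then by how many clients asked for them."""
    whitelist = load_whitelist(whitelist_csv)
    stats = defaultdict(lambda: {"clients": set(), "queries": 0, "first": None})
    for line in query_text.splitlines():
        ts, client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        if dom in whitelist:
            continue
        s = stats[dom]
        s["clients"].add(client)
        s["queries"] += 1
        s["first"] = s["first"] or ts
    rank = {"high": 0, "medium": 1, "low": 2}
    out = []
    for dom, s in stats.items():
        sev = "high" if dom in blocklist else "medium" if looks_dga(dom) else "low"
        out.append({"domain": dom, "severity": sev, "clients": len(s["clients"]),
                    "queries": s["queries"], "first_seen": s["first"]})
    out.sort(key=lambda x: (rank[x["severity"]], -x["clients"], x["domain"]))
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE_QUERIES, SAMPLE_WHITELIST_CSV, SAMPLE_BLOCKLIST):
        print(row["severity"].upper(), row["domain"], "clients:", row["clients"],
              "queries:", row["queries"], "first:", row["first_seen"])
```

The whitelist cuts volume, not risk: the Twitter C&C case from the APT slides would sail straight through it, because the domain is popular. Treat the whitelist as a noise filter for the unknown-domain bucket and keep the blocklist and behavioural checks (beaconing intervals, volume per client) running on everything.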

IR tools with PowerShell

LRUP.PS1:

× https://ppt.cc/fMRChx

× https://github.com/Invoke-IR/PowerForensics

Live Response Using PowerShell - SANS Institute:

× https://www.sans.org/reading-room/whitepapers/forensics/live-response-powershell-34302

Loki, Simple IOC and Incident Response Scanner:

× https://www.bsk-consulting.de/loki-free-ioc-scanner/

× https://github.com/Neo23x0/Loki/releases/download/v0.24.2/loki_0.24.2.zip

Brimor Labs Live Response Collection – Bambiraptor build:

× Automated tool that collects volatile data from Windows, OSX and *nix based operating systems

× https://www.brimorlabs.com/Tools/LiveResponseCollection-Bambiraptor.zip

pestudio: Malware Initial Assessment

Linux IR, a collection of good Linux IR articles:

× https://www.one-tab.com/page/3tLqOfx8T8qkCDp4dDm6_Q

macOS IR tools:

× KnockKnock

× TaskExplorer

× Dylib Hijack Scanner

× https://objective-see.com/products.html

3. Anti-forensics and its analysis: Anti! Anti! Anti!

"The competent cyber warrior learns from their mistakes. The cyber master learns from the mistakes & knowhow of others."

The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter…)

ClearEventLog: it does exactly what the name says…
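Clearing the log is itself logged: Windows writes Security 1102 ("the audit log was cleared") and System 104 ("the log file was cleared") after the wipe, and both survive it with the account that did it. As an added defender-side check that is not part of the talk, the following scans constructed event records (a simplified Get-WinEvent-like JSON shape, not real exported data) for those two events plus a 4688 process creation whose command line clears a log. The records are assumed to come from a forwarding collector, which is the only reason the 4688 written before the wipe is still there; on the victim host itself it is gone.

```python
import json
import re
from datetime import datetime

# Constructed records in a simplified Get-WinEvent-like shape (fields trimmed to what the
# check needs). Assumed to be the collector's copy, so events before the wipe survive.
SAMPLE_EVENTS_JSON = json.dumps([
    {"TimeCreated": "2017-11-20T08:00:00+08:00", "LogName": "System", "Id": 6005, "Data": {}},
    {"TimeCreated": "2017-11-21T02:30:00+08:00", "LogName": "Security", "Id": 4624,
     "Data": {"TargetUserName": "webadmin", "TargetDomainName": "SHOP",
              "LogonType": "10", "IpAddress": "203.0.113.7"}},
    {"TimeCreated": "2017-11-21T02:44:00+08:00", "LogName": "Security", "Id": 4688,
     "Data": {"SubjectUserName": "webadmin", "SubjectDomainName": "SHOP",
              "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
              "CommandLine": "wevtutil.exe cl Security"}},
    {"TimeCreated": "2017-11-21T02:45:00+08:00", "LogName": "Security", "Id": 1102,
     "Data": {"SubjectUserName": "webadmin", "SubjectDomainName": "SHOP", "SubjectLogonId": "0x3e7a1"}},
    {"TimeCreated": "2017-11-21T02:45:05+08:00", "LogName": "System", "Id": 104,
     "Data": {"SubjectUserName": "webadmin", "SubjectDomainName": "SHOP", "Channel": "System"}},
    {"TimeCreated": "2017-11-21T03:10:00+08:00", "LogName": "Security", "Id": 4624,
     "Data": {"TargetUserName": "alice", "TargetDomainName": "SHOP", "LogonType": "2", "IpAddress": "-"}},
])

# (LogName, EventID) pairs that record a clearing.
CLEAR_EVENTS = {("Security", 1102): "audit log cleared", ("System", 104): "log file cleared"}
# Command lines that clear a log: wevtutil cl / clear-log, or the PowerShell cmdlet.
CLEAR_CMD_RE = re.compile(r"(wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog)", re.I)


def load_events(text):
    """Parse the JSON export and return records sorted by creation time."""
    recs = json.loads(text)
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["TimeCreated"])
    return sorted(recs, key=lambda r: r["ts"])


def _subject(data):
    return f'{data.get("SubjectDomainName", "?")}\\{data.get("SubjectUserName", "?")}'


def find_log_clearing(records):
    """Return one finding per clearing event or clearing command, in time order."""
    findings = []
    for r in records:
        d = r["Data"]
        key = (r["LogName"], r["Id"])
        if key in CLEAR_EVENTS:
            detail = CLEAR_EVENTS[key] + (f' ({d["Channel"]})' if "Channel" in d else "")
            findings.append({"time": r["TimeCreated"], "log": r["LogName"], "id": r["Id"],
                             "user": _subject(d), "detail": detail})
        elif r["Id"] == 4688 and CLEAR_CMD_RE.search(d.get("CommandLine", "")):
            findings.append({"time": r["TimeCreated"], "log": r["LogName"], "id": r["Id"],
                             "user": _subject(d), "detail": "process launched to clear a log: " + d["CommandLine"]})
    return findings


def events_before_clear(records, finding):
    """What the wipe would have destroyed on the host: same log, earlier than the clearing event."""
    t = datetime.fromisoformat(finding["time"])
    return [r for r in records if r["LogName"] == finding["log"] and r["ts"] < t]


if __name__ == "__main__":
    recs = load_events(SAMPLE_EVENTS_JSON)
    for f in find_log_clearing(recs):
        print(f["time"], f["log"], f["id"], f["user"], "|", f["detail"])
        if f["id"] in (1102, 104):
            lost = events_before_clear(recs, f)
            print("   would have hidden", len(lost), "earlier", f["log"], "events on the host")
```

When you only have the host's own log, the earliest surviving record in a cleared channel is the 1102 or 104 itself; the gap before it is the evidence, and the forwarded copy (or a SIEM) is where the rest lives. The 4688 rule needs command-line auditing turned on, otherwise CommandLine is empty.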

Master Boot Record: and of course you can put ransomware there too...

SDelete -p X (X > 6)

Software protection schemes: pile on too much protection and the antivirus may flag you outright…

Anti Analysis:

× https://github.com/a0rtega/pafish

× https://github.com/AlicanAkyol/sems/

× https://github.com/google/sandbox-attacksurface-analysis-tools

× https://github.com/LordNoteworthy/al-khaser

× https://github.com/marcusbotacin/Anti.Analysis

× https://github.com/ricardojrdez/anti-analysis-tricks

"Cyber deterrence creates the next decade's malware problem." - Sun Tzu, The Art of Cyber War

ATT&CK Matrix:

× https://attack.mitre.org/wiki/Main_Page

× https://github.com/redcanaryco/atomic-red-team

NG-PT:

× https://ppt.cc/f0lonx

Threat Hunting:

× https://ppt.cc/fs5kGx

Red Team Tips:

× https://ppt.cc/f0tn5x

× Continuously updated…

Hacker techniques are a double-edged sword

Keeping the analog homeland secure…

Information, Communications and Electronic Force Command, Cyber Warfare Group (資電作戰指揮部網路戰大隊)

× Find defense boring?

× Visit the military recruitment booth at the venue!!!

Thanks! Any questions?

You can find me at:

https://www.facebook.com/jack.chou.351

[email protected]

https://twitter.com/jackchou51706

https://github.com/jack51706

https://www.linkedin.com/in/keyboard007/