CN116708028A - External attack surface management method and system based on attacker view angle - Google Patents


Info

Publication number
CN116708028A
Authority
CN
China
Prior art keywords
risk
asset
scanning
assets
preset area
Prior art date
Legal status
Granted
Application number
CN202310973052.6A
Other languages
Chinese (zh)
Other versions
CN116708028B (en
Inventor
王建国
王德民
田鑫程
王建龙
郭飞
李可
Current Assignee
Beijing Tianyun Sea Number Technology Co ltd
Original Assignee
Beijing Tianyun Sea Number Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Tianyun Sea Number Technology Co ltd
Priority to CN202310973052.6A
Publication of CN116708028A
Application granted
Publication of CN116708028B
Legal status: Active
Anticipated expiration

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network security: detecting or protecting against malicious traffic; H04L63/00, network architectures or network communication protocols for network security)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L43/00, arrangements for monitoring or testing data switching networks)
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS] (under H04L61/00, network arrangements, protocols or services for addressing or naming)
    • H04L9/40 Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an external attack surface management method and system based on an attacker's view angle, in the technical field of network security. The method comprises: collecting the IP addresses and full domain name data of a preset area, performing full-port scanning of the assets, and fingerprinting the assets to obtain fingerprint information; performing collision comparison of the fingerprint information against a vulnerability database to analyse suspected vulnerabilities, and confirming cyberspace vulnerabilities through POC verification; performing risk inspection with a preset risk inspection rule base to obtain asset risks; constructing mappings between cyberspace, social space and geographic space to form a cyberspace map; and drawing and displaying the cyberspace vulnerabilities and asset risks with a visualization tool. The technical scheme addresses the problem that conventional vulnerability scanning tools miss large parts of an area, improves the efficiency of area attack surface management and reduces the risk of potential attacks, thereby providing a comprehensive network security assessment and management solution.

Description

External attack surface management method and system based on attacker view angle
Technical Field
The invention relates to the technical field of network security, and in particular to an external attack surface management method based on an attacker's view angle and an external attack surface management system based on an attacker's view angle.
Background
With the rapid development and popularity of computer networks, cyber security threats are also increasing. Malicious attack means such as hackers, viruses and botnets keep emerging and pose serious challenges to the information security of enterprises and individuals. Traditional network security defences mainly rely on fixed rules and patterns; they can usually only deal with known attack means and cannot easily detect or prevent novel and unknown ones, which leaves blind spots and weak links in network defence. Comprehensively scanning and managing the vulnerabilities in a large network environment is a complex and time-consuming task. To better understand a network's attack surface and potential risks, it is important to evaluate and manage network risk from the attacker's perspective: the attacker has various attack means and strategies, and their behaviour patterns and attack paths provide important references and ideas for network administrators.
Traditional defence methods are mainly based on fixed rules and patterns and can often only identify and block known attack means, so new and unknown attack patterns are not detected or guarded against in time, leaving the network vulnerable to new attacks. Conventional vulnerability scanning tools can detect some known vulnerabilities present in the network, but they lack a comprehensive security assessment and guidance for remediation, so the administrator has no guidance or priority order when repairing vulnerabilities and cannot manage them efficiently. Conventional methods are also often limited to specific vulnerabilities or attack points when assessing network security and do not provide a comprehensive attack surface assessment, which makes it difficult for administrators to know the overall security condition of the network and to accurately identify potential attack paths and risks. Finally, the field lacks comprehensive knowledge of, and reference to, attacker behaviour and strategy, so administrators lack guidance when preparing security strategies and defensive measures; without an attacker behaviour model, defensive strategies are easily left incomplete and vulnerabilities are easily missed.
Disclosure of Invention
To address these problems, the invention provides an external attack surface management method and system based on an attacker's view angle. It comprehensively considers the attacker's behaviour patterns and attack paths to simulate the attacker's behaviour and strategy; it combines suspected vulnerability analysis with the vulnerability scanning strategy to solve the problem that traditional vulnerability scanning tools miss large parts of an area; and it identifies potential attack paths, vulnerabilities and risks through risk inspection based on a risk inspection rule base, so that the overall security condition and risks of the network are known, the efficiency of area attack surface management is improved, the risk of potential attacks is reduced and important information and assets are protected. By displaying the cyberspace vulnerabilities and asset risks of an area with a visualization tool, the external attack surface of the network is evaluated and managed from the attacker's angle, providing a comprehensive network security evaluation and management solution.
In order to achieve the above object, the present invention provides an external attack surface management method based on an attacker's view angle, including:
collecting IP addresses and full domain name data in a preset area, and carrying out full port scanning on the IP addresses and the domain name data;
Summarizing the scanned and identified assets to obtain an asset data set of the preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
performing collision comparison on fingerprint information of the assets in a preset vulnerability database, and analyzing suspected vulnerabilities in each asset;
performing POC verification on the suspected vulnerabilities by using a vulnerability scanning engine to obtain the cyberspace vulnerabilities of the assets in the preset area;
performing risk inspection on the asset by using a rule comparison method in a preset risk inspection rule base to obtain asset risk of the preset area;
based on cyberspace geography, constructing a mapping relation between cyberspace and social space and geographic space to form a cyberspace map of the preset area;
and drawing and displaying the cyberspace vulnerabilities and asset risks corresponding to the preset area in the cyberspace map by means of a visualization tool.
In the above technical solution, preferably, the external attack surface management method based on an attacker view angle further includes:
querying the IP addresses and domain name data of the preset area in a preset threat intelligence library, and judging whether an IP address or domain name matches known threat intelligence;
and drawing and displaying the threat intelligence corresponding to the preset area in the cyberspace map by means of the visualization tool.
In the above technical solution, preferably, the external attack surface management method based on an attacker view angle further includes:
according to the risk inspection result and based on the CVSS (Common Vulnerability Scoring System), scoring the risk of the asset with a risk assessment model that synthesises different assessment dimensions;
wherein the assessment dimensions on which the risk assessment model is based include scanning risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security and questionnaire risk;
and, under CVSS, determining the asset's score in each assessment dimension on the 0 to 10 scale according to whether vulnerabilities exist in that dimension and their risk level.
In the above technical solution, preferably, the external attack surface management method based on an attacker view angle further includes:
for the risks of the assets in the preset area, assigning corresponding weights to the evaluation indicators of the different risks according to predefined risk priority criteria;
calculating the priority score of each risk from the quantised scores and weights of its evaluation indicators;
determining the priority of each risk according to the priority scores of all risks;
and grading the risks of the assets in the preset area in priority order.
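The weighting, scoring and ordering steps above, as an added example that is not code from the patent: each asset is scored on the evaluation dimensions the page names using CVSS-style 0 to 10 values, a weighted sum gives the priority score, and assets are ranked and graded. The weights, the grade thresholds (borrowed from the CVSS v3 qualitative bands) and the sample assets are assumptions made for this example.

```python
"""Weighted risk prioritisation over CVSS-style dimension scores.

Added example, not the patent's scoring module. Dimension names follow the
page; weights, tier thresholds and sample assets are assumptions.
"""
from dataclasses import dataclass

# Evaluation dimensions named on the page; each is scored 0..10 (CVSS-style).
DIMENSIONS = (
    "scanning", "penetration", "website", "network",
    "brand_reputation", "phishing_malware", "email", "questionnaire",
)

# Assumed weights (the patent only states that weights are assigned per indicator).
DEFAULT_WEIGHTS = {
    "scanning": 0.20, "penetration": 0.25, "website": 0.15, "network": 0.15,
    "brand_reputation": 0.05, "phishing_malware": 0.10, "email": 0.05,
    "questionnaire": 0.05,
}

# Assumed priority grades on the 0..10 scale (CVSS v3 qualitative bands).
TIERS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1))


@dataclass
class Asset:
    name: str
    scores: dict  # dimension -> 0..10; a missing dimension means no finding (0)


def validate_weights(weights):
    if set(weights) != set(DIMENSIONS):
        raise ValueError("weights must cover exactly the evaluation dimensions")
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-6:
        raise ValueError(f"weights must sum to 1.0, got {total}")


def priority_score(asset, weights=DEFAULT_WEIGHTS):
    """Weighted sum of the quantised dimension scores; stays within 0..10."""
    validate_weights(weights)
    score = 0.0
    for dim in DIMENSIONS:
        s = float(asset.scores.get(dim, 0.0))
        if not 0.0 <= s <= 10.0:
            raise ValueError(f"{asset.name}: {dim} score {s} outside 0..10")
        score += weights[dim] * s
    return round(score, 2)


def tier(score):
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "none"


def rank_assets(assets, weights=DEFAULT_WEIGHTS):
    """Return (name, score, tier) in descending priority. Ties are broken by
    the worst single dimension, then by name, so the order is deterministic."""
    rows = []
    for a in assets:
        p = priority_score(a, weights)
        worst = max((float(v) for v in a.scores.values()), default=0.0)
        rows.append((a.name, p, tier(p), worst))
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return [(n, p, t) for n, p, t, _ in rows]


# Constructed sample assets (not real hosts).
SAMPLE_ASSETS = [
    Asset("www.example.test", {"scanning": 9.8, "penetration": 9.0, "website": 6.0}),
    Asset("mail.example.test", {"email": 8.0, "phishing_malware": 8.0}),
    Asset("vpn.example.test", {"network": 9.0, "penetration": 9.8}),
]

if __name__ == "__main__":
    for name, score, grade in rank_assets(SAMPLE_ASSETS):
        print(f"{name:22s} {score:5.2f} {grade}")
```

Note that a weighted sum deliberately flattens a single 9.8 in one dimension into a medium overall score; if one critical finding should dominate, the tie-break column (worst single dimension) is the value to sort on first instead.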
In the above technical solution, preferably, the port scanning techniques used for full-port scanning include TCP connect scanning, SYN scanning, NULL scanning, FIN scanning, XMAS scanning, UDP scanning, idle scanning and SCTP scanning; the fingerprint identification methods include comparing the MD5 of specific files, detecting keywords contained in normal pages or error pages, matching keywords in header information, and matching keywords contained in part of the URL; and the analysis tool used for collision comparison is the Spark distributed computing engine.
In the above technical solution, preferably, the risk check items in the preset risk check rule base include, but are not limited to: SSL unavailable; HTTPS redirection not supported; SSL certificate expiring within 20 days; weak SSL cipher algorithm; insecure SSL/TLS version supported; revoked certificate in use; HTTP not redirected to HTTPS; HTTP Strict Transport Security (HSTS) not enforced; HSTS header missing includeSubDomains; domain not found in the HSTS preload list; Secure cookie flag not used; ASP.NET disclosed in response headers; specific ASP.NET version disclosed in response headers; HttpOnly cookie flag not used; WordPress XML-RPC API enabled; WordPress version disclosed; WordPress user list disclosed; domain name about to expire; domain name expired; registrar transfer lock not enabled; registrar deletion lock not enabled; domain marked inactive; registrar DNS hold; registrar block; domain renewal due; SPF record missing or with a syntax error; X-Powered-By header disclosed; Server header disclosed; and mail sender policy not found or not matching the sending host.
The invention also provides an external attack surface management system based on the attacker's view angle, which applies the external attack surface management method disclosed in any of the above technical solutions and comprises:
the asset scanning module is used for collecting the IP address and the full domain name data in a preset area and carrying out full port scanning on the IP address and the domain name data;
the fingerprint identification module is used for summarizing the scanned and identified assets to obtain an asset data set of the preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
the suspected analysis module is used for carrying out collision comparison on fingerprint information of the assets in a preset vulnerability database and analyzing suspected vulnerabilities in each asset;
the vulnerability verification module is used for performing POC verification on the suspected vulnerabilities by using a vulnerability scanning engine to obtain the cyberspace vulnerabilities of the assets in the preset area;
the risk checking module is used for checking the risk of the asset by using a rule comparison method in a preset risk checking rule base to obtain the asset risk of the preset area;
the map construction module is used for constructing a mapping relation between cyberspace and social space and geographic space, based on cyberspace geography, to form a cyberspace map of the preset area;
and the risk visualization module is used for drawing and displaying the cyberspace vulnerabilities and asset risks corresponding to the preset area in the cyberspace map by means of the visualization tool.
In the above technical solution, preferably, the external attack surface management system based on an attacker's view angle further includes a threat query module, configured to query the IP addresses and domain name data of the preset area in a preset threat intelligence library and to judge whether an IP address or domain name matches known threat intelligence;
and the risk visualization module is further used for drawing and displaying the threat intelligence corresponding to the preset area in the cyberspace map by means of the visualization tool.
In the foregoing technical solution, preferably, the external attack surface management system based on an attacker view angle further includes a risk scoring module, specifically configured to:
according to the risk inspection result and based on the CVSS (Common Vulnerability Scoring System), scoring the risk of the asset with a risk assessment model that synthesises different assessment dimensions;
wherein the assessment dimensions on which the risk assessment model is based include scanning risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security and questionnaire risk;
and, under CVSS, determining the asset's score in each assessment dimension on the 0 to 10 scale according to whether vulnerabilities exist in that dimension and their risk level.
In the foregoing technical solution, preferably, the external attack surface management system based on an attacker view further includes a risk classification module, specifically configured to:
for the risks of the assets in the preset area, assigning corresponding weights to the evaluation indicators of the different risks according to predefined risk priority criteria;
calculating the priority score of each risk from the quantised scores and weights of its evaluation indicators;
determining the priority of each risk according to the priority scores of all risks;
and grading the risks of the assets in the preset area in priority order.
Compared with the prior art, the invention has the following beneficial effects: the attacker's behaviour patterns and attack paths are comprehensively considered and the attacker's behaviour and strategy are simulated; combining suspected vulnerability analysis with the vulnerability scanning strategy solves the problem that traditional vulnerability scanning tools miss large parts of an area; risk inspection based on a risk inspection rule base identifies potential attack paths, vulnerabilities and risks, so that the overall security condition and risks of the network are known, the efficiency of area attack surface management is improved, the risk of potential attacks is reduced and important information and assets are protected; and displaying the cyberspace vulnerabilities and asset risks of an area with a visualization tool allows the external attack surface of the network to be evaluated and managed from the attacker's angle, providing a comprehensive network security evaluation and management solution.
Drawings
Fig. 1 is a flow chart of an external attack surface management method based on an attacker view according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a logic framework of an external attack surface management method based on an attacker perspective according to an embodiment of the present invention;
fig. 3 is a schematic block diagram of an external attack surface management system based on an attacker perspective according to an embodiment of the present invention.
In the figures, the correspondence between components and reference numerals is:
1. asset scanning module; 2. fingerprint identification module; 3. suspected analysis module; 4. vulnerability verification module; 5. risk checking module; 6. map construction module; 7. risk visualization module; 8. threat query module; 9. risk scoring module; 10. risk grading module.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
The invention is described in further detail below with reference to the attached drawing figures:
as shown in fig. 1 and fig. 2, the external attack surface management method based on the view angle of an attacker provided by the invention includes:
collecting IP addresses and full domain name data in a preset area, and carrying out full port scanning on the IP addresses and the domain name data;
summarizing the scanned and identified assets to obtain an asset data set of a preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
performing collision comparison on fingerprint information of the assets in a preset vulnerability database, and analyzing suspected vulnerabilities in each asset;
performing POC verification on the suspected vulnerabilities by using a vulnerability scanning engine to obtain the cyberspace vulnerabilities of the assets in the preset area;
performing risk inspection on the asset by using a rule comparison method in a preset risk inspection rule base to obtain asset risk of a preset area;
based on cyberspace geography, constructing a mapping relation between cyberspace and social space and geographic space to form a cyberspace map of the preset area;
and drawing and displaying the cyberspace vulnerabilities and asset risks corresponding to the preset area in the cyberspace map by means of the visualization tool.
In this embodiment, the attacker's behaviour patterns and attack paths are comprehensively considered and the attacker's behaviour and strategy are simulated; combining suspected vulnerability analysis with the vulnerability scanning strategy solves the problem that traditional vulnerability scanning tools miss large parts of an area; risk inspection based on a risk inspection rule base identifies potential attack paths, vulnerabilities and risks, so that the overall security condition and risks of the network are known, the efficiency of area attack surface management is improved, the risk of potential attacks is reduced and important information and assets are protected; and displaying the cyberspace vulnerabilities and asset risks of an area with a visualization tool allows the external attack surface of the network to be evaluated and managed from the attacker's angle, providing a comprehensive network security evaluation and management solution.
Specifically, to collect all the IPs of a city or province, the full set of IPs or IP segments of the region is obtained from an IP geolocation database by city or province name, or by longitude and latitude.
Common IP geolocation databases include:
(1) GeoIP2: one of the most widely used IP geolocation databases. It provides accurate IP location data, including country, province/state, city, longitude and latitude, and can be accessed through an API or as a local database;
(2) IP2Location: another well-known IP geolocation database provider. It provides global IP location data, including country, province/state, city, postal code, longitude and latitude, time zone and other information, queryable through an API or a local database;
(3) QQWry: an early and still widely used IP geolocation database. It provides basic information such as the country, province/city and operator corresponding to an IP address. It is commonly used in China, but its location accuracy for foreign IPs is relatively low;
(4) IP2Location LITE: a free IP geolocation database; although less accurate than the paid version, it provides a certain degree of IP location capability;
(5) Chunzhen (纯真) library: one of the most commonly used IP address location tools on the Chinese internet. It maps an IP address to a geographic location (country, province/city, operator), so querying an IP returns the corresponding location information. Its data is collected and compiled from a large amount of network data and is continuously updated and maintained, giving relatively high IP location accuracy.
In the implementation of the invention, the IP segments of the region are preferably obtained by city or province name using the Chunzhen library.
Domain name data is collected as follows: all enterprise information of the region is collected from the National Enterprise Credit Information Publicity System (https://www.gsxt.gov.cn/) by means of the unit data; then all ICP filing records of each enterprise are obtained from the ICP/IP address/domain name information filing management system (https://beian.miit.gov.cn/) by enterprise name, which yields the website domain names of the region; subdomain enumeration is then performed on those domains to obtain the full domain name data.
An external attack surface refers to all elements, and combinations of elements, of an enterprise IT infrastructure that can be used by an attacker, including known and unknown assets, vulnerabilities and network access paths. Cyberspace asset scanning is the basis of external attack surface management, and having the scanner's source IP blocked during port scanning is a frequently encountered problem. In the implementation it is therefore preferred to scan the IPs of the preset area one port at a time (one port across every IP, then the next port), so that the interval between two probes to the same target IP is stretched to tens of minutes; this avoids sending a large number of scan packets to the same IP in a short time and effectively prevents the scanning IP from being blocked.
Using active scanning and identification technology, probe packets are sent to the collected IP addresses to perform full-port scanning, detecting which ports are open on each IP and which protocol runs on each port.
The port scanning techniques used for full-port scanning preferably include TCP connect scanning, SYN scanning, NULL scanning, FIN scanning, XMAS scanning, UDP scanning, idle scanning, SCTP scanning and the like, for identifying the open services and applications on the target host.
Specifically, TCP connect scanning is one of the most common port scanning techniques. It establishes a complete TCP connection with the target host through the operating system's connect() call: if the target answers the SYN with SYN/ACK and the handshake completes, the port is open; if the target answers with RST, the port is closed.
SYN scanning is a fast and relatively covert technique. It sends a TCP SYN packet and, when the target answers with SYN/ACK, replies with RST instead of completing the handshake, so no full connection is established and the application on the target does not see a connection. A SYN/ACK response indicates the port is open; an RST (RST/ACK) response indicates it is closed; no response indicates it is filtered. For the domain name data, ports 80 and 443 are scanned, and the results are finally summarised into the asset data set.
Commonly used port scanning tools include:
(1) masscan: a high-speed port scanner focused on scanning large networks quickly. It sends and receives packets asynchronously and can scan a large number of IP addresses and ports in a short time;
(2) ZMap: another high-speed port scanner, designed to scan a single port across the entire IPv4 address space. It uses stateless probing with a high-rate packet-sending mechanism, so it can cover a large address range quickly;
(3) XMap: a fast network scanner specially designed for internet-wide research scanning of IPv6 and IPv4 networks;
(4) Nmap: a widely used open source network security scanner for probing open ports, identifying services, detecting operating systems and discovering vulnerabilities on target hosts and networks. Nmap provides rich functionality and flexible scanning options, making it an important tool in penetration testing, vulnerability assessment, network management and other fields.
In the implementation of the invention, ZMap is preferably used to scan the assets, one port per run, so that there is a time gap between two port scans across all IPs of a city and any single target IP is probed only once over a long period, which effectively prevents the targets from being blocked. This step yields the full asset data of the region, with the fields ip, port, protocol and port status.
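The probe-ordering strategy described above, as an added example that is not the patent's scanner: it sweeps one port across every IP of the region before moving on to the next port, and computes how far apart two probes to the same target end up, compared with the host-by-host order a conventional scanner uses. The packet rate and the sample address blocks (documentation ranges) are assumptions.

```python
"""Probe ordering for full-port scans of a region, with per-target spacing.

Added example, not the patent's scanner. Models the page's strategy of
sweeping one port across all IPs before the next port, so that probes to
any single target are far apart in time. Rates and address blocks are assumed.
"""
import ipaddress
import random


def expand_targets(cidrs):
    """Flatten the region's IP segments (CIDR blocks) into host addresses."""
    hosts = []
    for c in cidrs:
        hosts.extend(str(h) for h in ipaddress.ip_network(c, strict=False).hosts())
    return hosts


def port_major_order(hosts, ports, seed=None):
    """Yield (ip, port) probes: every host for ports[0], then every host for
    ports[1], and so on. With a seed, the host order is permuted per sweep,
    as stateless scanners do; the spacing guarantee is kept on average while
    the probe sequence is no longer predictable from the target's side."""
    rng = random.Random(seed)
    for port in ports:
        order = list(hosts)
        if seed is not None:
            rng.shuffle(order)
        for ip in order:
            yield ip, port


def host_major_order(hosts, ports):
    """The 'physical examination' order: every port of one host, then the next."""
    for ip in hosts:
        for port in ports:
            yield ip, port


def min_gap_per_target(probes, pps):
    """Smallest time in seconds between two probes to the same IP when probes
    are sent back-to-back at `pps` packets per second. None if no target is
    probed twice."""
    last_seen = {}
    min_gap = None
    for idx, (ip, _port) in enumerate(probes):
        if ip in last_seen:
            gap = (idx - last_seen[ip]) / pps
            min_gap = gap if min_gap is None else min(min_gap, gap)
        last_seen[ip] = idx
    return min_gap


def compare_orders(cidrs, ports, pps):
    hosts = expand_targets(cidrs)
    return {
        "targets": len(hosts),
        "host_major_gap_s": min_gap_per_target(host_major_order(hosts, ports), pps),
        "port_major_gap_s": min_gap_per_target(port_major_order(hosts, ports), pps),
    }


# Constructed region: two documentation-range blocks and a handful of ports.
SAMPLE_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]
SAMPLE_PORTS = [22, 80, 443, 8080]

if __name__ == "__main__":
    print(compare_orders(SAMPLE_CIDRS, SAMPLE_PORTS, pps=1000))
```

With a real city-sized address space (hundreds of thousands of hosts) and a rate of a few thousand packets per second, the port-major gap grows to the tens of minutes the text mentions; the host-major gap stays at one packet interval regardless of region size.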
Fingerprint identification provides a large amount of useful information for penetration testers. A fingerprint is a piece of characteristic information on a component that identifies the type of object, and it is used to quickly identify the target service during the information gathering phase of a penetration test. Fingerprinting typically collects CMS information (e.g. Chinese CMSes such as DedeCMS (织梦) and EmpireCMS (帝国CMS), PHPCMS, ECShop), front-end technology (e.g. HTML5, jQuery, Bootstrap, Pure, Ace), web servers (e.g. Apache, lighttpd, nginx, IIS), application servers (e.g. Tomcat, JBoss, WebLogic, WebSphere), development language (e.g. PHP, Java, Ruby, Python, C#), operating system information (e.g. Linux, Windows Server 2008, Windows 7, Kali, CentOS), CDN information (whether a CDN is used, e.g. Cloudflare, 360CDN, 365cyd, Yunjiasu), WAF information (whether a WAF is used, e.g. Topsec, Jiasule, Yundun), and IP and domain name information (IP and domain registration information, service provider information, etc.).
In the above embodiment, the fingerprint identification methods preferably include: comparing the MD5 of specific files (static files such as particular image files, JS files, CSS files and favicon.ico); detecting keywords contained in normal pages or error pages (for example "Powered by Discuz", "DedeCMS", or keywords in the robots.txt file); matching keywords in header information (generally by checking the X-Powered-By field of the HTTP response header; by the Cookie names, since a WAF may add identifying information to the returned headers, such as 360wzws, safedog or yunsuo; by the Server field, such as DVRDVS-Webs, yunjiasu-nginx, mod_security or nginx-wallarm; and by the WWW-Authenticate field, in which some routing and switching devices identify themselves); and matching characteristic keywords contained in part of the URL path.
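The four match types listed above, as an added example that is not the patent's fingerprint module: one rule engine that checks a static file's MD5, a page-body keyword, header keywords (Server, X-Powered-By, Set-Cookie, WWW-Authenticate) and a URL keyword against a captured HTTP response. The rules, the product names, the response and the favicon bytes are all constructed for illustration and are not real product signatures.

```python
"""Rule-driven web fingerprinting over one HTTP response.

Added example, not the patent's code. Implements the page's four match
types as a small rule engine. Rules, sample response and favicon bytes are
constructed placeholders, not real product signatures.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    url: str
    status: int
    headers: dict            # lower-cased header name -> value
    body: str
    files: dict = field(default_factory=dict)  # path -> raw bytes (e.g. favicon.ico)


@dataclass
class Rule:
    product: str
    kind: str                # "file_md5" | "body_keyword" | "header_keyword" | "url_keyword"
    key: str = ""            # file path (file_md5) or header name (header_keyword)
    value: str = ""          # md5 hex digest, regex, or URL substring


def _matches(rule, resp):
    if rule.kind == "file_md5":
        data = resp.files.get(rule.key)
        return data is not None and hashlib.md5(data).hexdigest() == rule.value
    if rule.kind == "body_keyword":
        return re.search(rule.value, resp.body, re.IGNORECASE) is not None
    if rule.kind == "header_keyword":
        hv = resp.headers.get(rule.key.lower())
        return hv is not None and re.search(rule.value, hv, re.IGNORECASE) is not None
    if rule.kind == "url_keyword":
        return rule.value.lower() in resp.url.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def fingerprint(resp, rules):
    """Return {product: [kinds of rule that fired]}. Error pages are
    fingerprinted too: a 404 body and its headers are as telling as a 200."""
    hits = {}
    for rule in rules:
        if _matches(rule, resp):
            hits.setdefault(rule.product, []).append(rule.kind)
    return hits


# Constructed favicon bytes; the rule's MD5 is derived from them at load time.
SAMPLE_FAVICON = b"\x00\x00\x01\x00constructed-favicon-for-example"

RULES = [
    Rule("ExampleCMS", "file_md5", "/favicon.ico", hashlib.md5(SAMPLE_FAVICON).hexdigest()),
    Rule("ExampleCMS", "body_keyword", value=r"Powered by ExampleCMS"),
    Rule("ExampleCMS", "url_keyword", value="/examplecms/"),
    Rule("nginx", "header_keyword", "Server", r"^nginx"),
    Rule("PHP", "header_keyword", "X-Powered-By", r"^PHP/"),
    Rule("ExampleWAF", "header_keyword", "Set-Cookie", r"\bexamplewaf_session="),
    Rule("ExampleRouter", "header_keyword", "WWW-Authenticate", r'realm="ExampleRouter"'),
]

# Constructed response from a hypothetical host (documentation IP range).
SAMPLE_RESPONSE = Response(
    url="http://198.51.100.10/examplecms/index.php",
    status=404,
    headers={
        "server": "nginx/1.24.0",
        "x-powered-by": "PHP/8.2.7",
        "set-cookie": "examplewaf_session=abc123; Path=/; HttpOnly",
    },
    body="<html><title>404</title>Powered by ExampleCMS v2.1</html>",
    files={"/favicon.ico": SAMPLE_FAVICON},
)

if __name__ == "__main__":
    for product, kinds in fingerprint(SAMPLE_RESPONSE, RULES).items():
        print(product, kinds)
```

Several independent rules firing for the same product (file hash plus body keyword plus URL) is what makes a fingerprint trustworthy; a single header match is easy to spoof or to get wrong behind a CDN or WAF that rewrites headers.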
All network assets in the area and their fingerprint information are obtained through the above steps; the fingerprint information comprises protocols, services, middleware and the corresponding version numbers. This information is then collision-compared with the data in a vulnerability database using big data analysis technology, and version comparison is performed to analyze the suspected vulnerabilities of each asset. Preferably, the analysis tool for the collision comparison is a Spark distributed computing engine, which compares the version numbers of the middleware and frameworks identified on each asset with the version numbers in the vulnerability database; as long as an identified version number falls within the version range associated with a vulnerability, the asset is considered to have a suspected vulnerability.
For the suspected vulnerabilities obtained through the comparison and analysis, POC verification is performed using a vulnerability scanning engine, so as to obtain the vulnerability information of each asset. This step is critical because a traditional vulnerability scanning tool mainly performs a health-check style vulnerability scan against a single target, traversing all POCs in the POC library against that one target; this is time-consuming, generates a large volume of traffic on the receiving side, is more easily noticed, and affects the target. The invention uses a self-developed concurrent scanning engine to verify only the suspected vulnerabilities found on a single target, which is efficient and hard to block. Through POC verification, the network space vulnerability situation of a real geographic area can be obtained.
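As an added Python example that is not part of the patent, the following sketch shows the fingerprint identification methods described above (response-header matching, page keywords and favicon MD5) feeding the version collision comparison with a vulnerability database. The captured response, the fingerprint rules, the vulnerability entries and their identifiers are all constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: an HTTP response as captured from one hypothetical asset.
SAMPLE_RESPONSE = {
    "headers": {
        "Server": "nginx/1.18.0",
        "X-Powered-By": "PHP/7.4.3",
    },
    "body": "<html><body>Powered by Discuz!</body></html>",
    "favicon": b"constructed-favicon-bytes",  # stands in for a real favicon.ico
}

# Constructed fingerprint rules in the three styles the text describes:
# response-header matching, page keyword detection and static-file MD5 comparison.
HEADER_RULES = {
    "Server": re.compile(r"^(?P<product>nginx|apache|iis)/?(?P<version>[\d.]*)", re.I),
    "X-Powered-By": re.compile(r"^(?P<product>php|asp\.net)/?(?P<version>[\d.]*)", re.I),
}
KEYWORD_RULES = {"Powered by Discuz!": "discuz", "Powered by DedeCMS": "dedecms"}
FAVICON_MD5 = {hashlib.md5(b"constructed-favicon-bytes").hexdigest(): "discuz"}

# Constructed vulnerability database: affected ranges are [min, max) version
# strings; the identifiers are placeholders, not real CVE numbers.
VULN_DB = [
    {"product": "nginx", "affected": [("1.0.0", "1.20.1")], "id": "VULN-PLACEHOLDER-1"},
    {"product": "php", "affected": [("7.4.0", "7.4.10")], "id": "VULN-PLACEHOLDER-2"},
    {"product": "php", "affected": [("8.0.0", "8.0.3")], "id": "VULN-PLACEHOLDER-3"},
    {"product": "discuz", "affected": [("3.0", "3.4")], "id": "VULN-PLACEHOLDER-4"},
]


@dataclass
class Component:
    product: str
    version: str = ""  # empty when the banner or page hides the version


def fingerprint(response: dict) -> list[Component]:
    """Identify middleware/framework components from one captured response."""
    found = []
    for header, rule in HEADER_RULES.items():
        m = rule.match(response["headers"].get(header, ""))
        if m:
            found.append(Component(m.group("product").lower(), m.group("version")))
    for keyword, product in KEYWORD_RULES.items():
        if keyword in response["body"]:
            found.append(Component(product))
    digest = hashlib.md5(response.get("favicon", b"")).hexdigest()
    if digest in FAVICON_MD5:
        found.append(Component(FAVICON_MD5[digest]))
    # Merge duplicate hits per product, preferring the hit that carries a version.
    merged: dict[str, Component] = {}
    for comp in found:
        if comp.product not in merged or (comp.version and not merged[comp.product].version):
            merged[comp.product] = comp
    return list(merged.values())


def parse_version(text: str) -> tuple:
    """'1.18.0' -> (1, 18, 0); tuples compare component-wise like version numbers."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def collide(components: list[Component], db=VULN_DB):
    """Version collision: an asset is suspected vulnerable when an identified
    version falls inside an affected range. Components without a version are
    reported separately, since they cannot be compared and need a closer look."""
    suspected, unversioned = [], []
    for comp in components:
        for entry in db:
            if entry["product"] != comp.product:
                continue
            if not comp.version:
                unversioned.append((comp.product, entry["id"]))
                continue
            ver = parse_version(comp.version)
            if any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in entry["affected"]):
                suspected.append((comp.product, comp.version, entry["id"]))
    return suspected, unversioned


if __name__ == "__main__":
    comps = fingerprint(SAMPLE_RESPONSE)
    hits, unknown = collide(comps)
    print("identified:", comps)
    print("suspected:", hits)
    print("needs manual version check:", unknown)
```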
In the above embodiment, the risk check items in the preset risk check rule base preferably include, but are not limited to: SSL unavailable; HTTPS redirection not supported; SSL certificate will expire within 20 days; weak SSL algorithm; unsafe SSL/TLS version supported; revoked certificate in use; HTTP not redirected to HTTPS; HTTP Strict Transport Security not enforced; HSTS header not including includeSubDomains; domain not found in the HSTS preload list; Secure cookie not used; header exposure using ASP.NET; header exposing the specific ASP.NET version; HttpOnly cookie not used; WordPress XML-RPC enabled; WordPress version exposure; WordPress user list exposure; domain name about to expire or expired; domain registrar transfer protection not enabled; domain registrar deletion protection not enabled; domain marked as inactive; domain registrar DNS reservation; registration blocking of the domain name; suspected malicious provider; SPF syntax errors; X-Powered-By header exposure; policy errors; no policy matching the host; and no policy found.
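The rule comparison method of the risk check rule base, as an added Python example that is not from the patent: a handful of the check items listed above are encoded as predicates over a constructed per-asset observation record (certificate validity, supported TLS versions, redirect behaviour and response headers). The record, the host name and the rule set are assumptions made for illustration.

```python
from datetime import date

# Constructed observation record for one hypothetical asset, as the scanning
# steps would collect it; no network access is needed to evaluate the rules.
SAMPLE_ASSET = {
    "host": "www.example.com",  # placeholder host name
    "https_available": True,
    "cert_not_after": "2024-03-10",
    "cert_revoked": False,
    "tls_versions": ["TLSv1.0", "TLSv1.2"],
    "http_redirects_to_https": False,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": ["session=abc; Path=/; Secure", "tracker=xyz; Path=/"],
        "X-Powered-By": "ASP.NET",
    },
}

UNSAFE_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def days_to_expiry(asset: dict, today: date) -> int:
    return (date.fromisoformat(asset["cert_not_after"]) - today).days


def cookie_flags(asset: dict) -> list:
    """Lower-cased attribute names (secure, httponly, path, ...) of each Set-Cookie value."""
    flags = []
    for raw in asset["headers"].get("Set-Cookie", []):
        attrs = [part.strip().lower() for part in raw.split(";")[1:]]
        flags.append({attr.split("=", 1)[0] for attr in attrs})
    return flags


def hsts(asset: dict):
    return asset["headers"].get("Strict-Transport-Security")


# Each rule is (check item name, predicate over the asset record and the scan date).
RULES = [
    ("SSL unavailable", lambda a, t: not a["https_available"]),
    ("SSL will expire within 20 days",
     lambda a, t: a["https_available"] and days_to_expiry(a, t) <= 20),
    ("Unsafe SSL/TLS version supported", lambda a, t: bool(UNSAFE_TLS & set(a["tls_versions"]))),
    ("Revoked certificate in use", lambda a, t: a["cert_revoked"]),
    ("HTTP not redirected to HTTPS", lambda a, t: not a["http_redirects_to_https"]),
    ("HTTP Strict Transport Security not enforced", lambda a, t: hsts(a) is None),
    ("HSTS header not including includeSubDomains",
     lambda a, t: hsts(a) is not None and "includesubdomains" not in hsts(a).lower()),
    ("Secure cookie not used", lambda a, t: any("secure" not in f for f in cookie_flags(a))),
    ("HttpOnly cookie not used", lambda a, t: any("httponly" not in f for f in cookie_flags(a))),
    ("Header exposure using ASP.NET",
     lambda a, t: "asp.net" in a["headers"].get("X-Powered-By", "").lower()),
]


def check_asset(asset: dict, scan_date: str) -> list:
    """Return the names of all risk check items that fire for this asset.
    scan_date is an ISO date string so callers need no datetime import."""
    today = date.fromisoformat(scan_date)
    return [name for name, predicate in RULES if predicate(asset, today)]


if __name__ == "__main__":
    for item in check_asset(SAMPLE_ASSET, "2024-03-01"):
        print(f"{SAMPLE_ASSET['host']}: {item}")
```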
In traditional geographic space, the map, as an important carrier for describing geographic phenomena, is an indispensable tool for directing operations; in network space there is likewise an urgent need for a network space map that can comprehensively display network space information. In the invention, based on network space geography, the mapping relations between network space and social space and between network space and geographic space are constructed through the geographic and social attributes of network space elements; the geographic environment layer, network environment layer, behavior subject layer and business environment layer are technically fused; network space assets are plotted as points on the map; and real-time, reliable and effective external attack surface risks of the network space are drawn. The map is visualized with charts from the dimensions of scan risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, questionnaire risk, and the like.
In the above embodiment, preferably, the external attack surface management method based on an attacker view angle further includes:
querying a preset threat intelligence library for the IP address and domain name data of the preset area, and judging whether the IP address or the domain name data is threat intelligence;
and drawing and displaying the threat intelligence corresponding to the preset area in the network space map by utilizing the visualization tool.
Specifically, for each IP address and domain name obtained in the above embodiment, the whois information is queried, and then the IP address and domain name data are looked up in the preset threat intelligence library to determine whether the current IP address or domain name is malicious. If malicious, it can be correlated with the threat intelligence reports, malicious files, malicious URLs, malicious organizations, attack events, etc. to which it belongs.
Specifically, querying the whois information of each IP address yields fields including: IP address, scan time, network address range, network name, organization, address description, country, administrator, technical contact, owner, IP allocation source, contact address, telephone, fax, contact mailbox, domain name resolution server, routing range, region, insertion time, update time, etc.
Whois information is likewise obtained for the domain name data, yielding fields such as registrar, creation time, expiration time, name servers, domain status, DNS resolution server, registrant mailbox, registrant telephone, last update time, etc.
Constructing the threat intelligence library mainly requires collecting the threat intelligence reports published by major vendors and parsing key elements such as events, file MD5s, file sizes, file types, C2 server IPs, domain names and malicious URLs from those reports; the threat intelligence library is built from these elements.
In the above embodiment, preferably, the external attack surface management method based on an attacker view angle further includes:
performing risk scoring on the asset according to the risk inspection result, based on the CVSS (Common Vulnerability Scoring System), by using a risk assessment model that synthesizes different assessment dimensions;
wherein the evaluation dimensions on which the risk evaluation model is based include scan risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, and questionnaire risk;
under the CVSS system, determining the CVSS score of the asset in each assessment dimension on a 0-10 scale according to whether vulnerabilities exist in that assessment dimension and the risk level of those vulnerabilities.
Specifically, in the above embodiment, on the basis of the risk inspection of the asset using the risk inspection rule base, a risk assessment model is used to analyze the risk score of each asset, and the risk of each vulnerability refers to the CVSS Common Vulnerability Scoring System. CVSS scoring is based on measurements over a range of dimensions known as metrics; the final score of a vulnerability is at most 10 and at least 0. Vulnerabilities scoring 7-10 are generally considered high severity, medium vulnerabilities score 4-6.9, low vulnerabilities score 0-3.9, and a score of 0 indicates no vulnerability. The CVSS system includes three types of scores: the base score, the temporal score and the environmental score.
The risk assessment model is a constructed regression model, and the asset risk score of the area is calculated from the assessment dimensions of scanning risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, questionnaire risk, and the like.
In the above embodiment, preferably, the external attack surface management method based on an attacker view angle further includes:
aiming at the risk of the assets in the preset area, respectively giving corresponding weights to the evaluation indexes of different risks according to the evaluation indexes of the predefined risk priority standards;
calculating priority scores of corresponding risks based on the quantized scores and weights of the evaluation indexes;
determining the priority of each risk according to the priority scores of all risks;
and classifying risks of the assets in the preset area according to the priority order.
Specifically, although a large amount of data on assets, vulnerabilities and risks in the area is obtained through the above steps, such a large volume of data is difficult to manage; risk priority determination is therefore necessary so that risks with high priority are handled first.
Risk priority decision is the process of evaluating and ordering different risks in a risk management process. First, risk assessment is required to identify and quantify potential risks. This includes determining the likelihood and extent of impact of the risk, and qualitative and quantitative methods are often used to measure the severity of the risk. In order to make a risk priority decision, a set of priority criteria or evaluation criteria need to be defined. These criteria may include the potential impact range of risk, likelihood, vulnerability, asset value, regulatory compliance requirements, etc. Different criteria may be given different weights depending on the specific needs and context of the organization.
To make the risk priority determination more objective, a set of evaluation indicators may be defined to measure risk. These indicators may be based on qualitative or quantitative data, such as historical event data, vulnerability scores, threat intelligence, security performance metrics, and the like. By comprehensively considering these indicators, a more comprehensive risk priority assessment can be derived.
Based on the risk assessment and the priority criteria, an appropriate algorithm or model may be used to calculate the priority of the risk. Common methods include weighted scoring, failure mode and impact analysis (FMEA), risk matrix, and the like. These methods will take into account various risk factors and assign a relative weight or score to each risk to determine its priority.
Finally, according to the calculated priority, the risks can be ranked and graded.
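The CVSS severity banding described under the risk scoring step and the weighted priority calculation described in the passage above, combined into one added Python example that is not from the patent. The indicator weights, the P1/P2/P3 thresholds, the use of the highest CVSS score in a dimension as that dimension's score, and the sample findings are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assessment dimensions named in the text (each listed once here).
DIMENSIONS = [
    "scan_risk", "penetration_risk", "website_security", "network_security",
    "brand_reputation_risk", "phishing_malware_risk", "email_security",
    "questionnaire_risk",
]

# Assumed weights for the evaluation indicators of the priority criteria; the
# patent leaves the concrete indicators and weights to the organisation.
WEIGHTS = {"impact": 0.35, "likelihood": 0.25, "asset_value": 0.25, "compliance": 0.15}


def cvss_severity(score: float) -> str:
    """Band a 0-10 CVSS score into the levels the text describes."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


@dataclass
class Finding:
    asset: str
    dimension: str
    cvss: float
    indicators: dict = field(default_factory=dict)  # indicator -> quantized 0-10 score

    def __post_init__(self):
        if self.dimension not in DIMENSIONS:
            raise ValueError(f"unknown assessment dimension: {self.dimension}")


def dimension_scores(findings: list) -> dict:
    """Assumed per-dimension score: the highest CVSS score among its findings."""
    scores = {d: 0.0 for d in DIMENSIONS}
    for f in findings:
        scores[f.dimension] = max(scores[f.dimension], f.cvss)
    return scores


def priority_score(finding: Finding, weights: dict = WEIGHTS) -> float:
    """Weighted average of the quantized indicator scores, on a 0-10 scale."""
    total = sum(weights.values())
    return round(sum(w * finding.indicators.get(k, 0.0) for k, w in weights.items()) / total, 2)


def priority_level(score: float) -> str:
    """Assumed grading thresholds for the ranked risks."""
    return "P1" if score >= 7.0 else "P2" if score >= 4.0 else "P3"


def prioritize(findings: list, weights: dict = WEIGHTS) -> list:
    """Rank findings by priority score and grade each one; returns
    (rank, asset, dimension, cvss severity, priority score, level) tuples."""
    ranked = sorted(findings, key=lambda f: priority_score(f, weights), reverse=True)
    out = []
    for rank, f in enumerate(ranked, start=1):
        s = priority_score(f, weights)
        out.append((rank, f.asset, f.dimension, cvss_severity(f.cvss), s, priority_level(s)))
    return out


# Constructed sample findings; asset names are placeholders.
SAMPLE_FINDINGS = [
    Finding("asset-A", "scan_risk", 9.8, {"impact": 9, "likelihood": 8, "asset_value": 7, "compliance": 5}),
    Finding("asset-B", "website_security", 5.3, {"impact": 4, "likelihood": 6, "asset_value": 7, "compliance": 8}),
    Finding("asset-C", "email_security", 3.1, {"impact": 2, "likelihood": 3, "asset_value": 2, "compliance": 2}),
    Finding("asset-B", "scan_risk", 6.5, {"impact": 6, "likelihood": 9, "asset_value": 8, "compliance": 3}),
]

if __name__ == "__main__":
    for dim, score in dimension_scores(SAMPLE_FINDINGS).items():
        print(f"{dim:24s} {score:4.1f} {cvss_severity(score)}")
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```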
As shown in fig. 3, the present invention further provides an external attack surface management system based on the attacker view angle, to which the external attack surface management method based on the attacker view angle disclosed in any one of the above embodiments is applied, comprising:
the asset scanning module 1 is used for collecting IP addresses and full domain name data in a preset area and carrying out full port scanning on the IP addresses and the domain name data;
the fingerprint identification module 2 is used for summarizing the scanned and identified assets to obtain an asset data set of a preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
the suspected analysis module 3 is used for carrying out collision comparison on fingerprint information of the assets in a preset vulnerability database and analyzing suspected vulnerabilities in each asset;
the vulnerability verification module 4 is configured to perform POC verification on the suspected vulnerability by using the vulnerability scanning engine to obtain a network space vulnerability in the asset in the preset area;
the risk checking module 5 is used for checking the risk of the asset by using a rule comparison method in a preset risk checking rule base to obtain the asset risk of the preset area;
the map construction module 6 is used for constructing a mapping relation between the network space and the social space and the geographic space based on the network space geography to form a network space map of a preset area;
and the risk visualization module 7 is used for drawing and displaying the network space loopholes and asset risks corresponding to the preset areas in the network space map by utilizing the visualization tool.
In this embodiment, the behavior patterns and attack paths of an attacker are comprehensively considered, and the attacker's behavior and strategy are simulated. Combining suspected vulnerability analysis with the vulnerability scanning strategy solves the problem of a traditional vulnerability scanning tool missing large parts of a region. Risk inspection based on the risk inspection rule base identifies potential attack paths, vulnerabilities and risks, so that the overall security condition and risks of the network are known, the efficiency of managing the region's attack surface is improved, the risk of potential attacks is reduced, and important information and assets are protected. The network space vulnerabilities and asset risks of a region are displayed through a visualization tool, and the external attack surface of the network is evaluated and managed from the attacker's perspective, providing a comprehensive network security evaluation and management solution.
In the foregoing embodiment, preferably, the external attack surface management system based on the attacker view angle further includes a threat query module 8, configured to query a preset threat intelligence library for the IP address and domain name data of the preset area, and to determine whether the IP address or domain name data is threat intelligence;
the risk visualization module 7 is further configured to draw and display the threat intelligence corresponding to the preset area in the network space map by using the visualization tool.
In the above embodiment, preferably, the external attack surface management system based on the view angle of the attacker further includes a risk scoring module 9, specifically configured to:
performing risk scoring on the asset according to the risk inspection result, based on the CVSS (Common Vulnerability Scoring System), by using a risk assessment model that synthesizes different assessment dimensions;
wherein the evaluation dimensions on which the risk evaluation model is based include scan risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, and questionnaire risk;
under the CVSS system, determining the CVSS score of the asset in each assessment dimension on a 0-10 scale according to whether vulnerabilities exist in that assessment dimension and the risk level of those vulnerabilities.
In the above embodiment, preferably, the external attack surface management system based on the view angle of the attacker further includes a risk classification module 10, specifically configured to:
aiming at the risk of the assets in the preset area, respectively giving corresponding weights to the evaluation indexes of different risks according to the evaluation indexes of the predefined risk priority standards;
calculating priority scores of corresponding risks based on the quantized scores and weights of the evaluation indexes;
determining the priority of each risk according to the priority scores of all risks;
and classifying risks of the assets in the preset area according to the priority order.
The functions implemented by each module of the external attack surface management system based on the attacker view angle disclosed in the above embodiment correspond to and are consistent with the steps of the external attack surface management method based on the attacker view angle disclosed in the above embodiments; they are implemented with reference to those embodiments and are not repeated here.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An external attack surface management method based on an attacker view angle is characterized by comprising the following steps:
collecting IP addresses and full domain name data in a preset area, and carrying out full port scanning on the IP addresses and the domain name data;
summarizing the scanned and identified assets to obtain an asset data set of the preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
performing collision comparison on fingerprint information of the assets in a preset vulnerability database, and analyzing suspected vulnerabilities in each asset;
performing POC verification on the suspected vulnerabilities by using a vulnerability scanning engine to obtain network space vulnerabilities in the assets in the preset area;
performing risk inspection on the asset by using a rule comparison method in a preset risk inspection rule base to obtain asset risk of the preset area;
based on the network space geography, constructing a mapping relation between the network space and the social space and geographic space to form a network space map of the preset area;
and drawing and displaying the network space loopholes and the asset risks corresponding to the preset area in the network space map by utilizing a visualization tool.
2. The external attack surface management method based on the attacker view angle according to claim 1, further comprising:
inquiring the IP address and domain name data of the preset area in a preset threat information library, and judging whether the IP address or the domain name data is threat information or not;
and drawing and displaying threat information corresponding to the preset area in the network space map by utilizing the visualization tool.
3. The external attack surface management method based on the attacker view according to claim 1 or 2, further comprising:
according to a risk inspection result and based on a CVSS universal vulnerability assessment system, carrying out risk scoring on the asset by utilizing a risk assessment model to synthesize different assessment dimensions;
wherein the evaluation dimensions on which the risk assessment model is based include scanning risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, and questionnaire risk;
under the CVSS universal vulnerability assessment system, determining CVSS scores of the assets in corresponding assessment dimensions on a 0-10 scale according to whether vulnerabilities exist in different assessment dimensions in the assets and the risk level of the vulnerabilities.
4. The external attack surface management method according to claim 3, further comprising:
aiming at the risks of the assets in the preset area, respectively giving corresponding weights to the evaluation indexes of different risks according to the evaluation indexes of the predefined risk priority standards;
calculating priority scores of corresponding risks based on the quantized scores and weights of the evaluation indexes;
determining the priority of each risk according to the priority scores of all risks;
and classifying risks of the assets in the preset area according to the priority order.
5. The external attack surface management method according to claim 4, wherein the port scanning technique for performing full port scanning comprises TCP connection scanning, SYN scanning, NULL scanning, FIN scanning, XMAS scanning, UDP scanning, IDLE scanning and SCTP scanning; the fingerprint identification mode for fingerprint identification comprises comparing MD5 of a specific file, detecting keywords contained in a normal page or an error webpage, keyword matching of request header information and keywords contained in partial URL; the analysis tool for performing collision contrast is a spark distributed computing engine.
6. The external attack surface management method based on the attacker view angle according to claim 3, wherein the risk check items in the preset risk check rule base include, but are not limited to: SSL unavailable, HTTPS redirection not supported, SSL certificate will expire within 20 days, weak SSL algorithm, unsafe SSL/TLS version supported, revoked certificate in use, HTTP not redirected to HTTPS, HTTP Strict Transport Security not enforced, HSTS header not including includeSubDomains, domain not found in the HSTS preload list, Secure cookie not used, header exposure using ASP.NET, header exposing the specific ASP.NET version, HttpOnly cookie not used, WordPress XML-RPC API enabled, WordPress version exposure, WordPress user list exposure, domain name expiration, domain registrar transfer protection not enabled, domain registrar deletion protection not enabled, domain marked as inactive, domain registrar reservation, domain registrar blocking, suspected malicious provider, SPF syntax errors, X-Powered-By header exposure, policy errors, no policy matching the host, and no policy found.
7. An external attack surface management system based on an attacker view, wherein the external attack surface management method based on an attacker view according to any one of claims 1 to 6 is applied, comprising:
the asset scanning module is used for collecting the IP address and the full domain name data in a preset area and carrying out full port scanning on the IP address and the domain name data;
the fingerprint identification module is used for summarizing the scanned and identified assets to obtain an asset data set of the preset area, and carrying out fingerprint identification on the assets in the asset data set to obtain fingerprint information of the assets;
the suspected analysis module is used for carrying out collision comparison on fingerprint information of the assets in a preset vulnerability database and analyzing suspected vulnerabilities in each asset;
the vulnerability verification module is used for performing POC verification on the suspected vulnerability by utilizing a vulnerability scanning engine to obtain network space vulnerabilities in the assets in the preset area;
the risk checking module is used for checking the risk of the asset by using a rule comparison method in a preset risk checking rule base to obtain the asset risk of the preset area;
the map construction module is used for constructing a mapping relation between the network space and the social space and geographic space based on the network space geography to form a network space map of the preset area;
and the risk visualization module is used for drawing and displaying the network space loopholes and the asset risks corresponding to the preset area in the network space map by utilizing the visualization tool.
8. The external attack surface management system based on the view angle of an attacker according to claim 7, further comprising a threat query module, configured to query a preset threat intelligence library for an IP address and domain name data of the preset area, and determine whether the IP address or the domain name data is threat intelligence;
the risk visualization module is further used for drawing and displaying threat information corresponding to the preset area in the network space map by utilizing the visualization tool.
9. The external attack surface management system based on an attacker view according to claim 7 or 8, further comprising a risk scoring module, in particular for:
according to a risk inspection result and based on a CVSS universal vulnerability assessment system, carrying out risk scoring on the asset by utilizing a risk assessment model to synthesize different assessment dimensions;
wherein the evaluation dimensions on which the risk assessment model is based include scanning risk, penetration risk, website security, network security, brand and reputation risk, phishing and malware risk, email security, penetration risk, and questionnaire risk;
under the CVSS universal vulnerability assessment system, determining CVSS scores of the assets in corresponding assessment dimensions on a 0-10 scale according to whether vulnerabilities exist in different assessment dimensions in the assets and the risk level of the vulnerabilities.
10. The external attack surface management system based on the attacker view according to claim 9, further comprising a risk classification module, in particular for:
aiming at the risks of the assets in the preset area, respectively giving corresponding weights to the evaluation indexes of different risks according to the evaluation indexes of the predefined risk priority standards;
calculating priority scores of corresponding risks based on the quantized scores and weights of the evaluation indexes;
determining the priority of each risk according to the priority scores of all risks;
and classifying risks of the assets in the preset area according to the priority order.
CN202310973052.6A 2023-08-04 2023-08-04 External attack surface management method and system based on attacker view angle Active CN116708028B (en)

Publications (2)

Publication Number Publication Date
CN116708028A true CN116708028A (en) 2023-09-05
CN116708028B CN116708028B (en) 2023-11-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant