CN117439814A - ATT & CK-based network security event linkage treatment system and method - Google Patents


Info

Publication number: CN117439814A
Authority: CN (China)
Prior art keywords: network security, malicious code, module, threat information, management
Legal status: Pending
Application number: CN202311627758.3A
Other languages: Chinese (zh)
Inventors: 冯馨仪, 何纪成, 高明慧, 张志军, 马力, 高航, 马睿, 王洋, 杨兰, 邢世龙
Current Assignee: Beijing Kedong Electric Power Control System Co Ltd
Original Assignee: Beijing Kedong Electric Power Control System Co Ltd

Classifications

All classifications are under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L41/06 Management of faults, events, alarms or notifications
            • H04L41/0631 Using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
            • H04L41/069 Using logs of notifications; post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/12 Applying verification of the received information
            • H04L63/126 Verifying the source of the received data
        • H04L63/14 Detecting or protecting against malicious traffic
            • H04L63/1408 By monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/1441 Countermeasures against malicious traffic
        • H04L63/20 Managing network security; network security policies in general

Abstract

The invention discloses an ATT&CK-based network security event linkage handling system and method in the technical field of network security.

Description

ATT&CK-based network security event linkage handling system and method
Technical Field
The invention relates to the technical field of network security, and in particular to an ATT&CK-based network security event linkage handling system and method.
Background
With the rapid development of network technology, networked applications have reached into every part of daily life. At the same time, network security events occur without end and disrupt the safe and stable operation of production and daily life. Timely discovery and handling of security events is therefore critical to protecting the network.
Traditional security event handling approaches mainly rely on different kinds of security products, each of which operates independently. This mode of handling ignores the relationships and interactions among the security products and fails to make full use of their respective strengths.
Disclosure of Invention
The present invention was developed in view of the lack of linkage between security products in existing conventional security event handling approaches.
The problem to be solved by the invention is therefore how to provide a security event linkage handling method that realizes effective cooperation between security products, identifies and handles threats effectively, and improves the reliability and efficiency of network security protection.
In order to solve the technical problems, the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides an ATT&CK-based network security event linkage handling system comprising: a threat intelligence module, which collects threat intelligence, uploads it to the network security management platform, and writes the new threat intelligence produced by the platform's analysis back into the platform's threat intelligence library; a threat intelligence analysis module, which classifies the threat intelligence according to the ATT&CK matrix to determine the data sources to which it belongs and reports the resulting data source composition to the data source processing module; a data source processing module, which receives and analyzes the data source composition uploaded by the threat intelligence analysis module, generates a monitoring strategy and management and control measures, and uploads them to the network security management platform; a trusted verification module, which verifies and evaluates assets according to the monitoring strategy and management and control measures generated by the data source processing module and the standard requirements set by the security management specification, generates measurement results, and uploads measurement failure logs to the network security management platform; a malicious code monitoring module, which monitors malicious code in the system, detects and analyzes the malicious code it finds to generate alarm logs, uploads the alarm logs to the network security management platform, receives the strategies and commands issued by the platform, and promptly blocks the damage and destruction that malicious code would cause to the system; and a management and control module, which executes the management and control commands issued by the network security management platform and applies management and control measures to assets with security risks.
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the malicious code monitoring module comprises an anti-malicious-code client management module, an anti-malicious-code client, a malicious code traffic monitoring and collection module, and a malicious code analysis module. The anti-malicious-code client management module centrally manages, configures and upgrades the anti-malicious-code clients and receives their monitoring results; the anti-malicious-code client monitors the programs and file data resources on terminal equipment for malicious code and actively blocks malicious code from being accessed, transmitted or run; the malicious code traffic monitoring and collection module collects malicious code traffic data from the network and passes it to the malicious code analysis module for analysis; and the malicious code analysis module analyzes the collected malicious code traffic data in depth, extracts the relevant characteristic information to identify the type and behavior of the malicious code, and generates the corresponding detection and defense rules.
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the workflow of the threat intelligence module is as follows: the network security management platform classifies the threat intelligence it receives; by analyzing the characteristics and harmfulness of each threat, the threat intelligence is assigned to the corresponding ATT&CK tactic stage; the threat intelligence is compared with the technique characteristics of that ATT&CK tactic stage and, if it matches the technique characteristics of a given tactic stage, is merged into the technique matrix of that stage; if it matches the technique characteristics of several ATT&CK tactic stages, it is merged into each of the corresponding technique matrices; the merged threat intelligence accumulates over time into a threat intelligence matrix specific to the network security management platform; and the monitoring data sources are determined from the technique characteristics of the threat intelligence to form the threat intelligence data sources.
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the ATT&CK tactic stages are reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact; the threat intelligence data sources are Active Directory, application log, certificate, cloud service, cloud storage, command, container, domain name, drive, driver, file, firewall, firmware, group, image, instance, internet scan, kernel, logon session, malware repository, module, named pipe, network share, network traffic, persona, pod, process, scheduled job, script, sensor health, service, snapshot, user account, volume, web credential, Windows registry, and WMI.
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the workflow of the trusted verification module is as follows: the network security management platform uses the trusted verification module to protect important assets; the root of trust monitors and measures the BIOS firmware data source according to the platform's requirements, ensuring the integrity and security of the BIOS firmware data during transmission; once root-of-trust verification passes, the trusted verification module loads the operating system boot program; once verification by the basic trusted base passes, the trusted verification module loads the operating system and applications while monitoring and measuring the Active Directory and application log data sources; and once verification by the trusted software base passes, the trusted verification module loads the service network and checks the security and integrity of the network connection.
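The staged trusted verification workflow above, modelled as a chain in which each stage is measured against a reference value before it is loaded and a failed measurement halts the chain and produces a measurement failure log. This is an added example, not the patent's code; the hash function (SHA-256), the stage images, the reference values, and the assumption that each stage beyond the BIOS firmware is measured by the verification that gates it are all choices made for this example.

```python
"""Model of the staged trusted verification workflow described above.
Constructed for this page; not the patent's code. Each stage's image is
measured (SHA-256 here, an assumption) against a reference value before it is
loaded; a stage is loaded only when the verification gating it has passed, and
every failed measurement yields a measurement failure log for upload to the
network security management platform. Which component measures the images
beyond the BIOS firmware is not stated in the text and is assumed here.
"""
import hashlib
from dataclasses import dataclass

# Ordered chain: the verification that gates each stage, what is loaded, and
# the data sources monitored alongside it (only where the text names them).
STAGES = [
    {"gate": "root of trust", "loads": "BIOS firmware", "monitors": []},
    {"gate": "root of trust", "loads": "OS boot program", "monitors": []},
    {"gate": "basic trusted base", "loads": "operating system and applications",
     "monitors": ["Active Directory", "application log"]},
    {"gate": "trusted software base", "loads": "service network",
     "monitors": ["network connection"]},
]


@dataclass
class MeasurementLog:
    stage: str
    gate: str
    expected: str
    actual: str
    passed: bool


def measure(image: bytes) -> str:
    """Measurement of one stage image (SHA-256 digest, an assumption)."""
    return hashlib.sha256(image).hexdigest()


def verify_chain(images, reference):
    """Walk the chain in order. Returns (loaded stages, monitored data sources,
    measurement logs). Stops at the first failed measurement: nothing after a
    failed stage is loaded, which is the point of a chain of trust."""
    loaded, monitored, logs = [], [], []
    for stage in STAGES:
        name = stage["loads"]
        actual = measure(images.get(name, b""))      # missing image measures as empty
        expected = reference.get(name, "")
        passed = actual == expected
        logs.append(MeasurementLog(name, stage["gate"], expected, actual, passed))
        if not passed:
            break
        loaded.append(name)
        monitored.extend(stage["monitors"])
    return loaded, monitored, logs


def failure_records(logs):
    """Measurement failure log entries in the form uploaded to the platform."""
    return [{"stage": l.stage, "gate": l.gate, "expected": l.expected, "actual": l.actual}
            for l in logs if not l.passed]


# Constructed known-good images and the reference measurements derived from them.
GOOD_IMAGES = {
    "BIOS firmware": b"constructed bios image v1",
    "OS boot program": b"constructed boot loader v1",
    "operating system and applications": b"constructed os+apps image v1",
    "service network": b"constructed service network config v1",
}
REFERENCE = {name: measure(img) for name, img in GOOD_IMAGES.items()}


def tampered(images, stage, payload=b" (modified)"):
    """Copy of the image set with one stage altered, to exercise the failure path."""
    out = dict(images)
    out[stage] = out[stage] + payload
    return out


if __name__ == "__main__":
    print("clean boot loaded:", verify_chain(GOOD_IMAGES, REFERENCE)[0])
    _, _, logs = verify_chain(tampered(GOOD_IMAGES, "OS boot program"), REFERENCE)
    print("failure logs:", failure_records(logs))
```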
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the workflow of the malicious code monitoring module is as follows: based on the system's security condition and actual needs, the network security management platform decides whether a management and control instruction needs to be issued; if the conditions for issuing one are met, the platform issues the instruction to the anti-malicious-code client, the instruction comprising a scheduled task policy and a library upgrade; the anti-malicious-code client management module checks whether a management and control instruction has been received; if so, it issues the scheduled task policy and library upgrade to the anti-malicious-code clients and receives scan-and-kill log information from them; the malicious code traffic monitoring and collection module checks whether its collection conditions are met; if so, it collects malicious code traffic data from the network and passes it to the malicious code analysis module; the malicious code analysis module checks whether its analysis conditions are met; if so, it receives the collected traffic data together with the asset alarm information, analyzes them further, and generates the corresponding alarm log; based on the alarm information from the trusted verification module and the malicious code monitoring system, the network security management platform issues a management and control command to the management and control module so that the asset is managed and controlled; and according to the situation and threat level, the platform selects an appropriate management and control measure to improve network security.
As a preferred mode of the ATT&CK-based network security event linkage handling system of the present invention: the conditions for issuing a management and control instruction are as follows: the network security management platform decides whether an instruction is needed from the security threat situation monitored in real time, and issues one if high-risk malicious code activity or another security threat exists; the platform decides from the security level and importance of each asset, and issues an instruction if an asset is defined as high-risk or important; the platform decides from the established security policies and rules, and issues an instruction if the policies and rules indicate that an asset must be managed and controlled; and the administrator may decide by manual intervention, based on his own judgment and experience, that control is required, in which case the platform issues the corresponding instruction according to the administrator's decision.
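The platform's decision to issue a management and control instruction, following the four conditions just listed and the monitoring workflow before them, as an added example that is not the patent's own code. The alarm record format, the asset criticality levels, the policy rule format, the measure names and the scheduled task policy are assumptions of this example.

```python
"""Model of the platform's decision to issue a management and control
instruction, following the four conditions listed above and the malicious
code monitoring workflow. Constructed for this page; not the patent's code.
Alarm records, asset criticality levels, the policy rule format, the measure
names and the scheduled task policy are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Alarm:
    asset: str
    source: str          # "trusted-verification" (measurement failure) or "malicious-code"
    level: str           # "low" | "medium" | "high"
    detail: str


@dataclass
class Asset:
    name: str
    criticality: str     # "normal" | "important" | "high-risk"


@dataclass
class Decision:
    asset: str
    issue: bool
    reasons: list = field(default_factory=list)
    instruction: Optional[dict] = None


def matching_rule(asset, alarms, rules):
    """Condition 3: first configured rule naming this asset (or '*') and one of
    the alarm sources present."""
    sources = {a.source for a in alarms}
    for rule in rules:
        if rule["asset"] in (asset.name, "*") and rule["source"] in sources:
            return rule["name"]
    return None


def build_instruction(asset, alarms):
    """Measures proportionate to the worst threat level (measure names assumed).
    The instruction also carries the scheduled task policy and library upgrade
    that the anti-malicious-code client management module forwards to clients."""
    worst = max((LEVEL_RANK[a.level] for a in alarms), default=0)
    if worst == 2:
        measures = ["isolate-asset", "scan-and-kill", "library-upgrade"]
    elif worst == 1:
        measures = ["scan-and-kill", "library-upgrade"]
    else:
        measures = ["scheduled-scan"]
    return {"asset": asset.name, "measures": measures,
            "client_policy": {"scheduled_task": "daily-full-scan", "library_upgrade": True}}


def decide(asset, alarms, rules, admin_requires_control=False):
    """Apply the four conditions; any one of them is sufficient to issue."""
    reasons = []
    # 1. real-time threat situation: high-risk malicious code activity or other threat
    if any(a.level == "high" for a in alarms):
        reasons.append("high-risk activity detected")
    # 2. security level and importance of the asset (only when something was seen on it)
    if alarms and asset.criticality in ("important", "high-risk"):
        reasons.append(f"asset classified {asset.criticality}")
    # 3. established security policies and rules
    rule = matching_rule(asset, alarms, rules)
    if rule:
        reasons.append(f"policy rule {rule}")
    # 4. administrator's manual decision
    if admin_requires_control:
        reasons.append("administrator decision")
    decision = Decision(asset.name, bool(reasons), reasons)
    if decision.issue:
        decision.instruction = build_instruction(asset, alarms)
    return decision


def process_alarms(assets, alarms, rules, admin_decisions=None):
    """Group alarms by asset (as the platform would on receipt) and decide per asset."""
    admin_decisions = admin_decisions or {}
    by_asset = {}
    for a in alarms:
        by_asset.setdefault(a.asset, []).append(a)
    return {name: decide(asset, by_asset.get(name, []), rules,
                         admin_decisions.get(name, False))
            for name, asset in assets.items()}


# Constructed sample data.
ASSETS = {"ems-server-01": Asset("ems-server-01", "high-risk"),
          "office-pc-17": Asset("office-pc-17", "normal"),
          "hmi-03": Asset("hmi-03", "important")}
RULES = [{"name": "TV-FAIL", "asset": "*", "source": "trusted-verification"}]
ALARMS = [
    Alarm("ems-server-01", "malicious-code", "high", "traffic matched detection rule"),
    Alarm("office-pc-17", "malicious-code", "low", "client scan: quarantined file"),
]

if __name__ == "__main__":
    for name, d in process_alarms(ASSETS, ALARMS, RULES).items():
        print(name, d.issue, d.reasons, d.instruction)
```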
In a second aspect, an embodiment of the present invention provides an ATT&CK-based network security event linkage handling method, in which: the threat intelligence module acquires threat intelligence from commercial databases, malicious code libraries, the platform's own threat intelligence data and national-level intelligence sharing sources, and uploads it to the network security management platform; the platform classifies and merges the threat intelligence according to its characteristics and the tactic and technique specifications of the reference ATT&CK matrix to form a threat intelligence matrix; according to the tactics and techniques involved in the threat intelligence, and with reference to the characteristics of the ATT&CK matrix data sources, the corresponding threat intelligence data sources are created; the data source composition is uploaded to the data source processing module, which analyzes and processes the data sources to generate a monitoring strategy and management and control measures and uploads them to the platform; the platform issues the corresponding strategies and control commands to the trusted verification module and the malicious code monitoring system according to the uploaded monitoring strategy and control measures; the trusted verification module and the malicious code monitoring system upload measurement failure logs and alarm logs to the platform; the platform analyzes the measurement logs and alarm logs together, discovers new threat intelligence and feeds it into the threat intelligence system to enrich it; and the platform analyzes the alarm and log information together, issues the corresponding management and control commands to the management and control module, and promptly takes the corresponding measures to handle the assets with security problems.
In a third aspect, embodiments of the present invention provide a computer apparatus comprising a memory and a processor, the memory storing a computer program whose instructions, when executed by the processor, implement the steps of the ATT&CK-based network security event linkage handling system according to the first aspect of the present invention.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon whose instructions, when executed by a processor, implement the steps of the ATT&CK-based network security event linkage handling system according to the first aspect of the present invention.
The beneficial effects of the invention are as follows: by using the ATT&CK matrix, the invention links the threat intelligence system, the trusted verification module and the malicious code monitoring system; it classifies threat intelligence from the perspective of ATT&CK techniques, monitors data sources according to the technique characteristics, and provides a new network security event handling flow, thereby improving the efficiency of threat intelligence processing, identifying the threat source, and improving the way network security events are handled, so as to raise the overall capability of network security protection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a system flow diagram of the ATT&CK-based network security event linkage handling system.
Fig. 2 is a schematic diagram of the information sources of the threat intelligence system of the ATT&CK-based network security event linkage handling system.
Fig. 3 is a schematic diagram of the composition and working principle of the trusted verification module of the ATT&CK-based network security event linkage handling system.
Fig. 4 is a schematic diagram of the composition and working principle of the malicious code monitoring module of the ATT&CK-based network security event linkage handling system.
Fig. 5 is a diagram of the data source monitoring effect of the network security management platform of the ATT&CK-based network security event linkage handling system.
Fig. 6 is a diagram of the linkage analysis effect of the network security management platform of the ATT&CK-based network security event linkage handling system.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to Figs. 1-6, a first embodiment of the present invention provides an ATT&CK-based network security event linkage handling system comprising a threat intelligence module, which collects threat intelligence and uploads it to the data source processing module.
Specifically, the network security management platform classifies the threat intelligence it receives according to its content; by analyzing the characteristics and harmfulness of each threat, the threat intelligence is assigned to the corresponding ATT&CK tactic stage; the threat intelligence is compared with the technique characteristics of that ATT&CK tactic stage and is merged into the technique matrix of that stage if it matches the technique characteristics of a given tactic stage, or into each of the corresponding technique matrices if it matches the technique characteristics of several ATT&CK tactic stages; the merged threat intelligence accumulates over time into a threat intelligence matrix specific to the network security management platform; and the monitoring data sources are determined from the technique characteristics of the threat intelligence to form the threat intelligence data sources.
Note that the ATT&CK tactic stages are reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact, for a total of 14 tactic stages.
Preferably, the threat intelligence data sources comprise the following 37 items: Active Directory, application log, certificate, cloud service, cloud storage, command, container, domain name, drive, driver, file, firewall, firmware, group, image, instance, internet scan, kernel, logon session, malware repository, module, named pipe, network share, network traffic, persona, pod, process, scheduled job, script, sensor health, service, snapshot, user account, volume, web credential, Windows registry, and WMI.
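The threat intelligence workflow described above (in the summary and again in this embodiment), as an added example that is not the patent's code: a constructed subset of an ATT&CK-style matrix maps techniques to their tactic stages and data sources; intelligence records are classified by technique characteristics, merged into the technique matrix of every tactic stage they match, accumulated into a platform-specific matrix, and the data source composition to be monitored is derived from the matched techniques. The technique ids and names follow the public ATT&CK naming; the matching characteristics, the sample records and the record format are assumptions of this example.

```python
"""Model of the threat intelligence workflow described above.

Constructed for this page; not the patent's own code. A small subset of an
ATT&CK-style matrix maps each technique to its tactic stage(s), to the
observable characteristics used for matching (an assumption made here), and
to the ATT&CK data sources that can observe it. Threat intelligence records
are classified by matching their characteristics against technique
characteristics, merged into the technique matrix of every tactic stage they
match, accumulated into a platform-specific matrix, and the monitoring data
source composition is derived from the matched techniques.
"""
from dataclasses import dataclass, field

# Constructed subset of the matrix. Technique ids and names follow the public
# ATT&CK naming; the matching characteristics are an assumption of this example.
TECHNIQUES = {
    "T1566": {"name": "Phishing",
              "tactics": ["initial-access"],
              "characteristics": {"email", "attachment", "link"},
              "data_sources": ["application log", "file", "network traffic"]},
    "T1059": {"name": "Command and Scripting Interpreter",
              "tactics": ["execution"],
              "characteristics": {"powershell", "cmd", "script"},
              "data_sources": ["command", "process", "script"]},
    "T1053": {"name": "Scheduled Task/Job",
              "tactics": ["execution", "persistence", "privilege-escalation"],
              "characteristics": {"schtasks", "cron", "scheduled task"},
              "data_sources": ["scheduled job", "process", "command"]},
    "T1003": {"name": "OS Credential Dumping",
              "tactics": ["credential-access"],
              "characteristics": {"lsass", "sam", "credential dump"},
              "data_sources": ["process", "command", "windows registry"]},
    "T1021": {"name": "Remote Services",
              "tactics": ["lateral-movement"],
              "characteristics": {"rdp", "smb", "ssh"},
              "data_sources": ["logon session", "network traffic", "network share"]},
}


@dataclass
class ThreatIntel:
    intel_id: str
    source: str            # commercial database, malware library, own data, national sharing
    characteristics: set   # observables reported with the record


@dataclass
class PlatformMatrix:
    """Platform-specific threat intelligence matrix: tactic -> technique -> intel ids."""
    cells: dict = field(default_factory=dict)
    unclassified: list = field(default_factory=list)   # intel matching no technique

    def merge(self, tactic, technique_id, intel_id):
        bucket = self.cells.setdefault(tactic, {}).setdefault(technique_id, [])
        if intel_id not in bucket:          # the same record may be uploaded twice
            bucket.append(intel_id)


def classify(intel, matrix=TECHNIQUES):
    """Technique ids whose characteristics overlap with the record's characteristics."""
    return sorted(tid for tid, t in matrix.items()
                  if intel.characteristics & t["characteristics"])


def merge_intel(platform, intel, matrix=TECHNIQUES):
    """Merge one record into every tactic stage it matches; return the
    monitoring data sources derived from the matched techniques."""
    matched = classify(intel, matrix)
    if not matched:
        platform.unclassified.append(intel.intel_id)   # left for manual review
        return []
    data_sources = set()
    for tid in matched:
        for tactic in matrix[tid]["tactics"]:
            platform.merge(tactic, tid, intel.intel_id)
        data_sources.update(matrix[tid]["data_sources"])
    return sorted(data_sources)


def build_platform_matrix(records, matrix=TECHNIQUES):
    """Accumulate all records; return the matrix and each record's data sources."""
    platform = PlatformMatrix()
    per_record = {rec.intel_id: merge_intel(platform, rec, matrix) for rec in records}
    return platform, per_record


def data_source_composition(platform, matrix=TECHNIQUES):
    """Data source composition reported to the data source processing module:
    data source -> techniques that require it to be monitored."""
    comp = {}
    for techniques in platform.cells.values():
        for tid in techniques:
            for ds in matrix[tid]["data_sources"]:
                comp.setdefault(ds, set()).add(tid)
    return {ds: sorted(tids) for ds, tids in sorted(comp.items())}


# Constructed sample intelligence records.
SAMPLE_INTEL = [
    ThreatIntel("INTEL-001", "commercial database", {"email", "attachment", "scheduled task"}),
    ThreatIntel("INTEL-002", "national sharing source", {"rdp", "lsass"}),
    ThreatIntel("INTEL-003", "own data", {"unknown indicator"}),
]

if __name__ == "__main__":
    matrix, sources = build_platform_matrix(SAMPLE_INTEL)
    for tactic, techniques in sorted(matrix.cells.items()):
        print(tactic, techniques)
    print("monitor:", data_source_composition(matrix))
    print("unclassified:", matrix.unclassified)
```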
In particular, Active Directory refers to a database and set of services that allow an administrator to manage permissions, access network resources, and store data objects (users, user groups, applications or devices); the data source comprises Active Directory credential request, Active Directory object access, Active Directory object creation, Active Directory object deletion and Active Directory object modification. An Active Directory credential request is a request by a user for an Active Directory credential (for example a ticket or token) used to verify and authorize an identity; by processing such credential requests the administrator enables the user to perform the corresponding authorized operations, so that the user can access network resources and perform specific tasks. Active Directory object creation refers to the initial construction of a new Active Directory object; Active Directory object deletion refers to the removal of Active Directory objects that are no longer needed; and Active Directory object modification refers to changes made to existing Active Directory objects.
Further, application log refers to events collected by third-party services; the data source mainly comprises application log content, i.e. the log records, messages and other components provided by the third-party service. Certificate refers to a digital file that records information such as the owner and is used to establish trust in the public keys used in network communication; the data source mainly comprises certificate registration, i.e. querying or logging information about current and expired digital certificates.
Further, cloud service refers to infrastructure, a platform or software provided by a third-party provider that users access through network connections and/or APIs; the data source mainly comprises cloud service disable, cloud service enumeration and cloud service modification. Cloud service disable refers to disabling or stopping the cloud service, cloud service enumeration to extracting a list of cloud services, and cloud service modification to making changes to a cloud service, including its settings and/or data.
Preferably, cloud storage is data object storage infrastructure provided or hosted by a third-party provider and made available to users via network connections and/or APIs; its main operations are cloud storage access, cloud storage creation, cloud storage deletion, cloud storage enumeration, cloud storage metadata and cloud storage modification. Command refers to instructions given to a computer program to perform a specific task; the data source mainly comprises command execution, which specifies the parameters and options used when the command is executed.
Further, a container is a standardized, portable unit that packages an application with all of its dependencies and configuration so that it runs quickly and reliably across computing environments; the data source mainly comprises container creation, container enumeration and container start. Domain name refers to a human-readable name used to obtain one or more corresponding IP addresses; the data source mainly comprises active DNS, domain registration and passive DNS.
Further, a drive is a non-volatile data storage device, such as a hard disk drive, floppy disk drive or USB flash drive, with at least one formatted partition; its main operations are drive access, drive creation and drive modification. Drive access refers to opening a data storage device that has been assigned a drive letter or mount point; drive creation refers to the initial assignment of a drive letter or mount point to a data storage device; and drive modification refers to a change to the drive letter or mount point of a data storage device.
Further, a driver is a computer program that operates or controls a particular type of device connected to a computer; the data source mainly comprises driver load and driver metadata. Driver load refers to attaching a driver to the system in user or kernel mode; driver metadata refers to contextual data about a driver and its related activity, such as driver problem reports or integrity checks.
Further, a file is a computer resource object managed by the I/O system for storing data (such as images, text, video, computer programs or other media); the data source mainly comprises file access, file creation, file deletion, file metadata and file modification. A firewall is a network security system, operating as a local endpoint or a remote service, that monitors and controls traffic into and out of a network according to preset rules; its main operations are firewall disable, firewall enumeration, firewall metadata and firewall rule modification.
In particular, firmware is computer software, such as BIOS or UEFI/EFI, that provides low-level control of a host's devices and hardware; the data source mainly comprises firmware modification, i.e. changes to the firmware, including its settings and/or data such as the MBR and VBR. Group refers to a collection of user accounts that share the same access rights to computer and/or network resources and the same security permissions; the data source mainly comprises group enumeration, group metadata and group modification. Image refers to a single file used to deploy virtual machines or bootable disks into a local or third-party cloud environment; the data source mainly comprises image creation, image deletion, image metadata and image modification.
Preferably, an instance is a virtual server environment running a workload, hosted locally or provided by a third-party cloud provider; the data source comprises instance creation, instance deletion, instance enumeration, instance metadata, instance modification, instance start and instance stop. Internet scan refers to obtaining information about the various resources and servers connected to the public internet; the data source comprises response content and response metadata, where response content is the recorded network traffic returned in response to a scan, showing protocol header and body content, and response metadata is the contextual data collected by a scan about internet-facing resources, such as running services or ports.
Further, a kernel is a computer program that resides at the core of a computer operating system, stays in memory, and mediates the interaction between hardware and software components; the data source mainly comprises kernel module load. A kernel module is an object file containing code that extends the running kernel of the operating system, typically to add support for new hardware (as device drivers) and/or file systems, or to add system calls.
Further, a logon session refers to a logon occurring on a system or resource, in which a user/device obtains access after successful authentication and authorization; the data source contains logon session creation and logon session metadata. Logon session creation refers to the initial construction of a new, successful user logon following an authentication attempt. Logon session metadata refers to the contextual data of a logon session (e.g., user name, logon type, token acquisition) and of related activity within that session.
Preferably, the malware repository refers to information obtained about malicious software used by attackers; the data source contains malware content and malware metadata. Malware content refers to code, strings and other destructive markers in a malicious payload. Malware metadata refers to contextual data (e.g., compile time, file hash, watermark) or other identifiable configuration information about a malicious payload.
Further, a module refers to an executable file composed of one or more shared classes and interfaces, such as a portable executable (PE) format binary/dynamic link library (DLL), an Executable and Linkable Format (ELF) binary/shared library, or a Mach-O format binary/shared library; the data source contains module load. Module load refers to attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module.
Further, a named pipe refers to a mechanism that allows processes to communicate locally or over a network; it usually appears as a file to which processes attach. The data source contains named pipe metadata, which refers to contextual data about named pipes on the system, including the pipe name and the creating process.
Further, a network share refers to the use of a network protocol to make storage resources (typically folders or drives) on one host available to another; the data source contains network share access. Network share access refers to opening a network share so that the requester can access its contents.
Further, network traffic refers to data transmitted over a network, either summarized or captured as raw data in an analyzable format; the data source includes network connection creation, network traffic content and network traffic flow. Network connection creation refers to the initial construction of a network connection, such as capturing socket information with source/destination IP addresses and ports; network traffic content refers to recorded network traffic showing protocol header and body content; network traffic flow refers to summarized network packet data, including metrics such as protocol headers and volume.
Further, a persona refers to a malicious online profile that an attacker uses to represent a user in social interaction with the target user or other victims; the data source contains social media, which refers to social media personas that are established, compromised or otherwise acquired. A pod refers to the resource-sharing unit within a cluster, consisting of one or more containers; the data source comprises pod creation, pod enumeration and pod modification. Pod creation refers to initializing a new pod; pod enumeration refers to extracting the list of pods within a cluster; pod modification refers to changes to a pod, including its settings and/or control data.
Further, a process refers to an instance of a computer program being executed by at least one thread; the process has memory space for the process executable, loaded modules (DLLs or shared libraries) and allocated memory regions containing everything from user input to application-specific data structures. The data source comprises OS API execution, process access, process creation, process metadata, process modification and process termination. OS API execution refers to operating system function/method calls made by a process; process access refers to the opening of one process by another, typically to read the target process's memory; process creation refers to the initial construction of an executable managed by the operating system, which may involve one or more tasks or threads; process metadata refers to contextual data associated with a running process, which may contain information such as environment variables, image name and user/owner; process modification refers to changes to a process or its contents, typically writing and/or executing code in the target process's memory; process termination refers to the exit of a running process.
Further, a scheduled job refers to a task executed automatically at a specific time or on a repeating schedule in the background; the data source comprises scheduled job creation, scheduled job metadata and scheduled job modification. A script refers to a file or instruction stream containing a series of commands that allows sequential execution; the data source contains script execution. Sensor health refers to information from host telemetry that reports system status, errors or other important functional activity; the data source includes host status, which refers to the artifacts that log, communicate or otherwise show the health of the host's sensors.
Further, a service refers to a computer process configured to execute continuously and perform system tasks in the background, in some cases before any user logs in; the data source contains service creation, service metadata and service modification. A snapshot refers to a point-in-time copy of a cloud volume (files, settings, etc.) that can be created and/or deployed in a cloud environment; the data source includes snapshot creation, snapshot deletion, snapshot enumeration, snapshot metadata and snapshot modification.
Preferably, a user account represents the profile of a user, device, service or application used to authenticate to and access resources; the data source comprises user account authentication, user account creation, user account deletion, user account metadata and user account modification. A volume refers to block object storage hosted on premises or by a third-party provider, typically presented to resources as virtualized hard drives; the data source includes volume creation, volume deletion, volume enumeration, volume metadata and volume modification.
Further, web credentials refer to credential material (such as session cookies or tokens) used to authenticate to web applications and services; the data source comprises web credential creation and web credential usage. The Windows registry refers to the hierarchical database of the Windows OS that stores most of the information and settings for software programs, hardware devices, user preferences and operating system configuration; the data source includes Windows registry key access, creation, deletion and modification. WMI refers to the Windows Management Instrumentation infrastructure for management data and operations, which makes it possible to manage Windows personal computers and servers locally and remotely; the data source contains WMI creation.
The data source processing module is used for receiving and analyzing the threat information uploaded by the threat information module so as to generate a monitoring strategy and management and control means.
Further, the composition of the threat information data sources is uploaded to the data source processing module, and the data source processing module analyzes the condition of the data sources, forms a monitoring strategy and management and control means, and uploads them to the network security management platform.
The trusted verification module is used for verifying and evaluating assets according to the monitoring strategy and the management and control means generated by the data source processing module, and for generating measurement results.
Furthermore, the network security management platform uses the trusted verification module to protect important assets. The root of trust monitors and measures the BIOS firmware data source according to platform requirements, so as to ensure the integrity and security of the BIOS firmware data during transfer; after the root of trust passes verification, the trusted verification module loads the operating system boot program; after the basic trusted base passes verification, the trusted verification module loads the operating system and applications, while monitoring and measuring the Active Directory and application log data sources; after the trusted software base passes verification, the trusted verification module brings up the service network and checks the security and integrity of network connections.
It should be noted that the root of trust mainly provides basic services for the trusted verification module, such as cryptographic computation, trusted reference value storage and policy storage. Verification of the root of trust is mainly aimed at whether the functions of the root of trust and the cryptographic algorithms it uses meet national and industry requirements. In the system boot stage, static measurement and verification are performed on key files under the boot program directory (such as kernel files, initial ramdisk files, program files and configuration files); if verification passes, the boot program is loaded and started normally; if verification fails, system startup is actively blocked and an audit record is formed.
Preferably, when a protected system program (kernel-level program, system file, etc.) is loaded, the trusted verification module should check the correctness of its absolute path, file name and file content, and perform static measurement and verification. If verification passes, the system program is loaded and started normally; if verification fails, the start of the system program is actively blocked, and an audit record and an alarm are formed.
Further, the trusted verification module can identify and actively block deletion, tampering and other actions against a protected system program, forming an audit record. When a protected application (dynamic library, executable program, etc.) is loaded, the trusted verification module should check the correctness of the application's absolute path, file name and file content, and perform static measurement and verification. If verification passes, the application is loaded and started normally; if verification fails, the start of the application is actively blocked, and an audit record and an alarm are formed.
Further, the trusted verification module can identify and actively block deletion, tampering and other actions against a protected application, forming an audit record and an alarm. For systems at classified protection level three and above, all execution links of the application are measured dynamically. The measurement objects include the program's process code segment, memory code segment, read-only data segment and the like, and the measurement elements include the length and content of the code segment and data segment and the like. If the measurement passes, the application may continue to run; if the measurement fails, an audit record is formed and an alarm is raised.
Preferably, the trusted verification module provides identity trust verification, realizing verification of data sources such as user groups and user accounts; program execution trust verification, realizing verification of data sources such as executable files, kernel modules and scripts; storage trust verification, realizing verification of data sources such as certificates and volumes; and behavior trust verification, realizing verification of the operational behavior of data sources such as files and processes. Data sources that fail verification, and their operations, are blocked, and an alarm is recorded and reported to the platform.
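The static measurement step described above (absolute path, file name and file content checked against a stored reference value, load on success, block plus audit record and alarm on failure) can be illustrated in code. The following is an added example, not code from the patent or from its assignee; the file names, the reference-value list and the tampered boot configuration are constructed for the demonstration, and the reference values stand in for what the text calls the root of trust's trusted reference value storage.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumption: the reference values would normally be read from the root of
# trust's reference-value store; here run_demo() builds them for a temp dir.


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def static_measure(path, reference):
    """Measure one protected file against its reference value.

    The three checks mirror the text: absolute path, file name and file
    content must all match.  Returns (passed, audit_record); a failure yields
    a record whose action is "block" and which carries an alarm flag.
    """
    checks = {
        "absolute_path": os.path.isabs(path)
        and os.path.normpath(path) == os.path.normpath(reference["path"]),
        "file_name": os.path.basename(path) == os.path.basename(reference["path"]),
    }
    try:
        measured = sha256_of(path)
    except FileNotFoundError:
        measured = None  # deletion of a protected file also fails measurement
    checks["content"] = measured == reference["sha256"]
    passed = all(checks.values())
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(reference["path"]),
        "path": path,
        "expected_sha256": reference["sha256"],
        "measured_sha256": measured,
        "checks": checks,
        "action": "load" if passed else "block",
        "alarm": not passed,
    }
    return passed, record


def verify_boot_directory(references):
    """Measure every protected file before the boot program is loaded.

    references: list of {"path": <absolute path>, "sha256": <hex>}.  Every
    file is measured (rather than stopping at the first failure) so the
    platform receives a complete set of audit records.  Loading is allowed
    only when all files pass.  The path handed to static_measure is the one
    the loader would use; in this demo it is the reference path itself.
    """
    records = [static_measure(ref["path"], ref)[1] for ref in references]
    return all(r["action"] == "load" for r in records), records


def run_demo():
    """Constructed scenario: three boot files, one tampered with after the
    reference values were taken.  Returns (all_passed, records)."""
    tmp = tempfile.mkdtemp(prefix="boot-")
    files = {  # constructed placeholder contents, not real boot artifacts
        "vmlinuz": b"\x7fELF constructed kernel image",
        "initrd.img": b"constructed initial ramdisk",
        "grub.cfg": b"set default=0\nlinux /vmlinuz\n",
    }
    for name, data in files.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    references = [
        {"path": os.path.join(tmp, name), "sha256": sha256_of(os.path.join(tmp, name))}
        for name in files
    ]
    # Tamper with the boot configuration after the baseline was stored.
    with open(os.path.join(tmp, "grub.cfg"), "ab") as fh:
        fh.write(b"linux /vmlinuz init=/bin/sh\n")
    return verify_boot_directory(references)


if __name__ == "__main__":
    ok, audit = run_demo()
    print("boot allowed:", ok)
    print(json.dumps(audit, indent=2))
```

Running the block prints the per-file audit records; the tampered grub.cfg is the only one with action "block" and its alarm flag set, and boot is refused as a whole. In a real deployment the hash computation and reference storage would sit behind the root of trust rather than in ordinary user-space code, as the text requires.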
The management and control module is used for taking management and control measures against assets with security problems, according to the management and control means generated by the data source processing module and the detection results of the malicious code monitoring module.
Furthermore, the network security management platform uses a malicious code monitoring system to manage, control and protect the other assets. The malicious code monitoring system mainly comprises four parts, namely an anti-malicious-code client management module, an anti-malicious-code client, a malicious code traffic monitoring and collection device, and a malicious code analysis module, and achieves its functions through interaction with the network security management platform.
Further, the workflow of the malicious code monitoring module is as follows. According to the system security condition and actual demand, the network security management platform judges whether a management and control instruction needs to be issued. If the condition for issuing a control instruction is met, the network security management platform issues the control instruction to the anti-malicious-code client, the control instruction comprising a scheduled task policy and a library upgrade. The anti-malicious-code client management module judges whether a management and control instruction has been received; if so, it issues the scheduled task policy and library upgrade to the anti-malicious-code client and receives scan-and-kill log and operation information from the client. The malicious code monitoring and collection device judges whether the collection condition is met; if so, it collects malicious code traffic data from the network and transmits it to the malicious code analysis module. The malicious code analysis module judges whether the analysis processing condition is met; if so, it receives the collected traffic data and asset alarm information, analyzes and processes them, and generates a corresponding alarm log. According to the alarm information sent by the trusted verification module and the malicious code monitoring system, the network security platform issues a management and control command to the management and control module so as to manage and control the asset; according to the actual situation and threat level, the security platform adopts appropriate control means to improve network security.
It should be noted that the conditions for issuing a control instruction include the following: the network security management platform judges, according to the security threat situation monitored in real time, whether a management and control instruction needs to be issued, and issues one if high-risk malicious code activity or other security threats exist; it judges according to the security level and importance of different assets, and issues an instruction if an asset is classified as high-risk or important; it judges according to the formulated security policies and rules, and issues an instruction if the policies and rules indicate that an asset needs to be controlled; and an administrator may decide by manual intervention, according to his own judgment and experience, whether control is required, in which case the network security management platform issues the corresponding instruction according to the administrator's decision.
It should be noted that the specific collection conditions may vary with the settings, policies and requirements of the malicious code monitoring and collection device.
The determination of the analysis processing condition includes, but is not limited to, the following: the analysis module judges whether the condition is met according to predefined sample classification rules; according to preset malicious behavior characteristics, such as file modification, system intrusion and network communication; according to the network propagation capability of the sample; and according to the importance and priority of the sample.
The malicious code traffic monitoring and collection device is mainly used for collecting and analyzing data source information such as network traffic and logon sessions, and the malicious code analysis module mainly discovers abnormal conditions of assets by comparison against data sources such as the malware repository.
Further, according to the alarm information sent by the trusted verification module and the malicious code monitoring system, the network security platform issues a management and control command to the management and control module so as to manage and control the asset; according to the situation and threat level, the security platform adopts appropriate management and control means to improve network security, such as link blocking, network connection blocking, network card blocking, process blocking, file isolation and removable disk ejection, so as to prevent the threat from spreading and causing impact.
Further, the embodiment also provides an ATT & CK-based network security event linkage handling method, comprising: a threat information module acquires threat information from a commercial database, a malicious code base, its own threat information data and a national-level information sharing source, and uploads the threat information to the network security management platform; the network security platform classifies and merges the threat information according to its characteristics and the tactic and technique specifications of the reference ATT & CK matrix, forming a threat information matrix; according to the tactics and techniques involved in the threat information, and with reference to the data source characteristics of the ATT & CK matrix, a corresponding threat information data source is created; the data source composition is uploaded to the data source processing module, which analyzes and processes the data sources to generate a monitoring strategy and management and control means and uploads them to the network security platform; the network security platform issues the corresponding policy and control commands to the trusted verification module and the malicious code monitoring system according to the uploaded monitoring strategy and control means; the trusted verification module and the malicious code monitoring system upload measurement failure logs and alarm logs to the network security management platform; the network security management platform comprehensively analyzes the measurement logs and alarm logs, discovers new threat information and feeds it into the threat information system so as to improve the threat information; and the network security management platform comprehensively analyzes the alarms, logs and other information, issues corresponding management and control commands to the management and control module, and takes the corresponding measures in time to handle the assets with security problems.
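The first half of the method (classify threat information into ATT & CK tactic stages, merge it into per-tactic technique matrices, including into several matrices when a technique belongs to several tactics, then derive the data sources to monitor and hand each to the component that monitors it) is shown below as an added example. It is not the patent's code. The technique table is a small constructed subset of the ATT & CK Enterprise matrix (IDs, tactic membership and data sources should be checked against the ATT & CK release in use), the intel records are constructed, and the assignment of data sources to the trusted verification module or the malicious code traffic collector is an assumption drawn from the division of labour described in this embodiment.

```python
from collections import defaultdict

# Constructed subset of the ATT&CK Enterprise matrix: technique -> tactics and
# data sources.  Illustrative only; verify against the ATT&CK release you use.
ATTACK_SUBSET = {
    "T1059.001": {"name": "PowerShell", "tactics": ["execution"],
                  "data_sources": ["Command", "Module", "Process", "Script"]},
    "T1053.005": {"name": "Scheduled Task",
                  "tactics": ["execution", "persistence", "privilege-escalation"],
                  "data_sources": ["Command", "File", "Process", "Scheduled Job",
                                   "Windows Registry"]},
    "T1542.001": {"name": "System Firmware",
                  "tactics": ["persistence", "defense-evasion"],
                  "data_sources": ["Command", "Firmware"]},
    "T1021.002": {"name": "SMB/Windows Admin Shares",
                  "tactics": ["lateral-movement"],
                  "data_sources": ["Command", "Logon Session", "Network Share",
                                   "Network Traffic", "Process"]},
}

# Assumed mapping of data sources to the component that monitors them, following
# the embodiment: identity/program/storage/behaviour verification belongs to the
# trusted verification module, traffic and logon data to the traffic collector.
DATA_SOURCE_OWNER = {
    "Command": "trusted-verification/behaviour",
    "Process": "trusted-verification/behaviour",
    "File": "trusted-verification/behaviour",
    "Scheduled Job": "trusted-verification/behaviour",
    "Module": "trusted-verification/program-execution",
    "Script": "trusted-verification/program-execution",
    "Windows Registry": "trusted-verification/storage",
    "Firmware": "trusted-verification/root-of-trust",
    "Logon Session": "malicious-code-monitoring/traffic-collector",
    "Network Share": "malicious-code-monitoring/traffic-collector",
    "Network Traffic": "malicious-code-monitoring/traffic-collector",
}


def build_threat_matrix(intel_items, matrix=ATTACK_SUBSET):
    """Classify intel into tactic stages and merge it into per-tactic technique
    matrices.  A technique that belongs to several tactics is merged into each
    of them.  Techniques absent from the matrix are reported, not dropped.
    Returns ({tactic: {technique_id: [intel ids]}}, [(intel id, technique)])."""
    threat_matrix = defaultdict(lambda: defaultdict(list))
    unmapped = []
    for item in intel_items:
        for tid in item["techniques"]:
            entry = matrix.get(tid)
            if entry is None:
                unmapped.append((item["id"], tid))
                continue
            for tactic in entry["tactics"]:
                threat_matrix[tactic][tid].append(item["id"])
    return {t: dict(v) for t, v in threat_matrix.items()}, unmapped


def derive_data_sources(threat_matrix, matrix=ATTACK_SUBSET):
    """Union of the data sources of every technique present in the matrix."""
    sources = set()
    for techniques in threat_matrix.values():
        for tid in techniques:
            sources.update(matrix[tid]["data_sources"])
    return sorted(sources)


def monitoring_policy(data_sources, owners=DATA_SOURCE_OWNER):
    """Group the required data sources by the component that must monitor them;
    anything without an owner is flagged so it is not silently unmonitored."""
    policy = defaultdict(list)
    for src in data_sources:
        policy[owners.get(src, "unassigned")].append(src)
    return dict(policy)


# Constructed threat information records (not taken from any real feed).
SAMPLE_INTEL = [
    {"id": "intel-001", "source": "commercial", "techniques": ["T1059.001", "T1053.005"]},
    {"id": "intel-002", "source": "malware-repo", "techniques": ["T1542.001"]},
    {"id": "intel-003", "source": "national-share", "techniques": ["T1021.002", "T9999"]},
]

if __name__ == "__main__":
    tm, unmapped = build_threat_matrix(SAMPLE_INTEL)
    for tactic, techniques in sorted(tm.items()):
        print(tactic, techniques)
    print("unmapped:", unmapped)
    print("policy:", monitoring_policy(derive_data_sources(tm)))
```

The point a practitioner should take from the output is that one record (intel-001, via T1053.005) lands in three tactic matrices at once, so a later count of "threats per tactic" is a count of matrix entries and not of records, and that the unmapped T9999 is surfaced for manual triage rather than vanishing from the monitoring policy.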
The embodiment also provides a computer device, which is applicable to the situation of an ATT & CK-based network security event linkage treatment system, and comprises a memory and a processor; the memory is used for storing computer executable instructions, and the processor is used for executing the computer executable instructions to realize the network security event linkage treatment system based on the ATT & CK as set forth in the embodiment.
The computer device may be a terminal comprising a processor, a memory, a communication interface, a display screen and input means connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
The present embodiment also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the network security event coordinated handling system based on ATT & CK as proposed by the above embodiment.
In summary, the threat information system, the trusted verification module and the malicious code monitoring system are linked by utilizing the ATT & CK matrix, threat information is classified in the ATT & CK technical angle, and data sources are monitored according to technical characteristics, so that a new network security event disposal flow is provided, threat information processing efficiency can be effectively improved, threat sources can be identified, and the disposal mode of network security events can be improved, thereby improving the overall capability of network security protection.
Example 2
Referring to fig. 1 to 6, for a second embodiment of the present invention, the embodiment provides an ATT & CK based network security event linkage handling system, and in order to verify the beneficial effects of the present invention, scientific demonstration is performed through economic benefit calculation and simulation experiments.
Specifically, taking the pilot application of the system as an example, the volume of information collected by the system reaches tens of millions of records; the accuracy and speed of alarming are significantly improved without adding extra equipment, which helps network security managers discover and handle existing network security risks in time.
Furthermore, the company's core service systems are also connected to the network security management platform in this scheme, so as to prevent the service systems from being attacked. The platform first collects a large amount of data, such as logs and events, during the operation and maintenance of the service systems; this large data volume improves the accuracy of the platform's threat information analysis.
Preferably, through correlation analysis of the data sources, the platform can generate more accurate security risk early warnings, for example a certain correlation between abnormal account logon locations and the existence of data leakage events. Meanwhile, with the support of a large amount of data, the platform uses machine learning algorithms to train a threat detection model specific to the service system, further improving the accuracy of threat alarms.
Further, alarms are presented centrally to the network security administrator through the platform. The platform performs clustering and correlation analysis according to the relationships between events, assisting the administrator in identifying the threats the events contain. If, for example, a workstation is found to generate a large number of connection requests to multiple service systems and other workstations in a short time, it can reasonably be suspected that a security risk exists and that an IP/port scanning security event is taking place. This reduces the administrator's workload and allows a faster response.
Furthermore, by applying the scheme, the company has automated the security protection of its service systems; alarm quality remains effectively guaranteed with large data volumes, and the company's overall network security defense capability is improved.
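The correlation just described (one workstation opening connections to many hosts and ports within a short time, raised as a port scanning event) is the kind of rule a detection engineer would write over the network connection creation data source. The following is an added example, not the patent's or the platform's code: it runs a sliding-window detector over constructed connection log lines of the form "timestamp source destination port", and the thresholds, the window length and the mapping of the alert to ATT & CK technique T1046 (Network Service Discovery, tactic Discovery) are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: tune to the environment's baseline before deploying.
WINDOW = timedelta(seconds=60)
MIN_TARGETS = 10   # distinct (destination, port) pairs inside the window
MIN_HOSTS = 5      # of which at least this many distinct destination hosts


def parse_line(line):
    """Parse 'ISO-timestamp src dst dport' into (ts, src, dst, port).
    Returns None for malformed lines so one bad record cannot stop the detector."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_scans(lines, window=WINDOW, min_targets=MIN_TARGETS, min_hosts=MIN_HOSTS):
    """Sliding-window scan detection per source address.

    Each source keeps a deque of its connections inside the window.  An alert
    is created the first time the distinct-target and distinct-host counts
    exceed the thresholds; continued scanning extends that alert instead of
    producing a duplicate for every further connection.
    """
    recent = defaultdict(deque)   # src -> (ts, dst, port), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        hosts = {d for _, d, _ in q}
        if len(targets) < min_targets or len(hosts) < min_hosts:
            continue
        alert = alerts.get(src)
        if alert is None:
            alerts[src] = {
                "source": src,
                "first_seen": q[0][0],
                "last_seen": ts,
                "targets": len(targets),
                "hosts": len(hosts),
                "tactic": "discovery",
                "technique": "T1046",   # Network Service Discovery
            }
        else:
            alert["last_seen"] = ts
            alert["targets"] = max(alert["targets"], len(targets))
            alert["hosts"] = max(alert["hosts"], len(hosts))
    return list(alerts.values())


# Constructed log: 10.0.0.5 sweeps twelve hosts on 445 within 12 seconds,
# 10.0.0.7 repeatedly talks to one web server, 10.0.0.9 opens one SSH session.
SAMPLE_LOG = sorted(
    [f"2024-03-01T08:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} 445" for i in range(12)]
    + [f"2024-03-01T08:00:{i:02d} 10.0.0.7 10.0.2.10 443" for i in range(15)]
    + ["2024-03-01T08:00:30 10.0.0.9 10.0.2.11 22", "malformed log line"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Only the sweeping workstation produces an alert; the chatty but single-destination client never reaches the distinct-host threshold, which is the reason for requiring both counts rather than a raw connection rate.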
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.

Claims (10)

1. An ATT & CK based network security event linkage handling system, characterized in that it comprises:
the threat information module is used for collecting threat information, uploading the threat information to the network security management platform, and updating the new threat information formed by the analysis of the network security management platform to a threat information library of the threat information module;
the threat information analysis module is used for classifying the threat information according to the ATT & CK matrix to determine a data source to which the threat information belongs, and reporting the data source composition to the data source processing module;
The data source processing module is used for receiving and analyzing the data source composition uploaded by the threat information analysis module to generate a monitoring strategy and a management and control means, and uploading the monitoring strategy and the management and control means to a network security management platform;
the trusted verification module is used for verifying and evaluating the assets according to the monitoring strategy and the management and control means generated by the data source processing module, and according to the standard requirements set by the security management specifications, so as to generate measurement results, and for uploading measurement failure logs to the network security management platform;
the malicious code monitoring module is used for monitoring malicious codes in the system, detecting and analyzing the monitored malicious codes to generate an alarm log, uploading the alarm log to the network security management platform, and simultaneously receiving strategies and commands issued by the network security management platform, and timely blocking and stopping damage and destruction of the malicious codes to the system;
and the management and control module is used for executing a management and control command issued by the network security management platform and taking management and control measures on the assets with security risks.
2. The ATT & CK based network security event coordinated handling system of claim 1, wherein: the malicious code monitoring module comprises an anti-malicious-code client management module, an anti-malicious-code client, a malicious code traffic monitoring and collection module and a malicious code analysis module,
the anti-malicious-code client management module is used for centrally managing, configuring and upgrading the anti-malicious-code client and receiving monitoring results from the anti-malicious-code client;
the anti-malicious-code client is used for monitoring programs and file data resources on terminal equipment for malicious code and actively preventing malicious code from accessing, transmitting and running software;
the malicious code traffic monitoring and collection module is used for collecting malicious code traffic data from the network and transmitting the malicious code traffic data to the malicious code analysis module for analysis;
the malicious code analysis module is used for carrying out deep analysis on the collected malicious code traffic data, extracting relevant characteristic information to identify the type and behavior of the malicious code, and generating corresponding detection and defense rules.
3. The ATT & CK based network security event coordinated handling system of claim 1, wherein: the workflow of the threat information module is as follows,
the network security management platform classifies threat information according to the received threat information;
by analyzing the characteristics and the harmfulness of the threat, threat information is classified into corresponding ATT & CK tactical stages;
The threat information is compared with the technical features in the ATT & CK matrix tactical phase,
if the threat information accords with the technical characteristics of a certain ATT & CK tactical stage, merging the threat information into a technical matrix of the tactical stage;
if the threat information accords with the technical characteristics of a plurality of ATT & CK tactical stages, merging the threat information into a plurality of corresponding technical matrixes;
gradually accumulating the merging of threat information to form a threat information matrix specific to the network security management platform;
and determining a monitoring data source according to the technical characteristics of the threat information so as to form the threat information data source.
4. The ATT & CK based network security event coordinated handling system of claim 3, wherein: the ATT & CK tactic stages comprise reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact;
the threat information data sources include Active Directory, application log, certificate, cloud service, cloud storage, command, container, domain name, drive, file, firewall, firmware, user group, image, instance, internet scan, kernel, logon session, malware repository, module, named pipe, network share, network traffic, persona, pod, process, scheduled job, script, sensor health, service, snapshot, user account, volume, web credential, Windows registry and WMI.
5. The ATT & CK based network security event linkage handling system of claim 1, wherein: the workflow of the trusted verification module is as follows:
the network security management platform uses the trusted verification module to protect important assets;
the root of trust monitors and measures the BIOS firmware data source according to the platform requirements, to ensure the integrity and security of the BIOS firmware while it is loaded;
after the root of trust verification passes, the trusted verification module loads the operating system boot loader;
after verification by the trusted base passes, the trusted verification module loads the operating system and the application programs, and at the same time monitors and measures the Active Directory and application log data sources;
after verification by the trusted software base passes, the trusted verification module brings up the service network and checks the security and integrity of the network connection.
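The chain in claim 5 is a measured-boot sequence: each stage is measured before it is loaded, and a failed measurement stops the chain and produces the failed-measurement log that the later method claim has the module upload. The simulation below is an added example, not the patent's own implementation: stage names, the SHA-256 measurement and the TPM-style extend register are assumptions, and the "images" are constructed byte strings standing in for firmware, boot loader, OS and application contents.

```python
"""Simulated measured-boot chain for the trusted verification module
(added example for claim 5; stage names and measurement scheme are assumed)."""
import hashlib

# Stage order from the claim: root of trust measures the BIOS, then the boot
# loader, then the OS and applications, then the service network is brought up.
STAGES = ["bios_firmware", "os_bootloader", "operating_system",
          "applications", "service_network"]


def measure(blob: bytes) -> bytes:
    """Measurement is a SHA-256 digest of the exact bytes that will be loaded."""
    return hashlib.sha256(blob).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM PCR-style extend: the register only moves forward, so a later stage
    cannot rewrite the record of an earlier measurement."""
    return hashlib.sha256(register + digest).digest()


def golden_register(references: dict) -> bytes:
    """Register value that a fully trusted chain must end with."""
    reg = b"\x00" * 32
    for stage in STAGES:
        reg = extend(reg, bytes.fromhex(references[stage]))
    return reg


def verify_chain(images: dict, references: dict):
    """Measure and load the stages in order, stopping at the first mismatch.
    images: stage -> bytes to be loaded; references: stage -> expected SHA-256 hex.
    Returns (ok, loaded_stages, final_register, measurement_log)."""
    register = b"\x00" * 32
    loaded, log = [], []
    for stage in STAGES:
        digest = measure(images[stage])
        register = extend(register, digest)        # record the measurement first
        if digest.hex() != references[stage]:      # then decide whether to load
            log.append({"stage": stage, "result": "measurement_failed",
                        "measured": digest.hex(), "expected": references[stage]})
            return False, loaded, register, log    # nothing after this stage loads
        log.append({"stage": stage, "result": "measured_ok"})
        loaded.append(stage)
    return True, loaded, register, log


# Constructed stand-in images and the reference values enrolled for them.
GOOD_IMAGES = {s: f"{s}-release-1".encode() for s in STAGES}
REFERENCES = {s: measure(b).hex() for s, b in GOOD_IMAGES.items()}


def tampered_images():
    """Same images with the boot loader replaced (simulated bootkit)."""
    imgs = dict(GOOD_IMAGES)
    imgs["os_bootloader"] = b"os_bootloader-release-1-with-implant"
    return imgs


if __name__ == "__main__":
    ok, loaded, reg, log = verify_chain(GOOD_IMAGES, REFERENCES)
    print("clean chain:", ok, loaded, reg == golden_register(REFERENCES))
    ok, loaded, reg, log = verify_chain(tampered_images(), REFERENCES)
    print("tampered chain:", ok, loaded, log[-1]["stage"], log[-1]["result"])
```

Two points a practitioner would check in a real implementation: the bytes measured must be the bytes executed (measuring a copy and then loading from a different path reopens a time-of-check/time-of-use window), and the reference values must be held somewhere the measured stages cannot modify, otherwise a compromised boot loader can simply re-enrol itself.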
6. The ATT & CK based network security event linkage handling system of claim 1, wherein: the workflow of the malicious code monitoring module is as follows:
according to the system security state and actual needs, the network security management platform judges whether a management and control instruction needs to be issued;
if the conditions for issuing a management and control instruction are met, the network security management platform issues the instruction to the anti-malicious-code client, the instruction comprising a scheduled task policy and a library upgrade;
the anti-malicious-code client management module judges whether a management and control instruction has been received;
if an instruction has been received, the anti-malicious-code client management module issues the scheduled task policy and the library upgrade to the anti-malicious-code client, and receives scan-and-kill log and operation information from the client;
the malicious code monitoring and collection device judges whether the collection conditions are met;
if the collection conditions are met, the malicious code monitoring and collection device collects malicious code traffic data from the network and transmits it to the malicious code analysis module;
the malicious code analysis module judges whether the analysis conditions are met;
if the analysis conditions are met, the malicious code analysis module receives the collected traffic data and the asset alarm information, analyses and processes them, and generates the corresponding alarm logs;
according to the alarm information sent by the trusted verification module and the malicious code monitoring system, the network security management platform issues a management and control command to the management and control module to manage and control the asset;
according to the situation and the threat level, the network security management platform adopts appropriate management and control measures to improve network security.
7. The ATT & CK based network security event linkage handling system of claim 6, wherein: the conditions for issuing a management and control instruction comprise the following:
the network security management platform judges whether a management and control instruction needs to be issued according to the security threat situation monitored in real time; if high-risk malicious code activity or another security threat exists, it issues the instruction accordingly;
the network security management platform judges whether a management and control instruction needs to be issued according to the security level and importance of the different assets; if an asset is defined as high risk or as important, it issues the instruction accordingly;
the network security management platform judges whether a management and control instruction needs to be issued according to the established security policies and rules; if the policies and rules indicate that an asset needs to be managed and controlled, it issues the instruction accordingly;
the administrator decides by manual intervention, according to his or her own judgement and experience, whether an instruction is issued; if the administrator decides that control is required, the network security management platform issues the corresponding instruction according to the administrator's decision.
8. An ATT & CK based network security event linkage handling method, based on the ATT & CK based network security event linkage handling system of any one of claims 1-7, characterized by comprising the following steps:
the threat intelligence module acquires threat intelligence from commercial databases, malicious code bases, its own threat intelligence data and national-level intelligence sharing sources, and uploads it to the network security management platform;
the network security management platform classifies and merges the threat intelligence according to its characteristics, with reference to the tactics and techniques of the ATT & CK matrix, to form a threat intelligence matrix;
according to the tactics and techniques the threat intelligence involves, and with reference to the data source characteristics of the ATT & CK matrix, the corresponding threat intelligence data sources are created;
the data source composition is uploaded to the data source processing module, which analyses and processes the data sources to generate monitoring policies and management and control measures, and uploads these to the network security management platform;
according to the uploaded monitoring policies and management and control measures, the network security management platform issues the corresponding policies and management and control commands to the trusted verification module and the malicious code monitoring system;
the trusted verification module and the malicious code monitoring system upload failed-measurement logs and alarm logs to the network security management platform;
the network security management platform comprehensively analyses the measurement logs and alarm logs, discovers new threat intelligence and feeds it into the threat intelligence system to improve the threat intelligence;
the network security management platform comprehensively analyses the alarm and log information, issues the corresponding management and control commands to the management and control module, and takes the corresponding measures in time to handle assets with security problems.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that: when the processor executes the computer program, the steps of the ATT & CK based network security event linkage handling system of any one of claims 1 to 7 are implemented.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that: when the computer program is executed by a processor, the steps of the ATT & CK based network security event linkage handling system of any one of claims 1 to 7 are implemented.
CN202311627758.3A 2023-11-30 2023-11-30 ATT & CK-based network security event linkage treatment system and method Pending CN117439814A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311627758.3A CN117439814A (en) 2023-11-30 2023-11-30 ATT & CK-based network security event linkage treatment system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311627758.3A CN117439814A (en) 2023-11-30 2023-11-30 ATT & CK-based network security event linkage treatment system and method

Publications (1)

Publication Number Publication Date
CN117439814A true CN117439814A (en) 2024-01-23

Family

ID=89555364

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311627758.3A Pending CN117439814A (en) 2023-11-30 2023-11-30 ATT & CK-based network security event linkage treatment system and method

Country Status (1)

Country Link
CN (1) CN117439814A (en)

Similar Documents

Publication Publication Date Title
US11283822B2 (en) System and method for cloud-based operating system event and data access monitoring
AU2018204262B2 (en) Automated code lockdown to reduce attack surface for software
US11797684B2 (en) Methods and systems for hardware and firmware security monitoring
US9166988B1 (en) System and method for controlling virtual network including security function
US8955108B2 (en) Security virtual machine for advanced auditing
US9401922B1 (en) Systems and methods for analysis of abnormal conditions in computing machines
US20180191779A1 (en) Flexible Deception Architecture
US10412109B2 (en) Method for detecting vulnerabilities in a virtual production server of a virtual or cloud computer system
US20150264077A1 (en) Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure
US20200311231A1 (en) Anomalous user session detector
KR101994664B1 (en) Vulnerability checking system based on cloud service
Abbas et al. Paced: Provenance-based automated container escape detection
EP3964990A1 (en) Method and system for deciding on the need for an automated response to an incident
Srivastava et al. Evolving evidence gathering process: cloud forensics
Shalev et al. WatchIT: Who watches your IT guy?
Sun et al. Cloud armor: Protecting cloud commands from compromised cloud services
US20230019015A1 (en) Method and system for detecting and preventing application privilege escalation attacks
CN117439814A (en) ATT & CK-based network security event linkage treatment system and method
Essid et al. Distributed architecture of snort IDS in cloud environment
Cai et al. Medical big data intrusion detection system based on virtual data analysis from assurance perspective
US20160197946A1 (en) System and Method for Monitoring a Computer System Using Machine Interpretable Code
Abduvaliyevich et al. Creation and Security of the Cloud Platform for Educational Technologies
Umamaheswari et al. A defensible role-based case management system for remote forensic investigation
Liu et al. MalPEFinder: fast and retrospective assessment of data breaches in malware attacks
LaPointe Detecting Evasive Multiprocess Ransomware

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination