CN117811773A - Risk assessment method and device and electronic equipment - Google Patents

Publication number: CN117811773A
Application number: CN202311657291.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李文瑾, 高东, 尹圣超, 董银龙
Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Landscapes: Information Retrieval, Db Structures And Fs Structures Therefor

Abstract

The application provides a risk assessment method, a risk assessment device and electronic equipment, relates to the technical field of network security, and is used to improve the efficiency of risk assessment of an AD domain. The risk assessment method comprises the following steps: acquiring necessary information from a graph database of a knowledge graph of an Active Directory (AD) domain according to a preset query statement, wherein the necessary information comprises risk information and a risk path set, the knowledge graph is constructed based on the logic structure of the AD domain and the relationship information of each node in the AD domain, and each risk path in the risk path set represents that the privileges of a first node in the AD domain can be escalated to the privileges of a second node in the AD domain; and generating a risk assessment report based on a preset risk report template, the risk information and the risk path set.

Description

Risk assessment method and device and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a risk assessment method, a risk assessment device, and an electronic device.
Background
An Active Directory (AD) domain is a directory service used in the Microsoft Windows operating system to organize and manage network resources; it is used extensively in enterprise networks and plays a key role in managing enterprise network devices. An AD domain is a highly complex system that typically contains multiple roles: domain controllers (Domain Controller, DC), organizational units (Organizational Unit, OU), user accounts, computer accounts, groups and group policy objects (Group Policy Object, GPO), etc., and there may be one or more links between each role and roles of the same or a different type, which makes the AD domain a logically complex network system. The larger the AD domain and the longer it has been running, the more complex the network becomes.
To keep the AD domain secure, risk assessment needs to be performed on the AD domain while it is running, so that hidden risks in the AD domain are found in time and protective measures are implemented in time, avoiding the network security problems such hidden risks would cause.
At present, risk assessment of an AD domain is done by a worker assessing each role in the AD domain in turn; for larger AD domains, which contain a great many roles, this makes the risk assessment time-consuming, inefficient and costly in labour.
Disclosure of Invention
The application provides a risk assessment method, a risk assessment device and electronic equipment, which are used for improving risk assessment efficiency of an AD domain.
In a first aspect, an embodiment of the present application provides a risk assessment method, including: acquiring necessary information from a graph database of a knowledge graph of an Active Directory (AD) domain according to a preset query statement, wherein the necessary information comprises risk information and a risk path set; the knowledge graph is constructed based on the logic structure of the AD domain and the relationship information of each node in the AD domain, and each risk path in the risk path set represents that the privileges of a first node in the AD domain can be escalated to the privileges of a second node in the AD domain; and generating a risk assessment report based on a preset risk report template, the risk information and the risk path set.
In the embodiment of the application, the risk information and the risk path set are queried from the graph database of the AD domain knowledge graph using the preset query statement, the risk assessment of the AD domain is completed automatically using the preset risk report template, and a risk assessment report is obtained. In addition, the logic structure of the AD domain and the relationship information of each node are used to map the logical relationships between the nodes (roles) of the AD domain onto the knowledge graph, so that when the AD domain knowledge graph is used for risk assessment, hidden relationships between roles in the AD domain are less likely to be overlooked, and the accuracy and comprehensiveness of the risk assessment of the AD domain are improved.
In a possible implementation manner, before obtaining the necessary information from the graph database of the knowledge graph of the active directory AD domain according to the preset query statement, the method further includes: constructing an initial knowledge graph model of the AD domain based on the logic structure of the AD domain and a pre-stored first relation set; acquiring relationship information of each node in the AD domain, wherein the relationship information of each node in the AD domain is used for indicating the relationship between each node and other nodes; and processing the initial knowledge-graph model according to the relation information among the nodes to obtain the knowledge graph of the AD domain.
In a possible implementation manner, obtaining relationship information of each node in the AD domain includes: acquiring the AD domain information, wherein the AD domain information comprises object information and various attribute information in the AD domain; traversing the AD domain information, and analyzing the relation between each node and other nodes from the AD domain information according to a predefined relation set, wherein the relation set comprises the first relation set; and obtaining the relation information of each node in the AD domain based on the relation between each node and other nodes.
In one possible embodiment, the method further comprises: acquiring an attack means set aiming at the AD domain from the attack knowledge base; analyzing and acquiring risk relations among all nodes in the AD domain by utilizing each attack means in the attack means set; and acquiring the first relation set according to the risk relation among the nodes.
In this embodiment, based on a pre-stored attack knowledge base, means of simulating an attacker discovers possible attack paths among nodes, and defines a reference relationship among the nodes, so as to assist in constructing an AD domain knowledge graph, so that an initial knowledge graph constructed based on a first relationship set and an AD domain logic structure can better conform to the actual situation of an AD domain, and the accuracy of the knowledge graph is improved.
In a possible implementation manner, the preset query statement includes a first query statement, where the first query statement is used to obtain information that meets a preset risk condition; obtaining the necessary information from the graph database of the knowledge graph of the AD domain according to the preset query statement comprises: querying, according to the first query statement, the nodes, node relationships and node counts that meet the preset risk condition from the graph database of the knowledge graph; and generating the risk information from the information corresponding to those nodes, node relationships and node counts.
In a possible implementation manner, the preset query statement further includes a second query statement, where the second query statement is used to obtain the paths from each first node in a first node set to the second nodes connected to it; obtaining the necessary information from the graph database of the knowledge graph of the AD domain according to the preset query statement comprises: traversing the first node set in the knowledge graph according to the second query statement; determining, from the knowledge graph, at least one second node connected with each first node in the first node set; determining the path between each first node and each of its connected second nodes as a risk path, so as to obtain at least one risk path corresponding to each first node; and obtaining the risk path set from the at least one risk path corresponding to each first node.
In one possible implementation, generating a risk assessment report based on a preset risk report template, the risk information, and the risk path set includes: converting the risk information into one or more of a graph, a text and a table format according to the data type in the risk information; generating a risk path graph based on the risk path set and nodes related to the risk path set; and filling the risk information and the risk path diagram after the format conversion into the preset risk report template to obtain the risk assessment report.
In this embodiment, since the acquired risk information is redundant and complicated, the risk information may be converted into one or more of a graph, a text, and a table format based on the data type in the risk information, thereby improving the readability of the risk assessment report.
In a second aspect, an embodiment of the present application provides a risk assessment apparatus, including: an acquisition module, used to acquire necessary information from a graph database of a knowledge graph of an Active Directory (AD) domain according to a preset query statement, wherein the necessary information comprises risk information and a risk path set; the knowledge graph is constructed based on the logic structure of the AD domain and the relationship information of each node in the AD domain, and each risk path in the risk path set represents that the privileges of a first node in the AD domain can be escalated to the privileges of a second node in the AD domain; and an evaluation module, used to generate a risk assessment report based on a preset risk report template, the risk information and the risk path set.
In a possible implementation manner, the risk assessment device further comprises a determining module, wherein the determining module is used for constructing an initial knowledge graph model of the AD domain based on a logic structure of the AD domain and a pre-stored first relation set before acquiring necessary information from a graph database of the knowledge graph of the active directory AD domain according to a preset query statement; the acquisition module is further configured to acquire relationship information of each node in the AD domain, where the relationship information of each node in the AD domain is used to indicate a relationship between each node and other nodes; and the determining module is further used for processing the initial knowledge graph model according to the relation information among the nodes to obtain the knowledge graph of the AD domain.
In a possible implementation manner, the acquiring module is specifically configured to: acquiring the AD domain information, wherein the AD domain information comprises object information and various attribute information in the AD domain; traversing the AD domain information, and analyzing the relation between each node and other nodes from the AD domain information according to a predefined relation set, wherein the relation set comprises the first relation set; and obtaining the relation information of each node in the AD domain based on the relation between each node and other nodes.
In a possible implementation manner, the obtaining module is further configured to obtain, from the attack knowledge base, a set of attack means for the AD domain; the determining module is further configured to analyze and obtain a risk relationship between each node in the AD domain by using each attack means in the attack means set, and obtain the first relationship set according to the risk relationship between each node.
In a possible implementation manner, the preset query statement includes a first query statement, where the first query statement is used to obtain information that meets a preset risk condition; the acquisition module is specifically configured to: query, according to the first query statement, the nodes, node relationships and node counts that meet the preset risk condition from the graph database of the knowledge graph; and generate the risk information from the information corresponding to those nodes, node relationships and node counts.
In a possible implementation manner, the preset query statement further includes a second query statement, where the second query statement is used to obtain the paths from each first node in a first node set to the second nodes connected to it; the acquisition module is specifically configured to: traverse the first node set in the knowledge graph according to the second query statement; determine, from the knowledge graph, at least one second node connected with each first node in the first node set; determine the path between each first node and each of its connected second nodes as a risk path, so as to obtain at least one risk path corresponding to each first node; and obtain the risk path set from the at least one risk path corresponding to each first node.
In a possible embodiment, the evaluation module is specifically configured to: converting the risk information into one or more of a graph, a text and a table format according to the data type in the risk information; generating a risk path graph based on the risk path set and nodes related to the risk path set; and filling the risk information and the risk path diagram after the format conversion into the preset risk report template to obtain the risk assessment report.
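The report-generation step described above (converting each item of risk information according to its data type, drawing the risk path set as a graph, and filling a preset template) as an added, runnable example written for this page; it is not code from the patent or from NSFOCUS. The Markdown-style template, the table layout, the choice of Graphviz DOT as the output format for the risk path graph, and the sample query results are all assumptions made for illustration; the sample data is constructed and only mirrors the shape of a risk information dictionary and a risk path list.

```python
from string import Template

# Constructed sample query results (not real domain data). Dictionary-valued
# items carry node lists with counts; string-valued items are free text.
RISK_INFO = {
    "users_with_spn": {"nodes": ["svc_sql"], "count": 1},
    "dcsync_principals": {"nodes": ["Backup Ops"], "count": 1},
    "summary": "2 of 10 objects matched a preset risk condition",
}
# Risk paths: nodes at even positions, relation names at odd positions.
RISK_PATHS = [
    ["alice", "MemberOf", "Helpdesk", "AdminTo", "WS01",
     "HasSession", "admin", "MemberOf", "Domain Admins"],
    ["Helpdesk", "AdminTo", "WS01", "HasSession", "admin",
     "MemberOf", "Domain Admins"],
]

# Assumed report template; the $placeholders are filled by render_report.
REPORT_TEMPLATE = Template("""# AD domain risk assessment

## Risk information
$risk_table

$risk_text

## Risk paths ($path_count paths)
$path_graph
""")


def to_table(info):
    """Dictionary-valued items (node lists with counts) become table rows."""
    rows = ["| risk condition | count | nodes |", "|---|---|---|"]
    for key, val in info.items():
        if isinstance(val, dict):
            nodes = ", ".join(val["nodes"]) or "-"
            rows.append(f"| {key} | {val['count']} | {nodes} |")
    return "\n".join(rows)


def to_text(info):
    """String-valued items are emitted as plain text lines."""
    return "\n".join(val for val in info.values() if isinstance(val, str))


def to_dot(paths):
    """Risk path set -> Graphviz DOT digraph with the relation as edge label."""
    edges = []
    for path in paths:
        for i in range(0, len(path) - 2, 2):
            edges.append(f'  "{path[i]}" -> "{path[i + 2]}" [label="{path[i + 1]}"];')
    unique = list(dict.fromkeys(edges))  # drop edges shared by several paths
    return "digraph risk_paths {\n" + "\n".join(unique) + "\n}"


def render_report(info, paths, template=REPORT_TEMPLATE):
    """Fill the template with the converted risk information and path graph."""
    return template.substitute(
        risk_table=to_table(info),
        risk_text=to_text(info),
        path_count=len(paths),
        path_graph=to_dot(paths),
    )


if __name__ == "__main__":
    print(render_report(RISK_INFO, RISK_PATHS))
```

The DOT text can be rendered with the Graphviz `dot` command; de-duplicating edges matters because several first nodes usually share the final hops of a path to the same high-value second node, and drawing them once keeps the path graph legible.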
In a third aspect, an embodiment of the present application provides an electronic device, including: at least one processor, and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the at least one processor implementing the method according to the first aspect and any of the possible implementations described above by executing the instructions stored by the memory.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing computer instructions that, when run on a computer, cause the computer to perform a method as described in the first aspect and any one of the possible embodiments.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer instructions which, when run on a computer, cause the method according to the first aspect and any of the possible embodiments described above to be implemented.
The advantages of the second to fifth aspects may be referred to the description of the first aspect, and are not repeated here.
Drawings
Fig. 1 is an application scenario schematic diagram of a risk assessment method provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a risk assessment method according to an embodiment of the present application;
fig. 3 is a schematic flow chart for constructing an AD domain knowledge graph according to an embodiment of the present application;
fig. 4 is a schematic diagram of an AD domain knowledge graph according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a risk assessment device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For a better understanding of the technical solutions provided in the present application, the following description will be given with reference to the drawings and specific embodiments.
For ease of understanding, the following description will be made with respect to terms related to the embodiments of the present application.
1. Active Directory (AD) is a directory service developed by Microsoft for managing and organizing computers, users, groups, and other network resources in a Windows network environment. It is a hierarchical database system for storing and managing information of objects in a network (e.g., users, computers, printers, file sharing, security policies, etc.). Active Directory is part of the Windows Server operating system for building and maintaining Directory services for the network.
2. A discretionary access control list (DACL) is an access control list in the Windows operating system used to manage and control access rights to resources (e.g., files, folders, registry keys, etc.). A DACL defines which users or user groups have read, write, execute and other access to a resource. The DACL is part of the access control model that secures and protects resources.
3. The Local Administrator Password Solution (LAPS) manages the local account passwords of computers joined to an AD domain. The password is stored in AD and protected by an ACL, so only eligible users can read the password or request that it be reset.
In order to facilitate understanding of the technical solutions provided by the embodiments of the present application, the background technology related to the embodiments of the present application is first described herein.
At present, risk assessment of an AD domain is performed by staff, who assess the roles in the AD domain against a pre-set baseline. Baseline-driven assessment leads the staff to assess only some direct relationships in the AD domain while omitting some hidden relationships between roles. That is, current risk assessment is one-sided, leaving hidden risks in the AD domain and lowering its security. In addition, for large-scale AD domains the staff need to spend a lot of time to complete risk assessment of the whole domain, and the staff performing the assessment need rich AD domain management experience to detect risk information accurately. In summary, current AD domain risk assessment has low accuracy and efficiency, and is difficult to carry out.
In view of this, the embodiments of the application provide a risk assessment method that takes the complex logical relationships in an AD domain into account. Because the structure of a knowledge graph matches the structure of an AD domain, the roles and relationships in the AD domain are mapped onto a knowledge graph, which organizes the relationships between nodes in the AD domain, reduces the possibility that relationships between roles are overlooked, and makes comprehensive risk assessment of the AD domain possible. Specifically, the method constructs a knowledge graph of the AD domain based on the logic structure of the AD domain and the relationships between its nodes, and stores the relationship information of the nodes in the graph database corresponding to the knowledge graph. The set of risk paths connecting first nodes to second nodes and the risk information of the AD domain can then be queried directly from that graph database according to a preset query statement, and a risk assessment report is generated from the obtained risk path set, the risk information and a preset risk report template, where the risk information is obtained by filtering the graph database of the knowledge graph on a preset risk condition.
That is, according to the embodiments of the application, the logical architecture of the AD domain is mapped onto the knowledge graph, so the complex logical relationships of the AD domain are displayed clearly in the knowledge graph, the possibility of missing risk problems during risk assessment is reduced and the comprehensiveness of the assessment is improved; moreover, the risk information and risk path set of the AD domain can be queried simply by inputting a preset query statement, and the risk assessment report is generated from a preset risk report template, so staff no longer need to assess the many roles in the AD domain one by one, which improves the efficiency of AD domain risk assessment.
Fig. 1 is a schematic application scenario diagram of a risk assessment method according to an embodiment of the present application. As shown in fig. 1, the scenario includes a first device 110 and a second device 120. Wherein wired or wireless communication may be performed between the first device 110 and the second device 120.
The first device 110 is a terminal device, a terminal device set, a server or a server cluster running an AD domain, and the terminal device is, for example, a personal computer (personal computer, PC), a tablet computer, a notebook computer, a palm computer, a workstation, a printer, etc. running a microsoft Windows operating system. The second device 120 refers to a terminal device or a server having data processing capabilities as well as risk assessment capabilities, and the content of the terminal device may be referred to in correspondence with the foregoing.
For example, the second device 120 may obtain the logic structure of the AD domain and the relationship information of each node in the AD domain from the first device 110, and construct a knowledge graph of the AD domain and a graph database corresponding to the knowledge graph based on the logic structure of the AD domain and the relationship information of each node in the AD domain. When the risk assessment operation is carried out on the AD domain in the follow-up, the necessary information can be inquired and obtained from the graph database corresponding to the knowledge graph directly based on a preset inquiry statement, and a risk assessment report is generated based on a preset risk report template and a risk information and risk path set in the necessary information.
It should be noted that the first device 110 and the second device 120 may be the same device, or the first device 110 and the second device 120 may be different devices.
Referring to fig. 2, a flow chart of a risk assessment method according to an embodiment of the present application is shown. The embodiment shown in fig. 2 is applicable to the application scenario shown in fig. 1. The following description will be given by taking the example that the second device performs the steps shown in fig. 2, but the following method may be actually performed by other devices, which is not limited in this application. The second device in the embodiment shown in fig. 2 is, for example, the second device 120 shown in fig. 1, and the first device in the embodiment shown in fig. 2 is, for example, the first device 110 shown in fig. 1.
S201, the second device obtains the necessary information from the graph database of the knowledge graph of the AD domain according to a preset query statement, wherein the necessary information comprises risk information and a risk path set, the knowledge graph is constructed based on the logic structure of the AD domain and the relationship information of each node in the AD domain, and each risk path in the risk path set represents that the privileges of a first node in the AD domain can be escalated to the privileges of a second node in the AD domain.
Each node in the AD domain indicates one object (role) in the AD domain. Roles in an AD domain can be divided into seven classes: domain, user, group, OU, GPO, computer and container. The relationship information of each node of the AD domain is stored in the graph database of the knowledge graph of the AD domain. The knowledge graph of the AD domain is constructed based on the logic structure of the AD domain and the relationship information of each node in the AD domain, where the logic structure of the AD domain is itself built from the seven classes of roles in the AD domain. The relationship information of the nodes in the AD domain includes the relationship information of each node, which indicates the relationships between that node and other nodes, or, equivalently, between that role and other roles. Relationships include permission relationships, membership relationships, link relationships and so on; the relationships described in the embodiments of the present application should include all relationships between each role and other roles in the AD domain, and are not listed one by one here.
In one possible implementation manner, before the second device obtains the necessary information from the graph database of the knowledge graph of the AD domain based on the preset query statement, the second device may construct the knowledge graph of the AD domain based on the logic structure of the AD domain and the AD domain information, so as to obtain the necessary information from the knowledge graph later. The specific manner of constructing the AD domain knowledge graph by the second device will be described in detail with reference to a schematic flow chart of constructing the AD domain knowledge graph shown in fig. 3.
S301, the second device builds an initial knowledge graph model of the AD domain based on the logic structure of the AD domain and a pre-stored first relation set.
The logic structure of the AD domain is described above and is not repeated here. The first relation set is derived from a pre-stored attack knowledge base, for example the MITRE ATT&CK framework, which contains attack techniques against AD domains.
The second device obtains a set of attack means against the AD domain from the attack knowledge base; since the attack knowledge base stores many kinds of attack means, the second device needs to filter out those that attack AD domains. The second device analyses each attack means in the set to obtain the risk relationships between nodes in the AD domain, where a risk relationship represents the influence one of two nodes has on the security of the other. That is, the embodiment simulates an attacker using known attack means to find the paths an attacker could take, and defines the types and logic of the relationships between nodes from the resulting risk relationships. The second device composes the relationships so obtained into a first relation set, used to assist in constructing the AD domain knowledge graph; in other words, the first relation set is the reference relation set from which the second device constructs the initial AD domain knowledge graph.
For example, a user belonging to a user group is one type of relationship, denoted MemberOf, whose effect is that the user inherits the rights of the group. Such relationships may include: relationships in which a user or user group controls a computer, describing the various control rights the user has over the computer; permission relationships, modelled on the DACL in the Windows system, describing the permissions one role holds over another role, including generic permissions and extended permissions; and other rights relationships, including domain trust relationships, affiliation relationships between roles, link relationships between roles, containment relationships between roles, and session relationships between users and computers.
Specifically, the second device generates a class of nodes corresponding to each class of roles based on the role classification of the AD domain, where each class of roles further includes multiple roles, and each role corresponds to one node. The second device builds an initial knowledge graph model based on the nodes corresponding to each role and each reference relationship in the first relationship set.
S302, the second device acquires relation information of each node in the AD domain.
Wherein, the description of the relation information of each node can be correspondingly referred to the previous description. The relationship information of each of the respective nodes is obtained by the second device by traversing the AD domain information.
The second device obtains AD domain information from the AD domain, which may specifically be the AD domain information from the AD domain of the first device. The AD domain information includes object information and various kinds of attribute information in the AD domain. The object information comprises information of seven classes of objects of a domain, a user group, an OU, a GPO, a computer and a container, and each class of object corresponds to one class of attribute information. For example, the attribute information of the computer includes vulnerability information and session information. The object information and the attribute information of each class of objects are stored in the plurality of domain controllers DC of the AD domain in a classified manner, and therefore, the second device can directly acquire the object information and the various types of attribute information from the plurality of domain controllers DC. In addition, the second device may obtain a computer information list from the AD domain, and detect common vulnerability information from the computer information list, and session information in each computer.
In a possible implementation, when the second device is not the same device as the first device, the second device needs to receive the AD domain information sent by the first device. In this embodiment, to protect the AD domain information in transit, the first device may encrypt the AD domain information with a preset encryption algorithm and then send the encrypted AD domain information to the second device. The preset encryption algorithm is, for example, a symmetric encryption algorithm such as the advanced encryption standard (AES), or a linear hash algorithm; a specific example is AES-256.
In this embodiment, to make the second device's construction of the knowledge graph more efficient, the first device may further convert the AD domain information into a data format suited to the knowledge graph, for example JSON, and send the converted data to the second device.
After obtaining the AD domain information, the second device traverses and parses it: it extracts the relationship between each node and the other nodes from each type of attribute information in the AD domain information, and obtains each object in the AD domain from the object information. The second device matches each relationship between a node and the other nodes against a predefined relationship set and names it; concretely, the type and logic of each relationship are defined by the predefined relationship set. The second device records and stores the type, logic and name of each relationship between each node and the other nodes, which together form the relationship information of each node. The relationship types and logic defined in the predefined relationship set may also be produced by a technician from past experience of AD domain administration.
For example, the record of the user admin in the user data includes a MemberOf attribute, and that attribute contains the name of the user group Domain Admins, so the knowledge graph of the AD domain should include a MemberOf relationship between the user admin and the user group Domain Admins, written as (admin)-[MemberOf]->(Domain Admins). Other relationships are extracted in the same way as in this example, but from different data or attributes, and are not listed here.
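The extraction step above, shown as an added example in Python that is not code from the patent: a small table maps AD attributes to relationship types and edge direction, and each object record is walked once to produce the typed edges of the page's (source)-[Relation]->(target) notation. Only MemberOf is named on the page; the HasSession and Contains relations, the attribute names and the sample objects are assumptions constructed for this example.

```python
"""Extract typed relationships from AD object records (constructed sample data)."""
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source node, relation type, target node)

# Predefined relationship set: (attribute name, relation type, edge direction).
# "out" means object -> attribute value, "in" means attribute value -> object.
# Only MemberOf appears on the page; the other two rows are assumptions.
RELATION_RULES = [
    ("memberOf", "MemberOf", "out"),     # user/group is a member of a group
    ("sessions", "HasSession", "out"),   # computer has a logon session of a user
    ("ou", "Contains", "in"),            # the OU contains the object
]

# Constructed sample AD objects, not real directory data.
SAMPLE_OBJECTS: List[Dict] = [
    {"name": "admin", "class": "user", "memberOf": ["Domain Admins"]},
    {"name": "alice", "class": "user", "memberOf": ["Helpdesk"]},
    {"name": "Domain Admins", "class": "group", "memberOf": []},
    {"name": "Helpdesk", "class": "group", "memberOf": ["Remote Desktop Users"]},
    {"name": "WS01", "class": "computer", "ou": "Workstations",
     "sessions": ["admin", "alice"]},
    {"name": "Workstations", "class": "OU"},
]


def extract_relationships(objects: List[Dict]) -> List[Edge]:
    """Walk every object once and emit one edge per matched attribute value.

    Attributes that are not in the predefined relationship set are ignored,
    which is what keeps the graph limited to the relation types the
    assessment actually understands.
    """
    edges: List[Edge] = []
    for obj in objects:
        name = obj["name"]
        for attribute, relation, direction in RELATION_RULES:
            if attribute not in obj:
                continue
            values = obj[attribute]
            if not isinstance(values, list):
                values = [values]  # scalar attributes such as "ou"
            for value in values:
                if direction == "out":
                    edges.append((name, relation, value))
                else:
                    edges.append((value, relation, name))
    return edges


def format_edge(edge: Edge) -> str:
    """Render an edge in the page's graph notation, e.g. (admin)-[MemberOf]->(Domain Admins)."""
    source, relation, target = edge
    return f"({source})-[{relation}]->({target})"


def relationship_info(objects: List[Dict]) -> Dict[str, List[Edge]]:
    """Group the extracted edges by source node: the per-node relationship information."""
    info: Dict[str, List[Edge]] = {obj["name"]: [] for obj in objects}
    for edge in extract_relationships(objects):
        info.setdefault(edge[0], []).append(edge)
    return info


if __name__ == "__main__":
    for node, edges in relationship_info(SAMPLE_OBJECTS).items():
        for edge in edges:
            print(format_edge(edge))
```

Because the rule table drives extraction, adding a relation type is a one-line change and the extraction logic never needs to know about a specific attribute; that is the property the page attributes to its predefined relationship set.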
S303, the second device processes the initial knowledge-graph model according to the relation information of each node to obtain the knowledge-graph of the AD domain.
The second device creates, in the knowledge graph of the AD domain, a node for each object obtained, and stores the object information and attribute information of each object in its node. The second device then creates the corresponding paths between nodes according to the relationship information of the nodes, producing the knowledge graph; an edge connecting one node to another represents a relationship between the two nodes. Accordingly, the second device stores the relationship information of each node and the object information and attribute information of each object in the graph database corresponding to the knowledge graph.
It should be noted that, the roles in the AD domain, and the relationship between each role and other roles are not completely fixed, and an increase or decrease in roles or a change in relationship may occur in the AD domain, so the second device needs to acquire relationship information of each node in the AD domain from the AD domain before performing risk assessment on the AD domain. Or the second device correspondingly adjusts the knowledge graph based on the increase or decrease of the roles or the change of the relationships in the AD domain so as to obtain an updated knowledge graph.
After the second device builds and stores the AD domain knowledge graph and the graph database of the knowledge graph, the second device can acquire necessary information from the graph database of the AD knowledge graph according to a preset query statement, wherein the necessary information comprises risk information and a risk path set.
Each risk path in the risk path set represents a way in which the authority of a first node in the AD domain can be elevated to the authority of a second node in the AD domain. Specifically, a risk path in the risk path set indicates a path connecting the first node and the second node; along that path the authority of the first node is at risk of being controlled and escalated to the authority of the second node. The authority of the first node in the AD domain is lower than that of the second node, and the first node is a node with hidden or low risk. That is, the first node is a low-authority node of the AD domain with a hidden or low risk, and the second node is a high-authority node of the AD domain. A connection path therefore exists between the first node and the high-authority node; it may also be described as a path through which the first node can reach the high-authority node via some chain of relationships. When a path from the first node to the second node exists, the first node in the current AD domain has an opportunity to achieve privilege escalation, that is, a risk of illegal intrusion exists.
A low-authority node is a node that has no management authority or can manage only a few other nodes in the AD domain; typical examples are ordinary users and computer accounts. A high-authority node is a node that can control a large number of roles in the AD domain or read the sensitive information of a large number of roles, or a user or user group holding broad control authority in the AD domain; for example, the domain administrators group, meaning every user belonging to that group, has unrestricted management authority in the AD domain. High-authority nodes include, but are not limited to: domain administrator groups and their users, enterprise administrator groups and their users, schema administrator groups and their users, account operator groups and their users, backup operator groups and their users, group policy administrator groups and their users, and domain controllers.
It can be understood that the authority levels of the nodes in the AD domain may be set by a technician based on actual requirements, and the authority levels of the same node may be different or the same under different requirements, which is not limited in the embodiment of the present application.
In a possible embodiment, the preset query statement includes a first query statement, which indicates that information containing a preset risk condition is to be obtained, and a second query statement, which obtains the paths between each first node in the first node set and the second nodes connected to it. The second device obtains the risk information of the AD domain based on the first query statement and the risk path set of the AD domain based on the second query statement. How the second device obtains the risk information and the risk path set from the first and second query statements respectively is described below.
1. The first query statement.
According to the first query statement, the second device queries the graph database of the knowledge graph for the nodes, node relationships and node counts that meet the preset risk condition. Specifically, the second device inspects the attribute information of each node in turn, and determines as risk information: the information of the nodes containing the preset risk condition, the information of their relationships with other nodes that have the preset risk condition, and the number of nodes meeting the preset risk condition. The preset risk condition may be preconfigured in the second device and indicates nodes that contain security vulnerability information and/or non-compliant configuration items. Risk information includes, but is not limited to: basic information of the AD domain, user and user group risk information of the AD domain, computer risk information of the AD domain, GPO and container risk information of the AD domain, and the overview risk of the AD domain. The second device evaluates the attribute information of a node; for example, for user and user group risks in the AD domain, which include users with an empty password, users who have not logged in for a long time, users who have not changed their password for a long time, and the like, it decides from the user's attribute information whether the user's current state contains a risk. Some risks are obtained through statistics; for example, the session ranking in the user risks is obtained by counting the sessions of each user on the computers of the AD domain. The overview risk is the distribution of the risk counts of the other risk items, and mainly shows the proportion of each kind of risk.
The risk information described above is exemplified below, respectively.
1. Basic information of the AD domain, including but not limited to: the number of nodes of each type in the AD domain, the trust relationships of the AD domain, the administrator groups and their user lists, the domain controller list, the member count of each OU, and the node count of the high-frequency service components.
2. User and user group risks of the AD domain, including but not limited to: the ratio of active to inactive users in the domain; users whose session count exceeds a first threshold, with the user count and session count; users whose privilege count exceeds a second threshold, with the user count and privilege count (a privilege is a right that directly controls an object, including write rights, write rights on key attributes, write rights on the DACL, local administrator rights, remote interactive logon rights, and the like); and users with weak configuration together with the corresponding risk, such as users allowed to have a blank password.
3. Computer risks of the AD domain, including but not limited to: vulnerability information of computers, the LAPS configuration ratio, the computer names and delegation information for constrained delegation, unconstrained delegation and resource-based constrained delegation, and computers whose session count exceeds a third threshold.
4. GPO and container risks of the AD domain, including but not limited to: GPOs whose number of applications exceeds a fourth threshold together with that number, the list of GPO logon scripts, and GPOs with weak configuration together with the corresponding risk, such as GPOs that non-administrators can modify.
5. The overview risk of the AD domain, comprising: a risk statistics table of the risk items in parts 1 to 4 whose risk count exceeds a fifth threshold (only parts whose risks are non-empty are counted), and the names and risk counts of the user, user group, computer and GPO objects whose risk count exceeds a sixth threshold.
The first threshold, the second threshold, the third threshold, the fourth threshold, the fifth threshold, and the sixth threshold may be preconfigured in the second device, and may be set based on actual requirements, which is not limited in the embodiment of the present application.
It should be noted that the risks illustrated in the foregoing examples 1-5 are only a part of examples of risk information of the AD domain in the embodiments of the present application, and the risk information in the embodiments of the present application includes all risk information in the AD domain, which is not listed here.
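The first query statement evaluates preset risk conditions over node attributes and then counts and ranks the hits; the following Python is an added example of that evaluation and is not code from the patent. The risk conditions are the user risks named above (empty password allowed, no logon for a long time, password unchanged for a long time, session count over the first threshold, privilege count over the second threshold). The threshold values, the attribute names, the fixed reference date and the sample users are all assumptions constructed for the example; the page leaves the thresholds to configuration.

```python
"""Evaluate preset risk conditions over constructed AD user records."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Threshold values are assumptions; the page says they are preconfigured.
INACTIVE_DAYS = 90          # "no logon for a long time"
STALE_PASSWORD_DAYS = 180   # "password not changed for a long time"
SESSION_THRESHOLD = 3       # the page's first threshold
PRIVILEGE_THRESHOLD = 5     # the page's second threshold

# Fixed reference time so the example is deterministic.
NOW = datetime(2024, 1, 1)

# Constructed sample users, not real directory data.
SAMPLE_USERS: List[Dict] = [
    {"name": "svc_backup", "password_not_required": True,
     "last_logon": NOW - timedelta(days=400),
     "pwd_last_set": NOW - timedelta(days=700), "sessions": 0, "privileges": 1},
    {"name": "alice", "password_not_required": False,
     "last_logon": NOW - timedelta(days=2),
     "pwd_last_set": NOW - timedelta(days=30), "sessions": 1, "privileges": 0},
    {"name": "helpdesk01", "password_not_required": False,
     "last_logon": NOW - timedelta(days=1),
     "pwd_last_set": NOW - timedelta(days=200), "sessions": 5, "privileges": 7},
]

# The preset risk conditions: (risk item name, predicate over a user and the reference time).
RISK_CHECKS: List[Tuple[str, Callable[[Dict, datetime], bool]]] = [
    ("empty_password_allowed", lambda u, now: u["password_not_required"]),
    ("no_logon_long_time", lambda u, now: (now - u["last_logon"]).days > INACTIVE_DAYS),
    ("password_unchanged_long_time",
     lambda u, now: (now - u["pwd_last_set"]).days > STALE_PASSWORD_DAYS),
    ("sessions_over_threshold", lambda u, now: u["sessions"] > SESSION_THRESHOLD),
    ("privileges_over_threshold", lambda u, now: u["privileges"] > PRIVILEGE_THRESHOLD),
]


def evaluate_user_risks(users: List[Dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {user name: [risk items hit]} for every user with at least one hit."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        hits = [name for name, check in RISK_CHECKS if check(user, now)]
        if hits:
            findings[user["name"]] = hits
    return findings


def risk_counts(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Number of users per risk item (the 'number of nodes' part of the risk information)."""
    counts = {name: 0 for name, _ in RISK_CHECKS}
    for hits in findings.values():
        for name in hits:
            counts[name] += 1
    return counts


def overview_ratio(counts: Dict[str, int]) -> Dict[str, float]:
    """Share of each risk item among all findings: the page's overview risk distribution."""
    total = sum(counts.values())
    if total == 0:
        return {name: 0.0 for name in counts}
    return {name: count / total for name, count in counts.items()}


def session_ranking(users: List[Dict]) -> List[Tuple[str, int]]:
    """Users ordered by session count, descending: the statistical session ranking."""
    return sorted(((u["name"], u["sessions"]) for u in users), key=lambda x: -x[1])


if __name__ == "__main__":
    found = evaluate_user_risks(SAMPLE_USERS)
    print(found)
    print(risk_counts(found))
    print(overview_ratio(risk_counts(found)))
    print(session_ranking(SAMPLE_USERS))
```

Keeping the checks in a list of named predicates mirrors the page's separation between the query statement (which conditions to look for) and the evaluation (walking node attributes), and the count and ratio functions are exactly the aggregates the report's overview section needs.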
2. The second query statement.
According to the second query statement, the second device traverses the first nodes in the knowledge graph to obtain the first node set. Illustratively, the second device selects from the risk information the low-authority nodes that can be attacked directly, and takes those nodes as the first node set. For example, first nodes such as Kerberoastable users and vulnerable hosts are already identified in the risk information.
The second device then determines, for each first node in the first node set, at least one second node connected to it in the knowledge graph; a first node being connected to a second node means that a relationship exists between them and that this relationship can affect the security of the second node. The second device takes the path between each first node and each of the second nodes connected to it as a risk path, performs this operation for every first node in the first node set to obtain at least one risk path per first node, and combines the risk paths of all first nodes into the risk path set.
Several classes of risk paths included in the set of risk paths are illustrated below.
1. The path from an ordinary user to the second node, that is, a path that lets an attacker escalate from an ordinary user to the authority of the second node. It is part of the graph database, and the starting point of such a path represents a hidden risk that the prior art cannot detect; the same holds for the other paths described below.
2. The shortest path from a Kerberoastable user to the second node. The password of a Kerberoastable user can be brute-forced and the user is easily controlled by an attacker, so the starting point of such a path should, as far as possible, be hidden.
3. The shortest path from a vulnerable host to the second node. A vulnerable host is a host with a common vulnerability on an AD domain path, where common vulnerabilities are Windows vulnerabilities that allow code execution on the host, including remote code execution vulnerabilities of AD domain services, SMB protocol vulnerabilities, Exchange remote code execution vulnerabilities and the like. An attacker can take control of such a host directly by exploiting the vulnerability, so the starting point of such a path should also, as far as possible, be hidden.
4. The path from an AS-REP roastable user to the second node, which is similar to the Kerberoastable user case: because the AD domain user does not have pre-authentication enabled, a response that reveals whether the password is correct is returned even when the password is wrong, so the password of the AD domain account can be brute-forced and the account is easily controlled by an attacker. The starting point of such a path should therefore also, as far as possible, be hidden.
It should be noted that the above-described risk path is only a representative of the path from the first node to the second node, and the risk path should also include other paths that originally have a low risk and can reach the second node.
By way of example, a specific manner in which the second device determines the risk path will be illustrated below in connection with a schematic diagram of an AD domain knowledge graph as shown in fig. 4.
Referring to fig. 4, a schematic diagram of an AD domain knowledge graph provided in an embodiment of the present application, the knowledge graph includes a plurality of nodes, namely node A, node B, node C, node D, node E, node F, node G, node H, node J, node K, node L, node M and node N. One edge in the knowledge graph represents one relationship. If nodes A and K are first nodes and nodes H and L are second nodes, then A, C, H form one risk path and K, L form another risk path.
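The risk path determination of fig. 4, carried out in Python as an added example that is not code from the patent. The graph uses the figure's node names A to N, with first nodes A and K and second nodes H and L; only the edges A-C, C-H and K-L follow the page, and every other edge, together with the relation labels on the edges, is an assumption constructed so that the breadth-first search has cycles and dead ends to handle. The search follows directed edges from each first node and returns the shortest path to each reachable second node, which is the "shortest path from the first node to the second node" the page describes.

```python
"""Find risk paths (shortest first-node to second-node paths) in a constructed AD graph."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

NODES = list("ABCDEFGHJKLMN")  # the node names of fig. 4

# Directed, labelled edges. Only A->C, C->H and K->L follow the page; the rest,
# and the relation labels, are assumptions constructed for this example.
EDGES: List[Tuple[str, str, str]] = [
    ("A", "C", "MemberOf"), ("C", "H", "AdminTo"), ("K", "L", "HasSession"),
    ("A", "B", "MemberOf"), ("B", "D", "MemberOf"), ("D", "G", "Contains"),
    ("G", "A", "AdminTo"),                      # cycle back to A
    ("F", "E", "MemberOf"), ("E", "H", "AdminTo"),  # reaches H, but F is not a first node
    ("J", "M", "MemberOf"), ("M", "N", "Contains"),
]

FIRST_NODES: Set[str] = {"A", "K"}   # low-authority nodes with hidden or low risk
SECOND_NODES: Set[str] = {"H", "L"}  # high-authority nodes

Adjacency = Dict[str, List[Tuple[str, str]]]


def build_graph(edges: List[Tuple[str, str, str]]) -> Adjacency:
    """Adjacency list: node -> [(neighbour, relation)], every node present even if isolated."""
    adj: Adjacency = {n: [] for n in NODES}
    for source, target, relation in edges:
        adj.setdefault(source, []).append((target, relation))
        adj.setdefault(target, [])
    return adj


def shortest_path(adj: Adjacency, start: str, goal: str) -> Optional[List[str]]:
    """Breadth-first search over directed edges; returns the node list or None if unreachable."""
    if start == goal:
        return [start]
    parent: Dict[str, str] = {start: ""}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour, _ in adj[node]:
            if neighbour in parent:
                continue  # already visited; this is what makes cycles safe
            parent[neighbour] = node
            if neighbour == goal:
                path = [goal]
                while parent[path[-1]]:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(neighbour)
    return None


def risk_path_set(adj: Adjacency, first_nodes: Set[str],
                  second_nodes: Set[str]) -> Dict[Tuple[str, str], List[str]]:
    """One shortest path per (first node, second node) pair that is actually connected."""
    paths: Dict[Tuple[str, str], List[str]] = {}
    for first in sorted(first_nodes):
        for second in sorted(second_nodes):
            path = shortest_path(adj, first, second)
            if path is not None:
                paths[(first, second)] = path
    return paths


def describe_path(adj: Adjacency, path: List[str]) -> str:
    """Render a path with its edge relations, e.g. (A)-[MemberOf]->(C)-[AdminTo]->(H)."""
    text = f"({path[0]})"
    for here, there in zip(path, path[1:]):
        relation = next(r for n, r in adj[here] if n == there)
        text += f"-[{relation}]->({there})"
    return text


def risk_path_graph(paths: Dict[Tuple[str, str], List[str]]) -> Dict[str, Set[str]]:
    """Start nodes, end nodes and all nodes on risk paths: the content of the report's path diagram."""
    return {
        "starts": {first for first, _ in paths},
        "ends": {second for _, second in paths},
        "nodes": {node for path in paths.values() for node in path},
    }


if __name__ == "__main__":
    graph = build_graph(EDGES)
    found = risk_path_set(graph, FIRST_NODES, SECOND_NODES)
    for (first, second), path in found.items():
        print(first, "->", second, ":", describe_path(graph, path))
    print(risk_path_graph(found))
```

Node E also reaches H, but because F and E are not in the first node set no path through them is reported; the first node set, taken from the risk information, is what keeps the path query focused on nodes an attacker could plausibly start from rather than every node that happens to be connected to a high-authority node.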
S202, the second device generates a risk assessment report based on a preset risk report template, risk information and a risk path set.
The preset risk report template comprises multiple risk items, a risk description for each, the harm of each risk, the risk details to be filled in, and a remediation scheme for each risk. The risk items include, but are not limited to: basic information of the AD domain, user and user group risks of the AD domain, computer risks of the AD domain, GPO and container risks of the AD domain, the overview risk of the AD domain, paths from ordinary users to the second node, shortest paths from Kerberoastable users to high-authority nodes, shortest paths from vulnerable hosts to high-authority nodes, paths from AS-REP roastable users to the second node, and the like, which are not listed exhaustively here.
The second device fills the risk information and the risk path set into the risk details to be filled in the preset risk report template, and thereby obtains the risk assessment report.
In one possible implementation, to improve the readability of the risk assessment report, the risk information and the risk path set may be processed before being filled into the preset risk report template. Specifically, the second device converts the risk information into one or more of graph, text and table form according to the data types in the risk information, and generates a risk path graph from the risk path set and the nodes involved in it; concretely, the risk path graph is constructed by determining the start node and end node of each risk path. The second device then fills the converted risk information and the risk path graph into the preset risk report template to obtain the risk assessment report.
For example, the second device may convert information about proportions into a distribution chart and statistical information into a table: the number of nodes of each type in the AD domain becomes a node-count distribution chart, and the member count of each OU becomes a table.
Based on the same inventive concept, an embodiment of the present application provides a risk assessment device configured to implement any one of the risk assessment methods described above, for example the risk assessment method shown in fig. 2, and which may further implement the functions of the second device.
Fig. 5 is a schematic structural diagram of a risk assessment device according to an embodiment of the present application. As shown in fig. 5, the risk assessment apparatus 500 includes an acquisition module 501 and an assessment module 502.
The obtaining module 501 is configured to obtain, according to a preset query statement, necessary information from a graph database of a knowledge graph of an active directory AD domain, where the necessary information includes risk information and a risk path set; the knowledge graph is constructed based on the logic structure of the AD domain and the relation information of each node in the AD domain, and each risk path in the risk path set represents the authority of a first node in the AD domain to be improved to the authority of a second node in the AD domain; the evaluation module 502 is configured to generate a risk evaluation report based on a preset risk report template, risk information, and a risk path set.
In a possible implementation manner, the risk assessment apparatus 500 further includes a determining module 503, where the determining module 503 is configured to construct an initial knowledge graph model of the AD domain based on the logic structure of the AD domain and a pre-stored first relationship set before obtaining necessary information from a graph database of the knowledge graph of the AD domain of the active directory according to a preset query statement; the obtaining module 501 is further configured to obtain relationship information of each node in the AD domain, where the relationship information of each node in the AD domain is used to indicate a relationship between each node and other nodes; the determining module 503 is further configured to process the initial knowledge-graph model according to the relationship information between the nodes, and obtain a knowledge-graph of the AD domain.
In one possible implementation, the obtaining module 501 is specifically configured to: acquiring AD domain information, wherein the AD domain information comprises object information and various attribute information in the AD domain; traversing the AD domain information, and analyzing the relation between each node and other nodes from the AD domain information according to a predefined relation set, wherein the relation set comprises a first relation set; based on the relationship between each node and other nodes, relationship information of each node in the AD domain is obtained.
In a possible implementation manner, the obtaining module 501 is further configured to obtain an attack means set for the AD domain from an attack knowledge base; the determining module 503 is further configured to parse and obtain a risk relationship between each node in the AD domain by using each attack means in the attack means set, and obtain the first relationship set according to the risk relationship between each node.
In a possible implementation manner, the preset query statement includes a first query statement, where the first query statement is used to indicate that information including a preset risk condition is acquired; the obtaining module 501 is specifically configured to: according to the first query statement, nodes, node relations and node quantity which accord with preset risk conditions are queried from a graph database of the knowledge graph; and generating the information corresponding to the nodes, the node relations and the node quantity which meet the preset risk conditions as risk information.
In a possible implementation manner, the preset query statement further comprises a second query statement, and the second query statement is used for acquiring a path between second nodes connected with each first node in the first node set; the obtaining module 501 is specifically configured to: traversing the first node set in the knowledge graph according to the second query statement; determining at least one second node connected with each first node in the first node set from the knowledge graph; determining a path between each second node in at least one second node connected with each first node as a risk path, and obtaining at least one risk path corresponding to each first node; and obtaining a risk path set according to at least one risk path corresponding to each first node.
In one possible implementation, the evaluation module 502 is specifically configured to: converting the risk information into one or more of a graph, a text and a table format according to the data type in the risk information; generating a risk path graph based on the risk path set and nodes related to the risk path set; and filling the risk information and the risk path diagram after the format conversion into a preset risk report template to obtain a risk assessment report.
Based on the same inventive concept, the embodiment of the present application provides an electronic device, where the electronic device is configured to implement any one of the risk assessment methods described above, for example, the risk assessment method shown in fig. 2, and the device may further implement the function of the second device.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 6, the electronic device 600 includes: at least one processor 601, and a memory 602 communicatively coupled to the at least one processor 601.
The processor 601 may be a general-purpose processor or a special-purpose processor. The processor 601 includes, for example: baseband processor or central processing unit, etc. The baseband processor may be used to process communication protocols as well as communication data. The central processor may be used to control the electronic device 600, execute software programs, and/or process data. The different processors may be separate devices or may be provided in one or more processing circuits, e.g. integrated on one or more application specific integrated circuits.
In an embodiment, the memory 602 stores instructions executable by the at least one processor 601, and the at least one processor 601 performs the functions of the second device as described above by executing the instructions stored in the memory, and correspondingly, performs the steps performed by the second device as described above.
In such an implementation, the electronic device 600 may also implement the functions of the risk assessment apparatus 600 described above, and the at least one processor 601 in the electronic device 600 may also implement the functions of the acquisition module 501, the assessment module 502 and the determining module 503 described above.
Based on the same inventive concept, embodiments of the present application provide a computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform a risk assessment method as described above, for example, the risk assessment method shown in fig. 2.
Based on the same inventive concept, an embodiment of the present application provides a computer program product, which contains computer instructions that, when run on a computer, cause the risk assessment method as described above, for example, the risk assessment method shown in fig. 2, to be implemented.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A risk assessment method, comprising:
acquiring necessary information from a graph database of a knowledge graph of an active directory AD domain according to a preset query statement, wherein the necessary information comprises risk information and a risk path set; the knowledge graph is constructed based on the logic structure of the AD domain and the relation information of each node in the AD domain, and each risk path in the risk path set represents the authority capable of improving the authority of a first node in the AD domain to the authority of a second node in the AD domain;
and generating a risk assessment report based on a preset risk report template, the risk information and the risk path set.
2. The method according to claim 1, wherein before obtaining necessary information from a graph database of a knowledge graph of an active directory AD domain according to a preset query statement, the method further comprises:
constructing an initial knowledge graph model of the AD domain based on the logic structure of the AD domain and a pre-stored first relation set;
acquiring relationship information of each node in the AD domain, wherein the relationship information of each node in the AD domain is used for indicating the relationship between each node and other nodes;
and processing the initial knowledge graph model according to the relationship information among the nodes to obtain the knowledge graph of the AD domain.
3. The method of claim 2, wherein obtaining relationship information for each node in the AD domain comprises:
acquiring the AD domain information, wherein the AD domain information comprises object information and various attribute information in the AD domain;
traversing the AD domain information, and analyzing the relation between each node and other nodes from the AD domain information according to a predefined relation set, wherein the relation set comprises the first relation set;
and obtaining the relationship information of each node in the AD domain based on the relationship between each node and other nodes.
4. The method according to claim 2, wherein the method further comprises:
acquiring an attack means set aiming at the AD domain from the attack knowledge base;
analyzing and acquiring risk relations among all nodes in the AD domain by utilizing each attack means in the attack means set;
and acquiring the first relation set according to the risk relation among the nodes.
5. The method of claim 1, wherein the preset query statement comprises a first query statement, the first query statement being used for indicating to obtain information containing preset risk conditions;
obtaining necessary information from a graph database of the knowledge graph of the active directory AD domain according to a preset query statement, wherein the necessary information comprises the following steps:
inquiring nodes, node relations and node quantity which accord with preset risk conditions from a graph database of the knowledge graph according to the first inquiry statement;
and generating the information corresponding to the nodes, the node relationships and the node quantity which meet the preset risk conditions into the risk information.
6. The method of claim 1, wherein the preset query statement further comprises a second query statement for obtaining the paths between each first node in the first node set and the second nodes connected to it;
and obtaining the necessary information from the graph database of the knowledge graph of the active directory AD domain according to the preset query statement comprises:
traversing the first node set in the knowledge graph according to the second query statement;
determining, from the knowledge graph, at least one second node connected to each first node in the first node set;
determining the path between each first node and each of its at least one connected second node as a risk path, so as to obtain at least one risk path for each first node;
and obtaining the risk path set from the at least one risk path corresponding to each first node.
7. The method of any of claims 1-6, wherein generating a risk assessment report based on a preset risk report template, the risk information, and the set of risk paths comprises:
converting the risk information into one or more of a graph, text and table format according to the data type of the risk information;
generating a risk path graph based on the risk path set and the nodes involved in the risk path set;
and filling the format-converted risk information and the risk path graph into the preset risk report template to obtain the risk assessment report.
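Claims 4 to 7 describe a pipeline: filter the AD relationships down to those an attack knowledge base marks as authority-raising (the first relationship set), query the resulting graph for nodes that meet a preset risk condition, walk from each first node to the second nodes to collect risk paths, and fill a report template. The following is an added illustration written for this page, not the patent's own implementation; the node names, the edge types treated as risky and the risk condition are all constructed assumptions.

```python
from collections import deque
from string import Template

# Constructed (source node, relation type, target node) triples for a fictional AD domain, not from the patent.
AD_RELATIONS = [
    ("alice@corp.local", "MemberOf", "Helpdesk@corp.local"),
    ("Helpdesk@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "Domain Admins@corp.local"),
    ("alice@corp.local", "CanRDP", "WS02.corp.local"),
    ("carol@corp.local", "GenericAll", "Domain Admins@corp.local"),
]
# Assumed first relationship set (claim 4): edge types that raise the source's authority to the target's.
RISK_RELATIONS = {"MemberOf", "AdminTo", "HasSession", "GenericAll"}
HIGH_VALUE = {"Domain Admins@corp.local"}  # assumed second-node set

def build_graph(relations, risk_relations=RISK_RELATIONS):
    """Adjacency list of the knowledge graph, keeping only risk edges (CanRDP is dropped)."""
    graph = {}
    for src, rel, dst in relations:
        if rel in risk_relations:
            graph.setdefault(src, []).append((rel, dst))
    return graph
def risk_info(graph, targets=HIGH_VALUE):
    """Claim 5: nodes with a direct risk edge into a high-value node, and their count."""
    hits = sorted(s for s, edges in graph.items() if any(d in targets for _, d in edges))
    return {"condition": "direct risk edge into high-value node",
            "nodes": hits, "count": len(hits)}
def risk_paths(graph, first_nodes, second_nodes=HIGH_VALUE):
    """Claim 6: BFS over risk edges from each first node to the second nodes."""
    paths = []  # each path is [node, relation, node, ..., node]
    for start in first_nodes:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if path[-1] in second_nodes:
                paths.append(path)
                continue  # reached a second node: record it, do not expand further
            for rel, nxt in graph.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [rel, nxt])
    return paths

def render_report(info, paths):
    """Claim 7: convert risk information to text and fill the report template."""
    tpl = Template("Condition: $cond\nMatching nodes ($n): $nodes\nRisk paths:\n$paths")
    return tpl.substitute(cond=info["condition"], n=info["count"],
                          nodes=", ".join(info["nodes"]) or "none",
                          paths="\n".join(" ".join(p) for p in paths) or "none")
```

In the constructed sample the report shows that alice reaches Domain Admins only through a four-hop chain while carol has a direct GenericAll edge, which is the kind of finding a defender would prioritise for remediation.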
8. A risk assessment apparatus, comprising:
an acquisition module configured to acquire necessary information from a graph database of a knowledge graph of an active directory AD domain according to a preset query statement, the necessary information comprising risk information and a risk path set; wherein the knowledge graph is constructed based on the logical structure of the AD domain and the relationship information of each node in the AD domain, and each risk path in the risk path set represents a path capable of raising the authority of a first node in the AD domain to the authority of a second node in the AD domain;
and an evaluation module configured to generate a risk assessment report based on a preset risk report template, the risk information and the risk path set.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor implements the method of any one of claims 1-7 by executing the instructions stored in the memory.
10. A computer readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-7.
CN202311657291.7A 2023-12-05 2023-12-05 Risk assessment method and device and electronic equipment Pending CN117811773A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311657291.7A CN117811773A (en) 2023-12-05 2023-12-05 Risk assessment method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN117811773A true CN117811773A (en) 2024-04-02

Family

ID=90420830

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination