TWI738078B - Penetration test monitoring server and system - Google Patents


Info

Publication number
TWI738078B
Authority
TW
Taiwan
Prior art keywords
attack
attacker
target website
report
virtual
Application number
TW108136439A
Other languages
Chinese (zh)
Other versions
TW202115597A (en)
Inventor
徐千洋
陳仁偉
林逸
Original Assignee
可立可資安股份有限公司
Application filed by 可立可資安股份有限公司
Priority to TW108136439A
Publication of TW202115597A
Application granted
Publication of TWI738078B

Abstract

The present invention discloses a penetration test monitoring server and system, comprising: an attacking terminal for carrying out a hacking exercise against a target website; a monitoring server electrically connected to the target website and to the attacking terminal and comprising a virtual platform and an analysis platform, wherein the virtual platform provides a virtual account and the attacking terminal, after logging into the virtual account, carries out the hacking exercise through the target website, and the analysis platform is electrically connected to the virtual platform to record the hacking exercise carried out by the attacking terminal; and an observation terminal electrically connected to the monitoring server and to the attacking terminal for monitoring the attacking terminal. By having the monitoring server monitor and record the attack behaviour of the attacking terminal, the present invention prevents the attacking terminal from covertly inserting virus programs during the security test and improves the quality of protection during security testing.

Description

Penetration test monitoring server and system

The present invention is a penetration test monitoring server and system, and in particular a server and system that can monitor every attack action of the attacking terminal while a security assessment is being carried out.

Refer to Figure 3, a schematic diagram of a conventional security architecture test. In the conventional technique for checking whether the security protection of a target website 90 has vulnerabilities, the owner of the target website 90 engages a security company to carry out the security assessment. The security company provides an attacking terminal 80 that plays the role of a hacker and attacks the target website 90 to test whether its firewall and other security protection measures are adequate, and then produces a security report 81 containing the test results. The security report 81 records whether the security protection measures of the target website 90 have weaknesses, where the weak areas are located, and against which kinds of attack the protection is weaker.

During the test, however, the owner of the target website 90 generally cannot know the details of the various attack simulations carried out by the security company. If the security company secretly implants a Trojan horse or other spyware or virus in the target website 90 during the test, gaining the opportunity to covertly monitor the target website 90 or to deliberately paralyse it now or in the future, it is difficult for the owner of the target website 90 to prevent such unauthorised implantation of malicious software while the test is in progress.

To prevent interruption of the target website's related services during testing, and to prevent an unscrupulous security company from implanting malicious software without authorisation and causing even more serious security problems, the present invention provides a penetration test monitoring server and system. The monitoring server provides a virtual platform that requires login rights, so that a security company carrying out a security test must log into the virtual platform before it can perform simulated attacks. At the same time, the virtual platform records every attack command issued by the security company, so that a trusted third party can monitor in real time, or inspect afterwards, whether malicious software has been implanted, and a complete third-party record of the security company's actions is retained, making it easier to establish responsibility in a later audit.

To achieve the above object, the penetration test monitoring system disclosed by the present invention comprises: an attacking terminal for carrying out a hacking exercise against a target website and generating a first attack report from the results of the attack on the target website; a monitoring server electrically connected to the target website and to the attacking terminal and comprising a virtual platform and an analysis platform, wherein the virtual platform carries the software tools used by the attacking terminal to carry out the hacking exercise and provides a virtual account, the attacking terminal, after logging into the virtual account, carries out the hacking exercise against the target website through the virtual platform, and the analysis platform is electrically connected to the virtual platform to record the hacking exercise carried out by the attacking terminal on the virtual platform and to receive the first attack report; and an observation terminal electrically connected to the monitoring server and to the attacking terminal for monitoring the attacking terminal, collecting the results of the attack on the target website to generate a second attack report, and transmitting the second attack report to the analysis platform.

The present invention further provides a penetration test monitoring server electrically connected to a target website, an attacking terminal and an observation terminal. The penetration test monitoring server comprises: a virtual platform that carries the software tools used by the attacking terminal to carry out the hacking exercise and provides a virtual account, the attacking terminal, after logging into the virtual account, carrying out the hacking exercise against the target website through the virtual platform; and an analysis platform electrically connected to the virtual platform to record the hacking exercise carried out by the attacking terminal on the virtual platform and to receive the first attack report.

By providing one or more virtual machines in the monitoring server, the present invention has the attacking terminal log into a virtual machine to perform its simulated attacks during the security test, and the one or more virtual machines record every attack action the attacking terminal performs. This prevents the attacking terminal from implanting malicious software in the target website without authorisation and reduces the risk that the target website is later paralysed or attacked through malicious software implanted during the security test.

Refer to Figure 1. The present invention is a penetration test monitoring system executed by a monitoring server 20 and comprising an attacking terminal 10, the monitoring server 20 and an observation terminal 30. The attacking terminal 10 and the observation terminal 30 may be provided by a security company while the provider of the target website provides the monitoring server 20; the security company may divide itself internally into the attacking terminal 10, which plays the hacker, and the observation terminal 30, which plays the security maintenance engineer; or one security company may provide the attacking terminal 10 to simulate hacker attacks while another security company of high trustworthiness provides the observation terminal 30. The observation terminal 30 observes the attack data while the attacking terminal 10 attacks the target website and produces the security report for the target website, and the monitoring server 20 monitors every attack action of the attacking terminal 10 at all times, preventing the attacking terminal 10 from covertly implanting Trojan horses or other programs that would endanger security under the guise of penetration testing.

The attacking terminal 10 is used to carry out a hacking exercise against a target website 40 and can generate a first attack report from the results of the attack on the target website 40. The attacking terminal 10 may consist of a hacker or of a first security company. For example, the hacking exercise may be penetration testing (PT) or red teaming.

The monitoring server 20 is electrically connected to the target website 40 and to the attacking terminal 10 and comprises a virtual platform 21 and an analysis platform 22. The virtual platform 21 carries the software tools used by the attacking terminal 10 to carry out the hacking exercise and provides a virtual account; the attacking terminal 10 must log into the virtual account before it can carry out the hacking exercise against the target website 40 through the virtual platform 21. The software tools may include, but are not limited to, IBM AppScan, Netsparker, Acunetix, Probely, ImmuniWeb, Indusface, Tenable Nessus, Core Impact, Canvas, w3af, ZAP, Sqlninja and OpenVAS. In actual operation, the virtual platform 21 performs fingerprint analysis to determine which software the current attack or attacks are being carried out with.

Refer further to Figure 2. In a preferred embodiment of the virtual platform 21, the virtual platform 21 comprises one or more virtual machines (VM) 211, and the attacking terminal 10 logs into the one or more virtual machines 211 through the virtual account and then carries out the hacking exercise against the target website 40. The analysis platform 22 is electrically connected to the virtual platform 21 to record the hacking exercise carried out by the attacking terminal 10 on the virtual platform 21 and to receive the first attack report. Specifically, the first attack report may contain, but is not limited to, the following two kinds of content: 1. if an attack succeeded, it is classified according to the previously defined attack items, and the classified items may include a detailed analysis of the attack, the time of the attack, the attack method, the effect of the attack and the severity level after the attack; 2. if an attack failed, it is classified according to the previously defined attack items, and the classified items may include the risk present in the target website 40 but not the details of the attack. Because the virtual platform 21 carries the software tools used by the attacking terminal 10 for the hacking exercise, the owner of the target website 40, or an objective third-party security company, can check before the security assessment is run whether the software tools in the virtual platform 21 are at risk of having been tampered with or infected with viruses, thereby avoiding a real attack during the security assessment.

Furthermore, because the virtual platform 21 can contain multiple virtual machines 211, the attacking terminal 10 can carry out more than one kind of hacking exercise against the target website 40 through the multiple virtual machines 211, raising the level of the security assessment and testing how intense a hacker attack the target website 40 can withstand.

The observation terminal 30 is electrically connected to the monitoring server 20 and to the attacking terminal 10 to monitor the attacking terminal 10, collect the results of the attack on the target website 40 to generate a second attack report, and transmit the second attack report to the analysis platform 22. The observation terminal 30 may be provided by the first security company or by an objective third-party security company. Specifically, the second attack report may include information such as which actions during a failed attack had no effect (no risk), which security software the attacks were carried out with, whether an attack posed a threat, and which threats were safe.

By establishing the virtual platform 21 to monitor every attack action of the attacking terminal 10 during the hacking exercise against the target website 40, the present invention prevents the attacking terminal 10 from covertly hiding Trojan horses or other spyware or viruses while attacking the target website 40, protecting the target website 40 from the attacking terminal 10 at the same time as its security analysis is performed. Specifically, the virtual platform 21 can monitor attack behaviour in the following two ways: 1. the virtual platform 21 can be set up on physical hardware and obtain every attack action as a record through the underlying network service; 2. the virtual platform 21 performs network behaviour traffic analysis against the target website 40, analysing the content of the packets sent and received.

The present invention may further comprise a risk assessment terminal 50 electrically connected to the observation terminal 30 for carrying out a review procedure (After Action Review, AAR) based on the first attack report and the second attack report held by the analysis platform 22 and on the results of the hacking exercise, generating a comprehensive security report from the results of the review procedure, and sending the comprehensive security report to the owner of the target website 40. The comprehensive security report contains data such as whether the security protection system of the target website 40 is defective, the completeness of the firewall and the weaknesses of the firewall, so that the comprehensive report can be evaluated objectively and effectively, with the beneficial effects of increased team trust, security, minimal resource consumption, effective supervision, penetration attacks targeted at the domain and thorough simulation of hacker techniques.

More specifically, the flow of the review procedure comprises: 1. First step: using the records and reports produced by the attacking terminal 10, the observation terminal 30 and the target website 40 operating independently of one another, and taking the previously defined attack items as the basis, the parties cross-check whether the content of the successful attacks differs between them; then the security weakness areas in which the attacking terminal 10 attacked are recorded and compared against whether the target website 40 is at risk of attack in those weakness areas and in which security areas it is safe. This flow also proves that the attacking terminal 10 has not concealed the fact that an attack succeeded. For this reason, the content of the first attack report must be more complete than what the second attack report discloses. 2. Second step: using the data from the first step, review whether the security information and event management (SIEM) and security operations centre (SOC) information of the target website 40 is sufficient and effective, taking the opportunity to verify that the routine self-logging and defence mechanisms of the target website 40 are sound, which achieves the audit effect.
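The cross-check in the first step of the review procedure can be expressed as a reconciliation of the two attack reports. The following is an added example, not code from the patent; the record fields, the area names and the two sample reports are constructed for the illustration, and a success recorded by the observation terminal that the attacking terminal's report omits or marks as failed is treated as concealment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackRecord:
    """One entry of an attack report, keyed by a previously defined attack
    item and the area of the target website it was aimed at. This layout
    is an assumption for the example, not the patent's report format."""
    item: str            # previously defined attack item, e.g. "sqli"
    area: str            # area of the target website that was attacked
    success: bool
    detail: str = ""     # detailed analysis; expected for every success


@dataclass
class Reconciliation:
    concealed: list       # successes seen by the observer but not disclosed
    unobserved: list      # successes claimed by the attacker but never seen
    missing_detail: list  # disclosed successes lacking the detailed analysis
    weak_areas: set       # areas where at least one attack succeeded
    safe_areas: set       # areas that were attacked but never breached


def reconcile(first_report, second_report):
    """Cross-check the attacker's (first) report against the observer's
    (second) report. The first report must be at least as complete as the
    second on every success, so any success the observer saw that the
    attacker omitted or reported as failed counts as concealment."""
    first = {(r.item, r.area): r for r in first_report}
    second = {(r.item, r.area): r for r in second_report}

    concealed = [k for k, obs in second.items()
                 if obs.success and not (k in first and first[k].success)]
    unobserved = [k for k, att in first.items()
                  if att.success and not (k in second and second[k].success)]
    missing_detail = [k for k, att in first.items()
                      if att.success and not att.detail.strip()]

    # Weakness areas: attacked areas where any party recorded a success.
    attacked = {r.area for r in (*first_report, *second_report)}
    weak = {r.area for r in (*first_report, *second_report) if r.success}
    return Reconciliation(sorted(concealed), sorted(unobserved),
                          sorted(missing_detail), weak, attacked - weak)


def report_is_acceptable(result):
    """The first report passes step 1 only if nothing was concealed and
    every disclosed success carries its detailed analysis."""
    return not result.concealed and not result.missing_detail


# Constructed sample reports for the demonstration.
FIRST_REPORT = [  # attacking terminal's own account
    AttackRecord("sqli", "/login", True, "injection in the login form user field"),
    AttackRecord("xss", "/search", False),
    AttackRecord("rce", "/upload", True),            # success, but no detail given
    AttackRecord("lfi", "/download", True, "path traversal in the file parameter"),
    AttackRecord("ssrf", "/api", False),
]
SECOND_REPORT = [  # observation terminal's account from the monitoring server
    AttackRecord("sqli", "/login", True),
    AttackRecord("xss", "/search", True),            # attacker reported it as failed
    AttackRecord("rce", "/upload", True),
    AttackRecord("csrf", "/profile", False),
    AttackRecord("ssrf", "/api", False),
]


def demo():
    return reconcile(FIRST_REPORT, SECOND_REPORT)


if __name__ == "__main__":
    r = demo()
    print("concealed:", r.concealed)
    print("unobserved:", r.unobserved)
    print("missing detail:", r.missing_detail)
    print("weak areas:", sorted(r.weak_areas), "safe areas:", sorted(r.safe_areas))
    print("first report acceptable:", report_is_acceptable(r))
```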

Specifically, the comprehensive security report contains the content of the first attack report, the second attack report and a piece of record information, where the record information is produced by collating the IP network traffic content used by the virtual platform 21 during the attack period; the transmitted content may include observation, discovery, early warning, detection, interception, blocking, declaration of a security incident, follow-up handling and related record reports.

Specifically, in the preferred embodiment of the present invention, the observation terminal 30 performs packet capture based on security protocol information (such as an SSL access log) and, after analysis, generates the second attack report. The owner of the target website 40 transmits the first attack report, the second attack report and the record information to the risk assessment terminal 50, so that the risk assessment terminal 50 generates the comprehensive security report and sends it to the owner of the target website 40. For example, if the target website 40 uses SSL encryption, SSL by default uses a dynamic key, so the monitoring server 20 cannot decrypt the SSL traffic; the risk assessment terminal 50 can therefore generate a fixed key and give it to the attacking terminal 10, and if the attacking terminal 10 uses that fixed key as its SSL encryption key, the monitoring server 20 can keep a complete plaintext connection record of the encrypted connections from the attacking terminal 10 to the target website 40. The record information includes information from security information and event management (SIEM), an intrusion prevention system (IPS), an intrusion detection system (IDS), a web application firewall (WAF) or a web access log.

In addition, the observation terminal 30 may be provided by an independent security company (as in Figure 1) or may be located within the monitoring server 20 (as in Figure 2); in either arrangement it can observe the attacking terminal 10 carrying out the hacking exercise.

The present invention has the attacking terminal 10 carry out the hacking exercise against the target website 40 through the monitoring server 20 while the observation terminal 30 monitors the attacking terminal 10. The attacking terminal 10 and the observation terminal 30 generate the first attack report and the second attack report from the hacking exercise, which are sent via the target website 40 to the analysis platform 22 for objective analysis, after which the risk assessment terminal 50 generates the comprehensive security report. The comprehensive security report is thus analysed from an objective and effective standpoint, with the advantages of increased team trust, security, minimal resource consumption, effective supervision, penetration attacks targeted at the domain and thorough simulation of hacker techniques.

Reference numerals: 10: attacking terminal; 20: monitoring server; 21: virtual platform; 22: analysis platform; 30: observation terminal; 40: target website; 50: risk assessment terminal; 80: attacking terminal; 81: security report; 90: target website.

Figure 1: circuit block diagram of the first preferred embodiment of the present invention. Figure 2: circuit block diagram of the second preferred embodiment of the present invention. Figure 3: schematic diagram of the conventional security test architecture.


Claims (10)

1. A penetration test monitoring system, comprising: an attacking terminal for carrying out a hacking exercise against a target website and generating a first attack report from the results of the attack on the target website; a monitoring server electrically connected to the target website and to the attacking terminal and comprising a virtual platform and an analysis platform, wherein the virtual platform carries the software tools used by the attacking terminal to carry out the hacking exercise and provides a virtual account, the attacking terminal, after logging into the virtual account, carries out the hacking exercise against the target website through the virtual platform, and the analysis platform is electrically connected to the virtual platform to record the hacking exercise carried out by the attacking terminal on the virtual platform and to receive the first attack report; and an observation terminal electrically connected to the monitoring server and to the attacking terminal for monitoring the attacking terminal, collecting the results of the attack on the target website to generate a second attack report, and transmitting the second attack report to the analysis platform.

2. The penetration test monitoring system of claim 1, wherein the virtual platform comprises one or more virtual machines, and the attacking terminal logs into the one or more virtual machines through the virtual account and then carries out the hacking exercise against the target website.

3. The penetration test monitoring system of claim 2, further comprising a risk assessment terminal electrically connected to the observation terminal for carrying out a review procedure based on the first attack report and the second attack report of the analysis platform and on the results of the hacking exercise, and generating a comprehensive security report from the results of the review procedure.

4. The penetration test monitoring system of claim 3, wherein the comprehensive security report is generated by the risk assessment terminal after comprehensive analysis of the first attack report, the second attack report and a piece of record information, the record information being produced by collating the network traffic content used by the virtual platform during the attack period.

5. The penetration test monitoring system of claim 4, wherein the observation terminal is located within the monitoring server.

6. The penetration test monitoring system of claim 5, wherein the second attack report is generated by the observation terminal after packet capture and analysis based on security protocol information.

7. A penetration test monitoring server electrically connected to a target website, an attacking terminal and an observation terminal, the penetration test monitoring server comprising: a virtual platform that carries the software tools used by the attacking terminal to carry out the hacking exercise and provides a virtual account, the attacking terminal, after logging into the virtual account, carrying out the hacking exercise against the target website through the virtual platform; and an analysis platform electrically connected to the virtual platform to record the hacking exercise carried out by the attacking terminal on the virtual platform and to receive the first attack report; wherein the observation terminal is electrically connected to the penetration test monitoring server and to the attacking terminal for monitoring the attacking terminal, collecting the results of the attack on the target website to generate a second attack report, and transmitting the second attack report to the analysis platform.

8. The penetration test monitoring server of claim 7, wherein the virtual platform comprises one or more virtual machines, and the attacking terminal logs into the one or more virtual machines through the virtual account and then carries out the hacking exercise against the target website.

9. The penetration test monitoring server of claim 8, further electrically connected through the observation terminal to a risk assessment terminal, the risk assessment terminal carrying out a review procedure based on the first attack report and the second attack report of the analysis platform and on the results of the hacking exercise, and generating a comprehensive security report from the results of the review procedure.

10. The penetration test monitoring server of claim 9, wherein the flow of the review procedure comprises: a first step in which, using the records and reports produced by the attacking terminal, the observation terminal and the target website operating independently of one another, the parties cross-check whether the content of the successful attacks differs between them, and then the security weakness areas in which the attacking terminal attacked are recorded and compared against whether the target website is at risk of attack in those weakness areas; and a second step in which, using the data from the first step, it is reviewed whether the security information and event management and security operations centre information of the target website is sufficient and effective.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108136439A TWI738078B (en) 2019-10-08 2019-10-08 Penetration test monitoring server and system

Publications (2)

Publication Number Publication Date
TW202115597A TW202115597A (en) 2021-04-16
TWI738078B true TWI738078B (en) 2021-09-01

Family

ID=76604384

Country Status (1)

Country Link
TW (1) TWI738078B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200167A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Automatic penetration testing method and system
CN106462709A (en) * 2014-01-27 2017-02-22 克洛诺斯赛博科技有限公司 Automated penetration testing device, method and system
US20180309747A1 (en) * 2011-08-09 2018-10-25 CloudPassage, Inc. Systems and methods for providing container security
US20190065754A1 (en) * 2017-08-31 2019-02-28 Microsoft Technology Licensing, Llc Off node scanning
US20190180035A1 (en) * 2017-12-07 2019-06-13 Virtual Forge GmbH Method for detecting vulnerabilities in software
