Enterprise security ideology 101
Different needs lead to different markets and products, but a strong voice is here: to vouch for products and devices and put the subsequent delivery aside. It is like buying medical equipment for the home, which cannot give off the brilliance that belongs to it. -------- sec875
Security needs to be built
Build and invest in an in-house security team, or outsource the security work

Security is not marketing: it does not make money, it spends money. An organization that does not fund it cannot operate it. This is not about spending money to guarantee safety, but about investing in building security.
It needs to be considered: improving a product's security is also an indirect way to sell the product itself, and may be more effective than marketing words such as "we serve everything, with better results".
It needs to be considered: the money is not spent to make security issues disappear, but to raise the knowledge threshold a malicious intruder has to clear.
There is no silver bullet
Every defensive approach has its weaknesses: it needs too much funding, or lacks resources, or is difficult to implement.
It needs to be considered: there is no perfect solution or device in this world, but there is no perfect intrusion either.
Therefore, business data needs to be backed up, and disaster recovery facilities need to be invested in to prevent catastrophic events.
Logs from all events and components need to be forwarded and backed up; they provide the data for forensic analysis of important incidents.
Devices need to be used
Security is far from forming a closed loop today. Everything is still being explored, every incident and its handling are different, and not every alert is a true positive.
It needs to be considered: the device's own rules and the visibility of its alerts. That visibility is closely tied to the vendor protecting the intellectual property of its core product. Regardless, the rules themselves need to be verified and observed: whether to improve them, to judge their false positives, or to add new feature values.
It needs to be considered: we do not know where an attack originates, whether internal or external. Therefore devices need to be kept in operation, and employees need to gradually get used to them and observe them.
Do not immerse yourself in work without raising your head.
Security requires the full participation of the organization and joint operations of departments.
It needs to be considered: not all devices and assets are in one person's hands. Many processes, such as firewall changes and adding, removing, modifying or querying whitelist entries, depend on other people.
Knowledge base
I dare to guarantee that, if everything is done just by relying on the brain, without any resources, materials, or network, it feels difficult to type even a single sqlmap command. The problem does not lie in years of work experience, but in the unnecessary daily repetition needed to form muscle memory. It is a waste of resources and time. There are more important things you need to do. What matters is not memorizing how to use tools.
Need to think: Go through a real attack or defense engagement, then keep the notes for future reference and reuse. Do not force a person to do everything manually.
Need to think: Stones from other hills can polish your own jade; learn from others' work and do not reinvent the wheel.
Major security communities offer security construction courses, purchase them and grow with employees. For example, the SANS community's security courses: https://www.sans.org/
Need to think: Security knowledge, implementation, technology, and the foundational tools they depend on amount to a massive body of information. Building a shared knowledge base within the organization is itself highly valuable.
Security perspective and vulnerability perspective
From a vulnerability perspective, a finding may not meet the bar for vulnerability harm, or may not count as a vulnerability at all. From a security perspective, the situation is different.
Need to think: Adding defensive equipment intercepts some of the attack traffic aimed at vulnerabilities, but this does not mean the product itself has no vulnerabilities. If the traffic path bypasses the defensive equipment, through an internal attack or some other side path, the product itself will collapse.
Need to think: White-hat hackers have found a problem but cannot exploit it. The point is not to examine whether their attack capability can defeat the defensive equipment, but to take over the security issue they found and further improve the product; that is more valuable and meaningful than checking whether they can complete the exploitation. Finding a problem is great, and helping them locate it and build security together is even better.
Need to think: A business function itself may not be a vulnerability. From a security perspective, however, the data it returns may be too explicit, or may be reusable for other purposes, so that it can already serve black-hat activity. This must be emphasized and prevented. Our product is not a social-engineering database and must not be searchable by anyone.
About zero trust
Security and workflow sit on a seesaw that has to be kept in balance
Need to think: If introducing a security system makes it hard for employees in various departments to do their work smoothly, then the system itself is the problem. People have to strike the balance, whether through approval or through authentication and authorization.
Need to think: The value of the protected system itself. If your system is a single-player game or an OA office system, introducing zero trust for it is no different from buying a ten-million-yuan device to protect an object worth ten thousand yuan.
Human and equipment services
Bringing medical equipment home does not bring out its value; it also needs human services.
Need to think: Once the device is purchased, who will use it, and how will its value and capabilities be brought out?
Strategic and tactical plans
After introducing the device, gradually build up attack scenarios and incident response plans.
Need to think: Adding accountability and review processes cannot by itself solve the problem. The issue lies in offense and defense, and offensive and defensive simulation exercises need to be carried out so that people understand them, observe them, think about them, and innovate on them.
Need to think: Can I simulate an ATT&CK attack scenario? How systematically does the device respond to the traffic and activity I simulate, and has everyone seen it?
Need to think about: Without simulated web attacks and penetration testing, people grow more and more unfamiliar with the defense devices.
Need to think about: Asset information cannot rely solely on automatic collection by scanners. Assets are essentially the sum of what the various departments of an organization hold. You need an internal ledger for the organization, not one that others compile for you ten years later. If even the people inside cannot count the assets clearly, then every external tool or product will struggle and will not even cover all endpoints. This internal inventory can be allocated to each department and entered into the system.
Where can I find attack strategies and tactical simulation scenarios for detection?
Atomic Red Team, ATT&CK, etc.
Basic Penetration or High-end Penetration?
0days belong to national strategic knowledge; every 0day that enters the market can buy several houses. If you plan to buy penetration testing as an internal assessment, the expected value may not be what you wish. High-end penetration organizations are backed by a large number of experts, and having them conduct a penetration test costs a huge amount of money, sometimes millions of US dollars.
Do basic penetration testing first, and invite the experts at the end.
Need to think about: Have the public PoCs for all basic components been tested, once or several times, in basic penetration testing?
Need to think about: Have commercial vulnerability scanning tools been run, once or several times?
Need to think about: If you have purchased high-end penetration testing and they come back counting how many weak passwords there are, it is very frustrating.
Establishment of Baselines for Various Environments
Baseline values differ between organizations and scenarios, and they must be adapted to local conditions. Are there any examples or references? There are.
https://www.cisecurity.org/cis-benchmarks/
Risk Management
Does the organization have a management system, similar to an OA system, for recording discovered risk issues and tracking them?
Need to think about: Which IP assets have weak passwords or other risks, and where are the progress and tracking of risk issues?
Endpoint Protection
Effective endpoint protection can not only prevent but also detect abnormal activities and record them.
Need to think about: Not all attack activity matches the feature values in rule alerts. Sometimes it is a new type of attack; sometimes a high-dimensional, knowledge-based attack; sometimes a 0day. After the defense equipment is bypassed, we still need data records with which to discover these anomalies.
Training and Awareness
Users must know who to contact when they observe abnormal situations.
Need to think about: For each event and abnormal situation observed, can I tell whether it is normal or abnormal? Can I resolve it directly on the spot? Do I need to contact anyone else: the government, ISP operators, or other internal and external organizations?
Network Protection
Lateral isolation and defense in depth. Slow the enemy's pace of attack and buy time for defensive evidence collection.
Need to think about: Are the different departments on the organization's internal network isolated from each other? Have other defensive measures, from different perspectives, been introduced to extend the line of defense?
Incident Response Establishment and Handling
Are there any examples of incident response implementation for reference? Yes.
NIST 800-61 series: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Financial industry
Are there any references for compliance and security in the financial industry? Yes, there are.
https://www.pcisecuritystandards.org/
YARA
If I observe specific feature values, can I write rules over text or binary content to search for them? Yes. Learn about YARA.
https://github.com/virustotal/yara
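As an added example (not from the original post), a single YARA rule that searches for both kinds of feature value the text mentions: a text string, a regular expression, and a raw byte sequence with wildcards. Every string and pattern below is a constructed placeholder, not an indicator from any real incident.

```yara
// Added example: one rule combining a text feature and a binary feature.
// The strings are constructed placeholders for demonstration only.
rule Example_Text_And_Binary_Features
{
    meta:
        description = "Constructed example: PE file carrying a suspicious text string or byte pattern"
        reference   = "https://github.com/virustotal/yara"

    strings:
        // Text feature: a literal string observed in an alert. 'ascii wide'
        // matches both single-byte and UTF-16 encodings; 'nocase' ignores case.
        $txt_ua  = "EvilDownloader/1.0 (constructed)" ascii wide nocase
        // Text feature as a regular expression, for an indicator that varies
        // per sample (here a constructed URL with an 8-hex-digit id).
        $txt_url = /https?:\/\/[a-z0-9.-]+\/update\.php\?id=[0-9a-f]{8}/ nocase
        // Binary feature: a byte sequence with ?? wildcards where the bytes
        // change between samples (for example a relocated address).
        $bin_seq = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? E8 }

    condition:
        // Restrict to PE files (MZ header at offset 0) under 5 MB, then
        // require either text feature or the binary feature.
        uint16(0) == 0x5A4D and filesize < 5MB and ($txt_ua or $txt_url or $bin_seq)
}
```

Run it with `yara -r example.yar <directory>` to scan a directory tree; for a live incident, replace the placeholders with the feature values actually observed.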
Threat intelligence community
If I find a suspicious IP or domain, is it actually a problem? Where can I judge that? Go to a threat intelligence community. Suppose I find an IP today and the community's database shows it has also carried out other attack activity; then you are already very clear about whether this IP has a problem.
https://otx.alienvault.com/
https://www.misp-project.org/
Security operations and monitoring tools
Commercial tools suit corporate organizations, but open-source and free tools are not bad either. Whether they are delivered as appliances or software, deployed on hardware, on a single machine, or across a cluster of servers, these tools cover various granularities (network, file, process, registry, etc.) and monitor from both the system and the network perspective. Regardless of implementation, the aim is to monitor assets, generate alerts, and forward logs to a unified monitoring platform for auditing.
For example: Sysinternals, Suricata, osquery, Splunk, Graylog, OpenEDR, and more
Full traffic monitoring
We do not know whether the threat comes from the outside or inside. Therefore, we need this full traffic monitoring to support post-event observation, trace evidence collection, and analysis.
Multi-factor authentication for important systems
We need to apply multi-factor authentication to important systems or functions. Specifically, this can be verification codes delivered by SMS, email, or an app, or a hardware token.
About DevSecOps
The secure SDLC is a set of methodologies built around secure coding and secure deployment in the enterprise. It aims to reduce vulnerabilities in application development itself and fundamentally strengthen the product. How should I learn about it? Are there any reference resources? Yes, there are.
https://github.com/hahwul/DevSecOps
Conclusion
All aspects of attack and defense apply to corporate security, and this article cannot cover them all. They include static and dynamic analysis, secure coding, exploit development, and more.
Every knowledge and direction can be explored deeply and go a long way.
Thank you, masters, for your patience in reading this far.
We will meet again.
Encouragement to all.
