Lie low or take advantage of the crisis: threat analysis of attacks on the industries in focus during the epidemic


During the COVID-19 epidemic, healthcare and online education have become focal points of people's daily lives. In this special period, what are attackers doing? What are their main targets? How should these businesses defend themselves? The Tianmu (天幕) team of Tencent's Security Platform Department, together with Tencent's desktop security products team, security experts from Yunding Lab (云鼎实验室) and the cloud security team, chose healthcare and education, the two sectors in focus on Tencent Cloud, and combined hands-on experience to produce this security analysis, in the hope that it helps enterprises cope with remote-office security threats during this special period.

I. Overall attack trends: attacks by timing, geography and tactics

1. Before the New Year, the days around January 19 and January 22 were the companies' "closing up" period and the attackers' "commotion period". While businesses wind down, security policies are updated less promptly than usual, so attackers tried to take advantage, and attack volume peaked at this point.

2. After the New Year, in the remote-office environment, credential brute-forcing (dictionary-based guessing of authentication credentials) became the attackers' most commonly used technique. Starting January 31 (the seventh day of the first lunar month, the first workday after the holiday), attacks on the medical industry reached a peak of 800,000 in a single day. In the Windows ecosystem, Remote Desktop Services (RDP) and the SQL Server database service became the overwhelming bulk of the "punching bags".

3. During the Spring Festival, attacks from abroad did not pause: more than 70% of the credential brute-force attacks against cloud customers in the medical industry came from 125 foreign countries. Stricter control of US data centers made the United States an "unpopular" attack source area, while India and Russia leapt to the forefront.

4. Compared with overseas attackers, domestic attackers were more inclined to exploit high-risk Nday vulnerabilities against the education sector. Because such attacks leave a small "footprint", and because domestic "second-dial" (秒拨) IP resources are abundant, attackers tend to use second-dial dynamic IP techniques to evade blocking.

5. Compared with the traditional medical industry, the online education industry is relatively "aggressive" in business R&D; the rapid launch of services by small and medium enterprises brings abuse of third-party components, so the frequent high-risk vulnerabilities in ThinkPHP, Struts2 and RDP have recently become attackers' "breakthrough points" into the education sector.

6. During the epidemic, a large number of enterprises have relied on the cloud for remote work and for the rapid launch and iteration of information-dissemination programs and other small applications. While enterprises enjoy the elastic, efficient service delivery the cloud brings, improper security configuration of cloud services, for example object storage bucket permissions, cloud host security group rules, cloud SSL certificate validity and cloud load balancer port exposure, has also become a key "attack surface" of cloud services.

The following is a detailed analysis of the threat scenarios for the two sectors, healthcare and education:
1. Medical industry: RDP and SQL Server become punching bags

During the epidemic, to let employees work remotely, enterprises often opened up remote services that give direct access to sensitive information systems and even the office network. So, in addition to the most common frontal web attacks, credential brute-forcing deserves particular attention.

In terms of targets and tactics, attackers concentrated on Windows services: Windows Remote Desktop Services (RDP) and the Windows-ecosystem database service Microsoft SQL Server, being entry points to enterprise system privileges and sensitive data, naturally became popular targets, and attack volume against both of these "soft targets" peaked.

[Figure: Brute-force targets: RDP and SQL Server become popular targets, surging with the return-to-work wave]
Looking at the source distribution, tighter controls by US VPS vendors and US data centers constrain large-scale attack behavior from those networks, so attack resources ("weapons") are gradually migrating to other "unpopular" areas.

More than half of credential brute-force attacks came from outside the country, with no particularly clear downward trend even during the Spring Festival, although some domestic actors can be seen pausing the offshore resources they control. Correspondingly, conventional web attacks came mostly from domestic sources, and their volume declined rapidly during the Spring Festival, reaching a low point.

[Figure: Brute-force sources: foreign actors hyperactive, the United States becomes an unpopular area]
Based on the team's long-term experience in security analysis and threat intelligence tracking, the Windows ecosystem, as the entry point to sensitive data and system privileges, has recently produced a series of WannaCry-level vulnerabilities (BlueKeep in RDP, CVE-2020-0618 in SQL Server Reporting Services). The pace from advisory to PoC to widely circulated exploit is predictably accelerating: if more vulnerabilities follow this pattern, the 0day/1day response window for businesses, and the losses, will be counted in hours.
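The credential brute-forcing described above can be caught from the failed-logon records both services already produce. The following is an added example, not code from the original article or from the Tencent teams: the Windows lines are a constructed, simplified export of Security event 4625 (RDP attempts carry LogonType 10), the SQL Server lines are constructed in the ERRORLOG layout for error 18456, and the threshold of five failures per source IP within five minutes is an assumption to be tuned per environment.

```python
"""Detect credential brute-forcing against RDP and SQL Server from failed-logon records.

Added example, not code from the original article or from the Tencent teams. Both
inputs below are constructed samples: the Windows lines are a simplified one-event-
per-line export of Security event 4625 (not the raw EVTX/XML layout); the SQL Server
lines follow the ERRORLOG layout for error 18456 (login failed).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one failed-logon event (4625) per line; LogonType=10 is
# RemoteInteractive, i.e. an RDP logon attempt. The last line is a success (4624).
WINDOWS_EVENTS = """\
2020-01-31 08:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:00:09 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:00:17 EventID=4625 TargetUserName=test IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:00:25 EventID=4625 TargetUserName=user IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:00:33 EventID=4625 TargetUserName=guest IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:00:41 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-01-31 08:12:00 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.5 LogonType=10
2020-01-31 08:12:30 EventID=4624 TargetUserName=jsmith IpAddress=192.0.2.5 LogonType=10
"""

# Constructed sample in SQL Server ERRORLOG layout: each error 18456 line is followed
# by a "Login failed" line that carries the client address (five attempts, 10 s apart).
SQLSERVER_ERRORLOG = "".join(
    f"2020-01-31 08:05:{s:02d}.10 Logon       Error: 18456, Severity: 14, State: 8.\n"
    f"2020-01-31 08:05:{s:02d}.10 Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]\n"
    for s in range(0, 50, 10)
)

WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=4625 "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) LogonType=10$"
)
SQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]$"
)


def parse_windows_rdp_failures(text):
    """Return failed RDP logons as (time, service, user, source_ip) tuples."""
    out = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "rdp", m["user"], m["ip"]))
    return out


def parse_sqlserver_failures(text):
    """Return failed SQL Server logins as (time, service, user, source_ip) tuples."""
    out = []
    for line in text.splitlines():
        m = SQL_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "sqlserver", m["user"], m["ip"]))
    return out


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source IP across both services.

    Returns {source_ip: {"failures": n, "users": [...], "services": [...]}} for every
    IP that produced at least `threshold` failures inside any `window`-long span.
    Counting across services catches an attacker who sprays RDP and SQL Server from
    the same address; listing the user names distinguishes spraying from a single
    mistyped password.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events):
        ts, service, user, ip = ev
        q = recent[ip]
        q.append(ev)
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"failures": 0, "users": set(), "services": set()})
            a["failures"] = max(a["failures"], len(q))
            a["users"].update(e[2] for e in q)
            a["services"].update(e[1] for e in q)
    return {ip: {"failures": a["failures"], "users": sorted(a["users"]),
                 "services": sorted(a["services"])} for ip, a in alerts.items()}


def analyze_samples():
    """Run the detector over both constructed logs."""
    events = parse_windows_rdp_failures(WINDOWS_EVENTS) + parse_sqlserver_failures(SQLSERVER_ERRORLOG)
    return detect_bruteforce(events)


if __name__ == "__main__":
    for ip, a in analyze_samples().items():
        print(f"{ip}: {a['failures']} failures, services={a['services']}, users={a['users']}")
```

On the constructed data, 203.0.113.7 (six RDP failures across five different account names in 40 seconds) and 198.51.100.9 (five SQL Server failures against `sa`) are flagged, while the employee who mistyped once from 192.0.2.5 is not. In production the same logic would run over the Windows Security log and the SQL Server error log forwarded to a SIEM, with the threshold set below the lockout policy so the alert fires before accounts are locked.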

2. Education sector: ThinkPHP, Struts2 and RDP become popular targets

Compared with the relatively traditional and conservative medical profession, the new education industry tends to be more "aggressive" in business R&D, with fast-paced iterative development by small and medium enterprises, which inevitably brings large-scale use of third-party open-source components. Adversaries collect large numbers of 1day/Nday vulnerabilities and, likely after fingerprinting assets, launch large-scale probing and even exploitation.

In terms of targets and tactics, ThinkPHP, a popular framework for quickly building websites, and Struts2, a popular MVC framework in the Java web ecosystem, are the representative frameworks with frequent high-risk vulnerabilities in their respective language ecosystems and very easily become attackers' breakthrough targets; without timely patching, the education industry using them faces greater threats.

The recent Windows RDP vulnerability BlueKeep is still being widely probed and exploited; in particular, RDP services opened in a hurry for remote work are likely to have their server privileges taken by attackers quickly.

[Figure: High-risk Nday exploitation: ThinkPHP, Struts2 and RDP become popular targets]
Looking at the source distribution, high-risk Nday exploitation mostly came from domestic sources, with a few from the United States, India and other regions. This is presumably because the "footprint" of such attacks is small: often only a single request is sent to a target, to verify or exploit the vulnerability.

[Figure: High-risk Nday attack sources: active domestically, relatively few abroad]
In addition, because second-dial (秒拨) IP resources are concentrated domestically, attackers tend to use this technique to probe services rapidly across the whole internet, while randomizing client-side characteristics of each request (such as the User-Agent and irrelevant parameters) on top of the IP pool to evade traditional blocking policies.
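When every probe arrives from a fresh pooled IP with a fresh User-Agent and a throwaway parameter, per-IP rate limits and bans see one harmless request each; the campaign only becomes visible when requests are grouped by what they ask for rather than who sent them. The following is an added example of that grouping, not code from the original article or from the Tencent teams. The log lines are constructed in the Apache/Nginx combined format, the probe path is a placeholder rather than a real exploit URL, and the "five or more one-shot IPs" threshold is an assumption.

```python
"""Spot 'one request per IP' probing from rotating IP pools in a web access log.

Added example, not code from the original article or from the Tencent teams. The
log lines below are constructed, in Apache/Nginx combined log format; the probe
path /index.php?s=... is a placeholder, not a real exploit URL.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

_PROBE_UAS = [  # constructed User-Agent strings the "attacker" rotates through
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/72.0",
    "python-requests/2.22.0",
]


def _line(ip, url, ua, sec):
    return (f'{ip} - - [31/Jan/2020:10:00:{sec:02d} +0800] "GET {url} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: eight single-shot probes of the same path from eight different
# IPs, each with a rotated User-Agent and a differently named junk parameter, plus
# two ordinary visitors who each fetch a page, a script and a course.
ACCESS_LOG = "\n".join(
    [_line(f"198.51.100.{i}", f"/index.php?s=index/probe&function=x&{junk}={i * 7}",
           _PROBE_UAS[i % len(_PROBE_UAS)], i)
     for i, junk in enumerate(["r", "zz", "cb", "t", "q", "nocache", "x1", "v"], start=1)]
    + [_line(ip, url, _PROBE_UAS[0], 20 + k)
       for k, ip in enumerate(["192.0.2.10", "192.0.2.11"])
       for url in ["/", "/static/app.js", f"/course?id={k + 12}"]]
)


def normalize(method, url):
    """Collapse a request to a template: method plus path with digit runs replaced
    by N and the query string dropped. Returns (template, frozenset of query keys)
    so the caller can still see how much the parameters were shuffled."""
    parts = urlsplit(url)
    path = re.sub(r"\d+", "N", parts.path)
    return f"{method} {path}", frozenset(parse_qs(parts.query, keep_blank_values=True))


def find_rotating_probes(log_text, min_ips=5):
    """Group requests by template and flag templates whose senders are mostly
    one-shot IPs (an IP whose entire activity in the log is that single request).

    Returns {template: {"ips": n, "one_shot_ips": n, "user_agents": n, "param_sets": n}}.
    """
    per_ip = defaultdict(list)          # ip -> templates it requested
    per_tpl = defaultdict(lambda: {"ips": set(), "uas": set(), "param_sets": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tpl, keys = normalize(m["method"], m["url"])
        per_ip[m["ip"]].append(tpl)
        per_tpl[tpl]["ips"].add(m["ip"])
        per_tpl[tpl]["uas"].add(m["ua"])
        per_tpl[tpl]["param_sets"].add(keys)

    findings = {}
    for tpl, agg in per_tpl.items():
        one_shot = sum(1 for ip in agg["ips"] if len(per_ip[ip]) == 1)
        # Rotating-pool probing: many distinct IPs, nearly all of them one-shot.
        # Real visitors fetch several resources, so their IPs are never one-shot.
        if one_shot >= min_ips and one_shot >= 0.8 * len(agg["ips"]):
            findings[tpl] = {"ips": len(agg["ips"]), "one_shot_ips": one_shot,
                             "user_agents": len(agg["uas"]), "param_sets": len(agg["param_sets"])}
    return findings


if __name__ == "__main__":
    for tpl, f in find_rotating_probes(ACCESS_LOG).items():
        print(f"{tpl}: {f['one_shot_ips']}/{f['ips']} one-shot IPs, "
              f"{f['user_agents']} user agents, {f['param_sets']} parameter sets")
```

On the constructed log the probe template `GET /index.php` is reported with eight one-shot IPs, four User-Agents and eight distinct parameter sets, while the ordinary visitors' templates are not. Because the finding is keyed on the request template, the response can be a rule on the request itself (a WAF signature or virtual patch for that path) rather than a ban list that the attacker's next dial-up already sidesteps.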

II. Security recommendations for enterprises during remote work

1. In a special period, enterprises need to pay even more attention to how quickly security policies respond, and avoid human laxity or practical limitations on how fast losses are stopped. Beyond real-time network traffic analysis, enterprises should build the capability to block network attacks in real time, reducing the risk created by the delay of relying on manual policy changes.

2. Attackers' cost of migrating is low; they constantly move to environments that favor launching attacks and to seemingly "unpopular" locations. Enterprises should review the threat intelligence data they hold for richness of dimensions and timeliness of updates, so that security analysis does not fall into blind spots.

3. Remote work is a period when the enterprise network boundary is blurred. Enterprises need to identify externally exposed weak points in advance, comprehensively monitor the authentication entry points that cross the network boundary, and block abnormal network behavior. Real-time asset inventory is especially important: besides monitoring network attacks, network traffic is also a powerful tool for mapping asset relationships in real time and inventorying asset fingerprints.

4. Drawing on security protection experience from the cloud battlefield and the advantages of multi-dimensional threat intelligence big data, long-term training and tuning of AI models is the key reason the Anping Tianmu (安平天幕) team has repeatedly and precisely discovered all kinds of attack evasion techniques (second-dial IP technology, new attack variants) during major-event protection. Only by combining AI algorithms with big-data training in a battlefield of continuous confrontation, making up for the innate weakness of traditional policies in generalization, can security teams keep up with the evolution of attack techniques.

5. Vulnerability intelligence is disclosed relatively late through domestic channels, and vulnerabilities in components using non-HTTP protocols have recently been frequent. Enterprises with only traditional web-layer protection are easily singled out. Enterprises should pay attention to the timeliness of vulnerability threat intelligence and choose NIPS products that support network-layer virtual hot patching, to buy time for code-level fixes in business systems.

6. For services deployed on the cloud, build a cloud-native "CMDB", keep a real-time automated inventory of business infrastructure assets, and regularly inspect and promptly harden the native security configuration of cloud products to narrow the cloud "attack surface". For the frequently changing cloud environment, establish an automated threat incident response platform to improve threat handling. Enterprises should establish a cloud-native security operations platform, break down the isolation between data and processes, achieve whole-process security "before, during and after" an incident, and use security visualization to improve the efficiency of threat perception, response handling and security management.
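The "regular inspection" of cloud configuration recommended here is mechanical once the asset inventory exists, which is what makes the cloud-native CMDB worth building. The following is an added example, not code from the original article or from any cloud vendor's SDK or console, that checks a provider-neutral inventory snapshot for the four misconfigurations the article names: public object-storage buckets, security groups exposing administrative ports to the whole internet (with RDP and SQL Server, the brute-force targets above, among them), expired or soon-expiring certificates, and load-balancer listeners on unexpected ports. The inventory, its field names and the snapshot date are all constructed assumptions; a real run would fill the same structure from the provider's APIs.

```python
"""Audit a cloud asset inventory for the misconfigurations listed in the article:
public object-storage buckets, security groups exposing admin ports to the world,
expired or expiring certificates, and load-balancer listeners on unexpected ports.

Added example, not code from the original article or any cloud vendor's SDK. The
inventory below is a constructed, provider-neutral snapshot (the kind a cloud-native
CMDB would hold after pulling from the provider APIs); the field names are assumptions.
"""
from datetime import date

# Ports that should never be reachable from 0.0.0.0/0. RDP and SQL Server are the
# brute-force targets the article highlights; the rest are other common admin/db ports.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 6379: "redis", 5432: "postgres"}
ALLOWED_LB_PORTS = {80, 443}       # the only ports a public load balancer should listen on
SNAPSHOT_DATE = date(2020, 2, 20)  # constructed "today" for certificate checks

INVENTORY = {  # constructed snapshot, not real assets
    "buckets": [
        {"name": "course-videos", "acl": "public-read"},
        {"name": "student-records", "acl": "private"},
    ],
    "security_groups": [
        {"name": "sg-office-rdp", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 3389, "to_port": 3389},
            {"cidr": "10.0.0.0/8", "from_port": 1433, "to_port": 1433}]},
        {"name": "sg-db", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 1024, "to_port": 65535}]},
        {"name": "sg-web", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    ],
    "certificates": [
        {"domain": "portal.example.edu", "not_after": "2020-02-10"},
        {"domain": "api.example.edu", "not_after": "2020-03-15"},
        {"domain": "www.example.edu", "not_after": "2021-01-01"},
    ],
    "load_balancers": [
        {"name": "lb-web", "listeners": [443, 80]},
        {"name": "lb-admin", "listeners": [443, 3389]},
    ],
}


def _is_world(cidr):
    return cidr in ("0.0.0.0/0", "::/0")


def audit_buckets(buckets):
    """Any ACL other than private makes the bucket readable (or worse) to anyone."""
    return [{"severity": "high", "asset": b["name"], "issue": f"object storage bucket is {b['acl']}"}
            for b in buckets if b["acl"] != "private"]


def audit_security_groups(groups):
    """Flag world-open ingress rules whose port range covers an admin/database port.
    Wide ranges (e.g. 1024-65535) are checked port by port so 'open everything
    above 1024' is reported with the sensitive ports it actually exposes."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if not _is_world(rule["cidr"]):
                continue
            exposed = [f"{p}/{name}" for p, name in sorted(ADMIN_PORTS.items())
                       if rule["from_port"] <= p <= rule["to_port"]]
            if exposed:
                findings.append({"severity": "high", "asset": g["name"],
                                 "issue": f"{rule['cidr']} may reach {', '.join(exposed)}"})
    return findings


def audit_certificates(certs, today, warn_days=30):
    """Expired certificates are high severity; those expiring within warn_days are medium."""
    findings = []
    for c in certs:
        days_left = (date.fromisoformat(c["not_after"]) - today).days
        if days_left < 0:
            findings.append({"severity": "high", "asset": c["domain"], "issue": "certificate expired"})
        elif days_left <= warn_days:
            findings.append({"severity": "medium", "asset": c["domain"],
                             "issue": f"certificate expires in {days_left} days"})
    return findings


def audit_load_balancers(lbs):
    """A listener outside the allow-list usually means an admin service was published."""
    return [{"severity": "medium", "asset": lb["name"], "issue": f"listener on unexpected port {port}"}
            for lb in lbs for port in lb["listeners"] if port not in ALLOWED_LB_PORTS]


def audit(inventory, today):
    """Run every check and return findings sorted by severity, then asset name."""
    findings = (audit_buckets(inventory["buckets"])
                + audit_security_groups(inventory["security_groups"])
                + audit_certificates(inventory["certificates"], today)
                + audit_load_balancers(inventory["load_balancers"]))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["asset"]))


def audit_sample():
    return audit(INVENTORY, SNAPSHOT_DATE)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f['severity']:6}] {f['asset']}: {f['issue']}")
```

On the constructed snapshot the audit reports six findings: the public `course-videos` bucket, RDP open to the world on `sg-office-rdp`, the 1024-65535 rule on `sg-db` that silently exposes SQL Server, MySQL, RDP, PostgreSQL and Redis, the expired `portal.example.edu` certificate, the `api.example.edu` certificate expiring in 24 days, and the RDP listener on `lb-admin`. Scheduling this against a fresh inventory pull, and opening a ticket per new finding, is the "regular inspection and timely hardening" loop in practice.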

7. In this special period, companies need to focus on three categories of security issues in their online digital services: unauthorized access, information leakage, and data encryption by ransomware. In particular, they should follow the latest security threat intelligence, promptly fix recently disclosed vulnerabilities in common components such as Apache Tomcat, upgrade IDS/IPS rule bases, and update components to the latest versions.


Source: blog.51cto.com/14579587/2474090