Jimm Wayans

Offensive and Defensive Exercise Preparation | How to build an effective corporate security defense system

After the epidemic, work and life have gradually returned to normal, and for the network security industry offensive and defensive drills are once again on the agenda. How should companies prepare their defenses in the new year? Let us look for the answer in a review of, and reflection on, the exercises of 2019/20.

In 2019/20, offensive and defensive exercises became a buzzword in the security community, and such activities, large and small, took place one after another. After taking part, many companies re-examine their own security defense capabilities, and even the protection capabilities of their partners. The essence of an offensive and defensive exercise is to verify the effectiveness of corporate security defenses from the attacker's perspective. This article therefore takes the attacker's perspective to offer practical suggestions to companies facing an offensive and defensive exercise or wishing to build an effective defense system.

Recurring attack chain

When it comes to attacks, we have to mention the “Cyber Kill Chain”. Based on the attack methods that have appeared in actual offensive and defensive exercises in recent years, we have drawn the “attack chain” shown in the following figure:

Cyber Kill Chain

Attack chain in offensive and defensive exercises

Everything is difficult at the beginning. The first problem an attacker encounters after selecting a target is often finding a breakthrough point. Most attackers combine domain name, IP and other asset scanning to reconnoiter and infiltrate the target's business systems, and at this stage the Web is still the main point of entry. Web vulnerabilities have emerged endlessly over the years: an attacker can use the web server to implant a variant of a Webshell, intrude further, gain server privileges, and continue collecting intranet information to expand the foothold. Many companies have Web security problems of either missing defenses or bypassed defenses: many web assets have never been properly discovered, or the WAF has been bypassed. How to formulate effective WAF rules as quickly as possible has therefore become the primary problem that enterprises urgently need to solve, because that is what blocks the attacker's entrance.

By discovering and exploiting vulnerabilities in border servers, attackers often gain their first foothold, such as a Webshell, and sometimes direct control of the server. Server control is the main battlefield of the offensive and defensive confrontation: the enterprise's business, data and core assets all live on servers, and the attacker's goal is usually to obtain the data of core assets or to control the business running on them in order to penetrate further. On a compromised server, the attacker uses a Webshell variant such as “Ice Scorpion”, or even a Rootkit, to deepen control. After breaking into the internal network, attackers typically continue collecting data and information on the intranet and install multiple backdoors to secure further control. These backdoors often use DNS tunnels, C&C channels and similar techniques to reach the control end. Some advanced attackers also erase logs, or even plant fake logs, to confuse the defender.

The attack process is a dynamic process of continuous correction. A good attacker keeps combining the information already obtained to infiltrate and analyze the target further.

The defender becomes passive, even anxious, in such an exercise. How to detect the attacker effectively and block them in time becomes the urgent problem to solve. Common protection methods include blocking the attacker's IP, setting protection policies, combining the policies of existing security products with continuous analysis, and operating and revising the protection policies already in place.

Constructing the defensive quadrant

Combining the attacker's attack chain with the urgency of the defender's needs, I have constructed a set of defense quadrants based on the offensive and defensive confrontation. The quadrants cover not only products but also operations and services, in the hope of helping the defender deploy a security system quickly and effectively and achieve good protection.


Defensive quadrant

1. Defense Quadrant

The defense quadrant is the most important one. It contains the bottom-line products of enterprise protection, products whose main capability is preventing and blocking hacker attacks; in real-world confrontation they can resist most attackers. The products introduced here are the WAF, the firewall (FW) and HIPS. A WAF can withstand most intrusions from the Web, especially a programmable WAF: when a new vulnerability appears during an exercise, it can be blocked immediately by writing a script. The new generation of WAFs also has semantic analysis technology, which effectively reduces false alarms and improves the defender's ability to handle unknown threats. The firewall effectively controls assets at the border and detects and blocks malicious communication in the network. As for the servers that are the key targets of hacker attacks, HIPS installed in the server operating system can immediately detect the characteristics of attacks such as Webshells, Rootkits and hacking actions (reverse shells, brute-force cracking, privilege escalation and so on), and perform interception and protection to raise the level of defense around core assets.
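As an added example (not the author's code or any product's), the following Python sketch shows what "programmable WAF" rules look like in practice: each rule is a small function the defender can hot-add when a new vulnerability appears, and request parameters are normalized (repeated percent-decoding) before matching so encoded variants are seen the way the backend would see them. The /api/export endpoint and its template parameter are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote

def normalize(value: str) -> str:
    """Percent-decode until stable, then lowercase, so a rule matches the
    form the backend would actually see rather than the encoded wire form."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value.lower()

def parse_request(method: str, path: str, query: str = "") -> dict:
    """Constructed request model: method, path and normalized parameters."""
    params = {key: [normalize(v) for v in values]
              for key, values in parse_qs(query, keep_blank_values=True).items()}
    return {"method": method.upper(), "path": path, "params": params}

# A rule is a plain function that returns True when the request must be blocked.
def rule_path_traversal(req: dict) -> bool:
    return any("../" in v for values in req["params"].values() for v in values)

def rule_export_template_allowlist(req: dict) -> bool:
    """Virtual patch for a hypothetical /api/export endpoint whose 'template'
    parameter was found to accept arbitrary input: allow only short
    identifiers and block everything else (allowlist, not blocklist)."""
    if req["path"] != "/api/export":
        return False
    return any(not re.fullmatch(r"[a-z0-9_]{1,32}", v)
               for v in req["params"].get("template", []))

RULES = {
    "path_traversal": rule_path_traversal,
    "export_template_allowlist": rule_export_template_allowlist,
}

def add_rule(name: str, func) -> None:
    """Hot-add a rule written for a newly disclosed vulnerability."""
    RULES[name] = func

def inspect(method: str, path: str, query: str = ""):
    """Return (allowed, matched_rule) for one request; first matching rule wins."""
    req = parse_request(method, path, query)
    for name, rule in RULES.items():
        if rule(req):
            return False, name
    return True, None
```

The allowlist-style rule is the shape to prefer for a quick virtual patch: it does not need to anticipate every malicious form of the parameter, only to describe the legitimate one.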

2. Detection Quadrant

The detection quadrant focuses on detecting and trapping hackers. Products in this quadrant can quickly detect intrusions, spot hacker attacks, and trap and profile the attackers; examples are HIDS, NTA and honeypots. Here we focus on NTA and honeypots. NTA products are called Network Traffic Analysis, but I prefer to read it as Network Threat Analysis: through traffic modeling and analysis of network threats they provide real-time perception and early warning, and compared with a traditional IPS this type of product is more complete and comprehensive in traffic coverage and threat modeling. A honeypot is a very good tool for detecting hacker intrusions. In a real network environment the defender will not trigger the honeypot, so an attacker IP discovered through the honeypot can be linked directly to the firewall for blocking, and its JSONP probe can profile the attacker, so that hacker intrusion activity is grasped at the earliest moment. The profiling function plays a vital role in tracing the source of an attack.

3. Security Operations Quadrant

The security operations quadrant is a combined quadrant built on the previous two. Here we recommend pairing the products with a security analyst model. In the past few years penetration testing engineers have become very popular, driven by the many result-oriented projects that push corporate security construction from the outside. As security vulnerabilities keep emerging and the number of hacking incidents grows, security analysts will become more important in the future. They can analyze the effectiveness of the configuration policies and deployment locations of the security products the defender has already deployed and tune them to the best level, and they investigate and trace security incidents to help enterprises solve the last-mile problem of security. As a product tool, SOAR (security orchestration, automation and response) can be chosen: it combines the analysts' policy orchestration with the APIs of the various systems to adjust protection and response policies, achieving unified analysis, centralized display and rapid handling, and thus a closed security loop.

4. Threat Intelligence Quadrant

Intelligence work in the threat intelligence quadrant falls into two categories. The first is the collection and analysis of real-time intelligence. During offensive and defensive exercises, especially large-scale ones, intelligence becomes extremely important. The defender should continuously collect attack intelligence, such as the attacking team's methods, the attacker's source IPs and commonly used tools, and feed this intelligence into the operation and maintenance of the defense quadrant's products in a timely manner. The second category is passive intelligence collection. Take scanner products as an example: the new generation of scanners can quickly analyze assets and detect vulnerabilities. Considering the attacker's methods, vulnerability detection here should center on Web vulnerabilities while also covering system vulnerability scanning. Such a scanner helps security analysts discover assets in real time during the protection period and scan for vulnerabilities actively or passively, so that security issues are resolved as early as possible.
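The honeypot-to-firewall linkage from the detection quadrant and the collection of attacker source IPs and tools from the threat intelligence quadrant fit into one small loop; the Python below is an added example, not the author's code or any product's. Constructed honeypot events are parsed, each source is profiled (hits, services, user agents), and every source outside the defender's own scanner range becomes a block action that doubles as the intelligence record. The log format, the 10.0.0.0/8 allowlist and all addresses are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed honeypot events (JSON lines, not real data); the last line is truncated on purpose.
HONEYPOT_LOG = """\
{"ts": "2020-03-01T10:00:01Z", "src": "203.0.113.7", "service": "http", "ua": "scanner-x/1.0"}
{"ts": "2020-03-01T10:00:05Z", "src": "203.0.113.7", "service": "ssh", "ua": null}
{"ts": "2020-03-01T10:01:00Z", "src": "10.1.2.3", "service": "http", "ua": "internal-scanner"}
{"ts": "2020-03-01T10:02:00Z", "src": "198.51.100.9", "service": "http", "ua": "curl/7.68.0"}
{"ts": "2020-03-01T10:03:00Z", "src": "198.51.100.9"
"""

# Assumed range of the defender's own scanners: never blocked on a honeypot hit.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

def parse_events(text: str) -> list:
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def is_allowlisted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in ALLOWLIST)

def build_profiles(events: list) -> dict:
    """Per-source profile: hit count plus the services and user agents seen."""
    profiles = defaultdict(lambda: {"hits": 0, "services": set(), "agents": set()})
    for event in events:
        profile = profiles[event["src"]]
        profile["hits"] += 1
        profile["services"].add(event["service"])
        if event.get("ua"):
            profile["agents"].add(event["ua"])
    return dict(profiles)

def block_actions(profiles: dict) -> list:
    """One block action per non-allowlisted source; each also serves as the intelligence record."""
    actions = []
    for ip, profile in sorted(profiles.items()):
        if is_allowlisted(ip):
            continue
        actions.append({"action": "block", "src": ip, "hits": profile["hits"],
                        "services": sorted(profile["services"]), "agents": sorted(profile["agents"])})
    return actions
```

In a real deployment the action list would be pushed to the firewall through its API (the SOAR step of the operations quadrant) and the same records kept as the exercise's attacker intelligence.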


The security products of the four quadrants above, combined with security analysis services, can quickly raise the defender's capabilities to a higher level in actual offensive and defensive exercises. The essence of the confrontation is to expose problems fully and verify the effectiveness of existing protection methods, while continuously correcting the hidden problems that have been discovered. This is a continuous process: the defender also needs to keep track of its own asset changes, vulnerability updates, threat intelligence and other information, and use them together to achieve a sufficient defensive effect.

It is hoped that every defender can quickly and sensibly make up the shortcomings revealed by offensive and defensive exercises according to its actual situation, combine that with effective security analysis and operational strategies, and detect and block more attackers as early as possible at its own defense gates.
