Analysis of the NGTP solution "Rapid Response Group for multiple weapons"
Nowadays, network threats are everywhere. Attack targets, attack methods and attack features change shape as readily as Sun Wukong, in a modern version of his transformations. A network protection solution is like a modern anti-terrorist force: as the forms of terrorism change, the rapid response team must also develop new adaptive capabilities and new forms of deployment; in other words, when the enemy changes, we change, adapting to circumstances as they arise.
All major security vendors are launching their own security protection solutions that promise the ability to defend against unknown threats. Customers, however, care about how quickly a defense responds and how effective it is at protecting their property and assets from loss.
Grandpa Deng said that "practice is the sole criterion for testing truth" (I am absolutely convinced of this). The following case shows how the "Rapid Response Group for multiple weapons" in the NGTP solution responds quickly and efficiently to an ever-changing terrorist environment. The NGTP solution is a security protection system whose modules can be added or removed according to the actual environment, much as different responders are dispatched for different terrorist organizations. The figure below shows a typical NGTP solution:
(Figure: NGTP solution)
TAC: NSFOCUS Threat Analysis System, which uses static and dynamic detection to locate unknown threats. SEG: Email Security Gateway, which filters suspicious messages out of email traffic. ESPC: Security Network Management Center.
The following representative attack response instance illustrates the timeliness of the NGTP solution and the powerful scalability that supports it.
The Locky ransomware, which recently had a very serious impact, has made many people miserable. The workflow of Locky is not the focus here; the focus is how NGTP effectively defends against such unknown attacks. Traces of Locky were recently found at domestic coal company L (the name cannot be disclosed, but the authenticity of the incident is not in doubt). It took NGTP only two minutes to discover the attack and implement the protection plan, and within those two minutes the damage from Locky was successfully intercepted; within 12 hours, the entire network deployed with NGTP could intercept the Locky attack. The customer could not understand how a suspicious attack could be discovered and intercepted in only two minutes, even allowing for sample analysis.
This is the strength of NGTP. Against Locky, NGTP uses a "Rapid Response Group" composed of "multiple weapons" for coordinated operations. To understand the essence of coordinated operations in NGTP, first look at the general process of dealing with terrorist attacks in modern anti-terrorist warfare:
(Figure: rapid response process of multiple teams)
Step 1: Intelligence collectors are organized to identify where there may be human bombs, time bombs or terrorists.
Step 2: The intelligence personnel report the information to the Intelligence Center, which performs a preliminary analysis and forwards the intelligence to the Command Center.
Step 3: The Command Center quickly organizes a special warfare team, including demolition experts, blasting experts and special forces, to handle the incident in the affected area.
Step 4: The special warfare team promptly handles the incident, removing bombs or attacking by force. At the same time, it gathers more information through interrogation and other methods; the intelligence personnel send this information to the Intelligence Center, which analyzes and summarizes it, learns of further potential threats, and reports information such as the locations where the terrorist organization is hiding to the Command Center.
Step 5: The Command Center launches new strategies and organizes a rapid special warfare team to handle the incidents.
Step 6: An unmanned reconnaissance plane tracks and detects the hiding locations and takes photos, and precise strikes are then carried out to eliminate the remaining threats.
In this process, the incident is handled by intelligence personnel, intelligence analysts, headquarters, demolition experts, blasting experts, special forces, drones and many other kinds of defensive elements, which together effectively curb the terrorist attack.
NGTP draws on this "multi-armed" three-dimensional defense system to defend against Locky attacks in real time. How, then, does NGTP work? Next, the staffing and division of labor in the war on terrorism are mapped onto event handling in the NGTP solution.
Different organizations are established for different terrorist acts in anti-terrorism operations; likewise, the NGTP scheme sets up different models for different network attacks. Because Locky is mainly spread via email, the standard NGTP solution for a Locky attack deploys two lines of defense: the first is the SEG email security device, and the second is NGTP modeling to defend against the attack. The coal company did not deploy the first line of defense, only the second. The reason security protection could be implemented within two minutes, and network-wide NGTP protection within 12 hours, is that NGTP had built a detection model from the attack behavior of current malware such as Locky, using a brand new "organization".
The model is shown below:
1. The IPS automatically learns the IP addresses that are frequently accessed on the Internet. Which Intranet-to-Internet addresses are used varies with the IP data and traffic types of each industry; in this case, the coal enterprise commonly used more than 5000 Internet IP addresses, which were added to the frequently accessed IP list.
2. After the Locky software starts, it connects to a new IP address. The IPS determines that the address is new and, as the first mark, tags the connection as suspicious network behavior with weight X. At the same time, the IPS determines that the request is for a PE file and, as the second mark, assigns weight Y.
3. After the connection returns data, the file size is seen to be smaller than 1 MB (90% of malware is smaller than 1 MB), and the third mark is assigned weight Z. The sample is sent to TAC for intelligence analysis.
4. Malware then establishes a connection to its server or another external host. If there is a connection to an Internet IP address or a new IP address within half an hour, the weight is M.
5. If f(X, Y, Z, M) is greater than a threshold value, the behavior is determined to be a network attack, and connections to the external or new IP addresses are blocked.
(Figure: IP address link)
6. In this case, Locky started by downloading a PE file smaller than 1 MB from X.X.37.175; the PE file ran and, within 45 seconds, requested the public key from a new IP address, X.X.87.106. Based on this detection model, NGTP successfully intercepted the Locky attack within two minutes.
7. To mine more information, analysts further analyze the PE file together with the TAC results to determine the attack source, attack behavior, attack methods, network features and sample fingerprints. The analysis results are produced within 4 hours and an emergency response rule upgrade package is developed; within 12 hours, the virus database and rule upgrade package are rolled out across the whole NGTP network.
The NGTP protection solution for this attack adopts the "Rapid Multi-weapon Response" idea, using automated learning, machine processing, manual participation, intelligence analysis, task delivery and other means to intercept the attack and find its source. The process is as follows:
Step 1: The IPS (intelligence officers) collects network behavior (finds where there may be human bombs, time bombs or terrorists).
Step 2: The IPS (intelligence personnel) provides network behavior (intelligence) to the modeling module (Intelligence Center), which performs data analysis (intelligence analysis) on the network behavior, processes it, and sends the suspicious network behavior characteristics (intelligence) to the Policy Center (Command Center).
Step 3: The Policy Center (Command Center) organizes new rules (the rapid special warfare team of demolition experts, blasting experts, special forces and so on) to respond to the incident.
Step 4: The new rules (rapid special warfare team) block or warn of events in a timely manner. Meanwhile, TAC or researchers (Intelligence Center) use data analysis (interrogation and so on) to learn more about the network behavior (intelligence), summarize it, analyze and discover further potential threats and attack sources (hiding terrorist organizations), and then feed the attack features and network behavior (intelligence) back to the Policy Center (Command Center).
Step 5: The Policy Center organizes new rules (rapid special warfare team) to handle the attack events.
Step 6: The situational awareness platform (drone) tracks and locates the attack source (hiding location; detection and photos), and precise strikes are then carried out to eliminate the remaining threats.
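Added example, not NSFOCUS code: a Python sketch of the weighted scoring model in items 1 to 5, run over constructed traffic shaped like the Locky sequence in item 6 (a small PE download from a never-seen address followed shortly by a connection to a second new address). The weights, threshold, minimum count and IP addresses are assumed placeholders, since the page gives only the symbols X, Y, Z and M.

```python
from collections import Counter

# Constructed weights and threshold: the page only names them X, Y, Z, M and "a threshold".
WEIGHTS = {"new_ip": 2.0, "pe_request": 2.0, "small_file": 1.0, "followup": 3.0}
THRESHOLD = 6.0
FOLLOWUP_WINDOW_S = 30 * 60      # item 4: "within half an hour"
SMALL_FILE_BYTES = 1024 * 1024   # item 3: "smaller than 1 MB"


class BehaviourScorer:
    """Scores one internal host's outbound connections the way items 1 to 5 describe."""

    def __init__(self, known_ips=()):
        self.known = set(known_ips)  # item 1: frequently accessed Internet IPs
        self.state = {}              # src host -> [(ts, tag), ...] within the window

    def learn(self, history, min_count=3):
        """Item 1: any Internet IP contacted at least min_count times becomes 'known'."""
        counts = Counter(dst for _, dst in history)
        self.known |= {ip for ip, n in counts.items() if n >= min_count}

    def observe(self, ts, src, dst, is_pe=False, size=0):
        """Items 2 to 5 for one connection; returns (score, is_attack)."""
        feats = [(t, tag) for t, tag in self.state.get(src, []) if ts - t <= FOLLOWUP_WINDOW_S]
        new_ip = dst not in self.known
        if new_ip:
            feats.append((ts, "new_ip"))          # item 2: first mark, weight X
        if is_pe:
            feats.append((ts, "pe_request"))      # item 2: second mark, weight Y
            if 0 < size < SMALL_FILE_BYTES:
                feats.append((ts, "small_file"))  # item 3: third mark, weight Z
        if new_ip and any(tag == "pe_request" and t < ts for t, tag in feats):
            feats.append((ts, "followup"))        # item 4: later link to a new IP, weight M
        self.state[src] = feats
        score = sum(WEIGHTS[tag] for tag in {tag for _, tag in feats})  # item 5: f(X,Y,Z,M)
        return score, score > THRESHOLD


def run_constructed_sample():
    """Constructed traffic shaped like the Locky case; all addresses are placeholders."""
    scorer = BehaviourScorer()
    scorer.learn([("10.0.0.5", "203.0.113.10")] * 5 + [("10.0.0.6", "203.0.113.10")] * 2)
    verdicts = []
    # infected host: PE under 1 MB from a never-seen IP, then 45 s later a request to another new IP
    verdicts.append(scorer.observe(0, "10.0.0.5", "192.0.2.37", is_pe=True, size=600 * 1024))
    verdicts.append(scorer.observe(45, "10.0.0.5", "192.0.2.87"))
    # benign host: a PE update fetched from the learned, frequently used IP
    verdicts.append(scorer.observe(60, "10.0.0.6", "203.0.113.10", is_pe=True, size=900 * 1024))
    return verdicts
```

The first download alone scores X+Y+Z and stays below the threshold; only the follow-up connection to a second new address within the window pushes the host over it, which is the sequence the model is built to catch.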
(Figure: situational awareness)
Investigation by situational awareness (drone) confirmed that the attack was a joint effort launched from Istanbul, Turkey's largest port city, and Riga, the capital of Latvia: the virus came from Turkey, and obtaining the key required connecting to a server in Latvia.
By establishing a "Rapid Multi-weapon Response Team", the NGTP solution builds multiple detection and defense models for different attack forms and adopts a round-the-clock, three-dimensional defense system that quickly tracks and locates potential threats and effectively defends against attacks.