How to establish effective security policies

When it comes to attack and defense, everyone knows the saying that "the attacker only needs to find one point, while the defender must defend everything". In most cases the defender is passive. When attacker and defender operate in the same dimension, the attacker can try many attack methods, and defensive policies have to be stacked one on top of another to block them, so the defender is often exhausted. With the limited manpower of an Internet company's security team, accumulating signatures the way anti-virus software or the various IPS/IDS products do takes years of effort and the results may still be poor, so it is very undesirable.

 

In fact, the defender has advantages of its own. For example, common attack methods target the web application or the host system layer, but the operating system and the network devices of the whole battlefield are under the defender's control. In theory the defender can build security products and formulate security policies in any dimension, whereas attack behavior is, relatively speaking, confined to a low-dimensional field.
 

To understand what is meant by dimension here, see Figure 1:

Figure 1. Battlefield depth view



High-dimensional defense
 

Yuange often mentions the completeness of security policies (systems). Generally, security policies are bypassed because they are incomplete. How can a policy be made complete enough? The author believes that basing it on the mechanisms of the system, CGI and protocol specifications is more effective, and more reliable than continually using new policies to "patch" earlier ones, because all the basic functions and basic logic that attack and defense rely on come from there.
 

From Figure 1 we can see that whatever the intrusion behavior, it always depends on the support of system functions and capabilities at a higher level. On the defender's home ground it would be unwise to leave these favorable conditions unused and confront the attacker head-on in a low dimension, rather than subjecting him to a "dimensionality reduction strike" as in The Three-Body Problem.

 

 

DIMENSION ANALYSIS
 

Take the intrusion scenario "webshell upload" as an example. Before formulating a defensive policy, analyze the events that occur in each dimension, as shown in Figure 2.

Figure 2. Webshell upload events in various dimensions

Policy practices
 

Once the technical details of the "webshell upload" scenario in each dimension are clear, it is relatively easy to formulate a policy that is not easy to bypass.
 

Network layer: detect CGI uploads that conform to the RFC 1867 standard

Whatever the vulnerability or the kind of attack, an upload always has to comply with the HTTP protocol. Starting from the high-dimensional HTTP protocol, there is no need to consider protection rules such as "XX editor upload vulnerability" or "XX CMS upload vulnerability", as shown in Figure 3.


 

Figure 3. An HTTP upload data packet conforming to RFC 1867
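The network-layer rule above can be expressed as a small RFC 1867 (multipart/form-data) parser that looks only at the protocol, not at any particular CMS. This is an added example, not code from the article; the extension list and the sample request are constructed for illustration.

```python
import re

CGI_EXTENSIONS = ('.php', '.jsp', '.jspx', '.asp', '.aspx', '.cgi', '.pl')
BOUNDARY_RE = re.compile(r'multipart/form-data;\s*boundary="?([^";]+)"?', re.I)
FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.I)

def parse_multipart_upload(headers, body):
    """Return (field_name, filename, content_type) for every file part in an RFC 1867 body."""
    m = BOUNDARY_RE.search(headers.get('Content-Type', ''))
    if not m:
        return []                          # not a multipart upload at all
    delimiter = b'--' + m.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b'--'):        # closing delimiter "--boundary--"
            break
        head, _, _data = chunk.partition(b'\r\n\r\n')
        fn = FILENAME_RE.search(head)
        if fn is None:
            continue                       # ordinary form field, not a file
        name = re.search(rb'name="([^"]*)"', head)
        ctype = re.search(rb'Content-Type:\s*([^\r\n]+)', head, re.I)
        parts.append((name.group(1).decode() if name else '',
                      fn.group(1).decode('utf-8', 'replace'),
                      ctype.group(1).decode().strip() if ctype else ''))
    return parts

def cgi_uploads(headers, body):
    """File parts whose client-supplied filename ends in a CGI extension (what Figure 3 flags)."""
    return [p for p in parse_multipart_upload(headers, body)
            if p[1].lower().endswith(CGI_EXTENSIONS)]

# Constructed sample request: one text field and two files, one of them a PHP script
# sent with an image Content-Type (the header lies, the filename does not).
SAMPLE_HEADERS = {'Content-Type': 'multipart/form-data; boundary=----X'}
SAMPLE_BODY = (b'------X\r\nContent-Disposition: form-data; name="title"\r\n\r\nhello\r\n'
               b'------X\r\nContent-Disposition: form-data; name="pic"; filename="a.jpg"\r\n'
               b'Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\r\n'
               b'------X\r\nContent-Disposition: form-data; name="pic"; filename="x.php"\r\n'
               b'Content-Type: image/jpeg\r\n\r\n<?php ?>\r\n'
               b'------X--\r\n')
```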
 

CGI layer: detect whether API calls such as fopen are creating CGI files

Whatever the CGI vulnerability, the vulnerable code has to use fopen or another file-writing operation, as shown in Figure 4.


 

Figure 4. Monitoring of file write events on the CGI Layer
 

System user space: check whether system-level API calls are creating CGI files

Unless the web server (websvr) is started directly as root and can load arbitrary code, an attacker can hardly bypass this detection, as shown in Figure 5.


 

Figure 5. User-space monitoring of CGI file creation events
 

System kernel space: discover CGI file creation through kernel inotify events

At this layer we need not even worry about the possible escape caused by a root-started web server loading malicious code. At the very least, the suspicious behavior of creating a CGI file will be discovered before the subsequent attack steps are completed, see Figure 6.


 

Figure 6. inotify monitoring of CGI file creation events
 

The higher the dimension of a policy, the harder it is to bypass, and the more accurate the correlation between layers. The rule detection models above are summarized in Figure 7.


 

Figure 7. High-dimensional defenses that can be applied to webshell uploads
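The kernel-space rule (Figure 6) as a working inotify monitor, added here as an example and not taken from the article: it decodes raw inotify_event records and flags create, move-in or close-after-write events whose name looks like a CGI file. The extension list, the 16-byte name padding in the constructed sample and the watched directory are assumptions.

```python
import ctypes
import ctypes.util
import os
import struct

# inotify mask bits from <sys/inotify.h> that mean "a file appeared or finished being written"
IN_CLOSE_WRITE, IN_MOVED_TO, IN_CREATE = 0x8, 0x80, 0x100
WATCH_MASK = IN_CREATE | IN_MOVED_TO | IN_CLOSE_WRITE
CGI_EXTENSIONS = ('.php', '.jsp', '.jspx', '.asp', '.aspx', '.cgi', '.pl')
# struct inotify_event header: int wd; uint32 mask, cookie, len; followed by len bytes of name
EVENT_HDR = struct.Struct('iIII')

def parse_events(buf):
    """Yield (wd, mask, name) for each inotify_event packed in one raw read() buffer."""
    off = 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        name = buf[off:off + length].split(b'\0', 1)[0].decode('utf-8', 'replace')
        off += length
        yield wd, mask, name

def is_cgi_creation(mask, name):
    """True for a create / move-in / close-after-write event on a CGI-looking file name."""
    return bool(mask & WATCH_MASK) and name.lower().endswith(CGI_EXTENSIONS)

def pack_event(wd, mask, name):
    """Lay out one inotify_event the way the kernel does (NUL-terminated name, padded to 16)."""
    raw = name.encode() + b'\0'
    raw += b'\0' * (-len(raw) % 16)
    return EVENT_HDR.pack(wd, mask, 0, len(raw)) + raw

# Constructed sample standing in for one read() from the inotify fd (three events).
SAMPLE_BUFFER = (pack_event(1, IN_CREATE, 'cmd.php')
                 + pack_event(1, IN_CLOSE_WRITE, 'notes.txt')
                 + pack_event(1, IN_MOVED_TO, 'Upload.JSP'))

def watch(dirs):
    """Generator: full paths of CGI files created under dirs (Linux only, via libc inotify)."""
    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
    ifd = libc.inotify_init()
    if ifd < 0:
        raise OSError(ctypes.get_errno(), 'inotify_init failed')
    wds = {libc.inotify_add_watch(ifd, d.encode(), WATCH_MASK): d for d in dirs}
    while True:
        for wd, mask, name in parse_events(os.read(ifd, 65536)):
            if is_cgi_creation(mask, name):
                yield os.path.join(wds[wd], name)
```

Running `for path in watch(['/var/www/html']): print(path)` on a Linux host reports each new CGI file under the (assumed) web root as soon as the kernel sees it, independent of which web server or upload vulnerability produced it.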

 

Two Trojan Detection Cases
 

As seen above, what an attacker can do with an exploitable vulnerability or attack channel is usually limited, and the defender's observation and detection of events make it hard for the attacker to escape. Detailed analysis of the intrusion/vulnerability scenario and extraction of its key links are the key to policy formulation; otherwise one is stuck in the awkward situation of constantly patching old policies.
 

To solve an intrusion scenario, analyze it thoroughly and refine its core technical points; a policy developed close to those features is very effective and cannot easily be bypassed. Two common Trojan scenarios and cases on Linux follow.
 

Those familiar with malicious code forensics know the common reverse-connection (connect-back) Trojan. Its "core" code generally looks like this:

```c
/* fragment as shown in the article: sockfd is a socket and cliaddr the address it connects back to */
connect(sockfd, (struct sockaddr *)&cliaddr, sizeof(struct sockaddr));
dup2(sockfd, 1);                 /* bind STDOUT to the socket */
dup2(sockfd, 2);                 /* bind STDERR to the socket */
execve("/bin/sh", argv, envp);   /* argv = {"sh", NULL}: the shell now talks over the socket */
```

Detection is very simple for the defender. A bash process normally has no network connection, so the detection policy is: if bash's STDIN/STDOUT are bound to a socket, it is a Trojan.
 


 

Figure 8. General Linux reverse-connection shell detection idea


Some sophisticated Trojan code is not so lazy, for example mod_rootme. To reuse Apache's listening port and obtain a shell with root permission, mod_rootme makes many exquisite combinations in its code logic, so detecting it is not as convenient as for a common Trojan. The official TSRC Weibo account once shared how to find such a very concealed backdoor as mod_rootme (http://t.qq.com/p/t/330573116082464).
 

However, even a tricky backdoor behaves differently from the normal system. For example, with mod_rootme there may be more than 2 httpd processes with root permission, and the Apache processes may open multiple pipes and use a pseudo terminal (see the Weibo post for details). Establishing policies based on abnormal behavior is a more reliable detection method than signature features.


 

Figure 9. mod_rootme detection logic, based on root-permission httpd processes, pipes and pseudo terminals
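Both Trojan rules (Figure 8 and Figure 9) can be checked from /proc alone, without signatures. The following is an added example, not the article's or TSRC's code: it snapshots each process's name, uid and fd targets, then flags a shell whose stdio is a socket, and root httpd processes beyond an assumed baseline of one (the Apache parent) or holding pipes together with a pseudo terminal. The shell list, the baseline and the sample snapshot are assumptions.

```python
import os

SHELLS = {'sh', 'bash', 'dash', 'zsh'}
ROOT_HTTPD_BASELINE = 1  # assumed: a normal Apache has one root-owned httpd (the parent), no pty

def snapshot_proc():
    """pid, comm, uid and fd -> readlink target for every process in /proc (Linux only)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir('/proc')):
        try:
            comm = open(f'/proc/{pid}/comm').read().strip()
            uid = os.stat(f'/proc/{pid}').st_uid
            fds = {int(n): os.readlink(f'/proc/{pid}/fd/{n}') for n in os.listdir(f'/proc/{pid}/fd')}
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        procs.append({'pid': int(pid), 'comm': comm, 'uid': uid, 'fds': fds})
    return procs

def reverse_shell_findings(proc):
    """Rule 1 (Figure 8): a shell whose stdin, stdout or stderr is a socket."""
    fds = proc['fds']
    if proc['comm'] in SHELLS and any(fds.get(n, '').startswith('socket:') for n in (0, 1, 2)):
        return [(proc['pid'], 'shell with stdio bound to a socket')]
    return []

def rootme_findings(procs):
    """Rule 2 (Figure 9): too many root httpd processes, or a root httpd holding pipes plus a pty."""
    out = []
    root_httpd = [p for p in procs if p['comm'] == 'httpd' and p['uid'] == 0]
    if len(root_httpd) > ROOT_HTTPD_BASELINE:
        out.append((tuple(p['pid'] for p in root_httpd), f'{len(root_httpd)} root httpd processes'))
    for p in root_httpd:
        targets = list(p['fds'].values())
        if any(t.startswith('/dev/pts/') for t in targets) and sum(t.startswith('pipe:') for t in targets) >= 2:
            out.append((p['pid'], 'root httpd with pipes and a pseudo terminal'))
    return out

def detect(procs):
    """Run both rules over a snapshot; returns [(pid or pids, reason)]."""
    return [f for p in procs for f in reverse_shell_findings(p)] + rootme_findings(procs)

# Constructed sample snapshot: httpd parent and worker, a clean interactive bash, and two bad actors.
SAMPLE_PROCS = [
    {'pid': 100, 'comm': 'httpd', 'uid': 0, 'fds': {0: '/dev/null', 3: 'socket:[111]', 5: 'pipe:[222]'}},
    {'pid': 101, 'comm': 'httpd', 'uid': 33, 'fds': {0: '/dev/null', 3: 'socket:[111]'}},
    {'pid': 200, 'comm': 'bash', 'uid': 1000, 'fds': {0: '/dev/pts/0', 1: '/dev/pts/0', 2: '/dev/pts/0'}},
    {'pid': 300, 'comm': 'sh', 'uid': 33, 'fds': {0: 'socket:[333]', 1: 'socket:[333]', 2: 'socket:[333]'}},
    {'pid': 400, 'comm': 'httpd', 'uid': 0, 'fds': {0: '/dev/pts/3', 5: 'pipe:[444]', 6: 'pipe:[445]', 7: 'socket:[111]'}},
]
```

On a live host, `detect(snapshot_proc())` applies the same two rules to the real process table; run it as root so every process's fd directory is readable.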


Summary
 

Placed in the proper dimension, security devices and detection systems occupy a very favorable position. At the same time, extracting the key links of an intrusion scenario as far as possible is the essence of detection.


I believe that the security team of Party A (the enterprise being protected) should try its best to avoid developing an individual protection policy for every vulnerability and every hacker attack method. That approach seems big and comprehensive, but it is hard to extend to similar scenarios and hard to maintain.


Analyze the main risks and formulate targeted policies based on the characteristics of the business. Applying limited resources to clear risk scenarios is more desirable and more efficient.
