Internet influence: protection from the attacker's perspective (1)


0x01. Preface

I am a rookie security engineer. I have had the honor of taking part in two security competitions, picked up some personal experience along the way, and that experience became this article. (If you are already familiar with the technology, please bear with me. You are also welcome to come and discuss it with me.)

0x02. What will attackers do?

Thinking back over the several rounds of defense I have done, I kept asking myself: if I were the attacker, how would I attack? How would I go about it?

A. Step 1: collect information about the target (widen the set of targets)

Subdomain information, whois information, IP information, port information, company staff information, company email information, and any other information related to the target.

B. Vulnerability scanning and mining based on the information obtained

For subdomains, the attacker tries to resolve their IP addresses and scan those domains for vulnerabilities.

For whois information, the attacker tries to get the registrant's mailbox, then social-engineers it to obtain the password and hijack the domain name.

For IP information, the attacker enumerates the ports and services behind each address and scans the corresponding services for vulnerabilities. (A DDoS attack can also be launched directly to stop you from playing at all.)

Company staff information and company email information are used for social engineering and weak-password attempts: the attacker checks whether he can get into an employee's company mailbox and then digs deeper for sensitive information (especially if he happens to hit a key person).

It sounds as simple as I write it, but it is actually a tough and long process.

Besides the attacker's technical level, perseverance and focus, luck also plays a part. (It depends on whether you are up against clueless administrators or sharp ones.)

As the defender, what should you do at this point? The other side has made its move, and you have to catch it! Otherwise the task fails.

0x03. This is how I do protection

A. Find and Fix (this is actually the critical part)

Literally, it means "discover and repair". Simply put, discover the security problems in the system and solve them. (The best doctor does not treat the disease but stops it from arising in the first place; here the root cause is the code.)

Lead team members in security-testing the site, discovering security problems, and minimizing external security risks. (This can only be said to reduce hidden dangers: the strength of one person is limited, the strength of a team is limited, and everyone's focus is different.)

As said above, we can only reduce security risks. What do we do when a security problem slips through? That is what the following is for.

B. Defend and Defer

Literally, it is "defending and postponing" (that is Google Translate's rendering; never mind). Does protection here only mean security devices such as firewalls, intrusion detection systems and web application firewalls? Of course these are indispensable, but they are not everything. Reasonable things placed in reasonable positions produce good results.

Defense in Depth

This mainly involves firewall HA, an intrusion detection system, whitelists, a CDN and cloud protection.

Traffic passes through the following layers from the outside in:

The first layer is the CDN / cloud protection, which filters traffic and hides the real IP addresses;

The second layer is the firewall whitelist, which only admits traffic coming from the CDN;

The third layer is the IDS or IPS, which records risky behavior.

In other words, even if my server has some security weaknesses, they are of no use to you unless you can get past these filters.

[Diagram: MASTER firewall and BACKUP firewall deployed as an HA pair]

The firewall HA here is mainly meant to prevent a single point of failure (SPOF) or to survive traffic attacks. For more about firewall HA, see the following article:

http://drops.wooyun.org/%E8%BF%90%E7%BB%B4%E5%AE%89%E5%85%A8/4010

Is security protection finished at this point? If someone bypasses your filters (or one of your filters fails), can you rest easy? You cannot take it for granted. Everything is possible, so plan for the worst.

When a hacker gets past all the filtering and attacks the server, can you discover it immediately?

When a hacker finds a server vulnerability, bypasses the various protections and obtains a shell, can you learn about it immediately and locate the vulnerability?

This is where the fourth layer, monitoring, comes in (and I would count it as relatively unsuccessful): a host-based IDS, which can be understood as a file monitoring system that naturally grows into a log analysis system. In theory we can use it to watch the website directories and log files, so that an alert is raised as soon as a website file changes. In practice, experience has taught me not to idealize things: nothing simply works out of the box, and every tool has a mechanism of its own that you must understand.

The fourth layer here uses OSSEC, which monitors files. I said it failed; the reason it failed is that we only knew how to use it and did not understand the mechanism it relies on, which caused a big problem.
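To make the mechanism behind such file monitoring concrete, here is an added example (not the author's setup and not OSSEC code): a minimal syscheck-style integrity monitor that hashes a webroot into a baseline and diffs the tree against it on each scan, rating a new file under the upload directory highest. The webroot layout and the `uploads/` prefix are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: str) -> dict:
    """Map every regular file under webroot (relative path) to its digest. Keep the
    result outside the webroot, or an attacker with a shell can simply rewrite it."""
    root = Path(webroot)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def check_against(webroot: str, baseline: dict) -> dict:
    """Re-hash the tree and diff it against the baseline. This is the syscheck-style
    mechanism: a change is only noticed when the scan runs, not when it happens."""
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(f for f in set(current) & set(baseline)
                      if current[f] != baseline[f])
    return {"added": added, "modified": modified, "deleted": deleted}

def alerts(report: dict, upload_prefix: str = "uploads/") -> list:
    """Render a report as alert lines. A new file inside the upload directory is
    the classic trace of an uploaded webshell and is rated HIGH."""
    out = []
    for f in report["added"]:
        sev = "HIGH" if f.startswith(upload_prefix) else "MEDIUM"
        out.append(f"[{sev}] new file: {f}")
    out += [f"[HIGH] modified file: {f}" for f in report["modified"]]
    out += [f"[MEDIUM] deleted file: {f}" for f in report["deleted"]]
    return out

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample webroot
        (Path(d) / "uploads").mkdir()
        (Path(d) / "index.php").write_text("<?php echo 'constructed sample';")
        base = build_baseline(d)
        (Path(d) / "uploads" / "x.php").write_text("dropped after the baseline")
        print("\n".join(alerts(check_against(d, base))))
```

Because the diff only runs when the scan runs, a file dropped and removed between two scans leaves no trace here; that interval is the part of the mechanism you need to know before relying on the alerts.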

The fifth layer is the worst-case plan. Suppose an attacker uploads a file and obtains a shell, thereby bypassing the protection of the first layers, and the fourth layer fails as well: does the attacker now roam freely through your network? That cannot be tolerated, and this is where the fifth layer of protection appears. In professional terms it is called "risk control", and the purpose of risk control is to reduce the losses caused by a risk event. Install all patches (to prevent privilege escalation), run services with the lowest privileges possible, and remove execute permission from the upload directory. Even if an attacker obtains a shell on the server with a 0day, he cannot do anything, because his privileges are very low!
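As an added example (not the author's tooling), here is a small audit that checks the "no execution in the upload directory" part of this fifth layer: it lists files with execute bits or interpreter suffixes and reports whether the filesystem holding the directory is mounted noexec. The suffix list and the use of /proc/mounts are assumptions for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types the web server would run if the upload directory let it. The set is
# an assumption for this example; adjust it to the stack you actually run.
SCRIPT_SUFFIXES = {".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}

def mount_has_noexec(path: str, mounts_file: str = "/proc/mounts"):
    """True/False: is the filesystem holding `path` mounted noexec?
    Returns None where /proc/mounts is unavailable (non-Linux hosts)."""
    try:
        lines = Path(mounts_file).read_text().splitlines()
    except OSError:
        return None
    real = os.path.realpath(path)
    best = None  # longest matching mount point wins (e.g. /srv/uploads over /)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        mp, opts = parts[1], parts[3].split(",")
        if real == mp or real.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return None if best is None else "noexec" in best[1]

def audit_upload_dir(upload_dir: str) -> list:
    """List files that could run as code: execute bit set, or a suffix the web
    server would hand to an interpreter. An empty list means the rule holds."""
    root = Path(upload_dir)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        mode = p.lstat().st_mode
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append(f"exec bit set: {rel} ({stat.filemode(mode)})")
        if p.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(f"script suffix: {rel}")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample upload dir
        (Path(d) / "logo.jpg").write_bytes(b"\xff\xd8")
        (Path(d) / "run.sh").write_text("#!/bin/sh\n")
        os.chmod(Path(d) / "run.sh", 0o755)
        print(audit_upload_dir(d), "noexec:", mount_has_noexec(d))
```

The suffix check matters even with execute bits cleared, because the web server, not the kernel, decides whether a .php file runs; the mount check catches the case where the directory was hardened but later moved to a filesystem without noexec.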

By now the attacker has subdomain information, whois information, company staff information and company email information. Let us set company staff and company email information aside for the moment; that can only be addressed by raising employees' security awareness. Subdomain and whois information remain. The domain-name part of section B above mainly deals with the former, so I will not repeat it here.

Whois information is often overlooked. It shows the registrant's email address (which can be hidden, so get that done), which is a starting point for social engineering (leaked-credential databases are everywhere these days). If the attacker is lucky enough to take over that mailbox, he will be delighted. It also shows the NS servers used by the domain, that is, which CDN is in use. If the registrar account cannot be taken over, the CDN account is the next stop, with a similar effect.

Is the CDN reliable? Even if it is, it is hard to protect yourself completely; when you discover a hidden danger, all you can say is that it is a possibility! Think about it: if the mailbox and password for the CDN account leak and someone else changes the configuration for you, your website will no longer open, and everything built in front of it is wasted.

[Screenshot: a whois record with the registrant's QQ mailbox visible] Could this QQ mailbox be social-engineered? The password may already have been cracked.

[Screenshot: our own whois record] This is ours. We have changed the display name; by default the mailbox is shown.

C. Secure at the Source

Personally, I understand this to mean "security in the source code". The answer has to come from the authors of the code. That is, like the skilled doctor mentioned above who stops the disease before it starts, problems are killed at the source. Many large companies have a "Security Development Process" at this level.

It can eliminate many problems and bugs, but it is often not done well. From the code author's point of view, the priority is naturally to make things work; they do not want to worry about security issues at all, or perhaps do not know about them. Furthermore, authors' skill levels are uneven, which leads to insecure code.

