Network security starts from intrusion information collection

Source: Internet
Author: User

In general, network intrusion detection is divided into two parts: collecting intrusion information, and analyzing the collected data. The network administrator then takes measures based on the results of that analysis. Data collection is therefore the foundation of intrusion detection and of improving enterprise network security; it is a stage that cannot be skipped.

How secure the network is depends largely on how accurate the collected information is. Intrusions are becoming increasingly sophisticated, and attackers try to leave no trace on the system. During an attack they use covert techniques, and after it they delete or alter evidence, for example by replacing subroutines called by legitimate programs or by editing log files. After such adjustments the system logs can look much like normal ones. As attacker tradecraft improves, collecting reliable information becomes harder. Below are my thoughts on how to collect intrusion information.

Step 1: Collect System logs and network log files.

As the saying goes, a goose leaves its call as it passes and a person leaves a name. However skilled an attacker is, intruding into an enterprise network will leave some clues in the system or network logs, even if the difference from normal activity is subtle. The network administrator therefore needs to pay particular attention to system logs and network logs.

For example, access-failure logs on systems and network devices record unusual or unauthorized access attempts. If someone tries to log on to the file management system with an administrator account and gets the password wrong three times, the file server records the attempts, including the time and the source IP address. When the network administrator collects this information, the important conclusion is that someone is probing this file server. The IP address identifies the host the attempts came from, but that host is very likely not the real initiator; it may itself be a compromised machine (a zombie) used as a relay. After seeing such records, set a strong administrator password on the file server.

Another example is the "account activity" log that some application systems keep. It records what each account did in the system: when it logged on, with which role, what operations it performed, and some of the authentication details for the session. From this information we can detect signs of intrusion promptly. If the system administrator sees that an administrator account logged on to the application at a time when he did not log on, or that an ordinary employee's account logged on repeatedly outside working hours, the application may have been cracked, and someone is quietly taking information from it while nobody is watching. In that case, take measures to find the intruder, and change the user name and password promptly to prevent further losses.

In short, the relevant logs record repeated attempts by unknown users to log on to a system, and repeated attempts by a user to access files or systems they are not authorized for. This information is the basis for the preventive measures we take later. The first step in information collection is therefore to pay attention to log data: it is in these log files that we find the clues attackers leave behind.
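The log triage described in this step, written out as an added Python example that is not from the original article. It parses constructed login events in an assumed format (`LOGIN_OK` / `LOGIN_FAIL` with a user and a source address), flags an account that fails the password repeatedly from one source within a time window, flags a success from that same source right after such a burst (the guess may have worked), and lists successful logins outside assumed working hours of 08:00 to 19:00. The `notify` hook stands in for the e-mail alert the article mentions at the end; here it just prints. Log format, hosts, users, addresses and thresholds are all assumptions.

```python
"""Triage of login logs: failure bursts, suspicious successes, after-hours activity."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format; not from any real system.
SAMPLE_LOGS = """\
2024-03-04 09:12:01 fileserver LOGIN_FAIL user=administrator src=10.0.0.45
2024-03-04 09:12:05 fileserver LOGIN_FAIL user=administrator src=10.0.0.45
2024-03-04 09:12:09 fileserver LOGIN_FAIL user=administrator src=10.0.0.45
2024-03-04 09:12:14 fileserver LOGIN_OK user=administrator src=10.0.0.45
2024-03-04 10:01:00 appserver LOGIN_OK user=alice src=10.0.0.12
2024-03-04 23:47:30 appserver LOGIN_OK user=bob src=10.0.0.77
2024-03-05 02:15:11 appserver LOGIN_OK user=bob src=10.0.0.77
2024-03-05 08:30:00 appserver LOGIN_FAIL user=carol src=10.0.0.30
this line is corrupt and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; unparseable lines are skipped but counted."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events, skipped


def failed_login_bursts(events, threshold=3, window_seconds=300):
    """(host, user, src) keys with `threshold` failures inside a sliding window."""
    stamps_by_key = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            stamps_by_key[(e["host"], e["user"], e["src"])].append(e["ts"])
    hits = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


def success_after_burst(events, threshold=3, window_seconds=300):
    """A successful login from the same source after a failure burst: the guess may have worked."""
    burst_keys = set(failed_login_bursts(events, threshold, window_seconds))
    last_fail = {}
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            key = (e["host"], e["user"], e["src"])
            last_fail[key] = max(last_fail.get(key, e["ts"]), e["ts"])
    hits = []
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["event"] == "LOGIN_OK" and key in burst_keys and e["ts"] > last_fail[key]:
            hits.append(key)
    return hits


def after_hours_logins(events, start_hour=8, end_hour=19):
    """Successful logins outside assumed working hours [start_hour, end_hour)."""
    return [
        (e["user"], e["ts"].isoformat())
        for e in events
        if e["event"] == "LOGIN_OK" and not (start_hour <= e["ts"].hour < end_hour)
    ]


def triage(log_text, notify=print):
    """Run all rules and hand each finding to `notify` (an e-mail sender in production)."""
    events, skipped = parse(log_text)
    alerts = []
    for host, user, src in failed_login_bursts(events):
        alerts.append(f"{host}: repeated failures for {user} from {src}; "
                      f"{src} may itself be a compromised relay")
    for host, user, src in success_after_burst(events):
        alerts.append(f"{host}: {user} succeeded from {src} right after a failure burst; rotate the password")
    for user, when in after_hours_logins(events):
        alerts.append(f"after-hours login by {user} at {when}")
    if skipped:
        alerts.append(f"{skipped} log line(s) could not be parsed; check for log tampering")
    for alert in alerts:
        notify(alert)
    return alerts


if __name__ == "__main__":
    triage(SAMPLE_LOGS)
```

The sliding window matters: three failures spread over a week are ordinary typos, three within a few seconds are a tool. Counting unparseable lines is deliberate, since a log that suddenly stops matching its own format is one of the cheaper signs that someone has edited it.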

Step 2: Abnormal directories and abnormal files.

After successfully obtaining an administrator account, an attacker will consolidate the foothold by placing folders, directories, or files on the system for later use. For example, having obtained the system administrator's account and password, some attackers create a folder on the system into which they upload Trojans, then set up a scheduled task that runs the program in that folder at a specific time. If we can detect abnormal folders and files early, we can detect signs of attack early and take measures in time.

Unusual changes to directories, files, and folders belonging to the operating system or to application software, including additions, deletions, and modifications, and especially changes to access-restricted folders or unexpected changes to the directory structure, are therefore likely indicators of intrusion.

In general, there are several situations.

First, the execution path of an application has changed. For example, some enterprises use MSN to communicate with customers. An attacker who has broken into the enterprise network and obtained the administrator password of a host can change the target path of the MSN shortcut on the user's desktop. Double-clicking the icon then no longer opens the original MSN program but, for example, a copy of MSN bound to a Trojan that steals chat records, account names, and passwords.

Second, suspicious folders. After obtaining the administrator's user name and password, an attacker can log in remotely with Telnet, create folders on the host, upload Trojans or other illegal software, and then use the operating system's task scheduling command to run the program in that folder at a specific time. This is a common attacker technique. If we discover such suspicious folders promptly, we can detect the attack early and reduce the resulting losses. In general, detection software can collect this information for us.

Third, illegal modification of log files. As noted above, an intruder who accesses an enterprise host will inevitably leave clues in the system or network logs. After the attack, they will do their best to replace the relevant entries in the system logs to hide their activity and frustrate tracing. If log information is collected promptly, so that a copy exists that the attacker cannot reach, then even if they change the content of the logs we can detect the change early and respond.
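The three situations above (a replaced program, a new hidden folder, and a rewritten log) can all be caught by the same baseline-and-compare check. The following is an added Python example, not code from the original article: it records a manifest of SHA-256 hashes and sizes for a directory tree, and later diffs the tree against it. Ordinary files must not change at all; files declared append-only (logs) may grow, but the bytes that existed at baseline time must still hash to the baseline value, so a log that shrank or whose old prefix was rewritten is reported as tampered rather than merely modified. The tree, file names and contents are constructed in a temporary directory for the demo and are assumptions.

```python
"""Baseline-and-compare file integrity check, with an append-only rule for logs."""
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_prefix(path, limit=None):
    """SHA-256 of the first `limit` bytes of a file (whole file if limit is None)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file (path relative to root, '/' separators) to (sha256, size)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_prefix(full), os.path.getsize(full))
    return manifest


def compare(baseline, root, append_only=()):
    """Diff a stored baseline against the tree under `root` as it is now.

    Files in `append_only` may grow, but their old bytes must be unchanged:
    a shrunken log, or one whose old prefix no longer hashes to the baseline
    value, has been rewritten, which is the log-tampering case."""
    current = snapshot(root)
    report = {"added": [], "removed": [], "modified": [], "appended": [], "tampered_logs": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] == current[rel]:
            continue  # unchanged
        elif rel in append_only:
            old_hash, old_size = baseline[rel]
            new_size = current[rel][1]
            path = os.path.join(root, *rel.split("/"))
            if new_size > old_size and sha256_prefix(path, old_size) == old_hash:
                report["appended"].append(rel)
            else:
                report["tampered_logs"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder's edits."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/msn.exe", "original messenger binary\n")
        _write(root, "logs/auth.log", "09:12 LOGIN_OK alice\n09:13 LOGIN_FAIL administrator\n")
        _write(root, "logs/app.log", "10:00 service started\n")
        baseline = snapshot(root)  # in practice, store this off the host

        _write(root, "logs/app.log", "10:00 service started\n10:05 request served\n")  # normal growth
        _write(root, "logs/auth.log", "09:12 LOGIN_OK alice\n")                         # failure line removed
        _write(root, "bin/msn.exe", "messenger binary with a trojan bound in\n")        # program replaced
        _write(root, "tmp/.x/tool.exe", "uploaded dropper\n")                           # new hidden folder

        return compare(baseline, root, append_only={"logs/auth.log", "logs/app.log"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself is the weak point: an attacker with administrator rights can rewrite it along with the logs, so keep the manifest (or a signed copy of it) on a separate host and run the comparison from there.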

Step 3: Abnormal program running information.

When hackers attack an enterprise network, obtaining administrator privileges is usually not the end goal. They attack the system to steal information such as passwords, or to use the enterprise's hosts as zombies and springboards for attacking other networks. Whatever the purpose, unless they simply copy files off the computer, they usually have to run programs in the background on the compromised host, such as a keylogger, to achieve it.

Collecting information about abnormal program execution promptly therefore lets us detect signs of attack on the enterprise network early. In practice, collecting this information means collecting process information.

Every program executed on a system runs as one or more processes, and a process's behavior is defined by the operations it performs while running; different operations use system resources differently. A process that we do not expect to see, or that the network administrator did not start, is itself a signal. For example, an attacker who tries to add illegal entries to the registry, such as creating a hidden account, does so through a process that appears in the process list.

If the network feels noticeably slow, we can look at the system process list for clues. Collecting process information by hand is unrealistic, however: the workload is heavy, and illegal processes do not run continuously. Once a task is done they exit quickly to avoid discovery. We therefore need tools that collect process information in real time, so that we can find the intruder's traces quickly and eliminate them before greater damage is done.
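The point about short-lived processes is what a periodic collector addresses. The following added Python example (not from the original article) diffs successive process snapshots: a process is reported when it first appears if its name is outside an assumed per-host allowlist, if its command line executes from a temporary directory, or if it was spawned under a scheduler such as cron, and its exit is reported with a lifetime in polls. The snapshots are constructed; a real collector would build them from `psutil.process_iter()` or `ps -eo pid,ppid,comm,args` on each poll. Process names, PIDs, paths and the allowlist are assumptions.

```python
"""Periodic process-snapshot differencing: catch unexpected and short-lived processes."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")

# Assumed per-host allowlist and locations a legitimate service should not execute from.
BASELINE_NAMES = {"init", "sshd", "cron"}
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SCHEDULER_NAMES = {"cron", "crond", "atd"}


class ProcessWatcher:
    """Feed it one snapshot per poll; it records arrivals and departures of interest."""

    def __init__(self, baseline_names=BASELINE_NAMES, suspect_prefixes=SUSPECT_PREFIXES):
        self.baseline_names = baseline_names
        self.suspect_prefixes = suspect_prefixes
        self.previous = {}      # pid -> Proc from the last poll
        self.first_seen = {}    # pid -> tick at which a flagged process appeared
        self.findings = []

    def _scheduler_ancestor(self, proc, current, max_depth=16):
        """Walk the parent chain within this snapshot looking for a scheduler."""
        for _ in range(max_depth):
            proc = current.get(proc.ppid)
            if proc is None:
                return None
            if proc.name in SCHEDULER_NAMES:
                return proc.name
        return None

    def _reasons(self, proc, current):
        reasons = []
        if proc.name not in self.baseline_names:
            reasons.append("name not in baseline")
        if any(tok.startswith(self.suspect_prefixes) for tok in proc.cmdline.split()):
            reasons.append("runs from a temp directory")
        ancestor = self._scheduler_ancestor(proc, current)
        if ancestor:
            reasons.append(f"spawned under scheduler {ancestor}")
        return reasons

    def observe(self, snapshot, tick):
        current = {p.pid: p for p in snapshot}
        for pid, proc in current.items():
            if pid in self.previous:
                continue
            reasons = self._reasons(proc, current)
            if reasons:
                self.first_seen[pid] = tick
                self.findings.append({"tick": tick, "event": "appeared", "pid": pid,
                                      "name": proc.name, "cmdline": proc.cmdline,
                                      "reasons": reasons})
        for pid, proc in self.previous.items():
            if pid not in current and pid in self.first_seen:
                self.findings.append({"tick": tick, "event": "exited", "pid": pid,
                                      "name": proc.name,
                                      "lifetime_polls": tick - self.first_seen.pop(pid)})
        self.previous = current
        return self.findings


# Constructed snapshots, as a collector polling every few seconds might record them.
_STEADY = [Proc(1, 0, "init", "/sbin/init"),
           Proc(400, 1, "sshd", "/usr/sbin/sshd"),
           Proc(512, 1, "cron", "/usr/sbin/cron")]
SNAPSHOTS = [
    _STEADY,
    _STEADY + [Proc(7781, 512, "sh", "/bin/sh -c /tmp/.x/keylog --once"),
               Proc(7782, 7781, "keylog", "/tmp/.x/keylog --once")],
    _STEADY,  # the scheduled job has already exited; a manual check now sees nothing
]


def run_demo():
    watcher = ProcessWatcher()
    for tick, snap in enumerate(SNAPSHOTS):
        watcher.observe(snap, tick)
    return watcher.findings


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The third snapshot is the one an administrator looking by hand would see: the keylogger has already gone. Only because the collector kept the second snapshot does the record show what ran, where it ran from, and that cron started it.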

In short, collecting intrusion information is a complex undertaking. Information must be collected across different network segments and hosts so that related intrusion activity can be understood as a whole. Attackers are good at finding the weak links in an enterprise network, so collection must be comprehensive.

Fully collecting network intrusion information takes a great deal of work, and doing it by hand is unrealistic: the workload is heavy and it is easy to miss things. We therefore need tools to help. Some intrusion detection tools on the market provide this collection function, and on the basis of the collected information they can analyze it and report likely intrusions.

In addition, some systems provide an automatic alerting function that sends suspicious events to the network security administrator. If someone tries to log on to a router with the administrator account and gets the password wrong three times, an email about the abnormal logon event is automatically sent to the network security administrator, who then decides whether it was legitimate. This is a very practical function, but it consumes additional resources, so it is usually not enabled by default and the administrator has to configure it manually. I recommend enabling it on important network devices.
