This book is intended mainly for practitioners, students and enthusiasts in the field of network security. It surveys the measures taken abroad in network security incident response, the construction of China's incident response system and institutions, and the interpretation of the relevant laws and regulations, and it focuses on researching and explaining the foundational theory and key technologies involved in incident response, helping practitioners gain a comprehensive understanding of the laws, regulations, industry standards and specifications, and key technical principles and applications of incident response at home and abroad. The book follows the principle of combining theoretical explanation with hands-on practice: through case analyses and tool usage it both strengthens understanding of the theory and helps improve readers' practical skills.
Liu Yonggang, male, holds a bachelor's degree and is a senior engineer. He enlisted in October 1984 and studied at the Chongqing Communications Institute of the Chinese People's Liberation Army from September 1986 to July 1989; after graduating he was assigned to Unit 61938 to work in network operations management. From September 1992 to July 1996 he studied at the Hefei Electronic Engineering Institute. Since graduating he has returned to his original unit, where he has successively served as engineer, head of the training section, deputy chief of a sub-station, station chief and senior engineer. In 2007 he was named an outstanding professional and technical talent by the General Staff Department and receives the military's special allowance; he is currently a member of the station's expert committee.
Chapter 1 A Brief History of Network Security Incident Response (p. 1)
1.1 Origins of network security incident response work (p. 1)
1.2 Development of international network security incident response organizations (p. 2)
1.2.1 Introduction to FIRST (p. 2)
1.2.2 Introduction to APCERT (p. 2)
1.2.3 National-level CERTs (p. 2)
1.3 Overview of the development of China's network security incident response organizational system (p. 3)
Chapter 2 Overview of Network Security Incident Response (p. 5)
2.1 Concepts related to network security incident response (p. 5)
2.2 Network security and information security (p. 5)
2.3 Analysis of the causes of network security problems (p. 6)
2.3.1 Technical causes (p. 6)
2.3.2 Management causes (p. 8)
Chapter 3 Laws and Regulations on Network Security Incident Response (p. 9)
3.1 China's laws, regulations and policies on network security incident response (p. 9)
3.2 Guiding significance of the Cybersecurity Law (p. 10)
3.2.1 Establishing a network security monitoring, early-warning and information-notification system (p. 10)
3.2.2 Establishing a network security risk assessment and emergency working mechanism (p. 11)
3.2.3 Formulating network security incident contingency plans and drilling them regularly (p. 12)
3.3 "Information Security Technology: Specifications for Information Security Emergency Response Plans" (GB/T24363—2009) (p. 13)
3.3.1 Incident response requirements analysis and determination of the incident response strategy (p. 14)
3.3.2 Drafting the incident response plan document (p. 14)
3.3.3 Testing, training and drilling the incident response plan (p. 14)
3.3.4 Management and maintenance of the incident response plan (p. 14)
3.4 Classification and grading of information security incidents (p. 15)
3.4.1 Significance of classification and grading standards (p. 15)
3.4.2 Principles for classifying information security incidents (p. 16)
3.4.3 Principles for grading information security incidents (p. 16)
Chapter 4 Common Models for Network Security Incident Response (p. 18)
4.1 The cyber kill chain and the counter-kill-chain model (p. 18)
4.2 The Diamond Model (p. 19)
4.3 The Adaptive Security Architecture (p. 21)
4.4 The Sliding Scale of Cyber Security model (p. 22)
Chapter 5 The Incident Response Handling Process (p. 24)
5.1 Preparation phase (p. 24)
5.1.1 Purpose of preparation (p. 24)
5.1.2 Carrying out preparation (p. 25)
5.2 Detection phase (p. 27)
5.2.1 Purpose of detection (p. 27)
5.2.2 Carrying out detection (p. 27)
5.3 Containment phase (p. 28)
5.3.1 Purpose of containment (p. 28)
5.3.2 Carrying out containment (p. 29)
5.4 Eradication phase (p. 30)
5.4.1 Purpose of eradication (p. 30)
5.4.2 Carrying out eradication (p. 30)
5.5 Recovery phase (p. 31)
5.5.1 Purpose of recovery (p. 31)
5.5.2 Carrying out recovery (p. 31)
5.6 Lessons-learned phase (p. 32)
5.6.1 Purpose of the lessons-learned phase (p. 32)
5.6.2 Carrying out the lessons-learned phase (p. 33)
Chapter 6 The Implementation System for Network Security Incident Response (p. 34)
6.1 Research background and importance of the incident response implementation system (p. 34)
6.1.1 Research background of the incident response implementation system (p. 34)
6.1.2 Importance of the incident response implementation system (p. 34)
6.2 Incident response personnel system (p. 35)
6.2.1 Main tasks and goals of the incident response team (p. 35)
6.2.2 Team composition (p. 35)
6.2.3 Division of responsibilities (p. 36)
6.3 Incident response technical system (p. 36)
6.3.1 Pre-incident techniques (p. 37)
6.3.2 Techniques during an incident (p. 39)
6.3.3 Post-incident techniques (p. 40)
6.4 Principles for implementing incident response (p. 40)
6.4.1 Feasibility principle (p. 41)
6.4.2 Information-sharing principle (p. 41)
6.4.3 Dynamism principle (p. 42)
6.4.4 Auditability principle (p. 42)
6.5 Incident response implementation rules (p. 42)
6.5.1 General provisions of the implementation rules (p. 42)
6.5.2 Routine risk prevention rules (p. 43)
6.5.3 Regular exercise and training rules (p. 43)
6.5.4 Regular meeting and exchange rules (p. 43)
Chapter 7 Network Security Assurance for Major Events (p. 45)
7.1 Research background and distinctive features of network security assurance for major events (p. 45)
7.1.1 Research background (p. 45)
7.1.2 Distinctive features of major-event assurance (p. 45)
7.2 Foundations for building a major-event assurance system (p. 46)
7.2.1 Defining the assurance targets (p. 46)
7.2.2 Establishing the assurance goals (p. 47)
7.2.3 Compiling the inventory of protected assets (p. 47)
7.3 Designing the major-event assurance system (p. 49)
7.3.1 Management system (p. 49)
7.3.2 Organizational system (p. 50)
7.3.3 Technical system (p. 50)
7.3.4 Operations and maintenance system (p. 50)
7.4 Core tasks of major-event assurance (p. 51)
7.4.1 Risk identification (p. 51)
7.4.2 Risk assessment (p. 52)
7.4.3 Risk response planning (p. 52)
7.4.4 Risk monitoring and adjustment (p. 53)
7.5 Delivering major-event assurance (p. 53)
7.5.1 Preparation stage (p. 53)
7.5.2 Pre-event stage (p. 53)
7.5.3 Live-event stage (p. 54)
7.5.4 Decisive stage (p. 54)
Chapter 8 Data-Driven Incident Response Handling Mechanisms (p. 55)
8.1 Concept analysis (p. 55)
8.1.1 The data-driven industrial revolution (p. 55)
8.1.2 Data-driven incident response handling mechanisms (p. 56)
8.2 Requirements analysis (p. 57)
8.2.1 Special requirements for incident response handling in big-data scenarios (p. 57)
8.2.2 Incident response handling mechanisms as a necessary choice on the unmanned battlefield (p. 60)
8.2.3 Incident response handling mechanisms as an effective method in fine-grained management (p. 62)
8.3 Solutions (p. 63)
8.3.1 Data-driven incident prevention mechanism (p. 63)
8.3.2 Data-driven incident handling mechanism (p. 65)
8.3.3 Data-driven incident root-cause mechanism (p. 66)
Chapter 9 Operating System Hardening and Optimization Techniques (p. 68)
9.1 Introduction (p. 68)
9.2 Principles of operating system hardening (p. 68)
9.2.1 Identity authentication (p. 69)
9.2.2 Access control (p. 69)
9.2.3 Security auditing (p. 70)
9.2.4 Security management (p. 70)
9.2.5 Resource control (p. 71)
9.3 Hands-on operating system hardening (p. 71)
9.3.1 Hardening system passwords (p. 71)
9.3.2 Optimizing system accounts (p. 76)
9.3.3 Optimizing system services (p. 81)
9.3.4 Configuring system logging (p. 84)
9.3.5 Configuring remote login (p. 87)
9.3.6 Patching system vulnerabilities (p. 90)
9.4 Classic case studies and tool introductions (p. 92)
9.4.1 "One password for everything" (p. 92)
9.4.2 The notorious WannaCry ransomware (p. 93)
9.4.3 Host security hardening software (p. 93)
Chapter 10 Cyber Deception Techniques (p. 105)
10.1 Overview (p. 105)
10.2 Cyber deception techniques (p. 105)
10.2.1 Honeypots (p. 106)
10.2.2 Shadow service technology (p. 113)
10.2.3 Virtual network topology technology (p. 113)
10.2.4 Honeytokens (p. 113)
10.3 Trends in deception technology (p. 114)
10.4 Deception technology tools (p. 114)
10.5 Principles and cases for applying deception technology (p. 122)
10.5.1 Principles of application (p. 122)
10.5.2 Application cases (p. 123)
Chapter 11 Tracing and Attribution (p. 126)
11.1 Overview of tracing and attribution (p. 126)
11.1.1 Meaning and role of tracing and attribution (p. 126)
11.1.2 Categories of tracing and attribution (p. 126)
11.2 Tracing and attribution techniques (p. 127)
11.2.1 Network traffic tracing and attribution techniques (p. 127)
11.2.2 Attribution through analysis of malicious code samples (p. 129)
11.3 Tracing and attribution tools and systems (p. 135)
11.3.1 The Traceroute utility (p. 135)
11.3.2 Colasoft network retrospective analysis system (p. 136)
11.4 Common approaches to attack attribution (p. 138)
11.4.1 Anomalous operators inside the organization (p. 138)
11.4.2 Attackers inside the organization (p. 138)
11.4.3 Attackers outside the organization (p. 139)
11.5 Attribution analysis case study (p. 139)
Chapter 12 Firewall Technology (p. 143)
12.1 Definition and functions of firewalls (p. 143)
12.1.1 Definition of a firewall (p. 143)
12.1.2 Functions of a firewall (p. 143)
12.2 Firewall classification (p. 144)
12.2.1 Packet-filtering firewalls (p. 144)
12.2.2 Stateful inspection firewalls (p. 145)
12.2.3 Application proxy firewalls (p. 146)
12.3 Firewall architectures (p. 146)
12.3.1 Dual-homed host architecture (p. 147)
12.3.2 Screened host architecture (p. 147)
12.3.3 Screened subnet architecture (p. 149)
12.4 Firewall development (p. 149)
12.4.1 Firewall applications (p. 149)
12.4.2 Firewall development trends (p. 155)
Chapter 13 Malicious Code Analysis Techniques (p. 157)
13.1 Overview of malicious code (p. 157)
13.1.1 Concept of malicious code (p. 157)
13.1.2 Classification of malicious code (p. 157)
13.1.3 Propagation channels of malicious code (p. 158)
13.1.4 Analysis of why malicious code exists (p. 159)
13.1.5 Attack mechanisms of malicious code (p. 159)
13.1.6 Harm caused by malicious code (p. 160)
13.2 Malicious code analysis techniques (p. 160)
13.2.1 Overview of malicious code analysis techniques (p. 160)
13.2.2 Static analysis techniques (p. 161)
13.2.3 Dynamic analysis techniques (p. 171)
13.3 Incident response to malicious code attacks (p. 180)
13.3.1 Incident response principles (p. 180)
13.3.2 Incident response process (p. 181)
13.4 Practical case analysis (p. 182)
13.4.1 Viewing basic information about the malicious code (p. 183)
13.4.2 Viewing the main behaviours of the malicious code (p. 183)
13.4.3 Analysing malicious code with tools (p. 185)
13.4.4 Incident response measures (p. 186)
Chapter 14 Security Forensics Techniques (p. 187)
14.1 Basic introduction to security forensics techniques (p. 187)
14.1.1 Goals (p. 187)
14.1.2 Characteristics (p. 187)
14.1.3 Principles (p. 188)
14.1.4 Current state (p. 188)
14.1.5 Development trends (p. 188)
14.1.6 Points to note (p. 188)
14.2 Basic steps of security forensics (p. 189)
14.2.1 Securing the scene (p. 189)
14.2.2 Acquiring evidence (p. 189)
14.2.3 Preserving evidence (p. 189)
14.2.4 Authenticating evidence (p. 190)
14.2.5 Analysing evidence (p. 190)
14.2.6 Tracing (p. 190)
14.2.7 Presenting evidence (p. 190)
14.3 Introduction to security forensics techniques (p. 190)
14.3.1 Security scanning (p. 190)
14.3.2 Traffic capture and analysis (p. 193)
14.3.3 Log collection and analysis (p. 194)
14.3.4 Source code analysis (p. 201)
14.3.5 Data collection and mining (p. 201)
14.4 Introduction to security forensics tools (p. 202)
14.4.1 Tool overview (p. 202)
14.4.2 Tool introductions (p. 203)
14.4.3 Vendor-developed tools (p. 217)
14.5 Security forensics case analyses (p. 217)
14.5.1 Ransomware outbreak (p. 217)
14.5.2 Network attack (p. 219)
Chapter 15 Incident Response to Computer Virus Events (p. 222)
15.1 Handling computer virus events (p. 222)
15.1.1 Classification of computer viruses (p. 222)
15.1.2 Detecting and removing computer viruses (p. 224)
15.1.3 Incident response to computer virus events (p. 226)
15.2 Example tools for handling computer virus events (p. 228)
15.2.1 Common system tools (p. 228)
15.2.2 Computer virus analysis tools (p. 229)
15.2.3 Computer virus scanning and removal tools (p. 235)
15.2.4 System recovery and hardening tools (p. 237)
15.3 Approaches and cases for incident response to computer virus events (p. 240)
15.3.1 Approach to incident response for computer virus events (p. 240)
15.3.2 Ransomware handling case (p. 240)
15.3.3 Handling case for an unknown folder virus (p. 242)
Chapter 16 Incident Response to Distributed Denial-of-Service Attacks (p. 243)
16.1 Introduction to DDoS attacks (p. 243)
16.1.1 DoS attacks (p. 243)
16.1.2 DDoS attacks (p. 243)
16.1.3 Classification of DDoS attacks (p. 244)
16.1.4 Steps of a DDoS attack (p. 248)
16.2 DDoS attack incident response strategy (p. 249)
16.2.1 Prevention and protection (before the attack) (p. 249)
16.2.2 Detection and filtering (during the attack) (p. 250)
16.2.3 Tracing and attribution (after the attack) (p. 252)
16.3 Related DDoS attack handling cases (p. 252)
16.3.1 The GitHub attack (2018) (p. 252)
16.3.2 The Dyn attack (2016) (p. 254)
16.3.3 The Spamhaus attack (2013) (p. 255)
16.4 Common DDoS detection and defence tools (p. 257)
16.4.1 DDoS attack testing tools (p. 257)
16.4.2 DDoS monitoring and defence tools (p. 260)
Chapter 17 Strategies for Handling Information Leakage Incidents (p. 266)
17.1 Basic concepts and theory of information leakage incidents (p. 266)
17.2 Introduction to information leakage prevention techniques (p. 267)
17.2.1 Leakage prevention for information at rest (p. 267)
17.2.2 Leakage prevention for information in transit (p. 267)
17.2.3 Leakage prevention for information in use (p. 268)
17.2.4 Trend analysis of information leakage prevention techniques (p. 268)
17.3 Analysis of information leakage prevention strategies (p. 269)
17.3.1 Legislation (p. 270)
17.3.2 Control (p. 270)
17.3.3 Technology (p. 271)
Chapter 18 Advanced Persistent Threats (p. 273)
18.1 APT attack activity (p. 273)
18.1.1 Active APT groups (p. 273)
18.1.2 Typical APT attack cases (p. 275)
18.2 Overview of APTs (p. 276)
18.2.1 Meaning and characteristics of APTs (p. 276)
18.2.2 APT attack process (p. 277)
18.2.3 APT technical methods (p. 278)
18.3 Detecting and responding to APT attacks (p. 280)
18.4 APT industry products and technical solutions (p. 281)
18.4.1 NSFOCUS Threat Analysis System (p. 282)
18.4.2 Topsec Advanced Threat Detection System (p. 285)
References (p. 287)