990-37 Product Manager: Which Security Events Do I Really Need to Worry About?



Which security events develop into the type of information security incident that requires my attention now? And… what do I do about it? To help categorize each incident type, align each one against the cyber kill chain to determine appropriate priority and incident response strategy. You can use this table as a start.

[Table image not preserved: incident types aligned against the cyber kill chain stages, with priority and response strategy]
A Note About Port Scanning:
Even if you’re sure that an attacker is getting no useful information back from their scanning, if they seem to be doing a detailed and comprehensive scan of your external systems, it is reasonable to interpret this as intent to follow up the reconnaissance with attack attempts later on. If the scanning originates from a legitimate organization’s networks, then contacting their security team (if they have one) or network management personnel is usually the best approach.

As a last resort, if no contact details are apparent, try the contact details listed in the WHOIS information for the domain. The email address abuse@domain is often a contact email for this kind of communication, but may not be available for smaller or younger organizations. BTW, blocking the source address may be counterproductive, and merely cause the attacker to use a different source address.

A Note About False Alarms:
We’ve expressed the need to “concentrate on what you know” many times in this guide – much of the work that security monitoring discovers is mundane yet vital.

Controls Failure: Firewall ports that shouldn’t be open to the world, categories of websites that should be blocked at the proxy, hosts that were compromised because they didn’t have endpoint security installed. Incident Response work is best thought of as “quality assurance” for the rest of your security efforts.
Noise Reduction: If security analysis is about finding the ‘needle in a haystack,’ one of the best ways to make the job easier is to make a smaller haystack. Remove unnecessary traffic, unwanted services, outdated client software, and easily-patched vulnerabilities.
Policy Violation: Ideally, you hope to be spending more of your time locating the things happening that put your network at risk, not cleaning up the results of that risk being exploited by a hostile party.
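As an added example (not code from the original guide), the following script shows the two ideas above working together: it flags the kind of detailed, comprehensive port scan the scanning note treats as intent, records it as a reconnaissance finding, and ranks findings so that later kill-chain stages come first. The firewall log format, the 20-port threshold and the sample log lines are constructed assumptions.

```python
"""Added example: flag comprehensive port scans in firewall deny logs and
rank findings by cyber kill chain stage. The log format, threshold and
sample data below are constructed assumptions, not a real product's output."""
import re
from collections import defaultdict

# Later stages mean the attacker is further along; rank them higher.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Assumed deny-line format: "<timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_denies(lines):
    """Yield (src, dst, dport) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def find_scanners(lines, min_ports=20):
    """Return {src: sorted distinct ports} for sources that probed at least
    min_ports distinct ports: the 'detailed and comprehensive' scan case."""
    ports = defaultdict(set)
    for src, _dst, dport in parse_denies(lines):
        ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

def rank_findings(findings):
    """Sort (description, stage) pairs so the latest kill-chain stage comes first."""
    return sorted(findings, key=lambda f: KILL_CHAIN.index(f[1]), reverse=True)

def triage(lines, other_findings=()):
    """Turn scan detections into reconnaissance findings and rank everything."""
    findings = [(f"comprehensive scan from {src} ({len(p)} ports)", "reconnaissance")
                for src, p in find_scanners(lines).items()]
    return rank_findings(findings + list(other_findings))

# Constructed sample: one host sweeping 40 ports, one normal client hitting 443.
SAMPLE_LOG = [f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.7 dst=198.51.100.10 dport={i + 1}"
              for i in range(40)]
SAMPLE_LOG += ["2024-05-01T10:01:00 DENY src=192.0.2.5 dst=198.51.100.10 dport=443"] * 3

if __name__ == "__main__":
    extra = [("beaconing to a known C2 domain", "command_and_control")]
    for desc, stage in triage(SAMPLE_LOG, extra):
        print(f"{stage:>22}: {desc}")
```

The C2 finding ranks above the scan because it sits later in the kill chain, which is the prioritisation the table above is meant to encode.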

