I originally thought I would be able to finish coding, but in the end I did not, so I will update later, probably around 1 a.m. Just refresh this section then. Alas, it really turns out that saving drafts is very necessary.
Abstract: Organized and purposeful network attacks that exploit cybersecurity vulnerabilities are becoming increasingly common. On one hand, the time window for emergency response is shrinking; on the other, the threat knowledge, professional skills and proficiency required for emergency response keep rising. This paper presents a concise process and set of response steps for emergency response undertaken by network operators as defenders, as a practical reference for related entities.
Keywords: network security; critical information infrastructure; attack and defense drills
1 Introduction
As the significance of information technology in societal development grows, cyberspace has become a new battleground between major powers. Network security attack and defense drills test the cyber protection of critical information infrastructure and raise the emergency response level of network operators, strengthening network security protection capabilities through realistic adversarial practice. From the perspective of a network operator, and using a real-world attack and defense drill on a government website as an example, this paper briefly describes how defenders conduct their work during the drill, providing experience for related entities organizing their own response.
2 Drill content
A certain entity organized several attack teams of network security professionals to carry out a sustained 5-day attack test against the official websites and business systems of the second-level institutions within its jurisdiction, to verify the effectiveness of the target systems' security protection. Each day the defenders submitted a report at a fixed time on a unified drill platform. The entity I belong to, as the operator of the target websites and business systems, had to ensure the physical, operational and data security of the target information systems and minimize the harm from cybersecurity incidents.
3 Organizational structure
A Defense Command Center was established, led by the network security manager as commander-in-chief, with members drawn from the leadership of the network security and business system operation departments. Subordinate to the Command Center are the Defense Working Group, the Monitoring and Analysis Team and the Judgement and Disposal Team, totaling 20 people.
3.1 Defense Command Center
Coordinates the overall defense work of the drill: responsible for the command, organization, coordination and process control of the information system attack and defense drill; issues the critical operational commands for system shutdown and recovery, and authorizes external information reporting; reports drill progress and submits the summary report, ensuring that the drill's objectives are achieved.
3.2 Defense Working Group
Responsible for the specific tasks of the information system emergency drill: setting up and maintaining a centralized monitoring and disposal environment; analyzing and assessing the impact of information system emergencies on business operations; collecting and analyzing the data and records produced during emergency handling; reporting drill progress and developments to the Command Center; leading the daily security incident summary and analysis; compiling, filtering and submitting the defense reports.
3.3 Monitoring and Analysis Team
Responsible for monitoring business system access and the cyberspace security posture during the drill, detecting and identifying network attacks, keeping records of the monitoring process, and issuing attack alerts to the Judgement and Disposal Team; also responsible for promptly patching vulnerabilities in business systems and for carrying out system shutdown and recovery operations.
3.4 Judgement and Disposal Team
During the drill preparation phase, responsible for remediating identified cybersecurity hazards and implementing the various protective measures. During the live drill phase, responsible for scrubbing attack traffic to keep business systems available; deploying technical resources dynamically and flexibly as needed; and completing technical analysis and judgement, real-time attack countermeasures and emergency response.
4 Drill Implementation
Based on past drill experience, a small-scale defense should be organized around three stages: before, during and after the drill.
4.1 Before the Attack and Defense Drill
Prior to the drill, establish a comprehensive support team. Set up monitoring and early-warning capability at the security technology level, and build a notification, early-warning and feedback mechanism at the security policy level. Conduct a detailed risk assessment and security reinforcement of the information systems within the scope of the defense assignment, formulate the "Network Security Attack and Defense Drill Implementation Plan," and train related personnel in information security awareness.
4.1.1 Asset Inventory
Carry out an inventory of informatization assets, including but not limited to: internet applications published externally; internet egress points, and the devices and security measures deployed at each egress; the network architecture (network topology); important or key information systems, application systems and the topology of their servers; network security devices and network protection measures; SSL VPN and IPsec VPN access.
4.1.2 Risk Assessment
Security experts, working from the results of the asset inventory, perform a security risk assessment. They may use methods such as questionnaires, employee interviews and security techniques (penetration testing, vulnerability scanning, baseline reviews, etc.), with tools or by hand, to assess risk in the dimensions of network security, application security, host security, endpoint security and data security. Each dimension covers the following.
(1) Network Security Risk Assessment: Network architecture risk assessment uses manual and tool-based methods to examine current threats and risks in the network from the technical, policy and management aspects. Vulnerability and security baseline risk assessment uses scanning tools to scan and comprehensively inspect network devices. Weak password risk assessment strictly prohibits weak or empty passwords on any account. Account and privilege risk assessment inspects administrator accounts and their privileges, disables unnecessary accounts, revokes unreasonable privileges, and ensures password strength meets the security baseline. Remote login whitelist risk assessment restricts the IP addresses that may manage devices remotely and disables remote management over Telnet. Configuration backup risk assessment ensures that every network device has a current configuration backup and confirms that the backups are valid and restorable.
(2) Application Security Risk Assessment: Authentication risk assessment examines the identity and authentication settings of application systems, and how these systems handle login failures, session timeouts and similar conditions. Access control risk assessment evaluates the application's access control functions, such as access control policies and permission settings. Security audit risk assessment evaluates the security audit configuration, such as the scope of coverage and the items and content recorded. Asset exposure risk assessment simulates attacker reconnaissance to collect detailed asset information (program names and versions), open dangerous ports, exposed management backends, etc. Application vulnerability risk assessment checks web servers such as Apache, WebSphere, Tomcat and IIS, and other services such as SSH and FTP, for missing patches and version-specific vulnerabilities. Penetration testing uses appropriate test methods to uncover security vulnerabilities in the information system's authentication and authorization, code, etc., reproduces the damage that exploiting these vulnerabilities could cause, and provides specific improvement or reinforcement measures to avoid or defend against such threats, risks or vulnerabilities.
(3) Host Security Risk Assessment: WebShell risk assessment looks for backdoor WebShells on systems providing web services, verifies server integrity, and ensures that any backdoor left by a possible past breach is removed. Malicious file risk assessment uses dedicated botnet and trojan detection tools to inspect the operating system for malicious files and performs behavioural analysis on them to identify the malware family and the harm it can do. Weak password risk assessment strictly prohibits weak or empty passwords on any account. Port and service risk assessment opens only the ports required by the services the server provides and closes unnecessary ports and externally exposed services. Server firewall risk assessment prohibits all outbound connections initiated by the server by default; where outbound access is necessary, a strict access control policy implementing an outbound whitelist must be defined. System vulnerability scan risk assessment scans the operating system, databases, and common applications and protocols for vulnerabilities.
(4) Endpoint Security Risk Assessment: Security baseline risk assessment checks the endpoint operating system against the security configuration baseline. Weak password risk assessment strictly prohibits weak or empty passwords on any account. Antivirus software risk assessment checks whether endpoints have antivirus software installed and whether its security policies are enabled. Unauthorized external connection risk assessment checks whether endpoints have dual network interfaces, or are running or connected to wireless hotspots. Patch update risk assessment inspects the status of patch updates.
(5) Data Security Risk Assessment: Security baseline risk assessment checks the operating system hosting the database against the security configuration baseline. Data access control risk assessment evaluates data access and permission settings. Data backup risk assessment checks data backup strategies and the state of disaster recovery.
4.1.3 Security Reinforcement
Through assessment and inspection, analyze the cybersecurity vulnerabilities and risks of informatization assets and critical information systems and carry out targeted security reinforcement. Network-layer issues in network devices, security devices and security systems are the responsibility of the Basic Network Operation Department; host- and application-layer issues such as known vulnerabilities, code logic errors, weak administrator passwords and middleware vulnerabilities are the responsibility of the relevant system owners, who reinforce them under the guidance of security experts, addressing the technical security issues found during the assessment, optimizing system security configurations and eliminating weaknesses caused by improper configuration.
4.1.4 Security Training
To improve the technical skills of security personnel and the security awareness of non-security personnel, the Defense Working Group customizes training content from relevant textbooks and practical case material, so that staff can respond more effectively to cyberattacks during the drill. Main training content: for security technical personnel and security administrators, security awareness, security fundamentals, web application composition, common vulnerabilities, recent 0-day events, the intrusion process, symptoms of malware infection, and defensive techniques; for non-security personnel, security awareness covering personal computer security, email security, mobile device security, and daily work and life.
4.1.5 Simulated Attack and Defense
After security reinforcement, to verify its results and examine the robustness and effectiveness of the defense system, a simulated attack and defense drill should be organized to test security capabilities. Invite security companies' attack teams to attack the target unit's informatization systems from the outside, testing the systems' defensive ability and the collaboration of the defense team. The attack team's methods must not affect the target unit's normal business operations and include, but are not limited to, penetration testing, system vulnerab...
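The host-layer checks listed under (3) in 4.1.2 (accounts with empty passwords, listening ports beyond what the server should expose, WebShells under the web root) can be scripted rather than inspected by hand. The following Python script is an added example for this page, not tooling from the paper or from the organization it describes. The shadow excerpt, the ss -tlnp output, the approved port set and the web-root contents are constructed inputs, and the WebShell patterns are a minimal illustrative set, not a complete detector.

```python
"""Host-layer pre-drill audit over constructed inputs (added example)."""
import re

# Constructed /etc/shadow excerpt: 'deploy' has an empty password field,
# 'www-data' and 'backup' are locked ('*' / '!'), root has a hash.
SHADOW_SAMPLE = """\
root:$6$abc$hashedvalue:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
deploy::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
"""

# Constructed `ss -tlnp` output: telnetd on 23 and a Java app on 8080 are
# listening on all interfaces; MySQL is bound to loopback only.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=2,fd=6))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=3,fd=4))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=4,fd=9))
LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=5,fd=7))
"""

# Ports this web server is approved to expose (assumption for this example).
APPROVED_PORTS = {22, 443}

# Constructed web-root contents: two files under uploads/ carry WebShell traits.
WEBROOT_SAMPLE = {
    "index.php": "<?php echo 'hello'; ?>",
    "uploads/a.php": "<?php @eval($_POST['x']); ?>",
    "uploads/img.php": "<?php $c=base64_decode('c3lzdGVt'); $c($_GET['cmd']); ?>",
}

# Regexes for common PHP WebShell constructs, each with a human-readable reason.
WEBSHELL_PATTERNS = [
    (r"\beval\s*\(\s*\$_(POST|GET|REQUEST)\b", "eval of request parameter"),
    (r"\bbase64_decode\s*\(", "base64-decoded payload"),
    (r"\$\w+\s*\(\s*\$_(POST|GET|REQUEST)\b", "variable function called with request parameter"),
    (r"\b(system|passthru|shell_exec|exec|popen)\s*\(", "OS command execution"),
]

SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def empty_password_accounts(shadow_text):
    """Usernames whose shadow password field is empty, i.e. login without a password.
    Locked accounts ('*', '!', '!!') are not reported: they cannot log in by password."""
    bad = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            bad.append(fields[0])
    return bad


def unexpected_listeners(ss_output, approved):
    """(port, process) pairs for listeners reachable from the network but not approved."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback-only binding is not exposed externally
        if port not in approved:
            found.append((port, proc))
    return found


def webshell_indicators(files):
    """{path: [reasons]} for files that match at least one WebShell pattern."""
    hits = {}
    for path, content in files.items():
        reasons = [why for pat, why in WEBSHELL_PATTERNS if re.search(pat, content)]
        if reasons:
            hits[path] = reasons
    return hits


def run_audit(shadow_text=SHADOW_SAMPLE, ss_output=SS_SAMPLE,
              approved=APPROVED_PORTS, files=WEBROOT_SAMPLE):
    """Collect the three checks into one report dict."""
    return {
        "empty_password_accounts": empty_password_accounts(shadow_text),
        "unexpected_listeners": unexpected_listeners(ss_output, approved),
        "webshell_suspects": webshell_indicators(files),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

On a real host the three inputs are /etc/shadow, the output of ss -tlnp, and the files under the web root. Note the two deliberate non-findings: a locked account (* or !) is not an empty password, and the MySQL listener bound to 127.0.0.1 is not reported because it is not reachable from the network; a port check that ignores the bind address produces exactly the kind of false alarm that wastes time during the drill.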
4.2 During the cybersecurity exercise
During the exercise, the Defense Working Group directs the Monitoring and Analysis Team and the Judgement and Disposal Team to defend the target systems against any attacker with the utmost effort, to monitor the attack situation on the target systems in real time, to notify the Defense Command Center immediately when a security incident occurs, to keep abreast of the exercise's progress, to analyze and judge security incidents, and to prepare analysis and disposal reports for submission.
4.2.1 7×24-hour monitoring and early warning
The Monitoring and Analysis Team performs centralized monitoring of website security through business system access logs, website security monitoring, the cybersecurity management center, the cyberspace situational awareness platform and other early-warning platforms. A designated analyst on the cloud-side (remote) monitoring platform continuously analyzes and verifies security events on the monitored websites in real time and reports to the on-site Judgement and Disposal Team immediately whenever a security incident occurs. Every monitoring task is assigned to a named person, and for every detected security event the event logs must be retained, system backups maintained, faults recorded in detail and a preliminary diagnosis made.
4.2.2 Technical analysis
During the exercise, the volume of attacks rises sharply. Traditional detection methods based on blacklists and whitelists, signatures and rules are no longer sufficient against the continually evolving and targeted threats seen during the exercise. Therefore, when the internet security monitoring platform or the situational awareness platform detects a security incident, the Monitoring and Analysis Team must immediately analyze it, pinpoint the problem and trace its origin. Once an event is confirmed not to be a false alarm, details such as the attack path and the attacker's IP address are reported to the Judgement and Disposal Team and the Defense Working Group for onward reporting. Combining the fault description and diagnosis to pinpoint the security issue, the team proposes a solution based on the situation and feeds it back to the Judgement and Disposal Team. Issues that cannot be pinpointed or analyzed are referred directly to the Defense Working Group.
4.2.3 Expert judgement and real-time attack response
The greatest security risk during the exercise comes from the attackers, particularly those who are targeted and persistent; early detection and containment of such attacks is an effective means of mitigating external threats. The exercise period is also when criminal hacker groups are most active, and they may disguise themselves as an attack team to strike defending units. The Monitoring and Analysis Team and the Judgement and Disposal Team must therefore continuously judge security incidents in real time based on their characteristics and add appropriate protective policies to the intrusion prevention system, web application firewall and other security devices, so as to classify and counter illegal attacks in real time.
4.2.4 Emergency response and business recovery
The key to swift and successful emergency response is to handle security incidents that have occurred in an orderly manner according to predetermined procedures, minimizing the damage they cause and reducing the risk introduced by the handling itself. The Judgement and Disposal Team, upon receiving an early-warning report from the Monitoring and Analysis Team, directly addresses the identified problems (such as availability).
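The analysis step described in 4.2.2 and 4.2.3 (confirm that an alert is not a false alarm, extract the attacker IP and the attack path, and hand a block decision to whoever maintains the WAF/IPS policy) is shown below over web server access logs, as an added example that is not part of the paper. The log lines are constructed, the signature list is a small illustrative set, and the allowlist of the drill's own scanner source is an assumption that stands in for the "confirmed not a false alarm" check: a source that is part of the exercise infrastructure should show up in the report but never be pushed into a block rule.

```python
"""Triage of web access logs during the exercise (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format log lines. 203.0.113.10 is a normal visitor,
# 198.51.100.7 tries SQL injection and then calls a script under uploads/,
# 192.0.2.44 runs a Nikto scan, and 10.0.0.5 is the drill's own internal
# scanner (allowlisted below so it is not blocked as a false alarm).
LOG_SAMPLE = """\
203.0.113.10 - - [12/Aug/2023:09:01:02 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2023:09:01:05 +0800] "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2023:09:01:06 +0800] "GET /news.php?id=1'%20or%201=1-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2023:09:01:09 +0800] "POST /uploads/a.php HTTP/1.1" 200 75 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Aug/2023:09:02:10 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.44 - - [12/Aug/2023:09:02:10 +0800] "GET /admin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.44 - - [12/Aug/2023:09:02:11 +0800] "GET /.git/config HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.44 - - [12/Aug/2023:09:02:11 +0800] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 400 169 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.10 - - [12/Aug/2023:09:03:00 +0800] "GET /about.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Aug/2023:09:04:00 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "internal-scanner/1.0"
10.0.0.5 - - [12/Aug/2023:09:04:00 +0800] "GET /admin/ HTTP/1.1" 404 169 "-" "internal-scanner/1.0"
10.0.0.5 - - [12/Aug/2023:09:04:01 +0800] "GET /backup.zip HTTP/1.1" 404 169 "-" "internal-scanner/1.0"
"""

# Sources the drill itself operates (assumption): reported, but never auto-blocked.
DRILL_ALLOWLIST = {"10.0.0.5"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures applied to the URL-decoded request path (illustrative, not exhaustive).
PATH_SIGNATURES = [
    ("sql injection", re.compile(r"union\s+select|'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("path traversal", re.compile(r"\.\./")),
    ("script under upload directory", re.compile(r"/uploads?/[^?]*\.php", re.I)),
    ("sensitive path probe", re.compile(r"/(phpmyadmin|admin|\.git|backup\.zip)\b", re.I)),
]
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|dirbuster|gobuster", re.I)
NOTFOUND_THRESHOLD = 3  # 404s from one source before it counts as directory brute force


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"])  # decode before matching signatures
    return rec


def triage(log_text):
    """Per-source summary of suspicious activity: {ip: {reasons, paths, not_found}}."""
    findings = defaultdict(lambda: {"reasons": set(), "paths": [], "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        hit = False
        for name, pattern in PATH_SIGNATURES:
            if pattern.search(rec["decoded_path"]):
                f["reasons"].add(name)
                hit = True
        if SCANNER_UA.search(rec["ua"]):
            f["reasons"].add("scanner user-agent")
            hit = True
        if rec["status"] == 404:
            f["not_found"] += 1
            if f["not_found"] >= NOTFOUND_THRESHOLD:
                f["reasons"].add("404 burst (directory brute force)")
                hit = True
        if hit:
            f["paths"].append(f'{rec["method"]} {rec["decoded_path"]}')
    # Only sources with at least one reason are reported as attackers.
    return {ip: f for ip, f in findings.items() if f["reasons"]}


def block_list(findings, allowlist):
    """Sources to hand to the WAF/IPS block policy, minus allowlisted ones."""
    return sorted(ip for ip in findings if ip not in allowlist)


if __name__ == "__main__":
    report = triage(LOG_SAMPLE)
    for ip, f in report.items():
        print(ip, sorted(f["reasons"]), f["paths"])
    print("block:", block_list(report, DRILL_ALLOWLIST))
```

Two details matter in practice. The path is URL-decoded before the signatures run, which is why the %2F-encoded traversal attempt is caught; matching on the raw path would miss it. And the 404-burst rule is behavioural rather than signature-based, so it still flags a scanner that uses no known tool string, which is the gap the paper points at when it says that list- and rule-based detection alone is no longer sufficient.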