
Tdohconf 2017-ncku

1,409 views

Published on

TDOH CONF 2017 @ 成功大學

Published in: Internet

  1. The Analog Homeland That Fell in Those Years
  2. Jack Chou, TDOH Conf @ NCKU
     × 數聯資安: penetration testing and forensics engineer
     × 法務部調查局 (Ministry of Justice Investigation Bureau): external security consultant
     × 麟銳科技: senior engineer
     × 宏碁商軟: cloud business application consultant
     × CEH, CHFI, MVM, PA
  3. Agenda
     1. Security incident categories and case sharing
     2. Incident investigation approach, tools and resources
     3. Anti-investigation and anti-analysis
  4. 1. Security incident categories and case sharing
  5. System intrusion: system anomalies, RDP brute force, SSH brute force, host vulnerabilities
  6. Web intrusion and data leakage: webshells
  7. Web intrusion and data leakage, a first-hand case... the story of "you're only worth NT$223,000":
     × Background
     × Two groups of people
     × The money mule's jurisdiction
     × Camera blind spots
     × Legal issues
     × Call the elders at home now and then...
  8. APT: Twitter C&C
  9. APT: remote access trojans (RAT) and backdoors
  10. Viruses and trojans: ransomware on a cloud host
  11. E-commerce extortion: DDoS, database dumping
  12. "Macau's first online casino is now live~"
  13. Public-opinion DDoS...
  14. 2. Incident investigation approach, tools and resource sharing
  15. Incident Response and Handling. A security incident is an event that negatively affects an organization's information operations, for example a system crash, a Distributed Denial of Service (DDoS) attack, unauthorized use of a system, unauthorized access to data, or execution of a file carrying malicious code.
     × 1. Preparation
     × 2. Detection & Analysis
     × 3. Containment, Eradication & Recovery
     × 4. Post-Incident Activity
  16. Locard exchange principle: "Whenever two objects come into contact, a transfer occurs." Dr. Edmond Locard (13 December 1877 – 4 April 1966)
  17. Security incident investigation approach
     × What is abnormal? (What): recall the earlier cases
     × Who is the victim? (Who): recall the protagonists of the earlier cases
     × Where is the victim? (Where): which subnet? who can administer it? etc.
     × How were they compromised? (How): consider every possibility
     × Timeline Analysis: a love story between Locard's principle and time
     Investigate to the fullest!!!
  18. "The cyber adversary's tactics flow like water, seeking the path of least resistance. Plan accordingly." The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter...)
  19. Website intrusion investigation approach
     With logs:
     × Web platform logs
     × Access logs of the other services on the web host
     × File timeline analysis
     Without logs:
     × Reason the way an intruder attacking the site would
     × See the site-attack flow on the right
  20. IR Training Resource
     × https://ppt.cc/fwcwpx
  21. Investigation approach: tool usage
     OSINT:
     × Domain enumeration, scanning, OSINT
     × https://www.threatcrowd.org/ (threat intel)
     × https://www.threatminer.org/ (threat intel)
     × https://community.riskiq.com/home (PassiveTotal)
     × http://www.t1shopper.com/tools/port-scan/ (scanning)
     × https://exchange.xforce.ibmcloud.com/ (threat intel)
     × https://www.hybrid-analysis.com/advanced-search (sample search)
     × https://koodous.com/ (APK samples)
     × http://mxtoolbox.com/EmailHeaders.aspx (email header parsing)
     Mapping the victim organization's architecture diagram:
     × Which intrusion paths are feasible?
     Narrowing the investigation:
     × Which subnet? Who can administer it? etc.
  22. Enterprise DNS analysis
     Threat intel methods:
     × https://github.com/mlsecproject/combine
     × https://github.com/stamparm/maltrail
     × https://github.com/keithjjones/hostintel
     × https://github.com/QTek/QRadio
     × https://github.com/1aN0rmus/TekDefense-Automater
     Allowlist:
     × Alexa Top 1 Million Download and Lookups
     × https://scans.io/series/alexa-dl-top1mil
  23. IR Tool with PowerShell
     LRUP.PS1:
     × https://ppt.cc/fMRChx
     × https://github.com/Invoke-IR/PowerForensics
     Live Response Using PowerShell - SANS Institute: https://www.sans.org/reading-room/whitepapers/forensics/live-response-powershell-34302
  24. Loki, Simple IOC and Incident Response Scanner:
     × https://www.bsk-consulting.de/loki-free-ioc-scanner/
     × https://github.com/Neo23x0/Loki/releases/download/v0.24.2/loki_0.24.2.zip
  25. Brimorlabs Live Response. Live Response Collection – Bambiraptor Build:
     × Automated tool that collects volatile data from Windows, OSX and *nix based operating systems
     × https://www.brimorlabs.com/Tools/LiveResponseCollection-Bambiraptor.zip
  26. Brimorlabs Live Response
  27. PESTUDIO: Malware Initial Assessment
  28. LINUX IR. Compilation of good articles on Linux IR: https://www.one-tab.com/page/3tLqOfx8T8qkCDp4dDm6_Q
  29. macOS IR tools:
     × KnockKnock
     × TaskExplorer
     × Dylib Hijack Scanner
     × https://objective-see.com/products.html
  30. 3. Anti-investigation and anti-analysis. Anti! Anti! Anti!
  31. "The competent cyber warrior learns from their mistakes. The cyber master learns from the mistakes & knowhow of others." The Art of Cyber War (Sun Tzu's Art of War, cyber warfare chapter...)
  32. ClearEventLog: the name says it all... (screenshot)
  33. Master Boot Record: of course, dropping ransomware there works too... (screenshot)
  34. Sdelete -p X > 6 (screenshot)
  35. Software protection schemes: too much protection and the antivirus may flag it outright... (screenshot)
  36. Anti Analysis
     × https://github.com/a0rtega/pafish
     × https://github.com/AlicanAkyol/sems/
     × https://github.com/google/sandbox-attacksurface-analysis-tools
     × https://github.com/LordNoteworthy/al-khaser
     × https://github.com/marcusbotacin/Anti.Analysis
     × https://github.com/ricardojrdez/anti-analysis-tricks
     "Cyber deterrence creates the next decade's malware problem." - Sun Tzu, The Art of Cyber War
  37. ATT&CK Matrix
     × https://attack.mitre.org/wiki/Main_Page
     × https://github.com/redcanaryco/atomic-red-team
  38. NG-PT
     × https://ppt.cc/f0lonx
  39. Threat Hunting
     × https://ppt.cc/fs5kGx
  40. Red Team Tips
     × https://ppt.cc/f0tn5x
     × Continuously updated...
  41. Hacking techniques are a double-edged sword
  42. (image only)
  43. (image only)
  44. Keeping the analog homeland safe...
  45. 資電作戰指揮部 網路戰大隊 (Information, Communications and Electronic Warfare Command, Cyber Warfare Battalion)
     × Think defence is boring?
     × Visit the military recruitment booth at the venue!!!
  46. (image only)
  47. Thanks! Any questions? You can find me at: https://www.facebook.com/jack.chou.351 jackzzsh11235813800626@gmail.com https://twitter.com/jackchou51706 https://github.com/jack51706 https://www.linkedin.com/in/keyboard007/
