ng soc in taiwan
play

NG-SOC in Taiwan The realities , the difficulties and the future - PowerPoint PPT Presentation

Mar 09, 2024 •701 likes •1.11k views

NG-SOC in Taiwan The realities , the difficulties and the future Senior Technical Consultant Jack Chou Who am I : : Incident Response CEH CHFI Palo Alto Network ACE Penetration Testing

  1. NG-SOC in Taiwan The realities , the difficulties and the future Senior Technical Consultant Jack Chou

  2. Who am I 就是一個不長 • 證照 : • 專長 : • Incident Response • CEH CHFI • Palo Alto Network ACE • Penetration Testing & Exploit Research • McAfee Vulnerability Manager • Malware Analysis • Security Solution Implementation • APT Gateway (TM DDI) • 經歷 : • APT Mail (TM DDEI) • 協助調查局偵辦第一銀行盜領案 • APT Endpoint (CounterTack MDR) • 建置企業 APT 防護 • 協助企業資安事件處理 • 犯罪研究及調查 • 司法官律師學分班結業萬惡考生中…

  3. Agenda • What is NG-SOC? • The Realities ( 罪 ) • The Difficulties ( 苦 ) • The Future ( 未來 )

  4. 新一代 SOC-OODA(1) 大人物 (Tactics Techniques and Procedures) • 增加監控可視性 • EDR / EPP • 減少人為疏失及人力 • SOAR http://correlatedsecurity.com/an-ooda-driven-soc- strategy-using-siem-soar-edr/

  5. 新一代 SOC-OODA(2) 包山包海的 CTI http://correlatedsecurity.com/why-cyber-threat- intelligence-informed-security-operations-is-important/

  6. Taiwan SOC Security Operation Center 客戶的期望是甚麼 ???

  7. 罪 在台灣從事資安工作本身就有很多原罪…

  8. SOC 監控共同供應契約 次就是代表不限範圍與目標數 • 低流量 • EPS: 900 • IR: 3 次 • 中流量 • EPS: 2300 • IR: 7 次 • 高流量 • EPS: 4900 • IR: 15 次

  9. 我們都是萬能的資安從業人員… 客戶還有您的老闆對我們的高度期待… https://sansorg.egnyte.com/dl/K0PbjzWWau/

  10. 台灣的威脅情資 資通安全情資分享辦法 • 保留

  11. 苦 身為一個 SOC 商在苦也要盡力滿足客戶的高度期望…

  12. SOC&IR 如何找未知 ??? KPI 用 CTI • 搜尋使用近期 CVE 且 攻擊三家客戶以上… • 甚麼 !!! • 是 大規模預謀攻擊 !!! • 但依然不及友商一年二十幾萬次的情資 回饋分享…

  13. Offensive OSINT Attack Surface Management

  14. Attack Surface Management 來源及方法例舉 Dark Web Monitoring Asset Discovery • Leaked/Stolen Credentials • APIs & Web Services • Pastebin Mentions • Web Applications & Websites • Exposed Documents • Domains & SSL Certificates • Leaked Source Code • Critical Network Services • Breached IT Systems & IoC • IoT & Connected Objects • Phishing Websites & Pages • Public Code Repositories • Fake Accounts in Social Networks • SaaS & PaaS Systems • Unsolicited Vulnerability Reports • Public Cloud & CDN • Trademark Infringements • Mobile Apps • Squatted Domain Names • Databases

  15. Hunting Leaked & Misconfig API • 使用 VTgrep 語法搜尋客戶相關資料外洩 或樣本,發現可能洩漏的帳號密碼 • https://buckets.grayhatwarfare.com

  16. Potential squatting • https://www.immuniweb.com/radar / • https://dnstwist.it/ (phishing domain scanner) • 廠牌名稱 + 客戶域名 +IT 常用關鍵字 (update 、 admin 、 365 、 windows 、 Microsoft…等 ) • Example: • symantecupdates.info • kaspernsky.com • windowsupdate.microsoft.365filtering. com

  17. Leaked/Stolen Credentials Dark Data Discovery( 暗網情資蒐集 ) • https://raidforums. com/ • HUMINT • https://github.com /kevthehermit/Past eHunter • Hunchly Dark Web Report • https://darksearch.i o/ • https://github.com /s-rah/onionscan

  18. Defensive OSINT 攻擊者視角

  19. Digital Discovery • Open Service & Unrestricted Web • https://www.immuniweb.com/webs ec/ • https://www.immuniweb.com/mobil e/ • https://www.immuniweb.com/ssl/ • https://github.com/jack51706/Leak Looker-X

  20. Outbound Hunting 連線 metadata https://blog.binaryedge.io/2019/07/08/guest-post-panda- • banker/ https://www.fireeye.com/blog/threat- • research/2020/07/scandalous-external-detection-using- network-scan-data-and-automation.html https://app.binaryedge.io/services/query?filter=MALWARE • https://www.shodan.io/search?query=category%3Amalwar • e https://blog.fox-it.com/2019/02/26/identifying-cobalt- • strike-team-servers-in-the-wild/ https://censys.io/blog/hunting-mirai • https://censys.io/blog/tracking-roamingmantis-mobile- • banking-threat https://censys.io/blog/hunting-for-threats-coinhive- • cryptocurrency-miner https://censys.io/blog/finding-hacked-web-servers • Infiltrate C&C • Backdoor Reversing •

  21. Intelligence-Driven Incident Response and Threat Hunting 問世間 情資是何物…

  22. Pivot and Threat Attribution Make Enrichment Great Again Sample Infrastructure • Unique Strings • Passive DNS • Network Communication/Encryption • TLS certificate tracking Algorithm • Correlation through metadata (web • Code / Strings Reuse server version, hosting provider, HTTP headers, Whois …) • Metadata(filename, description, version, title, author name) • Search of domain names/IP addresses on public sandboxes • Mutexes results • Behavior • HTTP static content tracking • Network flow https://github.com/threatresearch-issdu/ITHOME2020

  23. 情資蒐集方法及來源 • IR • VIRUSTOTAL Yara Hunting • Event Hunting • OSINT • 客戶提供之不明樣本分析及後續關聯 • Honeypot( Open Proxy 、 Tor node) • 主動木馬檢測 ( 資安健診 ) • 客戶資產監控 • https://www.one- tab.com/page/BQ9hxrRER9GYDMd 5d_v09Q • 多來源交叉關聯查證

  24. CTI Lifecycle Pivot Enrichment Attribution  IPS Detection  VT  IP / DN Block  similar-to:  Sample(175+) AV  VT Block  code- similar-to:  CTI platform HTTP_PlugX_Trojan Deliver & Response VT Hunting & _CnC Crowdstrike 185.161.209.234 185.161.209.234 Enrichment 追蹤與分析  https://www.carbonblac k.com/2020/02/20/threa  VT: t-analysis-active-c2- discovery-using-  tag:winnti protocol-emulation-  Infra enrichment part2-winnti-4-0/  該 IP 經追蹤後可關聯到 VMWARE 提出的威脅情資 報告  該入侵源頭標記為 Winnti4.0  該文章可取得樣本共 19 隻

  25. Attack Surface Management Commercial • https://cyberint.com/solutions/ • https://www.immuniweb.com/ • https://www.riskiq.com/illuminate- platform/

  26. Human-Intelligence Network Anomaly Detection 工人智慧

  27. SOC&IR 如何找未知 設備 RULE • TM DDI Rule: • Executable requested from root directory of web server

  28. AI Network Anomaly Detection ExtraHop & DarkTrace • 圖論權重可視化 • 協定流量統計分析 • 攻擊途徑階段統計分析 • 資產屬性統計分析 • Network artifact metadata

  29. SOC&IR 如何找未知 連線 metadata • PASTEBIN • GITHUB • Vultr.com • 頻率 + 過濾資料比對 + Dest IP/DN 不在 Alexa TOP 100M • DDNS

  30. SOC&IR 如何找未知 防毒 RULE • 偵測到駭客工具 (TM OfficeScan) (HKTL_DUMP*) • 偵測到駭客工具 (TM OfficeScan) (HKTL_PASS*) • 偵測到駭客工具 (SEP) (Hacktool) • 防毒不是沒用,只是要看怎麼用跟看

  31. Endpoint Visibility and Response

  32. 傳統端點偵測應處 EVTX 分析 • https://github.com/sans-blue- team/DeepBlueCLI • https://github.com/sbousseaden/EVTX- ATTACK-SAMPLES • https://www.malwarearchaeology.com/cheat- sheets • https://github.com/mvelazc0/Oriana/wiki/Hu nting-Analytics • https://github.com/0Kee-Team/WatchAD • https://github.com/JPCERTCC/LogonTracer • https://blogs.jpcert.or.jp/en/2017/12/research -report-released-detecting-lateral-movement- through-tracking-event-logs-version-2.html • https://github.com/NVISO-BE/ee-outliers

  33. 滅證 人工 IR 的極限 • Sdelete • ClearEventLog • https://github.com/Rizer0/Log-killer • https://github.com/hlldz/Invoke-Phant0m • Clear MBR • Ransomware

  34. 端點偵測應處 EDR Hunting Hypothesis • Office 0 day • 產生 Powershell 執行緒 (Fileless) • 中繼站連線 ( 網路連線行為 ) • 以客制 Threat Hunting 規則,即時發現並進 行處置 (process_name:winword.exe OR • process_name:excel.exe OR process_name:powerpnt.exe) AND netconn_count:[1 TO *] AND childproc_name:powershell.exe • APT VPN Lateral Movement ERS20191125 cb.urlver=1&q=file_desc:PacketiX •

  35. 未來 如何在客戶高度期待下…

  36. SOAR 如果有東西把前面講的一堆手工方法半自動化… • Security Orchestration Use Case: Automating Threat Hunting • Playbook (436) • Detonate • Enrichment • Extract • Hunting • Investigation • Integration (569) • Automation (677) • Script (617)

  37. ISSDU 新世代 SOC 架構 + =

  38. Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly

Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly

Conference on East Asia and Western Pacific Meteorology and Climate cum 25th Anniversary of Hong Kong Meteorological Society (HKMMS25) Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining

548 views • 17 slides
Development of Earthquake Early Warning System in Taiwan Nai-Chi Hsiao 1 , Yih-Min Wu 2 , Dayi

Development of Earthquake Early Warning System in Taiwan Nai-Chi Hsiao 1 , Yih-Min Wu 2 , Dayi

Development of Earthquake Early Warning System in Taiwan Nai-Chi Hsiao 1 , Yih-Min Wu 2 , Dayi Chen 1 , and Tzay-Chyn Shin 1 1. Central Weather Bureau (CWB), Taiwan 2. National Taiwan University, Taiwan April 22, 2009 Outline Introduction

540 views • 22 slides
Bilateral Trade Between India and Taiwan and Area of Cooperation Taiwan and Area of Cooperation

Bilateral Trade Between India and Taiwan and Area of Cooperation Taiwan and Area of Cooperation

Bilateral Trade Between India and Taiwan and Area of Cooperation Taiwan and Area of Cooperation Chung-Hua Institutetion For Economic Research Taiwan WTO Center Yu-Yin Wu Outlines Bilateral Trade between Taiwan and India Direct Investment

374 views • 19 slides
ALMA in Taiwan Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting December

ALMA in Taiwan Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting December

ALMA in Taiwan Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting December 26 - 27, 2017 Photo Credit: Wei-Hao Wang ALMA in Taiwan ASIAA CASA Development Center (ACDC, @ ASIAA) Taiwan ARC Node (@ ASIAA) Scientific and

187 views • 16 slides
Evolution of Taiwan Corporate Bond Market - Ideas from Taiwan for Development of Other Regional

Evolution of Taiwan Corporate Bond Market - Ideas from Taiwan for Development of Other Regional

Evolution of Taiwan Corporate Bond Market - Ideas from Taiwan for Development of Other Regional Bond Markets Albert S.T. Ding Executive Vice President, Fixed Income KGI Securities Corp. Content I. Taiwan Bond Market Overview II. Evolution of

299 views • 18 slides
Taiwan SIP/ENUM Trial Taiwan SIP/ENUM Trial Jeff Yeh <jeff@twnic.net.tw> Taiwan Network

Taiwan SIP/ENUM Trial Taiwan SIP/ENUM Trial Jeff Yeh <jeff@twnic.net.tw> Taiwan Network

Taiwan SIP/ENUM Trial Taiwan SIP/ENUM Trial Jeff Yeh <jeff@twnic.net.tw> Taiwan Network Information Center (TWNIC) Aug 25, APAN ENUM BoF AGENDA AGENDA SIP/ ENUM in Taiwan Objectives Milestones Noteworthy

487 views • 26 slides
Cast Resin LV Busway (IP68) Taiwan Busway Company TBC Company Overview Taiwan Busway

Cast Resin LV Busway (IP68) Taiwan Busway Company TBC Company Overview Taiwan Busway

Cast Resin LV Busway (IP68) Taiwan Busway Company TBC Company Overview Taiwan Busway Company, Ltd. Est. 2002; located in Taipei Brand: TBC Busway market leader in Taiwan, presence in China, Germany/ Europe, USA. Now

408 views • 22 slides
Challenges and Opportunities of Taiwan Far Sea Fisheries Kwang-Ming Liu Institute of Marine

Challenges and Opportunities of Taiwan Far Sea Fisheries Kwang-Ming Liu Institute of Marine

Challenges and Opportunities of Taiwan Far Sea Fisheries Kwang-Ming Liu Institute of Marine Affairs and Resources Management National Taiwan Ocean University 1 Introduction Taiwan has one of the largest far sea fishing fleets in the

727 views • 35 slides
5G Dr. Yeali S. Sun ( , Commissioner Taiwan National

5G Dr. Yeali S. Sun ( , Commissioner Taiwan National

5G Dr. Yeali S. Sun ( , Commissioner Taiwan National Communications Commission (NCC) , August 12, 2020 Outline 5G developments in Taiwan 5G Security Issues Concluding

374 views • 33 slides
Chang Chun Group www.ccp.com.tw Corporate Profile 1949 No.2 Founded in Taiwan In Taiwan

Chang Chun Group www.ccp.com.tw Corporate Profile 1949 No.2 Founded in Taiwan In Taiwan

Chang Chun Group www.ccp.com.tw Corporate Profile 1949 No.2 Founded in Taiwan In Taiwan Three founders: M. K. Liao, Su Hon Lin, Second Largest Chemical Company S. Y. Tseng $ 8.3 bn Sales 34 12,000+ Companies Employees Within the Group

150 views • 13 slides
Agenda Compare and contrast US and Taiwan Standards on Guardianship Financial Decision

Agenda Compare and contrast US and Taiwan Standards on Guardianship Financial Decision

4/14/2014 Standards on Guardianship Financial Decision Making Two Views Taiwan & The United States Presented by: Sieh-chuen Huang, National Taiwan University Lee Anke, Prudent Investors Network Michelle R. Hollister, Esq., Law Offices of

288 views • 10 slides
Grid Activities in Taiwan Eric Yen ASGC, Taiwan ISGC 2006 2 May 2006 Academia Sinica Grid

Grid Activities in Taiwan Eric Yen ASGC, Taiwan ISGC 2006 2 May 2006 Academia Sinica Grid

Grid Activities in Taiwan Eric Yen ASGC, Taiwan ISGC 2006 2 May 2006 Academia Sinica Grid Computing Centre (ASGC) One of the major high performance computing and communication centers in Taiwan Provides Grid-based infrastructure,

440 views • 43 slides
Spin Hall Effect Guang-Yu Guo ( ) Physics Dept, National Taiwan University, Taiwan (

Spin Hall Effect Guang-Yu Guo ( ) Physics Dept, National Taiwan University, Taiwan (

Spin Hall Effect Guang-Yu Guo ( ) Physics Dept, National Taiwan University, Taiwan ( ) (A Colloquium Talk in Department of Physics, National Taiwan University, 22 April 2014) Plan of this Talk I.

883 views • 48 slides
of Taiwan into a Smart City. Far Eastone Fort Provintia (Tainan City) Tainan is the

of Taiwan into a Smart City. Far Eastone Fort Provintia (Tainan City) Tainan is the

Tainan City , the fantastic City in Taiwan Turning the Cultural Capital Dr. Hau Chen Mike Lee Executive Vice President of Taiwan into a Smart City. Far Eastone Fort Provintia (Tainan City) Tainan is the cradle of Taiwan s

173 views • 13 slides
ALMA-Taiwan Status Report Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting

ALMA-Taiwan Status Report Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting

ALMA-Taiwan Status Report Yu-Nung Su (ASIAA) on behalf of ALMA-Taiwan ALMA/45m/ASTE Users Meeting December 26 - 27, 2018 Photo Credit: Wei-Hao Wang Engineering and Developmental Projects - completed - East-Asia Front End Integration Center

445 views • 22 slides
Governing e- -participation: participation: Governing e the case of Taiwan the case of Taiwan

Governing e- -participation: participation: Governing e the case of Taiwan the case of Taiwan

Taiwan e-Governance Research Center Taiwan e-Governance Research Center Governing e- -participation: participation: Governing e the case of Taiwan the case of Taiwan Dr. Don-yun Chen Director, Taiwan e-Governance Research Center Professor,

592 views • 29 slides
INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula

INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula

5mm. INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula Research Laboratory, and Dept. of Informatics, Univ. of Oslo Last update: April 29, 2011 INF5620: Numerical Methods for Partial Differential

2k views • 148 slides
Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin (

Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin (

Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin ( ) Slides modified from Computer Networking: A Top-Down Approach 6th Edition Outline Whats the Internet? Whats a

1.19k views • 71 slides
Time and Space Complexity of P Systems And Why They Matter Alberto Leporati Universit

Time and Space Complexity of P Systems And Why They Matter Alberto Leporati Universit

CMC 19 International Conference on Membrane Computing Dresden, 4 7 September 2018 Time and Space Complexity of P Systems And Why They Matter Alberto Leporati Universit degli Studi di Milano Bicocca Dip. di Informatica,

766 views • 47 slides
Home Network and Home Network and Its Related Service Its Related Service 2005.2.21 Lee,

Home Network and Home Network and Its Related Service Its Related Service 2005.2.21 Lee,

Home Network and Home Network and Its Related Service Its Related Service 2005.2.21 Lee, Yeong-Ro Email: lyr@nca.or.kr Network Overview Home Network Overview Home Concept of Digital Home Remote Medical Treatment Remote Medical Treatment

759 views • 29 slides
AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach (zaddach@eurecom.fr) Luca Bruno, Aurlien Francillon, Davide Balzarotti Outline Introduction AVATAR overview Framework components

1.09k views • 44 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School of Computer Science, University of Manchester The 1st Vampire Workshop Reger,G How to play with AVATAR 1 / 26 Overview Introduction 1

1.1k views • 43 slides
Will there ever be a market for signing avatars? Some observations on the past and future of our

Will there ever be a market for signing avatars? Some observations on the past and future of our

Will there ever be a market for signing avatars? Some observations on the past and future of our field Thomas Hanke University of Hamburg State of the union instead of a research paper. More to initiate a discussion than anything else SLTAT

872 views • 44 slides

More recommend