CN117439814A - A network security event linkage processing system and method based on ATT&CK - Google Patents
Publication number: CN117439814A (application CN202311627758.3A)
Authority: CN (China)
Prior art keywords: network security, malicious code, module, threat information, att
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
- H04L63/126—Applying verification of the received information: the source of the received data
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
Description
Technical field
The present invention relates to the field of network security technology, and in particular to an ATT&CK-based network security event linkage processing system and method.
Background
With the rapid development of network technology, network applications have penetrated every part of our lives. At the same time, network security incidents occur one after another and affect the safe and stable operation of production and daily life. Timely detection and handling of security incidents is therefore the key to ensuring network security.
Traditional security incident handling relies on different kinds of security products, each working on its own. This approach ignores the connections and interactions between the various security products and does not make full use of their respective strengths.
Summary of the invention
The present invention is proposed in view of the lack of linkage between security products in existing traditional security incident handling.
The problem to be solved by the present invention is therefore how to provide a security event linkage handling method that achieves effective collaboration between security products, identifies and handles threats effectively, and improves the reliability and efficiency of network security protection.
To solve the above technical problem, the present invention provides the following technical solutions:
In a first aspect, an embodiment of the present invention provides an ATT&CK-based network security event linkage processing system, comprising: a threat intelligence module, for collecting threat intelligence information and uploading it to the network security management platform, and for updating its own threat intelligence library with the new threat intelligence information formed by the platform's analysis; a threat intelligence analysis module, for classifying the threat intelligence information according to the ATT&CK matrix to determine the data sources to which the threat intelligence belongs, and for reporting the data source composition to the data source processing module; a data source processing module, for receiving and analyzing the data source composition uploaded by the threat intelligence analysis module to generate monitoring strategies and control measures, and for uploading the monitoring strategies and control measures to the network security management platform; a trusted verification module, for verifying and assessing assets against the monitoring strategies and control measures generated by the data source processing module and the standard requirements set by security management specifications, to generate measurement results, and for uploading measurement failure logs to the network management platform; a malicious code monitoring module, for monitoring malicious code in the system, detecting and analyzing the detected malicious code to generate alarm logs, uploading the alarm logs to the network security management platform, and receiving the policies and commands issued by the platform so as to promptly block and stop the harm and damage done to the system by malicious code; and a control module, for executing the control commands issued by the network security management platform and taking control measures against assets that present a security risk.
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the malicious code monitoring module comprises an anti-malicious-code client management module, an anti-malicious-code client, a malicious code traffic monitoring and collection module, and a malicious code analysis module. The anti-malicious-code client management module is used to centrally manage, configure and upgrade the anti-malicious-code clients and to receive their monitoring results; the anti-malicious-code client is used to monitor programs and file data resources on terminal devices for malicious code and to actively prevent malicious code from accessing, transferring and running software; the malicious code traffic monitoring and collection module is used to collect malicious code traffic data from the network and pass it to the malicious code analysis module for analysis; and the malicious code analysis module is used to analyze the collected malicious code traffic data in depth, extract the relevant feature information to identify the type and behavior of the malicious code, and generate the corresponding detection and defense rules.
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the workflow of the threat intelligence module is as follows: the network security management platform classifies the received threat intelligence information; by analyzing the characteristics and harmfulness of each threat, it assigns the threat intelligence information to the corresponding ATT&CK tactic; the threat information is compared with the technique characteristics of the tactics in the ATT&CK matrix, and if it matches the technique characteristics of one ATT&CK tactic it is merged into the technique matrix of that tactic, while if it matches the technique characteristics of several ATT&CK tactics it is merged into each of the corresponding technique matrices; the merged threat information is accumulated step by step to form a threat intelligence matrix specific to the network security management platform; and the monitoring data sources are determined from the technique characteristics to which the threat intelligence belongs, forming the threat intelligence data sources.
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the ATT&CK tactics comprise Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact; the threat intelligence data sources comprise Active Directory, Application Log, Certificate, Cloud Service, Cloud Storage, Command, Container, Domain Name, Drive, Driver, File, Firewall, Firmware, Group, Image, Instance, Internet Scan, Kernel, Logon Session, Malware Repository, Module, Named Pipe, Network Share, Network Traffic, Persona, Pod, Process, Scheduled Job, Script, Sensor Health, Service, Snapshot, User Account, Volume, Web Credential, Windows Registry and WMI.
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the workflow of the trusted verification module is as follows: the network security management platform uses the trusted verification module to defend important assets; the root of trust monitors and measures the BIOS firmware data source according to the platform's requirements, to ensure the integrity and security of the BIOS firmware data during transfer; after root-of-trust verification passes, the trusted verification module loads the operating system bootloader; after verification by the basic trust base passes, the trusted verification module loads the operating system and applications while monitoring and measuring Active Directory and the application logs; and after verification by the trusted software base passes, the trusted verification module loads the business network and checks the security and integrity of the network connections.
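The staged chain described above, as an added example that is not the patent's own code: each stage is measured against a reference value and loaded only if the previous stage verified, and a mismatch produces the measurement failure log that the module uploads. The stage names, the "images" being measured and the use of SHA-256 as the measurement are constructed stand-ins; a real root of trust would take its measurements from a TPM/TCM.

```python
import hashlib
from dataclasses import dataclass, field

# Stages in the order the trusted verification module loads them: the root of
# trust measures the BIOS firmware, then the OS bootloader, then the OS and
# applications, and finally the business network. A stage is loaded only when
# the previous stage's measurement verified. (Constructed stage names.)
STAGES = ["bios_firmware", "os_bootloader", "os_and_apps", "business_network"]


def measure(data: bytes) -> str:
    """Measurement = SHA-256 over the stage's data (stand-in for a TPM/TCM PCR)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerificationResult:
    asset_id: str
    passed: bool = True
    verified_stages: list = field(default_factory=list)
    failure_logs: list = field(default_factory=list)  # uploaded to the platform


def verify_chain(observed: dict, reference: dict, asset_id: str) -> VerificationResult:
    """Walk the chain stage by stage, comparing each observed measurement with
    the reference value. Stop at the first mismatch (nothing after the failed
    stage may be loaded) and record a measurement failure log for upload."""
    result = VerificationResult(asset_id=asset_id)
    for stage in STAGES:
        expected = reference.get(stage)
        actual = measure(observed[stage]) if stage in observed else None
        if expected is None or actual != expected:
            result.passed = False
            result.failure_logs.append({
                "asset": asset_id,
                "stage": stage,
                "expected": expected,
                "actual": actual,  # None when the stage data was absent
                "verified_before_failure": list(result.verified_stages),
                "action": "halt; do not load " + stage,
            })
            break
        result.verified_stages.append(stage)
    return result


# Constructed sample data: the "images" are just labelled byte strings.
GOOD_IMAGES = {
    "bios_firmware": b"constructed BIOS firmware image v1",
    "os_bootloader": b"constructed OS bootloader",
    "os_and_apps": b"constructed OS kernel + application set",
    "business_network": b"constructed network connection configuration",
}
# Reference measurements are taken from the known-good images.
REFERENCE = {stage: measure(data) for stage, data in GOOD_IMAGES.items()}

# Same chain with a modified bootloader: the BIOS stage verifies, the
# bootloader stage fails, and the OS and network stages are never reached.
TAMPERED_IMAGES = dict(GOOD_IMAGES)
TAMPERED_IMAGES["os_bootloader"] = b"constructed OS bootloader (modified)"


if __name__ == "__main__":
    for name, images in (("clean", GOOD_IMAGES), ("tampered", TAMPERED_IMAGES)):
        r = verify_chain(images, REFERENCE, asset_id="asset-01")
        print(name, "passed" if r.passed else "FAILED", r.verified_stages, r.failure_logs)
```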
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the workflow of the malicious code monitoring module is as follows: according to the system's security situation and actual needs, the network security management platform decides whether a control instruction needs to be issued; if the conditions for issuing a control instruction are met, the platform issues control instructions, including scheduled task policies and library upgrades, to the anti-malicious-code client; the anti-malicious-code client management module checks whether a control instruction has been received; if so, it issues the scheduled task policy and library upgrade to the anti-malicious-code client and receives the scan-and-kill log and runtime information from the client; the malicious code monitoring and collection device checks whether the collection conditions are met; if so, it collects malicious code traffic data from the network and passes the data to the malicious code analysis module; the malicious code analysis module checks whether the analysis and processing conditions are met; if so, it receives the collected traffic data and asset alarm information and analyzes and processes them further to generate the corresponding alarm logs; based on the alarm information sent up by the trusted verification module and the malicious code monitoring system, the network security platform issues control commands to the control module to bring the assets under control; and according to the situation and threat level, the security platform applies suitable control measures to improve network security.
In a preferred embodiment of the ATT&CK-based network security event linkage processing system of the present invention, the conditions for issuing a control instruction include the following: the network security management platform decides whether a control instruction is needed from the security threat situation observed in real-time monitoring, and issues one if there is high-risk malicious code activity or another security threat; the platform decides whether a control instruction is needed from the security level and importance of the asset, and issues one if the asset is classified as high-risk or important; the platform decides whether a control instruction is needed from the established security policies and rules, and issues one if the policies and rules indicate that the asset must be controlled; and the administrator, on the basis of their own judgment and experience, intervenes manually to decide whether a control instruction is issued, and if the administrator decides that control is needed the platform issues the corresponding control instruction according to that decision.
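The four conditions just listed as one decision function, added here as an example rather than the patent's own code: the function records which conditions fired so the decision can be audited. The asset and alert records, the risk and security-level scales, and the two policy rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Asset:
    asset_id: str
    security_level: str   # constructed scale: "low", "medium", "high"
    important: bool


@dataclass
class Alert:
    asset_id: str
    kind: str             # e.g. "malicious_code", "measurement_failure"
    risk: str             # constructed scale: "low", "medium", "high"


# Condition 3: security policies and rules, expressed as predicates over
# (alert, asset). Both rules below are constructed for the example.
def rule_measurement_failure(alert: Alert, asset: Asset) -> bool:
    """Any failed trusted-verification measurement must be contained."""
    return alert.kind == "measurement_failure"


def rule_medium_risk_medium_asset(alert: Alert, asset: Asset) -> bool:
    """Medium-risk malicious code on a medium-level asset is contained too."""
    return (alert.kind == "malicious_code" and alert.risk == "medium"
            and asset.security_level == "medium")


POLICY_RULES = [rule_measurement_failure, rule_medium_risk_medium_asset]


def decide_control(alert: Alert, asset: Asset,
                   policy_rules: list[Callable[[Alert, Asset], bool]] = POLICY_RULES,
                   admin_decision: Optional[bool] = None) -> tuple[bool, list[str]]:
    """Return (issue_control, reasons). A control instruction is issued when any
    of the four conditions holds; reasons lists every condition that fired.
    admin_decision is None when the administrator did not intervene."""
    reasons = []
    # Condition 1: real-time threat situation.
    if alert.risk == "high":
        reasons.append("real-time monitoring: high-risk activity")
    # Condition 2: security level and importance of the asset.
    if asset.security_level == "high" or asset.important:
        reasons.append("asset classified as high-risk or important")
    # Condition 3: configured security policies and rules.
    for rule in policy_rules:
        if rule(alert, asset):
            reasons.append("policy rule: " + rule.__name__)
    # Condition 4: the administrator's manual decision.
    if admin_decision:
        reasons.append("administrator decision")
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample: a measurement failure with high risk on an important asset
    # fires three of the four conditions.
    asset = Asset("asset-03", "low", important=True)
    alert = Alert("asset-03", "measurement_failure", "high")
    print(decide_control(alert, asset))
```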
In a second aspect, an embodiment of the present invention provides an ATT&CK-based network security event linkage processing method, comprising: the threat intelligence module obtains threat intelligence information from commercial databases, malicious code libraries, its own threat intelligence data and national-level intelligence-sharing sources, and uploads it to the network security management platform; the network security platform classifies and merges the threat intelligence according to its characteristics and with reference to the tactic and technique descriptions of the ATT&CK matrix, forming a threat intelligence matrix; according to the tactics and techniques involved in the threat intelligence, and with reference to the characteristics of the ATT&CK matrix data sources, the corresponding threat intelligence data sources are created; the data source composition is uploaded to the data source processing module, which analyzes and processes the data sources to generate monitoring strategies and control measures and uploads them to the network security platform; the network security platform issues the corresponding policies and control commands to the trusted verification module and the malicious code monitoring system according to the uploaded monitoring strategies and control measures; the trusted verification module and the malicious code monitoring system upload measurement failure logs and alarm logs to the network security management platform; the network security management platform comprehensively analyzes the measurement logs and alarm logs, discovers new threat intelligence and passes it to the threat intelligence system to improve the threat intelligence information; and the network security management platform comprehensively analyzes the alarm and log information, issues the corresponding control commands to the control module, and promptly takes the corresponding measures to deal with assets that have security problems.
In a third aspect, an embodiment of the present invention provides a computer device comprising a memory and a processor, the memory storing a computer program, wherein the computer program instructions, when executed by the processor, implement the steps of the ATT&CK-based network security event linkage processing system according to the first aspect of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, wherein the computer program instructions, when executed by a processor, implement the steps of the ATT&CK-based network security event linkage processing system according to the first aspect of the present invention.
The beneficial effects of the present invention are as follows: by using the ATT&CK matrix to link the threat intelligence system, the trusted verification module and the malicious code monitoring system, classifying threat intelligence information from the perspective of ATT&CK techniques, and monitoring the data sources according to the technique characteristics, the present invention proposes a new network security event handling process that can effectively improve the efficiency of threat intelligence processing, identify the source of threats and improve the way network security events are handled, thereby raising the overall capability of network security protection.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a system flow chart of the ATT&CK-based network security event linkage processing system.
Figure 2 is a schematic diagram of the information sources of the threat intelligence system of the ATT&CK-based network security event linkage processing system.
Figure 3 is a schematic diagram of the composition and working principle of the trusted verification module of the ATT&CK-based network security event linkage processing system.
Figure 4 is a schematic diagram of the composition and working principle of the malicious code monitoring module of the ATT&CK-based network security event linkage processing system.
Figure 5 shows the data source monitoring effect of the network security management platform of the ATT&CK-based network security event linkage processing system.
Figure 6 shows the linkage analysis effect of the network security management platform of the ATT&CK-based network security event linkage processing system.
Detailed description
In order to make the above objects, features and advantages of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Many specific details are set forth in the following description to allow a full understanding of the present invention, but the present invention can also be implemented in ways other than those described here, and those skilled in the art can make similar generalizations without departing from the spirit of the present invention; the present invention is therefore not limited to the specific embodiments disclosed below.
Secondly, "one embodiment" or "an embodiment" as used herein refers to a particular feature, structure or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive with other embodiments.
Embodiment 1
Referring to Figures 1 to 6, a first embodiment of the present invention provides an ATT&CK-based network security event linkage processing system, comprising:
a threat intelligence module, for collecting threat intelligence information and uploading the threat intelligence information to the data source processing module.
Specifically, the network security management platform classifies the received threat intelligence information; by analyzing the characteristics and harmfulness of each threat, it assigns the threat intelligence information to the corresponding ATT&CK tactic; the threat information is compared with the technique characteristics of the tactics in the ATT&CK matrix, and if it matches the technique characteristics of one ATT&CK tactic it is merged into the technique matrix of that tactic, while if it matches the technique characteristics of several ATT&CK tactics it is merged into each of the corresponding technique matrices; the merged threat information is accumulated step by step to form a threat intelligence matrix specific to the network security management platform; and the monitoring data sources are determined from the technique characteristics to which the threat intelligence belongs, forming the threat intelligence data sources.
It should be noted that the ATT&CK tactics comprise Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact, 14 tactics in all.
Preferably, the threat intelligence data sources comprise Active Directory, Application Log, Certificate, Cloud Service, Cloud Storage, Command, Container, Domain Name, Drive, Driver, File, Firewall, Firmware, Group, Image, Instance, Internet Scan, Kernel, Logon Session, Malware Repository, Module, Named Pipe, Network Share, Network Traffic, Persona, Pod, Process, Scheduled Job, Script, Sensor Health, Service, Snapshot, User Account, Volume, Web Credential, Windows Registry and WMI, 37 in all.
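The classification workflow described above (and in the preferred embodiment earlier), as an added example that is not the patent's own code: intelligence items are merged into the technique matrix of every tactic their techniques belong to, the merged matrix accumulates across the feed, and the data sources to monitor are read off from the techniques present. The ATT&CK subset, the intelligence item format and the IDs in the feed are constructed for the example; a deployment would load the full matrix.

```python
from collections import defaultdict

# Constructed subset of the ATT&CK matrix: technique -> tactics and data sources.
# A technique may sit in several tactics (T1078, T1053), which is the
# multi-tactic case the workflow describes.
ATTACK_MATRIX = {
    "T1059": {"name": "Command and Scripting Interpreter",
              "tactics": ["Execution"],
              "data_sources": ["Command", "Process", "Script"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["Defense Evasion", "Persistence",
                          "Privilege Escalation", "Initial Access"],
              "data_sources": ["Logon Session", "User Account"]},
    "T1053": {"name": "Scheduled Task/Job",
              "tactics": ["Execution", "Persistence", "Privilege Escalation"],
              "data_sources": ["Command", "Container", "File", "Process",
                               "Scheduled Job"]},
    "T1046": {"name": "Network Service Discovery",
              "tactics": ["Discovery"],
              "data_sources": ["Cloud Service", "Command", "Network Traffic"]},
}


class ThreatIntelMatrix:
    """Platform-specific threat intelligence matrix: tactic -> technique -> intel IDs."""

    def __init__(self, attack_matrix):
        self.attack = attack_matrix
        self.matrix = defaultdict(lambda: defaultdict(list))

    def merge(self, intel):
        """Merge one intel item (constructed format: {'id': ..., 'techniques': [...]})
        into the technique matrix of every tactic each technique belongs to.
        Returns (tactics merged into, technique IDs not in the matrix); unknown
        IDs are reported rather than silently dropped."""
        tactics = set()
        unknown = []
        for tid in intel["techniques"]:
            entry = self.attack.get(tid)
            if entry is None:
                unknown.append(tid)
                continue
            for tactic in entry["tactics"]:
                self.matrix[tactic][tid].append(intel["id"])
                tactics.add(tactic)
        return sorted(tactics), unknown

    def data_sources(self):
        """Monitoring data sources implied by the accumulated matrix, each with
        the techniques that need it: the 'data source composition' handed to
        the data source processing module."""
        sources = defaultdict(set)
        for techniques in self.matrix.values():
            for tid in techniques:
                for ds in self.attack[tid]["data_sources"]:
                    sources[ds].add(tid)
        return {ds: sorted(tids) for ds, tids in sorted(sources.items())}


# Constructed sample feed; T9999 is deliberately not in the matrix.
SAMPLE_INTEL = [
    {"id": "INTEL-001", "techniques": ["T1059", "T1053"]},
    {"id": "INTEL-002", "techniques": ["T1078"]},
    {"id": "INTEL-003", "techniques": ["T1046", "T9999"]},
]


def build_matrix(intel_feed, attack_matrix=ATTACK_MATRIX):
    """Accumulate a whole feed; returns the matrix and all unmapped technique IDs."""
    m = ThreatIntelMatrix(attack_matrix)
    unmapped = []
    for item in intel_feed:
        _, unknown = m.merge(item)
        unmapped.extend(unknown)
    return m, unmapped


if __name__ == "__main__":
    m, unmapped = build_matrix(SAMPLE_INTEL)
    for tactic, techniques in sorted(m.matrix.items()):
        print(tactic, dict(techniques))
    print("data sources to monitor:", m.data_sources())
    print("unmapped technique IDs:", unmapped)
```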
Specifically, Active Directory refers to the database and set of services that allow administrators to manage permissions, access network resources and store data objects (users, groups, applications or devices); it comprises Active Directory Credential Request, Active Directory Object Access, Active Directory Object Creation, Active Directory Object Deletion and Active Directory Object Modification. An Active Directory credential request is a request by a user for an Active Directory credential (such as a ticket or token) used to authenticate and authorize an identity; by processing these credential requests, administrators enable users to perform the corresponding privileged operations needed to access network resources and carry out specific tasks. Active Directory object creation is the initial construction of a new Active Directory object; Active Directory object deletion is the removal of an Active Directory object that is no longer needed; Active Directory object modification is a change made to an existing Active Directory object.
Further, Application Log refers to events collected by third-party services; this data source mainly comprises the Application Log Content component, which refers to the log records, messages and other artifacts provided by third-party services. Certificate refers to a digital file that highlights information such as the owner and is used to establish hierarchical trust in the public keys used in network communication; this data source mainly comprises the Certificate Registration component, which refers to the querying or recording of information highlighting current and expired digital certificates.
进一步的,云服务是指通过网络连接和/或API使用户能够使用的基础设施、平台或由第三方供应商提供的软件,主要包括云服务停止、云服务列举和云服务修改;云服务停止指的是将云服务停用或停止,云服务列举指的是提取云服务的列表,云服务修改指的是对云服务进行更改包括其设置和/或数据。Further, cloud services refer to infrastructure, platforms or software provided by third-party suppliers that enable users to use through network connections and/or APIs, mainly including cloud service cessation, cloud service enumeration and cloud service modification; cloud service cessation It refers to deactivating or stopping the cloud service, cloud service enumeration refers to extracting the list of cloud services, and cloud service modification refers to making changes to the cloud service including its settings and/or data.
优选的,云存储是通过网络连接和/或API使用户可以使用的由第三方供应商提供或托管的数据对象存储基础设施,云存储的主要操作包括云存储访问、云存储创建、云存储删除、云存储列举、云存储元数据和云存储修改;命令是给计算机程序的指令,用于执行特定的任务,主要包含命令执行项,指定执行命令所需的参数和选项。Preferably, cloud storage is a data object storage infrastructure provided or hosted by a third-party provider that users can use through network connections and/or APIs. The main operations of cloud storage include cloud storage access, cloud storage creation, and cloud storage deletion. , cloud storage enumeration, cloud storage metadata and cloud storage modification; commands are instructions given to computer programs to perform specific tasks. They mainly include command execution items and specify the parameters and options required to execute the command.
Further, a container is a standardized, portable unit that packages an application together with all of its dependencies and configuration so that it runs quickly and reliably across different computing environments; the container data source mainly comprises container creation, container enumeration and container start. A domain name is a human-readable name used to obtain one or more corresponding IP addresses; the domain name data source mainly comprises active DNS, domain registration and passive DNS.
Further, a drive is a non-volatile data storage device, such as a hard disk drive, floppy drive or USB flash drive, that has at least one formatted partition; the main drive operations comprise drive access, drive creation and drive modification. Drive access refers to opening a data storage device that has been assigned a drive letter or mount point; drive creation refers to initially assigning a drive letter or mount point to a data storage device; drive modification refers to a change made to the drive letter or mount point of a data storage device.
Further, a driver refers to a computer program that operates or controls a particular type of device attached to the computer; this data source mainly comprises two items, driver load and driver metadata. Driver load refers to attaching a driver to the system in user or kernel mode; driver metadata refers to contextual data about the driver and its associated activity, such as driver problem reports or integrity checks.
Further, a file refers to a computer resource object managed by the I/O system and used to store data (such as images, text, video, computer programs or other assorted media); this data source mainly comprises file access, file creation, file deletion, file metadata and file modification. A firewall is a network security system, running as a local endpoint or a remote service, that monitors and controls incoming and outgoing network traffic based on predefined rules; the main firewall operations comprise firewall disable, firewall enumeration, firewall metadata and firewall rule modification.
Specifically, firmware refers to computer software that provides low-level control of a host device and its hardware, such as the BIOS or UEFI/EFI; this data source mainly comprises the firmware modification item, where firmware modification refers to a change to the firmware, including its settings and/or data, such as the MBR and VBR. A user group refers to a collection of multiple user accounts that share the same access rights to computer and/or network resources and have the same security permissions; this data source mainly comprises user group enumeration, user group metadata and user group modification. An image refers to a single file used to deploy a virtual machine or bootable disk into an on-premises or third-party cloud environment; this data source mainly comprises image creation, image deletion, image metadata and image modification.
Preferably, an instance refers to a virtual server environment that runs a workload, hosted on-premises or provided by a third-party cloud vendor; this data source comprises instance creation, instance deletion, instance enumeration, instance metadata, instance modification, instance start and instance stop. Internet scan refers to obtaining information about the various resources and servers connected to the public Internet; this data source comprises response content and response metadata. Response content refers to the recorded network traffic returned in response to a scan, showing both protocol header and body contents; response metadata refers to contextual data about network-facing resources gathered from the scan, such as running services or open ports.
Further, the kernel refers to a computer program that sits at the core of a computer's operating system, resides in memory and mediates the interaction between hardware and software components; this data source mainly comprises the kernel module load item. A kernel module load refers to an object file containing code that extends the running kernel of the operating system, typically used to add support for new hardware (as device drivers) and/or file systems, or to add system calls.
Further, a logon session refers to a login that takes place on a system or resource, whereby a user or device obtains access after successful authentication and authorization; this data source comprises logon session creation and logon session metadata. Logon session creation refers to the initial construction of a successful new user login following an authentication attempt. Logon session metadata refers to contextual data about the login session (such as user name, login method or token acquisition) and the activity associated with that session.
Preferably, the malware knowledge base refers to information obtained about malware used by attackers; this data source comprises malware content and malware metadata. Malware content refers to the code, strings and other destructive indicators contained in a malicious payload. Malware metadata refers to contextual data about the malicious payload (such as compile time, file hash or watermark) or other identifiable configuration information.
Further, a module refers to an executable file composed of one or more shared classes and interfaces, such as a Portable Executable (PE) format binary or dynamic-link library (DLL), an Executable and Linkable Format (ELF) binary or shared library, or a Mach-O format binary or shared library; this data source comprises the module load item. Module load refers to attaching a module into the memory of a process or program, usually in order to access the shared resources or features the module provides.
Further, a named pipe generally refers to a mechanism, existing in the form of a file and attached to a process, that allows processes to communicate with one another locally or over the network; this data source comprises named pipe metadata. Named pipe metadata refers to contextual data about named pipes on the system, including the pipe name and the creating process.
Further, a network share refers to a storage resource (typically a folder or drive) made available from one host to other hosts using a network protocol; this data source comprises network share access. Network share access refers to opening a network share so that the requester can access its contents.
Further, network traffic refers to data transmitted across a network, either summarized or captured as raw data in an analyzable format; this data source comprises network connection creation, network traffic content and network traffic flow. Network connection creation refers to the initial construction of a network connection, such as capturing socket information with source and destination IP addresses and ports; network traffic content refers to recorded network traffic data showing both protocol header and body contents; network traffic flow refers to summarized network packet data, including metrics such as protocol headers and volume.
Further, a persona refers to a malicious online profile representing a user, which an attacker uses to social-engineer that user or other target victims; this data source comprises social media, where social media refers to such profiles as are established, compromised or otherwise acquired. A cluster shared unit refers to a resource-sharing unit within a cluster, composed of one or more containers; this data source comprises cluster shared unit creation, cluster shared unit enumeration and cluster shared unit modification. Cluster shared unit creation refers to initializing a new cluster shared unit; cluster shared unit enumeration refers to extracting a list of the cluster shared units within the cluster; cluster shared unit modification refers to a change to a cluster shared unit, including its settings and/or control data.
Further, a process refers to an instance of a computer program being executed by at least one thread; a process has memory space for the process executable, its loaded modules (DLLs or shared libraries) and allocated memory regions that hold everything from user input to application-specific data structures. The process data source comprises OS API execution, process access, process creation, process metadata, process modification and process termination. OS API execution refers to operating system function or method calls made by a process; process access refers to one process opening another process, usually to read the target process's memory; process creation refers to the initial construction of an executable managed by the operating system, which may involve one or more tasks or threads; process metadata refers to contextual data about a running process, which may include information such as environment variables, image name and user or owner; process modification refers to a change to a process or its contents, usually by writing and/or executing code in the target process's memory; process termination refers to exiting a running process.
Further, a scheduled task refers to a task that runs automatically at a specified time or repeatedly in the background on a routine schedule; this data source comprises scheduled task creation, scheduled task metadata and scheduled task modification. A script refers to a file or stream of instructions containing a series of commands that are executed in order; this data source comprises script execution. Device health refers to information automatically measured from the host that reports on system status, errors or other important functional activity; this data source comprises host status, where host status refers to the logs, messages and other artifacts that indicate the health of the host's sensors.
Further, a service refers to a computer process configured to run continuously in the background and perform system tasks, in some cases before any user has logged in; this data source comprises service creation, service metadata and service modification. A snapshot refers to the state of a cloud storage unit (files, settings and so on) at a point in time that can be created and/or deployed within a cloud environment; the snapshot data source comprises snapshot creation, snapshot deletion, snapshot enumeration, snapshot metadata and snapshot modification.
Preferably, a user account represents the profile of a user, device, service or application used for authentication and access to resources; this data source comprises user account authentication, user account creation, user account deletion, user account metadata and user account modification. A storage unit refers to block object storage hosted on-premises or by a third-party vendor, typically presented to a resource as a virtualized hard drive; this data source comprises storage unit creation, storage unit deletion, storage unit enumeration, storage unit metadata and storage unit modification.
Further, web credentials refer to credential material (such as session cookies or tokens) used to authenticate to web applications and services; this data source comprises web credential creation and web credential usage. The Windows Registry refers to the hierarchical database of the Windows OS that stores most of the information and settings for software programs, hardware devices, user preferences and operating system configuration; this data source comprises Windows Registry key access, Windows Registry key creation, Windows Registry key deletion and Windows Registry key modification. WMI refers to the infrastructure for management data and operations that makes it possible to manage Windows personal computers and servers both locally and remotely; this data source comprises WMI creation.
A data source processing module, configured to receive and analyze the threat intelligence information uploaded by the threat intelligence module and to generate monitoring strategies and control measures from it.
Further, the threat intelligence data sources upload their composition to the data source processing module, which analyzes the state of the data sources, forms monitoring strategies and control measures, and uploads them to the network security management platform.
A trusted verification module, configured to verify and evaluate assets according to the monitoring strategies and control measures generated by the data source processing module, and to generate measurement results.
Further, the network security management platform uses the trusted verification module to defend important assets. The root of trust monitors and measures the BIOS firmware data source according to the platform's requirements, to ensure the integrity and security of the BIOS firmware data during transmission; after verification by the root of trust succeeds, the trusted verification module loads the operating system boot loader; after verification by the basic trust base succeeds, the trusted verification module loads the operating system and applications while monitoring and measuring Active Directory and the application logs; after verification by the trusted software base succeeds, the trusted verification module brings up the business network and checks the security and integrity of its network connections.
It should be noted that the root of trust mainly provides foundational services to the trusted verification module, such as cryptographic computation, storage of trusted reference values and policy storage. Verification of the root of trust mainly concerns whether the functions it provides and the cryptographic algorithms it uses meet national and industry requirements. During the system boot phase, the key files in the boot loader directory (such as kernel files, initial ramdisk files, program files and configuration files) are statically measured and verified; if verification passes, the boot loader loads and starts normally, and if it fails, system startup is actively blocked and an audit record is generated.
Preferably, when a protected system program (kernel-level program, system file, etc.) is loaded, the trusted verification module should check the correctness of its absolute path, file name and file contents, statically measuring and verifying it. If verification passes, the system program loads and starts normally; if verification fails, startup of the system program is actively blocked, an audit record is generated and an alarm is raised.
Further, the trusted verification module can identify and actively block deletion, tampering and similar actions against protected system programs, generating an audit record. When a protected application (dynamic library, executable, etc.) is loaded, the trusted verification module should check the correctness of the application's absolute path, file name and file contents, statically measuring and verifying it. If verification passes, the application loads and starts normally; if verification fails, startup of the application is actively blocked, an audit record is generated and an alarm is raised.
Further, the trusted verification module can identify and actively block deletion, tampering and similar actions against protected applications, generating an audit record and raising an alarm. For systems at Level 3 or above of the classified protection scheme (等保), every stage of application execution is dynamically measured: the measured objects include the process's program code segment, in-memory code segments and read-only data segments, and the measured elements include the length and contents of the code and data segments. If measurement passes, the application continues to run; if it fails, an audit record is generated and an alarm is raised.
Preferably, the trusted verification module provides identity trust verification, verifying data sources such as user groups and user accounts; program execution trust verification, verifying data sources such as executable files, kernel modules and scripts; storage trust verification, verifying data sources such as certificates and storage units; and behavior trust verification, verifying the operations performed on data sources such as files and processes. Data sources and operations that fail verification are blocked, and an alarm is recorded and reported to the platform.
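The static measurement described in the preceding paragraphs, as an added Python illustration that is not the patent's own code: protected files are checked by absolute path, file name and content hash against a trusted baseline, any failure blocks the load, and every measurement produces an audit record and, on failure, an alarm. The baseline layout, the function names and the sample files are assumptions.

```python
# Added illustration of the static-measurement check performed by the trusted
# verification module; not the patent's own code. Baseline layout, function
# names and sample files are assumptions.
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Measurement:
    """Result of measuring one protected file."""
    path: str
    passed: bool
    reason: str


@dataclass
class LoadDecision:
    """Outcome of verifying a set of protected files before they load."""
    allowed: bool
    audit_records: list = field(default_factory=list)
    alarms: list = field(default_factory=list)


def sha256_file(path):
    """Hash file content in chunks so large kernels or ramdisks fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record trusted reference values (file name + SHA-256) keyed by absolute
    path. In the patent these live in the root of trust; a dict stands in here."""
    return {p: {"name": os.path.basename(p), "sha256": sha256_file(p)} for p in paths}


def measure(path, baseline):
    """Check absolute path, file name and content against the baseline, in that
    order, so the audit reason names the first property found to be wrong."""
    if not os.path.isabs(path):
        return Measurement(path, False, "path is not absolute")
    expected = baseline.get(path)
    if expected is None:
        return Measurement(path, False, "path not in trusted baseline")
    if os.path.basename(path) != expected["name"]:
        return Measurement(path, False, "file name mismatch")
    if not os.path.isfile(path):
        return Measurement(path, False, "protected file missing")
    if sha256_file(path) != expected["sha256"]:
        return Measurement(path, False, "content mismatch")
    return Measurement(path, True, "ok")


def verify_before_load(paths, baseline):
    """Measure every protected file; any failure blocks the load and raises an
    alarm, and every measurement (pass or fail) goes into the audit record."""
    decision = LoadDecision(allowed=True)
    for path in paths:
        result = measure(path, baseline)
        decision.audit_records.append(
            {"path": path, "result": "pass" if result.passed else "fail",
             "reason": result.reason})
        if not result.passed:
            decision.allowed = False
            decision.alarms.append(f"blocked load of {path}: {result.reason}")
    return decision


def demo():
    """Constructed scenario: two 'boot files' are baselined, then one is
    tampered with and the other deleted. Returns (before, after) decisions."""
    with tempfile.TemporaryDirectory() as root:
        kernel = os.path.join(root, "vmlinuz")     # constructed sample file
        config = os.path.join(root, "boot.cfg")    # constructed sample file
        with open(kernel, "wb") as fh:
            fh.write(b"\x7fELF constructed kernel image bytes")
        with open(config, "w") as fh:
            fh.write("timeout=5\n")
        baseline = build_baseline([kernel, config])
        before = verify_before_load([kernel, config], baseline)

        with open(config, "a") as fh:               # tamper: append a line
            fh.write("# modified after baseline\n")
        os.remove(kernel)                            # delete a protected file
        after = verify_before_load([kernel, config], baseline)
    return before, after


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean boot allowed:", clean.allowed)
    print("after tampering allowed:", tampered.allowed)
    for alarm in tampered.alarms:
        print(alarm)
```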
A control module, configured to take control measures against assets with security problems, based on the control measures generated by the data source processing module and the detection results of the malicious code monitoring module.
Further, the network security management platform defends the other assets under its control with the malicious code monitoring system, which mainly consists of four parts: an anti-malware client management module, anti-malware clients, a malicious code traffic monitoring and collection device, and a malicious code analysis module; it performs its functions through interaction with the network security management platform.
Further, the workflow of the malicious code monitoring module is as follows. Based on the system's security situation and actual needs, the network security management platform determines whether a control instruction needs to be issued; if the conditions for issuing one are met, the platform issues the control instruction, including scheduled task policies and library upgrades, to the anti-malware clients. The anti-malware client management module checks whether a control instruction has been received; if so, it pushes the scheduled task policies and library upgrades to the anti-malware clients and receives scan-and-removal logs and runtime information from them. The malicious code monitoring and collection device checks whether its collection conditions are met; if so, it collects malicious code traffic data from the network and forwards it to the malicious code analysis module. The malicious code analysis module checks whether its analysis and processing conditions are met; if so, it receives the collected traffic data and asset alarm information, analyzes and processes them further, and generates the corresponding alarm logs. Based on the alarm information sent up by the trusted verification module and the malicious code monitoring system, the network security platform issues control commands to the control module to bring the assets under control; depending on the actual situation and threat level, the security platform applies suitable control measures to improve network security.
It should be noted that the conditions for issuing a control instruction include the following: the network security management platform determines from real-time monitoring of security threats whether a control instruction is needed, and issues one if high-risk malicious code activity or other security threats are present; the platform determines from the security level and importance of the different assets whether a control instruction is needed, and issues one if an asset is classified as high risk or important; the platform determines from the established security policies and rules whether a control instruction is needed, and issues one if the policies and rules indicate that an asset must be brought under control; and an administrator may decide by manual intervention, based on their own judgment and experience, whether a control instruction should be issued, in which case the platform issues the corresponding instruction according to the administrator's decision.
It should be noted that the specific collection conditions vary with the settings, policies and requirements of the malicious code monitoring and collection device.
It should be noted that the analysis and processing condition checks include, but are not limited to, the following: the analysis module decides whether the conditions are met based on predefined sample classification rules; based on preset malicious behavior characteristics such as file modification, system intrusion and network communication; based on the sample's ability to propagate across the network; and based on the sample's importance and priority.
Here, the malicious code traffic monitoring and collection device mainly collects and analyzes data source information such as network traffic and logon sessions, while the anti-malware component mainly discovers anomalies in assets by comparison against data sources such as the malware knowledge base.
Further, based on the alarm information sent up by the trusted verification module and the malicious code monitoring system, the network security platform issues control commands to the control module to bring the assets under control; depending on the situation and threat level, the security platform applies suitable control measures to improve network security, such as link blocking, network connection blocking, network card blocking, process blocking, file isolation and removable disk ejection, so as to stop the threat from spreading and limit its impact.
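The control-instruction conditions listed above and the control measures named in this paragraph, as an added Python illustration that is not the patent's own code, combined into one decision step: alarms from both subsystems are merged per asset, the four conditions decide whether a control instruction is issued, and measures are selected by threat level. The threat levels, the level-to-measure ladder, the escalation rule for important assets and the sample alarms and assets are assumptions, since the patent lists the conditions and measures but not how they are combined.

```python
# Added illustration of control-instruction decisions; not the patent's own
# code. Threat levels, the measure ladder and sample data are assumptions.
from dataclasses import dataclass
from enum import IntEnum


class ThreatLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Alarm:
    source: str        # "trusted_verification" or "malcode_monitor"
    asset: str
    level: ThreatLevel
    detail: str


@dataclass(frozen=True)
class Asset:
    name: str
    important: bool    # classified as high risk / important by the platform


# Assumed escalation ladder built only from the measures the text names.
MEASURES_BY_LEVEL = {
    ThreatLevel.LOW: [],
    ThreatLevel.MEDIUM: ["network connection blocking"],
    ThreatLevel.HIGH: ["network connection blocking", "process blocking",
                       "file isolation"],
    ThreatLevel.CRITICAL: ["link blocking", "network card blocking",
                           "process blocking", "file isolation",
                           "removable disk ejection"],
}


def should_issue_control(alarm, asset, policy_rules, admin_decision=None):
    """Apply the four conditions from the text; returns (issue, reasons).
    An explicit administrator decision overrides the automatic conditions."""
    if admin_decision is not None:
        return admin_decision, ["administrator decision"]
    reasons = []
    if alarm.level >= ThreatLevel.HIGH:
        reasons.append("high-risk activity detected")
    if asset.important:
        reasons.append("asset classified as important")
    if policy_rules.get(asset.name, False):
        reasons.append("security policy requires control")
    return bool(reasons), reasons


def select_measures(alarm, asset):
    """Measures for the alarm's level; an important asset is escalated one
    level (assumed rule) so the response matches the asset's value."""
    level = alarm.level
    if asset.important and level < ThreatLevel.CRITICAL:
        level = ThreatLevel(level + 1)
    return list(MEASURES_BY_LEVEL[level])


def issue_control_commands(alarms, assets, policy_rules, admin_decisions=None):
    """Turn alarms sent up by the trusted verification module and the malicious
    code monitoring system into commands for the control module. Several
    alarms for one asset are merged at their highest threat level."""
    admin_decisions = admin_decisions or {}
    highest = {}
    for alarm in alarms:
        current = highest.get(alarm.asset)
        if current is None or alarm.level > current.level:
            highest[alarm.asset] = alarm
    commands = []
    for name, alarm in sorted(highest.items()):
        asset = assets[name]
        issue, reasons = should_issue_control(
            alarm, asset, policy_rules, admin_decisions.get(name))
        if issue:
            commands.append({"asset": name, "reasons": reasons,
                             "measures": select_measures(alarm, asset)})
    return commands


def demo():
    """Constructed assets, policy and alarms; returns the control commands."""
    assets = {
        "db-01": Asset("db-01", important=True),
        "ws-17": Asset("ws-17", important=False),
        "ws-22": Asset("ws-22", important=False),
        "ws-30": Asset("ws-30", important=False),
    }
    policy_rules = {"ws-22": True}     # policy: control ws-22 on any alarm
    alarms = [
        Alarm("trusted_verification", "db-01", ThreatLevel.MEDIUM, "measurement failed"),
        Alarm("malcode_monitor", "ws-17", ThreatLevel.HIGH, "malware content matched"),
        Alarm("malcode_monitor", "ws-17", ThreatLevel.LOW, "suspicious flow"),
        Alarm("malcode_monitor", "ws-22", ThreatLevel.MEDIUM, "suspicious flow"),
        Alarm("malcode_monitor", "ws-30", ThreatLevel.LOW, "suspicious flow"),
    ]
    return issue_control_commands(alarms, assets, policy_rules)


if __name__ == "__main__":
    for command in demo():
        print(command)
```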
Further, this embodiment also provides an ATT&CK-based network security event linkage handling method, comprising: the threat intelligence module obtains threat intelligence information from commercial databases, malicious code repositories, the organization's own threat intelligence data and national-level intelligence sharing sources, and uploads it to the network security management platform; the network security platform classifies and merges the threat intelligence according to its characteristics and with reference to the tactic and technique descriptions of the ATT&CK matrix, forming a threat intelligence matrix; according to the tactics and techniques the threat intelligence involves, and with reference to the characteristics of the ATT&CK matrix data sources, the corresponding threat intelligence data sources are created; the composition of the data sources is uploaded to the data source processing module, which analyzes and processes them to generate monitoring strategies and control measures and uploads these to the network security platform; the network security platform issues the corresponding policies and control commands to the trusted verification module and the malicious code monitoring system according to the uploaded monitoring strategies and control measures; the trusted verification module and the malicious code monitoring system upload measurement failure logs and alarm logs to the network security management platform; the network security management platform jointly analyzes the measurement logs and alarm logs, discovers new threat intelligence and feeds it into the threat intelligence system to enrich the threat intelligence information; and the network security management platform jointly analyzes alarms, logs and other information, issues the corresponding control commands to the control module, and takes timely measures to handle assets with security problems.
This embodiment also provides a computer device suitable for the ATT&CK-based network security event linkage handling system, comprising a memory and a processor; the memory stores computer-executable instructions, and the processor executes those instructions to implement the ATT&CK-based network security event linkage handling system set out in the embodiment above.
The computer device may be a terminal comprising a processor, a memory, a communication interface, a display screen and an input device connected through a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device comprises a non-volatile storage medium and internal memory; the non-volatile storage medium stores an operating system and computer programs, and the internal memory provides the environment in which the operating system and computer programs on the non-volatile storage medium run. The communication interface of the computer device communicates with external terminals in a wired or wireless manner, where the wireless manner may be implemented via WIFI, a carrier network, NFC (near-field communication) or other technologies. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, a button, trackball or touch pad provided on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
本实施例还提供一种存储介质,其上存储有计算机程序,该程序被处理器执行时实现如上述实施例提出的实现基于ATT&CK的网络安全事件联动处置系统。This embodiment also provides a storage medium on which a computer program is stored. When the program is executed by the processor, the ATT&CK-based network security event linkage processing system is implemented as proposed in the above embodiment.
综上,本发明通过利用ATT&CK矩阵实现威胁情报系统、可信验证模块和恶意代码监测系统的联动,将威胁情报信息以ATT&CK技术角度进行分类,并根据技术特点针对数据源进行监测,提出了新的网络安全事件处置流程,可以有效提高威胁情报处理效率、识别威胁源头,并改进网络安全事件的处置方式,从而提升网络安全防护的整体能力。In summary, the present invention realizes the linkage of the threat intelligence system, trusted verification module and malicious code monitoring system by using the ATT&CK matrix, classifies the threat intelligence information from the perspective of ATT&CK technology, and monitors the data source according to the technical characteristics, and proposes a new A network security incident handling process can effectively improve the efficiency of threat intelligence processing, identify threat sources, and improve the handling of network security incidents, thereby improving the overall capabilities of network security protection.
Example 2
With reference to Figures 1 to 6, a second embodiment of the invention provides an ATT&CK-based network security event linkage handling system. To verify the beneficial effects of the invention, a scientific demonstration was carried out through economic-benefit calculation and simulation experiments.
Specifically, taking one company's pilot deployment of this system as an example, the volume of information and other data collected by the system reached the tens of millions of records. Without adding any extra equipment, the accuracy and speed of alerting improved markedly, helping network security administrators discover and handle existing network security risks in a timely manner.
Further, the company's core business systems were also connected to the network security management platform of this solution to protect them from attack. The platform first collected a large volume of logs, events and other data generated during operation and maintenance of the business systems; this large data volume improved the accuracy of the platform's threat intelligence analysis.
Preferably, the platform produces more accurate security risk warnings through correlation analysis across data sources; for example, an account login from an anomalous location has a certain correlation with data leakage events. At the same time, supported by the large data volume, the platform uses machine learning algorithms to train a threat detection model specific to that business system, further improving the accuracy of threat alerts.
Further, these alerts are presented centrally to the network security administrator through the platform. The platform performs clustering and correlation analysis on the relationships between events to help the administrator recognise the threat a set of events implies. For example, if one workstation is found to have issued a large number of connection requests to multiple business systems and other workstations within a short time, it is reasonable to suspect that the workstation poses a security risk and is carrying out an IP/port scan. This reduces the administrator's workload and allows a faster response.
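The two heuristics the pilot describes above (an account login from an unusual location followed by a data-leakage indicator, and a workstation fanning connection requests out to many hosts within a short time), worked through as an added example that is not code from the patent or from the platform it describes. It runs over constructed connection, login and DLP events embedded inline, tags each alert with an ATT&CK technique ID in the spirit of the technique-based classification the summary describes, and groups the alerts by host the way the platform's clustering step is described. The event field names, the thresholds (20 distinct targets within 60 seconds, a 2-hour login-to-leak gap), the per-account location baseline and the technique mapping (T1046 Network Service Discovery, T1078 Valid Accounts) are assumptions of this example; the machine-learning model mentioned in the text is not shown.

```python
"""Correlation heuristics over constructed security events.

Added illustrative example, not code from the patent or the platform it
describes. Field names, thresholds and the ATT&CK technique mapping are
assumptions chosen for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed ATT&CK Enterprise technique IDs used to tag the two heuristics.
TECH_NETWORK_SCAN = "T1046"    # Network Service Discovery
TECH_VALID_ACCOUNT = "T1078"   # Valid Accounts


def _ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_scanning(conn_events, window=timedelta(seconds=60), min_targets=20):
    """Flag a source that reaches >= min_targets distinct (dst, dport) pairs
    inside a sliding time window. conn_events must be sorted by 'ts'.
    Repeated connections to the same service do not add to the count, so a
    busy client of one server is not mistaken for a scanner."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (datetime, (dst, dport))
    flagged = set()               # one alert per source
    for ev in conn_events:
        now = _ts(ev["ts"])
        queue = recent[ev["src"]]
        queue.append((now, (ev["dst"], ev["dport"])))
        while queue and now - queue[0][0] > window:
            queue.popleft()
        distinct = {target for _, target in queue}
        if len(distinct) >= min_targets and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"technique": TECH_NETWORK_SCAN, "host": ev["src"],
                           "targets": len(distinct), "ts": ev["ts"]})
    return alerts


def correlate_login_leak(login_events, leak_events, baseline,
                         max_gap=timedelta(hours=2)):
    """Pair a login from outside an account's known locations with the first
    data-leak indicator for that account within max_gap after the login.
    Accounts with no baseline are skipped rather than treated as anomalous."""
    alerts = []
    for login in login_events:
        known = baseline.get(login["account"])
        if known is None or login["geo"] in known:
            continue
        t_login = _ts(login["ts"])
        for leak in leak_events:
            if leak["account"] != login["account"]:
                continue
            gap = _ts(leak["ts"]) - t_login
            if timedelta(0) <= gap <= max_gap:
                alerts.append({"technique": TECH_VALID_ACCOUNT, "host": leak["host"],
                               "account": login["account"], "login_geo": login["geo"],
                               "indicator": leak["indicator"], "ts": leak["ts"]})
                break
    return alerts


def cluster_by_host(alerts):
    """Group alert technique IDs by host so the analyst sees one entry per
    machine instead of one line per alert."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["host"]].append(alert["technique"])
    return dict(groups)


# Constructed sample data (not real telemetry).
CONN_EVENTS = sorted(
    # 10.0.5.17 touches 25 different hosts on port 445, one per second.
    [{"ts": f"2024-05-01 09:00:{i:02d}", "src": "10.0.5.17",
      "dst": f"10.0.1.{i + 1}", "dport": 445} for i in range(25)]
    # 10.0.5.20 repeatedly talks to one web server: normal traffic.
    + [{"ts": f"2024-05-01 09:00:{i * 10:02d}", "src": "10.0.5.20",
        "dst": "10.0.1.50", "dport": 443} for i in range(6)],
    key=lambda ev: ev["ts"])

BASELINE = {"alice": {"CN-SH"}, "bob": {"CN-SH", "CN-BJ"}}
LOGIN_EVENTS = [
    {"ts": "2024-05-01 09:05:00", "account": "alice", "geo": "RU-MOW"},
    {"ts": "2024-05-01 09:06:00", "account": "bob", "geo": "CN-BJ"},
]
LEAK_EVENTS = [
    {"ts": "2024-05-01 10:10:00", "account": "alice", "host": "10.0.5.17",
     "indicator": "dlp_large_upload"},
    {"ts": "2024-05-01 10:30:00", "account": "bob", "host": "10.0.5.20",
     "indicator": "dlp_large_upload"},
]


def run_pipeline():
    """Run both heuristics over the sample data and cluster the result."""
    alerts = detect_scanning(CONN_EVENTS)
    alerts += correlate_login_leak(LOGIN_EVENTS, LEAK_EVENTS, BASELINE)
    return cluster_by_host(alerts)


if __name__ == "__main__":
    for host, techniques in run_pipeline().items():
        print(host, techniques)
```

On the sample data the scan rule fires once, for 10.0.5.17 at the moment its 20th distinct target is seen, while the single web server that 10.0.5.20 keeps reconnecting to never counts as more than one target. The login rule fires for alice (baseline CN-SH, login from RU-MOW, DLP hit 65 minutes later) and stays silent for bob, whose login location is in his baseline. Both alerts land on 10.0.5.17, so the clustered view shows one host with two technique tags, which is the kind of grouped picture the pilot text says eases the administrator's triage.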
Further, by applying this solution the company automated the security protection of its business systems, maintained alert quality under a large data volume, and improved its overall network security defence capability.
It should be noted that the above embodiments are provided only to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the invention without departing from its spirit and scope, and all such changes fall within the scope of the claims of the invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311627758.3A CN117439814A (en) | 2023-11-30 | 2023-11-30 | A network security event linkage processing system and method based on ATT&CK |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311627758.3A CN117439814A (en) | 2023-11-30 | 2023-11-30 | A network security event linkage processing system and method based on ATT&CK |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117439814A true CN117439814A (en) | 2024-01-23 |
Family
ID=89555364
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311627758.3A Pending CN117439814A (en) | 2023-11-30 | 2023-11-30 | A network security event linkage processing system and method based on ATT&CK |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117439814A (en) |
- 2023-11-30 CN CN202311627758.3A patent/CN117439814A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| US20240054234A1 (en) | Methods and systems for hardware and firmware security monitoring |
| US11627154B2 (en) | Forward and rearward facing attack vector visualization |
| US11283822B2 (en) | System and method for cloud-based operating system event and data access monitoring |
| AU2018204262B2 (en) | Automated code lockdown to reduce attack surface for software |
| CN109076063B (en) | Protecting dynamic and short-term virtual machine instances in a cloud environment |
| US9401922B1 (en) | Systems and methods for analysis of abnormal conditions in computing machines |
| US20180191779A1 (en) | Flexible Deception Architecture |
| US20150256554A1 (en) | Attack analysis system, cooperation apparatus, attack analysis cooperation method, and program |
| US12470586B2 (en) | System and method for risk monitoring of cloud based computing environments |
| US12182265B2 (en) | System and method for cloud-based operating system event and data access monitoring |
| WO2025106207A1 (en) | Attack path discovery engine in a security management system |
| Sun et al. | Blockchain-based automated container cloud security enhancement system |
| KR101994664B1 (en) | Vulnerability checking system based on cloud service |
| US20250202973A1 (en) | Use of ephemeral workloads to monitor compute environments |
| US20250039211A1 (en) | Information processing apparatus, information processing method, and computer-readable recording medium |
| Sun et al. | Cloud armor: Protecting cloud commands from compromised cloud services |
| CN117439814A (en) | A network security event linkage processing system and method based on ATT&CK |
| US20260046304A1 (en) | System and method for risk monitoring of cloud based computing environments |
| US12255833B1 (en) | Visibility pods for network traffic |
| KR20250069369A (en) | Security information and event management system using ebpf for detecting malicious actions in containerized environments |
| HK40109444A (en) | System and method for cloud-based operating system event and data access monitoring |
| Olurin | Intrusions Detection in a Cloud Environment |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |