Research on a Linkage System for Network Security Incident Emergency Response
Abstract
The main purpose of a network security incident emergency response linkage system is to coordinate the human, informational and other resources of emergency response organizations so that they can respond to network security incidents jointly; no widely accepted model exists yet. This thesis discusses a preliminary model of such a linkage system and attempts to study a unified organizational pattern for emergency response teams, in order to raise the early-warning and response capability of the industry as a whole.
The thesis has six chapters. Chapter 1 starts from the characteristics and development trends of network security incident emergency response technology and discusses the background of the basic model of the linkage system. Chapter 2 describes each stage of the PDCERF methodology in detail. Chapter 3 covers emergency response organization theory and the basic model of the linkage system. Chapter 4, following the thread of the PDCERF methodology, fills out the basic model with a set of recommended standards. Chapter 5 gives a reference proposal compiled by the author and a case illustration of a concrete situation. Chapter 6 briefly discusses other key contents of the linkage system.
The thesis focuses on the organization and process of response and does not go deeply into technical details; the proposed linkage system model is not perfect, but it gives full consideration to the key problems of collaborative response and focuses on fitting the actual situation in China, so it is reasonably operable.
As networks grow in importance, the many dangers hidden in them become increasingly visible. Security incidents such as viruses, worms, Trojan horses and intrusions occur one after another, and anti-virus, firewall and intrusion detection technology has developed rapidly in response. Years of practice have shown, however, that even the most expensive protective measures cannot by themselves defend against viruses and other Internet attacks, and today's intrusion detection tools are far from perfect. A complete network security system therefore needs a computer emergency response system alongside the protection system, in order to reduce and avoid loss of information.
This is why the integrated emergency management system came into being. Although research in this field has already begun, no network security incident response linkage system has yet been formed and widely accepted. Based on an analysis of the extensive literature on network security and emergency response systems, and on a combined discussion and comparison of the typical present-day models of emergency response teams, the author tries to establish a more complete network security incident response linkage system model suited to the worsening state of network security.
The study of the network security incident response linkage system begins with emergency response technique. Emergency response works both before a loss is suffered and after it: on the one hand, full preparations should be made for network security incidents; on the other hand, measures such as containment strategies, eradication procedures and recovery steps can be taken.
Emergency response demands a high level of technique, with a strong practical and integrative character. Because of the complexity of the problems and the missing security functions of the Internet protocols, emergency response has its own characteristics and research methods. Its key techniques are: intrusion detection technology; incident isolation and rapid recovery of affected computers; network traceback and localization; and computer forensics.
The key techniques of computer emergency response mark its direction of development; related techniques and tools are still struggling to prove their validity, and in practice there are more challenges than results. Consequently the development of emergency response at the level of social organizations has become another trend, presenting itself mainly in two aspects: law and linkage response.
Methodology is the discipline that studies the process of incident response.
It is not a single fixed method; the theory introduced in this thesis is the widely accepted classical one known as PDCERF, which comprises six stages: Preparatory Works, Detection Mechanisms, Containment Strategies, Eradication Procedures, Recovery Steps and Follow-Up Reviews. The PDCERF methodology simply fixes the definition of the stages and the ideal sequence of incident response. Task coordination within every stage and the relationships among the people involved in the response process have always been the two important subjects.
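To make the stage sequence and per-stage task coordination concrete, here is an added example that is not part of the thesis: a small incident record that walks through the six PDCERF stages in order and refuses to advance while the current stage's checklist is incomplete, recording which owner finished each task. The stage names, the checklist items and the owners are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed checklists (an assumption of this example, not from the thesis):
# the six PDCERF stages in order, each with the tasks that must be completed,
# and by whom, before the incident may move on to the next stage.
PDCERF: List[Tuple[str, List[str]]] = [
    ("Preparation", ["contacts_verified", "tooling_ready"]),
    ("Detection", ["incident_confirmed", "scope_assessed"]),
    ("Containment", ["affected_hosts_isolated", "evidence_preserved"]),
    ("Eradication", ["root_cause_removed", "patch_applied"]),
    ("Recovery", ["services_restored", "monitoring_heightened"]),
    ("Follow-Up", ["lessons_learned_written"]),
]


class StageError(ValueError):
    """Raised when a task or transition does not fit the current stage."""


@dataclass
class Incident:
    """One incident record walked through the PDCERF stages in order."""
    ident: str
    stage_index: int = 0  # opened in Preparation: readiness is confirmed first
    done: Dict[str, Dict[str, str]] = field(default_factory=dict)  # stage -> task -> owner

    @property
    def stage(self) -> str:
        return PDCERF[self.stage_index][0]

    def complete(self, task: str, owner: str) -> None:
        """Record that `owner` finished `task`; the task must belong to the current stage."""
        stage, tasks = PDCERF[self.stage_index]
        if task not in tasks:
            raise StageError(f"{task!r} is not a {stage} task")
        self.done.setdefault(stage, {})[task] = owner

    def missing(self) -> List[str]:
        """Tasks of the current stage that are still open."""
        stage, tasks = PDCERF[self.stage_index]
        return [t for t in tasks if t not in self.done.get(stage, {})]

    def advance(self) -> str:
        """Move to the next stage, refusing while the current checklist is incomplete."""
        open_tasks = self.missing()
        if open_tasks:
            raise StageError(f"cannot leave {self.stage}: open tasks {open_tasks}")
        if self.stage_index == len(PDCERF) - 1:
            raise StageError("Follow-Up is the last stage; its findings feed the next Preparation")
        self.stage_index += 1
        return self.stage


def run_example() -> Incident:
    """Walk a constructed incident through every stage with named owners."""
    inc = Incident("constructed-0001")
    owners = {"Preparation": "duty_officer", "Detection": "analyst",
              "Containment": "sysadmin", "Eradication": "sysadmin",
              "Recovery": "sysadmin", "Follow-Up": "team_lead"}
    for stage, tasks in PDCERF:
        for task in tasks:
            inc.complete(task, owners[stage])
        if stage != "Follow-Up":
            inc.advance()
    return inc


if __name__ == "__main__":
    final = run_example()
    print(final.stage, final.done)
```

The `done` map is the record of who did what at which stage, which is the raw material the Follow-Up Reviews stage needs; the refusal to advance early is what turns the "ideal sequence" into something a coordinator can actually enforce.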
At present the primary body of emergency response is the CSIRT (Computer Security Incident Response Team). As the crucial force in the response process, the CSIRT is both the administrator and the instructor at every stage.
Network incidents are characterized by urgency, diversity and unpredictability, and can cause enormous loss in a short time. This makes defense far more difficult than attack in the network field. The defender must have a good command of integrated knowledge of systems, software and networks, and must also possess some knowledge and experience of network attacks. Handling security incidents therefore requires not only high technique and abundant experience from the defender but, more importantly, the full use of human, material, informational and technical resources, united and cooperating. A new trend has appeared: growing, well-resourced and experienced hacker teams attack networks in more professional and sophisticated ways. It is very difficult for a single unit to handle the diverse network incidents efficiently on its own; association is the only choice.
On the basis of the CSIRT and the linkage system, we put forward a basic model of the network security incident response linkage system. Built on full coordination of the human and informational resources held in different positions to handle network security incidents, the system develops out of the CSIRT and its coordination center, and belongs to the organizational form of the later stage of CSIRT development.
After this general understanding of the background and basic model of the emergency response linkage system, we follow the thread of the methodology to fill out the basic model with some recommended standards. This model places particular emphasis on management, so we do not stress the concrete response techniques involved in the four middle stages of the response process but rather the two ends, Preparatory Works and Follow-Up Reviews. Although emergency response is a passive security technique that takes precautions after a loss has been suffered, the methodology pays more attention to the preparation stage, drawing on the understanding of incidents and the accumulation of experience.
Information sharing is the core of the linkage system, but how to achieve sufficient sharing still needs discussion. In an age of information explosion, providing a great deal of unrelated information has no real effect; on the contrary, it lowers the rate at which the important information hidden among it is discovered.
Therefore we distinguish the sharable objects and the content of the information, classify them and set permissions accordingly, and then send the information through multiple release channels such as the website, mail and private messenger. The linkage system attaches great importance to the accumulation of technique, because emergency response relies on experience; the response team must maintain a file of vulnerabilities.
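The two preceding paragraphs describe classifying shared information, setting permissions on it, filtering out unrelated items so that the important ones are not buried, and releasing it through the website, mail and private messenger. The following added example (not code from the thesis) models that release decision: each advisory carries an audience level, a permission check and a relevance check decide who may and should receive it, and the audience level selects the channels. The audience levels, the channel mapping, the recipients and the advisories are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set


class Audience(Enum):
    """Who may receive an item, from least to most restricted."""
    PUBLIC = 1              # anyone
    MEMBER_TEAMS = 2        # response teams that belong to the linkage system
    AFFECTED_TEAM_ONLY = 3  # only the one team whose systems are involved


# Constructed mapping (an assumption of this example, not from the thesis):
# which release channels are appropriate for each audience level.
CHANNELS_FOR_AUDIENCE: Dict[Audience, List[str]] = {
    Audience.PUBLIC: ["website", "mail"],
    Audience.MEMBER_TEAMS: ["mail"],
    Audience.AFFECTED_TEAM_ONLY: ["private_messenger"],
}


@dataclass(frozen=True)
class Advisory:
    title: str
    audience: Audience
    affected_products: FrozenSet[str]      # product tags the advisory concerns
    affected_team: Optional[str] = None    # required when AFFECTED_TEAM_ONLY


@dataclass
class Recipient:
    name: str
    is_member: bool
    products: Set[str]   # asset profile the recipient registered with the system
    channels: Set[str]   # channels on which the recipient can actually be reached


def permitted(adv: Advisory, rcpt: Recipient) -> bool:
    """Permission check derived from the advisory's audience level."""
    if adv.audience is Audience.PUBLIC:
        return True
    if adv.audience is Audience.MEMBER_TEAMS:
        return rcpt.is_member
    return rcpt.is_member and rcpt.name == adv.affected_team


def relevant(adv: Advisory, rcpt: Recipient) -> bool:
    """Drop member-level items that touch none of the recipient's assets, so the
    items that matter to them are not buried in unrelated traffic."""
    if adv.audience is Audience.PUBLIC:
        return True
    return bool(adv.affected_products & rcpt.products)


def route(adv: Advisory, recipients: List[Recipient]) -> Dict[str, List[str]]:
    """Return {channel: [recipient names]}; 'website' carries no names because
    it is a publication, not a delivery to individuals."""
    plan: Dict[str, List[str]] = {}
    if adv.audience is Audience.PUBLIC:
        plan["website"] = []
    for rcpt in recipients:
        if not (permitted(adv, rcpt) and relevant(adv, rcpt)):
            continue
        for ch in CHANNELS_FOR_AUDIENCE[adv.audience]:
            if ch != "website" and ch in rcpt.channels:
                plan.setdefault(ch, []).append(rcpt.name)
    return plan


# Constructed sample data (not real teams, products or advisories).
SAMPLE_RECIPIENTS = [
    Recipient("team_a", True, {"router-x"}, {"mail", "private_messenger"}),
    Recipient("team_b", True, {"webmail-y"}, {"mail", "private_messenger"}),
    Recipient("subscriber", False, set(), {"mail"}),
]
SAMPLE_ADVISORIES = [
    Advisory("router-x configuration advisory", Audience.MEMBER_TEAMS, frozenset({"router-x"})),
    Advisory("webmail-y incident at team_b", Audience.AFFECTED_TEAM_ONLY,
             frozenset({"webmail-y"}), affected_team="team_b"),
    Advisory("general worm warning", Audience.PUBLIC, frozenset()),
]

if __name__ == "__main__":
    for adv in SAMPLE_ADVISORIES:
        print(adv.title, "->", route(adv, SAMPLE_RECIPIENTS))
```

Separating `permitted` (may they see it) from `relevant` (should they be bothered with it) keeps the two concerns the text raises distinct: the first protects the affected team's privacy, the second keeps the member teams' inboxes from filling with items that do not concern their assets.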
Having made clear the composition, organization, description of functions and related reference standards of the network security incident response linkage system model, we can study the operation of the system built on it. A reference proposal compiled by the author is given here, with a detailed case illustration.
Finally, in addition to each stage of PDCERF, the author introduces other important contents including communication, coordination of the parallel management of multiple cases, information sharing and privacy protection, the establishment of supporting laws and regulations, and the robustness of the system.
Compared with the current operation of the CSIRT, this model contains a more reasonable operating mode and a more complete information security cycle model. It pays more attention to the Preparatory Works stage, and it also takes into account the efficiency and coordination of handling network security incidents.
This framework model still needs much perfection and improvement; many contents are not detailed enough, and technique has not received much consideration. Thorough and meticulous research on these aspects is continuing. Response linkage systems have been explored successfully in other fields, so the network security incident response linkage system will certainly have a great impact on the security of the Internet.