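Fundamental Theory and Key Technologies of Cybersecurity Emergency Response. Intended readers: cybersecurity practitioners, students, and enthusiasts.
This book is aimed primarily at cybersecurity practitioners, students, and enthusiasts. It outlines the measures taken abroad for cybersecurity emergency response, the construction of China's emergency response system and institutions, and an interpretation of the relevant laws and regulations. It gives focused study and explanation of the basic theory and key technologies involved in emergency response, helping practitioners gain a comprehensive understanding of international and domestic emergency response laws, regulations, industry standards and specifications, and the principles and applications of the key technologies. The book follows the principle of combining theoretical explanation with hands-on practice: through case analysis and tool use it strengthens the understanding of theory and also helps improve readers' practical skills.
Liu Yonggang, male, bachelor's degree, senior engineer. He enlisted in October 1984 and studied at the Chongqing Communication Institute of the Chinese People's Liberation Army from September 1986 to July 1989; after graduating he was assigned to Unit 61938 to work on network operations management. From September 1992 to July 1996 he studied at the Hefei Electronic Engineering Institute. Since graduating he has returned to his original unit and served successively as engineer, training office director, deputy head of a substation, station head, and senior engineer. In 2007 he was named an Outstanding Professional and Technical Talent of the General Staff Department and receives a special military allowance; he is currently a member of the station's expert committee.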
Chapter 1 A Brief History of Cybersecurity Emergency Response
  1.1 Origins of cybersecurity emergency response
  1.2 Development of international cybersecurity emergency response organizations
    1.2.1 Introduction to FIRST
    1.2.2 Introduction to APCERT
    1.2.3 National-level CERTs
  1.3 Brief introduction to the development of China's cybersecurity emergency response organization system
Chapter 2 Overview of Cybersecurity Emergency Response
  2.1 Concepts related to cybersecurity emergency response
  2.2 Cybersecurity and information security
  2.3 Analysis of the causes of cybersecurity problems
    2.3.1 Technical causes
    2.3.2 Management causes
Chapter 3 Laws and Regulations on Cybersecurity Emergency Response
  3.1 China's laws, regulations and policies related to cybersecurity emergency response
  3.2 The guiding significance of the Cybersecurity Law
    3.2.1 Establishing a cybersecurity monitoring, early-warning and information notification system
    3.2.2 Establishing cybersecurity risk assessment and emergency work mechanisms
    3.2.3 Formulating cybersecurity incident emergency plans and drilling them regularly
  3.3 "Information Security Technology: Specification for Information Security Emergency Response Plans" (GB/T24363—2009)
    3.3.1 Emergency response requirements analysis and determination of the emergency response strategy
    3.3.2 Compiling the emergency response plan document
    3.3.3 Testing, training and drills for the emergency response plan
    3.3.4 Management and maintenance of the emergency response plan
  3.4 Classification and grading of information security incidents
    3.4.1 Importance of the classification and grading specification
    3.4.2 Principles for classifying information security incidents
    3.4.3 Principles for grading information security incidents
Chapter 4 Common Models for Cybersecurity Emergency Response
  4.1 Cyber kill chain and counter-kill-chain models
  4.2 Diamond model
  4.3 Adaptive security framework
  4.4 Sliding scale of cybersecurity model
Chapter 5 Emergency Response Handling Process
  5.1 Preparation phase
    5.1.1 Purpose of preparation
    5.1.2 Carrying out preparation
  5.2 Detection phase
    5.2.1 Purpose of detection
    5.2.2 Carrying out detection
  5.3 Containment phase
    5.3.1 Purpose of containment
    5.3.2 Carrying out containment
  5.4 Eradication phase
    5.4.1 Purpose of eradication
    5.4.2 Carrying out eradication
  5.5 Recovery phase
    5.5.1 Purpose of recovery
    5.5.2 Carrying out recovery
  5.6 Summary phase
    5.6.1 Purpose of the summary
    5.6.2 Carrying out the summary
Chapter 6 Implementation System for Cybersecurity Emergency Response
  6.1 Research background and importance of the emergency response implementation system
    6.1.1 Research background of the emergency response implementation system
    6.1.2 Importance of the emergency response implementation system
  6.2 Emergency response personnel system
    6.2.1 Main work and objectives of the emergency response team
    6.2.2 Personnel composition
    6.2.3 Division of functions
  6.3 Emergency response technical system
    6.3.1 Pre-incident techniques
    6.3.2 In-incident techniques
    6.3.3 Post-incident techniques
  6.4 Principles for implementing emergency response
    6.4.1 Feasibility principle
    6.4.2 Information sharing principle
    6.4.3 Dynamic principle
    6.4.4 Auditability principle
  6.5 Emergency response implementation rules
    6.5.1 General provisions
    6.5.2 Routine risk prevention rules
    6.5.3 Regular drill and training rules
    6.5.4 Regular meeting and exchange rules
Chapter 7 Cybersecurity Assurance for Major Events
  7.1 Research background and distinctiveness of cybersecurity assurance for major events
    7.1.1 Research background
    7.1.2 Distinctiveness of major-event assurance
  7.2 Foundations for building the major-event assurance system
    7.2.1 Identifying the assurance targets
    7.2.2 Establishing the assurance objectives
    7.2.3 Compiling the assurance asset inventory
  7.3 Design of the major-event assurance system
    7.3.1 Management system
    7.3.2 Organizational system
    7.3.3 Technical system
    7.3.4 Operations and maintenance system
  7.4 Core work of major-event assurance
    7.4.1 Risk identification
    7.4.2 Risk assessment
    7.4.3 Risk response plan
    7.4.4 Risk monitoring and adjustment
  7.5 Carrying out major-event assurance
    7.5.1 Battle-preparation phase
    7.5.2 Pre-battle phase
    7.5.3 Actual-combat phase
    7.5.4 Decisive-battle phase
Chapter 8 Data-Driven Emergency Response Handling Mechanisms
  8.1 Concept analysis
    8.1.1 The data-driven industrial revolution
    8.1.2 Data-driven emergency response handling mechanisms
  8.2 Requirements analysis
    8.2.1 Special requirements for emergency response handling in big-data scenarios
    8.2.2 The necessary choice of emergency response handling mechanism on the unmanned battlefield
    8.2.3 Effective methods for emergency response handling mechanisms in fine-grained management
  8.3 Solutions
    8.3.1 Data-driven incident prevention mechanism
    8.3.2 Data-driven incident handling mechanism
    8.3.3 Data-driven incident cause-finding mechanism
Chapter 9 Operating System Hardening and Optimization Techniques
  9.1 Introduction
  9.2 Principles of operating system hardening
    9.2.1 Identity authentication
    9.2.2 Access control
    9.2.3 Security auditing
    9.2.4 Security management
    9.2.5 Resource control
  9.3 Operating system hardening in practice
    9.3.1 System password hardening
    9.3.2 System account optimization
    9.3.3 System service optimization
    9.3.4 System log settings
    9.3.5 Remote login settings
    9.3.6 System vulnerability patching
  9.4 Classic case analysis and tool introduction
    9.4.1 "One password rules them all"
    9.4.2 The notorious ransomware: WannaCry
    9.4.3 Host security hardening software
Chapter 10 Network Deception Techniques
  10.1 Overview
  10.2 Network deception techniques
    10.2.1 Honeypots
    10.2.2 Shadow service technology
    10.2.3 Virtual network topology technology
    10.2.4 Honeytoken technology
  10.3 Development trends in deception technology
  10.4 Introduction to deception technology tools
  10.5 Principles and cases for using deception technology
    10.5.1 Principles of use
    10.5.2 Use cases
Chapter 11 Tracking and Source Tracing
  11.1 Overview of tracking and source tracing
    11.1.1 Meaning and role of tracking and source tracing
    11.1.2 Classification of tracking and source tracing
  11.2 Tracking and source-tracing techniques
    11.2.1 Network traffic tracking and source-tracing techniques
    11.2.2 Malicious code sample analysis for source tracing
  11.3 Tracking and source-tracing tools and systems
    11.3.1 The Traceroute utility
    11.3.2 Colasoft network retrospective analysis system
  11.4 Common approaches to attack source tracing
    11.4.1 Anomalous operators inside the organization
    11.4.2 Attackers inside the organization
    11.4.3 Attackers outside the organization
  11.5 Source-tracing analysis cases
Chapter 12 Firewall Technology
  12.1 Definition and functions of firewalls
    12.1.1 Definition of a firewall
    12.1.2 Functions of a firewall
  12.2 Classification of firewalls
    12.2.1 Packet-filtering firewalls
    12.2.2 Stateful inspection firewalls
    12.2.3 Application proxy firewalls
  12.3 Firewall architectures
    12.3.1 Dual-homed host architecture
    12.3.2 Screened host architecture
    12.3.3 Screened subnet architecture
  12.4 Development of firewalls
    12.4.1 Applications of firewalls
    12.4.2 Development trends of firewalls
Chapter 13 Malicious Code Analysis Techniques
  13.1 Overview of malicious code
    13.1.1 Concept of malicious code
    13.1.2 Classification of malicious code
    13.1.3 Propagation channels of malicious code
    13.1.4 Analysis of why malicious code exists
    13.1.5 Attack mechanisms of malicious code
    13.1.6 Harm caused by malicious code
  13.2 Malicious code analysis techniques
    13.2.1 Overview of malicious code analysis techniques
    13.2.2 Static analysis techniques
    13.2.3 Dynamic analysis techniques
  13.3 Emergency response to malicious code attacks
    13.3.1 Emergency response principles
    13.3.2 Emergency response process
  13.4 Real-world case analysis
    13.4.1 Viewing basic information about the malicious code
    13.4.2 Viewing the main behaviors of the malicious code
    13.4.3 Analyzing the malicious code with tools
    13.4.4 Emergency response measures
Chapter 14 Security Forensics Techniques
  14.1 Basic introduction to security forensics techniques
    14.1.1 Objectives
    14.1.2 Characteristics
    14.1.3 Principles
    14.1.4 Current state
    14.1.5 Development trends
    14.1.6 Points to note
  14.2 Basic steps of security forensics
    14.2.1 Protecting the scene
    14.2.2 Acquiring evidence
    14.2.3 Preserving evidence
    14.2.4 Authenticating evidence
    14.2.5 Analyzing evidence
    14.2.6 Conducting tracking
    14.2.7 Presenting evidence
  14.3 Introduction to security forensics techniques
    14.3.1 Security scanning
    14.3.2 Traffic collection and analysis
    14.3.3 Log collection and analysis
    14.3.4 Source code analysis
    14.3.5 Data collection and mining
  14.4 Introduction to security forensics tools
    14.4.1 Tool overview
    14.4.2 Tool introduction
    14.4.3 Vendor-developed tools
  14.5 Security forensics case analysis
    14.5.1 Ransomware outbreak
    14.5.2 Network attack
Chapter 15 Emergency Response to Computer Virus Incidents
  15.1 Handling computer virus incidents
    15.1.1 Classification of computer viruses
    15.1.2 Detection and removal of computer viruses
    15.1.3 Emergency response to computer virus incidents
  15.2 Example tools for handling computer virus incidents
    15.2.1 Common system tools
    15.2.2 Computer virus analysis tools
    15.2.3 Computer virus scanning and removal tools
    15.2.4 System recovery and hardening tools
  15.3 Approach and cases for emergency response to computer virus incidents
    15.3.1 Approach to emergency response for computer virus incidents
    15.3.2 Ransomware handling case
    15.3.3 Handling case for an unknown folder virus
Chapter 16 Emergency Response to Distributed Denial-of-Service Attack Incidents
  16.1 Introduction to DDoS attacks
    16.1.1 DoS attacks
    16.1.2 DDoS attacks
    16.1.3 Classification of DDoS attacks
    16.1.4 Steps of a DDoS attack
  16.2 Emergency response strategy for DDoS attacks
    16.2.1 Prevention and protection (before the attack)
    16.2.2 Detection and filtering (during the attack)
    16.2.3 Tracking and source tracing (after the attack)
  16.3 Cases of handling DDoS attack incidents
    16.3.1 GitHub attack (2018)
    16.3.2 Dyn attack (2016)
    16.3.3 Spamhaus attack (2013)
  16.4 Common DDoS detection and defense tools
    16.4.1 DDoS attack testing tools
    16.4.2 DDoS monitoring and defense tools
Chapter 17 Strategies for Handling Information Leakage Incidents
  17.1 Basic concepts and theory of information leakage incidents
  17.2 Introduction to information leakage prevention techniques
    17.2.1 Leakage prevention techniques for information storage
    17.2.2 Leakage prevention techniques for information transmission
    17.2.3 Leakage prevention techniques for information use
    17.2.4 Trend analysis of information leakage prevention techniques
  17.3 Analysis of information leakage prevention strategies
    17.3.1 Legislation
    17.3.2 Management and control
    17.3.3 Technology
Chapter 18 Advanced Persistent Threats
  18.1 APT attack activity
    18.1.1 Active APT groups
    18.1.2 Typical APT attack cases
  18.2 Overview of APT
    18.2.1 Meaning and characteristics of APT
    18.2.2 APT attack process
    18.2.3 APT technical means
  18.3 Detection of and response to APT attacks
  18.4 APT industry products and technical solutions
    18.4.1 NSFOCUS Threat Analysis System
    18.4.2 Topsec Advanced Threat Detection System
References