Lighthouse Lab Technology Salon (Phase 5)

Posted by loope at 2020-03-05

The theme of this salon was "capacity building for cyber ranges". The discussion topics centred on virtualization technology, network emulation technology, test-data collection and evaluation technology, and the application prospects of cyber ranges in attack-defense exercises, security evaluation and training. The Lighthouse security salon follows a principle of open discussion and free sharing, and encourages every participant to share technical views and experience in whatever style or form they prefer. This salon was held at Zhulu Teahouse, Haidian District, Beijing, on October 14, 2017. Below is a summary of the guests' talks.

Jarolan of the National Industrial Information Security Development Research Center presented the team's technical roadmap and business operating model for cyber ranges worldwide, with an in-depth analysis of the development characteristics and phased achievements of national cyber ranges such as NCR, FCR, StarBED and caselab. He also covered the application areas and business models of commercial range platforms such as Cisco Cyber Range, Ixia BreakingPoint and the Israeli security company Cyberbit.

Tao Song, project lead for the Lighthouse Lab cyber range, shared the team's experience in this field. In the ICS range domain, the network security of ICS/SCADA systems is the central concern, and a cyber range or testbed for ICS/SCADA systems is a low-cost means of vulnerability and threat analysis for such systems. Lighthouse Lab shared its practical experience of building a cyber range on an ICS environment: the technical framework and design principles of the ICS range, the problems met during actual deployment, and the application directions being explored on top of it. Finally, the talk introduced the technical framework and design of Lighthouse Lab's next ICS range.

What distinguishes an ICS range from a traditional cyber range is that most of what it simulates and emulates is industry-specific. Lighthouse Lab's z-0ne shared the lab's practice in building ICS range resources, which fall into network resources and industrial-control resources. On the industrial-control side, the talk covered the mainstream physical and virtual ICS hardware and software in the range: how real devices such as RTUs, HMIs and PLCs are connected and networked, the paths for virtual simulation, and the integration of mainstream SCADA software, PLC programming software and historian databases. Together, these industrial-control and network resources support the simulation of a large number of industrial enterprise scenarios, such as natural-gas pipeline networks, wind power, tobacco, district heating, sewage treatment, street lighting and automobile manufacturing. These scenarios, combined with attack and defense resources, make up the resource base of the current ICS range. Finally, the talk set out ideas for continuing resource construction in the next ICS range.

Drawing on the institute's research and breakthroughs in cyber-range networking, Dr. Liu Hongri of the Network Technology Research Institute, Harbin Institute of Technology (Weihai), presented the state of research, methods, implementation schemes and fidelity evaluation of simulation in three areas: user-behaviour simulation, background network traffic simulation and network-service simulation. He also compared the application characteristics of general cyber ranges and ICS ranges, and discussed how cyber-range simulation technology can be reused in an ICS range.

Dr. Sheng Chuan of Northeastern University's Diting (谛听) team shared the team's practice in honeypot data analysis along three dimensions: information lookup, tracking and attribution, and traffic monitoring. The analysis ranged from macro network characteristics to micro access characteristics, and the threat data from basic threat statistics to per-IP behaviour and tool fingerprinting. Notably, the team has its own method for analysing the mainstream ICS scanning tools, and presented the distinct communication-behaviour characteristics of different network scanners. Finally, the talk gave the computation method and rating standard for an IP threat profile. The team's data-analysis practice is also instructive for building range platforms.

Xu Wen, a researcher at Venustech's (启明星辰) ADLab, drew on her long experience of turning research results into attack-defense platform products and on her understanding of external customer needs to share her own views on how demand scenarios, models, user needs and application scenarios have changed. Attack-defense platforms have shifted from training for traditional school education to industry-specific training; the product model has moved from virtualization-based training platforms to simulation ranges that combine virtual and physical elements; and the application model has moved from pure virtual-machine environments to combined virtual-physical simulation. She closed by summarizing the theme from the angles of training, competition and range construction.

Su Chang, a lecturer at North China Electric Power University (NCEPU), introduced the university's research approach and current results on an ICS security simulation platform, covering the requirements of attack-defense drills for power monitoring systems, the functions and logical framework of the attack-defense platform, and application experience. Of particular interest, NCEPU divides the range into a training range and a confrontation range according to how each is used; the confrontation range is connected to a power-specific hardware-in-the-loop simulation module to give users a near-real power-system environment. The platform also includes power-specific sensing and monitoring, applying ICS data collection and situational-awareness technology to the simulation platform. As the base platform for the EICS+ ICS information security attack-defense competitions in 2015 and 2016, the drill platform has provided an objective, scientific basis for the information-security evaluation and protection of ICS water and gas systems.

Luo Yuanxing, deputy general manager of Beijing Yunwangxin Information Technology Co., Ltd., shared personal and team experience in ICS security assessment. Mr. Luo began with the differences between ICS security and traditional information security services, then turned to the core issue in ICS security services: how to keep the impact on the production system to a minimum during testing, and how to win the trust of industrial customers in the security team. Using a penetration-testing engagement in the rail-transit industry as an example, he discussed how, at the technical level, a heavily protected industrial network can be breached through "qiaojin" (skilful, well-placed effort rather than brute force). Most valuably, Mr. Luo offered constructive suggestions for range construction based on his ICS security experience.

Xia Jie of Anbai Technology presented his personal technical views on log analysis from an information-security perspective. Starting from the shortcomings of traditional log analysis, he introduced the idea of log analysis as an engineering discipline, then explained in detail how such engineering proceeds from exploration to practice to an advanced stage, and which specific indicators a log-analysis platform should extract for statistics, analysis and display to bring customers the most direct value. He then described how to engineer attack attribution over log data: which threat indicators attribution work can extract from logs, how to correlate them with internal and external threat intelligence, and how to engineer threat classification of the data. Finally, he shared thoughts on machine-learning algorithms for data analysis and on how to analyse log data on a range platform.

Zhu Wenzhe, an independent ICS security researcher, works mainly on vulnerability discovery in industrial control devices and software, focusing on protocol fuzzing and embedded-system security analysis. His talk covered the icssploit platform he maintains: an ICS exploitation framework written in Python, similar in spirit to Metasploit. The platform consists of ICS protocol modules, client modules, device-scanning modules and exploit modules, which make vulnerability analysis and verification easier for ICS security researchers. In addition, by combining the protocol modules with the Kitty fuzzing framework, existing ICS protocol packet definitions can be used directly to generate targeted test cases and fuzz the target devices and software. Finally, he demonstrated how to discover and analyse vulnerabilities with the platform.
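The model-driven fuzzing idea described above, as an added example that is not icssploit or Kitty code: a field model of a Modbus/TCP Read Holding Registers request (function 0x03) drives test-case generation, so each case targets one protocol field instead of mutating random bytes. Modbus/TCP is chosen here because it is a widely supported ICS protocol; the `Field` class, the mutation rules and the case labels are this example's own assumptions. The generator only builds frames; delivering them to a target and watching for crashes or hangs is the fuzzer harness's job and is not shown.

```python
"""
Model-driven test-case generation for Modbus/TCP function 0x03 (Read Holding Registers).

Added illustration: a protocol packet model drives a fuzzer so that test cases
target individual fields. Not icssploit or Kitty code; the Field model, mutation
rules and case descriptions below are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Field:
    """One fixed-width, big-endian unsigned integer field of a PDU (assumed model)."""
    name: str
    width: int            # size in bytes (1 or 2 for Modbus/TCP)
    value: int            # baseline (valid) value
    fuzz: bool = True     # False keeps the field fixed so the device still parses the frame

    @property
    def max_value(self) -> int:
        return (1 << (8 * self.width)) - 1

    def pack(self, value: Optional[int] = None) -> bytes:
        v = self.value if value is None else value
        return v.to_bytes(self.width, "big")


def modbus_read_holding_registers(tid: int = 1, unit: int = 1,
                                  address: int = 0, quantity: int = 10) -> List[Field]:
    """Protocol model: MBAP header followed by the FC 0x03 request PDU.
    Widths and order follow the Modbus/TCP layout; 'length' counts the bytes
    after itself (unit id + function code + address + quantity = 6)."""
    return [
        Field("transaction_id", 2, tid),
        Field("protocol_id", 2, 0, fuzz=False),   # always 0 for Modbus
        Field("length", 2, 6),
        Field("unit_id", 1, unit),
        Field("function_code", 1, 0x03, fuzz=False),
        Field("start_address", 2, address),
        Field("quantity", 2, quantity),
    ]


def build(fields: List[Field], overrides: Optional[Dict[str, int]] = None) -> bytes:
    """Serialize the model, substituting per-field values for one test case."""
    overrides = overrides or {}
    return b"".join(f.pack(overrides.get(f.name)) for f in fields)


def boundary_values(f: Field) -> List[int]:
    """Classic integer boundaries for the field width, minus the baseline value,
    so every generated case differs from the valid request."""
    mx = f.max_value
    return sorted({0, 1, (mx >> 1) + 1, mx - 1, mx} - {f.value})


def mbap_length_consistent(frame: bytes) -> bool:
    """True when the MBAP length field matches the number of bytes that follow it."""
    if len(frame) < 6:
        return False
    return int.from_bytes(frame[4:6], "big") == len(frame) - 6


def generate_cases(fields: List[Field]) -> List[Tuple[str, bytes]]:
    """Derive (description, frame) test cases from the model.

    Per-field boundary values cover the semantic fields (address, quantity) and
    the length field, whose mutations produce frames that contradict their own
    framing. Two hand-written cases add a spec-level violation and a truncation."""
    cases: List[Tuple[str, bytes]] = []
    for f in fields:
        if not f.fuzz:
            continue
        for v in boundary_values(f):
            cases.append((f"{f.name}={v:#x}", build(fields, {f.name: v})))
    # FC 0x03 permits at most 125 registers per request.
    cases.append(("quantity=126 (exceeds FC3 maximum of 125)",
                  build(fields, {"quantity": 126})))
    # Payload shorter than the length field claims: a common parser stress case.
    cases.append(("truncated by one byte, length unchanged", build(fields)[:-1]))
    return cases


if __name__ == "__main__":
    model = modbus_read_holding_registers()
    print("baseline:", build(model).hex())
    for desc, frame in generate_cases(model):
        flag = "" if mbap_length_consistent(frame) else "  [length mismatch]"
        print(f"{desc:45s} {frame.hex()}{flag}")
```

Keeping `protocol_id` and `function_code` fixed is deliberate: a frame the device rejects before dispatching to a function handler exercises only the outermost parser, so the fields that steer a request into specific code paths are left valid while the others are pushed to their limits. Adding a new request type means writing another model function in the same shape, which is the reuse the talk attributes to combining protocol modules with a fuzzer.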