Last month, for odd reasons, I took part in four back-to-back cybersecurity offensive and defensive drills, including ones run by the Ministry of Public Security, the municipal government and the Ministry of Industry and Information Technology.
Of the four, we also joined the two launched by the municipal government, but since they overlapped in time with the other two, we could effectively ignore them.
During an actual attack, how do we find out who the attacker is?
Tracing a network attacker by conventional means is very hard.
The attackers all use new machines and fresh IP addresses issued by the organizers, so it is basically impossible to learn their identity through normal channels.
From tracing work I did myself and from exchanging notes with friends, I have roughly summarized the following tracing methods.
1.
First of all, we need a large number of honeypots that use JSONP, made to look as much like real business systems as possible, so that the attacker spends as much time as possible inside them.
Here we used a company's commercial honeypot product.
A careless attacker will be logged in to social networking sites on the same computer, such as QQ or Baidu Tieba. The honeypot page can then use JSONP to obtain the attacker's mobile phone number (the middle four digits are masked by the carrier) and social account.
Once we have the attacker's social networking id, we can go to that site and look through his posting history. If it goes well, we can find his mobile phone number from his posts, then use a social engineering database to find his personal information (education, family), and then search the phone number in workplace communication software to obtain his current employer.
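The reason the honeypot trick above works is that a social site's JSONP "who am I" endpoint answers any page that embeds it in a `<script>` tag, with the victim's session cookie attached. The following is an added example that is not part of the original post: a minimal server-side model of such an endpoint in its leaky legacy form, beside a hardened form that refuses cross-site callers using the browser's Fetch Metadata header (with a Referer/Origin allowlist as fallback) and validates the callback name. The session store, cookie name, origin and request objects are all constructed for the demo.

```javascript
// Added example (not code from the original post): a JSONP identity endpoint
// in its leaky form and in a hardened form. All data below is constructed.

// Constructed session store: session id -> logged-in user's profile.
const SESSIONS = {
  'sess-abc123': { userId: 'u42', phoneMasked: '138****1234' },
};

// Hypothetical first-party origin of the social site.
const ALLOWED_ORIGINS = new Set(['https://social.example']);

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Legacy behaviour: cookie-authenticated JSONP that answers every caller.
// A third-party page (such as a honeypot login form) that embeds
// <script src="https://social.example/api/me?callback=cb"> receives the
// profile, because the browser attaches the session cookie to script loads.
function legacyJsonp(req) {
  const sess = SESSIONS[parseCookies(req.headers.cookie || '').sid];
  const cb = req.query.callback || 'callback';
  return `${cb}(${JSON.stringify(sess || null)})`;
}

// Classify the caller's site. Sec-Fetch-Site is set by the browser and
// cannot be forged by page script; older browsers get a Referer/Origin
// allowlist check instead, and an absent signal fails closed ("unknown").
function requestSite(headers) {
  const sfs = headers['sec-fetch-site'];
  if (sfs) return sfs;
  const ref = headers.origin || headers.referer;
  if (!ref) return 'unknown';
  try {
    return ALLOWED_ORIGINS.has(new URL(ref).origin) ? 'same-origin' : 'cross-site';
  } catch (e) {
    return 'unknown';
  }
}

// Hardened behaviour: refuse cross-site and unclassifiable callers, and only
// accept a plain identifier as the callback so the response cannot be used
// to inject arbitrary script. (Issuing the session cookie with SameSite=Strict
// removes the cookie from cross-site script loads in the first place.)
function hardenedJsonp(req) {
  const site = requestSite(req.headers);
  if (site !== 'same-origin' && site !== 'same-site' && site !== 'none') {
    return { status: 403, body: '' };
  }
  const cb = String(req.query.callback || 'callback');
  if (!/^[A-Za-z_$][\w$]*$/.test(cb)) return { status: 400, body: '' };
  const sess = SESSIONS[parseCookies(req.headers.cookie || '').sid];
  return { status: 200, body: `${cb}(${JSON.stringify(sess || null)})` };
}

// Constructed request as a honeypot page would cause the browser to send it.
const crossSiteReq = {
  headers: {
    cookie: 'sid=sess-abc123',
    'sec-fetch-site': 'cross-site',
    referer: 'https://honeypot.example/login',
  },
  query: { callback: 'cb' },
};

// Constructed request from the site's own page.
const sameOriginReq = {
  headers: {
    cookie: 'sid=sess-abc123',
    'sec-fetch-site': 'same-origin',
    referer: 'https://social.example/home',
  },
  query: { callback: 'cb' },
};

console.log('legacy, cross-site   :', legacyJsonp(crossSiteReq));
console.log('hardened, cross-site :', hardenedJsonp(crossSiteReq));
console.log('hardened, same-origin:', hardenedJsonp(sameOriginReq));
```

Run with `node` to see the legacy endpoint hand the masked phone number to the cross-site caller while the hardened one returns 403 and still serves the site's own pages. Note that the Referer fallback is only as good as the browser's referrer policy, which is why the Fetch Metadata check comes first and a missing signal is treated as untrusted.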
2.
Suppose the attacker left no information in our honeypot, but we still want to find this person.
At this point some illegal means are needed (of course, using the social engineering database above is also illegal). For example, the attacker attacks from an Alibaba Cloud IP, and you are an Alibaba Cloud employee, or you know someone at Alibaba Cloud with the relevant operational access.
In that case you can obtain the attacker's information through that access, then go to the social engineering database to dig up more about him, and you are done.
3.
Suppose the attacker uses a proxy host at a cloud provider outside mainland China.
Then you need a higher level of access to inspect traffic. For example, the IP x.x.x.x attacked me, and this IP belongs to a foreign country. I then need a privileged account that can search traffic on the national backbone network, or a friend who has such an account, to find out which domestic IP has recently connected to this foreign IP; that gives you the person's domestic IP. With that in hand, use step 2 to find the attacker's real identity.
These are the methods for tracing attackers that may come up in offensive and defensive drills.