Using Signals Intelligence in Cyber Security

2023-10-21 22:20


The “Cyber Security” field (also known as InfoSec, CND, IA, and so on) has to encompass many disciplines and bodies of knowledge, in both defensive and offensive practice. When you think about it, cyber security practitioners and InfoSec programs need skills and aptitude from many areas, such as computer science, IT knowledge, communication soft skills, and others. Disclaimer: This article, and the tools and techniques that are mentioned, are meant to be used for educational purposes only.

This article will cover the following objectives:

  • Understanding basic forms of what intelligence and signaling are, both as a practice and in terms of computing
  • A proof of concept (PoC) tool that demonstrates the use of stealthy signaling to accomplish cyber-security-related havoc
  • Recommendations on how to detect the presence of basic signaling communications on the network

Right now, there is great focus on Cyber Threat Intelligence (CTI). Many people think only of common attributes and often limiting identifiers such as IP addresses, GeoIP location, malware samples, and basic incident notifications. There is much more that encompasses a cyber attack, and much more to what our adversaries are capable of.

If you think about it, wouldn’t an Advanced Persistent Threat (APT) group also have several lines of business buying the same defenses that we as security practitioners have? Couldn’t APTs use those same tools to determine what vulnerabilities or opportunities they have for advancing their attacks and objectives? Or what about putting practices such as Signals Intelligence (SIGINT) and linguistic cryptography to work?

Today, the focus is on relatively static indicators of compromise (IOCs) because they are the easiest to identify. Unfortunately, these IOCs also have a very short window of realistic and actionable use. Security practitioners know that a good defense has to come in layers. However, we seem to be stuck in an almost “group think” mentality when it comes to CTI and intelligence in general, and we are not looking towards other disciplines for detection.

What is a Signal?

A signal is any representation that can be interpreted by someone or something with contextual awareness (codification) to either take an action or not. Usually signals are combined with timing intervals to help convey, or deliberately not convey, a message. If you look at a traffic light, you’ll notice that red means stop, yellow means yield, and green means proceed.

The codification is a common interpretation shared by at least two parties, otherwise known as context. Knowing that red means stop is an example of a signal (the red light itself) being encoded into something that results in an action or carries other useful meaning. Signals can also represent a change in the status quo: in our example, a light changing from red to green is a change in the baseline, the existing status or condition.

The encoded meaning of the change from red to green is to take action and begin moving through the intersection. In computers, this is accomplished in the same way: signal changes and notifications are common within operating systems as triggers for different actions.

What is intelligence?

Simply put: intelligence is information derived from the sampling or collection of data or metadata that can be put into action (manually or automated) to meet a specific objective. One of the many goals of the appropriate use of intelligence is to find or “dig” through information that is otherwise unknown, using different methods and other historically known information.

Applying SIGINT to Cyber Security

Presently, many security solutions and tools essentially base their value-add and their protection or detection capabilities on known intelligence and research made possible by security researchers. When known intelligence is applied in the cyber security world, we see it in the form of patches, anti-malware signatures, static access control lists, firewall rules, and even expert-system-based tools like SIEM rules (rules based not on heuristics and profiling, but only on “if, then, else” behavior programmed in as signatures).

The problem is that if an attacking group were to utilize a new or unknown form of communication or attack, these known intelligence sources would have nothing to go by. Most people refer to this as “0-day”, but it is much more than the technical exploitation of a vulnerability: hypothetically, the attacker group could use linguistic steganography in its communication. Now we have a real problem on our hands. A technical application of human-based contextual (encoded) communication means that firewalls, antivirus, and IDS/IPS, even with heuristics, won’t understand it. They won’t understand it because the communication doesn’t look like a typical technical attack and won’t necessarily use known “dirty words” (attack, blow-up, exploit, etc.).

With a basic understanding of signaling and intelligence, we can use concepts like codification and signaling to create new meanings and communications between a technical source and destination. Take a remote command that might be detected as malicious, such as “sc \\victimhost stop mpssvc”, which stops the built-in Windows firewall. A network monitoring device may detect this. But what if you sent a signal codified as a word or phrase like “open the floodgates”? You, as a human speaking English (the codification), know what that means; a computer, or a typical security device monitoring it, would not. All you would need to do is send the victim computer the new codified signal and have it run the “sc stop mpssvc” command locally, which reduces the chances of being caught.

Proof of Concept in Applying Counter-SIGINT to Cyber Security

I’ve created a simple two-part tool (client and server side) called SIGC2, which stands for Signaling Command and Control. The client sends a baseline signal to establish that the firewall service running on the local host is up and running. Once anyone stops the firewall, it sends a change signal to say that the firewall service has stopped. Once the change signal is successfully sent, the tool exits so it doesn’t keep chatting on the network (reducing the chances of getting caught). I’ve also designed it so that it utilizes only native PowerShell 2.x and NT CLI commands, which are built into all Windows 7.x and higher versions.

If you would like to download a copy to experiment with yourself, visit: https://github.com/dc401/SIGC2/

The receiver (server) script runs and listens for both the baseline and change signals. Once the receiver successfully sees 3 or more “baseline” (status up) signals, it begins monitoring for a “change” signal to let it know that the victim firewall host is down. Once the receiver successfully receives the change signal, it goes out and pings an external domain, for instance twice, to let the bad guy know the firewall is down. Once both signals are successfully received and the action of notifying the bad guy is finished, the listener exits to reduce the probability of getting caught.

Both the client and the server have to have the same understanding (codification) of the signal seed word you give them. The tool also has a randomization function built in: it waits anywhere from 1–10 seconds between sending signals to make it a little harder for someone monitoring for a covert timing channel. In the example below, we see a baseline signal word of “foobar”, meaning the firewall is up, and a change signal word of “woot”, denoting that the firewall is down.

The client script, running in PowerShell 2.x (native tools), shows the status of the “foobar” codified signal being sent, saying the firewall service is up and running. It is also set to send the “woot” codified signal when the firewall service stops running.

Let’s see what the server (receiver) does when it receives the baseline and change signals:

[Screenshot: receiver (server) script output]

The receiver uses the same codified words, “foobar” and “woot” (part of it was cut off in the picture, sorry). Once it received the base signal 3 times as a form of authentication (foobar), it waited for the change signal only once (woot) to perform an action, knowing that the client or source sender’s firewall is now down.

So what just happened? We were able to successfully send multiple signals, with randomized timing, between two computers on the same domain, using very basic linguistic encoding and cryptography to denote a status change. The signals also caused a command and control procedure to send a ping message out to an external party to notify an attacker that the firewall service was down. None of this would have been caught by typical network security tools, because all we sent was “foobar” and “woot”.
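The exchange described above (the baseline word repeated until the receiver has seen three of them, then a single change word, with a random 1–10 second gap between messages), modelled as an added Python example. This is not the SIGC2 project's own code: it produces only an in-memory trace of the messages a network sensor would see, and the receiver's "action" is a returned label rather than a ping or a service stop. The names `client_trace`, `Receiver` and `run_exchange`, and the assumption that the simulated firewall goes down after a fixed number of intervals, belong to this example.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

BASELINE_WORD = "foobar"   # codified "firewall is up" (word used in the article)
CHANGE_WORD = "woot"       # codified "firewall is down"
BASELINE_REQUIRED = 3      # receiver wants 3 baseline signals before trusting a change


@dataclass
class Signal:
    t: float      # seconds since the start of the exchange (simulated clock)
    word: str


def client_trace(up_intervals: int, rng: random.Random) -> List[Signal]:
    """Messages a client emits: `up_intervals` baseline words while the firewall
    is up, then one change word, then silence (the tool exits).  The gap before
    each message is drawn uniformly from 1-10 s, as the article describes."""
    t = 0.0
    out: List[Signal] = []
    for _ in range(up_intervals):
        t += rng.uniform(1, 10)
        out.append(Signal(t, BASELINE_WORD))
    t += rng.uniform(1, 10)
    out.append(Signal(t, CHANGE_WORD))          # assumption: firewall stops here
    return out


class Receiver:
    """State machine for the listening side: count baseline words; once
    BASELINE_REQUIRED have been seen the receiver is armed, and the first
    change word after arming triggers the action and ends the session."""

    def __init__(self) -> None:
        self.baseline_seen = 0
        self.armed = False
        self.done = False
        self.events: List[str] = []

    def feed(self, sig: Signal) -> Optional[str]:
        if self.done:                            # listener has already exited
            return None
        if sig.word == BASELINE_WORD:
            self.baseline_seen += 1
            if self.baseline_seen >= BASELINE_REQUIRED and not self.armed:
                self.armed = True
                self.events.append(f"armed at t={sig.t:.1f}s")
            return None
        if sig.word == CHANGE_WORD and self.armed:
            self.done = True
            self.events.append(f"change accepted at t={sig.t:.1f}s")
            return "firewall_down"               # stands in for the notification action
        # Unknown word, or a change word before the baseline "authentication": ignored.
        return None


def run_exchange(up_intervals: int, seed: int = 1) -> dict:
    """Drive one full exchange and summarise what happened."""
    rng = random.Random(seed)                    # seeded so runs are reproducible
    trace = client_trace(up_intervals, rng)
    rx = Receiver()
    action = None
    for sig in trace:
        result = rx.feed(sig)
        if result:
            action = result
    gaps = [round(b.t - a.t, 1) for a, b in zip(trace, trace[1:])]
    return {"messages": len(trace), "action": action, "armed": rx.armed,
            "gaps": gaps, "events": rx.events}


if __name__ == "__main__":
    print(run_exchange(3))   # 4 messages, armed after the 3rd, action "firewall_down"
    print(run_exchange(2))   # change word arrives before arming: ignored, no action
```

Running it with fewer than three baseline intervals shows the "authentication" property of the protocol: the change word alone does nothing, which is also why a defender looking only for the single rare word would miss the context that makes it meaningful.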

We didn’t send anything that looked like a command, code, or even what a log message might say. Not only that, both sides cut communication with each other after the signaling was received and the action taken, and we randomized the timing of the communication to throw off basic timing pattern matching and analysis.

Granted, this was a very simple example of just pinging out to the google.com domain. But what if we had more complex messages and signals that also executed multiple commands, or even exfiltrated data by word substitution to be reconstructed on the attacker’s side? What if we also increased the randomization of the timing, and chose not to encode the words in ASCII US-English but to use a different language or character set that is not easily interpreted? We have successfully introduced counter-signals intelligence into a theoretical cyber attack that would more than likely go unnoticed.

Recommendations for the use of Signaling Detection

Learning from our proof of concept tool and from the earlier sections of the article, you now recognize that certain attack vectors would be more difficult to detect if considerations for signals intelligence processing (or at least linguistic signaling, in our example) were not taken into account. Additionally, even if you manage to manually detect and observe recognizable patterns that you have correlated, you would have to write a static signature, and then the signals may disappear or change dynamically.

One recommendation for detection in this case is to utilize true historical profiling of traffic between machines. You would have to monitor the traffic and use statistical functions to locate “outliers” or other anomalies that aren’t typically seen in the profiled traffic content between the two hosts, or even on just one of the hosts. To automate this, you would need a SIEM-like tool that supports the use of mathematical functions to derive statistical correlations and other outliers, looking for patterns out of the ordinary over an extended period of time. This is different from how traditional SIEMs work today, which rely on known behavior (if-then-else based static signatures).
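One way to implement the profiling-and-outlier recommendation, as an added Python example (not code from the article or from the SIGC2 project). It builds a per-host-pair vocabulary from a historical window of constructed log lines, then scores a later window on two things a static signature cannot express: tokens that pair has never exchanged before, and inter-message timing whose spread (standard deviation over mean) is far larger than a periodic heartbeat would produce. The log format, the host addresses, the jitter threshold of 0.5 and the names `parse`, `build_profile`, `jitter` and `detect` are assumptions of this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not from the article).  The historical window is
# normal periodic traffic; the observation window later contains the codified
# signals described in the article ("foobar" three times, then "woot").
HISTORICAL = """
2023-10-21T22:00:00Z 10.0.0.5 -> 10.0.0.9 "status=ok"
2023-10-21T22:01:00Z 10.0.0.5 -> 10.0.0.9 "status=ok"
2023-10-21T22:02:00Z 10.0.0.5 -> 10.0.0.9 "status=ok"
2023-10-21T22:03:00Z 10.0.0.5 -> 10.0.0.9 "status=ok"
2023-10-21T22:00:00Z 10.0.0.5 -> 10.0.0.7 "status=ok"
2023-10-21T22:00:30Z 10.0.0.5 -> 10.0.0.7 "status=ok"
2023-10-21T22:01:00Z 10.0.0.5 -> 10.0.0.7 "status=ok"
"""

OBSERVED = """
2023-10-21T23:00:00Z 10.0.0.5 -> 10.0.0.9 "foobar"
2023-10-21T23:00:01Z 10.0.0.5 -> 10.0.0.9 "foobar"
2023-10-21T23:00:11Z 10.0.0.5 -> 10.0.0.9 "foobar"
2023-10-21T23:00:13Z 10.0.0.5 -> 10.0.0.9 "woot"
2023-10-21T23:00:00Z 10.0.0.5 -> 10.0.0.7 "status=ok"
2023-10-21T23:00:30Z 10.0.0.5 -> 10.0.0.7 "status=ok"
2023-10-21T23:01:01Z 10.0.0.5 -> 10.0.0.7 "status=ok"
2023-10-21T23:01:31Z 10.0.0.5 -> 10.0.0.7 "status=ok"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+) "(.*)"$')   # assumed log format
Pair = Tuple[str, str]
Row = Tuple[datetime, Pair, str]


def parse(text: str) -> List[Row]:
    """Turn the text log into (timestamp, (src, dst), message) rows."""
    rows: List[Row] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                               # skip lines that do not fit the format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, (m.group(2), m.group(3)), m.group(4)))
    return rows


def build_profile(rows: List[Row]) -> Dict[Pair, Set[str]]:
    """Historical vocabulary: every token each host pair has ever exchanged."""
    vocab: Dict[Pair, Set[str]] = defaultdict(set)
    for _, pair, msg in rows:
        vocab[pair].update(msg.split())
    return vocab


def pair_gaps(rows: List[Row], pair: Pair) -> List[float]:
    """Seconds between consecutive messages of one host pair."""
    ts = sorted(t for t, p, _ in rows if p == pair)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def jitter(gaps: List[float]) -> float:
    """Coefficient of variation of the gaps: ~0 for a fixed-interval heartbeat,
    close to 1 for the randomised 1-10 s spacing the article describes."""
    if len(gaps) < 2:
        return 0.0
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def detect(profile: Dict[Pair, Set[str]], rows: List[Row],
           jitter_threshold: float = 0.5) -> List[dict]:
    """Flag host pairs whose observed traffic departs from their own history."""
    alerts = []
    for pair, tokens in build_profile(rows).items():
        novel = tokens - profile.get(pair, set())
        j = jitter(pair_gaps(rows, pair))
        reasons = []
        if novel:
            reasons.append(f"never-seen tokens {sorted(novel)}")
        if j > jitter_threshold:
            reasons.append(f"irregular timing (jitter={j:.2f})")
        if reasons:
            alerts.append({"pair": pair, "novel": novel, "jitter": j, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_profile(parse(HISTORICAL)), parse(OBSERVED)):
        print(alert["pair"], "; ".join(alert["reasons"]))
```

Two caveats a practitioner would want: a host pair with no history at all makes every token "novel", so the profile needs a warm-up window before its alerts mean anything; and bursty but benign traffic can also score high on jitter, which is why the example reports both reasons together rather than alerting on timing alone.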

Remember that cyber security, on both the defensive and offensive sides, relies on multiple disciplines of knowledge that can be used as tools when applied. It’s not only about stopping what you or others know. It’s also about detecting and stopping the unknown.

Find out about more ways to bolster your cyber defense operations at: www.scissecurity.com

Translated from: https://medium.com/swlh/using-signals-intelligence-within-cyber-security-4bf7bfb7dd34
