In the HW network protection initiative, host security is the core defense position. Once a host is compromised, not only will business operations be affected, but it may also trigger a chain of security risks. Today, we present a highly practical guide for emergency response and traceback countermeasures for HW hosts, covering hardening and inspection techniques for both Windows and Linux systems, as well as key traceback and countermeasure methods to help strengthen the security defenses during network protection efforts!
1. Emergency Response for Windows Hosts
(1) Hardening Recommendations
Close ports such as 135 and 137 when not needed; if they must be kept open, set an access whitelist. Prioritize installing EDR, and if not available, use Huorong or Windows Defender; use different strong passwords for the host and associated applications, and promptly apply security patches; disable management backends for critical applications on the internet side, and clean up internal network password repositories.
(2) Inspection Dimensions
Use corresponding tools to inspect from 7 aspects: check for abnormal network connections and signatures in processes, examine startup items for various types and files, sort files by time and monitor directories, use D Shield to check for anomalies in accounts, focus on RDP and SMB logs, use tools like MRH to eliminate malicious programs, and remain vigilant against phishing.
2. Emergency Response for Linux Hosts
(1) Hardening Recommendations
Close port 22 when not needed; if it must be kept open, set a whitelist; install EDR protection, use strong passwords that are not repeated across different hosts, and try to delete the root account, as well as disable management backends for applications on the internet side.
(2) Inspection Dimensions
Attacks often use “one-shot” methods, focusing on 9 key items: check network connections using commands to view ports and connections, inspect processes for parent processes and file locations, look for scripts and account operation traces in historical commands, check for recently added files in key directories, examine users with UID 0 and cloned users, as well as scheduled tasks, startup items, antivirus scans, and log analysis.
3. Traceback and Countermeasures
(1) Traceback Techniques
The escalation of attack and defense makes IP traceback difficult; IPs from cloud service providers that are not CDN can be blocked, and deploying honeypots can assist in traceback. Information about attackers can be mined through network IDs (Weibo, QQ, etc.), search engines, domain/IP, Telegram, etc., such as phone numbers, emails, companies, etc.
(2) Countermeasure Techniques
The core of countermeasures is to control the opponent’s machine, which can be done through social engineering (adding friends to send undetectable malware), phishing (embedding links or undetectable files in emails), and exploiting vulnerabilities (brute force or utilizing RCE). Sample undetectability is crucial. If business operations are compromised, immediate hardening should be done for 🔶1-388 to 1-395, 1-398 to 1-435🔷.
(3) Case Reference
Detecting the attack IP from SIP, reverse-checking the domain, and then using search engines, GitHub, etc., to mine complete information about the attacker such as QQ, email, name, phone number, etc., to provide a basis for handling.