| Graduate student: | 陳一銘 Michael Chen |
|---|---|
| Thesis title: | 以MITRE ATT&CK分析工具探討公有雲攻擊緩解之研究 (A Research on Mitigating Public Cloud Attacks Using the MITRE ATT&CK Framework) |
| Advisor: | 陳奕明 |
| Committee members: | |
| Degree: | 碩士 (Master) |
| Department: | 管理學院 - 資訊管理學系在職專班 (College of Management, Executive Master of Information Management) |
| Year of publication: | 2024 |
| Academic year of graduation: | 112 (ROC academic year) |
| Language: | Chinese |
| Pages: | 69 |
| Chinese keywords (translated): | cloud security, data breaches, MITRE ATT&CK, Cyber Kill Chain, public cloud, access control, cybersecurity incident analysis |
| English keywords: | Cloud security, Data Breaches, MITRE ATT&CK, Cyber Kill Chain, Public Cloud, Access Control, Cybersecurity Incident Analysis |
Abstract (Chinese, translated):

This study analyzes in depth three major data breach cases: the SolarWinds supply chain attack, the Target data breach, and the Capital One customer data breach. Using the MITRE ATT&CK framework and the Cyber Kill Chain model to evaluate the attackers' behaviour patterns, it identifies the common weaknesses in account and credential management shared by these cases. The study finds that attackers frequently use stolen credentials to bypass access control mechanisms and gain unauthorized access to sensitive information in the cloud or on premises. To mitigate this risk, the study proposes a low-cost solution applicable to mainstream public cloud platforms such as AWS, Azure and GCP that strengthens access control over accounts and credentials through IP address range restrictions, without changing the existing architecture. By configuring an IP address range restriction policy in the platform's identity and access management service, only requests originating from the corporate internal network or other trusted IP ranges can reach cloud resources. Experimental results show that this method effectively blocks unauthorized access from IP addresses outside the enterprise, thereby lowering the risk that stolen account credentials are misused.

The main contributions of this study are a systematic analysis of three major data breach cases that identifies common weaknesses in account and credential management; a low-cost account security solution applicable to mainstream public cloud platforms; and a detailed description of the concrete steps and configuration methods for implementing IP range restrictions on the three major public cloud platforms. The proposed solution has practical application value and offers small and medium-sized enterprises an inexpensive and feasible way to improve the security of their cloud resources.

Abstract (English):
This study thoroughly analyzes three major data breach incidents: the SolarWinds supply chain attack, the Target data breach, and the Capital One data breach. Using the MITRE ATT&CK framework and Cyber Kill Chain model, it evaluates attacker behavior and identifies common weaknesses in account and credential management. The research finds that attackers often use stolen credentials to bypass access controls and illegally access sensitive cloud or on-premises information.
To mitigate this risk, the study proposes a low-cost solution for major public cloud platforms like AWS, Azure, and GCP. Without altering existing infrastructure, it enhances account and credential access control through IP address range restrictions. By setting IP range restriction policies in access management services, only requests from the internal corporate network or other trusted IP ranges can access cloud resources. Experimental results show this method effectively blocks unauthorized access from external IPs, reducing the risk of credential theft.
The study's main contributions include a systematic analysis of three major data breaches to identify common weaknesses in account and credential management, proposing a low-cost security solution for mainstream public cloud platforms, and detailing the steps and configurations for implementing IP range restrictions. This solution offers practical value, providing a cost-effective approach for small and medium-sized enterprises to enhance cloud resource security.
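As an added illustration of the IP range restriction the abstract describes (example code written for this page, not the thesis's own scripts), the block below builds an AWS IAM policy in the shape of the AWS-documented "deny access based on source IP" example and evaluates its condition locally so the effect can be checked without an AWS account. The trusted ranges and request addresses are constructed sample values from the RFC 5737 test networks, the evaluator is a deliberate simplification of IAM's condition logic (only `NotIpAddress`/`aws:SourceIp` and `Bool`/`aws:ViaAWSService` are modelled), and `build_deny_outside_ip_policy` and `evaluate` are names chosen here, not AWS APIs.

```python
"""Deny-outside-trusted-IP policy for AWS IAM, with a local evaluator.

Added example (not the thesis's own code). The policy shape follows the
AWS-documented "deny based on source IP" example; the evaluator is a local
approximation of IAM's condition matching, not the IAM engine itself.
"""
import ipaddress
import json

# Constructed sample: the "corporate" ranges that should stay allowed
# (RFC 5737 documentation networks, not a real corporate network).
TRUSTED_RANGES = ["192.0.2.0/24", "203.0.113.0/24"]


def build_deny_outside_ip_policy(trusted_ranges):
    """Return an IAM policy document that denies every action unless the
    request originates from one of trusted_ranges.

    aws:ViaAWSService is pinned to "false" so that calls an AWS service
    makes on the principal's behalf (which carry the service's address,
    not the user's) are not caught by the deny; without that condition
    the policy breaks such service-to-service workflows.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": list(trusted_ranges)},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }],
    }


def _ip_in_ranges(ip, ranges):
    """True if ip (v4 or v6) falls inside any CIDR range in ranges."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never inside an IPv4 network and vice versa.
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(policy, source_ip, via_aws_service=False):
    """Apply the policy's Deny statements to one request.

    Returns "Deny" when an explicit deny matches, otherwise "NotApplicable"
    (other policies decide; a deny-only policy never grants access).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        not_ip = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        via_flag = cond.get("Bool", {}).get("aws:ViaAWSService")
        # NotIpAddress matches when the source is OUTSIDE every listed range.
        ip_matches = (not _ip_in_ranges(source_ip, not_ip)) if not_ip else True
        via_matches = True
        if via_flag is not None:
            via_matches = str(via_aws_service).lower() == via_flag
        if ip_matches and via_matches:
            return "Deny"
    return "NotApplicable"


if __name__ == "__main__":
    policy = build_deny_outside_ip_policy(TRUSTED_RANGES)
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: inside the range, outside it, and
    # outside it but issued by an AWS service on the user's behalf.
    for ip, via in [("192.0.2.10", False), ("198.51.100.7", False),
                    ("198.51.100.7", True)]:
        print(ip, "via service" if via else "direct", "->",
              evaluate(policy, ip, via))
```

The printed policy is what would be attached to the IAM users or groups whose credentials should be unusable from outside the corporate network; the local evaluator only shows why the `NotIpAddress` condition blocks a stolen credential used from an external address while leaving in-range and service-originated calls to the rest of the account's policies. On Azure the comparable control is a Conditional Access policy scoped to named locations, and on GCP an access level in Access Context Manager; the thesis covers the concrete steps for all three platforms.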