References
[1] R. Wang, "Application and Development of Cloud Computing Technology in Computer Data Processing," Journal of Physics: Conference Series, vol. 1992, no. 2, p. 022093, Aug. 2021, doi: 10.1088/1742-6596/1992/2/022093.
[2] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds," in Proceedings of the 16th ACM conference on Computer and communications security, 2009, pp. 199-212.
[3] Д. Затонацький, В. Маргасова, and Н. Корогод, "Insider Threat Management as an Element of the Corporate Economic Security," Financial and credit activity problems of theory and practice, vol. 1, no. 36, pp. 149-158, 2021, doi: 10.18371/fcaptp.v1i36.227690.
[4] B.-S. Gigler, A. Casorati, and A. Verbeek, Financing the Future of Supercomputing: How to Increase Investment in High Performance Computing in Europe. European Investment Bank, 2018.
[5] IBM, Cost of a Data Breach Report 2023 (IBM Security). 2023.
[6] J. Martínez and J. M. Durán, "Software Supply Chain Attacks, a Threat to Global Cybersecurity: SolarWinds’ Case Study," International Journal of Safety and Security Engineering, vol. 11, no. 5, pp. 537-545, 2021.
[7] "Sources: Target Investigating Data Breach." https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/ (accessed 04/20, 2024).
[8] 蔡娪嫣. "藝高人膽大?美銀行「Capital One」1億用戶資料外洩,女駭客上網炫耀「傑作」後落網." 風傳媒. https://www.storm.mg/article/1539770?mode=whole (accessed 4/20, 2024).
[9] Daasel. "¿Qué Podemos Aprender Del Ciberataque a Solarwinds?" Daasel. https://daasel.com/que-podemos-aprender-del-ciberataque-a-solarwinds/ (accessed 3/20, 2024).
[10] "SolarWinds Hack Will Alter US Cyber Strategy," Oxford Analytica, Jan. 29, 2021, doi: 10.1108/oxan-db259151.
[11] M. Novinson. "SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million." https://www.crn.com/news/security/solarwinds-hack-could-cost-cyber-insurance-firms-90-million (accessed 3/20, 2024).
[12] K. McCoy. "Target to Pay $18.5M for 2013 Data Breach that Affected 41 Million Consumers." https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/ (accessed 3/20, 2024).
[13] S. Khan, I. Kabanov, Y. Hua, and S. Madnick, "A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned," ACM Transactions on Privacy and Security, vol. 26, no. 1, pp. 1-29, 2022.
[14] Capital One. "Information on the Capital One Cyber Incident." https://www.capitalone.com/digital/facts2019/ (accessed 3/9, 2024).
[15] E. F. a. K. Weise. "Capital One Data Breach Compromises Data of Over 100 Million." https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html (accessed 3/15, 2024).
[16] 林妍溱. "美國Capital One銀行個資外洩案遭罰8千萬美元." https://www.ithome.com.tw/news/139316 (accessed 4/20, 2024).
[17] D. Shackleford, "SANS 2019 Cloud Security Survey," SANS Institute Reading Room, SANS Institute, 2019.
[18] E. Chickowski, "Leaky Buckets: 10 Worst Amazon S3 Breaches," Bitdefender, 2018.
[19] M. Suganya and T. Prabha, "A Comprehensive Analysis of Data Breaches and Data Security Challenges in Cloud Environment," Available at SSRN 4111762, 2022.
[20] C. S. Ranganathan and R. Sampathrajan, "Cloud Migration Meets Targeted Deadlines," in 2023 4th International Conference on Electronics and Sustainable Communication Systems (ICESC), 2023: IEEE, pp. 672-676.
[21] 經濟部及中小及新創企業署, 112年中小企業白皮書 (經濟部及中小及新創企業署). 經濟部及中小及新創企業署: 經濟部及中小及新創企業署, 2023, p. 263.
[22] Lockheed Martin. "The Cyber Kill Chain." https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html (accessed 3/3, 2024).
[23] S. H. Rashid and W. D. Abdullah, "Enhanced Website Phishing Detection Based on the Cyber Kill Chain and Cloud Computing," Indonesian Journal of Electrical Engineering and Computer Science, vol. 32, no. 1, pp. 517-529, 2023.
[24] L. M. Fadzil, S. Manickam, and M. A. Al-Shareeda, "A Review of An Emerging Cyber Kill Chain Threat Model," in 2023 Second International Conference on Advanced Computer Applications (ACA), 2023: IEEE, pp. 157-161.
[25] A. u. Shehu, M. Umar, and A. Aliyu, "Cyber Kill Chain Analysis Using Artificial Intelligence," Asian Journal of Research in Computer Science, vol. 16, no. 3, pp. 210-219, 2023.
[26] B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, "MITRE ATT&CK: Design and Philosophy," Technical report, The MITRE Corporation, 2018.
[27] "TECHNIQUES — ENTERPRISE ATT&CK CHANGELOG." https://center-for-threat-informed-defense.github.io/attack-sync/v13.1-v14.0/enterprise-attack/techniques/ (accessed 2/15, 2024).
[28] R. Al-Shaer, J. M. Spring, and E. Christou, "Learning the Associations of MITRE ATT&CK Adversarial Techniques," in 2020 IEEE Conference on Communications and Network Security (CNS), 2020: IEEE, pp. 1-9.
[29] A. Georgiadou, S. Mouzakitis, and D. Askounis, "Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework," Sensors, vol. 21, no. 9, p. 3267, 2021.
[30] M. Ahmed, S. Panda, C. Xenakis, and E. Panaousis, "MITRE ATT&CK-Driven Cyber Risk Assessment," in Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022, pp. 1-10.
[31] A. Kuppa, L. Aouad, and N.-A. Le-Khac, "Linking CVE’s to MITRE ATT&CK Techniques," in Proceedings of the 16th International Conference on Availability, Reliability and Security, 2021, pp. 1-12.
[32] B. Ampel, S. Samtani, S. Ullman, and H. Chen, "Linking Common Vulnerabilities and Exposures to the MITRE ATT&CK Framework: A Self-Distillation Approach," arXiv preprint arXiv:2108.01696, 2021.
[33] R. Kwon, T. Ashley, J. Castleberry, P. Mckenzie, and S. N. G. Gourisetti, "Cyber Threat Dictionary Using MITRE ATT&CK Matrix and Nist Cybersecurity Framework Mapping," in 2020 Resilience Week (RWS), 2020: IEEE, pp. 106-112.
[34] W. Xiong, E. Legrand, O. Åberg, and R. Lagerström, "Cyber Security Threat Modeling Based on the MITRE Enterprise ATT&CK Matrix," Software and Systems Modeling, vol. 21, no. 1, pp. 157-177, 2022.
[35] S. Cyber. "SolarWinds SUNBURST Backdoor DGA and Infected Domain Analysis." Cybercrime Magazine. https://cybersecurityventures.com/solarwinds-sunburst-backdoor-dga-and-infected-domain-analysis/ (accessed 2/29, 2024).
[36] 羅正漢. "臺灣研究人員解析SolarWinds供應鏈攻擊事件,攻擊者善於規避偵測、偽裝並融入環境." iThome. https://www.ithome.com.tw/news/143240 (accessed 3/14, 2024).
[37] S. Shah. "The Financial Impact of SolarWinds Breach." https://www.bitsight.com/blog/the-financial-impact-of-solarwinds-a-cyber-catastrophe-but-insurance-disaster-avoided (accessed 3/14, 2024).
[38] D. J. Fortune, "Federal Government Continues Its Big Push for Cybersecurity with SEC Action Against SolarWinds and Its CISO," Bradley, Nov. 27, 2023.
[39] 柯志賢、陳志明、周哲賢. "從SolarWinds事件看供應鏈資安責任共擔." 勤業眾信通訊. https://www2.deloitte.com/tw/tc/pages/audit/articles/solarWinds-information-security-responsibility.html (accessed 03/17, 2024).
[40] F. Pigni, M. Bartosiak, G. Piccoli, and B. Ives, "Targeting Target with a 100 million dollar data breach," Journal of Information Technology Teaching Cases, vol. 8, no. 1, pp. 9-23, 2018.
[41] S. Kashmiri, C. D. Nicol, and L. Hsu, "Birds of a Feather: Intra-Industry Spillover of the Target Customer Data Breach and the Shielding Role of IT, Marketing, and CSR," Journal of the Academy of Marketing Science, vol. 45, pp. 208-228, 2017.
[42] X. Shu, K. Tian, A. Ciambrone, and D. Yao, "Breaking the Target: An Analysis of Target Data Breach and Lessons Learned," arXiv preprint arXiv:1701.04940, 2017.
[43] 黃智勤. "Capital One併同業成美信用卡龍頭 Visa腳軟." https://www.moneydj.com/kmdj/news/newsviewer.aspx?a=2eecca31-4f1e-4ae1-87ce-f4674f2d9f30 (accessed 3/21, 2024).
[44] P. Release. "Capital One Completes Acquisition of Hudson’s Bay Company’s Credit Card Portfolio." 2024. https://web.archive.org/web/20170505165219/http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=1858657 (accessed 3/20, 2024).
[45] D. Henry. "Capital One Customer Data Breach Rattles Investors." https://www.reuters.com/article/us-capital-one-fin-cyber-amazon-com-idUSKCN1UP1LD/ (accessed 3/28, 2024).
[46] J. Reeves. "Capital One Breach Shows Value of Cyber Insurance." https://www.lawyersmutualnc.com/blog/capital-one-breach-shows-value-of-cyber-insurance (accessed 3/28, 2024).
[47] N. Novaes Neto, S. Madnick, M. G. de Paula, and N. Malara Borges, "A Case Study of the Capital One Data Breach," Jan. 1, 2020.
[48] K. Al-talak and O. Abbass, "Detecting Server-Side Request Forgery (SSRF) Attack by Using Deep Learning Techniques," Int. J. Adv. Comput. Sci. Appl, vol. 12, no. 12, 2021.
[49] W. Feuer. "Sens. Warren and Wyden urge FTC to Investigate Amazon’s Role in Capital One Hack." CNBC. https://www.cnbc.com/2019/10/24/senators-urge-investigation-of-amazons-role-in-capital-one-hack.html (accessed 3/25, 2024).
[50] MITRE ATT&CK. "SolarWinds Compromise, Campaign C0024 | MITRE ATT&CK®." https://attack.mitre.org/campaigns/C0024/ (accessed 3/20, 2024).
[51] S. Schuetz, P. B. Lowry, and J. Thatcher, "Defending Against Spear-Phishing: Motivating Users Through Fear Appeal Manipulations," in 20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan, June, 2016.
[52] T. D. Breach, "A “Kill Chain” Analysis of the 2013 Target Data Breach," 2014.
[53] MITRE ATT&CK. "Valid Accounts, Technique T1078 - Enterprise | MITRE ATT&CK®." https://attack.mitre.org/techniques/T1078/ (accessed 3/20, 2024).
[54] R. S. Sandhu, "Role-Based Access Control," in Advances in computers, vol. 46: Elsevier, 1998, pp. 237-286.
[55] AWS. "Security Best Practices in IAM." https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html (accessed 3/20, 2024).
[56] Azure. "Azure Identity Management and Access Control Security Best Practices." https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices (accessed 3/20, 2024).
[57] Google Cloud. "13 Best Practices for User Account, Authentication, and Password Management." https://cloud.google.com/blog/products/identity-security/account-authentication-and-password-management-best-practices (accessed 3/20, 2024).
[58] V. Fuller and T. Li, "Classless Inter-Domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan," 2070-1721, 2006.
[59] AWS. "AWS: Denies Access to AWS Based on the Source IP." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html (accessed 3/1, 2024).
[60] Azure. "New name for Azure Active Directory." https://learn.microsoft.com/en-us/entra/fundamentals/new-name (accessed 05/19, 2024).
[61] 陳一銘. "資安議題研究實驗環境建置 Script." https://github.com/gitmich/cloud-account-mitigation-solution (accessed 5/20, 2024).
[62] E. Kovacs. "AMD Investigating Breach Claims After Hacker Offers to Sell Data." https://www.securityweek.com/amd-investigating-breach-claims-after-hacker-offers-to-sell-data/ (accessed 7/5, 2024).