摘要 隨著網際網路的普及,網路攻擊入侵的事件也層出不窮,因而造成社會、企業組織及大眾的困擾與恐懼。而持續演進的攻擊手法,對於組織所造成的損失也越趨嚴重。然而許多入侵活動與特權帳號管理息息相關,特權帳號若被盜用則易造成組織的內部威脅。因此對特權帳號進行妥善管理是必需的,對於其使用行為亦須加以監控,以避免異常使用行為的發生而對企業組織造成傷害。 本研究以某組織的特權帳號管理機制為研究對象,透過強化其「特權帳號管理」作業模式,並結合「資安事件管理平台系統 ( SIEM )」的紀錄管理及即時告警之功能,探討如何透過系統整合建立一套工具,對特權帳號使用行為能有效即時監控各種登入行為樣態,且具有即時自動告警機制,針對特權帳號異常登入行為發生時能即時通知管理人員,使其可在第一時間掌握情況並採取因應策略,以避免或減少入侵行為對於企業組織的危害。 本研究以常見之特權帳號登入成功行為之樣態種類,建立了十二種樣態組合之關聯分析規則,可供SIEM作為前述異常行為檢核之用,並經測試驗證此十二項規則皆能有效即時偵測特權帳號異常登入行為,因此運用於企業組織將強化其防禦能力,當遭遇到資訊安全攻擊時能透過本研究之即時監測機制早期發現,並快速因應以大幅降低損失及傷害。;Abstract With the rise in popularity of the Internet, the events of cyber attacks have also emerged endlessly, causing troubles and fears of society, enterprise organizations and the public. The continually evolving attack methods have also caused the losses of the organization to become more serious. However, many intrusions are related to privileged account management. If a privileged account is stolen, it is likely to cause internal threats to the organization. Therefore, proper management of privileged accounts is necessary. It is also need to monitor the usage behavior of their privileged accounts to avoid damage to the organization caused by abnormal use. This study is based on an organization′s privileged account management mechanism. It strengthens its "privileged account management" operation mode and combines the functions of the " security information and event management (SIEM) " records and logs management and instant alarms to explore how to through the system integration to establish a mechanism for effective monitoring and real-time analysis of various privileged account login behaviors, and have an automatic alert function. When an abnormal login behavior occurs, the privileged account administrator can be notified immediately, so that the administrator can grasp the situation and take countermeasures in the first time to avoid or reduce the harm of the intrusion to the organization. Through the common privileged account login success behavior type, the correlation rules of twelve patterns are developed, which can be used by SIEM as the aforementioned abnormal behavior check in this study. It has been tested and verified that these twelve correlation rules can instantly detect abnormal login behavior of privileged accounts, so the application to enterprise organizations will strengthen their immediate defense capabilities. When an organization encounters information security attacks, it can achieve early detection through the instant monitoring mechanism of this research, and quickly respond to significantly reduce losses and injuries.
