資安協作自動化應變(SOAR)對於企業資安防護之研究-以P公司為例

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：113

、訪客IP：3.141.201.209

姓名

黃智鋒(CHIH-FENG HUANG) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

資安協作自動化應變(SOAR)對於企業資安防護之研究-以P公司為例
(Study on the Impact of Security Orchestration, Automation, and Re-sponse (SOAR) on Enterprise Cybersecurity Protection - A Case Study of Company P)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 (2029-7-1以後開放)

摘要(中)

隨著網際網路的快速發展，勒索軟體攻擊愈發頻繁，這些攻擊往往難以完全阻止。然而企業不僅面臨著日益複雜的資安管理挑戰，同時也遭遇了專業人才的短缺。資安協作自動化應變(SOAR)技術解決方案號稱為能夠改善這些問題，但從企業角度來看，實際驗證SOAR在企業環境中資安防護效益的案例仍然不足，無法讓決策者了解其實際導入效益及評估其導入應用流程。
因此本研究交採用個案研究法，透過分析三個具體的資訊安全應變處理場景，包括TW-ISAC情資應用流程、群組原則設置異常監控應用流程和誘餌檔案異動偵測流程，來實際驗證導入SOAR後的差異與效益。研究結果顯示，應用SOAR系統後，這些場景的處理時間均顯著縮短，從而證明了SOAR技術在整合安全工具及實現流程自動化方面的巨大潛力。透過這些案例分析，本研究不僅證實了SOAR系統在強化企業資安防護和提高安全事件處置效率方面的價值，也為企業資安管理的自動化變革提供了重要的參考。

摘要(英)

With the rapid development of the Internet, ransomware attacks have become increas-ingly frequent and are often difficult to completely prevent. Companies are not only facing increasingly complex cybersecurity management challenges but also encountering a short-age of professional talent. Security Orchestration, Automation, and Response (SOAR) tech-nology solutions are claimed to address these issues. However, from a corporate perspective, there are still insufficient cases verifying the security benefits of SOAR in enterprise envi-ronments, leaving decision-makers unable to understand its actual implementation benefits and evaluate its application processes.
Therefore, this study adopts a case study approach, analyzing three specific cybersecu-rity incident response scenarios: the TW-ISAC intelligence application process, the abnor-mal group policy setting monitoring application process, and the decoy file alteration detec-tion process, to practically verify the differences and benefits after implementing SOAR. The results of the study show that after applying the SOAR system, the processing time for these scenarios was significantly reduced, thereby demonstrating the great potential of SOAR technology in integrating security tools and achieving process automation. Through these case analyses, this study not only confirms the value of the SOAR system in enhancing enterprise cybersecurity protection and improving the efficiency of handling security inci-dents but also provides important references for the automation transformation of corporate cybersecurity management.

關鍵字(中)

★ 企業資安
★ 網路安全
★ 資安協作自動化應變
★ 安全事件檢測與回應
★ 自動化流程

關鍵字(英)

★ enterprise cybersecurity
★ cybersecurity
★ security orchestration automated response
★ incident detection and response
★ process automation
★ SOAR

論文目次

摘要 i
ABSTRACT ii
致謝 iii
目錄 iv
表目錄 vii
圖目錄 viii
第一章緒論 1
1.1 研究背景 1
1.2 研究動機 2
1.3 研究目的 3
1.4 論文架構 5
第二章文獻探討 6
2.1 勒索病毒 (Ransomware) 6
2.1.1 病毒發展背景 6
2.1.2 勒索病毒加密標的 10
2.1.3 勒索病毒偵測機制 10
2.2 資安威脅情資(Threat Intelligence) 11
2.2.1 威脅情資定義及類別 11
2.2.2 資訊分享與分析中心(Information Sharing and Analysis Center, ISAC) 12
2.3 資安協作自動化應變SOAR(Security Orchestration, Automation and Response) 13
2.3.1 SOAR背景及定義 13
2.3.2 SOAR應用與探討 15
2.3.3 SOAR與其他資安工具比較 16
2.4 資安防護框架及安全指標 18
2.4.1 安全防護框架 18
2.4.2 安全關鍵指標MTTD/ MTTR 19
2.5章節小節 20
第三章研究設計 22
3.1 研究方法 22
3.2 研究對象及架構 22
3.2.1 資訊安全應用架構框架 23
3.3 實驗環境 25
3.3.1 SOAR實驗環境配置 25
3.3.2 SOAR環境建置 28
3.4 實驗流程設計 29
3.4.1 設計情境一：TW-ISAC情資應用流程 29
3.4.2 設計情境二：GPO(Group Policy Object)異常監控應用流程 35
3.4.3 設計情境三：誘餌檔案異動偵測流程 41
第四章實驗結果 46
4.1 實驗情境一：TW-ISAC情資應用流程 46
4.1.1偵測及擷取情資通報 46
4.1.2資料檢驗及分類應用流程 49
4.1.3自動阻擋及通報實施流程 50
4.1.4情境一實驗結果 54
4.2 實驗情境二：GPO異常監控應用流程 62
4.2.1 偵測及擷取警報郵件內容 62
4.2.2 資料檢驗及分類應用流程 64
4.2.3 自動阻擋及通報實施流程 68
4.2.4 情境二實驗結果 70
4.3 實驗情境三：誘餌檔案異動偵測流程 76
4.3.1 偵測及擷取警報郵件內容 76
4.3.2 資料檢驗及分類應用流程 78
4.3.3 自動阻擋、查詢及通報實施流程 80
4.3.4 情境三實驗結果 84
4.4 個案情境驗證結果 90
4.5 研究限制 92
第五章結論與未來研究 94
5.1 結論與貢獻 94
5.2 未來研究 95
參考文獻 96

參考文獻

[1] H. Orman, "The Morris Worm:A Fifteen-Year Perspective," IEEE Security & Privacy, vol. 1, no. 5, pp. 35-43, 2003, doi: 10.1109/Msecp.2003.1236233.
[2] P. H. Meland, Y. F. F. Bayoumy, And G. Sindre, "The Ransomware-As-A-Service Economy Within The Darknet," Computers & Security, vol. 92, p. 101762, 2020, doi: https://doi.org/10.1016/j.cose.2020.101762.
[3] Check Point, "H1 2023 In Cybersecurity," https://research.checkpoint.com/2023/h1-2023-in-cybersecurity/, (accessed 2024/03/17).
[4] Cyberint, "2023 Ransomware Recap by Cyberint," https://l.cyberint.com/ransomware-recap-2023, (accessed 2024/04/10).
[5] E. Kovacs, "Ransomware Payments Surpassed $1 Billion In 2023:Analysis," https://www.securityweek.com/ransomware-payments-surpassed-1-billion-in-2023-analysis/, (accessed 2024/03/15).
[6] 王宏仁, "【臺灣史上最大資安事件】深度剖析台積產線中毒大當機始末," https://www.ithome.com.tw/news/125098, (accessed 2024/03/17).
[7] 公開資訊觀測站, "重大資安訊息," https://mops.twse.com.tw/mops/web/t05sr01_1, (accessed 2024/03/17).
[8] 金融監督管理委員會, "「公開發行公司建立內部控制制度處理準則」第九條之一、第四十七條修正草案已完成預告程序，將於近期發布施行," https://www.fsc.gov.tw/ch/home.jsp?id=2&parentpath=0&mcustomize=news_view.jsp&dataserno=202112230009&dtable=News, (accessed 2024/03/17).
[9] 行政院, "數位發展部於111年8月27日掛牌成立," https://www.ey.gov.tw/Page/5B2FC62D288F4DB7/3fe103aa-c3f8-4c46-af23-efd5aa133729, (accessed 2024/03/17).
[10] 總統府, "國家資通安全研究院揭牌," https://www.president.gov.tw/News/27301, (accessed 2024/03/17).
[11] 經濟部產業人才發展資訊網, "資安長的職能與人才發展," https://www.italent.org.tw/ePaperD/9/ePaper20230100006, (accessed 2024/03/12).
[12] ISC2, "Cybersecurity Workforce Study," https://www.isc2.org/research, (accessed 2024/03/12).
[13] E. S. Group, "SOC Modernization And The Role Of XDR," https://www.techtarget.com/esg-global/survey-results/esg-complete-survey-results-soc-modernization-and-the-role-of-xdr/, (accessed 2024/02/12).
[14] R. Brewer, "Ransomware Attacks: Detection, Prevention And Cure," Network Security, vol. 2016, no. 9, pp. 5-9, 2016.
[15] A. Young And Y. Moti, "Cryptovirology:Extortion-Based Security Threats And Countermeasures," In Proceedings 1996 IEEE Symposium On Security And Privacy, 6-8 May 1996, pp. 129-140, doi: 10.1109/SECPRI.1996.502676.
[16] Kaspersky, "Ransomware Attacks And Types – How Encryption Trojans Differ," https://www.kaspersky.com/resource-center/threats/ransomware-attacks-and-types, (accessed 2024/03/17).
[17] P. O′Kane, S. Sezer, And D. Carlin, "Evolution Of Ransomware," IET Networks, vol. 7, no. 5, pp. 321-327, 2018, doi:10.1049/iet-net.2017.0207.
[18] H. S. Lallie et al., "Cyber Security In The Age Of COVID-19: A Timeline And Analysis Of Cyber-Crime And Cyber-Attacks During The Pandemic," Computers & Security, vol. 105, p. 102248, 2021/06/01/, doi: https://doi.org/10.1016/j.cose.2021.102248.
[19] Metaage, "勒索病毒如何防範？認識傳播途徑、預防方法，保衛資訊安全！," https://www.metaage.com.tw/news/technology/211, (accessed 2024/03/17).
[20] M. Paquet-Clouston, B. Haslhofer, And B. Dupont, "Ransomware Payments In The Bitcoin Ecosystem," Journal Of Cybersecurity, vol. 2024/03/17, no. 1, p. tyz003, 2019, doi: 10.1093/cybsec/tyz003.
[21] V. Szücs, G. Arányi, And Á. Dávid, "Introduction Of The ARDS—Anti-Ransomware Defense System Model—Based On The Systematic Review of Worldwide Ransomware Attacks," Applied Sciences, vol. 11, no. 13, p. 6070, 2021, doi: 10.3390/app11136070.
[22] SonicWall, "Number Of Ransomware Attempts Per Year 2022," https://www.statista.com/statistics/494947/ransomware-attempts-per-year-worldwide/, (accessed 2024/03/17).
[23] C. Sausalito, "Ransomware Will Strike Every 2 Seconds By 2031," In Cybercrime Magazine, ed, 2022.
[24] A. T. Tunggal, "17 Ransomware Examples & How They Occurred," https://www.upguard.com/blog/ransomware-examples, (accessed 2024/03/17).
[25] N. J. Palatty, "2024 年 100 多個勒索軟體攻擊統計：趨勢與成本 --- 100+ Ransomware Attack Statistics 2024: Trends & Cost," https://www.getastra.com/blog/security-audit/ransomware-attack-statistics/#The_number_of_ransomware_attacks_per_year, (accessed 2024/03/17).
[26] A. Jackson, "Top 10 Ransomware Attacks," https://cybermagazine.com/articles/top-10-ransomware-attacks, (accessed 2024/03/17).
[27] 趨勢科技, "十大知名勒索病毒," https://blog.trendmicro.com.tw/?p=72601, (accessed 2024/03/17).
[28] IThome,"資安專區," https://www.ithome.com.tw/security, (accessed 2024/03/17).
[29] Y.-S. Lin And C.-F. Lee, "Ransomware Detection And Prevention Through Strategically Hidden Decoy File," International Journal of Network Security, vol. 25, no. 2, pp. 212-220, 2023, doi: 10.6633/ijns.202303_25(2).04.
[30] Q. Chen And R. A. Bridges, "Automated Behavioral Analysis Of Malware: A Case Study Of WannaCry Ransomware," 2017, doi: 10.1109/icmla.2017.0-119.
[31] S. Mehnaz, A. Mudgerikar, And E. Bertino, "RWGuard:A Real-Time Detection System Against Cryptographic Ransomware," Springer International Publishing, 2018, pp. 114-136.
[32] C. Moore, "Detecting Ransomware With Honeypot Techniques," in 2016 Cybersecurity And Cyberforensics Conference (CCC), 2-4 Aug. 2016, pp. 77-81, doi:10.1109/CCC.2016.14.
[33] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, And E. Kirda, "Cutting The Gordian Knot:A Look Under The Hood Of Ransomware Attacks," Springer International Publishing, 2015, pp. 3-24.
[34] A. O. Almashhadani, M. Kaiiali, S. Sezer, And P. O′Kane, "A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study Of Locky Ransomware," IEEE Access, vol. 7, pp. 47053-47067, 2019, doi:10.1109/access.2019.2907485.
[35] O. M. K. Alhawi, J. Baldwin, And A. Dehghantanha, "Leveraging Machine Learning Techniques For Windows Ransomware Network Traffic Detection," Springer International Publishing, 2018, pp. 93-106.
[36] T. D. Wagner, K. Mahbub, E. Palomar, And A. E. Abdallah, "Cyber Threat Intelligence Sharing： Survey And Research Directions," Computers & Security, vol. 87, p. 101589, 2019/11/01/, doi: https://doi.org/10.1016/j.cose.2019.101589.
[37] Solutionary, "Threat Intelligence Defined,." White Paper, 2015, pp. 6–13.
[38] M. Bromiley, "Threat Intelligence:What It Is, And How To Use It Effectively," SANS Institute InfoSec Reading Room, vol. 15, p. 172, 2016.
[39] S. E. Jasper, "U.S. Cyber Threat Intelligence Sharing Frameworks," International Journal Of Intelligence And CounterIntelligence, vol. 30, no. 1, pp. 53-65, 2017/01/02, doi: 10.1080/08850607.2016.1230701.
[40] J. D. Moteff, S. Resources, And I. Division, "Critical Infrastructures:Background, Policy, And Implementation," 2007: Congressional Research Service, Library Of Congress.
[41] C. McCarthy, K. Harnett, A. Carter, And C. Hatipoglu, "Assessment Of The Information Sharing And Analysis Center Model," 2014.
[42] 國家資通安全研究院, "本院簡介," https://www.nics.nat.gov.tw/about/introduction/, (accessed 2024/03/17).
[43] 台灣電腦網路危機處理暨協調中心, "TWCERT/CC中心簡介," https://www.twcert.org.tw/tw/cp-24-72-b31f4-1.html, (accessed 2024/03/17).
[44] Gartner, "Innovation Insight For Security Orchestration, Automation And Response," https://www.gartner.com/en/documents/3834578, (accessed 2024/03/17).
[45] S. Shea, "What Is SOAR (Security Orchestration, Automation And Response)? | Definition From TechTarget," https://www.techtarget.com/searchsecurity/definition/SOAR, (accessed 2024/03/17).
[46] A. Sridharan And V. Kanchana, "SIEM Integration With SOAR," In 2022 International Conference On Futuristic Technologies (INCOFT), 25-27 Nov. 2022, pp. 1-6, doi: 10.1109/INCOFT55651.2022.10094537.
[47] iThome, "【關鍵資安議題】新世代資安指揮中心來了！提供更強大洞察力與執行力," https：//www.ithome.com.tw/article/139571, (accessed 2024/03/17).
[48] 洪羿漣, "SOAR統整異質平台預建流程自動執行回應," https://www.netadmin.com.tw/netadmin/zh-tw/trend/F6E7E0CFB2F14E06ACCA8F67DE1330C9, (accessed 2024/03/17).
[49] B. Adetoye And R. C.-w. Fong, "Building A Resilient Cybersecurity Workforce: A Multidisciplinary Solution To The Problem Of High Turnover Of Cybersecurity Analysts," In Cybersecurity In The Age Of Smart Societies:Proceedings Of The 14th International Conference On Global Security, Safety And Sustainability, London, September 2022, 2023:VSpringer, pp. 61-87.
[50] K. L. McLaughlin, " Defense Is The Best Offense: The Evolving Role Of Cybersecurity Blue Tvvveams And The Impact Of Soar Technologies," Edpacs, vol. 67, no. 6, pp. 35-41, 2023/06/03, doi: 10.1080/07366981.2023.2212484.
[51] Y. Zhao And Y. Guo, "Playbook-Centric Scalable SOAR System Architecture," In ICETIS 2022; 7th International Conference On Electronic Technology And Information Science, 21-23 Jan. 2022, pp. 1-5.
[52] J. Kinyua And L. Awuah, "AI/ML In Security Orchestration, Automation And Response: Future Research Directions," Intelligent Automation & Soft Computing, vol. 28, no. 2, 2021.
[53] C. Leite, J. den Hartog, D. Ricardo Dos Santos, And E. Costante, "Actionable Cyber Threat Intelligence For Automated Incident Response," In Nordic Conference On Secure IT Systems, 2022:Springer, pp. 368-385.
[54] C. Islam, M. A. Babar, And S. Nepal, "Architecture-Centric Support For Integrating Security Tools In A Security Orchestration Platform," In Software Architecture: 14th European Conference, ECSA 2020, L′Aquila, Italy, September 14–18, 2020, Proceedings 14, 2020: Springer, pp. 165-181.
[55] R. Vast, S. Sawant, A. Thorbole, And V. Badgujar, "Artificial Intelligence Based Security Orchestration, Automation And Response System," In 2021 6th International Conference For Convergence In Technology (I2CT), 2021: IEEE, pp. 1-5.
[56] R. C. Leland And Michael, "Understanding The Difference Between EDR, SIEM, SOAR, And XDR," https://www.sentinelone.com/blog/understanding-the-difference-between-edr-siem-soar-and-xdr/, (accessed 2024/03/02).
[57] Heimdalsecurity, "XDR vs SIEM vs SOAR: A Comparison," https://heimdalsecurity.com/blog/xdr-vs-siem-vs-soar-a-comparison/, (accessed 2024/03/02).
[58] A. Mellen, "XDR Defined: Giving Meaning To Extended Detection And Response," https://www.forrester.com/blogs/xdr-defined-giving-meaning-to-extended-detection-and-response/, (accessed 2024/03/02).
[59] Airbus, "Cybersecurity Jargon Busting: MDR, SOC, EDR, XDR, SOAR And SIEM," https://www.protect.airbus.com/blog/cybersecurity-jargon-busting-mdr-soc-edr-xdr-soar-and-siem/, (accessed 2024/03/02).
[60] CrowdStrike, "XDR vs. SIEM vs. SOAR: What′s The Difference? - CrowdStrike," https://www.crowdstrike.com/cybersecurity-101/what-is-xdr/xdr-vs-siem-vs-soar/, (accessed 2024/03/02).
[61] Gartner, "Best Endpoint Detection And Response Solutions Reviews 2024 | Gartner Peer Insights," https://www.gartner.com/market/endpoint-detection-and-response-solutions, (accessed 2024/03/02).
[62] Microsoft, "什麼是 XDR？ | Microsoft 安全性," https://www.microsoft.com/zh-tw/security/business/security-101/what-is-xdr, (accessed 2024/03/02).
[63] Nomios, "EDR, NDR, XDR, MDR - Different Concepts Of Detection & Response," https://www.nomios.com/news-blog/edr-ndr-xdr-mdr/, (accessed 2024/03/02).
[64] Trend Micro, "何謂 XDR？," https://www.trendmicro.com/zh_tw/what-is/xdr.html, (accessed 2024/03/02).
[65] NIST, "Cybersecurity Framework," https://www.nist.gov/cyberframework, (accessed 2024/03/17).
[66] A. Hochstein, R. Zarnekow, And W. Brenner, "ITIL As Common Practice Reference Model For IT Service Management: Formal Assessment And Implications For Practice," In 2005 IEEE International Conference On E-Technology, E-Commerce And e-Service, 2005: IEEE, pp. 704-710.
[67] B. Filkins, D. Wylie, And A. Dely, "Sans 2019 State Of OT/OCS Cybersecurity Survey," SANS™ Institute, 2019.
[68] R. Odarchenko, M. Iavich, G. Iashvili, S. Fedushko, And Y. Syerov, "Assessment Of Security KPIs For 5G Network Slices For Special Groups Of Subscribers," Big Data And Cognitive Computing, vol. 7, no. 4, p. 169, 2023. [Online]. Available: https://www.mdpi.com/2504-2289/7/4/169.
[69] S. Udipi, "The Event Data Management Problem: Getting The Most From Network Detection And response," Network Security, vol. 2021, no. 1, pp. 12-14, 2021.
[70] H. Wang And P. Liu, "Modeling And Evaluating The Survivability Of An Intrusion Tolerant Database System," In Computer Security–ESORICS 2006: 11th European Symposium On Research In Computer Security, Hamburg, Germany, September 18-20, 2006. Proceedings 11, 2006: Springer, pp. 207-224.
[71] R. K. Yin, "Discovering The Future Of The Case Study. Method In Evaluation Research," Evaluation Practice, vol. 15, no. 3, pp. 283-290, 1994.
[72] Quadrant Knowledge Solutions, "SPARK Matrix™: Security Orchestration, Automation, And Response (SOAR) Q2, 2023," https://quadrant-solutions.com/market-research/spark-matrix-security-orchestration-automation-and-response-soar-q2-2023-2883, (accessed 2024/03/17).
[73] G. Inc, "Best Security Orchestration, Automation And Response Solutions Reviews 2024 | Gartner Peer Insights," https://www.gartner.com/market/security-orchestration-automation-and-response-solutions, (accessed 2024/03/17).
[74] Paloalto, "Cortex XSOAR System Requirements • Cortex XSOAR Installation Guide • Reader • Palo Alto Networks documentation portal," https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Installation-Guide/Cortex-XSOAR-System-Requirements, (accessed 2024/03/17).
[75] Paloalto, "External Dynamic List," https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list, (accessed 2024/05/02).

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2024-7-23

推文