1.2. Evolution of Network Attack and Defense Technology¶
1.2.1. Historical Development¶
In 1939, Turing cracked Enigma, which ended the war two years ahead of schedule. This was the first time that computer security began to appear in people’s field of vision. At this time, the computing power of computers was limited, and the offensive and defensive methods used by people were relatively primitive.
In 1949, John Von Neumann proposed the design of a self-replicating program, which is considered the world’s first computer virus.
From 1970 to 2009, with the continuous development of the Internet, network security also began to enter people’s field of vision. In the early days of network development, many systems had zero protection, and security awareness was not yet widespread. The design of many systems only considers usability, and not much consideration for security, so at that time, combined with search engines and some integrated penetration testing tools, it was easy to obtain data or permissions.
In 1972, the buffer overflow attack was proposed by the Computer Security Technology Planning Study.
In 1984, Ken Thompson described in Reflections on Trusting Trust how he added a backdoor to his compiler to gain Unix privileges, an earlier supply chain attack.
In 1988, a student at Carnegie Mellon University (CMU) wrote Morris Worm for testing purposes, doing great damage to the internet at the time.
In the same year, CMU’s CERT Coordination Center (CERT-CC) formed the first Computer Emergency Response Team in order to deal with the damage caused by Morris Worm to the Internet. Organizations such as CERT and SRC.
Also in 1988, Professor Barton Miller first proposed the concept of Fuzz Generator in the computer experiment class of the University of Wisconsin to test the robustness of Unix programs, that is, use random data to test the program until it crashes. Therefore, Professor Barton Miller is also called “the father of fuzzing” by most people.
In 1989, CJCherryh published the novel The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, which was adapted from the author’s real experience in retrospecting hacker attacks, and proposed the prototype of honeypot technology in the book.
In 1990, some network firewall products began to appear, which were mainly network-based firewalls at this time, and could handle applications such as FTP.
Since 1993, Jeff Moss has held DEFCON (also written as DEF CON, Defcon, or DC, one of the largest computer security conferences in the world) in Las Vegas, Nevada, USA every year. The format of the CTF (Capture The Flag) competition also originated from DEFCON in 1996.
In July 1993, Windows NT 3.1 was released, which introduced security control mechanisms such as identity authentication, access control and security auditing. Before that, the Windows 9x kernel had almost no security mechanism.
In 1996, Smashing the Stack For Fun and Profit was published, which made pioneering work on the use of stack buffer overflows.
Since 1997, Jeff Moss started to hold Black Hat to conduct information security research exchanges and training from a neutral position. So far, Black Hat will also be held in Europe and Asia.
In December 1998, Jeff Forristal mentioned an example of using SQL injection techniques to attack a website in an article, and SQL injection has been widely discussed since then.
On January 21-22, 1999, at the WorkShop of the 2nd Research with Security Vulnerability Databases, MITRE founders David E. Mann and Steven M. Christey published an article entitled “Towards a Common Enumeration of Vulnerabilities”. The white paper proposed the concept of CVE (Common Vulnerabilities and Exposures, Common Vulnerability Disclosure), and included and disclosed 321 CVE vulnerabilities in that year.
In December 1999, some MSRC engineers discovered some examples of websites being injected with code, and they publicized the attack, dubbed Cross Site Scripting, after collating discussions.
In January 2002, Microsoft launched the “Trustworthy Computing” (Trustworthy Computing) program to help ensure that products and services are inherently high security, availability, reliability and business integrity, SDL (Security Development Lifecycle) is also was raised at this time.
On September 9, 2001, Mark Curphey started the OWASP (Open Web Application Security Project) project, and began to provide some articles, methods and tools of Web attack technology in the community.
After that, concepts such as Responsible disclosure / Full disclosure have also entered people’s field of vision.
On October 4, 2002, The Art of Deception by Kevin Mitnick, who is also credited with social engineering, was published. This book details how social engineering is used in attacks. The originator of the mountain.
On July 25, 2005, the Zero Day Initiative (ZDI) was created to encourage responsible vulnerability disclosure.
In November 2005, based on the accumulation and development of intelligence collection since February 1941, the Director of National Intelligence announced the establishment of the Open Source Center (OSC) to collect open source intelligence, and then the concept of Open-source intelligence (OSINT) continued. recognized by people.
In 2006, the concept of APT (Advanced Persistent Threat, Advanced Persistent Threat) attack was formally proposed to describe covert and persistent cyber-attacks found on U.S. military and government networks from the late 1990s to the early 2000s.
Beginning in 2006, the U.S. Department of Homeland Security (DHS) began holding a “Cyber Storm” series of national cyber event exercises every two years.
With the continuous development of the times, offensive and defensive technologies have undergone great changes, and defense methods and security awareness have also evolved. Before the attack occurs, there are mechanisms such as threat intelligence and blacklist sharing, and the threat can be spread in time. When an attack occurs, there are firewalls based on various mechanisms, such as keyword detection, semantic analysis, and deep learning. Some defense mechanisms can even defend against zero-day attacks to a certain extent. After the attack, some key systems were isolated, and the results of the attack were difficult to expand. Even if the target was obtained, it was difficult to carry out further attacks. Some target honeypots have a high degree of simulation, with normal services and some business data that is difficult to judge whether it is true or false.
After the discovery of Stuxnet in June 2010, supply chain attacks began to emerge as one of the emerging threats to cyberspace security. Subsequent supply chain attacks such as XcodeGhost and CCleaner have had a major impact.
In 2010, analysts at Forrester Research Inc. came up with the conceptual model of “zero trust”.
In January 2012, Gartner proposed the concept of IAST (Interactive Application Security Testing), providing a solution that combines DAST and SAST technologies. In this way, the vulnerability detection rate is high, the false positive rate is low, and API interfaces and code fragments can be located.
In September 2012, Gartner researcher David Cearley proposed the concept of DevSecOps, saying that the DevOps process should include security concepts.
In 2013, MITRE proposed ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge, ATT&CK), a model that describes the techniques used in various stages of an attack from an attacker’s perspective.
In 2013, the University of Michigan started the ZMap project, which evolved into Censys in 2015. Since then, cyberspace mapping projects have gradually emerged.
In 2014, at the Gartner Security and Risk Management Summit, the concept of Runtime Application Self-protection (RASP) was proposed for security protection at the application layer.
In 2015, Gartner first proposed the concept of SOAR, and the original definition was Security Operations, Analytics and Reporting, that is, security operations analysis and reporting.
In 2017, Gartner redefined the concept of SOAR: Security Orchestration, Automation and Response, that is, security orchestration, automation and response.