- 學位論文
從惡意電子郵件攻擊樣本探討未來我國政府機關社交工程演練之方向–以A機關為例
A Study of Government Agencies in Social Engineering Exercise Based on Attacks from Malicious Email Samples: The Case of A Agency
摘要
近年來我國資通訊科技環境發展迅速,相對地資安事件也層出不窮,綜觀過去所發生的資安事件,不僅是民營企業容易遭受駭客入侵,更嚴重的是針對政府機關所發動的「目標式攻擊」;而此類攻擊大多以竊取機敏資料為主要目的,所使用的攻擊方式不僅跳脫傳統的駭客攻擊手法,更提升為結合「社交工程」手法的人性面攻擊,其完美地結合零時差攻擊與人性面的脆弱,巧妙地將惡意檔案以電子郵件夾帶的方式,寄送至所欲攻擊使用者的電子郵件信箱,企圖誘使開啟並執行其中所附加之惡意檔案,以進而成功奪取系統控制權,達到逐步滲透政府機關的意圖。 本研究對象係以某特定A政府機關為例,蒐集該機關2011年所遭受到的惡意電子郵件樣本共173封(該樣本在攻擊當下為新型/未知惡意郵件),並以之為分析基礎,透過本研究所設計的研究設計及二種分析流程,萃取深層資訊後再進行關聯規則分析,並將研究發現之攻擊態樣與特徵,對比現階段A政府機關進行之防範惡意電子郵件社交工程攻擊演練,以提出未來進行社交工程演練時之改善建議及對真實攻擊之管理建議。 本研究發現目前A機關除面臨目標式攻擊外,該攻擊亦符合進階持續性滲透攻擊(APT) 特徵,手法以公務類型惡意電子郵件社交工程攻擊為主。面對此類攻擊,A機關除應改善其防範惡意電子社交工程攻擊演練計畫外;另外在面對真實攻擊時,建議可以針對「人員」及其使用「電腦設備」進行監控,並提出監控 (Monitor)、鑑識 (Forensics)、分析 (Analysis)、記錄 (Record)之MFAR主動防禦概念,希冀有效降低被入侵之機會。
並列摘要
In recent years, information and communication technology (ICT) has developed rapidly in Taiwan. However, information security incidents emerge endlessly. Observing the past incidents in general indicate that not only private enterprises are easy to be invaded by hackers, but government organizations are also victims of “targeted attack.” The main purpose of this kind of attacks is stealing sensitive data not by traditional ways of hacking but by attacking weaknesses in human nature combined with “social engineering.” It perfectly utilizes zero-day attack, in connection with weak aspects of human nature, by skillfully attaching malicious files in e-mail and sending to targeted e-mail boxes. When government users are lured to check out the malicious files, they will lose command ability and hackers can successfully achieve the purpose of gradually infiltrating government organizations. This study took a particular government agency, A, as an example and collected 173 malicious e-mail samples (new/unknown malicious e-mail when attacking) that the agency suffered in 2011 as the basis of analysis. The study, through research design and two analytical processes, extracted deep information and analyzed the information with association rules, and found the attack patterns and characteristics. Furthermore, the study compared the findings with malicious e-mail social engineering exercise in order to improve social engineering exercises and management of malicious e-mail attacks. This study found that A agency was attacked by targeted attacks that conformed with the characteristics of advanced persistent penetration attacks (APT), and most attacks were malicious e-mail social engineering attacks. Facing such attacks, this study suggested A agency should improve its drill program for preventing malicious electronic social engineering attacks; In addition, the study suggests the agency to carefully inspect its “officers” and “the computers used by the officers” and proposes the active defense concept, MFAR (Monitor, Forensics, Analysis, Record), in order to reduce the opportunities of successful invasion.
參考文獻
延伸閱讀
- 張錫鈴(2010)。電子郵件社交工程與資訊安全認知行為之研究探討-以某企業為例〔碩士論文,國立虎尾科技大學〕。華藝線上圖書館。https://www.airitilibrary.com/Article/Detail?DocID=U0028-1307201016461600
- 林家弘(2015)。光學檢測設備產業客戶服務系統之探討 —以A公司在中國大陸為例〔碩士論文,國立中央大學〕。華藝線上圖書館。https://www.airitilibrary.com/Article/Detail?DocID=U0031-0412201512042659
- 林信榮(2019)。應用服務藍圖去探討個人資料保護與資訊安全:以某電信公司客服中心為個案〔碩士論文,淡江大學〕。華藝線上圖書館。https://www.airitilibrary.com/Article/Detail?DocID=U0002-0107201923335600
- 陳波宏(2012)。導入國際會計準則(IFRS)企業對選擇資訊系統決策因子之探討-以A公司為例〔碩士論文,國立中正大學〕。華藝線上圖書館。https://www.airitilibrary.com/Article/Detail?DocID=U0033-2110201613504605
- 曾彥銘(2010)。An Exploratory Study on Applying Service-Oriented Architecture on the Internal Control Management of the Passive Component Industry〔碩士論文,中原大學〕。華藝線上圖書館。https://doi.org/10.6840/cycu201000203