绿盟 2019年安全事件响应观察报告

2019 安全事件响应观察报告 Cybersecurity Incident Response Insights i g u th 5 b m o .c 关于绿盟科技北京神州绿盟信息安全科技股份有限公司（简称绿盟科技）成立于 2000 年 4 月，总部位于北京。在国内外设有 30 多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在网络及终端安全、互联网基础安全、合规及安全管理等领域，为客户提供入侵检测 / 防护、抗拒绝服务攻击、远程安全评估以及 Web 安全防护等产品以及专业安全服务。北京神州绿盟信息安全科技股份有限公司于 2014 年 1 月 29 日起在深圳证券交易所创业板上市交易。股票简称：绿盟科技　股票代码：300369 u th i g 特别声明 5 b 为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。 m o .c 2019 年安全事件响应观察报告目录 CONTENTS 目录 1. 前言 ······································································································································································1 2. 网络安全形势分析 ················································································································································4 2.1 国家级安全演练效果明显 ·························································································································································· 5 2.2 关键基础设施成为黑客攻击的重点目标 ·································································································································· 7 m o .c 2.3 经济利益是黑客攻击主要驱动力 ············································································································································ 10 2.4 勒索软件即服务势头迅猛 ························································································································································ 11 2.4.1 完善的产业链 ····························································································································································································11 2.4.2 低风险高收益 ····························································································································································································14 5 b 2.4.3 建议 ············································································································································································································15 2.5 黑链暗链事件的爆发式增长 ···················································································································································· 15 2.5.1 现状 ············································································································································································································16 u th 2.5.2 利益链 ········································································································································································································17 2.5.3 建议 ············································································································································································································18 2.6 恶意程序隐藏技术在革新发展 ················································································································································ 19 i g 2.7 入侵事件平均潜伏时间高达 359 天 ······································································································································· 20 2.8 人和管理成为主要入侵突破口 ················································································································································ 23 3. 安全漏洞变化趋势 ··············································································································································27 3.1 高危漏洞 PoC 公开数量增多 ··················································································································································· 28 3.1.1 微软远程桌面服务远程代码执行漏洞（CVE-2019-0708） ···············································································································29 3.1.2 Confluence SSRF 及远程代码执行漏洞 ················································································································································30 3.1.3 WinRAR 代码执行漏洞 ············································································································································································31 3.2 0day 漏洞频繁爆发 ···························································································································