Insights into Pre-Exercise Preparations for Cyber Offensive and Defensive Drills

In recent years, cyber offensive and defensive drills (often referred to as ‘Red Teaming/Blue Teaming’ or ‘Real-world Combat Drills’) have become increasingly normalized, institutionalized, and large-scale. This trend is driven by national-level emphasis on cybersecurity and data governance. With the implementation of the Cybersecurity Law and the Data Security Law of the People’s Republic of China, combat-readiness requirements and legal compliance responsibilities have been elevated to unprecedented heights.

Consequently, thorough preparation is essential not only for legal compliance but also for securing core business stability. This article conducts a preliminary discussion on how to effectively execute these preparations.

Security Equipment Selection and Deployment Strategy

A robust network environment is the foundation of effective defense. Equipment selection should be closely aligned with an organization’s business scale, risk appetite, compliance requirements, and budgetary constraints. Below are typical configuration recommendations:

| Protection Level | Core Equipment Configuration | Budget | Use Case Description |
|---|---|---|---|
| Baseline | Next-Generation Firewall (NGFW) | 💰 | Small organizations with few systems and low risk. NGFW provides basic access control, stateful inspection, and simple Web protection. |
| Standard | NGFW + Network Traffic Analysis (NTA) Probe (integrated with SOC/SIEM) | 💰💰 | Recommended baseline. NGFW handles perimeter defense; NTA provides full network visibility and deep analysis via traffic mirroring; the platform handles centralized monitoring and threat correlation. |
| Advanced | NGFW + NTA + Intrusion Prevention System (IPS) | 💰💰💰 | Focused protection for critical business zones. IPS provides deep packet inspection (DPI) and real-time blocking of known exploits, forming defense-in-depth with the NGFW. |
| Comprehensive | NGFW + NTA + IPS + SWG + Endpoint Detection & Response (EDR) | 💰💰💰💰💰 | Large institutions or high-risk industries. Integrates perimeter, internal monitoring, application-layer defense, endpoint security, and auditing for a “Cloud-Network-Edge-Endpoint” defense-in-depth architecture. |

Focusing on Core Protections

1. Pragmatic Choices for Small-Scale Scenarios

For small enterprises with limited resources, “stacking” equipment is not necessary. A single, well-configured Next-Generation Firewall (NGFW) can meet fundamental needs. Modern NGFWs integrate several legacy standalone functions:

  • Secure Web Gateway (SWG) capabilities: Auditing and controlling internal user web activities.
  • Web Application Firewall (WAF) features: Defending against SQL Injection, XSS, and remote command execution.
  • Encrypted Tunnel Identification: Detecting and controlling VPNs or hidden proxy channels.

2. The Value of the Standard Configuration: NTA + Situational Awareness (SOC)

In standard configurations, we strongly recommend deploying Network Traffic Analysis (NTA) probes at key network junctions (usually core switching areas) linked to a centralized platform.

  • Global Visibility: Probes capture traffic via mirroring, providing a “God’s-eye view” of internal lateral movement that perimeter logs simply cannot see.
  • Defense-in-Depth Supplement: While NGFWs have IPS features, their focus is the perimeter. Probes and dedicated IPS units in core zones provide internal lines of defense.
  • Objective Evaluation of Endpoint Security: While free security software provides basic malware protection, it lacks centralized management and advanced threat detection. Professional EDR provides deep behavioral monitoring and threat hunting. The value of NTA is that even if endpoint protection is bypassed, it independently captures traces of lateral movement, Command and Control (C2) communication, and data exfiltration at the network layer.

Normalized Security Policies: “Automatic Transmission” for Defense

In large-scale drills, the “Old School” tactics of the Red Team remain largely unchanged: credential stuffing/weak passwords and the exploitation of N-day vulnerabilities. However, do not underestimate automated “script kiddies” who use scanners to bombard targets with PoC (Proof of Concept) exploits. If security policies are misconfigured (e.g., ‘Allow All’), the defense system becomes a VIP pass for attackers.

Honestly, I have seen the security device configurations at quite a few sites, and the policies are written in truly “grand” style: any to any permit (allow all traffic through)! That is not a security device; it is practically a VIP channel opened for attackers. Compliance is the baseline, but when a security vendor delivers, they should at least configure and enable the “high-severity must-block” policies, right? At the very minimum, traffic from the untrust zone to the trust zone must be denied. That is the most basic of basics!

🛡️ Strategy 1: Enable the “IPS Engine” on your NGFW

Many NGFWs have their Intrusion Prevention System (IPS) capabilities disabled or set to “Detect Only” due to performance concerns. During drills, you must enable “Block” mode for all traffic policies. This acts as the first automated barrier against known exploits and malicious scanning.

🚫 Strategy 2: Harden High-Risk Ports

Minimal exposure is the goal. Use a Whitelist (Specific Trusted Source IPs) whenever possible. If a port must be open to the world, ensure the underlying service is fully hardened. Below is a “Blacklist” of ports that should generally be blocked at the perimeter unless absolutely necessary:

| Port | Service |
|---|---|
| 20-21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 69 | TFTP |
| 135-139 | RPC |
| 161-162 | SNMP |
| 445 | SMB |
| 3389 | RDP |
| 5900-5904 | VNC |
| 6379 | Redis |
| 7001 | WebLogic |
| 8848 | Nacos |

Note: These blocks should be implemented at the Perimeter Firewall to stop threats outside the internal network.
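As an added example (not from the original post), here is a small Python audit that checks an exported rulebase for the two conditions discussed above: an any-to-any permit across the perimeter, and any port on this blacklist permitted from untrust to trust without a source allowlist. The Rule fields and the zone names untrust/trust are assumptions standing in for whatever your vendor actually exports.

```python
# Audit an ordered, first-match perimeter rulebase for the two problems the post
# names: an "any to any permit" rule, and high-risk ports reachable from the untrust
# zone without a source allowlist. Added example: Rule fields and zone names are
# assumptions, not any vendor's policy syntax.
from dataclasses import dataclass

# Port blacklist from the post: service -> inclusive (low, high) port range.
HIGH_RISK_PORTS = {
    "FTP": (20, 21), "SSH": (22, 22), "Telnet": (23, 23), "SMTP": (25, 25),
    "TFTP": (69, 69), "RPC": (135, 139), "SNMP": (161, 162), "SMB": (445, 445),
    "RDP": (3389, 3389), "VNC": (5900, 5904), "Redis": (6379, 6379),
    "WebLogic": (7001, 7001), "Nacos": (8848, 8848),
}

@dataclass
class Rule:
    name: str
    src_zone: str   # "untrust", "trust" or "any"
    dst_zone: str
    src: str        # "any", or an allowlisted IP/CIDR
    dst_port: str   # "any", "22", or a range such as "5900-5904"
    action: str     # "permit" or "deny"

def port_range(spec):
    """Parse 'any' / '22' / '5900-5904' into an inclusive (low, high) tuple."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def crosses_perimeter(r):
    return r.src_zone in ("untrust", "any") and r.dst_zone in ("trust", "any")

def audit(rules):
    """Return (rule name, finding) pairs. A deny that fully covers a service's
    ports shadows later permits for it, as in a first-match rulebase."""
    findings, already_denied = [], set()
    for r in rules:
        if not crosses_perimeter(r) or r.src != "any":
            continue    # source-allowlisted rules are what the post recommends
        lo, hi = port_range(r.dst_port)
        if r.action == "deny":
            already_denied |= {s for s, (a, b) in HIGH_RISK_PORTS.items()
                               if lo <= a and b <= hi}
        elif r.action == "permit":
            if r.dst_port == "any":
                findings.append((r.name, "any-to-any permit across the perimeter"))
            for s, (a, b) in HIGH_RISK_PORTS.items():
                if lo <= b and a <= hi and s not in already_denied:
                    findings.append((r.name, f"{s} reachable from any untrust source"))
    return findings
```

Run it against a rulebase exported before the drill; every finding is either a rule to delete or a port that needs a source allowlist.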

🚫 Strategy 3: Thwart DNSLog Probing

Attackers use public DNSLog services to verify Out-of-Band (OOB) vulnerabilities. You can set domain filtering rules on Perimeter Gateway Devices to block queries to known DNSLog suffixes (e.g., *.dnslog.cn, *.burpcollaborator.net).

Why the Perimeter? To prevent attackers from bypassing internal DNS servers by manually setting their DNS to 8.8.8.8. This serves as an effective “Noise Reduction” measure, though sophisticated attackers may use custom, private DNSLog domains.
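As an added example, not part of the original post, here is detection logic for both points in this section: a suffix match against the DNSLog domains named above, run over constructed perimeter DNS log lines, plus a flag for queries sent to any resolver other than the internal one (the 8.8.8.8 bypass). The log format and the internal resolver address 10.0.0.53 are assumptions.

```python
# Flag DNS queries for known DNSLog (out-of-band callback) suffixes and queries
# sent straight to an external resolver, bypassing the internal DNS. Added
# example: the log line format, the internal resolver address and the sample
# lines are all constructed, not taken from any real product.
import re

# Suffixes named in the post; extend with any others seen in drill reports.
DNSLOG_SUFFIXES = ("dnslog.cn", "burpcollaborator.net")
INTERNAL_RESOLVERS = {"10.0.0.53"}   # assumption: the organisation's own DNS

# Constructed perimeter log format: "<ts> <client_ip> -> <resolver_ip> Q <qname>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+) Q (\S+)$")

def matches_suffix(qname, suffixes=DNSLOG_SUFFIXES):
    """True if qname is one of the suffixes or a subdomain of one.
    Matching on the label boundary avoids flagging look-alikes such as 'notdnslog.cn'."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)

def scan(lines):
    """Return (timestamp, client, finding, detail) tuples for suspicious queries."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue          # skip malformed lines rather than crash on them
        ts, client, resolver, qname = m.groups()
        if matches_suffix(qname):
            findings.append((ts, client, "dnslog-suffix", qname))
        if resolver not in INTERNAL_RESOLVERS:
            # Only visible at the perimeter: the internal DNS never sees this query.
            findings.append((ts, client, "external-resolver", resolver))
    return findings

# Constructed sample: one normal query, one DNSLog callback via the internal DNS,
# one DNSLog callback sent directly to 8.8.8.8, and one look-alike domain.
SAMPLE_LOG = [
    "2025-06-28T10:00:01 10.1.2.3 -> 10.0.0.53 Q www.example.com.",
    "2025-06-28T10:00:02 10.1.2.3 -> 10.0.0.53 Q a1b2c3.dnslog.cn.",
    "2025-06-28T10:00:03 10.1.2.9 -> 8.8.8.8 Q xyz.burpcollaborator.net.",
    "2025-06-28T10:00:04 10.1.2.9 -> 10.0.0.53 Q notdnslog.cn.",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The same suffix list is what the gateway domain-filter rule should carry; the external-resolver finding is the case that filter alone does not catch unless it sits at the perimeter.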

Source: https://fuwari.vercel.app/posts/bc2bdcf9-39c0-40ce-b553-631bd6493d3a/
Author: Ryan Zhang
Published: 2025-06-28
License: CC BY-NC-SA 4.0

This content has been translated with the assistance of AI tools, including ChatGPT, Gemini, and Qwen. While efforts have been made to ensure accuracy and clarity, minor discrepancies may exist. Please refer to the original text for authoritative interpretation if needed.