
How to Survive Vulnerability Response Going Forward


Kengo Suzuki

August 07, 2024


Transcript

  1. - ॴଐ - ࡾҪ෺࢈σδλϧɾΞηοτϚωδϝϯτ - ίʔϙϨʔτγεςϜ෦: DevSecOps, Corp Eng౳ -

    LayerX Fintechࣄۀ෦ʢˢʹग़޲ʣ - ݸਓ׆ಈ - िؒχϡʔεϨʔλʔɺPodCastɺಉਓࢽ - དྷྺ - ۚ༥ܥSIer > ࢿ࢈؅ཧɾՈܭ฽ɾձܭSP > ূ݊ձࣾ > ݱ৬ - ͳΜ͔ͩΜͩFintech/ূ݊ܥʹ͍Δ - ࠷ۙ͸σʔλΤϯδχΞϦϯάΛཤमத @ken5scal χϡʔεϨλʔ: https://ken5scal.notion.site/54bda4932da14add9e9911ab3e9a6e5c podcast: https://open.spotify.com/show/73sFeKzUIkSYfCZWVBNO70
  2. - Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ

    ݟग़͠ https://speakerdeck.com/layerx/company-deck
  3. - ͲͷΑ͏ͳछผͷ੬ऑੑରࡦΛͲΜͳํ਑Ͱݟ͍͔ͯ͘ͱ͍͏࿩ʹͳΓ·͢ɻ - ࣮ࡍͷରԠɾ۩ମతରԠ͸ɺݱ৔ͷऩӹɾച্ߏ଄ɺνʔϜߏ੒ɺ఩ֶʹΑΓҟͳΓ·͢ - ͲΜͳʮ࣠ʯͰݟΔ͔ͱ͍͏࿩ - ݟ͚ͭͨ੬ऑੑͷରԠͷ۩ମతରԠΛฉ͖͍ͨํ͸ͥͻͪ͜ΒͷΠϕϯτʹ - όϧεࡇΓ#10

    | ੬ऑੑ؅ཧͷ࠷લઢʙϦεΫධՁ͔ΒSSVCɺVEXɺAI·Ͱʙ (08/20) - https://vuls-jp.connpass.com/event/327031/ - ※ར֐ؔ܎͸͋Γ·ͤΜ - IPA͞Μͷʮ੬ऑੑରԠʹ͓͚ΔϦεΫධՁख๏ͷ·ͱΊʯ͸·ͩಡΊͯͳ͍Ͱ͢ - SBOMͷ࿩͸ϛϦ΋͠·ͤΜ - ݸਓͰ΍ͬͯΔPodcastͰ࿩ͨ͠ͷͰྑ͚Ε͹ௌ͍͍ͯͩ͘͞ - ʮSBOMʹ͍ͭͯϫΠϫΠ࿩͢ձʯ by ηΩϡΞཱྀஂ͕چϨʔτ͢ΔʮSecure Liaisonʯ લఏ https://www.ipa.go.jp/jinzai/ics/core_human_resource/final_project/2024/risk-assessment-methods.html https://podcasters.spotify.com/pod/show/secure-fm/episodes/SBOM-e2l42ri
  4. - Ұཡදͷ඼࣭͕௿͍ - Մࢹੑ͕ѱ͍ - ৴པੑ͕௿͍ - ໢ཏੑ͕௿͍ - ਂ౓͕ਂ͍

    - Chain͢Δ Whyେม? https://engineering.mercari.com/en/blog/entry/20240722-mapping-the-attack-surface-from-the-inside/
  5. - 20೥ؒӳࠃαΠόʔηΩϡϦςΟ౰ہ ʢNCSCʣʹ౒ΊɺςΫχΧϧσΟϨΫλʔʹ ͳͬͨํͷୀ৬ϒϩάɻ - ”we’d be able to link

    that work with the graph of the system (and the rich data we have about it) to make sure that we hadn’t missed any attack paths, and that we’d actually built what we thought. It’d be much easier to understand what was going on.” γεςϜΛάϥϑͱͯ͠ଊ͑Δ https://www.ncsc.gov.uk/blog-post/so-long-thanks-for-all-the-bits
  6. ΤϯυϢʔβʔ ϑΟογϯά ઃఆෆඋ ઃఆෆඋ αʔϏε/Ϧϙδ τϦͷઃఆෆඋ GithubActionͷ ੬ऑੑ OSɺϛυϧ΢Σ Ξɺϒϥ΢βͷ੬ऑੑ

    ઃఆෆඋ ઃఆෆඋ ΞϓϦ੬ऑੑ ϛυϧ΢ΣΞ੬ऑੑ ϑΟογϯάɺ ͳΓ͢·͠ ઃఆෆඋ
  7. - ΫϥγοΫͳ੬ऑੑ - ΤϯυϙΠϯτʢMac, Win, Ұ෦Linuxʣ:ɹMicrosoft Defender Vulnerability Management -

    ίʔυ: Dependabot, ೥࣍Web੬ऑੑ਍அ - Ϋϥ΢υ੬ऑੑ - ౷ҰతͳCSPMͳ͠: ΧόϨοδͱίετ͕ݟ߹Θͳ͔ͬͨ - AWS: AWS Config, AWS Security Hub - GCP: Security Command Center Enterprise ݱࡏͷ౰ࣾʢLv̌ʣ
  8. - ΫϥγοΫͳ੬ऑੑ - ΤϯυϙΠϯτʢMac, Win, Ұ෦Linuxʣ:ɹMicrosoft Defender Vulnerability Management -

    ίʔυ: Dependabot, ೥࣍Web੬ऑੑ਍அ - Ϋϥ΢υ੬ऑੑ - ౷ҰతͳCSPMͳ͠: ΧόϨοδͱίετ͕ݟ߹Θͳ͔ͬͨ - AWS: AWS Config, AWS Security Hub - GCP: Security Command Center Enterprise ݱࡏͷ౰ࣾʢLv̌ʣ Ͱ͸ɺ࣍ͷϨϕϧ͸Ͳ͜Λ໨ࢦ͢ʁ ੬ऑੑҰཡͷूத؅ཧ͔ɺ ੬ऑੑରԠͷ௥੻͔ɺ ಛఆͷ੬ऑੑͷछผʹಛԽ͢Δ͔ɺ લஈͷࢿ࢈؅ཧͷ޲্͔ɺ Ϣʔβʔ෦໳ʢϓϩμΫτνʔϜʣ΁ͷҕৡ͔ɺ ࠾༻͔
  9. - ੬ऑੑͷछผ - ΤϯυϙΠϯτ - ࣗࣾϓϩμΫτ - αʔυύʔςΟ੡඼ - ਓ

    - ࢿ࢈ঢ়گ - ΠϯλʔωοτϑΣΠγϯά - ੬ऑੑͷใࠂ਺ - KEVର৅ - ؅ཧπʔϧͱͷ࿈ܞঢ়گ - ؅ཧݩ - ਖ਼ࣾһ - ۀ຿ҕୗ - ࢲ༻୺຤ ൑அ࣠ - ڴҖͷछผ - ಺෦ෆਖ਼ - ޡૢ࡞ɾmisconfig - ֎෦ΞΫλʔ - ߈ܸͷTactics - Init access, Exec, persistence, privi esc…. - ଞࣾͰൃੜͨ͠ࣄྫ - ۀքͷಈ޲ - ࠃ಺๏ن੍ɾΨΠυϥΠϯରԠ - ࠃࡍతن੍ରԠʢྫ: AML/CFTʣ - ৽ٕज़ඪ४ରԠʢྫ: ύεΩʔʣ - ଞ - νʔϜϝϯόʔͷWillɺεΩϧηοτ - ৽ϓϩμΫτձ্ཱࣾͪ͛ɾM&A - Ϣʔβʔཁ๬
  10. - ੬ऑੑͷछผ - ΤϯυϙΠϯτ-> ύονద༻ঢ়ଶͷ௥੻ྗ޲্ - ࣗࣾϓϩμΫτ -> DevSecOpsʹΑΔϓϩμΫτϦϦʔε·Ͱ ͷ҆શੑ֬อ,

    ASMʹΑΔϦϦʔεࡁΈϓϩμΫτͷࣗಈ਍அ - αʔυύʔςΟ੡඼ -> CSPMʹΑΔMisconfigൃݟ - ਓ - ࢿ࢈ঢ়گ - ΠϯλʔωοτϑΣΠγϯά -> ASMʹΑΔࢿ࢈؅ཧ޲্ - ੬ऑੑͷධՁ -> CVSS, SSVC, EPSSʹΑΔධՁ - KEVର৅ -> ੬ऑੑରԠͷ༏ઌ౓ΛϦεΫϕʔεʹ - ؅ཧπʔϧͱͷ࿈ܞঢ়گ - ؅ཧݩ - ਖ਼ࣾһ -> ϑΟογϯά܇࿅ - ۀ຿ҕୗ - ࢲ༻୺຤ -> BYODԽʹΑΔࢿ࢈؅ཧର৅ͷ֦େ - ؅ཧ֎ʢΤϯυϢʔβʔʣ ൑அ࣠ - ڴҖͷछผ - ಺෦ෆਖ਼ - ޡૢ࡞ɾmisconfig -> - ֎෦ΞΫλʔ - ߈ܸͷTactics - Init access, Exec, persistence, privi esc…. - ଞࣾͰൃੜͨ͠ࣄྫ - ۀքͷಈ޲ - ࠃ಺๏ن੍ɾΨΠυϥΠϯରԠ - ࠃࡍతن੍ରԠʢྫ: AML/CFTʣ - ৽ٕज़ඪ४ରԠʢྫ: ύεΩʔʣ - ଞ - νʔϜϝϯόʔͷWillɺεΩϧηοτ - ৽ϓϩμΫτձ্ཱࣾͪ͛ɾM&A - Ϣʔβʔཁ๬
  11. ൑அ࣠ Ͳ͏൑அ࣠Λબ୒͢Δ͔ 1. ϦεΫϕʔε 2. ίϯϓϥϕʔε - ੬ऑੑͷछผ - ΤϯυϙΠϯτ

    - ࣗࣾϓϩμΫτ - αʔυύʔςΟ੡඼ - ਓ - ࢿ࢈ঢ়گ - ΠϯλʔωοτϑΣΠγϯά - ੬ऑੑͷใࠂ਺ - KEVର৅ - ؅ཧπʔϧͱͷ࿈ܞঢ়گ - ؅ཧݩ - ਖ਼ࣾһ - ۀ຿ҕୗ - ࢲ༻୺຤ - ڴҖͷछผ - ಺෦ෆਖ਼ - ޡૢ࡞ɾmisconfig - ֎෦ΞΫλʔ - ߈ܸͷTactics - Init access, Exec, persistence, privi esc…. - ଞࣾͰൃੜͨ͠ࣄྫ - ۀքͷಈ޲ - ࠃ಺๏ن੍ɾΨΠυϥΠϯରԠ - ࠃࡍతن੍ରԠʢྫ: AML/CFTʣ - ৽ٕज़ඪ४ରԠʢྫ: ύεΩʔʣ - ଞ - νʔϜϝϯόʔͷWillɺεΩϧηοτ - ৽ϓϩμΫτձ্ཱࣾͪ͛ɾM&A - Ϣʔβʔཁ๬
  12. - Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ

    ݟग़͠ ۀ຿ςʔϒϧ ࢒ଘ੬ऑੑςʔϒϧ ڴҖςʔϒϧ ϦεΫධՁςʔϒϧ
  13. - લऀ͸METIͳͲ΋ʮASMʢAttack Surface ManagementʣಋೖΨΠμϯε ~ ֎෦ ͔Β೺Ѳग़དྷΔ৘ใΛ༻͍ͯࣗ૊৫ͷITࢿ࢈Λൃݟ͠؅ཧ͢Δ ~ ʯΛग़͢ͳͲ -

    ϓϨΠϠʔɾαʔϏεϓϩόΠμʔ΋૿͍͑ͯΔʢҹ৅ʣ - ޙऀ͸ࣗ෼ͨͪͰؤுΔ - ʢࣾ಺ʣϢʔβʔϑΟογϯά܇࿅ - Crown Jewel௚લϊʔυͷϋʔυχϯάɺύονద༻ͳͲ ڴҖͷೖޱͱCrown Jewel௚લͷϊʔυʹूத