「1」TLPTの意義と価値～ペネトレーションテストのニーズ変化と形態変化～
はじめに
2018年10月、「『金融分野におけるサイバーセキュリティ強化に向けた取組方針』のアップデート」（金融庁の報道発表資料、2018年10月19日）における金融機関が取り組むべき方針に、「脅威ベースのペネトレーションテスト」（Threat Led Penetration Test、以下TLPT）が明記されることになりました。これにより、TLPTへの関心が急速に集まりつつある一方、「TLPTとは何か」「これまでのペネトレーションテストとどう違うのか」については、そもそもの定義から不明瞭な部分が多く、議論の余地が多分に残されています。
本連載では、「ペネトレーションテストのニーズ変化と形態変化」「シナリオと体制」「TLPTとしての評価（仮）」について解説させていきます。（連載は３回程度を予定しています。）
* ペネトレーションテスト：サーバー/ネットワーク機器に対して侵入を試みて、脆弱性がないかを確認する検査手法
* TLPTについては、現在、多様な用語と表現で定義されていて（Red Team Testing、Threat Intelligence Penetration Testing などで呼称されることもあります）、一意に固定されていません。本連載は、一つ一つの用語を改めて精査することが目的ではなく、ペネトレーションテストを実際に行っている技術者の視点で、既存のペネトレーションテストの課題を整理し、TLPTの本質に迫ることを目的としています。
第１回目の今回は、「ペネトレーションテストのニーズ変化と形態変化」について解説します。
ペネトレーションテストのニーズ変化と形態変化
TLPTが注目される背景には、ペネトレーションテストのニーズ変化と形態変化が大きくかかわっています。図１をベースに、解説していきます。
図１ ペネトレーションテストのニーズ変化と形態変化
「対策の優先度」へのニーズと静的ペネトレーションテスト
まず、ペネトレーションテストのニーズが高まった当初（2000年代初頭）の時代背景を、以下に分析してみます。
- 攻撃者の増加
- 攻撃難易度の低下
- 攻撃対象（IP、ホスト）数の増加
- 脆弱性総数の増加
これらの背景を掘り下げていくと、攻撃者の視点では、OS・ソフトウェアのオープンソース化などによる脅威の増大が（→攻撃者の増加、攻撃難易度の低下）、システムを守る視点では、ネットワーク化によるインターネットへの公開や、開発・運用システムの高度化・複雑化が（→攻撃対象数の増加、脆弱性総数の増加）といった傾向が見えてきます。これにより、企業や組織としては、存在するすべての脅威や脆弱性に対応することは現実的に不可能となり、セキュリティ対策の優先度をつけるための現実的な指標が求められるようになりました。
ペネトレーションテストを実施することにより、対策の必要性が高い脅威と脆弱性を絞り込み、脆弱性への対策優先度をつけることが可能となります。
現在、日本においては、ペネトレーションテストは対策優先度やリスクアセスメントの重要な指標として成長し、さらに標準化と価格競争が進んできました。その結果、ペネトレーションテストとして最低限必要な条件は、以下の三つに集約されてきています。
- 脆弱性調査
- 認証試行
- エクスプロイトコードの試行
一方で、市販ソフトウェアである脆弱性スキャナーが著しく進歩したため、上記の条件のみでは、ペネトレーションテストとしての価値や費用対効果が薄いという印象を、お客さまに持たれることがあります。ペネトレーションテストは侵入を目的としているため、侵入ができなければ「脆弱性調査」のみがアウトプットとなり、結果的に脆弱性スキャナーのレポートと差がつけにくいためです。
本連載では、上記の条件のみを満たす従来の手法を、静的な基準（CVSSスコアや、セキュリティベンダーの固定的な指摘基準）での評価にとどまることから、「静的ペネトレーションテスト」として再定義することにします。
「費用対効果」を求めるニーズと動的ペネトレーションテスト
ペネトレーションテストは対策優先度やリスクアセスメントの指標として定着してきましたが、システムの大規模化の影響もあり、評価対象（サーバー、PCなど）はさらに爆発的に増大し、すべての対象をテストすることはおよそ現実的でなくなってきました。一方で、ペネトレーションテストはその性質上、必ず人の手による作業が必要となるため、評価対象のボリュームに比例して作業時間が増えることになります。人件費の高騰の影響もあり、価格競争が進んでいるとはいえ、ペネトレーションテストの低価格化には限界がみえてきました。
そこで、静的ペネトレーションテストに対して、付加価値をつけるベンダーが現れるようになりました。その付加価値とは、例えば、
- お客さまのリスクアセスメントや資産価値の重みを評価基準に取り込む
- 侵入成功のゴールを設定することで、よりリアルなペネトレーションテストの報告書としている
などが該当します。上記のような付加価値をつけたペネトレーションテストを、本連載では「動的ペネトレーションテスト」と定義することにします。
ただ、静的ペネトレーションテストが主流な現在、ペネトレーションテストの納品物として、リスクアセスメントや資産価値、侵入成功のゴールを評価軸とする文化はあまり定着していません。そのため、対象選定とゴール設定のような付加的評価軸は、営業活動やプレセールス段階など納品物として定義されないフェーズで実施されてしまっているのが実態です。結果として、対象選定とゴール設定過程が経営層まで具体的に伝わらない要因の一つとも考えられます。
また、ペネトレーションテストの現場においても、選定過程やゴール設定が明確でなければ、検査者がリアルな価値観で評価することは困難となります。お客さまへ報告される際にも、選定過程やゴール設定が明確でなければ、効果的なセキュリティ対策への提案は難しくなります。
「脅威の高度化への対応」「被害範囲の見える化」へのニーズとTLPT
日本よりも多様な脅威にさらされ、早くからペネトレーションテストが普及していた欧米諸国では、静的ペネトレーションテストや動的ペネトレーションテストへの課題から、新しいペネトレーションテスト「TLPT」が広まりつつあります。
TLPTのニーズの一つは、「脅威の高度化への対応」にあります。標的型攻撃やAPT（Advanced Persistent Threat）型攻撃などと呼ばれる攻撃の特徴は、単一のサーバーや単一のシステムの掌握を狙うことが目的ではなく、「機密情報の奪取」や「継続的な潜伏」が目的であることです。つまり、「脅威の高度化」とは、攻撃手法そのものの変化ではなく、攻撃者の目的（と攻撃者の背景）の変化を意味しています。
もう一つのニーズは、ペネトレーションテストの成果としての「被害範囲の見える化」です。ペネトレーションテストを実施するにあたり、経営層は、結局のところ「ペネトレーションテストの結果、ビジネスとしてどのくらい被害を受ける可能性があるのか」という点に、最も関心があります。「どのくらいの被害があるか」を評価するためには、「どのくらい攻撃を受けられるか」という静的ペネトレーションテストや動的ペネトレーションテストの指標はもちろんのこと、「どのくらい被害を受けるか」という被害に対する検知や事後調査についての評価も実施する必要があります。
そこで、現在、欧米諸国で実施されているTLPTを読み解いてみると、二つの重要なキーワード「シナリオ」（→シナリオ主導型ペネトレーションテスト）と「脅威インテリジェンス」（→脅威インテリジェンス主導型ペネトレーションテスト）が浮かび上がってきます。
* 本連載では、上記どちらかを満たすTLPTを「広義のTLPT」、両方を満たすTLPTを「狭義のTLPT」と呼称することにします。
シナリオ主導型ペネトレーションテスト
シナリオ主導型ペネトレーションテストの最大の特徴は、「シナリオ」が納品物に含まれることにあります。シナリオには、以下の要素が必要条件となります。
• 脅威、つまりセキュリティを脅かす主体を明確にする
• 脅威が実際にセキュリティを侵害する「マイルストーン」を明確にする
• 脅威が攻撃対象とする資産を特定する
• 上記すべてが含まれるシナリオを、報告書と同等の重みをもつ納品物として定義する
シナリオの中で定義される「マイルストーン」は、必ずしも連続して攻撃が成功する必要はないということが、静的ペネトレーションテストや動的ペネトレーションテストとの大きな違いです。例えば、
- ネットワーク経由での侵入が成功するかどうかのシナリオ
- 侵入成功後の権限昇格のシナリオ
- 権限昇格後の重要情報奪取のシナリオ
としてシナリオを分け、後に一つの大きなシナリオとして評価することで、総合的な評価とすることが可能となります。各マイルストーンで攻撃可能性の実証（Proof of Concept）が確認できればよいのが、シナリオ主導型ペネトレーションテストの特徴といえます。
脅威インテリジェンス主導型ペネトレーションテスト
昨今の脅威インテリジェンス*1の隆盛から、オープンソースもしくは準オープンソースの脆弱性情報を有機的に集約し、各種セキュリティ対策に適用する動きが生まれてきています。それに伴い、ペネトレーションテストやインシデントレスポンスの世界でも、脅威インテリジェンスは大きなテーマの一つとなってきています。脅威インテリジェンス主導型ペネトレーションテストでは、脅威インテリジェンスをペネトレーションテストに適用することで、以下の効果が期待できます。
- 専門家でのみ完結していた非オープンな技術的営みに、客観的俯瞰的な根拠を与える
- 上記のシナリオ主導型ペネトレーションテストに脅威インテリジェンスを含めることで、シナリオに対する経営層への説得力を向上させる
- 業界や顧客ごとにリアルなシナリオとなることで、現実的なセキュリティ対策を検討することができる
とはいえ、現在の日本における脅威インテリジェンス市場は、市場としてまだ発展途上であり、脅威インテリジェンス市場の価値と認知度を向上させていくことが今後の課題となっています。
ここまで、「TLPTとは何か」というテーマのうち、「ペネトレーションテストのニーズ変化と形態変化」について解説してきました。次回は、引き続き「TLPTとは何か」をテーマとして、「シナリオと体制」について解説させていきます。
参考リンク
-
「金融分野におけるサイバーセキュリティ強化に向けた取組方針」のアップデートについて
https://www.fsa.go.jp/news/30/20181019-cyber.html -
諸外国の「脅威ベースのペネトレーションテスト(TLPT)」に関する報告書の公表について
https://www.fsa.go.jp/common/about/research/20180516.html -
脅威ベースのペネトレーションテストに関する G7 の基礎的要素（仮訳）
https://www.fsa.go.jp/inter/etc/20181015/02.pdf -
*1: 脅威インテリジェンスを使って企業のセキュリティを高める
https://diamond.jp/articles/-/147168
Writer Profile
セキュリティ事業部
セキュリティ診断担当 チーフエンジニア
清水 正一