<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>7.BM3 Blue Team Exercise Scenario Materials on Tarragon</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/</link><description>Recent content in 7.BM3 Blue Team Exercise Scenario Materials on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Thu, 30 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/index.xml" rel="self" type="application/rss+xml"/><item><title>Identity Support Token Tabletop</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/</guid><description>&lt;p>This scenario's responsibility is to rehearse the handling of identity-sensitive data within the support workflow. It takes the &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta 2023 support token case&lt;/a> as its source and converts it into a neutral SaaS support-system tabletop.&lt;/p>
&lt;h2 id="scenario-trigger">Scenario Trigger&lt;/h2>
&lt;p>The support system shows a large volume of attachment downloads, and at the same time a customer reports anomalous administrator sessions. In the identity provider log, the SOC sees high-privilege sessions continuing to be used from unusual locations.&lt;/p>
&lt;h2 id="initial-hypothesis">Initial Hypothesis&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Hypothesis&lt;/th>
 &lt;th>Verification data&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Support attachments contain session tokens&lt;/td>
 &lt;td>HAR files, attachment download records, support tickets&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>The token has been replayed&lt;/td>
 &lt;td>identity log, session metadata, device fingerprint&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>The customer side detected the anomaly first&lt;/td>
 &lt;td>customer report, support timeline, notification records&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-surface">Control Surface&lt;/h2>
&lt;p>The control surface includes support workflow, session management, &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation&lt;/a>, customer communication and &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/ownership/" data-link-title="Ownership" data-link-desc="說明 ownership 如何把問題、決策與交接責任固定到可執行角色">ownership&lt;/a>.&lt;/p>
&lt;h2 id="response-route">Response Route&lt;/h2>
&lt;ol>
&lt;li>Triage: confirm whether support attachments contain sensitive session data.&lt;/li>
&lt;li>Severity: grade by affected tenants, privilege level and token usability.&lt;/li>
&lt;li>Owner: the identity owner leads; the support owner and incident commander collaborate.&lt;/li>
&lt;li>Containment: revoke sessions, lock attachment downloads, notify affected customers.&lt;/li>
&lt;li>Write-back: update support attachment handling, the HAR sanitizer, customer notification and the runbook.&lt;/li>
&lt;/ol>
&lt;h2 id="evidence-target">Evidence Target&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Evidence&lt;/th>
 &lt;th>Purpose&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>support ticket access log&lt;/td>
 &lt;td>Trace back who downloaded attachments&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>identity session log&lt;/td>
 &lt;td>Determine the scope of session use&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>customer report timeline&lt;/td>
 &lt;td>Align the timing of external reports with internal detection&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>token revocation record&lt;/td>
 &lt;td>Prove containment is complete&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 身分與授權邊界&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/incident-triage-loop/" data-link-title="7.B6 Incident Triage Loop" data-link-desc="把資安訊號轉成 triage、severity、owner、containment 與 evidence 的回應循環">7.B6 Incident Triage Loop&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/" data-link-title="Control Owner Pattern" data-link-desc="定義高風險控制面如何配置 owner、協作角色、決策角色與升級路徑">Control owner pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This scenario's responsibility is to rehearse the handling of identity-sensitive data within the support workflow. It takes the <a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta 2023 support token case</a> as its source and converts it into a neutral SaaS support-system tabletop.</p>
<h2 id="scenario-trigger">Scenario Trigger</h2>
<p>The support system shows a large volume of attachment downloads, and at the same time a customer reports anomalous administrator sessions. In the identity provider log, the SOC sees high-privilege sessions continuing to be used from unusual locations.</p>
<h2 id="initial-hypothesis">Initial Hypothesis</h2>
<table>
  <thead>
      <tr>
          <th>Hypothesis</th>
          <th>Verification data</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Support attachments contain session tokens</td>
          <td>HAR files, attachment download records, support tickets</td>
      </tr>
      <tr>
          <td>The token has been replayed</td>
          <td>identity log, session metadata, device fingerprint</td>
      </tr>
      <tr>
          <td>The customer side detected the anomaly first</td>
          <td>customer report, support timeline, notification records</td>
      </tr>
  </tbody>
</table>
<h2 id="control-surface">Control Surface</h2>
<p>The control surface includes support workflow, session management, <a href="/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation</a>, customer communication and <a href="/blog/backend/knowledge-cards/ownership/" data-link-title="Ownership" data-link-desc="說明 ownership 如何把問題、決策與交接責任固定到可執行角色">ownership</a>.</p>
<h2 id="response-route">Response Route</h2>
<ol>
<li>Triage: confirm whether support attachments contain sensitive session data.</li>
<li>Severity: grade by affected tenants, privilege level and token usability.</li>
<li>Owner: the identity owner leads; the support owner and incident commander collaborate.</li>
<li>Containment: revoke sessions, lock attachment downloads, notify affected customers.</li>
<li>Write-back: update support attachment handling, the HAR sanitizer, customer notification and the runbook.</li>
</ol>
<h2 id="evidence-target">Evidence Target</h2>
<table>
  <thead>
      <tr>
          <th>Evidence</th>
          <th>Purpose</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>support ticket access log</td>
          <td>Trace back who downloaded attachments</td>
      </tr>
      <tr>
          <td>identity session log</td>
          <td>Determine the scope of session use</td>
      </tr>
      <tr>
          <td>customer report timeline</td>
          <td>Align the timing of external reports with internal detection</td>
      </tr>
      <tr>
          <td>token revocation record</td>
          <td>Prove containment is complete</td>
      </tr>
  </tbody>
</table>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 Identity and Authorization Boundary</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/incident-triage-loop/" data-link-title="7.B6 Incident Triage Loop" data-link-desc="把資安訊號轉成 triage、severity、owner、containment 與 evidence 的回應循環">7.B6 Incident Triage Loop</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/" data-link-title="Control Owner Pattern" data-link-desc="定義高風險控制面如何配置 owner、協作角色、決策角色與升級路徑">Control owner pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern</a></li>
</ul>
]]></content:encoded></item><item><title>Edge Session Hijack Game Day</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/edge-session-hijack-game-day/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/edge-session-hijack-game-day/</guid><description>&lt;p>This scenario's responsibility is to rehearse session convergence after an edge device is patched. It takes the &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/citrix-bleed-2023-edge-session-pressure/" data-link-title="Citrix Bleed 2023：入口曝險與 Session 壓力" data-link-desc="把 Citrix Bleed 轉成入口曝險、session hijack 與修補後 hunting 的藍隊案例素材">Citrix Bleed 2023 edge session case&lt;/a> as its source and converts it into a generic edge gateway game day.&lt;/p>
&lt;h2 id="scenario-trigger">Scenario Trigger&lt;/h2>
&lt;p>An external advisory reports that the edge gateway has a session disclosure vulnerability that is already being exploited. The platform team has completed the patch, but the SOC still sees some high-privilege sessions continuing from anomalous sources.&lt;/p>
&lt;h2 id="initial-hypothesis">Initial Hypothesis&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Hypothesis&lt;/th>
 &lt;th>Verification data&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>The vulnerability has been exploited&lt;/td>
 &lt;td>edge access log, IOC, exploit trace&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>The patch is complete but sessions remain valid&lt;/td>
 &lt;td>patch record, session store, gateway log&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Downstream services have been affected&lt;/td>
 &lt;td>API access log, admin actions, audit log&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-surface">Control Surface&lt;/h2>
&lt;p>The control surface includes the public entrypoint, patch management, &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/session-invalidation/" data-link-title="Session Invalidation" data-link-desc="說明事件後如何讓既有會話失效，避免被重放或延續利用">session invalidation&lt;/a>, containment, hunting and incident severity.&lt;/p>
&lt;h2 id="response-route">Response Route&lt;/h2>
&lt;ol>
&lt;li>Observed: confirm the CVE, exposed assets and patch status.&lt;/li>
&lt;li>Assessed: correlate IOCs, session activity and high-risk accounts.&lt;/li>
&lt;li>Mitigated: restrict gateway access, revoke sessions, raise monitoring.&lt;/li>
&lt;li>Validated: confirm the new session policy, log coverage and downstream audit.&lt;/li>
&lt;li>Closed: update the vulnerability response and the edge runbook.&lt;/li>
&lt;/ol>
&lt;h2 id="evidence-target">Evidence Target&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Evidence&lt;/th>
 &lt;th>Purpose&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>patch record&lt;/td>
 &lt;td>Establish the exposure window&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>gateway access log&lt;/td>
 &lt;td>Determine the scope of session disclosure&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>session invalidation record&lt;/td>
 &lt;td>Prove containment is complete&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>downstream audit log&lt;/td>
 &lt;td>Determine service impact&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 入口治理與伺服器防護&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/vulnerability-response-state-machine/" data-link-title="7.B11 Vulnerability Response State Machine" data-link-desc="把漏洞回應拆成狀態機，建立 observed 到 closed 的可交接流程">7.B11 Vulnerability Response State Machine&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/vulnerability-response-pattern/" data-link-title="Vulnerability Response Pattern" data-link-desc="定義漏洞回應如何從 observed 推進到 assessed、mitigated、patched、validated 與 closed">Vulnerability response pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This scenario's responsibility is to rehearse session convergence after an edge device is patched. It takes the <a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/citrix-bleed-2023-edge-session-pressure/" data-link-title="Citrix Bleed 2023：入口曝險與 Session 壓力" data-link-desc="把 Citrix Bleed 轉成入口曝險、session hijack 與修補後 hunting 的藍隊案例素材">Citrix Bleed 2023 edge session case</a> as its source and converts it into a generic edge gateway game day.</p>
<h2 id="scenario-trigger">Scenario Trigger</h2>
<p>An external advisory reports that the edge gateway has a session disclosure vulnerability that is already being exploited. The platform team has completed the patch, but the SOC still sees some high-privilege sessions continuing from anomalous sources.</p>
<h2 id="initial-hypothesis">Initial Hypothesis</h2>
<table>
  <thead>
      <tr>
          <th>Hypothesis</th>
          <th>Verification data</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>The vulnerability has been exploited</td>
          <td>edge access log, IOC, exploit trace</td>
      </tr>
      <tr>
          <td>The patch is complete but sessions remain valid</td>
          <td>patch record, session store, gateway log</td>
      </tr>
      <tr>
          <td>Downstream services have been affected</td>
          <td>API access log, admin actions, audit log</td>
      </tr>
  </tbody>
</table>
<h2 id="control-surface">Control Surface</h2>
<p>The control surface includes the public entrypoint, patch management, <a href="/blog/backend/knowledge-cards/session-invalidation/" data-link-title="Session Invalidation" data-link-desc="說明事件後如何讓既有會話失效，避免被重放或延續利用">session invalidation</a>, containment, hunting and incident severity.</p>
<h2 id="response-route">Response Route</h2>
<ol>
<li>Observed: confirm the CVE, exposed assets and patch status.</li>
<li>Assessed: correlate IOCs, session activity and high-risk accounts.</li>
<li>Mitigated: restrict gateway access, revoke sessions, raise monitoring.</li>
<li>Validated: confirm the new session policy, log coverage and downstream audit.</li>
<li>Closed: update the vulnerability response and the edge runbook.</li>
</ol>
<h2 id="evidence-target">Evidence Target</h2>
<table>
  <thead>
      <tr>
          <th>Evidence</th>
          <th>Purpose</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>patch record</td>
          <td>Establish the exposure window</td>
      </tr>
      <tr>
          <td>gateway access log</td>
          <td>Determine the scope of session disclosure</td>
      </tr>
      <tr>
          <td>session invalidation record</td>
          <td>Prove containment is complete</td>
      </tr>
      <tr>
          <td>downstream audit log</td>
          <td>Determine service impact</td>
      </tr>
  </tbody>
</table>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/entrypoint-and-server-protection/" data-link-title="7.3 入口治理與伺服器防護" data-link-desc="以問題驅動方式整理對外入口、管理平面與伺服器邊界">7.3 Entrypoint Governance and Server Protection</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/vulnerability-response-state-machine/" data-link-title="7.B11 Vulnerability Response State Machine" data-link-desc="把漏洞回應拆成狀態機，建立 observed 到 closed 的可交接流程">7.B11 Vulnerability Response State Machine</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/vulnerability-response-pattern/" data-link-title="Vulnerability Response Pattern" data-link-desc="定義漏洞回應如何從 observed 推進到 assessed、mitigated、patched、validated 與 closed">Vulnerability response pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern</a></li>
</ul>
]]></content:encoded></item><item><title>Supply Chain Artifact Drill</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/supply-chain-artifact-drill/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/supply-chain-artifact-drill/</guid><description>&lt;p>This scenario's responsibility is to rehearse artifact provenance and the release gate. It takes the &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/" data-link-title="3CX 2023：供應鏈 Artifact 壓力" data-link-desc="把 3CX supply chain compromise 轉成 build、artifact、來源信任與 release gate 的藍隊案例素材">3CX 2023 supply chain case&lt;/a> as its source and converts it into a generic software supply chain artifact drill.&lt;/p>
&lt;h2 id="scenario-trigger">Scenario Trigger&lt;/h2>
&lt;p>Customers report that a desktop client or agent version triggers EDR alerts. Internal comparison finds a discrepancy between the publicly downloadable artifact, the build record and the signing evidence.&lt;/p>
&lt;h2 id="initial-hypothesis">Initial Hypothesis&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Hypothesis&lt;/th>
 &lt;th>Verification data&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>The artifact was replaced after the build&lt;/td>
 &lt;td>checksum, registry log, publish log&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>The build environment was compromised&lt;/td>
 &lt;td>CI log, runner image, credential use&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>An upstream dependency or tool introduced the contamination&lt;/td>
 &lt;td>dependency provenance, developer endpoint evidence&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-surface">Control Surface&lt;/h2>
&lt;p>The control surface includes &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/artifact-provenance/" data-link-title="Artifact Provenance" data-link-desc="說明交付物的來源、完整性與簽章關聯如何建立信任">artifact provenance&lt;/a>, the CI pipeline, release gate, release freeze, rollback and customer advisory.&lt;/p>
&lt;h2 id="response-route">Response Route&lt;/h2>
&lt;ol>
&lt;li>Freeze: pause publication and automatic updates of the affected artifact.&lt;/li>
&lt;li>Scope: compare artifact hashes, download logs and customer version distribution.&lt;/li>
&lt;li>Validate: rebuild a clean build, verify signatures and provenance.&lt;/li>
&lt;li>Rollback: provide a clean artifact, an uninstall path or a rollback route.&lt;/li>
&lt;li>Write-back: update the release gate, build isolation and the artifact evidence policy.&lt;/li>
&lt;/ol>
&lt;h2 id="evidence-target">Evidence Target&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Evidence&lt;/th>
 &lt;th>Purpose&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>build provenance record&lt;/td>
 &lt;td>Determine whether the artifact is traceable&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>signing log&lt;/td>
 &lt;td>Determine whether the signing process was abused&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>customer download log&lt;/td>
 &lt;td>Determine downstream impact&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>release freeze record&lt;/td>
 &lt;td>Prove that risky releases were paused&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性與 Artifact 信任&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/security-risk-in-release-gate/" data-link-title="7.22 資安風險如何進入 Release Gate" data-link-desc="把資安風險、例外與驗證證據納入 release gate，建立可稽核的放行判準">7.22 資安風險如何進入 Release Gate&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/detection-lifecycle-pattern/" data-link-title="Detection Lifecycle Pattern" data-link-desc="定義偵測規則如何管理來源、邏輯、測試事件、誤報與退場">Detection lifecycle pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This scenario's responsibility is to rehearse artifact provenance and the release gate. It takes the <a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/" data-link-title="3CX 2023：供應鏈 Artifact 壓力" data-link-desc="把 3CX supply chain compromise 轉成 build、artifact、來源信任與 release gate 的藍隊案例素材">3CX 2023 supply chain case</a> as its source and converts it into a generic software supply chain artifact drill.</p>
<h2 id="scenario-trigger">Scenario Trigger</h2>
<p>Customers report that a desktop client or agent version triggers EDR alerts. Internal comparison finds a discrepancy between the publicly downloadable artifact, the build record and the signing evidence.</p>
<h2 id="initial-hypothesis">Initial Hypothesis</h2>
<table>
  <thead>
      <tr>
          <th>Hypothesis</th>
          <th>Verification data</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>The artifact was replaced after the build</td>
          <td>checksum, registry log, publish log</td>
      </tr>
      <tr>
          <td>The build environment was compromised</td>
          <td>CI log, runner image, credential use</td>
      </tr>
      <tr>
          <td>An upstream dependency or tool introduced the contamination</td>
          <td>dependency provenance, developer endpoint evidence</td>
      </tr>
  </tbody>
</table>
<h2 id="control-surface">Control Surface</h2>
<p>The control surface includes <a href="/blog/backend/knowledge-cards/artifact-provenance/" data-link-title="Artifact Provenance" data-link-desc="說明交付物的來源、完整性與簽章關聯如何建立信任">artifact provenance</a>, the CI pipeline, release gate, release freeze, rollback and customer advisory.</p>
<h2 id="response-route">Response Route</h2>
<ol>
<li>Freeze: pause publication and automatic updates of the affected artifact.</li>
<li>Scope: compare artifact hashes, download logs and customer version distribution.</li>
<li>Validate: rebuild a clean build, verify signatures and provenance.</li>
<li>Rollback: provide a clean artifact, an uninstall path or a rollback route.</li>
<li>Write-back: update the release gate, build isolation and the artifact evidence policy.</li>
</ol>
<h2 id="evidence-target">Evidence Target</h2>
<table>
  <thead>
      <tr>
          <th>Evidence</th>
          <th>Purpose</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>build provenance record</td>
          <td>Determine whether the artifact is traceable</td>
      </tr>
      <tr>
          <td>signing log</td>
          <td>Determine whether the signing process was abused</td>
      </tr>
      <tr>
          <td>customer download log</td>
          <td>Determine downstream impact</td>
      </tr>
      <tr>
          <td>release freeze record</td>
          <td>Prove that risky releases were paused</td>
      </tr>
  </tbody>
</table>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 Supply Chain Integrity and Artifact Trust</a></li>
<li><a href="/blog/backend/07-security-data-protection/security-risk-in-release-gate/" data-link-title="7.22 資安風險如何進入 Release Gate" data-link-desc="把資安風險、例外與驗證證據納入 release gate，建立可稽核的放行判準">7.22 How Security Risk Enters the Release Gate</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/detection-lifecycle-pattern/" data-link-title="Detection Lifecycle Pattern" data-link-desc="定義偵測規則如何管理來源、邏輯、測試事件、誤報與退場">Detection lifecycle pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern</a></li>
</ul>
]]></content:encoded></item><item><title>Low-frequency Exfiltration Tabletop</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/low-frequency-exfiltration-tabletop/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/low-frequency-exfiltration-tabletop/</guid><description>&lt;p>This scenario's responsibility is to rehearse scoping and notification for low-frequency data exfiltration. It takes the &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/moveit-2023-mft-exfiltration-pressure/" data-link-title="MOVEit 2023：MFT 外送與通報壓力" data-link-desc="把 MOVEit Transfer exploitation 轉成資料外送、影響範圍判讀與通報壓力的藍隊案例素材">MOVEit 2023 MFT exfiltration case&lt;/a> as its source and converts it into a generic MFT and data egress tabletop.&lt;/p>
&lt;h2 id="scenario-trigger">Scenario Trigger&lt;/h2>
&lt;p>An external advisory reports that the managed file transfer system has a vulnerability that is already being exploited. An internal audit finds anomalous web shell indicators on the MFT and multiple low-frequency bulk downloads.&lt;/p>
&lt;h2 id="initial-hypothesis">Initial Hypothesis&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Hypothesis&lt;/th>
 &lt;th>Verification data&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>A web shell was planted on the MFT&lt;/td>
 &lt;td>file integrity, web access log, IOC&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Specific datasets have been exfiltrated&lt;/td>
 &lt;td>download log, object access, database audit&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Notification obligations have been triggered&lt;/td>
 &lt;td>data classification, customer mapping, legal review&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-surface">Control Surface&lt;/h2>
&lt;p>The control surface includes data classification, MFT ownership, audit trail, incident communication, forensic preservation and &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/retention/" data-link-title="Retention" data-link-desc="說明資料或事件保留多久，以及保留期限如何影響重放與成本">retention&lt;/a>.&lt;/p>
&lt;h2 id="response-route">Response Route&lt;/h2>
&lt;ol>
&lt;li>Contain: isolate the MFT, preserve a forensic image, pause high-risk transfers.&lt;/li>
&lt;li>Scope: build the mapping of datasets, customers, time windows and accessing principals.&lt;/li>
&lt;li>Notify: align legal, customer success and the incident commander on the notification cadence.&lt;/li>
&lt;li>Recover: patch the MFT, rotate credentials, verify log coverage.&lt;/li>
&lt;li>Write-back: update data egress controls, retention and low-frequency exfiltration detection.&lt;/li>
&lt;/ol>
&lt;h2 id="evidence-target">Evidence Target&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Evidence&lt;/th>
 &lt;th>Purpose&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>MFT access log&lt;/td>
 &lt;td>Determine the exfiltration time window&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>data classification map&lt;/td>
 &lt;td>Determine notification and impact level&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>customer mapping&lt;/td>
 &lt;td>Determine affected parties&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>forensic preserve record&lt;/td>
 &lt;td>Support investigation and legal review&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/data-protection-and-masking-governance/" data-link-title="7.4 資料保護與遮罩治理" data-link-desc="以問題驅動方式整理資料分級、遮罩、匯出與備份治理">7.4 資料保護與遮罩治理&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/security-incident-write-back-to-product-and-architecture/" data-link-title="7.24 資安事故如何回寫產品與架構" data-link-desc="把事故教訓回寫到產品決策、架構控制與知識網，建立持續改進閉環">7.24 資安事故如何回寫產品與架構&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This scenario's responsibility is to rehearse scoping and notification for low-frequency data exfiltration. It takes the <a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/moveit-2023-mft-exfiltration-pressure/" data-link-title="MOVEit 2023：MFT 外送與通報壓力" data-link-desc="把 MOVEit Transfer exploitation 轉成資料外送、影響範圍判讀與通報壓力的藍隊案例素材">MOVEit 2023 MFT exfiltration case</a> as its source and converts it into a generic MFT and data egress tabletop.</p>
<h2 id="scenario-trigger">Scenario Trigger</h2>
<p>An external advisory reports that the managed file transfer system has a vulnerability that is already being exploited. An internal audit finds anomalous web shell indicators on the MFT and multiple low-frequency bulk downloads.</p>
<h2 id="initial-hypothesis">Initial Hypothesis</h2>
<table>
  <thead>
      <tr>
          <th>Hypothesis</th>
          <th>Verification data</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>A web shell was planted on the MFT</td>
          <td>file integrity, web access log, IOC</td>
      </tr>
      <tr>
          <td>Specific datasets have been exfiltrated</td>
          <td>download log, object access, database audit</td>
      </tr>
      <tr>
          <td>Notification obligations have been triggered</td>
          <td>data classification, customer mapping, legal review</td>
      </tr>
  </tbody>
</table>
<h2 id="control-surface">Control Surface</h2>
<p>The control surface includes data classification, MFT ownership, audit trail, incident communication, forensic preservation and <a href="/blog/backend/knowledge-cards/retention/" data-link-title="Retention" data-link-desc="說明資料或事件保留多久，以及保留期限如何影響重放與成本">retention</a>.</p>
<h2 id="response-route">Response Route</h2>
<ol>
<li>Contain: isolate the MFT, preserve a forensic image, pause high-risk transfers.</li>
<li>Scope: build the mapping of datasets, customers, time windows and accessing principals.</li>
<li>Notify: align legal, customer success and the incident commander on the notification cadence.</li>
<li>Recover: patch the MFT, rotate credentials, verify log coverage.</li>
<li>Write-back: update data egress controls, retention and low-frequency exfiltration detection.</li>
</ol>
<h2 id="evidence-target">Evidence Target</h2>
<table>
  <thead>
      <tr>
          <th>Evidence</th>
          <th>Purpose</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>MFT access log</td>
          <td>Determine the exfiltration time window</td>
      </tr>
      <tr>
          <td>data classification map</td>
          <td>Determine notification and impact level</td>
      </tr>
      <tr>
          <td>customer mapping</td>
          <td>Determine affected parties</td>
      </tr>
      <tr>
          <td>forensic preserve record</td>
          <td>Support investigation and legal review</td>
      </tr>
  </tbody>
</table>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/data-protection-and-masking-governance/" data-link-title="7.4 資料保護與遮罩治理" data-link-desc="以問題驅動方式整理資料分級、遮罩、匯出與備份治理">7.4 Data Protection and Masking Governance</a></li>
<li><a href="/blog/backend/07-security-data-protection/security-incident-write-back-to-product-and-architecture/" data-link-title="7.24 資安事故如何回寫產品與架構" data-link-desc="把事故教訓回寫到產品決策、架構控制與知識網，建立持續改進閉環">7.24 How Security Incidents Write Back to Product and Architecture</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="定義 tabletop 與 game day 如何把 finding 回寫成控制更新、runbook 更新與 [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern</a></li>
</ul>
]]></content:encoded></item></channel></rss>