<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Incident Learning on Tarragon</title><link>https://tarrragon.github.io/blog/tags/incident-learning/</link><description>Recent content in Incident Learning on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Thu, 30 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/incident-learning/index.xml" rel="self" type="application/rss+xml"/><item><title>7.BM2 Blue Team Field Case Materials</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/</guid><description>&lt;p>Blue team field case materials exist to capture the pressure defenders face in real incidents. This layer first records the intake rules; cases with reliable sources, sufficient detail, and a clear path to defensive decisions are added later.&lt;/p>
&lt;h2 id="收錄欄位">Intake Fields&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Field&lt;/th>
 &lt;th>Responsibility&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Case source&lt;/td>
 &lt;td>Source and date&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Defender pressure&lt;/td>
 &lt;td>Visibility, timeline, or coordination pressure borne by defenders&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Control gap&lt;/td>
 &lt;td>Gap in controls revealed by the incident&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Detection route&lt;/td>
 &lt;td>Observable signals and escalation routing&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Exercise hook&lt;/td>
 &lt;td>Scenario that can be turned into a tabletop or Game Day exercise&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="收錄優先序">Intake Priority&lt;/h2>
&lt;p>Case intake is prioritised by defensive exercise value. Cases that fill gaps in identity, edge exposure, supply chain, data exfiltration, or incident coordination are the first to be turned into scenario cards and control patterns.&lt;/p>
&lt;h2 id="source-first-規則">Source-first Rule&lt;/h2>
&lt;p>A field case card exists to preserve traceable defender pressure. Every case card must start from a public source, and only then extract the defender pressure, control gap, detection route, exercise hook, and write-back target.&lt;/p>
&lt;p>Source priority, in order: official incident statements, advisories from government or security agencies, postmortems from the affected organisation, commissioned investigation reports, and credible technical analysis. If a source supports only some of the fields, the case card must state explicitly which parts can be cited.&lt;/p>
&lt;h2 id="下一輪案例大綱">Next Round Case Outline&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Case direction&lt;/th>
 &lt;th>Core pressure&lt;/th>
 &lt;th>Planned output&lt;/th>
 &lt;th>Write-back target&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Identity abuse field case&lt;/td>
 &lt;td>Identity verification, support workflow, and privilege revocation pressure&lt;/td>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta support token case&lt;/a>&lt;/td>
 &lt;td>&lt;code>7.2&lt;/code> + &lt;code>7.B12&lt;/code>&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Edge exposure field case&lt;/td>
 &lt;td>External entry point exposure, patch window, and detection lag&lt;/td>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/citrix-bleed-2023-edge-session-pressure/" data-link-title="Citrix Bleed 2023：入口曝險與 Session 壓力" data-link-desc="把 Citrix Bleed 轉成入口曝險、session hijack 與修補後 hunting 的藍隊案例素材">Citrix Bleed edge case&lt;/a>&lt;/td>
 &lt;td>&lt;code>7.3&lt;/code> + &lt;code>7.B11&lt;/code>&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Supply chain field case&lt;/td>
 &lt;td>Build, artifact, third-party tooling, and release gate pressure&lt;/td>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/" data-link-title="3CX 2023：供應鏈 Artifact 壓力" data-link-desc="把 3CX supply chain compromise 轉成 build、artifact、來源信任與 release gate 的藍隊案例素材">3CX supply chain case&lt;/a>&lt;/td>
 &lt;td>&lt;code>7.12&lt;/code> + &lt;code>7.22&lt;/code>&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Data exfiltration field case&lt;/td>
 &lt;td>Low-frequency export, data scope assessment, and notification pressure&lt;/td>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/moveit-2023-mft-exfiltration-pressure/" data-link-title="MOVEit 2023：MFT 外送與通報壓力" data-link-desc="把 MOVEit Transfer exploitation 轉成資料外送、影響範圍判讀與通報壓力的藍隊案例素材">MOVEit exfiltration case&lt;/a>&lt;/td>
 &lt;td>&lt;code>7.4&lt;/code> + &lt;code>7.24&lt;/code>&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Incident coordination field case&lt;/td>
 &lt;td>Multi-team triage, ownership, communication, and evidence pressure&lt;/td>
 &lt;td>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/cisa-geoserver-2024-ir-coordination-pressure/" data-link-title="CISA GeoServer 2024：IR 協調壓力" data-link-desc="把 CISA GeoServer incident response lessons learned 轉成修補、EDR、IR plan 與第三方協調壓力素材">CISA GeoServer IR case&lt;/a>&lt;/td>
 &lt;td>&lt;code>7.B6&lt;/code> + &lt;code>08&lt;/code>&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>A field case card is complete when it can support one scenario card and one control pattern card. Every card must record a detection route, an exercise hook, and a write-back target.&lt;/p>
&lt;h2 id="變體案例補強反向驗證">Variant Cases (Reinforcing Reverse Validation)&lt;/h2>
&lt;p>Following the &lt;a href="https://tarrragon.github.io/blog/report/source-library-ratio-supports-scenario-validation/" data-link-title="素材庫比例要支撐主情境的反向驗證" data-link-desc="當文章只展示少量主情境時，素材庫需要保留更多 field cases 或 source cards 來支撐反向驗證、壓力變體與後續擴寫。合理比例是主文章情境 4-5 個、來源素材約 2-3 倍，讓每個主情境背後至少有 2-3 個來源可回查。">source library ratio design&lt;/a>, each main scenario is backed by 2-3 sources. The cases below add variant pressure for identity, edge, supply chain, and data exfiltration.&lt;/p></description><content:encoded><![CDATA[<p>Blue team field case materials exist to capture the pressure defenders face in real incidents. This layer first records the intake rules; cases with reliable sources, sufficient detail, and a clear path to defensive decisions are added later.</p>
<h2 id="收錄欄位">Intake Fields</h2>
<table>
  <thead>
      <tr>
          <th>Field</th>
          <th>Responsibility</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Case source</td>
          <td>Source and date</td>
      </tr>
      <tr>
          <td>Defender pressure</td>
          <td>Visibility, timeline, or coordination pressure borne by defenders</td>
      </tr>
      <tr>
          <td>Control gap</td>
          <td>Gap in controls revealed by the incident</td>
      </tr>
      <tr>
          <td>Detection route</td>
          <td>Observable signals and escalation routing</td>
      </tr>
      <tr>
          <td>Exercise hook</td>
          <td>Scenario that can be turned into a tabletop or Game Day exercise</td>
      </tr>
  </tbody>
</table>
<h2 id="收錄優先序">Intake Priority</h2>
<p>Case intake is prioritised by defensive exercise value. Cases that fill gaps in identity, edge exposure, supply chain, data exfiltration, or incident coordination are the first to be turned into scenario cards and control patterns.</p>
<h2 id="source-first-規則">Source-first Rule</h2>
<p>A field case card exists to preserve traceable defender pressure. Every case card must start from a public source, and only then extract the defender pressure, control gap, detection route, exercise hook, and write-back target.</p>
<p>Source priority, in order: official incident statements, advisories from government or security agencies, postmortems from the affected organisation, commissioned investigation reports, and credible technical analysis. If a source supports only some of the fields, the case card must state explicitly which parts can be cited.</p>
<h2 id="下一輪案例大綱">Next Round Case Outline</h2>
<table>
  <thead>
      <tr>
          <th>Case direction</th>
          <th>Core pressure</th>
          <th>Planned output</th>
          <th>Write-back target</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Identity abuse field case</td>
          <td>Identity verification, support workflow, and privilege revocation pressure</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/okta-support-token-2023-identity-pressure/" data-link-title="Okta 2023 Support Token：身份支援流程壓力" data-link-desc="把 Okta 2023 support system incident 轉成身份供應鏈與支援流程的藍隊案例素材">Okta support token case</a></td>
          <td><code>7.2</code> + <code>7.B12</code></td>
      </tr>
      <tr>
          <td>Edge exposure field case</td>
          <td>External entry point exposure, patch window, and detection lag</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/citrix-bleed-2023-edge-session-pressure/" data-link-title="Citrix Bleed 2023：入口曝險與 Session 壓力" data-link-desc="把 Citrix Bleed 轉成入口曝險、session hijack 與修補後 hunting 的藍隊案例素材">Citrix Bleed edge case</a></td>
          <td><code>7.3</code> + <code>7.B11</code></td>
      </tr>
      <tr>
          <td>Supply chain field case</td>
          <td>Build, artifact, third-party tooling, and release gate pressure</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/" data-link-title="3CX 2023：供應鏈 Artifact 壓力" data-link-desc="把 3CX supply chain compromise 轉成 build、artifact、來源信任與 release gate 的藍隊案例素材">3CX supply chain case</a></td>
          <td><code>7.12</code> + <code>7.22</code></td>
      </tr>
      <tr>
          <td>Data exfiltration field case</td>
          <td>Low-frequency export, data scope assessment, and notification pressure</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/moveit-2023-mft-exfiltration-pressure/" data-link-title="MOVEit 2023：MFT 外送與通報壓力" data-link-desc="把 MOVEit Transfer exploitation 轉成資料外送、影響範圍判讀與通報壓力的藍隊案例素材">MOVEit exfiltration case</a></td>
          <td><code>7.4</code> + <code>7.24</code></td>
      </tr>
      <tr>
          <td>Incident coordination field case</td>
          <td>Multi-team triage, ownership, communication, and evidence pressure</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/cisa-geoserver-2024-ir-coordination-pressure/" data-link-title="CISA GeoServer 2024：IR 協調壓力" data-link-desc="把 CISA GeoServer incident response lessons learned 轉成修補、EDR、IR plan 與第三方協調壓力素材">CISA GeoServer IR case</a></td>
          <td><code>7.B6</code> + <code>08</code></td>
      </tr>
  </tbody>
</table>
<p>A field case card is complete when it can support one scenario card and one control pattern card. Every card must record a detection route, an exercise hook, and a write-back target.</p>
<h2 id="變體案例補強反向驗證">Variant Cases (Reinforcing Reverse Validation)</h2>
<p>Following the <a href="/blog/report/source-library-ratio-supports-scenario-validation/" data-link-title="素材庫比例要支撐主情境的反向驗證" data-link-desc="當文章只展示少量主情境時，素材庫需要保留更多 field cases 或 source cards 來支撐反向驗證、壓力變體與後續擴寫。合理比例是主文章情境 4-5 個、來源素材約 2-3 倍，讓每個主情境背後至少有 2-3 個來源可回查。">source library ratio design</a>, each main scenario is backed by 2-3 sources. The cases below add variant pressure for identity, edge, supply chain, and data exfiltration.</p>
<table>
  <thead>
      <tr>
          <th>Main scenario</th>
          <th>Variant case</th>
          <th>Reinforcement angle</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Identity</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/storm-0558-2023-cloud-signing-key-pressure/" data-link-title="Storm-0558 2023:雲端簽章金鑰壓力" data-link-desc="把 Microsoft Storm-0558 MSA signing key 事件轉成雲端身份信任、key rotation 與 tenant boundary 壓力素材">Storm-0558 cloud signing key</a></td>
          <td>Cloud identity root of trust, key rotation</td>
      </tr>
      <tr>
          <td>Identity</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/mgm-2023-helpdesk-social-engineering-pressure/" data-link-title="MGM 2023:Helpdesk 社交工程壓力" data-link-desc="把 MGM Resorts 2023 事件轉成 helpdesk 驗證、IdP 高權限保護與營運中斷壓力素材">MGM helpdesk pressure</a></td>
          <td>Helpdesk verification and protection of privileged IdP roles</td>
      </tr>
      <tr>
          <td>Edge exposure</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/ivanti-connect-secure-2024-edge-mass-exploitation/" data-link-title="Ivanti Connect Secure 2024:邊界設備批量利用壓力" data-link-desc="把 Ivanti Connect Secure 零日鏈式利用轉成邊界設備、emergency directive 與 integrity check 壓力素材">Ivanti Connect Secure mass exploitation</a></td>
          <td>Mass exploitation, emergency directive, integrity check</td>
      </tr>
      <tr>
          <td>Supply chain</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/xz-utils-2024-open-source-maintainer-pressure/" data-link-title="XZ Utils 2024:開源維護者信任壓力" data-link-desc="把 XZ Utils backdoor 轉成開源維護者信任、pre-release 偵測與 distro 回應壓力素材">XZ Utils maintainer pressure</a></td>
          <td>Open-source maintainer trust, pre-release detection</td>
      </tr>
      <tr>
          <td>Data exfiltration</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/snowflake-2024-credential-reuse-pressure/" data-link-title="Snowflake 2024:SaaS Credential 重用壓力" data-link-desc="把 Snowflake UNC5537 事件轉成 SaaS data platform credential、MFA 與 network allow list 壓力素材">Snowflake credential reuse</a></td>
          <td>SaaS platform credentials, MFA, network boundary</td>
      </tr>
      <tr>
          <td>Incident coordination</td>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/materials/field-cases/change-healthcare-2024-recovery-and-dependency-pressure/" data-link-title="Change Healthcare 2024:復原與外部依賴壓力" data-link-desc="把 Change Healthcare 事件轉成關鍵服務復原、外部依賴與通報協調壓力素材">Change Healthcare recovery</a></td>
          <td>Prolonged recovery, external dependencies, regulatory notification</td>
      </tr>
  </tbody>
</table>
]]></content:encoded></item></channel></rss>