How to Build a Secure Browser for Organizations

The most vulnerable part of most organizations’ network infrastructure is their browser. This is because it is a gateway to major attacks, primarily through malicious websites. This is also true for a government organization such as NASA.

Network Security and Endpoint Security generally both depend heavily on the concept of Assurance. Assurance means enacting the proper Policies, Permissions, and Protections to make browsing safe. In order to gain this assurance and enact effective policies, organizations should have insight into the inner workings of browsers and how they handle code running inside of their application walls.

Browser security at NASA is extremely important, but at the same time extremely hard to get right. As an organization, there is a need to be smart about developing Assurance for users by creating Policies and provisioning Privileges that Protect everyone while preserving performance.

In this article, I’ll be showing you a technical breakdown of how to develop a browser that uses Artificial Intelligence to create dynamic use policies based on real-time threat intelligence. As a user, this dynamic policy creation, provisioning, and enforcement should be seamless.

The browser is code-named Jemison. One of its major benefits is to offer fewer roadblocks in the form of analog permission requests, fewer restrictions on the range of sites you can visit, and overall less worry about visiting suspicious websites. Let’s ride.

What Is The Objective Of The Security Plan

The basic objective of this security plan is to create real-time rules for browser behavior that apply to a wide range of activities. These rules are remotely enforceable and utilize machine learning to make real-time decisions about security. To fully explain the security plan, I’ll:

  • Describe the type of threats we need to secure against

  • Investigate how the Chrome Browser works and provide an introduction to the Chromium Open Source Project

  • Outline how we can make a new, safer browser by upgrading the Chromium Process Manager

  • Propose ways we can measure success and implement effective threat modeling

This article will primarily focus on the types of threats we need to protect against and how we can engineer a solution. It will not address legal or budget concerns.

What Is The Scope Of The Security Plan

This security plan will primarily focus on the types of threats we need to protect against and how we can engineer a solution. It will not address legal or budget concerns.

More so, it will have a sharp focus on Chrome and the way it handles browser activity and security. Chrome, one of the most popular browsers, is based on an Open Source Project, Chromium. While the Chrome source code is not open, the code that is used to build it is. This section provides the scope for our security development roadmap.

The scope of the security plan is fundamentally classified under the general target, general audience, and affected systems:

#1. General Target

A browser is an application launchpad, an application container, and the door to data storage. Desktops, laptops, phones, tablets, and even some TVs have browsers. This security plan and the development efforts will include all devices that contain a Browser, or the capabilities to have a browser.

#2. General Audience

Users operate browsers, and their actions in the browser may cause the organization to be vulnerable to attacks. We need a way to allow most actions but limit the scope of these actions, so mistakes don’t lead to breaches. Therefore our security plan will focus on creating smart, dynamic policies around user behavior in the browser, policies that protect users and do not impede their work.

#3. Affected Systems

Browser Navigation Rules, or decisions about which websites users can visit, are usually handled by endpoint protection. The components involved in aligning the endpoint security management systems include an operating system, updated antivirus software, and a Virtual Private Network (VPN) client.

However, there are many instances when the user intentionally or unintentionally turns VPN and antivirus OFF, breaking most traditional endpoint detection. The solutions discussed here will seek to protect the user, even if these two layers of protection are gone.

Who Are The Development Stakeholders?

To make this project a reality, there are three tiers of developers, which can be categorized as follows:

  • Product Managers from Security Operations will be responsible for creating the product requirements.

  • System Engineering will be responsible for the technical requirements and for developing the solution.

  • Quality Assurance will be responsible for developing acceptance criteria and performing UAT.

Technical Description For Building A Secure Browser

Chromium development starts with understanding the Chromium codebase. First of all, Chromium is not the Chrome Browser itself. The Chromium Open Source Project, much like the Mozilla Project, is supported by the community. Also, Chromium’s multi-process architecture is a radical departure from other web browsers.

This multi-process architecture makes each tab its own process managed by the Chromium Central Process Manager. Our approach is to leverage this architecture to create dynamic policy enforcement while preserving the user experience and performance. We’ll discuss the fundamental parameters and salient subjects of the development:

#1. Chromium Central Process Manager

Separate processes for each tab help achieve a number of amazing innovations. First, the code running in that tab’s process also has its own thread and its own memory block. Here is an overview of the sandboxing architecture:

“Given the renderer is running in a separate process, we have the opportunity to restrict its access to system resources via sandboxing. For example, we can ensure that the renderer’s only access to the network is via its parent browser process. Likewise, we can restrict its access to the filesystem using the host operating system’s built-in permissions.

In addition to restricting the renderer’s access to the filesystem and network, we can also place limitations on its access to the user’s display and related objects. We run each render process on a separate Windows “Desktop” which is not visible to the user. This prevents a compromised renderer from opening new windows or capturing keystrokes.”

Chromium’s architecture mimics the type of isolation that processes are given when running in a modern Operating System. This type of architecture is ideal for creating and enforcing custom security policies.

If we can actively control the policies used to make decisions in the browsers and dynamically grant permissions to processes running inside tabs, we can do a better job at protecting the users from harming themselves or the organization without impeding access to legitimate sites or slowing down performance.

Google built Chromium with security in mind. However, its policy management features are a little outdated, slow, and relatively weak. Google pointed out this weakness in an online comic they used to announce the Chromium project in 2008. The security API is public, however, and they did this with the idea that the community would improve on the design.

#2. Active Policy Agent AI Agent

Our idea is to create an Active Policy Agent AI Agent in the Broker module, one ideally updated by a private blockchain like the one in BETA at Oasis Labs. The policies in the browser could be updated from a reliable source in real-time while the AI module makes decisions about safety based on derived variants of the threats before they are found by threat researchers.

The Active Policy AI Agent operates under the basic principles of Threat Hunting. It is updated by a trusted source using Private BlockChain Smart Contracts, and it relays Threat Intelligence using BlockChain back to the security team for analysis, alerts, and actions. When I described some new ideas of this system to a classmate, their initial response was:

With the Active Policy AI Agent and a system that relays the behavior of users back to the Security Team, there would be no need for “pitchforks and torches.” Making decisions about a particular Chinese website, or a certain version of the Flash Player based on real-time threat intelligence and the actual processes running in the tabbed sandbox of a user’s browser eliminates the need for most analog “permission granting.”

Using Oasis Labs Testnet and a fork of the Chromium Project, I’ve started the development of an Active Policy Agent AI.

#3. Passwords

The Active Policy AI Agent doesn’t just need to scan for malicious code or suspicious websites; it can be configured to ensure that passwords are strong and memorable. The best passwords are long, include several different types of characters and, most importantly, can be remembered. Forcing users to pick long passwords that they can’t remember leads to a much worse CyberSecurity no-no: saving them in a file called “passwords.” Quoting myself:

“We all remember lyrics from songs, or lines from movies, or famous quotes. If we intersperse these with numbers and special characters, we can make a pretty strong password. For instance, many people know this quote: “Hello, my name is Inigo Montoya. You killed my father, prepare to die.” What if we converted that to HmniIMykmfPTD747#! … Here I just used the first letter of each word in the phrase and capitalized the Hello, Inigo Montoya and Prepare To Die, then added 747, hash, bang.”

The Active Policy AI Agent will sense when the user is picking or using a password and can provide prompts that help the user create a strong password using the method above, almost like an Alexa service.

Policy Agent: “Looks like you are choosing a password, would you like some help?”

User: Sure.

Policy Agent: “Great, think of a line from your favorite movie or song. Don’t write it down, just think of it. Choose something you know like the back of your hand.”

User: Ok, got it.

Policy Agent: “Ok, now use the first letter of each word in that phrase to create your password, capitalizing words like names or key points … then add a small number and a special character that you can remember. For example: ‘Show me the Money!’ -Jerry Maguire … would be ‘SmtM!JM747#!’”
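The construction the agent walks the user through, followed by the kind of policy check it could run on the result, as an added sketch that is not part of the original article or of any Jemison code. The function names and the 12-character minimum are assumptions.

```python
import re
import string

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def mnemonic_password(phrase, emphasized, suffix):
    """First letter of each word in the phrase, upper-case for the words the
    user chose to emphasize and lower-case otherwise, followed by the suffix
    (the "small number and a special character")."""
    emphasized = {w.lower() for w in emphasized}
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    letters = [w[0].upper() if w.lower() in emphasized else w[0].lower()
               for w in words]
    return "".join(letters) + suffix


def policy_findings(password):
    """Return a list of human-readable problems; an empty list means the
    password passes this (assumed) policy."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(
            f"too short: {len(password)} < {MIN_LENGTH}; pick a longer phrase")
    classes = {
        "lower-case letter": string.ascii_lowercase,
        "upper-case letter": string.ascii_uppercase,
        "digit": string.digits,
        "special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            findings.append(f"missing {name}")
    return findings


if __name__ == "__main__":
    # The phrase and capitalization choices from the article's own example.
    long_pw = mnemonic_password(
        "Hello, my name is Inigo Montoya. You killed my father, prepare to die.",
        {"hello", "inigo", "montoya", "prepare", "to", "die"},
        "747#!",
    )
    print(long_pw, policy_findings(long_pw))

    # A four-word phrase yields too few letters, so the agent should prompt
    # for a longer line instead of accepting the result.
    short_pw = mnemonic_password("Show me the money", {"show", "money"}, "747#!")
    print(short_pw, policy_findings(short_pw))
```

The phrase itself is only held in memory for the derivation; nothing here stores or logs it.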

How To Troubleshoot The System

Troubleshooting in this security plan means uncovering threats before they happen and avoiding false positives. Nobody wants to use a Browser that is constantly impeding their browsing experience, and yet the security team wants to stay two steps ahead of attackers.

By adopting the Threat Hunt Model, we can analyze browser activity and use the findings to enforce policies for users across the organization. However, threat hunting is not enough. To be successful, we need to create standards around communication and make the threat hunt model a mindset.

The traditional definition of Threat Hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” The problem in most modern security plans is that the threat hunters, system engineers, and help desk agents don’t communicate.

If we imagine each of these positions as a part of the human body, white blood cells, red blood cells, and the sensory system respectively, we can imagine how the lack of communication can lead to massive dysfunction.

By integrating AI into the browser as a policy agent, we are effectively making the browser a threat hunt agent, which is powerful. However, if we fail to communicate across teams, we will still fail to take action when it is most needed.

Developing the capacity to troubleshoot the system and its effectiveness involves a radical paradigm shift. If all of the people described above take on the mentality of a threat hunter, the level of organizational vigilance is raised exponentially.

There is broad agreement in the Threat Hunting community that effective classification leads to better data analysis. As a former Pandora engineer, I agree. Proper classification makes predictive systems exponentially stronger, much like a twined rope.

Procedures And Policies To Implement Threat Hunting Troubleshooting

Here are some concrete actions, policies, and procedures we can take to improve troubleshooting in the threat hunt paradigm:

#1. Help Desk Ticket Cross Analysis

This will help us understand a user’s request in context. A simple request for privileges, or for access to a site, can appear harmless when evaluated in isolation. Help Desk Agents should have access to the real-time analysis captured by the Active Policy Agent AI and use this data to make better decisions about access and permissions.

#2. Threat Modeling

This is a well-known practice, but the results of this research are not always distilled down to policies that can be consumed by machine learning engines. As a part of increasing the effectiveness of the Active Policy Agent AI, the security team will work hand in hand with Data Science to train new models as they surface in the threat landscape.

#3. Regular Joint Cyber Security Debriefing

There should be a regular joint cybersecurity briefing with representatives from SecOps, Engineering, Human Resources, and each Business Unit (Research, Finance, Operations, etc.), held on a bi-weekly basis. The purpose of the meeting should be to share information about threats and help reinforce CyberSecurity principles.

#4. Feedback Mechanisms

The feedback mechanisms in the browser should be at the ready and easy to use. When users have problems with the browser, they should be able to quickly report issues. This will also include crash reporting. The best feedback mechanism only requires a few clicks, captures the user sentiment and relays a snapshot of the browser’s log back to the Engineering Team.

My Recommended SecOps Vendor

ExtraHop is one of my favorite SecOps Vendors. It has an amazing dashboard that allows SecOps Engineers to see threat intelligence from several different perspectives with a few clicks. As a NASA employee, I was able to demo the software and see the way their dashboard helps organize the flood of information coming from the myriad of devices on the network.

It’s no wonder SecOps Engineers are overwhelmed. Without the proper tools, it is literally impossible to make sense of the activity happening within an organization’s network.

“The core of ExtraHop technology is a passive network appliance that uses a network tap or port mirroring to receive network traffic, and then performs real-time full-stream reassembly to extract application-level protocol metrics and other custom-specified information contained in the transaction payload.

A subset of these metrics is sent to the cloud where they are used as machine learning features to detect anomalous behavior that could indicate a data breach, for example.”

Almost like the Alexa device sitting in our kitchen, ExtraHop is always listening, trying to understand if what it hears is normal or anomalous. This type of constant listening is pretty useless without tools that will make sense of the data.

Threat Modeling and Classification is an important part of the ExtraHop value proposition, but it may be hard to believe. However, knowing that threats are never one dimensional helps software like ExtraHop detect threads of activity that may represent malicious behavior.

In the case of the breach at the DNC, there were several clues discovered in hindsight that would have tripped alarms: logins from strange locations within impossible timeframes, the elevation of user privileges followed by large movements of data. Yes, malware unlocked the door but breaking the lock alone was not the point of the breach. Network analysis, like the type offered by ExtraHop, could have stopped the hackers from getting the goods.
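The two hindsight clues named above, written as detection rules over a small constructed event log. This is an added example, not from the original article or from ExtraHop; the event fields, the 900 km/h speed ceiling, the one-hour window and the 1 GB threshold are all assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real data).
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice", "type": "login", "lat": 38.90, "lon": -77.04},
    {"ts": "2024-03-01T09:30:00", "user": "alice", "type": "login", "lat": 55.75, "lon": 37.62},
    {"ts": "2024-03-01T09:40:00", "user": "alice", "type": "priv_elevation"},
    {"ts": "2024-03-01T09:55:00", "user": "alice", "type": "transfer", "bytes": 4_000_000_000},
    {"ts": "2024-03-01T08:10:00", "user": "bob", "type": "login", "lat": 38.90, "lon": -77.04},
    {"ts": "2024-03-01T17:00:00", "user": "bob", "type": "login", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-03-01T17:05:00", "user": "bob", "type": "transfer", "bytes": 6_000_000_000},
]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def by_user(events, kind):
    """Group events of one type per user, in time order."""
    out = {}
    for e in sorted(events, key=_t):
        if e["type"] == kind:
            out.setdefault(e["user"], []).append(e)
    return out


def impossible_travel(events, max_kmh=900.0):
    """Consecutive logins whose implied travel speed exceeds max_kmh."""
    alerts = []
    for user, logins in by_user(events, "login").items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (_t(cur) - _t(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Ignore small geolocation jitter; simultaneous distant logins count.
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, prev["ts"], cur["ts"], round(km)))
    return alerts


def elevation_then_bulk_transfer(events, window=timedelta(hours=1),
                                 min_bytes=1_000_000_000):
    """Privilege elevation followed, within the window, by a large transfer."""
    alerts = []
    transfers = by_user(events, "transfer")
    for user, elevations in by_user(events, "priv_elevation").items():
        for elev in elevations:
            for tr in transfers.get(user, []):
                delay = _t(tr) - _t(elev)
                if timedelta(0) <= delay <= window and tr["bytes"] >= min_bytes:
                    alerts.append((user, elev["ts"], tr["ts"], tr["bytes"]))
    return alerts


def correlated_users(events):
    """Users who trip both rules: the chain of signals, not a single event."""
    travel = {a[0] for a in impossible_travel(events)}
    exfil = {a[0] for a in elevation_then_bulk_transfer(events)}
    return sorted(travel & exfil)


if __name__ == "__main__":
    print(impossible_travel(EVENTS))
    print(elevation_then_bulk_transfer(EVENTS))
    print(correlated_users(EVENTS))
```

In the sample data bob moves more bytes than alice but trips neither rule, because his logins are plausible and no elevation precedes the transfer.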

The screen above shows a visual network mapping of an event and how it has propagated through a network.

This screen shows aggregated data analysis that classified a chain of events as an attack.

Why Do You Need A Secure Browser In Your Organization?

Web Browsers are a popular surface for attacks because they may provide an open door to the World Wide Web. Most can execute code in a powerful Virtual Machine, and yet their regular use tends to lull users into a relaxed state, one in which they lower their guard.

Even the most vigilant user can miss most of the I/O happening in the browser’s ecosystem, i.e. cookies, cache, files sitting in the downloads folder, and more. Most of the software that protects endpoints does so by trying to intercept URLs but cannot protect against code that executes in a browser session once the user is already on a site.

Safe Browsing means more than just avoiding malicious websites. Threat actors can attack the browser from many different vectors. Security in the browser involves thinking about all the areas where user data is held and how this data is managed.

It involves understanding how scripts run while visiting a site, and understanding how a site verifies its authenticity. It further involves managing the user’s ability to install plugins to the browser or use the browser to run outside applications.

The Diamond Intrusion Model describes how to understand threats beyond two-dimensional ideas that only look at an intruder and a victim. Instead, the author challenges us to understand the entire kill chain and how threats develop.

“In its simplest form (Figure 1), the model describes that an adversary deploys a capability over some infrastructure against a victim. These activities are called events and are atomic features. Analysts or machines populate the model’s vertices as events are discovered and detected.

The vertices are linked with edges highlighting the natural relationship between the features. By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.”

If we accept the assertions of the Diamond Model, it is easy to understand why traditional methods of browser security are inadequate. Adversaries are not the malware we find in our networks or the vulnerabilities we uncover in software.

Adversaries are people who develop capabilities. Whether these capabilities include exploitation of a software flaw is not of major consequence. Sometimes exploiting software is not necessary as the user can be seduced into using the software in the wrong ways. Quoting the Diamond Model again:

“…an adversary does not operate in a single event against a victim, but rather in a chain of causal events within a set of ordered phases in which, generally, each phase must be executed successfully to achieve their intent.”
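A minimal version of the pivoting described in the quoted passages, plus a check for earlier phases that must have happened but were never observed. This is an added example, not from the article or the Diamond Model paper; the events and all names are constructed, and the phase list is the commonly used seven-phase kill chain.

```python
from dataclasses import dataclass
from typing import Optional

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command-and-control", "actions-on-objectives"]
VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Event:
    adversary: Optional[str]  # usually unknown when an event is first detected
    capability: str
    infrastructure: str
    victim: str
    phase: str


# Constructed events (hypothetical names, documentation-range addresses).
EVENTS = [
    Event(None, "phish-doc-A", "mail.example.net", "hr-laptop-07", "delivery"),
    Event(None, "macro-loader-B", "cdn.example.org", "hr-laptop-07", "exploitation"),
    Event(None, "macro-loader-B", "cdn.example.org", "fin-laptop-12", "exploitation"),
    Event(None, "rat-C", "198.51.100.7", "fin-laptop-12", "command-and-control"),
    Event(None, "adware-Z", "ads.example.com", "kiosk-01", "installation"),
]


def pivot(events, vertex, value):
    """Start from one known feature and follow shared vertex values across
    events until nothing new is found. Returns (features found, linked events).
    Every link is a lead for an analyst to confirm, not a conclusion."""
    known = {(vertex, value)}
    linked = []
    changed = True
    while changed:
        changed = False
        for ev in events:
            pairs = {(v, getattr(ev, v)) for v in VERTICES
                     if getattr(ev, v) is not None}
            if ev not in linked and pairs & known:
                linked.append(ev)
                known |= pairs
                changed = True
    found = {v: sorted(val for k, val in known if k == v) for v in VERTICES}
    return found, linked


def unobserved_earlier_phases(events, victim):
    """Phases before the latest one seen on this victim that have no event.
    Each phase has to succeed for the next to occur, so these gaps are
    where to hunt for evidence that was missed."""
    seen = {ev.phase for ev in events if ev.victim == victim}
    if not seen:
        return []
    last = max(PHASES.index(p) for p in seen)
    return [p for p in PHASES[:last] if p not in seen]


if __name__ == "__main__":
    found, linked = pivot(EVENTS, "infrastructure", "mail.example.net")
    print(found)
    print(len(linked), "linked events")
    print(unobserved_earlier_phases(EVENTS, "fin-laptop-12"))
```

Starting from a single mail server, the pivot reaches a second victim and a command-and-control address while leaving the unrelated kiosk event out.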

Overcoming traditional antivirus or finding a hole in the firewall is akin to jumping a fence and finding an unlocked window. The breach event is not the objective, and it was not achieved without understanding the environment.

By delivering and positioning AI at the frontline, inside the browser, we effectively empower the “unlocked window” to lock itself because it recognizes that the family is asleep every evening by 10 pm. Also, the smartphones of the owners that are usually always in their pockets are on their chargers (not outside of the house), and nobody has ever approached the window from the outside at 2 am in the history of recorded events.

This smart decision making pushed to the edges of the network represents the future of security not just for Browsers but for IoT devices as well. Pushing this smart decision making into the engine that runs the browser is a good first step.

Conclusion

A secure browser is totally achievable using Chromium open source development. But it doesn’t stop at developing a security plan. The users must also adhere to the security policies set in the organizations to ensure that they don’t give room for malicious attacks of any sort.

Translated from: https://medium.com/@brianrusseldavis/how-to-build-a-secure-browser-for-organizations-7ad38e57780a
