Joint Group-IB and Belkasoft courses: what we will teach and who should attend

Algorithms and techniques for responding to information security incidents, trends in current cyberattacks, methods for investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data: all of these and other topics can be studied in the new joint courses from Group-IB and Belkasoft. In August we announced the first Belkasoft Digital Forensics course, which starts on September 9, and having received a large number of questions, we decided to describe in detail what students will study and what knowledge, skills and bonuses (!) those who make it to the end will receive. First things first.

Two in one

The idea of holding joint training courses came about after participants in Group-IB courses began asking about a tool that would help them investigate compromised computer systems and networks, and that would combine the functions of the various free tools we recommend using during incident response.

In our view, such a tool could be Belkasoft Evidence Center (we have already discussed it in Igor Mikhailov's article "Key to start: the best software and hardware for computer forensics"). So, together with Belkasoft, we developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interrelated! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination to investigating incidents using Belkasoft products. That is, before studying the Belkasoft Incident Response Examination course, we recommend completing Belkasoft Digital Forensics. If you start straight away with the incident investigation course, a student may have annoying gaps in knowledge about using Belkasoft Evidence Center and about finding and examining artifacts. This can mean that during the Belkasoft Incident Response Examination course the student either does not have time to master the material, or holds back the rest of the group from acquiring new knowledge, because training time is spent by the instructor explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The goal of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program, teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media (hard drives, flash drives, etc.)), and to master basic forensic techniques and methods, including approaches to the forensic examination of Windows artifacts, mobile devices and RAM dumps. You will also learn to identify and document artifacts of browsers and instant messaging programs, create forensic copies of data from various sources, extract geolocation data and search for text strings (keyword search), use hashes when conducting examinations, analyse the Windows registry, master techniques for examining unknown SQLite databases, the basics of analysing image and video files, and analytical techniques used during investigations.

The course will be useful to computer forensics specialists (forensic examiners); technical specialists who determine the causes of a successful intrusion and analyse the chain of events and the consequences of cyberattacks; technical specialists who identify and document data theft (leaks) by an insider (internal violator); e-Discovery specialists; SOC and CERT/CSIRT staff; information security staff; and computer forensics enthusiasts.

Course syllabus:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and managing cases in BEC
  • Collecting digital evidence for forensic examination with BEC
  • Using filters
  • Generating reports
  • Examining instant messaging programs
  • Web browser examination
  • Mobile device examination
  • Extracting geolocation data
  • Searching for text strings in cases
  • Extracting and analysing data from cloud storage
  • Using bookmarks to highlight significant evidence found during examination
  • Examining Windows system files
  • Windows registry analysis
  • SQLite database analysis
  • Data recovery methods
  • Techniques for analysing RAM dumps
  • Using the hash calculator and hash analysis in forensic examinations
  • Examining encrypted files
  • Methods for analysing image and video files
  • Using analytical techniques in forensic examinations
  • Automating routine tasks using the built-in Belkascripts scripting language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The goal of the course is to learn the basics of the forensic investigation of cyberattacks and the possibilities of using Belkasoft Evidence Center in an investigation. You will learn about the main vectors of modern attacks on computer networks, learn to classify computer attacks using the MITRE ATT&CK matrix, apply operating system examination algorithms to establish the fact of compromise and reconstruct the attackers' actions, learn where the artifacts are located that show which files were opened last, where the operating system stores information about how executable files were downloaded and executed and how the attackers moved through the network, and learn how to examine these artifacts using BEC. You will also learn which events in system logs are of interest from the point of view of incident investigation and detecting remote access, and learn how to examine them using BEC.

The course will be useful to technical specialists who determine the causes of a successful intrusion and analyse the chain of events and the consequences of a cyberattack; system administrators; SOC and CERT/CSIRT staff; and information security staff.

Course description

The Cyber Kill Chain describes the main stages of any technical attack on a victim's computers (or computer network) as follows:

[Figure: stages of the Cyber Kill Chain]

The activities of SOC staff (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information.

If attackers have nevertheless penetrated the infrastructure, the staff listed above should try to minimise the damage caused by the attackers, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised information system, and take measures to prevent such an attack in the future.

The following types of indicators, showing that the network (computer) has been compromised, can be found in a compromised information infrastructure:

[Figure: types of indicators of compromise]

All such indicators can be found using the Belkasoft Evidence Center program.

BEC has an "Incident Investigation" mode in which, when storage media are analysed, information is collected about artifacts that can help the examiner when investigating incidents.

BEC supports the examination of the main types of Windows artifacts that show the execution of executable files on the system under examination, including Amcache, UserAssist, Prefetch, BAM/DAM, Windows 10 Timeline, and analysis of system events.

Information about indicators of user activity on the compromised system can be presented in the following form:

[Figure: indicators of user activity on the compromised system as presented in BEC]

This information includes, among other things, data about the execution of executable files:

[Figure: information about the execution of the file 'RDPWinst.exe'.]

Information about attackers' persistence in the compromised system can be found in Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI, etc. Examples of detecting traces of attackers' persistence in the system can be seen in the following screenshots:

[Figure: attacker persistence via Task Scheduler, by creating a task that runs a PowerShell script.]

[Figure: attacker persistence via Windows Management Instrumentation (WMI).]

[Figure: attacker persistence via logon scripts.]

The movement of attackers through a compromised computer network can be detected, for example, by analysing Windows system logs (if the attackers use the RDP service).

[Figure: information about detected RDP connections.]

[Figure: information about attackers' movement across the network.]
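As an added illustration of the two detection ideas above (persistence traces such as scheduled tasks and services, and RDP-based lateral movement reconstructed from Windows event logs), here is a small Python triage script. It is not part of the original article and is not Belkasoft code: the event records, host names, user names and IP addresses are constructed; the event IDs are the standard Windows Security/System log IDs (4624 logon with LogonType 10 = RemoteInteractive/RDP, 4698 scheduled task created, 7045 service installed); the event data fields are simplified; and the `HOST_BY_IP` inventory is an assumed asset list used to turn source addresses into host names so that the hops chain together.

```python
"""Triage of Windows event records for RDP lateral movement and persistence.

Added example, not part of the original article and not Belkasoft code.
All records below are constructed; in practice they would be exported from
Security.evtx / System.evtx by a log parser or a forensic tool.
"""
from dataclasses import dataclass
from datetime import datetime

# Standard Windows event IDs used for the triage.
EID_LOGON = 4624            # Security: an account was successfully logged on
EID_TASK_CREATED = 4698     # Security: a scheduled task was created
EID_SERVICE_INSTALLED = 7045  # System: a service was installed
RDP_LOGON_TYPE = "10"       # LogonType 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    timestamp: datetime
    host: str        # computer on which the event was recorded
    event_id: int
    data: dict       # simplified subset of the event's data fields


# Constructed sample records (fictional hosts, users and addresses).
SAMPLE_EVENTS = [
    Event(datetime(2019, 9, 2, 10, 15), "WS-01", EID_LOGON,
          {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50"}),
    Event(datetime(2019, 9, 2, 10, 17), "WS-01", EID_LOGON,
          {"LogonType": "2", "TargetUserName": "jdoe", "IpAddress": "-"}),
    Event(datetime(2019, 9, 2, 10, 40), "SRV-FILE", EID_LOGON,
          {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.21"}),
    Event(datetime(2019, 9, 2, 10, 45), "SRV-FILE", EID_TASK_CREATED,
          {"TaskName": "\\Updater", "Command": "powershell.exe -File C:\\Users\\Public\\u.ps1"}),
    Event(datetime(2019, 9, 2, 11, 5), "DC-01", EID_LOGON,
          {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.31"}),
    Event(datetime(2019, 9, 2, 11, 7), "DC-01", EID_SERVICE_INSTALLED,
          {"ServiceName": "RDPWinst", "ImagePath": "C:\\Windows\\Temp\\RDPWinst.exe"}),
]

# Assumed asset inventory (constructed): source IP -> host name.
HOST_BY_IP = {"10.0.0.21": "WS-01", "10.0.0.31": "SRV-FILE"}


def rdp_logons(events):
    """Return successful RDP logons as (time, source_ip, destination_host, user).

    Only 4624 events with LogonType 10 count; console and other logon types
    are ignored so that ordinary local activity does not look like movement.
    """
    hits = []
    for ev in events:
        if ev.event_id == EID_LOGON and ev.data.get("LogonType") == RDP_LOGON_TYPE:
            hits.append((ev.timestamp, ev.data.get("IpAddress", "-"), ev.host,
                         ev.data.get("TargetUserName", "?")))
    return sorted(hits)


def persistence_events(events):
    """Return persistence-related events as (time, host, kind, detail)."""
    hits = []
    for ev in events:
        if ev.event_id == EID_TASK_CREATED:
            hits.append((ev.timestamp, ev.host, "scheduled task",
                         f"{ev.data.get('TaskName')}: {ev.data.get('Command')}"))
        elif ev.event_id == EID_SERVICE_INSTALLED:
            hits.append((ev.timestamp, ev.host, "service",
                         f"{ev.data.get('ServiceName')}: {ev.data.get('ImagePath')}"))
    return sorted(hits)


def movement_chain(events, host_by_ip):
    """Chronological RDP hops as 'source -> destination', resolving source IPs
    to host names where the inventory knows them (unknown IPs stay as IPs)."""
    return [f"{host_by_ip.get(src, src)} -> {dst}" for _, src, dst, _ in rdp_logons(events)]


def timeline(events, host_by_ip):
    """Merge RDP hops and persistence events into one chronological list of
    (time, host, description) rows, the form an examiner reads top to bottom."""
    rows = [(t, dst, f"RDP logon of {user} from {host_by_ip.get(src, src)}")
            for t, src, dst, user in rdp_logons(events)]
    rows += [(t, host, f"persistence via {kind}: {detail}")
             for t, host, kind, detail in persistence_events(events)]
    return sorted(rows)


def compromised_hosts(events):
    """Hosts that appear in the timeline, i.e. received an RDP logon or a persistence artifact."""
    return {row[1] for row in timeline(events, {})}


if __name__ == "__main__":
    for t, host, desc in timeline(SAMPLE_EVENTS, HOST_BY_IP):
        print(f"{t:%Y-%m-%d %H:%M}  {host:9}  {desc}")
    print("Hops:", " | ".join(movement_chain(SAMPLE_EVENTS, HOST_BY_IP)))
```

On the constructed data the script reconstructs three hops (external address to WS-01, WS-01 to SRV-FILE, SRV-FILE to DC-01) and places the scheduled task and the new service on the hosts and at the times where they were created, which is exactly the picture the two screenshots above convey; on real exports the same logic works, but the inventory mapping must come from the organisation's own asset records.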

Thus, Belkasoft Evidence Center can help examiners identify compromised computers in an attacked computer network, find traces of malware execution, traces of persistence in the system and of movement through the network, and other traces of attacker activity on the compromised computers.

How to conduct such investigations and detect the artifacts described above is covered in the Belkasoft Incident Response Examination training course.

Course syllabus:

  • Cyberattack trends: techniques, tools and goals of attackers
  • Using threat models to understand attackers' tactics, techniques and procedures
  • Cyber Kill Chain
  • Incident response algorithm: identification, localisation, generation of indicators, searching for newly infected nodes
  • Examining Windows systems using BEC
  • Detecting methods of initial infection, network propagation, persistence and malware network activity using BEC
  • Detecting infected systems and recovering the infection history using BEC
  • Practical exercises

FAQ

Where are the courses held?
Courses are held at Group-IB headquarters or at an external site (training centre). The instructor can also travel to a corporate client's site.

Who conducts the classes?
Group-IB instructors are practitioners with many years of experience in conducting forensic examinations, corporate investigations and responding to information security incidents.

The instructors' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, and others.

Our instructors easily find a common language with the audience and explain even the most complex topics clearly. Students will learn a great deal of relevant and interesting information about investigating computer incidents and about methods for detecting and countering computer attacks, and will gain practical knowledge they can apply immediately after completing the course.

Will the courses provide useful skills unrelated to Belkasoft products, or are these skills inapplicable without this software?
The skills gained during training will be useful even without Belkasoft products.

What is included in the initial test?

The initial test checks knowledge of the basics of computer forensics. There are no plans to test knowledge of Belkasoft or Group-IB products.

Where can I find information about the company's educational courses?

As part of its educational courses, Group-IB trains specialists in incident response, malware analysis, cyber threat intelligence (Threat Intelligence), work in a Security Operations Center (SOC), threat hunting (Threat Hunter), and more. The full list of Group-IB's own courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training on the joint Group-IB and Belkasoft courses will receive:

  1. a certificate of completion;
  2. a free one-month subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9. Don't miss the chance to gain unique knowledge in information security, computer forensics and incident response! Register for the course here.

Sources

In preparing the article, we used Oleg Skulkin's presentation "Using host-based forensics to obtain indicators of compromise for successful intelligence-driven incident response".

source: www.habr.com
