(ua tsaug rau Sergey G. Brester rau lub npe lub tswv yim )
Cov npoj yaig, lub hom phiaj ntawm tsab xov xwm no yog los qhia cov kev paub dhau los ntawm kev sim ua haujlwm ntev xyoo ntawm chav kawm tshiab ntawm IDS cov kev daws teeb meem raws li kev dag ntxias technologies.
Yuav kom tswj tau qhov kev sib raug zoo ntawm qhov kev nthuav qhia ntawm cov khoom siv, kuv xav tias nws yuav tsum tau pib nrog qhov chaw. Yog li, qhov teeb meem:
- Lub hom phiaj kev tawm tsam yog hom kev tawm tsam txaus ntshai tshaj plaws, txawm tias qhov tseeb tias lawv koom nrog tag nrho cov kev hem thawj tsawg.
- Tsis tau lees paub tias muaj txiaj ntsig zoo ntawm kev tiv thaiv ib puag ncig (lossis txheej txheej ntawm cov txhais tau tias) tseem tau tsim.
- Raws li txoj cai, cov phiaj xwm tawm tsam tshwm sim hauv ntau theem. Kev kov yeej ib puag ncig tsuas yog ib qho ntawm thawj theem, uas (koj tuaj yeem pov pob zeb rau kuv) tsis ua rau muaj kev puas tsuaj ntau rau "tus neeg raug tsim txom", tshwj tsis yog, tau kawg, nws yog DEoS (Kev puas tsuaj ntawm kev pabcuam) nres (encryptors, thiab lwm yam. .). Qhov "mob" tiag tiag pib tom qab, thaum cov khoom raug ntes tau pib siv rau pivoting thiab tsim "qhov tob" tawm tsam, thiab peb tsis pom qhov no.
- Txij li thaum peb pib raug kev puas tsuaj tiag tiag thaum cov neeg tawm tsam thaum kawg ncav cuag lub hom phiaj ntawm kev tawm tsam (kev thov servers, DBMS, cov ntaub ntawv warehouses, repositories, cov ntsiab lus tseem ceeb), nws yog qhov laj thawj uas ib qho ntawm cov haujlwm ntawm kev pabcuam kev ruaj ntseg yog cuam tshuam kev tawm tsam ua ntej. qhov kev nyuaj siab no. Tab sis txhawm rau cuam tshuam ib yam dab tsi, koj yuav tsum xub paub txog nws. Thiab sai dua, qhov zoo dua.
- Raws li, rau kev tswj hwm kev pheej hmoo ua tiav (uas yog, txo kev puas tsuaj los ntawm kev tawm tsam), nws yog ib qho tseem ceeb kom muaj cov cuab yeej uas yuav muab qhov tsawg kawg nkaus TTD (lub sij hawm los ntes - lub sij hawm los ntawm lub sij hawm intrusion mus rau lub sij hawm qhov kev tawm tsam yog pom). Nyob ntawm kev lag luam thiab cheeb tsam, lub sijhawm no nruab nrab yog 99 hnub hauv Teb Chaws Asmeskas, 106 hnub hauv cheeb tsam EMEA, 172 hnub hauv cheeb tsam APAC (M-Trends 2017, A View From the Front Lines, Mandiant).
- Lub khw muaj dab tsi?
- "Sandboxes". Lwm qhov kev tiv thaiv kev tiv thaiv, uas nyob deb ntawm qhov zoo tagnrho. Muaj ntau cov txheej txheem zoo rau kev kuaj xyuas thiab hla cov sandboxes lossis whitelisting daws teeb meem. Cov txiv neej los ntawm "sab tsaus ntuj" tseem yog ib kauj ruam ua ntej ntawm no.
- UEBA (cov txheej txheem rau kev coj tus cwj pwm thiab txheeb xyuas qhov sib txawv) - hauv kev xav, tuaj yeem ua tau zoo heev. Tab sis, hauv kuv lub tswv yim, qhov no yog qee zaum nyob rau yav tom ntej. Hauv kev xyaum, qhov no tseem kim heev, tsis muaj kev ntseeg siab thiab yuav tsum muaj kev paub tab thiab ruaj khov IT thiab cov ntaub ntawv kev ruaj ntseg, uas twb muaj tag nrho cov cuab yeej uas yuav tsim cov ntaub ntawv rau kev soj ntsuam tus cwj pwm.
- SIEM yog ib qho cuab yeej zoo rau kev tshawb nrhiav, tab sis nws tsis tuaj yeem pom thiab qhia qee yam tshiab thiab qub raws sijhawm, vim tias txoj cai sib raug zoo tib yam li kos npe.
- Yog li ntawd, yuav tsum muaj ib lub cuab yeej uas yuav:
- ua tau zoo nyob rau hauv tej yam kev mob ntawm ib tug twb compromised perimeter,
- kuaj pom kev ua tiav kev tawm tsam nyob ze ntawm lub sijhawm tiag tiag, tsis hais cov cuab yeej thiab qhov tsis zoo siv,
- tsis nyob ntawm kev kos npe / cai / ntawv / txoj cai / profile thiab lwm yam zoo li qub,
- tsis xav tau ntau cov ntaub ntawv thiab lawv qhov chaw rau kev tshuaj xyuas,
- yuav tso cai rau kev tawm tsam los txhais tsis yog qee yam kev pheej hmoo-ntaus qhab nia los ntawm kev ua haujlwm ntawm "qhov zoo tshaj plaws hauv lub ntiaj teb, patented thiab yog li kaw lej", uas yuav tsum tau tshawb xyuas ntxiv, tab sis xyaum raws li qhov kev tshwm sim binary - "Yog, peb raug tawm tsam" lossis "Tsis yog, txhua yam yog OK",
- yog universal, ua tau zoo scalable thiab muaj peev xwm mus siv nyob rau hauv tej heterogeneous ib puag ncig, tsis hais lub cev thiab lub ntsiab lus network topology siv.
Yog li hu ua kev dag ntxias daws tam sim no vying rau lub luag haujlwm ntawm cov cuab yeej zoo li no. Ntawd yog, kev daws teeb meem raws li lub tswv yim zoo qub ntawm honeypots, tab sis nrog rau qib sib txawv ntawm kev siv. Lub ntsiab lus no yeej muaj nyob rau tam sim no.
Raws li qhov tshwm sim Kev dag ntxias muaj nyob rau hauv TOP 3 cov tswv yim thiab cov cuab yeej uas pom zoo kom siv.
Raws li tsab ntawv ceeb toom Kev dag ntxias yog ib qho ntawm cov lus qhia tseem ceeb ntawm kev txhim kho IDS Intrusion Detection Systems) kev daws teeb meem.
Ib seem ntawm lub tom kawg , mob siab rau SCADA, yog raws li cov ntaub ntawv los ntawm ib qho ntawm cov thawj coj hauv kev ua lag luam no, TrapX Security (Israel), cov kev daws teeb meem uas tau ua haujlwm hauv peb thaj chaw sim rau ib xyoos.
TrapX Deception Grid tso cai rau koj los them nqi thiab khiav lag luam loj heev ntawm IDS hauv nruab nrab, tsis tas yuav nce cov ntawv tso cai thauj khoom thiab cov cai rau cov khoom siv kho vajtse. Qhov tseeb, TrapX yog tus tsim tsim uas tso cai rau koj los tsim los ntawm cov ntsiab lus ntawm cov khoom siv IT uas twb muaj lawm ib lub tshuab loj rau kev kuaj xyuas kev tawm tsam ntawm kev lag luam thoob ntiaj teb, ib hom kev faib network " tswb."
Kev daws teeb meem
Hauv peb lub chaw soj nstuam peb niaj hnub kawm thiab sim ntau yam khoom tshiab hauv kev ruaj ntseg IT. Tam sim no, txog 50 qhov sib txawv virtual servers tau xa tawm ntawm no, suav nrog TrapX Deception Grid Cheebtsam.
Yog li, los ntawm sab saum toj mus rau hauv qab:
- TSOC (TrapX Security Operation Console) yog lub hlwb ntawm lub cev. Qhov no yog lub hauv paus tswj console los ntawm kev teeb tsa, xa tawm cov kev daws teeb meem thiab kev ua haujlwm txhua hnub. Txij li qhov no yog qhov kev pabcuam hauv lub vev xaib, nws tuaj yeem xa mus rau txhua qhov chaw - ntawm ib puag ncig, hauv huab lossis ntawm MSSP tus kws kho mob.
- TrapX Appliance (TSA) yog virtual server rau hauv uas peb txuas, siv lub cev qhov chaw nres nkoj, cov subnets uas peb xav kom npog nrog kev saib xyuas. Tsis tas li ntawd, tag nrho peb lub network sensors tiag tiag "nyob" ntawm no.
Peb lub chaw kuaj mob muaj ib qho TSA xa tawm (mwsapp1), tab sis qhov tseeb tuaj yeem muaj ntau. Qhov no tej zaum yuav tsim nyog nyob rau hauv cov tes hauj lwm loj uas tsis muaj L2 kev sib txuas ntawm ntu (ib qho piv txwv yog "Tuav thiab cov koom haum" lossis "Bank head office thiab ceg") lossis yog tias lub network muaj cov ntu cais, piv txwv li, cov txheej txheem tswj cov txheej txheem. Hauv txhua ceg / ntu, koj tuaj yeem xa koj tus kheej TSA thiab txuas mus rau ib qho TSOC, qhov twg tag nrho cov ntaub ntawv yuav raug ua haujlwm hauv nruab nrab. Qhov kev tsim qauv no tso cai rau koj los tsim cov kev saib xyuas kev faib tawm yam tsis tas yuav hloov kho lub network lossis cuam tshuam cov segmentation uas twb muaj lawm.
Tsis tas li, peb tuaj yeem xa daim qauv ntawm cov tsheb khiav mus rau TSA ntawm TAP / SPAN. Yog tias peb txheeb xyuas kev sib txuas nrog cov botnets paub, cov lus txib thiab tswj cov servers, lossis TOR ntu, peb kuj yuav tau txais qhov tshwm sim hauv console. Network Intelligence Sensor (NIS) yog lub luag haujlwm rau qhov no. Hauv peb ib puag ncig, qhov kev ua haujlwm no yog siv rau ntawm lub firewall, yog li peb tsis siv nws ntawm no.
- Daim Ntawv Cuam Tshuam (Full OS) - ib txwm muaj honeypots raws li Windows servers. Koj tsis xav tau ntau ntawm lawv, txij li lub hom phiaj tseem ceeb ntawm cov servers no yog muab cov kev pabcuam IT rau cov txheej txheem tom ntej ntawm cov sensors lossis ntes cov kev tawm tsam ntawm cov ntawv thov kev lag luam uas yuav raug xa mus rau hauv ib puag ncig Windows. Peb muaj ib lub server zoo li no tau teeb tsa hauv peb chav kuaj (FOS01)
- Emulated ntxiab yog cov ntsiab lus tseem ceeb ntawm cov kev daws teeb meem, uas tso cai rau peb, siv ib lub tshuab virtual, tsim kom muaj qhov ntom ntom "minefield" rau cov neeg tawm tsam thiab ua kom lub lag luam network, tag nrho nws cov vlans, nrog peb cov sensors. Tus neeg tawm tsam pom xws li lub sensor, lossis phantom host, raws li lub Windows PC tiag tiag lossis server, Linux server lossis lwm yam khoom siv uas peb txiav txim siab los qhia nws.
Rau qhov zoo ntawm kev lag luam thiab rau kev xav paub, peb tau siv "ib khub ntawm txhua tus tsiaj" - Windows PCs thiab servers ntawm ntau yam versions, Linux servers, ATM nrog Windows embedded, SWIFT Web Access, network printer, Cisco hloov, lub koob yees duab Axis IP, MacBook, PLC -device thiab txawm tias lub teeb ci ntse. Tag nrho muaj 13 hosts. Feem ntau, tus neeg muag khoom pom zoo kom xa cov sensors hauv qhov tsawg kawg yog 10% ntawm cov tswv tsev tiag tiag. Sab saum toj bar yog qhov chaw nyob muaj.Lub ntsiab lus tseem ceeb yog tias txhua tus tswv tsev no tsis yog lub tshuab virtual uas muaj peev xwm xav tau cov peev txheej thiab cov ntawv tso cai. Qhov no yog decoy, emulation, ib tug txheej txheem ntawm TSA, uas muaj ib tug txheej ntawm tsis thiab ib tug IP chaw nyob. Yog li ntawd, nrog kev pab los ntawm ib tug TSA, peb muaj peev xwm saturate lub network nrog pua pua ntawm xws li phantom hosts, uas yuav ua hauj lwm raws li sensors nyob rau hauv lub tswb system. Nws yog qhov thev naus laus zis no uas ua rau nws muaj peev xwm ua kom tau txais txiaj ntsig zoo ntawm lub tswv yim honeypot hla txhua lub lag luam loj.
Los ntawm tus neeg tawm tsam qhov kev xav, cov tswv tsev no ntxim nyiam vim tias lawv muaj qhov tsis zoo thiab zoo li cov hom phiaj yooj yim. Tus neeg tawm tsam pom cov kev pabcuam ntawm cov tswv thiab tuaj yeem cuam tshuam nrog lawv thiab tawm tsam lawv siv cov cuab yeej txheem thiab cov txheej txheem (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, etc.). Tab sis nws tsis tuaj yeem siv cov tswv cuab no los tsim kev tawm tsam lossis khiav koj tus kheej cov cai.
- Kev sib xyaw ua ke ntawm ob lub thev naus laus zis no (FullOS thiab emulated ntxiab) tso cai rau peb kom ua tiav qhov muaj txiaj ntsig zoo tshaj plaws uas tus neeg tawm tsam yuav sai dua lossis tom qab ntsib qee lub ntsiab lus ntawm peb lub network teeb liab. Tab sis yuav ua li cas peb thiaj paub tseeb tias qhov tshwm sim no ze li 100%?
Lub thiaj li hu ua Deception tokens nkag mus rau hauv kev sib ntaus sib tua. Ua tsaug rau lawv, peb tuaj yeem suav tag nrho cov PCs uas twb muaj lawm thiab cov servers ntawm kev lag luam hauv peb cov IDS faib. Tokens tau muab tso rau ntawm cov neeg siv lub PC tiag. Nws yog ib qho tseem ceeb kom nkag siab tias tokens tsis yog cov neeg sawv cev uas siv cov peev txheej thiab tuaj yeem ua rau muaj kev tsis sib haum xeeb. Tokens yog cov ntaub ntawv tsis txaus ntseeg, ib hom "breadcrumbs" rau sab tawm tsam uas coj nws mus rau hauv lub ntxiab. Piv txwv li, mapped network drives, bookmarks rau fake web admins hauv browser thiab khaws cov passwords rau lawv, khaws tseg ssh/rdp/winscp zaug, peb cov ntxiab nrog cov lus hauv hosts cov ntaub ntawv, lo lus zais khaws cia hauv nco, ntawv pov thawj ntawm cov neeg siv tsis muaj nyob, chaw ua haujlwm cov ntaub ntawv, qhib uas yuav ua rau lub system, thiab ntau ntxiv. Yog li, peb tso tus neeg tawm tsam nyob rau hauv qhov chaw tsis sib haum xeeb, saturated nrog cov vectors tawm tsam uas tsis ua rau peb muaj kev hem thawj rau peb, tab sis qhov txawv. Thiab nws tsis muaj txoj hauv kev los txiav txim siab qhov twg cov ntaub ntawv muaj tseeb thiab qhov twg yog qhov tsis tseeb. Yog li, peb tsis tsuas yog xyuas kom ceev nrooj nrhiav kev tawm tsam, tab sis kuj tseem ua rau nws qhov kev nce qib zuj zus.
Ib qho piv txwv ntawm kev tsim lub cuab yeej network thiab teeb tsa tokens. Tus phooj ywg interface thiab tsis muaj phau ntawv kho ntawm configs, scripts, thiab lwm yam.
Hauv peb ib puag ncig, peb tau teeb tsa thiab tso ntau tus tokens ntawm FOS01 khiav Windows Server 2012R2 thiab ib qho kev sim PC khiav Windows 7. RDP tab tom khiav ntawm cov tshuab no thiab peb ib ntus "dai" lawv hauv DMZ, qhov twg peb cov sensors ntau. (emulated ntxiab) kuj tshwm sim. Yog li peb tau txais cov kwj deg tas li ntawm qhov xwm txheej, ib txwm hais lus.
Yog li, ntawm no yog qee qhov kev txheeb xyuas ceev rau lub xyoo:
56 - xwm txheej kaw,
2 - qhov chaw nres tsheb tau kuaj pom.
Sib tham sib, clickable nres daim ntawv qhia
Nyob rau tib lub sijhawm, kev daws teeb meem tsis tsim qee yam mega-log lossis kev tshwm sim pub, uas yuav siv sijhawm ntev los nkag siab. Hloov chaw, qhov kev daws teeb meem nws tus kheej faib cov xwm txheej los ntawm lawv hom thiab tso cai rau cov ntaub ntawv kev ruaj ntseg pab neeg tsom mus rau qhov txaus ntshai tshaj plaws - thaum tus neeg tawm tsam sim nce kev tswj hwm (kev sib cuam tshuam) lossis thaum binary payloads (kab mob) tshwm sim hauv peb txoj kev tsheb.
Tag nrho cov ntaub ntawv hais txog cov xwm txheej yog nyeem tau thiab nthuav tawm, hauv kuv lub tswv yim, hauv daim ntawv yooj yim nkag siab txawm tias tus neeg siv nrog kev paub yooj yim hauv kev ruaj ntseg cov ntaub ntawv.
Feem ntau ntawm cov xwm txheej kaw yog sim tshuaj xyuas peb cov tswv lossis ib qho kev sib txuas.
Los yog sim brute yuam passwords rau RDP
Tab sis kuj tseem muaj cov xwm txheej nthuav dav ntxiv, tshwj xeeb tshaj yog thaum cov neeg tawm tsam "tswj" los twv tus password rau RDP thiab nkag mus rau hauv lub network.
Tus neeg tawm tsam sim ua cov lej siv psexec.
Tus neeg tawm tsam pom qhov kev cawmdim, uas coj nws mus rau hauv lub ntxiab hauv daim ntawv ntawm Linux server. Tam sim ntawd tom qab sib txuas, nrog rau ib qho kev npaj ua ntej ntawm cov lus txib, nws tau sim ua kom puas tag nrho cov ntaub ntawv teev npe thiab cov kab ke sib txawv.
Tus neeg tawm tsam sim ua SQL txhaj tshuaj ntawm lub honeypot uas ua raws li SWIFT Web Access.
Ntxiv rau qhov kev tawm tsam "natural" no, peb kuj tau ua ntau qhov kev sim peb tus kheej. Ib qho kev nthuav tawm tshaj plaws yog kuaj lub sijhawm kuaj pom ntawm tus kab mob network ntawm lub network. Txhawm rau ua qhov no peb siv lub cuab yeej los ntawm GuardiCore hu ua . Qhov no yog kab kab network uas tuaj yeem nyiag Windows thiab Linux, tab sis tsis muaj "them nyiaj them".
Peb tau xa ib lub chaw hais kom ua hauv zos, tau pib thawj zaug ntawm tus kab mob ntawm ib lub tshuab, thiab tau txais thawj qhov kev ceeb toom hauv TrapX console hauv tsawg dua ib feeb thiab ib nrab. TTD 90 vib nas this piv rau 106 hnub ntawm qhov nruab nrab ...
Ua tsaug rau lub peev xwm los koom ua ke nrog lwm cov chav kawm ntawm cov kev daws teeb meem, peb tuaj yeem txav los ntawm kev tshawb xyuas sai sai kom tau txais kev teb rau lawv.
Piv txwv li, kev koom ua ke nrog NAC (Network Access Control) cov tshuab lossis nrog CarbonBlack yuav tso cai rau koj txiav txim siab txiav PCs los ntawm lub network.
Kev koom ua ke nrog sandboxes tso cai rau cov ntaub ntawv koom nrog hauv kev tawm tsam kom raug xa mus rau kev tshuaj xyuas.
McAfee kev koom ua ke
Cov tshuaj kuj muaj nws tus kheej built-in kev tshwm sim correlation system.
Tab sis peb tsis txaus siab rau nws lub peev xwm, yog li peb muab nws nrog HP ArcSight.
Lub built-in ticketing system pab tag nrho lub ntiaj teb no tiv thaiv kev hem thawj.
Txij li thaum cov kev daws teeb meem tau tsim "los ntawm qhov pib" rau cov kev xav tau ntawm tsoomfwv cov koom haum thiab cov koom haum loj, nws ib txwm siv lub luag haujlwm ntawm kev nkag mus rau tus qauv, kev koom ua ke nrog AD, ib qho kev tsim cov ntaub ntawv qhia thiab ua rau (kev ceeb toom xwm txheej), orchestration rau loj tuav cov qauv los yog MSSP cov chaw muab kev pab.
Es tsis txhob rov pib dua
Yog hais tias muaj xws li ib tug saib xyuas system, uas, piv txwv li, hais lus, npog peb sab nraub qaum, ces nrog kev sib haum xeeb ntawm ib puag ncig txhua yam yog pib xwb. Qhov tseem ceeb tshaj plaws yog tias muaj lub sijhawm tiag los daws cov xwm txheej kev nyab xeeb, thiab tsis txhob cuam tshuam nrog lawv qhov tshwm sim.
Tau qhov twg los: www.hab.com