Welcome to a new series of articles, this time on the topic of incident investigation, namely malware analysis using Check Point forensics. We previously published
Why is incident investigation needed at all? It would seem that you caught the malware, which is already good, so why bother? As practice shows, it is wise not only to block an attack but also to understand exactly how it works: what the entry point was, which vulnerability was exploited, which processes are involved, whether the registry and file system are affected, which malware family it belongs to, what the potential damage is, and so on. This and other useful data can be obtained from Check Point's comprehensive forensic reports (both textual and graphical). Producing such a report by hand is very laborious. This data can help you take appropriate measures and prevent similar attacks from succeeding in the future. Today we will look at the forensics report of Check Point SandBlast Network.
SandBlast Network
Using sandboxes to strengthen network perimeter protection has long been a de facto standard, just like IPS. At Check Point, sandbox functionality is provided by the Threat Emulation blade, which is part of the SandBlast technology (there is also Threat Extraction). We have already published
- SandBlast Local Appliance - an additional SandBlast appliance is installed in your network, and files are sent to it for analysis.
- SandBlast Cloud - files are sent for analysis to the Check Point cloud.
The sandbox can be considered the last line of defense on the network perimeter. It is engaged only after analysis by the classic means - antivirus and IPS. Where such traditional signature-based tools provide practically no analytics, the sandbox can "tell" in detail why the file was blocked and what exactly it does. This forensic report can be obtained from both the local sandbox and the cloud.
Check Point Forensics Report
Let's say that you, as an information security specialist, arrive at work and open the dashboard in SmartConsole. You immediately see the incidents of the last 24 hours, and your attention is drawn to the Threat Emulation events - the most dangerous attacks, which signature analysis did not block.
You can "drill down" into these events and see all the logs for the Threat Emulation blade.
After that, you can also sort the logs by threat criticality (Severity) and by confidence level (the reliability of the verdict):
Expanding the event we are interested in, we can see general information (src, dst, severity, sender, etc.):
There you can see the Forensics section with a Summary report. Clicking on it opens a detailed analysis of the malware in the form of an interactive HTML page:
(This is only part of the page.)
From the same report we can download the original malware (in a password-protected archive) or contact the Check Point response team immediately.
Just below you can see a nice animation showing what percentage of known malicious code our sample has in common with it (including the code itself and macros). This analytics is delivered using machine learning in the Check Point Threat Cloud.
Then you can see exactly which activities in the sandbox led us to conclude that this file is malicious. In this case we see the use of bypass techniques and an attempt to download ransomware:
Note that in this case the emulation was run on two systems (Win 7, Win XP) and with different software versions (Office, Adobe). Below is a video (slideshow) of the process of opening this file in the sandbox:
Video example:
At the end we can see in detail how the attack developed, either in tabular form or graphically:
There we can also download this information in RAW format, as well as a pcap file for detailed analysis of the generated traffic in Wireshark:
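Wireshark is the right tool for looking at that pcap interactively, but when you have many reports the first question is usually the same: which external endpoints did the sample talk to? The script below is an added example (not part of the article or of Check Point's tooling): a dependency-free reader for a classic pcap file that lists the outbound destinations of the sandbox VM. It assumes the capture uses the Ethernet link type and that you know the VM's address (here 10.0.0.5); the capture it parses is constructed in memory from TEST-NET documentation addresses, so none of the IPs are real indicators.

```python
import socket
import struct
from collections import Counter
from typing import Iterator, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Classic pcap magic numbers: microsecond/nanosecond resolution, little/big endian.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

Packet = Tuple[str, str, int, Optional[int], Optional[int]]  # src, dst, proto, sport, dport


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; return None for anything else."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length incl. options
    proto = frame[offset + 9]
    src = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst = socket.inet_ntoa(frame[offset + 16:offset + 20])
    l4 = offset + ihl
    if proto in PROTO_NAMES and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def iter_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic pcap file held in memory and yield decoded IPv4 packets."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:  # assumption: Ethernet capture
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet (1)")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) != incl_len:
            break  # truncated capture: stop instead of mis-parsing the tail
        pkt = parse_frame(frame)
        if pkt is not None:
            yield pkt


def outbound_endpoints(data: bytes, sandbox_ip: str) -> Counter:
    """Count (proto, dst_ip, dst_port) for traffic leaving the sandbox VM.
    These are the endpoints to check against threat intel and your blocklists."""
    counts: Counter = Counter()
    for src, dst, proto, _sport, dport in iter_pcap(data):
        if src == sandbox_ip and dport is not None:
            counts[(PROTO_NAMES[proto], dst, dport)] += 1
    return counts


# --- constructed sample capture (TEST-NET addresses, not real indicators) ---
def _frame(src_ip, dst_ip, proto, sport, dport, vlan=False) -> bytes:
    if proto == 6:   # TCP SYN with a 20-byte header; checksum left zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP with an empty payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 10) if vlan else b""
    return b"\x00" * 12 + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_sample_pcap() -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame("10.0.0.5", "198.51.100.7", 17, 51000, 53),            # DNS lookup
        _frame("10.0.0.5", "203.0.113.10", 6, 49152, 80),             # HTTP download
        _frame("203.0.113.10", "10.0.0.5", 6, 80, 49152),             # inbound reply, ignored
        _frame("10.0.0.5", "203.0.113.10", 6, 49153, 80, vlan=True),  # second HTTP connection
        _frame("10.0.0.5", "203.0.113.10", 6, 49154, 443),            # TLS to the same host
        b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,      # ARP, not IPv4
    ]
    body = b"".join(struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


if __name__ == "__main__":
    for (proto, ip, port), n in sorted(outbound_endpoints(build_sample_pcap(), "10.0.0.5").items()):
        print(f"{proto} {ip}:{port}  packets={n}")
```

Replace `build_sample_pcap()` with `open("report.pcap", "rb").read()` to run it on a downloaded capture. The parser deliberately stops on a truncated record and rejects pcapng, because a sandbox pcap that was cut short is better reported than silently summarised from half its packets.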
Conclusion
Using this information you can significantly strengthen the protection of your network: block the hosts distributing the malware, close the exploited vulnerabilities, block possible callbacks to the C&C, and much more. This analytics should not be neglected.
In the following articles we will look in the same way at the reports of SandBlast Agent, SandBlast Mobile, and CloudGuard SaaS. So stay tuned (
Source: www.habr.com