95% of information security threats are known, and you can protect yourself from them with traditional means such as antivirus, firewalls, IDS and WAF. The remaining 5% of threats are unknown and are the most dangerous. They are extremely hard to detect, let alone to protect against, and yet they account for 70% of a company's risk. Examples
The continuous evolution of cyber attacks demands continuous detection and countermeasures, which in the end means an endless arms race between attackers and defenders. Traditional security systems can no longer provide an acceptable level of security, one at which the level of risk does not affect a company's key indicators (economic, political, reputational), without being adapted to the specific infrastructure; in general they cover only part of the risks. Modern security systems are already playing catch-up during their implementation and configuration, and they have to answer the challenges of the new era.
Threat hunting technology can be one of the answers to the modern challenges facing information security professionals. The term Threat Hunting (hereafter TH) appeared a few years ago. The technology itself is very interesting, but there are still no generally accepted standards or rules for it. The problem is further complicated by the diversity of information sources and the scarcity of Russian-language sources on the topic. For that reason, we at LANIT-Integration decided to write a review of this technology.
Relevance
TH technology relies on infrastructure monitoring processes.
Only by combining both types of monitoring do you obtain protection that is close to ideal, but a certain level of residual risk always remains.
Protection by two types of monitoring
And here is why TH (and the hunt itself!) is becoming more and more important:
Threats, countermeasures, risks
Almost every one of us has had to deal with these 5% of threats in the course of some project. Recently we needed to install an open-source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. We tried to install this application via pear install, and it failed for the following reason:
We still remember it.
Definition of threat hunting
So, threat hunting is the process of proactively and iteratively searching for and detecting advanced threats that traditional security tools cannot detect. Advanced threats include, for example, attacks such as APTs, attacks on zero-day vulnerabilities, Living off the Land, and so on.
TH can also be described as the process of testing hypotheses. It is a mostly manual process with elements of automation, in which an analyst, relying on knowledge and skills, sifts through large volumes of information in search of signs of compromise that correspond to an initially formulated hypothesis about the presence of a particular threat. Its distinguishing feature is the large number of information sources.
Note that Threat Hunting is not some kind of software or hardware product. It is not the alerts that some solutions display. It is not an IOC (Indicators of Compromise) search process. And it is not some kind of passive activity that happens without the participation of information security analysts. Threat hunting is, first of all, a process.
Components of threat hunting
The three main components of threat hunting: data, technology, people.
Data (what?): including big data. Every kind of traffic flow, information about previous APTs, analytics, data on user activity, network data, information from employees, information about the darknet, and so on.
Technology (how?): the processing of this data, that is, every possible way of processing it, including machine learning.
People (who?): people with extensive experience in analyzing various attacks, keen intuition and the ability to detect an attack. Usually these are information security analysts, who must be able to generate hypotheses and find confirmation for them. They are the key link in the process.
The PARIS model
Adam Bateman
Going through the model from the bottom up, we find numerous pieces of evidence of malicious activity. Each piece of evidence has a measure called confidence, a property that reflects the weight of that evidence. There is direct evidence of malicious activity, which is limited in quantity; with it we immediately reach the top of the pyramid and can raise a real alert about a precisely known infection. And there is indirect evidence, the sum of which can also bring us to the top of the pyramid. As always, there is far more indirect evidence than direct evidence, which means it has to be classified and analyzed and additional investigations have to be carried out, and it is advisable to automate this.
The PARIS model
The lower part of the model (1 and 2) is based on automation technologies and various kinds of analytics; the upper part (3 and 4) is based on people with specific qualifications who manage the process. The model can be read from top to bottom: at the top, in blue, are alerts from traditional security tools (antivirus, EDR, firewalls, signatures) with high confidence; below them are indicators (IOC, URL, MD5 and so on), whose certainty is lower and which require additional investigation. And the lowest and thickest level (4) is hypothesis generation, that is, the creation of new scenarios for operating the traditional protection means. This level is not limited to the hypothesis sources shown. The lower the level, the stricter the requirements on the analyst's qualifications.
It is very important that analysts do not simply test a predetermined, finite set of hypotheses, but constantly strive to generate new hypotheses and new options for testing them.
TH maturity model
In an ideal world, TH is a continuous process. But since there is no ideal world, let us break it down.
Maturity level: people, processes, technologies

Level 0
  People: SOC analysts, 24/7
  Processes: traditional, passive monitoring; a fixed set of alerts; working with alerts; no TH
  Technologies: traditional tools: IDS, AV, sandboxes, signature analysis tools, threat intelligence data

Level 1
  People: SOC analysts; basic knowledge of forensics; sufficient knowledge of networks and applications
  Processes: experimental; one-off TH; IOC search; TH experiments
  Technologies: EDR; partial coverage of data from network devices; partial application of the tools

Level 2
  People: temporary assignment; average knowledge of forensics; excellent knowledge of networks and applications
  Processes: periodic; sprints (from weekly to monthly); temporary TH; regular TH
  Technologies: EDR; full application of the tools; full automation of EDR data use; partial use of advanced EDR features

Level 3
  People: dedicated TH team, 24/7; excellent knowledge of forensics and malware; excellent knowledge of the attacking side
  Processes: preventive; partial ability to test TH hypotheses; preventive TH; TH for special cases
  Technologies: maximum use of advanced EDR features; full coverage of data from network devices; configuration to needs

Level 4
  People: dedicated TH team, 24/7; excellent knowledge of forensics and malware; excellent knowledge of the attacking side; research capability
  Processes: leading; full ability to test TH hypotheses; preventive TH; use of TH; testing, automation and verification of TH hypotheses
  Technologies: in addition to level 3: tight integration of data sources; development to needs; non-standard use of APIs

TH maturity levels by people, processes and technologies
Level 0: traditional, without TH. Ordinary analysts process a standard set of alerts in passive monitoring mode, using standard tools and technologies: IDS, AV, sandboxes, signature analysis tools.
Level 1: experimental, using TH. The same analysts, with basic knowledge of forensics and sufficient knowledge of networks and applications, can carry out one-off threat hunting by searching for indicators of compromise. EDR with partial coverage of data from network devices is added to the tools. The tools are used partially.
Level 2: periodic, temporary TH. The same analysts, who have already improved their knowledge of forensics, networks and applications, are required to engage in threat hunting (sprints) regularly, for example a week out of each month. The tools are supplemented by full exploration of data from network devices, automation of EDR data analysis, and partial use of advanced EDR features.
Level 3: preventive, frequent TH cases. Our analysts have formed a dedicated team and, in addition to excellent knowledge of forensics and malware, have begun to acquire knowledge of the attacking side's techniques and tactics. The process already runs 24/7. The team can partially test TH hypotheses while fully covering data from network devices and making maximum use of advanced EDR features. Analysts can also configure the tools to their needs.
Level 4: high-end, using TH. The same team has acquired the ability to do research and to generate and automate the process of testing TH hypotheses. The tools are now complemented by tight integration of data sources, software development to meet needs, and non-standard use of APIs.
Threat hunting techniques
Basic threat hunting methods
The simplest method, basic search, is used to narrow the scope of an investigation with specific queries. Statistical analysis is used, for example, to build a picture of typical user or network activity in the form of a statistical model. Visualization techniques are used to display and simplify data analysis visually, in the form of graphs and charts, which makes it much easier to spot patterns in a sample. The technique of simple aggregation by key fields is used to optimize search and analysis. The more mature an organization's TH process, the more important the use of machine learning algorithms becomes. They are also widely used in spam filtering, malicious traffic detection and fraud detection. A more advanced type of machine learning algorithm is the Bayesian method, which allows classification, sample-size reduction and topic modeling.
The diamond model and TH strategies
Work by Sergio Caltagirone, Andrew Pendergast and Christopher Betz
The diamond model of malicious activity
According to this model, there are 4 threat hunting strategies, based on the corresponding key components:
1. Victim-centric strategy. We assume that the victim has adversaries and that they deliver "opportunities" to it by email. We look for the adversary's data in email. We search for links, attachments and so on. We look for confirmation of this hypothesis for a set period (so many months or weeks), and if nothing is found, the hypothesis did not work out.
2. Infrastructure-centric strategy. There are several ways to use this strategy. Depending on access and visibility, some are easier than others. For example, we monitor domain name servers known to host malicious domains. Or we run a process that monitors all new domain registrations for known patterns used by the attacker.
3. Capability-centric strategy. In addition to the victim-centric strategy used by most network defenders, there is the capability-centric strategy. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's use of legitimate tools such as psexec, powershell, certutil and the like.
4. Adversary-centric strategy. The adversary-centric approach focuses on the adversary itself. This includes the use of open information from publicly available sources (OSINT), collecting data on the enemy's techniques and methods (TTPs), analysis of previous incidents, threat intelligence data, and so on.
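As an added illustration, not code from the article, here is how the basic techniques described above (basic search, aggregation by key fields, a statistical baseline) can test a capability-centric hypothesis: that certutil or psexec is being run on workstations where such tools are rare. The log format, host names and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Hypothesis under test: an adversary is "living off the land" on workstations with
# legitimate tools (certutil, psexec, powershell). Constructed sample log lines, not real data.
LOG_LINES = [
    "2019-05-01T10:00:01 host=ws01 user=alice image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T10:02:11 host=ws01 user=alice image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T10:05:40 host=ws01 user=alice image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T10:09:03 host=ws01 user=alice image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T10:15:27 host=ws01 user=alice image=C:\\Tools\\PsExec.exe",
    "2019-05-01T11:00:00 host=ws02 user=bob image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T11:30:00 host=ws03 user=carol image=C:\\Office\\winword.exe",
    "2019-05-01T12:00:00 host=ws04 user=dave image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T12:20:00 host=ws06 user=frank image=C:\\Windows\\System32\\certutil.exe",
    "2019-05-01T12:30:00 host=ws07 user=gina image=C:\\Windows\\System32\\certutil.exe",
]
WATCHED_TOOLS = {"certutil.exe", "psexec.exe", "powershell.exe"}
LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

def parse(lines):
    """Basic search: keep only events whose image is a watched tool; return (host, tool) pairs."""
    events = []
    for m in filter(None, map(LINE_RE.search, lines)):
        tool = m.group("image").rsplit("\\", 1)[-1].lower()
        if tool in WATCHED_TOOLS:
            events.append((m.group("host"), tool))
    return events

def hunt(lines, min_hosts=3, z_threshold=1.5):
    """Aggregate by the key fields (host, tool), then compare each host with the statistical
    baseline of all hosts running that tool. Returns {(host, tool): reason}."""
    per_host_tool = Counter(parse(lines))
    hosts_by_tool = defaultdict(dict)
    for (host, tool), n in per_host_tool.items():
        hosts_by_tool[tool][host] = n
    findings = {}
    for tool, counts in hosts_by_tool.items():
        if len(counts) < min_hosts:          # too rare to baseline: hand straight to the analyst
            for host in counts:
                findings[(host, tool)] = "rare tool, seen on %d host(s)" % len(counts)
            continue
        mu, sigma = mean(counts.values()), pstdev(counts.values())
        for host, n in counts.items():
            z = (n - mu) / sigma if sigma else 0.0
            if z > z_threshold:
                findings[(host, tool)] = "outlier: %d runs, z=%.1f" % (n, z)
    return findings
```

Both findings point at ws01, which an analyst would then examine; the winword and non-watched events are dropped by the basic search step before any statistics are computed.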
Information sources and hypotheses for TH
Some information sources for threat hunting
There can be many information sources. An ideal analyst should be able to extract information from everything around them. Typical sources in almost any infrastructure are data from security tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR and so on. Typical sources also include various indicators of compromise, threat intelligence services, CERTs and OSINT data. In addition, you can use information from the darknet (for example, an order suddenly appears to hack a certain organization's mailbox, or the activity of a candidate for a network engineer position is exposed), from HR (a review of a candidate from a previous employer), and from security services (for example, the results of vetting a counterparty).
However, before using all the available information sources, you need to formulate at least one hypothesis.
To test a hypothesis, you must first put one forward. And in order to propose many high-quality hypotheses, a systematic approach has to be applied. The process of generating hypotheses is described in more detail below.
The main sources of hypotheses are as follows. The ATT&CK matrix (Adversarial Tactics, Techniques & Common Knowledge). It is essentially a knowledge base and model for assessing the behavior of attackers who carry out their activity in the final stages of an attack, usually described using the concept of the kill chain. That is, the stages after an attacker has penetrated a company's internal network or a mobile device. The knowledge base originally contained descriptions of 121 tactics and techniques used in attacks, each of which is described in detail in wiki form. Various threat intelligence analyses are well suited as a source for generating hypotheses. Of particular note are the results of infrastructure analysis and penetration tests: these are the most valuable data, and they give us rock-solid hypotheses, because they are based on a specific infrastructure with its specific shortcomings.
Hypothesis verification process
As presented by Sergey Soldatov
Stage 1: TI farm
At this stage it is necessary to single out objects (analyzing them together with all the threat data) and assign them labels describing their properties. These are files, URLs, MD5s, processes, utilities and events. When passing them through threat intelligence systems, tags must be attached. That is: this site was seen as a CNC in such-and-such a year, this MD5 was associated with such-and-such malware, this MD5 was downloaded from a site that distributed malware.
Stage 2: Cases
In the second stage, we examine the interactions between these objects and identify the relationships between all of them. We mark the systems that are doing something bad.
Stage 3: Analyst
In the third stage, the case is handed over to an experienced analyst with extensive analytical experience, who delivers the verdict. The analyst dissects, down to the byte, what this code does, where, how, why and for what purpose. This body is malware, this computer is infected. The connections between objects are uncovered and the results of running it through a sandbox are checked.
The results of the analyst's work are passed on further. Digital forensics examines images, malware analysis examines the "bodies" found, and the incident response team can go to the scene and investigate what is already there. The outcome of the work is a confirmed hypothesis, an identified attack, and ways of countering it.
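The first two stages above, together with the PARIS idea that indirect evidence adds up, as an added example (not code from the article or from Sergey Soldatov): objects from constructed telemetry are tagged against a constructed TI feed, linked to each other, and turned into cases for the stage 3 analyst when their summed confidence crosses a threshold. The feed, the weights and the "type:value" object naming scheme are assumptions made for the example.

```python
from collections import defaultdict

# Stage 1 input: a constructed threat-intelligence feed (not real indicators). Each object carries
# a tag and a confidence weight, as in the PARIS model: direct evidence 1.0, indirect evidence less.
TI_TAGS = {
    "md5:0123456789abcdef0123456789abcdef": ("linked to malware family EXAMPLE-A", 1.0),
    "url:http://updates.example-bad.test/dl.bin": ("site seen distributing malware", 0.6),
    "ip:203.0.113.10": ("seen as CNC in a past incident", 0.5),
    "ip:198.51.100.7": ("scanner noise reported by a partner", 0.2),
}

# Constructed telemetry as (source object, relation, target object) triples.
EVENTS = [
    ("host:ws01", "ran", "proc:winword.exe"),
    ("proc:winword.exe", "spawned", "proc:powershell.exe"),
    ("proc:powershell.exe", "downloaded", "url:http://updates.example-bad.test/dl.bin"),
    ("proc:powershell.exe", "wrote", "md5:0123456789abcdef0123456789abcdef"),
    ("host:ws01", "connected", "ip:203.0.113.10"),
    ("host:ws03", "connected", "ip:198.51.100.7"),
    ("host:ws04", "connected", "ip:203.0.113.10"),
    ("host:ws04", "downloaded", "url:http://updates.example-bad.test/dl.bin"),
]

def tag_objects(events, ti):
    """Stage 1 (TI farm): run every object seen in telemetry through the feed and keep its tags."""
    objects = {o for src, _, dst in events for o in (src, dst)}
    return {o: ti[o] for o in objects if o in ti}

def build_cases(events, ti, threshold=1.0):
    """Stage 2 (cases): link the objects, collect the tagged ones reachable from each host,
    and open a case for stage 3 when the summed confidence reaches the threshold."""
    tags = tag_objects(events, ti)
    graph = defaultdict(set)
    for src, _, dst in events:
        graph[src].add(dst)
    cases = {}
    for host in [o for o in graph if o.startswith("host:")]:
        seen, stack, evidence = set(), [host], []
        while stack:                          # walk everything reachable from the host
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if node in tags:
                evidence.append((node, *tags[node]))
            stack.extend(graph.get(node, ()))
        score = round(sum(w for _, _, w in evidence), 2)
        if score >= threshold:                # one direct hit, or enough indirect hits, is a case
            cases[host] = {"score": score, "evidence": sorted(evidence)}
    return cases
```

ws01 becomes a case through a direct hit, ws04 only through the sum of two indirect hits, and ws03 with a single weak indicator stays below the threshold and is not sent to the analyst.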
Conclusion
Threat hunting is a fairly new technology that can effectively counter new, customized, non-standard threats, and given the growing number of such threats and the increasing complexity of corporate infrastructure, great hopes are pinned on it. It requires three components: data, tools and analysts. The benefits of threat hunting are not limited to preventing threats from being carried out. Do not forget that during the search process the infrastructure and its weak points are thoroughly examined through the eyes of a security analyst, and those points can then be strengthened further.
In our opinion, the first steps you need to take to start a TH process in your organization are:
- Take care of protecting endpoints and the network infrastructure. Take care of visibility (NetFlow) and control (firewall, IDS, IPS, DLP) over all processes on the network. Get to know the network from the edge router to the last host.
- Explore MITRE ATT&CK.
- Conduct regular penetration tests of at least the key external resources, analyze the results, identify the main targets of attack and close their vulnerabilities.
- Implement an open-source threat intelligence system (e.g. MISP, Yeti) and analyze logs in conjunction with it.
- Implement an incident response platform (IRP): R-Vision IRP, The Hive, and sandboxes for analyzing suspicious files (FortiSandbox, Cuckoo).
- Automate routine processes. Log analysis, incident recording and staff notification are a huge field for automation.
- Learn to interact effectively with engineers, developers and technical support in order to cooperate on incidents.
- Document the entire process, its key points and the results achieved, so that you can come back to them later or share the data with colleagues.
- Be social: be aware of what is happening with your employees, whom you hire, and whom you grant access to the organization's information resources.
- Keep up with trends in new threats and protection methods, raise your level of technical literacy (including in the operation of IT services and subsystems), attend conferences and communicate with colleagues.
We are ready to discuss how to set up a TH process in the comments.
Or come and work with us!
Source: habr.com