Welcome to a new series, this time on the topic of incident investigation: analysing malware with Check Point forensics. We have already published
Why is incident-response forensics needed at all? You caught the malware, which is already good, so why do anything further with it? As practice shows, it is better not only to block the threat but also to understand exactly how it works: what the entry point was, which vulnerability was exploited, which processes are involved, whether the registry and file system are touched, which malware family it belongs to, what the potential damage is, and so on. These and other useful details can be obtained from Check Point's detailed forensic reports (both textual and graphical). Producing such a report by hand is very laborious. This information helps you take the right countermeasures and prevent similar attacks in the future. Today we look at the Check Point SandBlast Network forensics report.
SandBlast Network
Using sandboxes to strengthen network-perimeter security has long been common practice and is now as mandatory a component as IPS. At Check Point, the Threat Emulation blade, which is part of the SandBlast technology (there is also Threat Extraction), provides the sandbox functionality. We have already published
- SandBlast Local Appliance - a dedicated SandBlast appliance is installed on your network, and files are sent to it for analysis.
- SandBlast Cloud - files are sent for analysis to the Check Point cloud.
The sandbox can be considered the last line of defence on the network perimeter. It is engaged only after analysis by the classic means - antivirus and IPS. And where such traditional signature-based tools provide almost no analytics, the sandbox can "tell" in detail why the file was blocked and exactly which malicious actions it performs. This forensics report is available from both the local and the cloud sandbox.
Check Point Forensics Report
Suppose you, as a security specialist, arrive at work and open the dashboard in SmartConsole. You immediately see the incidents of the last 24 hours, and your attention is drawn to the Threat Emulation events - the most dangerous threats, the ones that signature analysis did not block.
You can "drill down" into these events and see all the logs for the Threat Emulation blade.
After that you can further filter the logs by threat criticality (Severity) and by Confidence Level (how reliable the verdict is):
Expanding the incident we are interested in, we can inspect its details (src, dst, severity, sender, and so on):
There you can see the Forensics section with an available Summary report. Clicking it opens a detailed malware analysis as an interactive HTML page:
(This is only part of the page.)
From the same report we can download the original malware (in a password-protected archive) or contact the Check Point response team.
Below you can see a nice animation showing which already-known malicious code our sample has in common with (including identical code fragments and macros). These analytics are produced by machine learning in Check Point ThreatCloud.
Next you can see exactly which activity in the sandbox allowed us to conclude that the file is malicious. In this case we see the use of evasion techniques and an attempt to download ransomware:
Note that in this case the emulation was run on two systems (Win 7, Win XP) and with different software versions (Office, Adobe). Below is a video (a slideshow) of the file being opened in the sandbox:
Sample video:
Finally, we can see in detail how the attack unfolded, either in tabular form or graphically:
From there we can download this information in RAW format, along with a pcap file, for detailed analysis of the generated traffic in Wireshark:
Conclusion
Using this information you can significantly strengthen the protection of your network: block the malware distributors, close the exploited vulnerability, block possible callbacks to the C&C, and much more. This kind of analysis should not be neglected.
In the following articles we will look in the same way at the reports of SandBlast Agent, SandBlast Mobile and CloudGuard SaaS. So stay tuned.
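The two practical steps the article describes, filtering Threat Emulation events by Severity and Confidence Level and then deriving block-list candidates from the chosen incidents, as an added example that is not Check Point's code or the author's. The records are constructed to mimic the log fields the article lists (src, dst, severity, sender, confidence level); the "contacted" field is an assumption standing in for hosts seen in the report's network-activity section.

```python
# Constructed sample Threat Emulation events (not real Check Point output);
# all addresses are from documentation ranges.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CONFIDENCE = {"Low": 1, "Medium": 2, "High": 3}

EVENTS = [
    {"src": "10.0.0.15", "dst": "203.0.113.9", "severity": "Critical", "confidence": "High",
     "sender": "invoice@example.net", "verdict": "Malicious", "file": "invoice.docm",
     "contacted": ["198.51.100.77"]},            # assumed: hosts seen during emulation
    {"src": "10.0.0.22", "dst": "203.0.113.9", "severity": "Medium", "confidence": "Low",
     "sender": "news@example.org", "verdict": "Malicious", "file": "report.pdf",
     "contacted": []},
    {"src": "10.0.0.31", "dst": "203.0.113.12", "severity": "High", "confidence": "Medium",
     "sender": "hr@example.com", "verdict": "Malicious", "file": "resume.xls",
     "contacted": ["198.51.100.77", "192.0.2.8"]},
    {"src": "10.0.0.40", "dst": "203.0.113.12", "severity": "High", "confidence": "High",
     "sender": "it@example.com", "verdict": "Benign", "file": "setup.exe",
     "contacted": []},
]


def triage(events, min_severity="High", min_confidence="Medium"):
    """Keep malicious verdicts at or above both thresholds, most severe first.

    A low-confidence verdict is dropped even when its severity is high, so the
    analyst opens the Summary report only for events worth the time."""
    keep = [e for e in events
            if e["verdict"] == "Malicious"
            and SEVERITY[e["severity"]] >= SEVERITY[min_severity]
            and CONFIDENCE[e["confidence"]] >= CONFIDENCE[min_confidence]]
    return sorted(keep, reverse=True,
                  key=lambda e: (SEVERITY[e["severity"]], CONFIDENCE[e["confidence"]]))


def block_candidates(events):
    """Senders to block at the mail gateway and hosts the samples called out to,
    deduplicated so they can be fed straight into a review queue."""
    senders = sorted({e["sender"] for e in events})
    hosts = sorted({h for e in events for h in e["contacted"]})
    return {"senders": senders, "hosts": hosts}


if __name__ == "__main__":
    chosen = triage(EVENTS)
    for e in chosen:
        print(f'{e["severity"]:8} {e["confidence"]:6} {e["src"]} -> {e["dst"]} {e["file"]}')
    print(block_candidates(chosen))
```

Loosening the thresholds (for example `triage(EVENTS, "Medium", "Low")`) pulls in the lower-confidence events for a second pass once the urgent ones are handled.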
Source: www.habr.com