A hole as a security tool - 2, or how to catch an APT "with live bait"

(thanks to Sergey G. Brester, sebers, for the idea for the title)

Colleagues, the purpose of this article is to share the experience of a year-long trial of a new class of IDS solutions based on deception technologies.


To keep the narrative logically coherent, I think it is necessary to start with the premises. So, the problem statement:

  1. Targeted attacks are the most dangerous type of attack, even though their share of the overall threat landscape is small.
  2. No guaranteed effective means of protecting the perimeter (or set of such means) has yet been invented.
  3. As a rule, a targeted attack proceeds in several stages. Breaching the perimeter is only one of the initial stages, and (you may throw stones at me) it does not do much damage to the "victim" by itself, unless, of course, it is a DEoS (Destruction of Service) attack (encryptors, etc.). The real "pain" begins later, when the captured assets start being used for pivoting and developing the attack "in depth", and we have not noticed this.
  4. Since we start suffering real losses only when the attackers reach the targets of the attack (application servers, DBMS, data warehouses, repositories, critical infrastructure elements), it is logical that one of the tasks of the information security service is to interrupt the attack before this sad event. But to interrupt something, you first need to know about it. And the sooner, the better.
  5. Accordingly, for successful risk management (that is, reducing the damage from targeted attacks), it is critical to have tools that provide a minimal TTD (time to detect: the time from the moment of intrusion to the moment the attack is detected). Depending on the industry and region, this period averages 99 days in the US, 106 days in the EMEA region and 172 days in the APAC region (M-Trends 2017, A View From the Front Lines, Mandiant).
  6. What does the market offer?
    • "Sandboxes". Another preventive control that is far from ideal. There are many effective techniques for detecting and bypassing sandboxes or whitelisting solutions. The guys from the "dark side" are still one step ahead here.
    • UEBA (systems for profiling behaviour and detecting deviations): in theory, these can be very effective. But, in my opinion, that is somewhere in the distant future. In practice, they are still very expensive and unreliable, and they require a very mature and stable IT and information security infrastructure that already has all the tooling that will generate data for behavioural analysis.
    • SIEM is a good tool for investigations, but it is not able to see and show something new and original in a timely manner, because correlation rules are the same thing as signatures.

  7. As a result, there is a need for a tool that would:
    • work successfully in an already compromised perimeter,
    • detect successful attacks in near real time, regardless of the tools and vulnerabilities used,
    • not depend on signatures/rules/scripts/policies/profiles and other static things,
    • not require large volumes of data and data sources for analysis,
    • allow threats to be defined not as some kind of risk score produced by "the best in the world, patented and therefore closed mathematics", which then requires additional investigation, but essentially as a binary event: "Yes, we are being attacked" or "No, everything is fine",
    • be universal, scale efficiently and be feasible to implement in any heterogeneous environment, regardless of the physical and logical network topology in use.

So-called deception solutions are now competing for the role of such a tool. That is, solutions based on the good old honeypot concept, but with a completely different level of implementation. The topic is definitely on the rise now.

According to the results of the Gartner Security & Risk Management Summit 2017, deception solutions are included in the TOP 3 strategies and tools recommended for use.

According to the TAG Cybersecurity Annual 2017 report, deception is one of the main directions of development for IDS (Intrusion Detection Systems) solutions.

An entire section of the latest Cisco State of IT Security Report, dedicated to SCADA, is based on data from one of the leaders in this market, TrapX Security (Israel), whose solution has been running in our test environment for a year.

TrapX Deception Grid allows you to deploy and operate a massively distributed IDS centrally, without increasing the license load or the hardware resource requirements. In fact, TrapX is a construction kit that lets you build, from elements of the existing IT infrastructure, one large mechanism for detecting attacks on an enterprise scale, a kind of distributed network "alarm system".

Solution architecture

In our lab we constantly study and test various new products in the field of IT security. Currently, about 50 different virtual servers are deployed here, including the TrapX Deception Grid components.


So, from top to bottom:

  1. TSOC (TrapX Security Operation Console) is the brain of the system. This is the central management console through which configuration, deployment of the solution and all day-to-day operations are carried out. Since it is a web service, it can be deployed anywhere: on the perimeter, in the cloud or at an MSSP provider.
  2. TrapX Appliance (TSA) is a virtual server to which we connect, via a trunk port, the subnets we want to cover with monitoring. All our network sensors also actually "live" here.

    Our lab has one TSA deployed (mwsapp1), but in reality there may be many. This may be necessary in large networks where there is no L2 connectivity between segments (a typical example is "holding company and subsidiaries" or "bank head office and branches"), or if the network has isolated segments, for example industrial control systems. In each such branch/segment you can deploy your own TSA and connect it to a single TSOC, where all the information is processed centrally. This architecture lets you build distributed monitoring systems without having to radically rebuild the network or break the existing segmentation.

    We can also feed a copy of outgoing traffic to the TSA via TAP/SPAN. If we detect communication with known botnets, command and control servers, or TOR sessions, we will also see the result in the console. The Network Intelligence Sensor (NIS) is responsible for this. In our environment this functionality is implemented on the firewall, so we did not use it here.

  3. Application Traps (Full OS): traditional honeypots based on Windows servers. You do not need many of them, since the main purpose of these servers is to provide IT services to the next layer of sensors, or to detect attacks on business applications that can be deployed in a Windows environment. We have one such server deployed in our lab (FOS01).


  4. Emulated traps are the main component of the solution. They allow us, using one single virtual machine, to create a very dense "minefield" for attackers and to saturate the enterprise network, all of its VLANs, with our sensors. The attacker sees such a sensor, or phantom host, as a real Windows PC or server, a Linux server or whatever other device we choose to show him.


    For the good of the business, and out of curiosity, we deployed "a pair of every creature": Windows PCs and servers of various versions, Linux servers, an ATM with embedded Windows, SWIFT Web Access, a network printer, a Cisco switch, an Axis IP camera, a MacBook, a PLC device and even a smart light bulb. There are 13 hosts in total. In general, the vendor recommends deploying such sensors in a quantity of at least 10% of the number of real hosts. The upper limit is the available address space.

    A very important point is that each such host is not a full-fledged virtual machine that needs resources and licenses. It is a decoy, an emulation, a single process on the TSA with a set of parameters and an IP address. Therefore, with the help of even one TSA, we can saturate the network with hundreds of such phantom hosts, which work as sensors in the alarm system. It is this technology that makes it possible to scale the honeypot concept cost-effectively to any large distributed enterprise.

    From the attacker's point of view, these hosts are attractive because they contain vulnerabilities and look like relatively easy targets. The attacker sees services on these hosts and can interact with them and attack them using standard tools and protocols (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, etc.). But it is impossible to use these hosts to develop an attack further or to run your own code.

  5. The combination of these two technologies (Full OS and emulated traps) lets us achieve a high probability that the attacker will sooner or later run into some element of our signalling network. But how do we make that probability close to 100%?

    This is where so-called deception tokens enter the battle. Thanks to them, we can include all the existing PCs and servers of the enterprise in our distributed IDS. Tokens are placed on real user PCs. It is important to understand that tokens are not agents that consume resources and can cause conflicts. Tokens are passive information elements, a kind of "breadcrumbs" for the attacking side that lead it into a trap. For example: mapped network drives, browser bookmarks to fake web admin panels with saved passwords for them, saved ssh/rdp/winscp sessions, our traps with comments in hosts files, passwords saved in memory, credentials of non-existent users, office files whose opening triggers the system, and much more. In this way we place the attacker in a distorted environment, saturated with attack vectors that pose no real threat to us, but rather the opposite. And he has no way of telling where the information is true and where it is false. As a result, we not only ensure rapid detection of an attack, but also significantly slow down its progress.

[Figure: An example of creating a network trap and setting up tokens. A friendly interface and no manual editing of configs, scripts, etc.]

In our environment, we configured and placed a number of such tokens on FOS01, running Windows Server 2012R2, and on a test PC running Windows 7. RDP is running on these machines, and from time to time we "hang" them in the DMZ, where a number of our sensors (emulated traps) are also exposed. So we get a constant stream of incidents, naturally.

So, here are some quick statistics for the year:

56 incidents recorded,
2 attack source hosts detected.

[Figure: Interactive, clickable attack map]

At the same time, the solution does not generate some kind of mega-log or event feed that takes ages to make sense of. Instead, the solution itself classifies events by type and lets the information security team focus primarily on the most dangerous ones: when the attacker tries to establish control sessions (interaction) or when binary payloads (infection) appear in our traffic.
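The two ideas above, planted decoys that only an intruder would ever touch (the tokens and phantom hosts) and a binary "we are being attacked" verdict graded by event type (scan, interaction, infection), can be illustrated with a small rule of this kind. This is an added example written for this article, not TrapX code; the phantom-host addresses, decoy account names, log format and log lines are all constructed.

```python
"""Added example: a minimal deception alert rule (not TrapX code).

Assumption: the defender created the phantom hosts and decoy accounts, so
any legitimate traffic to them is impossible and a touch is a binary alert.
"""
import re

# Inventory of decoys (constructed): emulated hosts and planted credential tokens.
PHANTOM_HOSTS = {"10.0.5.21", "10.0.5.22", "10.0.5.23"}
DECOY_ACCOUNTS = {"svc_backup_old", "admin_swift"}

# Severity classes, lowest to highest, in the order the article uses:
# scan / single connection < session (interaction) < binary payload (infection).
SEVERITY = {"scan": 1, "interaction": 2, "infection": 3}

# Constructed key=value log format; user= and event= are optional.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: user=(?P<user>\S+))?(?: event=(?P<event>\w+))?"
)

def classify(line):
    """Return (severity, source, reason), or None if no decoy was touched."""
    m = LINE_RE.search(line)
    if not m or m["dst"] not in PHANTOM_HOSTS:
        return None          # real host: not ours to judge with this rule
    user, event = m["user"], m["event"]
    if event in ("exec", "upload"):
        return ("infection", m["src"], f"payload via {m['proto']}")
    if user in DECOY_ACCOUNTS or event == "session":
        return ("interaction", m["src"], f"{user or 'session'} on {m['proto']}")
    return ("scan", m["src"], f"probe on {m['proto']}")

def triage(lines):
    """Map each attacking source to the worst severity it produced."""
    worst = {}
    for line in lines:
        hit = classify(line)
        if hit and SEVERITY[hit[0]] > SEVERITY.get(worst.get(hit[1]), 0):
            worst[hit[1]] = hit[0]
    return worst

SAMPLE_LOG = [  # constructed sample lines
    "src=10.0.1.15 dst=10.0.5.21 proto=tcp445",
    "src=10.0.1.15 dst=10.0.5.22 proto=tcp22",
    "src=10.0.1.15 dst=10.0.5.22 proto=ssh user=svc_backup_old event=session",
    "src=10.0.1.40 dst=10.0.5.23 proto=smb event=exec",
    "src=10.0.1.40 dst=10.0.9.9 proto=smb event=exec",
]

if __name__ == "__main__":
    for src, sev in triage(SAMPLE_LOG).items():
        print(f"ALERT {sev:<12} source={src}")
```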


All the information about events is readable and presented, in my opinion, in a form that is easy to understand even for a user with only basic knowledge of information security.

Most of the recorded incidents are attempts to scan our hosts or single connections.


Or attempts to brute-force RDP passwords.


But there were also more interesting cases, especially when attackers "managed" to guess the RDP password and gain access to the local network.


The attacker tries to execute code using psexec.


The attacker found a saved session, which led him into a trap posing as a Linux server. Immediately after connecting, with a single pre-prepared set of commands, he tried to destroy all the log files and the corresponding system variables.


The attacker attempts SQL injection on a honeypot that emulates SWIFT Web Access.

In addition to such "natural" attacks, we also ran a number of our own tests. One of the most revealing was testing the detection time of a network worm on the network. For this we used a tool from GuardiCore called Infection Monkey. It is a network worm that can take over Windows and Linux hosts, but without any "payload".
We deployed a local command centre, launched the first instance of the worm on one of the machines, and received the first alert in the TrapX console in less than a minute and a half. A TTD of 90 seconds versus 106 days on average...

Thanks to the ability to integrate with other classes of solutions, we can move from simply detecting threats to responding to them automatically.

For example, integration with NAC (Network Access Control) systems or CarbonBlack lets you automatically disconnect compromised PCs from the network.


Integration with sandboxes allows the files involved in an attack to be submitted automatically for analysis.

[Figure: McAfee integration]

The solution also has its own built-in event correlation system.


But we were not satisfied with its capabilities, so we integrated it with HP ArcSight.


The built-in ticketing system helps the whole team deal with detected threats together.


Since the solution was designed "from the ground up" for the needs of government agencies and the large corporate segment, it naturally implements a role-based access model, integration with AD, a developed system of reports and triggers (event notifications), and orchestration for large holding structures or MSSP providers.

Instead of a summary

If there is such a monitoring system, which, figuratively speaking, covers our back, then a compromise of the perimeter is only the beginning. The most important thing is that there is a real opportunity to deal with information security incidents, rather than with their consequences.

Source: www.habr.com
