, zambiri (87%) za zochitika zachitetezo chazidziwitso zimachitika mphindi zochepa, ndipo 68% yamakampani zimatenga miyezi kuti azindikire. Izi zikutsimikiziridwa ndi , malinga ndi zomwe zimatengera mabungwe ambiri pafupifupi masiku 206 kuti azindikire chochitika. Kutengera zomwe takumana nazo pakufufuza kwathu, obera amatha kuwongolera zida zamakampani kwazaka zambiri osazindikirika. Chifukwa chake, m'modzi mwa mabungwe omwe akatswiri athu adafufuza zomwe zidachitika pachitetezo chazidziwitso, zidawululidwa kuti obera adalamulira kwathunthu zida zonse za bungweli ndipo nthawi zonse amaba zidziwitso zofunika. .
Tiyerekeze kuti muli ndi SIEM yomwe ikuyenda kale yomwe imasonkhanitsa zipika ndikusanthula zochitika, ndipo pulogalamu ya antivayirasi imayikidwa pamapeto. Komabe, , monga momwe sizingatheke kukhazikitsa machitidwe a EDR pa intaneti yonse, zomwe zikutanthauza kuti malo "akhungu" sangapewedwe. Machitidwe a Network traffic analysis (NTA) amathandiza kuthana nawo. Mayankho awa amazindikira zochitika za owukira m'magawo oyambilira a kulowa kwa netiweki, komanso poyesa kupeza mwayi ndikuyambitsa kuwukira mkati mwamaneti.
Pali mitundu iwiri ya ma NTA: ena amagwira ntchito ndi NetFlow, ena amasanthula kuchuluka kwa magalimoto. Ubwino wa machitidwe achiwiri ndikuti amatha kusunga zolemba zamagalimoto zakuda. Chifukwa cha izi, katswiri wazidziwitso zachitetezo amatha kutsimikizira kupambana kwachiwembucho, kuyika chiwopsezocho, kumvetsetsa momwe chiwembucho chidachitikira komanso momwe angapewerenso chimodzimodzi m'tsogolomu.
Tikuwonetsa momwe kugwiritsa ntchito NTA mungagwiritse ntchito umboni wachindunji kapena wosalunjika kuti muzindikire njira zonse zowukira zomwe zafotokozedwa m'chidziwitso. . Tidzakambirana za njira iliyonse ya 12, kusanthula njira zomwe zimazindikiridwa ndi magalimoto, ndikuwonetsa kuzindikira kwawo pogwiritsa ntchito dongosolo lathu la NTA.
Za chidziwitso cha ATT&CK
MITER ATT&CK ndi chidziwitso cha anthu chomwe chimapangidwa ndikusamalidwa ndi MITER Corporation potengera kusanthula kwa ma APT amoyo weniweni. Ndi njira zokhazikika komanso njira zomwe zimagwiritsidwa ntchito ndi omwe akuukira. Izi zimalola akatswiri oteteza zidziwitso padziko lonse lapansi kuti azilankhula chilankhulo chimodzi. Nawonso database ikukulirakulira ndikuwonjezeredwa ndi chidziwitso chatsopano.
Dongosololi limatchula njira 12, zomwe zimagawidwa ndi magawo a cyber attack:
- kupezeka koyamba;
- kuphedwa;
- kuphatikiza (kulimbikira);
- kuchuluka kwa shuga;
- kupewa kuzindikira (kuzemba chitetezo);
- kupeza ziphaso (zovomerezeka);
- kufufuza;
- kuyenda mkati mwa perimeter (motsatira kayendedwe);
- kusonkhanitsa deta (kusonkhanitsa);
- kulamula ndi kulamulira;
- kutulutsa kwa data;
- zotsatira.
Pa njira iliyonse, chidziwitso cha ATT & CK chimalemba mndandanda wa njira zomwe zimathandiza owukira kukwaniritsa cholinga chawo pakali pano. Popeza njira yomweyi ingagwiritsidwe ntchito pazigawo zosiyanasiyana, ingatanthauze njira zingapo.
Kufotokozera kwa njira iliyonse kumaphatikizapo:
- chizindikiritso;
- mndandanda wa njira zomwe zimagwiritsidwa ntchito;
- zitsanzo zogwiritsidwa ntchito ndi magulu a APT;
- njira zochepetsera kuwonongeka kwa kugwiritsidwa ntchito kwake;
- kuzindikira malingaliro.
Akatswiri achitetezo azidziwitso atha kugwiritsa ntchito zomwe zasungidwa m'dawunilodi kupanga zidziwitso za njira zowukira zomwe zikuchitika ndipo, poganizira izi, kupanga chitetezo chogwira ntchito. Kumvetsetsa momwe magulu enieni a APT amagwirira ntchito kumathanso kukhala gwero lamalingaliro ofufuza mwachangu zowopseza mkati. .
Za PT Network Attack Discovery
Tidzazindikira kugwiritsa ntchito njira zochokera ku ATT & CK matrix pogwiritsa ntchito dongosolo - Positive Technologies NTA system, yopangidwa kuti izindikire kuukira kozungulira komanso mkati mwa netiweki. PT NAD imakwirira, kumlingo wosiyanasiyana, njira zonse 12 za matrix a MITER ATT&CK. Iye ali wamphamvu kwambiri pozindikiritsa njira zopezera koyambirira, kusuntha kotsatira, ndi kulamulira ndi kulamulira. Mwa iwo, PT NAD imakhudza njira zopitilira theka la njira zodziwika bwino, kuzindikira momwe zimagwiritsidwira ntchito ndi zizindikiro zachindunji kapena zosalunjika.
Dongosolo limazindikira ziwopsezo pogwiritsa ntchito njira za ATT & CK pogwiritsa ntchito malamulo ozindikira omwe adapangidwa ndi gulu (PT ESC), kuphunzira pamakina, zisonyezo za kunyengerera, kusanthula mozama ndi kuwunika kobwerera. Kuwunika kwanthawi yeniyeni kwamagalimoto ophatikizidwa ndi zowonera kumakupatsani mwayi wozindikira zochitika zoyipa zomwe zabisika ndikutsata ma vectors otukuka komanso nthawi yakuukira.
mapu athunthu a PT NAD kupita ku MITER ATT&CK matrix. Chithunzicho ndi chachikulu, choncho tikukupemphani kuti muwone pawindo lapadera.
Kufikira koyamba
Njira zoyambira zofikira zimaphatikizapo njira zolowera pa intaneti yamakampani. Cholinga cha omwe akuwukira pakadali pano ndikupereka code yoyipa ku dongosolo lomwe lawukiridwa ndikuwonetsetsa kuti lingathe kuphedwanso.
Kusanthula kwamagalimoto kuchokera ku PT NAD kukuwonetsa njira zisanu ndi ziwiri zopezera mwayi woyambira:
1. : kuyendetsa-ndi kunyengerera
Njira yomwe wozunzidwa amatsegula tsamba lomwe limagwiritsidwa ntchito ndi omwe akuukira kuti agwiritse ntchito msakatuli ndikupeza zizindikiro zopezera ntchito.
Kodi PT NAD imachita chiyani?: Ngati kuchuluka kwa intaneti sikunasinthidwe, PT NAD imayang'ana zomwe zili mu mayankho a seva ya HTTP. Mayankhidwewa ali ndi zochitika zomwe zimalola oukirawo kuti apereke ma code osasintha mkati mwa msakatuli. PT NAD imadziwiratu zochitika zoterezi pogwiritsa ntchito malamulo ozindikira.
Kuphatikiza apo, PT NAD imazindikira zowopsa mu sitepe yapitayi. Malamulo ndi zisonyezo zosokoneza zimayambitsidwa ngati wogwiritsa ntchito adayendera tsamba lomwe lidamulozera kutsamba lomwe lili ndi zinthu zambiri.
2. : gwiritsani ntchito pulogalamu yoyang'ana anthu
Kugwiritsa ntchito zofooka mu ntchito zomwe zimapezeka pa intaneti.
Kodi PT NAD imachita chiyani?: Amawunika mozama zomwe zili m'mapaketi a netiweki, ndikuzindikira zizindikiro za zochitika zosasangalatsa. Makamaka, pali malamulo omwe amakulolani kuti muzindikire kuukira kwa machitidwe akuluakulu a kasamalidwe kazinthu (CMS), malo ochezera a pa intaneti a zida zapaintaneti, ndi kuukira kwa makalata ndi ma seva a FTP.
3. : ntchito zakutali zakunja
Zigawenga zimagwiritsa ntchito mautumiki akutali kuti alumikizane ndi zida zamkati zamaneti kuchokera kunja.
Kodi PT NAD imachita chiyani?: popeza dongosololi limazindikira ma protocol osati ndi manambala a doko, koma ndi zomwe zili m'mapaketi, ogwiritsa ntchito amatha kusefa magalimoto kuti apeze magawo onse a ma protocol akutali ndikuwona kuvomerezeka kwawo.
4. : kuphatikana ndi spearphishing
Tikulankhula za kutumiza koyipa kwa ma phishing attachments.
Kodi PT NAD imachita chiyani?: Imachotsa mafayilo mumsewu ndikuwayang'ana motsutsana ndi zisonyezo zosokoneza. Mafayilo omwe amatha kugwiritsidwa ntchito pazomata amazindikiridwa ndi malamulo omwe amasanthula zomwe zili pamakalata. M'malo amakampani, ndalama zotere zimawonedwa ngati zosasangalatsa.
5. : spearphishing link
Kugwiritsa ntchito maulalo achinyengo. Njirayi imaphatikizapo otsutsa kutumiza imelo yaphishing ndi ulalo womwe, mukadina, amatsitsa pulogalamu yoyipa. Monga lamulo, ulalowo umatsagana ndi zolemba zomwe zalembedwa motsatira malamulo onse a chikhalidwe cha anthu.
Kodi PT NAD imachita chiyani?: Imazindikira maulalo achinyengo pogwiritsa ntchito zisonyezo za kusagwirizana. Mwachitsanzo, mu mawonekedwe a PT NAD tikuwona gawo lomwe munali kulumikizana kwa HTTP kudzera pa ulalo womwe uli pamndandanda wa ma adilesi a phishing (phishing-urls).
Lumikizani kudzera pa ulalo wochokera pamndandanda wazizindikiro za compromise phishing-url
6. : ubale wodalirika
Kufikira pa intaneti ya wozunzidwayo kudzera mwa anthu ena omwe wozunzidwayo wakhazikitsa ubale wodalirika. Owukira amatha kuthyolako gulu lodalirika ndikulumikizana ndi netiweki yomwe mukufuna kudzera mu izo. Kuti achite izi, amagwiritsa ntchito maulumikizidwe a VPN kapena zikhulupiliro za domain, zomwe zitha kudziwika kudzera pakuwunika kwamagalimoto.
Kodi PT NAD imachita chiyani?: imagawa ma protocol ndikusunga magawo omwe adagawidwa mu nkhokwe, kuti wofufuza zachitetezo azidziwitso atha kugwiritsa ntchito zosefera kuti apeze zolumikizana zonse zokayikitsa za VPN kapena maulalo amitundu yosiyanasiyana munkhokwe.
7. : akaunti zovomerezeka
Kugwiritsa ntchito zidziwitso zanthawi zonse, zakomweko kapena madambwe kuti zivomerezedwe pazakunja ndi zamkati.
Kodi PT NAD imachita chiyani?: Imapeza zokha mbiri kuchokera ku HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP, ma protocol a Kerberos. Mwambiri, uku ndi kulowa, mawu achinsinsi ndi chizindikiro cha kutsimikizika kopambana. Ngati zagwiritsidwa ntchito, zikuwonetsedwa mu khadi lolingana ndi gawo.
Kuphedwa
Njira zophatikizira zimaphatikizapo njira zomwe owukira amagwiritsa ntchito polemba ma code pamakina osokonekera. Kuthamanga nambala yoyipa kumathandizira omwe akuukira kuti akhazikitse kukhalapo (njira yolimbikira) ndikukulitsa mwayi wofikira kumakina akutali pamanetiwo poyenda mkati mozungulira.
PT NAD imakupatsani mwayi kuti muwone kugwiritsa ntchito njira 14 zomwe owukira amagwiritsa ntchito kuti apereke manambala oyipa.
1. CMSTP (Microsoft Connection Manager Profile Installer)
Njira yomwe owukira amakonzekera fayilo yapadera ya INF yoyipa ya Windows CMSTP.exe (Connection Manager Profile Installer). CMSTP.exe imatenga fayilo ngati parameter ndikuyika mbiri yautumiki kuti ilumikizane ndikutali. Chotsatira chake, CMSTP.exe ikhoza kugwiritsidwa ntchito potsegula ndi kuchita ma libraries amphamvu (*.dll) kapena scriptlets (*.sct) kuchokera ku maseva akutali.
Kodi PT NAD imachita chiyani?: Imazindikira zokha kusamutsa kwamitundu yapadera yamafayilo a INF mumayendedwe a HTTP. Kuphatikiza pa izi, imazindikira kufalitsa kwa HTTP kwa zolemba zoyipa ndi malaibulale olumikizirana kuchokera pa seva yakutali.
2. : mawonekedwe a mzere wamalamulo
Kuyanjana ndi mawonekedwe a mzere wolamula. Mawonekedwe a mzere wolamula amatha kuyanjana nawo kwanuko kapena kutali, mwachitsanzo pogwiritsa ntchito zida zakutali.
Kodi PT NAD imachita chiyani?: imadziwikiratu kukhalapo kwa zipolopolo kutengera mayankho ku malamulo kuti akhazikitse zida zosiyanasiyana zamalamulo, monga ping, ifconfig.
3. : gawo lachitsanzo ndi COM yogawidwa
Kugwiritsa ntchito matekinoloje a COM kapena DCOM kuyika ma code pamakina am'deralo kapena akutali mukuyenda pamaneti.
Kodi PT NAD imachita chiyani?: Imazindikira mafoni okayikitsa a DCOM omwe owukira amagwiritsa ntchito kuyambitsa mapulogalamu.
4. : kugwiritsidwa ntchito kwa kasitomala
Kugwiritsiridwa ntchito kwa ziwopsezo kuti mugwiritse ntchito code yokhazikika pamakina ogwirira ntchito. Zothandiza kwambiri kwa omwe akuwukira ndi omwe amalola kuti code ichitike pakompyuta yakutali, chifukwa imatha kulola owukira kuti azitha kugwiritsa ntchito dongosololi. Njirayi ingagwiritsidwe ntchito pogwiritsa ntchito njira izi: kutumiza makalata oipa, tsamba la webusayiti lomwe lili ndi zoyeserera za msakatuli, komanso kugwiritsa ntchito kutali kwazovuta za pulogalamuyo.
Kodi PT NAD imachita chiyani?: Mukasanthula kuchuluka kwa maimelo, PT NAD imayang'ana ngati pali mafayilo omwe angathe kuchitidwa pazomata. Imachotsa zokha zikalata zamaofesi kuchokera pamaimelo omwe angakhale ndi zantchito. Kuyesera kugwiritsa ntchito zofooka kumawonekera mumsewu, zomwe PT NAD imadzizindikira yokha.
5. : mza
Gwiritsani ntchito mshta.exe, yomwe imagwiritsa ntchito Microsoft HTML applications (HTA) ndi .hta extension. Chifukwa mshta imagwiritsa ntchito mafayilo podutsa makonda achitetezo a msakatuli, owukira amatha kugwiritsa ntchito mshta.exe kuti awononge mafayilo oyipa a HTA, JavaScript, kapena VBScript.
Kodi PT NAD imachita chiyani?: Mafayilo a .hta oti aphedwe kudzera mshta amatumizidwanso pamaneti - izi zitha kuwoneka pamagalimoto. PT NAD imazindikira kusamutsa kwa mafayilo oyipa otere. Imajambula mafayilo, ndipo zambiri za iwo zitha kuwonedwa mumakhadi agawo.
6. : PowerShell
Gwiritsani ntchito PowerShell kuti mupeze zambiri ndikuchita nambala yoyipa.
Kodi PT NAD imachita chiyani?: PowerShell ikagwiritsidwa ntchito ndi owukira akutali, PT NAD imazindikira izi pogwiritsa ntchito malamulo. Imazindikira mawu osakira a chilankhulo cha PowerShell omwe amagwiritsidwa ntchito nthawi zambiri m'malemba oyipa komanso kutumiza zolembedwa za PowerShell pa protocol ya SMB.
7. : ntchito yokonzedwa
Kugwiritsa ntchito Windows Task Scheduler ndi zida zina kuti mugwiritse ntchito mapulogalamu kapena zolemba nthawi zina.
Kodi PT NAD imachita chiyani?: owukira amapanga ntchito zotere, nthawi zambiri patali, zomwe zikutanthauza kuti magawo oterowo amawonekera pamagalimoto. PT NAD imazindikira zokha ntchito zokayikitsa ndikusintha magwiridwe antchito pogwiritsa ntchito mawonekedwe a ATSVC ndi ITaskSchedulerService RPC.
8. : kulemba
Kukhazikitsa ma script kuti mupange zochita zosiyanasiyana za owukira.
Kodi PT NAD imachita chiyani?: imazindikira kutumizidwa kwa zolembedwa pamaneti, ndiko kuti, ngakhale asanayambike. Imazindikira zomwe zili mumsewu ndipo imazindikira kutumizidwa kwamafayilo ndi netiweki ndi zowonjezera zogwirizana ndi zilankhulo zodziwika bwino.
9. : ntchito
Thamangani fayilo yomwe ingathe kuchitika, malangizo a mzere wolamula, kapena script polumikizana ndi ntchito za Windows, monga Service Control Manager (SCM).
Kodi PT NAD imachita chiyani?: imayang'anira kuchuluka kwa magalimoto a SMB ndikuzindikira mwayi wopezeka ku SCM ndi malamulo opangira, kusintha ndi kuyambitsa ntchito.
Njira yoyambira ntchito imatha kukhazikitsidwa pogwiritsa ntchito pulogalamu yakutali ya PSExec. PT NAD imasanthula protocol ya SMB ndikuwona kugwiritsidwa ntchito kwa PSExec ikagwiritsa ntchito fayilo ya PSEXESVC.exe kapena dzina lautumiki la PSEXECSVC kuti lipereke khodi pamakina akutali. Wogwiritsa ntchito ayenera kuyang'ana mndandanda wa malamulo omwe aperekedwa komanso kuvomerezeka kwa lamulo lakutali kuchokera kwa wolandirayo.
Khadi yowukira mu PT NAD ikuwonetsa zambiri zamaukadaulo ndi njira zomwe zimagwiritsidwa ntchito molingana ndi matrix a ATT & CK kuti wogwiritsa ntchito amvetsetse kuti owukirawo ali pa siteji yanji, zolinga zomwe akutsata, ndi njira zolipirira zomwe angatenge.
Lamulo lokhudza kugwiritsa ntchito chida cha PSExec lidayambika, lomwe lingasonyeze kuyesa kupereka malamulo pamakina akutali.
10. : mapulogalamu a chipani chachitatu
Njira yomwe owukira amapeza mwayi wogwiritsa ntchito pulogalamu yoyang'anira kutali kapena pulogalamu yamakampani yotumizira ndikuigwiritsa ntchito kuyendetsa nambala yoyipa. Zitsanzo zamapulogalamu otere: SCCM, VNC, TeamViewer, HBSS, Altiris.
Mwa njira, njirayi ndiyofunikira makamaka pokhudzana ndi kusintha kwakukulu kupita ku ntchito yakutali ndipo, chifukwa chake, kulumikizidwa kwa zida zambiri zapanyumba zosatetezedwa kudzera munjira zokayikitsa zofikira kutali.
Kodi PT NAD imachita chiyani?: imazindikira yokha ntchito ya mapulogalamu otere pa intaneti. Mwachitsanzo, malamulowa amayambitsidwa ndi kugwirizana kudzera pa VNC protocol ndi ntchito ya EvilVNC Trojan, yomwe imayika mwachinsinsi seva ya VNC pa wogwidwayo ndikuyiyambitsa yokha. Komanso, PT NAD imangozindikira protocol ya TeamViewer, izi zimathandiza katswiri, pogwiritsa ntchito fyuluta, kupeza magawo onsewa ndikuwona kuvomerezeka kwawo.
11. : kugwiritsa ntchito
Njira yomwe wogwiritsa ntchito amayendetsa mafayilo omwe angayambitse kupha ma code. Izi zitha kukhala, mwachitsanzo, ngati atsegula fayilo yotheka kapena kuyendetsa chikalata chaofesi ndi macro.
Kodi PT NAD imachita chiyani?: amawona mafayilo oterowo pagawo losamutsa, asanayambitsidwe. Zambiri za iwo zitha kuphunziridwa mu khadi la magawo omwe adafalitsidwa.
12. : Windows Management Instrumentation
Kugwiritsa ntchito chida cha WMI, chomwe chimapereka mwayi wofikirako komanso kutali ndi zida za Windows. Pogwiritsa ntchito WMI, owukira amatha kuyanjana ndi machitidwe am'deralo ndi akutali ndikuchita ntchito zosiyanasiyana, monga kusonkhanitsa zidziwitso pazolinga zowunikira ndikuyambitsa njira zakutali ndikusuntha mozungulira.
Kodi PT NAD imachita chiyani?: Popeza kuyanjana ndi machitidwe akutali kudzera pa WMI kumawoneka mumsewu, PT NAD imadziwiratu zopempha za intaneti kuti zikhazikitse magawo a WMI ndikuyang'ana kuchuluka kwa malemba omwe amagwiritsa ntchito WMI.
13. : Windows Remote Management
Kugwiritsa ntchito ntchito ya Windows ndi protocol yomwe imalola wogwiritsa ntchito kulumikizana ndi machitidwe akutali.
Kodi PT NAD imachita chiyani?: Imawona maulumikizidwe a netiweki atakhazikitsidwa pogwiritsa ntchito Windows Remote Management. Magawo oterowo amadziwikiratu ndi malamulo.
14. : XSL (Extensible Stylesheet Language) kukonza script
Chilankhulo cha kalembedwe ka XSL chimagwiritsidwa ntchito kufotokoza kukonzedwa ndi kuwonera deta mu mafayilo a XML. Kuthandizira magwiridwe antchito ovuta, mulingo wa XSL umaphatikizapo kuthandizira zolembedwa m'zilankhulo zosiyanasiyana. Zilankhulo izi zimalola kukhazikitsidwa kwa ma code mosasamala, zomwe zimatsogolera pakulambalala kwa mfundo zachitetezo potengera mindandanda yoyera.
Kodi PT NAD imachita chiyani?: imazindikira kusamutsa kwa mafayilo otere pamaneti, ndiye kuti, ngakhale asanayambike. Imangozindikira mafayilo a XSL akutumizidwa pa netiweki ndi mafayilo okhala ndi mawonekedwe odabwitsa a XSL.
Pazida zotsatirazi, tiwona momwe dongosolo la PT Network Attack Discovery NTA limapezera njira ndi njira zina zowukira malinga ndi MITER ATT&CK. Dzimvetserani!
olemba:
- Anton Kutepov, katswiri wa PT Expert Security Center, Positive Technologies
- Natalia Kazankova, wogulitsa malonda ku Positive Technologies
Source: www.habr.com