How traffic analysis systems detect attacker tactics from MITRE ATT&CK, using PT Network Attack Discovery as an example
According to Verizon, most (87%) information security incidents take minutes to carry out, while 68% of companies need months to detect them. This is confirmed by Ponemon Institute research, according to which most organizations take an average of 206 days to detect an incident. Based on the experience of our investigations, attackers can control a company's infrastructure for years without being noticed. In one organization where our experts investigated an information security incident, it turned out that the attackers had fully controlled the organization's entire infrastructure and had been regularly stealing important information for eight years.
Suppose you already have a SIEM running that collects logs and analyzes events, and antivirus is installed on the endpoints. Nevertheless, not everything can be detected with a SIEM, just as it is impossible to deploy EDR systems across the entire network, so "blind spots" cannot be avoided. Network traffic analysis (NTA) systems help deal with them. These solutions detect attacker activity at the earliest stages of network penetration, as well as during attempts to gain a foothold and develop the attack inside the network.
There are two kinds of NTA: some work with NetFlow, others analyze raw traffic. The advantage of the second kind is that they can store raw traffic records. Thanks to this, an information security specialist can verify whether an attack succeeded, localize the threat, understand how the attack happened and how to prevent a similar one in the future.
We will show how NTA can be used to detect, by direct or indirect evidence, all of the attack tactics described in the MITRE ATT&CK knowledge base. We will discuss each of the 12 tactics, analyze the techniques that can be detected in traffic, and demonstrate their detection using our NTA system.
About the ATT&CK knowledge base
MITRE ATT&CK is a public knowledge base developed and maintained by the MITRE Corporation based on the analysis of real-world APTs. It is a structured set of the tactics and techniques used by attackers. This allows information security professionals around the world to speak the same language. The knowledge base is constantly growing and being supplemented with new knowledge.
The knowledge base identifies 12 tactics, divided by the stages of a cyber attack:
initial access;
execution;
gaining a foothold (persistence);
privilege escalation;
avoiding detection (defense evasion);
obtaining credentials (credential access);
discovery;
movement within the perimeter (lateral movement);
data gathering (collection);
command and control;
data exfiltration;
impact.
For each tactic, the ATT&CK knowledge base lists the techniques that help attackers achieve their goal at the current stage of the attack. Since the same technique can be used at different stages, it may belong to several tactics.
The description of each technique includes:
an identifier;
the list of platforms on which it is used;
examples of its use by APT groups;
measures to reduce the damage from its use;
We will detect the use of techniques from the ATT&CK matrix using PT Network Attack Discovery, the Positive Technologies NTA system designed to detect attacks on the perimeter and inside the network. PT NAD covers, to varying degrees, all 12 tactics of the MITRE ATT&CK matrix. It is strongest at detecting the initial access, lateral movement, and command and control techniques. For these tactics, PT NAD covers more than half of the known techniques, detecting their use by direct or indirect indicators.
The system detects attacks that use ATT&CK techniques by means of detection rules created by the PT Expert Security Center (PT ESC) team, machine learning, indicators of compromise, deep analytics and retrospective analysis. Real-time traffic analysis combined with retrospection makes it possible to identify currently hidden malicious activity and to trace the development of attack vectors and the chronology of an attack.
Here is the complete mapping of PT NAD to the MITRE ATT&CK matrix. The picture is large, so we suggest viewing it in a separate window.
Initial access
Initial access tactics cover techniques for penetrating a company's network. The attackers' goal at this stage is to deliver malicious code to the targeted system and make sure it can be executed further.
Traffic analysis in PT NAD reveals seven initial access techniques:
What PT NAD does: If web traffic is not encrypted, PT NAD inspects the content of HTTP server responses. These responses may contain exploits that let attackers execute arbitrary code inside the browser. PT NAD automatically detects such exploits using detection rules.
In addition, PT NAD detects the threat one step earlier. Rules and indicators of compromise are triggered if the user visited a site that redirected them to a site hosting exploits.
Exploitation of vulnerabilities in publicly accessible applications.
What PT NAD does: It deeply inspects the content of network packets, detecting signs of anomalous activity. In particular, there are rules that detect attacks on major content management systems (CMS), on the web interfaces of network equipment, and on mail and FTP servers.
What PT NAD does: since the system identifies protocols by packet content rather than by port number, users can filter traffic to find all sessions of remote access protocols and check their legitimacy.
Use of phishing links. In this technique attackers send a phishing email with a link that, when clicked, downloads malware. As a rule, the link is accompanied by text composed according to all the rules of social engineering.
What PT NAD does: It detects phishing links using indicators of compromise. For example, in the PT NAD interface we see a session in which an HTTP connection was made to a link included in the list of phishing addresses (phishing-urls).
Connection via a link from the phishing-urls indicator-of-compromise list
What PT NAD does: It automatically extracts credentials from the HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP and Kerberos protocols. In general, this is a login, a password and a sign of successful authentication. If they have been used, they are displayed in the corresponding session card.
Execution
A technique in which attackers prepare a special malicious INF file for the Windows utility CMSTP.exe (Connection Manager Profile Installer). CMSTP.exe takes the file as a parameter and installs a service profile for a remote connection. As a result, CMSTP.exe can be used to load and execute dynamic-link libraries (*.dll) or scriptlets (*.sct) from remote servers.
What PT NAD does: It automatically detects the transfer of special types of INF files in HTTP traffic. In addition, it detects the transfer over HTTP of malicious scriptlets and dynamic-link libraries from a remote server.
Running an executable file, command-line instruction or script by interacting with Windows services such as the Service Control Manager (SCM).
What PT NAD does: it monitors SMB traffic and detects access to the SCM with commands to create, modify and start services.
The service execution technique can be implemented with the PSExec remote command execution utility. PT NAD analyzes the SMB protocol and detects the use of PSExec when it uses the PSEXESVC.exe file or the PSEXESVC service name to execute code on a remote machine. The user needs to check the list of executed commands and whether remote command execution from that host is legitimate.
The attack card in PT NAD shows the tactics and techniques used according to the ATT&CK matrix so that the user understands what stage of the attack the attackers are at, what goals they are pursuing, and what compensating measures to take.
What PT NAD does: it automatically detects the operation of such software on the network. For example, the rules are triggered by connections over the VNC protocol and by the activity of the EvilVNC Trojan, which covertly installs a VNC server on the victim's host and starts it automatically. PT NAD also automatically identifies the TeamViewer protocol, which allows an analyst to use a filter to find all such sessions and check their legitimacy.
Use of the WMI tool, which provides local and remote access to Windows system components. Using WMI, attackers can interact with local and remote systems and perform a variety of tasks, such as gathering information for discovery purposes and launching processes remotely for lateral movement.
What PT NAD does: Since interaction with remote systems via WMI is visible in traffic, PT NAD automatically detects network requests to establish WMI sessions and checks the traffic for scripts that use WMI.
Use of a Windows service and protocol that allows a user to interact with remote systems.
What PT NAD does: It sees network connections established using Windows Remote Management. Such sessions are automatically detected by rules.
The XSL stylesheet language is used to describe the processing and visualization of data in XML files. To support complex operations, the XSL standard includes support for embedded scripts in various languages. These languages allow arbitrary code execution, which leads to the bypass of whitelist-based security policies.
What PT NAD does: it detects the transfer of such files over the network, that is, even before they are launched. It automatically detects XSL files transmitted over the network and files with anomalous XSL markup.
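As an added illustration (not PT NAD's own code or rules), the Python below applies three of the detection ideas described above to constructed session metadata: the phishing-urls indicator match, the transfer of INF/SCT/XSL files over HTTP, and PsExec's service name and binary appearing in SMB. All hosts, URLs and session records are invented for the example.

```python
# Added example, not PT NAD code: a toy NTA-style rule engine for three detections
# the article describes. Hosts, sessions and the indicator list are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlparse

PHISHING_URLS = {"login-verify.example.test/account"}   # stand-in phishing-urls IoC feed
SUSPICIOUS_EXTENSIONS = {".inf", ".sct", ".xsl"}        # code carriers named in the article
PSEXEC_NAMES = {"PSEXESVC", "PSEXESVC.EXE"}             # PsExec service name and pushed binary

@dataclass
class Session:
    sid: int
    proto: str                                # identified from payload, not port number
    meta: dict = field(default_factory=dict)  # protocol fields extracted by the sensor

def rule_phishing_url(s):
    """Initial access: HTTP request whose host+path is on the phishing-urls list."""
    if s.proto != "HTTP":
        return None
    url = (s.meta.get("host", "") + urlparse(s.meta.get("uri", "")).path).lower()
    return "phishing-url IoC match" if url in PHISHING_URLS else None

def rule_script_file_transfer(s):
    """Execution: INF/SCT/XSL file fetched from a remote server over HTTP."""
    if s.proto != "HTTP":
        return None
    name = urlparse(s.meta.get("uri", "")).path.rsplit("/", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return f"remote {ext} file transfer" if ext in SUSPICIOUS_EXTENSIONS else None

def rule_psexec(s):
    """Execution: service created over SMB using PsExec's binary or service name."""
    if s.proto != "SMB":
        return None
    seen = {s.meta.get("service_name", "").upper(), s.meta.get("filename", "").upper()}
    return "PSExec service execution" if seen & PSEXEC_NAMES else None

RULES = (rule_phishing_url, rule_script_file_transfer, rule_psexec)

def analyze(sessions):
    """Return (session id, verdict) pairs for every rule that fires."""
    return [(s.sid, v) for s in sessions for r in RULES if (v := r(s)) is not None]

SAMPLE_SESSIONS = [  # constructed session metadata
    Session(1, "HTTP", {"host": "login-verify.example.test", "uri": "/account?id=7"}),
    Session(2, "HTTP", {"host": "cdn.example.test", "uri": "/p/profile.INF"}),
    Session(3, "SMB", {"service_name": "PSEXESVC", "filename": "PSEXESVC.exe"}),
    Session(4, "HTTP", {"host": "www.example.test", "uri": "/index.html"}),
]
```

Running `analyze(SAMPLE_SESSIONS)` flags sessions 1, 2 and 3 and leaves the ordinary HTTP session 4 alone; each verdict is the starting point for the legitimacy check the article asks the analyst to perform.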
In the following articles we will look at how the PT Network Attack Discovery NTA system detects other attack tactics and techniques from MITRE ATT&CK. Stay tuned!
Authors:
Anton Kutepov, specialist at the PT Expert Security Center, Positive Technologies
Natalia Kazankova, product marketer at Positive Technologies