StealthWatch: event analysis and investigation. Part 3

Cisco StealthWatch is an information-security analytics solution that provides comprehensive threat monitoring across a distributed network. StealthWatch is built on collecting NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensitive sensor and lets the administrator see into places that network security controls such as a Next Generation Firewall cannot reach.

In previous articles I have already written about StealthWatch: an introduction and its capabilities, and deployment and configuration. Now I propose to continue and discuss how to work with alarms and how to investigate the security events the solution generates. There will be 6 examples, which I hope will give a good idea of the value of the product.

First of all, it should be said that StealthWatch divides its alarms between algorithms and feeds. The first are the various types of alarms (notifications) which, when triggered, let you detect suspicious activity on the network. The second are security events. This article looks at 4 examples of triggered algorithms and 2 examples of feeds.

1. Analysis of the largest interactions inside the network

The very first step in setting up StealthWatch is defining hosts and networks into groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers must be assigned to appropriate groups. You can also create your own groups. Incidentally, analyzing interactions between hosts in Cisco StealthWatch is quite convenient, because you can save not only the search filters but also the results.

To begin, in the web interface go to the tab Analyze > Flow Search. Then set the following parameters:

  • Search Type - Top Conversations (the most active interactions)
  • Time Range - 24 hours (the time period; you can use another)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (source - the group of internal hosts)
  • Connection (you can specify ports, applications)
  • Peer - Host Groups → Inside Hosts (destination - the group of internal hosts)
  • In Advanced Options you can additionally specify the collector whose data is viewed, and the sorting of the output (by bytes, flows, etc.). I leave these at their defaults.

After pressing the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.

In my example, host 10.150.1.201 (the server) transferred 1.5 GB of traffic within a single flow to host 10.150.1.200 (the client) over the MySQL protocol. The Manage Columns button lets you add further columns to the output.

Next, at the administrator's discretion, you can create a custom rule that always fires on this kind of interaction and notifies you via SNMP, email or Syslog.
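The Top Conversations search above is an aggregation: take every flow whose two endpoints are both in a host group, fold both directions of a connection into one conversation, and rank by bytes. The following Python script is an added example, not StealthWatch code, that does the same thing over a handful of constructed NetFlow-like records; the Inside Hosts definition, the record layout and the 1 GB threshold of the custom rule at the end are all assumptions for illustration.

```python
"""Added example: Top Conversations (Inside-Inside) over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed Inside Hosts group (hypothetical; in StealthWatch it is defined under Host Group Management).
INSIDE_HOSTS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records, not real telemetry: (src, sport, dst, dport, proto, bytes)
SAMPLE_FLOWS = [
    ("10.150.1.201", 3306, "10.150.1.200", 51200, "tcp", 1_500_000_000),   # MySQL server -> client
    ("10.150.1.200", 51200, "10.150.1.201", 3306, "tcp", 40_000_000),      # reverse direction
    ("10.201.3.59", 40001, "10.201.0.5", 53, "udp", 12_000),
    ("10.201.0.5", 53, "10.201.3.59", 40001, "udp", 30_000),
    ("10.201.3.47", 44321, "93.184.216.34", 443, "tcp", 250_000_000),      # inside -> outside, excluded
    ("10.10.10.10", 50000, "10.10.10.20", 445, "tcp", 90_000_000),
]


def is_inside(ip):
    """Membership test for the Inside Hosts group."""
    addr = ip_address(ip)
    return any(addr in net for net in INSIDE_HOSTS)


def conversation_key(src, sport, dst, dport, proto):
    """Canonical bidirectional key: order the two endpoints so both directions
    of one connection collapse into a single conversation."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a, b, proto)


def top_conversations(flows, subject=is_inside, peer=is_inside, limit=10):
    """Search Type = Top Conversations with Subject and Peer both Inside Hosts:
    keep flows whose endpoints satisfy both group predicates, merge directions,
    and sort by total bytes descending."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for src, sport, dst, dport, proto, nbytes in flows:
        if not (subject(src) and peer(dst)):
            continue
        key = conversation_key(src, sport, dst, dport, proto)
        totals[key]["bytes"] += nbytes
        totals[key]["flows"] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [
        {"a": f"{k[0][0]}:{k[0][1]}", "b": f"{k[1][0]}:{k[1][1]}", "proto": k[2], **v}
        for k, v in ranked[:limit]
    ]


def custom_rule_hits(conversations, threshold_bytes=1_000_000_000):
    """Equivalent of the custom rule mentioned in the text: flag conversations over a
    byte threshold so they can be forwarded to SNMP, email or syslog (threshold assumed)."""
    return [c for c in conversations if c["bytes"] >= threshold_bytes]


if __name__ == "__main__":
    convs = top_conversations(SAMPLE_FLOWS)
    for c in convs:
        print(f'{c["a"]} <-> {c["b"]} {c["proto"]} bytes={c["bytes"]} flows={c["flows"]}')
    for hit in custom_rule_hits(convs):
        print("ALERT: large inside-inside transfer", hit)
```

The canonical key is the part worth copying: without it, the two halves of the MySQL session appear as two separate rows and the client-to-server bytes are never added to the 1.5 GB the server sent back.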

2. Analysis of the slowest client-server interactions inside the network for latency

The SRT (Server Response Time) and RTT (Round Trip Time) fields let you tell server latency apart from network latency. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost no NetFlow exporters can send the SRT and RTT fields, so as a rule, to see such data on the FlowSensor you have to configure a copy of the traffic (a SPAN/mirror) from the network devices to it. The FlowSensor then sends extended IPFIX to the FlowCollector.

This analysis is more convenient in the StealthWatch Java application, which is installed on the administrator's PC.

Right-click Inside Hosts and go to the Flow Table tab.

Click on the filter and set the required parameters. For example:

  • Date/Time - For the last 3 days
  • Performance - Average Round Trip Time >= 50 ms

Once the data is displayed, add the RTT and SRT fields we are interested in. To do this, click the column header in the screenshot, right-click and choose Manage Columns, then tick the RTT and SRT fields.

After the query had run, I sorted by average RTT and saw the slowest interactions.

For more detail, right-click the flow and select Quick View for Flow.

This shows that host 10.201.3.59 from the Sales and Marketing group made a request over the NFS protocol to a DNS server that lasted 1 minute 23 seconds, with simply terrible latency. The Interfaces tab tells you which NetFlow exporter the data came from. The Table tab shows more detailed information about the interaction.

Next, you need to find out which devices send traffic to the FlowSensor and where the problem is likely to lie.

Moreover, StealthWatch is notable in that it deduplicates data (merges identical flows). You can therefore collect from almost every NetFlow device without worrying about large volumes of duplicate data. On the contrary, in this scenario it helps to understand which hop introduces the most delay.
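To make the two points above concrete (deduplicating one flow reported by several exporters, and using the per-exporter RTT of that same flow to locate the slow segment), here is an added Python example that is not StealthWatch code. The records, the two FlowSensor names and the 50 ms thresholds are constructed for the example; the flow key (5-tuple plus start time) is the usual way to recognise one flow seen twice.

```python
"""Added example: deduplicate flows seen by several exporters, keep each exporter's
RTT/SRT, and use the gap between observation points to locate latency."""

# Constructed records as a FlowCollector might receive them from two FlowSensors
# (sensor names are hypothetical). Same 5-tuple + start time means the same flow.
# fields: exporter, src, sport, dst, dport, proto, start, bytes, rtt_ms, srt_ms
SAMPLE_RECORDS = [
    ("fs-branch", "10.201.3.59", 41000, "10.201.0.5", 2049, "tcp", 1700000000, 3_200_000, 120.0, 5.0),
    ("fs-core",   "10.201.3.59", 41000, "10.201.0.5", 2049, "tcp", 1700000000, 3_200_000, 9.0, 5.0),
    ("fs-branch", "10.201.3.60", 41001, "10.201.0.6", 443, "tcp", 1700000100, 50_000, 12.0, 2.0),
    ("fs-core",   "10.201.3.60", 41001, "10.201.0.6", 443, "tcp", 1700000100, 50_000, 11.0, 2.0),
    ("fs-core",   "10.201.3.61", 41002, "10.201.0.6", 443, "tcp", 1700000200, 7_000, 4.0, 90.0),
]


def flow_key(rec):
    """Identity of a flow independent of who reported it."""
    _exporter, src, sport, dst, dport, proto, start, *_rest = rec
    return (src, sport, dst, dport, proto, start)


def deduplicate(records):
    """Collapse records describing the same flow into one entry, so bytes are not
    double-counted, while keeping every exporter's own RTT/SRT measurement."""
    flows = {}
    for rec in records:
        exporter, *_rest, nbytes, rtt, srt = rec
        entry = flows.setdefault(flow_key(rec), {"bytes": nbytes, "observations": {}})
        entry["observations"][exporter] = {"rtt_ms": rtt, "srt_ms": srt}
    return flows


def slowest_flows(flows, min_rtt_ms=50.0):
    """The 'Performance - Average Round Trip Time >= 50 ms' filter, sorted slowest first."""
    out = []
    for key, entry in flows.items():
        rtts = [o["rtt_ms"] for o in entry["observations"].values()]
        avg = sum(rtts) / len(rtts)
        if avg >= min_rtt_ms:
            out.append((key, avg))
    return sorted(out, key=lambda kv: kv[1], reverse=True)


def worst_segment(entry):
    """Compare the RTT measured at each observation point of one flow: a large gap
    between two exporters places the latency between them. Returns
    (exporter that saw the highest RTT, delta versus the lowest) or None if only one saw it."""
    obs = entry["observations"]
    if len(obs) < 2:
        return None
    hi = max(obs, key=lambda e: obs[e]["rtt_ms"])
    lo = min(obs, key=lambda e: obs[e]["rtt_ms"])
    return hi, obs[hi]["rtt_ms"] - obs[lo]["rtt_ms"]


def classify(entry, threshold_ms=50.0):
    """High SRT with low RTT means the server is slow; high RTT means the path is slow."""
    rtts = [o["rtt_ms"] for o in entry["observations"].values()]
    srts = [o["srt_ms"] for o in entry["observations"].values()]
    if max(srts) >= threshold_ms and max(rtts) < threshold_ms:
        return "server"
    if max(rtts) >= threshold_ms:
        return "network"
    return "ok"


if __name__ == "__main__":
    flows = deduplicate(SAMPLE_RECORDS)
    for key, avg in slowest_flows(flows):
        print(key, f"avg RTT {avg} ms", classify(flows[key]), worst_segment(flows[key]))
```

In the sample the NFS flow is seen by both sensors with the same byte count (counted once after deduplication), but the branch sensor measures 120 ms where the core sensor measures 9 ms, so the delay sits on the segment between them rather than on the server, whose SRT is a healthy 5 ms.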

3. Auditing HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that makes it possible to detect malicious connections in encrypted traffic without decrypting it. In addition, this technology lets you break HTTPS down into the TLS versions and cryptographic suites used in the connections. This is especially useful when you need to find network hosts that use weak crypto standards.

Note: you need to install the StealthWatch network app ETA Cryptographic Audit.

Go to the Dashboards → ETA Cryptographic Audit tab and select the host group we want to analyze. For the overall picture, let's select Inside Hosts.

You can see that the TLS version and the corresponding crypto standard are displayed. Following the usual pattern, in the Actions column go to View Flows and the search opens in a new tab.

From the output we can see that host 198.19.20.136 used HTTPS with TLS 1.2 over the last 12 hours, with AES-256 as the encryption algorithm and SHA-384 as the hash function. In the same way, ETA lets you find weak algorithms on the network.
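The TLS version and cipher suite ETA reports are carried in the clear in the ServerHello, which is why no decryption is needed. The Python script below is an added example, not Cisco's or ETA's code: it parses a ServerHello, takes the real version from the supported_versions extension when the server negotiated TLS 1.3, and applies the audit rules a practitioner would want (deprecated versions, RC4/3DES/NULL/EXPORT/MD5, no forward secrecy). The records are constructed with the helper in the block; 198.19.20.136 is the host from the article and the other two addresses are hypothetical.

```python
"""Added example: parse a TLS ServerHello and flag weak versions and cipher suites."""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Small subset of the IANA cipher suite registry, enough for the audit rules below.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(version, cipher_suite, supported_version=None):
    """Construct a minimal ServerHello record; used only to make offline test input."""
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # legacy_version, random, empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")           # cipher suite, null compression
    exts = b""
    if supported_version is not None:                              # TLS 1.3 puts the real version here
        data = struct.pack("!H", supported_version)
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body     # HandshakeType server_hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite, compression method
    if pos + 2 <= len(body):                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", edata)[0]   # legacy_version says 1.2; this is the truth
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suite": CIPHER_SUITES.get(cipher, hex(cipher))}


def audit(hello):
    """Audit rules over a parsed ServerHello; an empty list means nothing to report."""
    findings = []
    v, cs = hello["version"], hello["cipher_suite"]
    if v in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        findings.append(f"deprecated protocol version {v}")
    for weak in ("RC4", "3DES", "NULL", "EXPORT", "MD5"):
        if weak in cs:
            findings.append(f"weak cipher primitive {weak}")
    if v != "TLS 1.3" and "DHE" not in cs:          # static RSA key exchange: no forward secrecy
        findings.append("no forward secrecy (static key exchange)")
    return findings


# Constructed observations (hypothetical records; 198.19.20.136 is the article's host).
SAMPLE_OBSERVATIONS = {
    "198.19.20.136": build_server_hello(0x0303, 0xC030),
    "198.19.20.200": build_server_hello(0x0301, 0x000A),
    "198.19.20.201": build_server_hello(0x0303, 0x1302, supported_version=0x0304),
}


def audit_hosts(observations):
    return {host: audit(parse_server_hello(rec)) for host, rec in observations.items()}


if __name__ == "__main__":
    for host, findings in audit_hosts(SAMPLE_OBSERVATIONS).items():
        print(host, findings or "ok")
```

The supported_versions handling is the check people forget: a TLS 1.3 server still writes 0x0303 in legacy_version, so an auditor that reads only that field will report every TLS 1.3 connection as TLS 1.2.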

4. Network anomaly analysis

Cisco StealthWatch can detect traffic anomalies on the network with three tools: Core Events (security events), Relationship Events (events about interactions between segments and network nodes) and behavioral analysis.

Behavioral analysis, in turn, builds a behavioral model of a particular host or host group over time. The more traffic passes through StealthWatch, the more accurate the alerts produced by this analysis become. At first the system produces many false positives, so the rules have to be "tuned" by hand. I recommend either not paying attention to such events for the first few weeks, since the system adjusts itself, or adding them to the exceptions.

Below is an example of a predefined rule which says that the event fires without an alarm if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic within 24 hours exceeds 10 megabytes.

As an example, take the Data Hoarding alarm, which means that some source/destination host downloaded or uploaded an abnormally large amount of data from a host group or a host. Click on the event and go to the table where the triggering hosts are listed. Then pick the host of interest in the Data Hoarding column.

The event shows that 162k "points" were observed while the policy allows 100k "points"; these are internal StealthWatch metrics. In the Actions column, click View Flows.

We can see that the host in question interacted at night with host 10.201.3.47 from the Sales & Marketing department over HTTPS and downloaded 1.4 GB. This example may not be the most telling, but interactions of several hundred gigabytes are detected in exactly the same way. Further investigation of anomalies can therefore produce interesting results.
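The difference between the static 10 MB rule shown earlier and a Data Hoarding alarm is that the latter compares a host against its own history, so a backup server moving a gigabyte a day is normal while a workstation doing the same is not. The Python script below is an added example (not StealthWatch's scoring, whose "points" are internal) that shows that shape of detection: a per-host baseline from past daily volumes, a z-score-style deviation, a minimum-volume floor, a hold-out for hosts with no history yet, and the exception list the text recommends during the first weeks. All hosts, volumes and thresholds are constructed.

```python
"""Added example: per-host baseline detection in the spirit of a Data Hoarding alarm."""
from statistics import mean, pstdev

# Constructed daily download volumes in bytes for the last 7 days (hypothetical hosts).
HISTORY = {
    "10.201.3.59": [18e6, 22e6, 19e6, 21e6, 20e6, 23e6, 17e6],             # a workstation
    "10.201.0.5":  [900e6, 1400e6, 600e6, 2100e6, 1200e6, 1700e6, 800e6],  # a backup server
}
# Constructed volumes for the day under test.
TODAY = {
    "10.201.3.59": 1.4e9,     # the workstation suddenly pulls 1.4 GB
    "10.201.0.5": 1.9e9,      # large, but normal for this server
    "10.201.3.149": 5e6,      # below the minimum worth looking at
    "10.201.3.60": 50e6,      # no history yet
}


def baseline(values):
    """Mean and population standard deviation of a host's past daily volumes."""
    return mean(values), pstdev(values)


def score(value, mu, sigma, floor=1e6):
    """How many standard deviations above its own mean a host is today. The floor on
    sigma stops a perfectly flat history from turning a tiny change into a huge score."""
    return (value - mu) / max(sigma, floor)


def detect(history, today, k=3.0, min_bytes=10e6, exceptions=()):
    """Return {host: alarm} for hosts whose volume today is anomalous for them.

    k          - tolerance in standard deviations; raise it to 'tune down' false positives
    min_bytes  - absolute floor, like the 10 MB figure in the static rule
    exceptions - hosts deliberately excluded while the model is still learning
    """
    alarms = {}
    for host, value in today.items():
        if host in exceptions or value < min_bytes:
            continue
        hist = history.get(host)
        if not hist:
            alarms[host] = {"reason": "no baseline yet", "bytes": value}
            continue
        mu, sigma = baseline(hist)
        z = score(value, mu, sigma)
        if z > k:
            alarms[host] = {"reason": "above baseline", "bytes": value,
                            "expected": mu, "score": round(z, 1)}
    return alarms


if __name__ == "__main__":
    for host, alarm in detect(HISTORY, TODAY).items():
        print(host, alarm)
```

Note the asymmetry in the sample: the backup server's 1.9 GB is well inside its own noisy range and stays quiet, while the workstation's 1.4 GB is hundreds of standard deviations out and fires, which is the behaviour the static rule cannot give you.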

Note: in the SMC web interface, the data on the Dashboards tabs covers only the last week, and the Monitor section only the last 2 weeks. To investigate older events and build reports, you have to work with the Java console on the administrator's PC.

5. Detecting internal network scanners

Now let's look at a few examples of feeds, i.e. security-related events. This functionality is of most interest to security specialists.

StealthWatch has several predefined scan types:

  • Port Scan - the source probes multiple ports on the destination host.
  • Addr tcp scan - the source probes the whole network on the same TCP port, varying the destination IP address. In this case the source receives TCP Reset packets or no replies at all.
  • Addr udp scan - the source probes the whole network on the same UDP port, varying the destination IP address. In this case the source receives ICMP Port Unreachable packets or no replies at all.
  • Ping Scan - the source sends ICMP echo requests to the whole network looking for replies.
  • Stealth Scan tcp/udp - the source uses the same source port to connect to several ports on the destination host at the same time.
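The five definitions above are all expressible as fan-out counts over flow records grouped by source, so it is worth seeing them as detection logic rather than only as alarm names. The Python script below is an added example, not StealthWatch's detector: it groups constructed flow records per source and applies the definitions literally (many destination ports on one host; the same destination port across many hosts with RST/silence or ICMP unreachable; ICMP echo fan-out; and the single-source-port variant that marks a stealth scan). The records, the reply annotations and the fan-out threshold of 5 are assumptions for illustration; 10.201.3.149 and 10.201.0.72 are the hosts from the article's own example.

```python
"""Added example: classify scan types from flow records using the definitions above."""
from collections import defaultdict

THRESHOLD = 5   # assumed fan-out needed before a source counts as a scanner


def flow(src, sport, dst, dport, proto, reply="none", kind=None):
    """One flow record; 'reply' summarises what came back (constructed annotation)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "reply": reply, "kind": kind}


# Constructed sample, not captured traffic.
SAMPLE_FLOWS = (
    # Port Scan: varying source ports, six destination ports on one host, RST back
    [flow("10.201.3.149", 51500 + i, "10.201.0.72", p, "tcp", "rst")
     for i, p in enumerate([22, 28, 36, 40, 41, 42])]
    # Stealth Scan tcp: the same source port reused for every destination port
    + [flow("10.201.3.153", 53, "10.201.0.72", p, "tcp") for p in [21, 23, 25, 80, 110, 143]]
    # Addr tcp scan: one TCP port across the subnet, RST or silence
    + [flow("10.201.3.150", 40000 + i, f"10.201.0.{i}", 445, "tcp", "rst" if i % 2 else "none")
       for i in range(1, 9)]
    # Addr udp scan: one UDP port across the subnet, ICMP port unreachable back
    + [flow("10.201.3.151", 40000 + i, f"10.201.0.{i}", 161, "udp", "icmp-unreach")
       for i in range(1, 9)]
    # Ping Scan: echo requests to ten hosts
    + [flow("10.201.3.152", 0, f"10.201.0.{i}", 0, "icmp",
            "echo-reply" if i < 4 else "none", kind="echo") for i in range(1, 11)]
    # Benign: a client talking to one NFS server on one port
    + [flow("10.201.3.59", 41000 + i, "10.201.0.5", 2049, "tcp", "syn-ack") for i in range(3)]
)


def detect_scans(flows, threshold=THRESHOLD):
    """Return [(source, scan type, details)] for every source that matches a definition."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    findings = []
    for src, recs in by_src.items():
        tcp = [r for r in recs if r["proto"] == "tcp"]
        udp = [r for r in recs if r["proto"] == "udp"]
        icmp = [r for r in recs if r["proto"] == "icmp"]

        # Port Scan / Stealth Scan: many destination ports on one destination host.
        for proto_recs, proto in ((tcp, "tcp"), (udp, "udp")):
            by_dst = defaultdict(list)
            for r in proto_recs:
                by_dst[r["dst"]].append(r)
            for dst, rs in by_dst.items():
                dports = {r["dport"] for r in rs}
                if len(dports) >= threshold:
                    sports = {r["sport"] for r in rs}
                    kind = f"Stealth Scan {proto}" if len(sports) == 1 else "Port Scan"
                    findings.append((src, kind, {"dst": dst, "ports": sorted(dports)}))

        # Addr tcp/udp scan: the same destination port across many hosts, with the
        # reply pattern the definition describes (RST/none for TCP, ICMP unreachable/none for UDP).
        for proto_recs, proto, expected in ((tcp, "tcp", {"rst", "none"}),
                                            (udp, "udp", {"icmp-unreach", "none"})):
            by_port = defaultdict(list)
            for r in proto_recs:
                by_port[r["dport"]].append(r)
            for dport, rs in by_port.items():
                hosts = {r["dst"] for r in rs}
                if len(hosts) >= threshold and all(r["reply"] in expected for r in rs):
                    findings.append((src, f"Addr {proto} scan", {"dport": dport, "hosts": len(hosts)}))

        # Ping Scan: echo requests fanned out over many hosts.
        hosts = {r["dst"] for r in icmp if r["kind"] == "echo"}
        if len(hosts) >= threshold:
            findings.append((src, "Ping Scan", {"hosts": len(hosts)}))
    return findings


if __name__ == "__main__":
    for src, kind, details in detect_scans(SAMPLE_FLOWS):
        print(f"{src}: {kind} {details}")
```

The benign NFS client at the end is the control: three flows to one host on one port trips none of the counters, which is the property that keeps this kind of rule from alarming on ordinary traffic.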

To make it easy to find all internal scanners at once, there is a StealthWatch network app, Visibility Assessment. Going to the Dashboards → Visibility Assessment → Internal Network Scanners tab, you will see the scan-related security events for the last 2 weeks.

Clicking the Details button shows when the scanning of each network started, the traffic trend and the corresponding alarms.

Next, you can drill down into the host from the tab in the previous screenshot and see its security events as well as this host's activity for the last week.

For example, let's analyze the Port Scan event from host 10.201.3.149 against 10.201.0.72 by clicking Actions > Associated Flows. A flow search starts and the relevant information is displayed.

Here we see that this host, from one of its ports, 51508/TCP, scanned the destination host 3 hours ago on ports 22, 28, 42, 41, 36 and 40 (TCP). Some fields show no information because the NetFlow exporter does not support every NetFlow field.

6. Analysis of downloaded malware with CTA

CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates closely with Cisco StealthWatch and lets you complement signatureless analysis with signature-based analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, and to see their spread across the network. Moreover, the ETA technology mentioned earlier allows such malicious communications to be analyzed in encrypted traffic.

Right on the very first tab of the web interface there is a dedicated Cognitive Threat Analytics widget. A brief summary shows the threats detected on user hosts: Trojans, fraudulent software, intrusive adware. The word "Encrypted" indicates that ETA was involved. Clicking on a host shows all the information about it and its security events, including the CTA logs.

Hovering over each CTA stage, the event shows detailed information about the interaction. For the full analytics, click View Incident Details there and you will be taken to the separate Cognitive Threat Analytics console.

In the upper right corner, a filter lets you display events by severity level. When you point at a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. As a result, the security analyst understands clearly which host is infected and which actions it began performing after which events.

Below is another example: a banking Trojan that infected host 198.19.30.36. This host started communicating with malicious domains, and the logs show the details of those interactions.

From there, one of the best possible responses is to quarantine the host, thanks to the native integration with Cisco ISE, for further remediation and analysis.

Conclusion

Cisco StealthWatch is one of the leaders among network monitoring products in terms of both network analysis and information security. Thanks to it you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. In addition, you can find scanners and pentesters and carry out a crypto audit of HTTPS traffic. You can find even more use cases at the link.

If you would like to check how well all of this works on your network, send us a request.
In the near future we are planning more technical publications on various information security products. If you find this topic interesting, follow the updates on our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com