95% of all threats have long been well studied. These include classes such as spam, DDoS, viruses, rootkits and other classic malware. You can protect yourself against these threats with the same classic security measures.
In any project, 80% of the work takes 20% of the time, and the remaining 20% of the work takes 80% of the time. Similarly, across the whole threat landscape, the 5% of threats that are new will account for 70% of the risk to a company. In a company where information security management processes are organized, we can address the 30% of risk that comes from known threats being realized by avoiding (for example, refusing to use wireless networks), accepting (implementing protective measures) or transferring (for example, onto the shoulders of an integrator) that risk. Protecting yourself against zero-day vulnerabilities, APT attacks, phishing, supply chain attacks, cyber espionage and nation-state operations, as well as a number of other attacks, is already much harder. The consequences of these 5% of threats will be far more serious (the average loss of a bank to the Buhtrap group is 143 million) than the consequences of spam or viruses, which antivirus software saves us from.
Almost everyone has to deal with the 5% of threats. Recently we had to deploy an open-source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. An attempt to install this application via pear failed because the site was unavailable (now there is a stub there), so I had to install it from GitHub. And recently it turned out that PEAR had become the victim of a supply chain attack.
You may still remember the attack through CCleaner, and the NotPetya ransomware epidemic delivered through the update module of the MEDOC tax reporting software. Threats keep growing, and the logical question arises: "How do we counter these 5% of threats?"
Let us reiterate that TH is a process of testing hypotheses. It is a mostly manual process with elements of automation, in which an analyst, relying on their knowledge and skills, sifts through large volumes of information in search of signs of compromise that fit an initially formulated hypothesis about the presence of a particular threat. Its distinctive feature is the variety of information sources.
It should be noted that Threat Hunting is not some kind of software or hardware product. It is not a set of alerts that can be viewed in some solution. It is not a process of searching for IOCs (Indicators of Compromise). And it is not some passive activity that happens without information security analysts. Threat Hunting is first and foremost a process.
Components of Threat Hunting
The three main components of Threat Hunting are data, technology and people.
Data (what?), including Big Data. All kinds of traffic flows, information about previous APTs, analytics, data on user activity, network data, information from employees, darknet information and much more.
People (who?): those who have extensive experience in analyzing various attacks, a developed intuition and the ability to detect an attack. Usually these are information security analysts who must be able to generate hypotheses and find confirmation for them. They are the main link in the process.
The PARIS Model
Adam Bateman describes the PARIS model of an ideal TH process. The name refers to a famous landmark in France. The model can be viewed in two directions: from the top and from the bottom.
Working through the model from the bottom up, we encounter a lot of evidence of malicious activity. Each piece of evidence has a measure called confidence, a characteristic that reflects the weight of that evidence. There is "ironclad", direct evidence of malicious activity, on the basis of which we can go straight to the top of the pyramid and raise a real alert about a precisely known infection. And there is indirect evidence, the accumulation of which can also bring us to the top of the pyramid. As always, there is far more indirect evidence than direct evidence, which means it has to be sorted and analyzed, additional investigation has to be done, and it is important that this work actually gets done.
The upper part of the model (levels 1 and 2) is built on automation technologies and various analytics, and the lower part (levels 3 and 4) on people with certain qualifications who drive the process. You can view the model from top to bottom: at the top, in the blue part, we have alerts from traditional protection tools (antivirus, EDR, firewall, signatures) with a high degree of confidence and trust, and below them are indicators (IOC, URL, MD5 and others) that have a lower degree of certainty and require additional study. The lowest and widest level (4) is hypothesis generation, the creation of new scenarios for the operation of traditional protection tools. This level is not limited to the sources of hypotheses listed. At the lower level, the main emphasis is on the qualifications of the expert.
It is very important that analysts do not just test predefined hypotheses, but constantly work on generating new hypotheses and options for testing them.
TH Adoption Maturity Model
In an ideal world, TH is a continuous process. But since there is no ideal world, let's look at the maturity model and the methods in terms of the people, processes and technologies used. Let's consider a model of an ideal "spherical" TH. There are 5 levels of use of this technology. Let's look at them using the example of how a single team of analysts evolves.
Maturity levels, broken down by people, processes and technologies:

Level 0 (Traditional)
People: SOC analysts; 24/7.
Processes: no TH; passive monitoring; a set of alerts; working with alerts.
Technologies: traditional tools: IDS, AV, sandboxing; signature detection tools; Threat Intelligence data.

Level 1 (Experimental)
People: SOC analysts; basic forensics knowledge; good knowledge of networks and applications.
Processes: one-time TH; IOC search; experiments with TH.
Technologies: EDR; partial coverage of data from network devices; partial use of the tools.

Level 2 (Periodic)
People: temporary team working in sprints; intermediate forensics knowledge; good knowledge of networks and applications.
Processes: periodic TH; a week per month; regular, temporary TH.
Technologies: EDR; full coverage of data from network devices; full use of EDR data; partial use of advanced EDR capabilities.

Level 3 (Preventive)
People: dedicated TH team; 24/7; excellent knowledge of forensics and malware; excellent knowledge of the attacking side.
Processes: preventive TH; partial ability to test TH hypotheses; special TH cases.
Technologies: use of advanced EDR capabilities; full coverage of data from network devices; customization of the tools to fit your needs.

Level 4 (Leading)
People: dedicated TH team; 24/7; excellent knowledge of forensics and malware; excellent knowledge of the attacking side; research capability.
Processes: preventive TH; full ability to test TH hypotheses; testing, automation and verification of TH hypotheses.
Technologies: Level 3, plus: tight integration of data sources; development according to needs and non-standard use of APIs.
Level 1: experimental, using TH. The same analysts, with basic forensics knowledge and good knowledge of networks and applications, can carry out one-time Threat Hunting by searching for indicators of compromise. EDR is added to the tools, with partial coverage of data from network devices. The tools are used only partially.
Level 2: periodic, temporary TH. The same analysts, having already deepened their knowledge of forensics, networks and applications, are required to engage in Threat Hunting regularly (in sprints), say, one week a month. The tools add full coverage of data from network devices, analysis of data from EDR, and partial use of the advanced capabilities of EDR.
Level 3: preventive, frequent TH cases. Our analysts have organized themselves into a dedicated team and have acquired excellent knowledge of forensics and malware, as well as knowledge of the methods and tactics of the attacking side. The process is already running 24/7. The team is able to partially test TH hypotheses while fully using the advanced capabilities of EDR, with full coverage of data from network devices. Analysts can also customize the tools to suit their needs.
Level 4: advanced, leading TH. The same team has acquired research capability and the ability to develop and automate the process of testing TH hypotheses. The tools are now supplemented by tight integration of data sources, software development to meet the team's needs, and non-standard use of APIs.
The simplest method, basic search, is used to narrow the area of investigation using specific queries. Statistical analysis is used, for example, to build a profile of typical user or network activity in the form of a statistical model. Visualization methods are used to display data visually and simplify its analysis in the form of graphs and charts, which makes it much easier to spot patterns in the sample. The simple technique of aggregation by key fields is used to optimize search and analysis. The more mature an organization's TH process becomes, the more relevant the use of machine learning algorithms becomes. They are also widely used in spam filtering, malicious traffic detection and fraud detection. A more advanced class of machine learning algorithms is Bayesian methods, which allow classification, reduction of sample size, and topic modeling.
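The three simplest methods named above (basic search, aggregation by key fields and a statistical baseline) can be shown on a small sample. The block below is an added example and not code from the original article; the log format, hosts, users, addresses and helper names are all constructed for illustration. The baseline is a leave-one-out comparison of each user's daily logon count against that user's other days, with the deviation floored at 1.0 so a perfectly flat history does not divide by zero.

```python
"""Added example (not from the original article): the simple hunting
methods the text lists, run over a constructed authentication log sample.
Everything here is hypothetical: the log format, the hosts, the users and
the helper names are all made up for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log lines in a made-up key=value, syslog-like format.
# Days 1-3 are routine; on day 4 user "bob" logs on to six machines at night.
SAMPLE_LOGS = """\
2023-03-01T08:02:11 host=ws-101 user=alice event=logon src=10.0.0.12
2023-03-01T08:05:40 host=ws-102 user=bob event=logon src=10.0.0.13
2023-03-01T09:10:02 host=ws-101 user=alice event=logoff src=10.0.0.12
2023-03-02T08:01:55 host=ws-101 user=alice event=logon src=10.0.0.12
2023-03-02T08:07:21 host=ws-102 user=bob event=logon src=10.0.0.13
2023-03-03T08:03:09 host=ws-101 user=alice event=logon src=10.0.0.12
2023-03-03T08:04:10 host=ws-102 user=bob event=logon src=10.0.0.13
2023-03-04T02:14:33 host=srv-dc1 user=bob event=logon src=10.0.0.77
2023-03-04T02:15:01 host=srv-fs1 user=bob event=logon src=10.0.0.77
2023-03-04T02:15:40 host=srv-db1 user=bob event=logon src=10.0.0.77
2023-03-04T02:16:12 host=ws-105 user=bob event=logon src=10.0.0.77
2023-03-04T02:17:00 host=ws-106 user=bob event=logon src=10.0.0.77
2023-03-04T02:17:45 host=ws-107 user=bob event=logon src=10.0.0.77
2023-03-04T08:06:18 host=ws-101 user=alice event=logon src=10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_logs(text):
    """Turn each line into a dict; 'day' is derived from the timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing
        ev = {"ts": m.group("ts"), "day": m.group("ts")[:10]}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def basic_search(events, **criteria):
    """Basic search: narrow the data set to events matching every field=value."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def aggregate(events, *fields):
    """Aggregation by key fields: count events per distinct field combination."""
    return Counter(tuple(e.get(f) for f in fields) for e in events)


def daily_logon_outliers(events, threshold=3.0):
    """Statistical baseline: for each user and day, compare that day's logon
    count with the user's other days (leave-one-out mean and deviation).
    Days more than `threshold` deviations above the mean are returned as
    (user, day, count) tuples."""
    per_user_day = defaultdict(Counter)
    for e in basic_search(events, event="logon"):
        per_user_day[e["user"]][e["day"]] += 1
    outliers = []
    for user, days in per_user_day.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to form a baseline
            mean = statistics.mean(others)
            spread = max(statistics.pstdev(others), 1.0)  # floor avoids /0
            if (n - mean) / spread > threshold:
                outliers.append((user, day, n))
    return sorted(outliers)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(aggregate(evs, "user", "src"))
    print(daily_logon_outliers(evs))
```

The aggregation by (user, src) already makes the day-4 burst visible by eye; the baseline function turns the same observation into something that can be scheduled and repeated, which is the point the text makes about automating the handling of indirect evidence.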
The Diamond Model and TH Strategies
Sergio Caltagirone, Andrew Pendergast and Christopher Betz, in their work "The Diamond Model of Intrusion Analysis", showed the main components of any malicious activity and the connections between them.
Diamond model of malicious activity
According to this model, there are 4 Threat Hunting approaches, each based on one of the corresponding key components.
1. Victim-centric approach. We assume that the victim has adversaries and that they will deliver "opportunities" via email. We look for adversary data in the mail: links, attachments and so on. We look for confirmation of this hypothesis for a certain period (a month, two weeks); if we do not find it, the hypothesis did not pan out.
2. Infrastructure-centric approach. There are several ways to apply this approach. Depending on availability and visibility, some are easier than others. For example, we monitor domain name servers known to host malicious domains. Or we go through the process of monitoring new domain name registrations for a known pattern used by the adversary.
3. Capability-centric approach. In addition to the victim-centric approach used by most network defenders, there is a capability-centric approach. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's ability to use legitimate tools such as psexec, powershell, certutil and others.
4. Adversary-centric approach. The adversary-centric approach focuses on the adversary itself. This includes the use of open-source intelligence (OSINT), collection of data about the adversary, their techniques, tactics and procedures (TTP), analysis of past incidents, Threat Intelligence data, and so on.
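A capability-centric hypothesis of the kind described in approach 3 can be tested with a simple baseline comparison. The block below is an added example and not code from the original article or from the Diamond Model paper; the hosts, users, timestamps and function names are hypothetical. The hypothesis is that an adversary is reusing the legitimate tools the text names (psexec, powershell, certutil); the check flags those tools appearing on hosts where a baseline window never saw them, and applies the text's rule that no confirmation within the window means the hypothesis did not pan out for that window.

```python
"""Added example (not from the original article): a capability-centric
hunt over constructed process-creation events. Hosts, users, timestamps
and function names are hypothetical."""
from collections import defaultdict

# The legitimate tools the text names as adversary capabilities.
WATCHED_TOOLS = {"psexec.exe", "powershell.exe", "certutil.exe"}

# Constructed events as (timestamp, host, user, image); not real telemetry.
# Baseline days: alice runs a scheduled PowerShell script on ws-101 and
# bob administers servers with PsExec from srv-admin.
EVENTS = [
    ("2023-03-01T08:00:00", "ws-101", "alice", "powershell.exe"),
    ("2023-03-01T09:00:00", "srv-admin", "bob", "PsExec.exe"),
    ("2023-03-02T08:00:00", "ws-101", "alice", "powershell.exe"),
    ("2023-03-02T09:30:00", "srv-admin", "bob", "PsExec.exe"),
    ("2023-03-03T08:00:00", "ws-101", "alice", "powershell.exe"),
    ("2023-03-03T10:00:00", "ws-102", "bob", "notepad.exe"),
    # Hunt window: the same tools show up on workstations at night.
    ("2023-03-04T03:12:00", "ws-103", "carol", "certutil.exe"),
    ("2023-03-04T03:14:00", "ws-104", "carol", "powershell.exe"),
    ("2023-03-04T03:15:00", "ws-104", "carol", "PsExec.exe"),
    ("2023-03-04T08:00:00", "ws-101", "alice", "powershell.exe"),
    ("2023-03-04T09:00:00", "srv-admin", "bob", "PsExec.exe"),
]


def split_windows(events, baseline_end):
    """ISO-8601 timestamps sort lexically, so a string compare is enough."""
    baseline = [e for e in events if e[0] < baseline_end]
    hunt = [e for e in events if e[0] >= baseline_end]
    return baseline, hunt


def tools_per_host(events):
    """Map host -> set of watched tools observed on it (case-insensitive)."""
    seen = defaultdict(set)
    for _ts, host, _user, image in events:
        tool = image.lower()
        if tool in WATCHED_TOOLS:
            seen[host].add(tool)
    return seen


def new_tool_hosts(events, baseline_end):
    """Return [((host, tool), (first_seen, user)), ...] for watched tools that
    ran on a host during the hunt window but never during the baseline."""
    baseline, hunt = split_windows(events, baseline_end)
    known = tools_per_host(baseline)
    findings = {}
    for ts, host, user, image in hunt:
        tool = image.lower()
        if tool in WATCHED_TOOLS and tool not in known.get(host, set()):
            findings.setdefault((host, tool), (ts, user))  # keep first sighting
    return sorted(findings.items())


def tool_prevalence(events):
    """How many distinct hosts each watched tool appeared on; the low counts
    are the rarities a hunter looks at first."""
    per_host = tools_per_host(events)
    return {tool: sum(1 for tools in per_host.values() if tool in tools)
            for tool in sorted(WATCHED_TOOLS)}


def hypothesis_verdict(events, baseline_end):
    """The text's rule: look for confirmation over a window; nothing found
    means the hypothesis did not pan out for that window."""
    findings = new_tool_hosts(events, baseline_end)
    return "candidates for analyst review" if findings else "no evidence in window"


if __name__ == "__main__":
    for (host, tool), (ts, user) in new_tool_hosts(EVENTS, "2023-03-04"):
        print(f"{ts} {host} {user}: first use of {tool} on this host")
    print(tool_prevalence(EVENTS))
    print(hypothesis_verdict(EVENTS, "2023-03-04"))
```

A finding here is not a verdict: the sample deliberately includes legitimate administrative use of the same tools in the baseline, which is exactly why the comparison is per host rather than a global block list. What the function returns is the short list that goes to the analyst stage.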
Sources of information and hypotheses in TH
Some sources of information for Threat Hunting
There can be many sources of information. An ideal analyst should be able to extract information from everything around them. Typical sources in almost any infrastructure will be data from security tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR. Other typical sources are various indicators of compromise, Threat Intelligence services, CERT data and OSINT. In addition, you can use information from the darknet (for example, an order suddenly appears to break into the mailbox of the head of an organization, or a candidate for a network engineer position has been exposed because of his activity there), information received from HR (references for a candidate from a previous workplace), and information from the security department (for example, the results of a counterparty check).
But before using all the available sources, it is necessary to have at least one hypothesis.
To test hypotheses, they must first be prioritized. And to prioritize a large number of hypotheses, a systematic approach is needed. The process of generating hypotheses is described in more detail in the article; it is very convenient to take that scheme as the basis for the hypothesis-generation process.
The main source of hypotheses will be the ATT&CK matrix (Adversarial Tactics, Techniques and Common Knowledge). Essentially, it is a knowledge base and model of the behaviour of attackers who carry out their activity in the last stages of an attack, usually described using the Kill Chain concept. That is, the stages after an attacker has penetrated the internal network of an enterprise or a mobile device. The knowledge base originally contained descriptions of 121 tactics and techniques used in attacks, each described in detail in Wiki format. Various Threat Intelligence analytics are well suited as a source for generating hypotheses. Of particular note are the results of infrastructure analysis and penetration tests: this is the most valuable data, which can give us ironclad hypotheses because they are based on a specific infrastructure with its specific weaknesses.
Hypothesis testing process
Sergei Soldatov provided a good diagram with a detailed description of the process, illustrating how TH hypotheses are tested within a single system. I will outline the main stages with a brief description.
At the first stage, it is necessary to identify objects (by analyzing them together with all the threat data) and assign them labels that characterize them. These are file, URL, MD5, process, utility, event. When passing them through Threat Intelligence systems, tags must be attached. That is: this site was seen as a C&C in such-and-such a year, this MD5 was associated with such-and-such malware, this MD5 was downloaded from a site that distributes malware.
Stage 2: Cases
At the second stage, we look at the interaction between these objects and identify the relationships between all of them. We obtain marked systems that are doing something bad.
Stage 3: Analyst
At the third stage, the case is handed over to an experienced analyst with extensive analysis experience, who renders a verdict. He works out what, where, how, why and for what purpose. This body was malware, this computer was infected. He reveals the connections between objects and checks the results of running them through the sandbox.
The results of the analyst's work are passed on further. Digital Forensics examines images, Malware Analysis examines the "bodies" that were found, and the Incident Response team can go on site and investigate what is already there. The result of this work will be a confirmed hypothesis, an identified attack and ways to counter it.
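The three stages above can be expressed as a small pipeline. The block below is an added example and is not the article's code nor Sergei Soldatov's; the Threat Intelligence store, the objects, the hosts and the URL are all constructed, and the hash values are deliberately not real indicators. Stage 1 tags objects via a TI lookup, stage 2 links objects into cases through the hosts they touch (connected components), and stage 3 produces the summary an analyst starts from.

```python
"""Added example (not the article's or Sergei Soldatov's code): the
object / case / analyst stages as a pipeline over constructed data."""
from collections import defaultdict, deque

# Constructed Threat Intelligence store: value -> tags, in the spirit of
# "this MD5 was associated with malware", "this site was seen as a C&C".
TI_STORE = {
    "0123456789abcdef0123456789abcdef": ["malware:constructed-family", "year:2022"],
    "http://update.example.invalid/pkg": ["c2:2022", "distributes-malware"],
}

# Stage 1 input: objects extracted from telemetry (all constructed).
# 'hosts' lists every machine the object touches, so a process on ws-201
# that targets srv-fs2 links both hosts into one case.
OBJECTS = [
    {"id": 1, "type": "md5", "value": "0123456789abcdef0123456789abcdef", "hosts": ["ws-201"]},
    {"id": 2, "type": "url", "value": "http://update.example.invalid/pkg", "hosts": ["ws-201"]},
    {"id": 3, "type": "process", "value": "psexec.exe", "hosts": ["ws-201", "srv-fs2"]},
    {"id": 4, "type": "event", "value": "logon user=bob", "hosts": ["srv-fs2"]},
    {"id": 5, "type": "md5", "value": "fedcba9876543210fedcba9876543210", "hosts": ["ws-202"]},
]


def enrich(objects, ti_store):
    """Stage 1: attach TI tags to each object (empty list if unknown)."""
    return [dict(obj, tags=list(ti_store.get(obj["value"], []))) for obj in objects]


def build_cases(tagged):
    """Stage 2: group objects that share a host into connected components;
    keep only components that contain at least one tagged object."""
    by_host = defaultdict(list)
    for obj in tagged:
        for host in obj["hosts"]:
            by_host[host].append(obj["id"])
    by_id = {obj["id"]: obj for obj in tagged}
    seen, cases = set(), []
    for start in by_id:
        if start in seen:
            continue
        component, queue = set(), deque([start])
        while queue:  # breadth-first walk over shared hosts
            oid = queue.popleft()
            if oid in component:
                continue
            component.add(oid)
            for host in by_id[oid]["hosts"]:
                queue.extend(by_host[host])
        seen |= component
        tags = sorted({t for oid in component for t in by_id[oid]["tags"]})
        if tags:
            hosts = sorted({h for oid in component for h in by_id[oid]["hosts"]})
            cases.append({"objects": sorted(component), "hosts": hosts, "tags": tags})
    return cases


def analyst_summary(case, tagged):
    """Stage 3 starting point: what was seen and where, for the analyst who
    decides what, where, how and why."""
    by_id = {obj["id"]: obj for obj in tagged}
    what = [f'{by_id[o]["type"]}:{by_id[o]["value"]}'
            for o in case["objects"] if by_id[o]["tags"]]
    return {"where": case["hosts"], "what": what, "context": case["tags"]}


def run_pipeline(objects=OBJECTS, ti_store=TI_STORE):
    tagged = enrich(objects, ti_store)
    return [analyst_summary(c, tagged) for c in build_cases(tagged)]


if __name__ == "__main__":
    for summary in run_pipeline():
        print(summary)
```

The untagged object on ws-202 never becomes a case, which is the intended behaviour: the pipeline's job is to hand the analyst a connected, contextualized picture (two tagged objects on ws-201 and a lateral step to srv-fs2), not every object in the telemetry.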
Automate routine actions. Log analysis, event recording and notifying staff are a large field for automation.
Learn to interact effectively with engineers, developers and technical support in order to work on incidents together.
Document the entire process, the key points and the results achieved, so that you can return to them later or share this data with colleagues.
Be socially aware: know what is going on with your employees, whom you hire, and whom you give access to the organization's information resources.
Keep up to date with new threats and defensive methods, raise your technical literacy (including in the operation of IT services and subsystems), attend conferences and talk to colleagues.
I am ready to discuss the organization of the TH process in the comments.