Threat Hunting, or How to Protect Yourself from the 5% of Threats

95% of security threats are known, and you can defend against them with traditional means such as antivirus, firewalls, IDS and WAF. The remaining 5% of threats are unknown and by far the most dangerous. They account for 70% of a company's risk because they are very hard to detect, let alone defend against. Examples of such "black swans" are the WannaCry ransomware epidemic, NotPetya/ExPetr, cryptominers, the "cyber weapon" Stuxnet (which hit Iran's nuclear facilities) and many other attacks (does anyone still remember Kido/Conficker?) that classic security tools handle poorly. We want to talk about how to counter this 5% of threats with Threat Hunting technology.

The continuous evolution of cyber attacks demands continuous detection and countermeasures, which ultimately leads us to think of an endless arms race between attackers and defenders. Classic security systems can no longer provide an acceptable level of security, one at which the risk does not affect the company's key indicators (economic, political, reputational), without being adapted to a specific infrastructure, and in general they cover only some of the risks. Already during implementation and configuration, modern security systems find themselves playing catch-up and have to respond to the challenges of the new era.


Threat Hunting technology may be one answer to the challenges of our time for the security specialist. The term Threat Hunting (hereafter TH) appeared several years ago. The technology itself is very interesting, but it has no generally accepted standards or rules yet. The matter is further complicated by the heterogeneity of information sources and the small number of Russian-language sources on the topic. For this reason we at LANIT-Integration decided to write a review of this technology.

Relevance

TH technology relies on infrastructure monitoring processes. There are two main scenarios for internal monitoring: Alerting and Hunting. Alerting (similar to MSSP services) is the traditional method of searching for previously developed signatures and attack indicators and responding to them. This scenario is handled successfully by traditional signature-based security tools. Hunting (an MDR-type service) is a monitoring method that answers the question "Where do signatures and rules come from?" It is the process of creating correlation rules by analyzing hidden or previously unknown indicators and signs of an attack. Threat Hunting refers to this type of monitoring.

Only by combining both types of monitoring do we get protection that approaches the ideal, but there is always a certain level of residual risk.

Figure: Protection using both types of monitoring.

This is why TH (and hunting in general!) will become more and more relevant:

Figure: Threats, security measures, risks.

95% of all threats have already been well studied. They include types such as spam, DDoS, viruses, rootkits and other classic malware. You can defend against these threats with the same classic security measures.

In any project, 20% of the work takes 80% of the time, and the remaining 80% of the work takes the other 20%. Similarly, across the entire threat landscape, 5% of new threats will account for 70% of a company's risk. In a company where information security management processes are organized, we can manage the 30% of risk from known threats in one way or another by avoiding (refusing wireless networks on principle), accepting (implementing the necessary security measures) or transferring (for example, onto the shoulders of an integrator) that risk. Protecting yourself from zero-day vulnerabilities, APT attacks, phishing, supply-chain attacks, cyber espionage and nation-state operations, and from many other attacks, is already much harder. The consequences of these 5% of threats will be far more serious (the average bank loss from the buhtrap group was 143 million) than the consequences of spam or viruses, which antivirus software handles.

Almost everyone has to deal with the 5% of threats. Recently we had to install an open-source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. An attempt to install it through pear failed because the website was unavailable (now there is a stub there), and we had to install it from GitHub. And just recently it turned out that PEAR had become a victim of a supply-chain attack.


You may still remember the attack through CCleaner, and the NotPetya ransomware epidemic through an update module of the MEDOC tax reporting software. Threats are becoming more and more sophisticated, and the logical question arises: "How can we counter these 5% of threats?"

Definition of Threat Hunting

So, Threat Hunting is the process of proactively and iteratively searching for and detecting advanced threats that cannot be detected by traditional security tools. Advanced threats include, for example, attacks such as APTs, attacks on 0-day vulnerabilities, Living off the Land, and so on.

It can also be rephrased: TH is the process of testing hypotheses. It is a manual process with elements of automation, in which the analyst, relying on knowledge and skills, sifts through large volumes of information in search of signs of compromise that correspond to an initially formulated hypothesis about the presence of a certain threat. Its distinctive feature is the variety of information sources.

It should be noted that Threat Hunting is not some kind of software or hardware product. It is not a set of alerts that can be viewed in some solution. It is not a process of searching for IOCs (Indicators of Compromise). And it is not some kind of passive activity that happens without information security analysts. Threat Hunting is first and foremost a process.

Components of Threat Hunting

The three main components of Threat Hunting: data, technology, people.

Data (what?), including Big Data. All kinds of traffic flows, information about previous APTs, analytics, data on user activity, network data, information from employees, darknet information and much more.

Technology (how?) for processing this data: all possible ways of processing it, including Machine Learning.

People (who?) with broad experience in analyzing various attacks, a developed intuition and the ability to detect an attack. Usually these are information security analysts who must be able to generate hypotheses and find confirmation for them. They are the main link in the process.

The PARIS model

Adam Bateman describes the PARIS model of the ideal TH process. The name alludes to a famous landmark in France. The model can be viewed in two directions: from the top and from the bottom.

When we work through the model from the bottom up, we encounter a lot of evidence of malicious activity. Each piece of evidence has a measure called confidence, a characteristic that reflects the weight of that evidence. There is "iron", direct evidence of malicious activity, on the basis of which we can immediately reach the top of the pyramid and raise an actual alert about a precisely known infection. And there is indirect evidence, the accumulation of which can also lead us to the top of the pyramid. As always, there is far more indirect evidence than direct evidence, which means it must be sorted and analyzed, additional research must be carried out, and it is desirable to automate this.

Figure: The PARIS model.

The upper part of the model (1 and 2) is based on automation technologies and various analytics, and the lower part (3 and 4) on people with certain qualifications who drive the process. You can also consider the model moving from top to bottom: in the upper, blue part we have alerts from traditional security tools (antivirus, EDR, firewall, signatures) with a high degree of confidence and assurance, and below them are indicators (IOC, URL, MD5 and others) with a lower degree of confidence that require additional study. The lowest and widest level (4) is the generation of hypotheses, the creation of new scenarios for the operation of traditional security tools. This level is not limited to the sources of hypotheses shown. The lower the level, the higher the requirements placed on the qualifications of the specialist.

It is very important that analysts do not just test a finite set of predetermined hypotheses, but constantly work on generating new hypotheses and options for testing them.

TH usage maturity model

In an ideal world, TH is a continuous process. But since there is no ideal world, let's analyze the maturity model and the methods in terms of the people, processes and technologies used. Let's consider the model of an ideal "spherical" TH. There are 5 levels of use of this technology. Let's look at them using the example of the evolution of a single team of analysts.

Maturity levels by people, processes and technologies:

Level 0 (traditional, no TH)
  People: SOC analysts, 24/7, working with a standard set of alerts in passive-monitoring mode.
  Processes: no TH; working with alerts.
  Technologies: traditional tools: IDS, AV, sandboxing, signature-based detection tools, Threat Intelligence data.

Level 1 (experimental, one-off TH)
  People: SOC analysts with basic forensics knowledge and good knowledge of networks and applications.
  Processes: one-off TH; experiments with TH; IOC searches.
  Technologies: EDR with partial coverage of data from network devices; limited use of the tools.

Level 2 (periodic, temporary TH)
  People: a temporary team with intermediate forensics knowledge and good knowledge of networks and applications.
  Processes: periodic TH sprints, one week a month; temporary TH.
  Technologies: EDR with full coverage of data from network devices; full use of EDR data; limited use of advanced EDR capabilities.

Level 3 (preventive, regular TH cases)
  People: a dedicated TH team, 24/7, with good knowledge of forensics and malware and knowledge of the attacking side.
  Processes: preventive TH; regular TH cases; partial ability to test TH hypotheses.
  Technologies: use of advanced EDR capabilities; full coverage of data from network devices; customization to your own needs.

Level 4 (leading, full use of TH)
  People: a dedicated TH team, 24/7, with good knowledge of forensics and malware, knowledge of the attacking side, and research capability.
  Processes: use of TH; full ability to test TH hypotheses; testing, automation and verification of TH hypotheses.
  Technologies: Level 3, plus tight integration of data sources, custom development to meet needs, and non-standard use of APIs.

TH maturity by people, processes and technologies

Level 0: traditional, no TH. Regular analysts work with a standard set of alerts in passive-monitoring mode using standard tools and technologies: IDS, AV, sandbox, signature-based detection tools.

Level 1: experimental, using TH. The same analysts, with basic knowledge of forensics and good knowledge of networks and applications, can carry out one-off Threat Hunting by searching for indicators of compromise. EDR with partial coverage of data from network devices is added to the tools. The tools are only partially used.

Level 2: periodic, temporary TH. The same analysts, who have already deepened their knowledge of forensics, networks and the application area, are obliged to engage in Threat Hunting regularly (in sprints), say, one week a month. The tools gain full coverage of data from network devices, analysis of EDR data, and partial use of advanced EDR capabilities.

Level 3: preventive, regular TH cases. Our analysts have organized themselves into a dedicated team and have acquired excellent knowledge of forensics and malware, as well as knowledge of the methods and tactics of the attacking side. The process already runs 24/7. The team is able to partially test TH hypotheses while making full use of advanced EDR capabilities with full coverage of data from network devices. Analysts are also able to customize the tools to their needs.

Level 4: leading, full use of TH. The same team has acquired the ability to do research and the ability to generate and automate the process of testing TH hypotheses. The tools are now supplemented by tight integration of data sources, software development to meet specific needs, and non-standard use of APIs.

Threat Hunting techniques

Figure: Basic Threat Hunting techniques.

The techniques available to TH specialists, in order of the maturity of the technology used, are: basic search, statistical analysis, visualization techniques, simple aggregation, machine learning, and Bayesian methods.

The simplest method, basic search, is used to narrow the research area with specific queries. Statistical analysis is used, for example, to build a typical profile of user or network activity in the form of a statistical model. Visualization techniques are used to display data visually and simplify its analysis in the form of graphs and charts, which makes it much easier to spot patterns in a sample. The technique of simple aggregation by key fields is used to optimize search and analysis. The more mature an organization's TH process, the more appropriate the use of machine-learning algorithms becomes. They are also widely used in spam filtering, detection of malicious traffic and fraud detection. The most advanced type of machine-learning algorithm is Bayesian methods, which allow classification, reduction of sample size, and topic modeling.

The Diamond Model and TH strategies

Sergio Caltagirone, Andrew Pendergast and Christopher Betz, in their paper "The Diamond Model of Intrusion Analysis", showed the key components of any malicious activity and the connections between them.

Figure: The Diamond Model of malicious activity.

According to this model, there are 4 Threat Hunting strategies, which are based on the corresponding key components.

1. Victim-centric strategy. We assume that the victim has adversaries and that they will deliver "opportunities" via email. We look for adversary data in the mail: links, attachments, and so on. We look for confirmation of this hypothesis for a certain period (a month, two weeks); if we don't find it, then the hypothesis did not work out.

2. Infrastructure-centric strategy. There are several ways to apply this strategy. Depending on access and visibility, some are easier than others. For example, we monitor domain name servers known to host malicious domains. Or we monitor all new domain name registrations for a known pattern used by the adversary.

3. Capability-centric strategy. In addition to the victim-centric strategy used by most network defenders, there is the capability-centric strategy. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's ability to use legitimate tools such as psexec, powershell, certutil and others.

4. Adversary-centric strategy. The adversary-centric approach focuses on the adversary itself. This includes the use of open-source intelligence (OSINT), collecting data about the adversary, its tactics, techniques and procedures (TTPs), analysis of previous incidents, Threat Intelligence data, and so on.
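As an added illustration (not code from the original article), the Python script below applies two of the techniques listed earlier, simple aggregation by key fields and a capability-centric hypothesis, to a constructed set of process-creation events. "Stacking" parent/child process pairs surfaces the least frequent combinations for analyst review, and the hypothesis flags legitimate tools such as certutil and powershell when they are launched from user-facing applications; all hosts, processes and counts are constructed sample data.

```python
"""Least-frequency ("stacking") hunt over constructed process-creation events.

Added example for the techniques above: simple aggregation by key fields
(parent -> child process pairs) and a capability-centric hypothesis about
legitimate tools (certutil, powershell, psexec) launched from user-facing
applications. All events and host names are constructed sample data.
"""
from collections import Counter

# Constructed events: (host, parent process, child process).
EVENTS = [
    ("ws-01", "explorer.exe", "outlook.exe"),
    ("ws-02", "explorer.exe", "outlook.exe"),
    ("ws-03", "explorer.exe", "outlook.exe"),
    ("ws-01", "services.exe", "svchost.exe"),
    ("ws-02", "services.exe", "svchost.exe"),
    ("ws-03", "services.exe", "svchost.exe"),
    ("ws-02", "explorer.exe", "powershell.exe"),  # an admin's interactive shell
    ("ws-04", "outlook.exe", "powershell.exe"),   # mail client spawning a shell
    ("ws-07", "WINWORD.EXE", "certutil.exe"),     # document spawning certutil
]

# Legitimate tools the article names as abused by adversaries, and the
# user-facing applications that normally have no reason to launch them.
LOLBINS = {"certutil.exe", "powershell.exe", "psexec.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}


def stack_parent_child(events):
    """Simple aggregation: how often each parent -> child pair occurs fleet-wide."""
    return Counter((parent.lower(), child.lower()) for _, parent, child in events)


def rare_pairs(events, max_count=1):
    """Pairs seen at most max_count times. The least frequent items are what
    an analyst reviews first; the frequent ones form the normal baseline."""
    counts = stack_parent_child(events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def lolbin_hypothesis(events):
    """Capability-centric hypothesis: a legitimate admin tool started by a
    user-facing application deserves a closer look regardless of frequency."""
    return [
        (host, parent.lower(), child.lower())
        for host, parent, child in events
        if child.lower() in LOLBINS and parent.lower() in USER_APPS
    ]


if __name__ == "__main__":
    print("rare parent -> child pairs:")
    for pair in rare_pairs(EVENTS):
        print("  ", " -> ".join(pair))
    print("hosts matching the LOLBin hypothesis:")
    for hit in lolbin_hypothesis(EVENTS):
        print("  ", hit)
```

Note that the administrator's interactive PowerShell on ws-02 is rare but does not match the hypothesis, which is why the two views complement each other.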

Sources of information and hypotheses in TH

Figure: Some sources of information for Threat Hunting.

There can be many sources of information. An ideal analyst should be able to extract information from everything around them. Typical sources in almost any infrastructure will be data from security tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR. Other typical sources are various indicators of compromise, Threat Intelligence services, CERT data and OSINT. In addition, you can use information from the darknet (for example, an order suddenly appears to break into the mailbox of the head of the organization, or a candidate for the position of network engineer has been exposed for his activity), information obtained from HR (references for a candidate from a previous job), and information from the security service (for example, the results of counterparty verification).

But before using all available sources, you need to have at least one hypothesis.

To test hypotheses, they must first be prioritized. And to prioritize a large number of hypotheses, you need to apply a systematic approach. The process of generating hypotheses is described in more detail in the article, and it is very convenient to take that scheme as the basis of the process for putting hypotheses forward.

The main source of hypotheses will be the ATT&CK matrix (Adversarial Tactics, Techniques and Common Knowledge). It is essentially a knowledge base and a model of the behavior of attackers carrying out their activities in the final steps of an attack, usually described using the Kill Chain concept. That is, the stages after the attacker has penetrated the internal network of an enterprise or a mobile device. The knowledge base originally included descriptions of 121 tactics and techniques used in attacks, each described in detail in Wiki format. Various Threat Intelligence analytics are also well suited as a source for generating hypotheses. Of particular note are the results of infrastructure analysis and penetration tests: this is the most valuable data, which can give us ironclad hypotheses because it is based on a specific infrastructure with its specific weaknesses.

The hypothesis testing process

Sergei Soldatov presented a good diagram with a detailed description of the process, illustrating how TH hypotheses are tested in a single system. I will outline the main stages with a brief description.

Stage 1: TI Farm

At this stage it is necessary to select objects (analyzing them together with all the threat data) and assign them labels describing their characteristics. These are: file, URL, MD5, process, utility, event. Passing them through Threat Intelligence systems, it is necessary to attach tags. That is: this site was seen as CNC in such-and-such a year, this MD5 was associated with such-and-such malware, this MD5 was downloaded from a site that distributed malware.

Stage 2: Cases

In the second stage, we look at the interactions between these objects and identify the relationships between all of them. We obtain labeled systems that are doing something bad.

Stage 3: Analyst

In the third stage, the case is handed over to an experienced analyst with extensive analytical experience, who renders a verdict. He works out what, where, how, why and what for. This body was malware, this computer was infected. He reveals connections between objects and checks the results of running objects through the sandbox.

The results of the analyst's work are passed on further. Digital Forensics examines images, Malware Analysis examines the "bodies" found, and the Incident Response team can go to the site and investigate what is already there. The result of the work will be a confirmed hypothesis, an identified attack and ways to counter it.
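To make the three stages concrete, here is an added Python walk-through (not code from the article or from Sergei Soldatov's diagram) that also applies the PARIS idea of weighting evidence by confidence: stage 1 tags objects from a TI store, stage 2 links objects observed together on a host into cases (a hash shared by two hosts joins them into one case), and stage 3 renders a verdict from direct and accumulated indirect evidence. Every hash, URL, domain, host name and confidence value is a constructed placeholder.

```python
"""Constructed walk-through of the three stages above (TI farm, cases,
analyst), with evidence weighted by confidence as in the PARIS model.
Added example, not code from the article; every hash, URL, domain and
host name below is a constructed placeholder.
"""
from collections import defaultdict

# Stage 1 input. Constructed TI store: object -> (tag, confidence).
# An alert from a classic tool is direct evidence; indicators such as an
# MD5, URL or domain are indirect and carry a lower confidence.
TI_STORE = {
    "md5:CONSTRUCTED-HASH-1": ("linked-to-malware-family", 0.9),
    "url:http://dl.example.invalid/update.bin": ("distributed-malware", 0.6),
    "domain:cnc.example.invalid": ("seen-as-cnc-in-2018", 0.5),
    "domain:examp1e-login.invalid": ("lookalike-domain", 0.4),
    "url:http://examp1e-login.invalid/auth": ("credential-phishing-page", 0.6),
}

# Constructed telemetry: objects that were observed together on a host.
EVENTS = [
    {"host": "ws-11", "objects": ["proc:winword.exe", "url:http://dl.example.invalid/update.bin"]},
    {"host": "ws-11", "objects": ["md5:CONSTRUCTED-HASH-1", "domain:cnc.example.invalid"]},
    {"host": "ws-12", "objects": ["proc:outlook.exe", "url:http://mail.example.invalid/owa"]},
    {"host": "ws-13", "objects": ["alert:av-detection", "md5:CONSTRUCTED-HASH-1"]},
    {"host": "ws-15", "objects": ["proc:chrome.exe", "domain:examp1e-login.invalid",
                                  "url:http://examp1e-login.invalid/auth"]},
]


def ti_farm(objects):
    """Stage 1: attach a TI tag and confidence to each object (0.0 if unknown)."""
    return {obj: TI_STORE.get(obj, ("no-ti-hit", 0.0)) for obj in objects}


def build_cases(events):
    """Stage 2: objects seen together on a host are linked (hosts are nodes
    too); each connected component of that graph becomes one case."""
    parent = {}

    def find(node):  # union-find root lookup with path compression
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]
            node = parent[node]
        return node

    for ev in events:
        host = "host:" + ev["host"]
        for obj in ev["objects"]:
            parent[find(host)] = find(obj)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())


def analyst_verdict(case_objects):
    """Stage 3: weigh the evidence. One piece of direct evidence confirms the
    case; enough accumulated indirect evidence escalates it for investigation."""
    tags = ti_farm(case_objects)
    direct = any(obj.startswith("alert:") for obj in case_objects)
    indirect = round(sum(conf for _, conf in tags.values()), 2)
    verdict = "confirmed" if direct else "investigate" if indirect >= 1.0 else "monitor"
    hosts = sorted(obj[len("host:"):] for obj in case_objects if obj.startswith("host:"))
    return {"hosts": hosts, "indirect_score": indirect, "verdict": verdict}


def hunt(events):
    """Run all three stages; one verdict per case, ordered by host names."""
    return sorted((analyst_verdict(c) for c in build_cases(events)), key=lambda v: v["hosts"])


if __name__ == "__main__":
    for verdict in hunt(EVENTS):
        print(verdict)
```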


Conclusion

Threat Hunting is a fairly young technology that can counter customized, new and non-standard threats, and it has great prospects given the growth in the number of such threats and the increasing complexity of corporate infrastructure. It requires three components: data, tools and analysts. The benefits of Threat Hunting are not limited to preventing threats from being realized. Don't forget that during the hunt we walk through our own infrastructure and its weak points through the eyes of a security specialist, and we can strengthen those points further.

The first steps that, in our opinion, need to be taken to start the TH process in your organization:

  1. Take care of endpoint and network infrastructure protection. Take care of visibility (NetFlow) and control (firewall, IDS, IPS, DLP) of all processes on your network. Know your network from the edge router to the last host.
  2. Study MITRE ATT&CK.
  3. Regularly pentest at least the key external resources, analyze the results, identify the main targets of attack and close their vulnerabilities.
  4. Implement an open-source Threat Intelligence system (for example, MISP or Yeti) and analyze logs in conjunction with it.
  5. Implement an incident response platform (IRP): R-Vision IRP, The Hive, and a sandbox for analyzing suspicious files (FortiSandbox, Cuckoo).
  6. Automate routine processes. Log analysis, incident logging and informing staff are a huge field for automation.
  7. Learn to interact effectively with engineers, developers and technical support to collaborate on incidents.
  8. Document the whole process, the key points and the results achieved so you can return to them later or share this data with colleagues.
  9. Be socially aware: know what is happening with your employees, whom you hire and to whom you give access to the organization's information resources.
  10. Keep up to date with trends in new threats and protection methods, raise your level of technical literacy (including in the operation of IT services and subsystems), attend conferences and communicate with colleagues.

We are ready to discuss the organization of the TH process in the comments.

Or come work with us!


Source: www.habr.com
