Incident response algorithms for information security incidents, the current state of cyber attacks, methods for investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data: these and other topics can be studied in the new joint courses from Group-IB and Belkasoft. In August we
Two in one
The idea of holding joint courses appeared after participants in Group-IB courses began asking about a tool that could help them investigate compromised computers and networks, combining the functionality of the various free utilities we recommend using in incident response.
In our opinion, Belkasoft Evidence Center could be such a tool (we already discussed it in
IMPORTANT: the courses are sequential and interconnected! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination is devoted to investigating incidents using Belkasoft products. That is, before taking the Belkasoft Incident Response Examination course, we recommend completing the Belkasoft Digital Forensics course. If a student starts right away with the incident investigation course, they may have annoying gaps in using Belkasoft Evidence Center and in finding and examining forensic artifacts. This may lead to a situation where, during the Belkasoft Incident Response Examination course, the student either does not have time to master the material, or holds back the rest of the group from gaining new knowledge, since the training time will be spent by the instructor explaining material from the Belkasoft Digital Forensics course.
Computer forensics with Belkasoft Evidence Center
The aim of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and teach them how to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media (hard drives, flash drives, etc.)), to master basic forensic techniques and methods, methods of forensic examination of Windows artifacts, mobile devices and RAM dumps. You will also learn how to identify and document browser and instant messaging artifacts, create forensic copies of data from various sources, extract geolocation data and search text data (including keyword search), use hashes in an investigation, analyze the Windows registry, examine unknown SQLite databases, the basics of examining image and video files, and analytical techniques used in investigations.
The course will be useful for specialists with technical expertise in computer forensics (forensic experts); technical specialists who determine the causes of a successful intrusion, analyze the chain of events and the consequences of cyber attacks; specialists who identify and document data theft (leaks) and insiders (internal offenders); e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; computer forensics enthusiasts.
Course program:
- Belkasoft Evidence Center (BEC): first steps
- Creating and processing cases in BEC
- Collecting digital evidence for forensic investigation with BEC
- Using filters
- Reporting
- Examining instant messaging applications
- Web browser examination
- Mobile device examination
- Extracting geolocation data
- Keyword list search in timelines
- Extracting and analyzing data from cloud storage
- Using bookmarks to highlight important evidence found during the investigation
- Analyzing Windows system files
- Windows registry analysis
- SQLite database analysis
- Data recovery techniques
- Techniques for examining RAM dumps
- Using the hash calculator and hash analysis in forensic investigations
- Analysis of protected files
- Techniques for examining image and video files
- Using analytical techniques in forensic investigations
- Automating routine actions with the built-in Belkascripts scripting language
- Practical exercises
Course: Belkasoft Incident Response Examination
The aim of the course is to learn the basics of forensic investigation of cyber attacks and the possibilities of using Belkasoft Evidence Center in an investigation. You will learn about current attack vectors on computer networks, how to classify computer attacks based on the MITRE ATT&CK matrix, how to apply operating-system investigation algorithms to establish the fact of compromise and reconstruct the attackers' actions, where the artifacts are located that show which files were last opened, where the operating system stores information about how executable files were downloaded and run, how the attackers moved around the network, and how to examine these artifacts using BEC. You will also learn which system log events are of interest in incident investigation and remote access detection, and how to examine them using BEC.
The course will be useful for technical specialists who determine the causes of a successful intrusion, analyze the chain of events and the consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; information security officers.
Course overview
The Cyber Kill Chain describes the main stages of any technical attack on the victim's computer (or computers) as follows:
The actions of SOC personnel (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information resources.
If the intruders have nevertheless penetrated the protected infrastructure, then the above-mentioned personnel should try to minimize the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised information infrastructure, and take measures to prevent this type of attack in the future.
In a compromised system, the following types of artifacts indicating the compromise of the network (computer) may be found:
All these artifacts can be found using Belkasoft Evidence Center.
BEC has an "Incident Investigation" module where, when analyzing storage media, information about artifacts that can help the investigator in investigating incidents is collected.
BEC supports examination of the main types of Windows artifacts that indicate the execution of executable files on the system under investigation, including Amcache, Userassist, Prefetch, BAM/DAM,
General information about artifacts containing information about user activity in the compromised system can be presented as follows:
This includes, among other things, information about the execution of executable files:
Information about the execution of the file 'RDPWInst.exe'.
Information about attackers' persistence in compromised systems can be found in Windows registry autorun keys, services, scheduled tasks, Logon scripts, WMI, etc. Examples of detecting information about attackers' persistence in the system can be seen in the following screenshots:
Attackers' persistence using the Task Scheduler by creating a task that runs a PowerShell script.
Attackers' persistence using Windows Management Instrumentation (WMI).
Attackers' persistence using a Logon script.
Attackers' movement across a compromised computer network can be detected, for example, by analyzing Windows system logs (when the attackers use the RDP service).
Information about detected RDP connections.
Information about attackers' movement across the network.
Thus, Belkasoft Evidence Center can help investigators identify compromised computers in an attacked computer network, find traces of malware execution, traces of persistence in the system and of movement across the network, and other traces of attacker activity on the compromised computers.
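As an added example (not the article's own code and not part of Belkasoft or Group-IB tooling), the following Python script ties together the artifact classes just listed: it flags RDP logons (Security event 4624, logon type 10), scheduled tasks created to run PowerShell (event 4698) and autostart Run values whose command lives in a user-writable directory, and merges them into one time-ordered timeline. The event records and registry values are constructed sample data, and the list of suspicious directories is a heuristic assumption.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Finding:
    time: datetime
    host: str
    category: str  # "lateral_movement" or "persistence"
    detail: str

# Constructed sample records (not real telemetry), already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2019-08-01T09:12:03", "host": "WS-17", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\admin", "src_ip": "10.0.0.25"},
    {"time": "2019-08-01T09:15:40", "host": "WS-17", "event_id": 4698,
     "task_name": "\\Updater", "action": "powershell.exe -w hidden -f C:\\Users\\Public\\u.ps1"},
    {"time": "2019-08-01T09:20:00", "host": "WS-17", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\jdoe", "src_ip": "-"},
]
SAMPLE_RUN_KEYS = [  # autostart (Run key) values with the key's last-write time
    {"last_write": "2019-08-01T09:16:10", "host": "WS-17", "value_name": "svc",
     "command": "C:\\Users\\Public\\svc.exe"},
    {"last_write": "2019-06-10T12:00:00", "host": "WS-17", "value_name": "OneDrive",
     "command": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
]
# Heuristic (assumption): autostart commands in user-writable directories deserve a closer look.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\")

def find_rdp_logons(events):
    # Security event 4624 with logon type 10 (RemoteInteractive) is an RDP logon.
    return [Finding(datetime.fromisoformat(e["time"]), e["host"], "lateral_movement",
                    f"RDP logon by {e['user']} from {e['src_ip']}")
            for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]

def find_task_persistence(events):
    # Security event 4698 (scheduled task created) whose action launches PowerShell.
    return [Finding(datetime.fromisoformat(e["time"]), e["host"], "persistence",
                    f"scheduled task {e['task_name']} runs {e['action']}")
            for e in events if e["event_id"] == 4698 and "powershell" in e["action"].lower()]

def find_runkey_persistence(run_keys):
    return [Finding(datetime.fromisoformat(k["last_write"]), k["host"], "persistence",
                    f"Run value {k['value_name']} -> {k['command']}")
            for k in run_keys if any(d in k["command"].lower() for d in SUSPICIOUS_DIRS)]

def build_timeline(events, run_keys):
    # Merge every finding into one time-ordered list for the investigator.
    findings = (find_rdp_logons(events) + find_task_persistence(events)
                + find_runkey_persistence(run_keys))
    return sorted(findings, key=lambda f: f.time)
```

Calling `build_timeline(SAMPLE_EVENTS, SAMPLE_RUN_KEYS)` on the sample data yields the RDP logon first, then the PowerShell task, then the Run value, which is the order an investigator would read the intrusion in.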
How to conduct such investigations and find the artifacts described above is explained in the Belkasoft Incident Response Examination course.
Course program:
- Trends in cyber attacks. Technologies, tools and goals of attackers
- Using threat models to understand attackers' tactics, techniques and procedures
- Cyber Kill Chain
- Incident response algorithm: identification, containment, extraction of indicators, search for infected nodes
- Analyzing Windows systems with BEC
- Identifying initial infection methods, network propagation, persistence and malicious network activity using BEC
- Identifying infected systems and reconstructing the infection history using BEC
- Practical exercises
FAQ
Where are the courses held?
Courses are held at Group-IB headquarters or at an external site (training center). For corporate customers, the instructor can travel to the customer's site.
Who teaches the classes?
Group-IB trainers are practitioners with many years of experience in forensic investigations, corporate investigations and information security incident response.
The trainers' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, etc.
Our trainers easily find a common language with the audience and explain even the most complex topics in an accessible way. Students will learn a lot of relevant and interesting information about computer incident investigation and about methods of identifying and countering computer attacks, and gain real practical knowledge they can apply after completing the course.
Will the courses provide useful skills that are not tied to Belkasoft products, or will these skills be inapplicable without this software?
The skills acquired in the courses will be useful even without using Belkasoft products.
What is included in the initial testing?
The initial test is a test of basic knowledge of computer forensics. Testing of knowledge of Belkasoft and Group-IB products is not planned.
Where can I find more information about the company's training courses?
As part of its training courses, Group-IB trains incident response specialists, malware researchers, cyber threat intelligence specialists (Threat Intelligence), Security Operation Center (SOC) specialists, threat hunting specialists (Threat Hunter) and many more. A full list of Group-IB's own courses is available
What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete the joint Group-IB and Belkasoft courses will receive:
- a certificate of course completion;
- a free one-month subscription to Belkasoft Evidence Center;
- a 10% discount on the purchase of Belkasoft Evidence Center.
We remind you that the first course starts on Monday, 9 September; don't miss the opportunity to gain unique knowledge in the field of information security, computer forensics and incident response! Register for the course
Conclusion
In preparing this article, Oleg Skulkin's presentation "Using host-based forensics to obtain indicators of compromise for successful intelligence-driven incident response" was used.
Source: www.habr.com