Algorithms ma auala mo le tali atu i faʻamatalaga faʻalavelave faʻalavelave, faiga i osofaʻiga i luga o le initaneti o loʻo i ai nei, auala e suʻesuʻeina ai faʻamatalaga faʻamatalaga i kamupani, suʻesuʻega suʻesuʻe ma masini feaveaʻi, suʻesuʻeina faila faʻailoga, suʻeina o faʻamatalaga geolocation ma auʻiliʻiliga o voluma tele o faʻamaumauga - o nei mea uma ma isi autu. e mafai ona suʻesuʻeina i aʻoaʻoga faʻatasi fou a le Group-IB ma Belkasoft. Ia Aokuso matou le muamua Belkasoft Digital Forensics course, lea e amata ia Setema 9, ma ua maua le tele o fesili, na matou filifili e talanoa atili auiliili e uiga i mea o le a suʻesuʻeina e tamaiti aʻoga, o le a le malamalama, agavaa ma ponesi (!) O le a maua e i latou e taunuu i le iuga. Muamua mea muamua.
Lua i le tasi
O le manatu o le faʻatautaia o aʻoaʻoga faʻatasi na faʻaalia ina ua amata ona fesili tagata auai o le Vaega-IB e uiga i se meafaigaluega e fesoasoani ia i latou i le suʻesuʻeina o faiga komepiuta ma fesoʻotaʻiga faʻafefete, ma tuʻufaʻatasia le faʻaogaina o mea faʻaoga saoloto e matou te fautuaina e faʻaaoga i taimi o faʻalavelave faʻalavelave.
I lo matou manatu, o sea meafaigaluega e mafai ona avea ma Belkasoft Evidence Center (ua uma ona matou talanoa i ai i Igor Mikhailov "Ki i le amataga: o polokalama sili ona lelei ma meafaigaluega mo suʻesuʻega komepiuta"). O le mea lea, matou, faatasi ai ma Belkasoft, ua atiaʻe ni aʻoaʻoga se lua: Belkasoft Digital Forensics и Belkasoft Fa'alavelave Tali Su'ega.
TAUA: o vasega e fa'asolosolo ma feso'ota'i! Belkasoft Digital Forensics ua tu'ufa'atasia i le Belkasoft Evidence Center polokalame, ma Belkasoft Incident Response Examination e fa'amaoni i le su'esu'eina o fa'alavelave e fa'aaoga ai oloa Belkasoft. O lona uiga, a'o le'i su'esu'eina le Belkasoft Incident Response Examination course, matou te matua fautuaina le fa'amae'aina o le Belkasoft Digital Forensics course. Afai e te amata vave i se vasega i suʻesuʻega faʻalavelave, e ono i ai i le tamaititi aʻoga ni avanoa faʻalavelave i le faʻaaogaina o le Belkasoft Evidence Center, suʻesuʻe ma suʻesuʻeina mea faʻapitoa. E mafai ona taʻitaʻia ai le mea moni e faapea, i le taimi o aʻoaʻoga i le Belkasoft Incident Response Examination, o le a le maua e le tamaititi se taimi e faʻatautaia ai mea, pe faʻagesegese le vaega o totoe i le mauaina o se malamalama fou, talu ai o le a faʻaalu le taimi o aʻoaʻoga. e le faiaoga o loʻo faʻamatalaina mea mai le Belkasoft Digital Forensics course.
Fa'amatalaga fa'akomepiuta fa'atasi ma Belkasoft Evidence Center
Faamoemoe o le vasega Belkasoft Digital Forensics - faʻafeiloaʻi tamaiti aʻoga i le polokalama Belkasoft Evidence Center, aʻoaʻo i latou e faʻaoga lenei polokalame e aoina mai faʻamaoniga mai punaoa eseese (faʻapipiʻi ao, manatua avanoa faʻafuaseʻi (RAM), masini feaveaʻi, faʻasalalauga faʻapipiʻi (faʻamalosi, masini moli, ma isi), matai. faiga fa'apitoa mo su'esu'ega ma metotia, metotia o su'esu'ega fa'afoma'i o meafaitino a le Windows, masini feavea'i, fa'alumaina o le RAM.O le a e a'oa'o fo'i e fa'ailoa ma fa'amaumau fa'amaumauga a tagata su'esu'e ma polokalame fe'au vave, faia ni kopi fa'afoma'i o fa'amatalaga mai fa'apogai eseese, aveese fa'amaumauga geolocation ma su'esu'e. mo fa'asologa o tusitusiga (su'esu'e e ala i upu autu), fa'aoga fa'amau pe a faia su'esu'ega, au'ili'ili le resitala a le Windows, fa'ata'ita'i tomai o le su'esu'eina o fa'amaumauga a le SQLite e le iloa, fa'avae o le su'esu'eina o faila ata ma ata vitio, ma metotia au'ili'ili na fa'aaoga i taimi o su'esu'ega.
O le a aoga le kosi i tagata atamamai faʻapitoa i le matata o suʻesuʻega faʻatekonolosi faakomepiuta (computer forensics); faʻapitoa faʻapitoa e fuafuaina mafuaʻaga mo se osofaʻiga manuia, suʻesuʻeina le faasologa o mea tutupu ma taunuuga o osofaʻiga i luga ole laiga; fa'apitoa fa'apitoa e fa'ailoa ma fa'amaumauina fa'amatalaga gaoi (leaks) e se tagata fa'apitoa (tagata soli totonu); fa'apitoa e-Discovery; SOC ma le CERT/CSIRT aufaigaluega; tagata faigaluega saogalemu faamatalaga; tagata e fiafia i mea tau komepiuta.
Fuafuaga a'oa'oga:
- Belkasoft Evidence Center (BEC): laasaga muamua
- Fausia ma le fa'agaioiina o mataupu ile BEC
- Aoina fa'amatalaga fa'atekinolosi mo su'esu'ega fa'afoma'i ma le BEC
- Fa'aaogaina o filiga
- Fausia lipoti
- Su'esu'ega i Polokalama Fe'au Fa'anatinati
- Su'esu'ega i luga ole laiga
- Su'esu'ega Mea Fa'akomepiuta
- Ave'ese fa'amaumauga fa'afanua
- Su'e fa'asologa o tusitusiga i mataupu
- Aveese ma au'ili'ili fa'amaumauga mai fa'aputuga o ao
- Fa'aaogā fa'ailoga tusi e fa'ailoa ai fa'amaoniga taua na maua i le taimi o su'esu'ega
- Su'esu'ega o faila faila a le Windows
- Windows Resitala Iloiloga
- Iloiloga o faʻamaumauga SQLite
- Metotia Toe Fa'aleleia o Fa'amatalaga
- Tekinolosi mo le suʻesuʻeina o faʻaputuga o le RAM
- Fa'aaogā fa'atatau o le hash ma su'esu'ega o le hash i su'esu'ega fa'afoma'i
- Iloiloga o faila fa'ailoga
- Metotia mo le suʻesuʻeina o faila ata ma vitio
- Le faʻaogaina o metotia faʻapitoa i suʻesuʻega faʻapitoa
- Otometi gaioiga masani e faʻaaoga ai le gagana faʻapipiʻi Belkascripts
- Lesona faatino
Vasega: Belkasoft Incident Response Examination
O le faʻamoemoe o le vasega o le aʻoaʻoina lea o faʻavae o suʻesuʻega faʻapitoa o osofaʻiga i luga ole laiga ma avanoa e faʻaogaina ai le Belkasoft Evidence Center i se suʻesuʻega. O le a e aʻoaʻoina e uiga i vete autu o osofaʻiga faʻaonapo nei i luga o fesoʻotaʻiga komepiuta, aʻoaʻo e faʻavasegaina osofaʻiga komepiuta e faʻavae i luga o le MITER ATT & CK matrix, faʻaoga algorithms suʻesuʻega faiga faʻaogaina e faʻavae ai le mea moni o le fetuutuunai ma toe fausia gaioiga a tagata osofaʻi, aʻoaʻo poʻo fea o loʻo i ai mea taua. faailoa po o fea faila na tatalaina mulimuli , lea e teuina ai e le faiga faʻaogaina faʻamatalaga e uiga i le auala na utaina ai faila ma faʻatinoina, pe faʻafefea ona feoai tagata osofaʻi i luga o le upega tafaʻilagi, ma aʻoaʻo pe faʻapefea ona suʻesuʻeina nei mea taua e faʻaaoga ai le BEC. O le a e a'oa'oina fo'i po'o a mea e tutupu i totonu o fa'amaumauga fa'akomupiuta e fiafia i ai mai le va'aiga o su'esu'ega fa'alavelave ma su'esu'ega mamao, ma a'oa'o pe fa'apefea ona su'esu'eina i latou e fa'aaoga ai le BEC.
O le a aoga le kosi i tagata tomai faapitoa e fuafuaina mafuaʻaga mo se faʻalavelave manuia, suʻesuʻeina filifili o mea tutupu ma taunuuga o osofaʻiga i luga ole laiga; pulega faiga; SOC ma le CERT/CSIRT aufaigaluega; tagata faigaluega mo le puipuiga o faamatalaga.
Va'aiga Aoao
Cyber Kill Chain o loʻo faʻamatalaina vaega autu o soʻo se osofaʻiga faʻapitoa i komepiuta a le tagata manua (poʻo fesoʻotaʻiga komepiuta) e pei ona taua i lalo:
O gaioiga a tagata faigaluega SOC (CERT, faʻamatalaga saogalemu, ma isi) e faʻatatau i le puipuia o tagata faʻalavelave mai le mauaina o punaoa faʻamatalaga puipuia.
Afai e osofaʻia e le au osofaʻi mea tetele puipuia, ona tatau lea i tagata o loʻo i luga ona taumafai e faʻaitiitia le faʻaleagaina o gaioiga a le au osofaʻi, fuafua pe faʻafefea ona faia le osofaʻiga, toe faʻaleleia mea na tutupu ma le faasologa o gaioiga a le au osofaʻi i le faʻaogaina o faʻamatalaga faʻamatalaga, ma ave. faiga e puipuia ai lea ituaiga osofaiga i le lumanai.
O ituaiga fa'ailoga nei e mafai ona maua i totonu o fa'amatalaga fa'aletonu, e fa'ailoa mai ai o le feso'ota'iga (komepiuta) ua fa'aletonu:
O ia fa'ailoga uma e mafai ona maua i le fa'aogaina o le polokalame Belkasoft Evidence Center.
O loʻo i ai i le BEC se vaega o le "Suʻesuʻega Faʻalavelave", lea, pe a suʻesuʻeina faʻasalalauga faʻasalalau, tuʻuina faʻamatalaga e uiga i mea taua e mafai ona fesoasoani i le tagata suʻesuʻe pe a suʻesuʻeina mea na tutupu.
E lagolagoina e le BEC le suʻesuʻeina o ituaiga autu o Windows artifacts e faʻaalia ai le faʻatinoina o faila faila i luga o le faiga o loʻo suʻesuʻeina, e aofia ai Amcache, Userassist, Prefetch, BAM / DAM faila, , su'esu'ega o mea e tutupu i le system.
O fa'amatalaga e uiga i fa'ailoga o lo'o i ai fa'amatalaga e uiga i gaioiga a tagata fa'aoga i se faiga fa'aletonu e mafai ona tu'uina atu ile fomu nei:
O lenei faʻamatalaga, faʻatasi ai ma isi mea, e aofia ai faʻamatalaga e uiga i le faʻaogaina o faila faila:
Fa'amatalaga e uiga i le fa'agaioia o le faila 'RDPWInst.exe'.
O faʻamatalaga e uiga i le auai o tagata osofaʻi i faiga faʻafefeteina e mafai ona maua i le Windows registry startup keys, services, scheduled tasks, Logon scripts, WMI, etc. O faʻataʻitaʻiga o le suʻeina o faʻamatalaga e uiga i tagata osofaʻi o loʻo faʻapipiʻi i le faiga e mafai ona vaʻaia i ata nei:
Faʻasalaina tagata osofaʻi e faʻaaoga le faʻatulagaina o galuega e ala i le fatuina o se galuega e faʻaogaina ai le PowerShell script.
Fa'amaopoopoina osofa'iga e fa'aaoga ai le Windows Management Instrumentation (WMI).
Fa'atasia tagata osofa'i e fa'aaoga le Logon script.
O le fegasoloaʻi o tagata osofaʻi i luga o se fesoʻotaʻiga komipiuta faʻafefeteina e mafai ona iloa, mo se faʻataʻitaʻiga, e ala i le suʻesuʻeina o logs system Windows (pe a faʻaogaina e le au osofaʻi le auaunaga RDP).
Fa'amatalaga e uiga i feso'ota'iga RDP ua maua.
Faʻamatalaga e uiga i le fegasoloaʻi o tagata osofaʻi i luga o le upega tafaʻilagi.
O le mea lea, e mafai ai e le Belkasoft Evidence Center ona fesoasoani i tagata suʻesuʻe e iloa ai komepiuta faʻafefeteina i totonu o fesoʻotaʻiga komipiuta osofaʻi, suʻe faʻailoga o le faʻalauiloaina o mea leaga, faʻailoga o le faʻapipiʻiina i le faiga ma le gaioiga i luga o le upega tafailagi, ma isi faʻailoga o gaioiga osofaʻi i luga o komepiuta faʻafefe.
E fa'afefea ona fa'atinoina ia su'esu'ega ma iloa mea taua o lo'o fa'amatalaina i luga o lo'o fa'amatalaina ile Belkasoft Incident Response Examination course.
Fuafuaga a'oa'oga:
- Tulaga Cyberattack. Tekinolosi, meafaigaluega, sini a tagata osofaʻi
- Fa'aaogā fa'ata'ita'iga tau fa'amata'u e malamalama ai i ta'iala a tagata osofa'i, faiga, ma faiga
- Cyber kill filifili
- Algoritma tali fa'alavelave: fa'ailoaina, fa'asinomaga, fa'atupuina o fa'ailoga, su'e ni pona fou ua a'afia
- Iloiloga o faiga Pupuni e faʻaaoga ai le BEC
- Su'esu'eina o metotia o fa'ama'i fa'ama'i muamua, fa'asalalauina o feso'ota'iga, fa'atasi, ma le gaioiga o feso'ota'iga o mea leaga e fa'aaoga ai le BEC
- Fa'ailoa faiga fa'ama'i ma toe fa'afo'i tala'aga fa'ama'i e fa'aaoga ai le BEC
- Lesona faatino
FAQO fea e fai ai kosi?
O a'oa'oga e faia i le Ofisa autu o le Group-IB po'o se nofoaga i fafo (nofoaga mo a'oa'oga). E mafai e se faiaoga ona malaga i nofoaga ma tagata faʻatau pisinisi.
O ai e taitaia vasega?
O faiaoga i le Group-IB o loʻo i ai le tele o tausaga o le poto masani i le faʻatinoina o suʻesuʻega faʻapitoa, suʻesuʻega faʻatasi ma le tali atu i faʻamatalaga saogalemu faʻalavelave.
O agavaa o faiaoga e faʻamaonia e le tele o tusi pasi faavaomalo: GCFA, MCFE, ACE, EnCE, ma isi.
E faigofie ona maua e matou faiaoga se gagana masani ma le au maimoa, faʻamalamalama manino e oʻo lava i mataupu sili ona faigata. O le a aʻoaʻoina e tamaiti aʻoga le tele o faʻamatalaga talafeagai ma manaia e uiga i le suʻesuʻeina o faʻalavelave komepiuta, metotia o le faʻamaonia ma le faʻafetauiina o osofaʻiga komepiuta, ma maua le poto faʻatino moni e mafai ona latou faʻaoga vave pe a maeʻa le faauuga.
O le a tu'uina atu ea'oga ni tomai aoga e le feso'ota'i ma oloa Belkasoft, pe o le a le fa'aaogaina nei tomai e aunoa ma lenei polokalama?
O tomai na maua i le taimi o aʻoaʻoga o le a aoga e aunoa ma le faʻaaogaina o oloa Belkasoft.
O le a le mea e aofia ai i le suʻega muamua?
Ole su'ega muamua ole su'ega ole malamalama ile fa'avae ole su'esu'ega fa'akomepiuta. E leai ni fuafuaga e faʻataʻitaʻi le malamalama o Belkasoft ma Group-IB oloa.
O fea e mafai ona ou maua ai faʻamatalaga e uiga i aʻoaʻoga a le kamupani?
I le avea ai o se vaega o aʻoaʻoga faʻaleaʻoaʻoga, o le Vaega-IB e toleniina tagata faʻapitoa i tali faʻalavelave, suʻesuʻega o mea leaga, tagata poto faʻapitoa i luga o le initaneti (Threat Intelligence), faʻapitoa e galulue i le Nofoaga Puipuiga Puipuiga (SOC), faʻapitoa i le tulituliloaina o le taufaamataʻu (Threat Hunter), ma isi. . O lo'o avanoa le lisi atoa o a'oa'oga fa'apitoa mai le Group-IB .
O a ponesi e maua e tamaiti aʻoga e faʻamaeʻaina vasega faʻatasi i le va o le Group-IB ma Belkasoft?
O i latou ua maeʻa aʻoaʻoga i vasega faʻatasi i le va o le Group-IB ma Belkasoft o le a mauaina:
- tusi faamaonia o le mae'a o le vasega;
- totogi fua masina i le Belkasoft Evidence Center;
- 10% fa'aitiitiga i le fa'atauina o le Belkasoft Evidence Center.
Matou te faamanatu atu o le vasega muamua e amata i le Aso Gafua, 9 september, - aua le misia le avanoa e maua ai le malamalama tulaga ese i le tulaga o le saogalemu o faʻamatalaga, faʻamatalaga komepiuta ma tali faʻalavelave! Le resitalaina mo le kosi .
PunaoaI le sauniaina o le tusiga, na matou faʻaogaina le faʻamatalaga a Oleg Skulkin "Faʻaaogaina o suʻesuʻega faʻapitoa faʻapitoa e maua ai faʻailoga o le fetuutuunai mo le manuia o le tali atu i faʻalavelave faʻafuaseʻi."
puna: www.habr.com