Welcome to a new series of articles, this time on the topic of incident investigation, namely malware analysis using Check Point forensics tools. We previously published
Why are incident investigation tools important? It seems you caught a virus, great, what next? As practice shows, it is advisable not only to block an attack, but also to understand how it works: what the entry point was, which vulnerability was exploited, which processes are involved, whether the registry and file system are affected, which malware family it belongs to, what it could have damaged, and so on. This and other useful data can be obtained from Check Point's comprehensive forensics reports (both textual and graphical). Producing such a report by hand is very difficult. This data helps you take appropriate measures and prevent similar attacks from succeeding in the future. Today we will look at the Check Point SandBlast Network forensics report.
SandBlast Network
The use of sandboxes to strengthen network perimeter security has long become commonplace and is as mandatory a component as IPS. At Check Point, the Threat Emulation blade, which is part of the SandBlast technology (there is also Threat Extraction), performs the sandbox function. We have already published
- SandBlast Local Appliance - an additional SandBlast appliance installed on your network, to which files are sent for analysis.
- SandBlast Cloud - files are sent for analysis to the Check Point cloud.
A sandbox can be considered the last line of defense on the network perimeter. It engages only after analysis by traditional means - antivirus, IPS. And while such traditional tools provide little in the way of analytics, the sandbox can "tell" in detail why a file was blocked and what exactly it does that is malicious. This forensics report can be obtained from both the local and the cloud sandbox.
Check Point Forensics Report
Suppose you, as an information security specialist, have come to work and opened the dashboard in SmartConsole. You immediately see the events of the last 24 hours, and your attention is drawn to the Threat Emulation events - the most dangerous attacks, the ones that were not blocked by signature analysis.
You can "drill down" into these events and see all the logs of the Threat Emulation blade.
After that, you can additionally filter the logs by threat criticality level (Severity) as well as by Confidence Level (the reliability of the verdict):
After opening the event of interest, we can review the general information (src, dst, criticality, sender, etc.):
And there you can see the Forensics section with the available summary report. Clicking on it opens a detailed analysis of the malware in the form of an interactive HTML page:
(This is part of the page.
From the same report, we can download the original malware (in a password-protected archive), or immediately contact the Check Point response team.
Below you can see a nice animation showing, as percentages, which known malicious code our sample resembles (including the code itself and the macros). These analytics are produced using machine learning in the Check Point Threat Cloud.
Then you can see exactly which activities in the sandbox allowed us to conclude that this file is malicious. In this case, we see the use of evasion techniques and an attempt to download ransomware:
It can be noted that in this case the emulation was performed on two operating systems (Win 7, Win XP) and with different software versions (Office, Adobe). Below is a video (slide show) showing the process of opening this file in the sandbox:
Sample video:
Finally, we can see in detail how the attack began, either in tabular form or graphically:
There we can download this information in RAW format, as well as a pcap file for detailed analysis of the generated traffic in Wireshark:
Conclusion
Using this information, you can significantly strengthen the protection of your network. Block the hosts that distribute the malware, block exploitation of the vulnerability, block the possible response from the C&C server, and much more. This analysis should not be neglected.
In the following articles, we will look at similar reports for SandBlast Agent, SandBlast Mobile, and CloudGuard SaaS. So stay tuned (
Source: www.habr.com