A trap as a security tool - 2, or catching APTs with live bait

(thanks to Sergey G. Brester, sebres, for the title idea)

Friends, the purpose of this article is to share the experience of a year-long test run of a new class of IDS solutions built on Deception technology.


To keep the presentation logically coherent, I think it is right to start with the premises. So, the problem:

  1. Targeted attacks are the most dangerous type of attack, even though their share of the overall threat volume is small.
  2. No guaranteed-effective means of protecting the perimeter (or set of such means) has yet been invented.
  3. As a rule, a targeted attack proceeds in several stages. Breaching the perimeter is only one of the initial stages, and on its own (you may throw stones at me) it does not do much damage to the "victim", unless of course it is a DEoS (Destruction of Service) attack (ransomware, etc.). The real "pain" begins later, when the captured assets start being used for lateral movement and for developing the attack "in depth", and we do not notice this.
  4. Since we start to suffer real losses only when the attackers reach the targets of the attack (application servers, DBMS, data warehouses, repositories, critical infrastructure elements), it is logical that one of the tasks of the information security service is to interrupt the attack before this sad event. But to interrupt something, you first have to find out about it. And the sooner, the better.
  5. Accordingly, for successful risk management (that is, reducing the damage from targeted attacks), it is vital to have tools that provide a minimal TTD (time to detect: the time from the moment of intrusion to the moment the attack is detected). Depending on the industry and region, this period averages 99 days in the US, 106 days in the EMEA region and 172 days in the APAC region (M-Trends 2017, A View From the Front Lines, Mandiant).
  6. What does the market offer?
    • "Sandboxes". Another preventive control, and one that is far from ideal. There are many working techniques for detecting and evading sandboxes and whitelisting solutions. The guys from the "dark side" are still one step ahead here.
    • UEBA (systems for profiling behaviour and detecting deviations from it): in theory it could be very effective. But in my opinion, that is some time in the distant future. In practice it is still very expensive, unreliable, and requires a very mature and stable IT and information security infrastructure that already has all the tools generating the data for behavioural analysis.
    • SIEM is a good tool for investigation, but it is not able to see and show something new and original in time, because its correlation rules are essentially signatures.

  7. As a result, a tool is needed that would:
    • work successfully under conditions of an already compromised perimeter,
    • detect successful attacks in near real time, regardless of the tools and vulnerabilities used,
    • not depend on signatures, rules, scripts, policies, profiles and other static things,
    • not require large volumes of data, and data sources, for analysis,
    • describe an attack not as some kind of risk score produced by "the best in the world, patented and therefore closed mathematics", which requires further investigation, but as a binary event: "Yes, we are under attack" or "No, everything is fine",
    • be universal, efficiently scalable and feasible to deploy in any heterogeneous environment, regardless of the physical and logical network topology in use.

So-called deception solutions are now competing for the role of such a tool. That is, solutions based on the good old honeypot idea, but with a completely different level of implementation. This topic is definitely on the rise now.

According to the results of the Gartner Security & Risk Management Summit 2017, deception solutions are included in the TOP 3 strategies and tools recommended for use.

According to the TAG Cybersecurity Annual 2017 report, deception is one of the main directions in the development of IDS (Intrusion Detection Systems) solutions.

The entire last section of the Cisco State of IT Security Report, devoted to SCADA, is based on data from one of the leaders in this market, TrapX Security (Israel), whose solution has been running in our test area for a year.

TrapX Deception Grid lets you cost-effectively and centrally operate a massively distributed IDS without increasing the licensing load and hardware resource requirements. In fact, TrapX is a constructor that lets you build, from elements of the existing IT infrastructure, one large mechanism for detecting attacks on an enterprise-wide scale, a kind of distributed network "alarm".

Solution architecture

In our laboratory we constantly study and test various new products in the field of IT security. Currently, about 50 different virtual servers are deployed here, including the TrapX Deception Grid components.


So, from top to bottom:

  1. TSOC (TrapX Security Operation Console) is the brain of the system. This is the central management console through which configuration, deployment of the solution and all day-to-day operations are performed. Since it is a web service, it can be deployed anywhere: on-premises, in the cloud or at an MSSP provider.
  2. TrapX Appliance (TSA) is the real server to which we connect, via a trunk port, the subnets we want to cover with monitoring. All of our network sensors also actually "live" here.

    Our lab has one TSA deployed (mwsapp1), but in reality there may be many. This may be needed in large networks where there is no L2 connectivity between segments (a typical example is "holding company and subsidiaries" or "bank head office and branches"), or where the network has isolated segments, for example an industrial control system. In each such branch or segment you can deploy your own TSA and connect it to a single TSOC, where all the information is processed centrally. This architecture lets you build distributed monitoring systems without having to radically restructure the network or break the existing segmentation.

    We can also send a copy of outbound traffic to the TSA via TAP/SPAN. If connections to known botnets, command and control servers or TOR sessions are detected, we will get the result in the console as well. The Network Intelligence Sensor (NIS) is responsible for this. In our environment this function is implemented on the firewall, so we did not use it here.

  3. Application Traps (Full OS) are traditional honeypots based on Windows servers. You do not need many of them, since the main purpose of these servers is to provide IT services to the next layer of sensors, or to detect attacks on business applications that can be deployed in a Windows environment. We have one such server deployed in our lab (FOS01).


  4. Emulated traps are the main component of the solution. They allow us, using a single virtual machine, to lay a very dense "minefield" for attackers and saturate the corporate network, all of its VLANs, with our sensors. The attacker sees such a sensor, or phantom host, as a real Windows PC or server, a Linux server or any other device we choose to show him.


    For business reasons and out of curiosity, we deployed "a pair of every creature": Windows PCs and servers of various versions, Linux servers, an ATM running Windows, SWIFT Web Access, a network printer, a Cisco switch, an Axis IP camera, a MacBook, a PLC device and even a smart light bulb. 13 hosts in total. In general, the vendor recommends deploying such sensors in a quantity of at least 10% of the number of real hosts. The upper bound is the available address space.

    A very important point is that each such host is not a full-fledged virtual machine that requires resources and licences. It is a decoy, an emulation, a single process on the TSA with a set of parameters and an IP address. Therefore, with even a single TSA we can saturate the network with hundreds of such phantom hosts, which work as sensors in the alarm system. It is this technology that makes it possible to scale the honeypot concept cost-effectively across any large distributed enterprise.

    From the attacker's point of view, these hosts are attractive because they contain vulnerabilities and appear to be easy targets. The attacker sees the services on these hosts and can interact with them and attack them using standard tools and protocols (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, etc.). But these hosts cannot be used to develop the attack further or to run his own code.

  5. The combination of these two technologies (Full OS and emulated traps) gives us a high statistical probability that an attacker will sooner or later run into some element of our signalling network. But how can we bring this probability close to 100%?

    This is where the so-called Deception tokens enter the battle. Thanks to them we can include all existing PCs and servers of the enterprise in our distributed IDS. Tokens are placed on real user PCs. It is important to understand that tokens are not agents that consume resources and can cause conflicts. Tokens are passive pieces of information, a kind of "breadcrumbs" for the attacking side that lead it into a trap. For example: mapped network drives, browser bookmarks to fake web admin panels together with saved passwords for them, saved ssh/rdp/winscp sessions, entries for our traps with comments in hosts files, passwords cached in memory, credentials of non-existent users, office files whose opening triggers the system, and much more. In this way we place the attacker in a distorted environment, saturated with attack vectors that pose no real threat to us, quite the opposite. And he has no way of determining which information is genuine and which is fake. So we not only ensure rapid detection of the attack, but also significantly slow down its progress.

An example of creating a network trap and setting up a token. A friendly interface and no manual editing of configs, scripts, etc.

In our environment we configured and placed a number of such tokens on FOS01, running Windows Server 2012 R2, and on a test PC running Windows 7. RDP is enabled on these machines and we periodically "hang them out" in the DMZ, where a number of our sensors (emulated traps) are also exposed. So we get a constant stream of incidents, naturally occurring, so to speak.

So, here are the quick numbers for the year:

56 - incidents recorded,
2 - attacking source hosts detected.

Interactive, clickable attack map

At the same time, the solution does not generate some kind of mega-log or event feed that takes a long time to make sense of. Instead, the solution itself classifies events by type and lets the information security team focus on the most dangerous ones: when the attacker tries to establish control sessions (interaction), or when binary payloads (infection) appear in our traffic.
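To make the two ideas above concrete, the breadcrumbs that pull an attacker towards a phantom host and the triage of what he then does there, here is an added example in Python. It is not TrapX code and not the author's; the phantom-host inventory, the honeytoken account names, the key=value log format and the three severity tiers are all assumptions constructed for the example. The point it shows is that a deception grid needs no signatures: nothing legitimate ever references a phantom address or a planted credential, so any event that does is a binary "we are under attack" verdict attributed to its source host, and only the ranking of what the attacker did is left to do.

```python
"""Added example (not TrapX code): the alarm logic a deception grid boils down to.

Assumed inventory: three phantom hosts (emulated traps) and two honeytoken
accounts planted as breadcrumbs on real workstations. No legitimate process
ever touches either, so an event referencing one is a binary verdict
attributed to its source host. Alerts are then ranked: recon (scans, bare
connections) < interaction (a session is driven) < infection (a payload
is written to a trap).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed decoy inventory (hypothetical names and addresses).
PHANTOM_HOSTS = {
    "10.10.5.21": "win-fs02",    # emulated Windows file server
    "10.10.5.22": "linux-db03",  # emulated Linux server
    "10.10.5.23": "swift-web",   # emulated SWIFT Web Access front end
}
HONEYTOKENS = {"svc_backup_old", "swiftadmin"}  # accounts that exist nowhere

SEVERITY = {"recon": 1, "interaction": 2, "infection": 3}

# Constructed sample log in a simple key=value form (not a TrapX export).
SAMPLE_LOG = """\
ts=2018-03-01T09:12:01 src=10.10.7.40 dst=10.10.5.21 proto=smb action=connect
ts=2018-03-01T09:12:02 src=10.10.7.40 dst=10.10.5.22 proto=ssh action=connect
ts=2018-03-01T09:12:05 src=10.10.7.40 dst=10.10.5.21 proto=rdp action=login user=svc_backup_old result=fail
ts=2018-03-01T09:13:10 src=10.10.7.40 dst=10.10.5.22 proto=ssh action=exec cmd="rm -rf /var/log/*"
ts=2018-03-01T09:15:44 src=10.10.7.40 dst=10.10.5.21 proto=smb action=upload file=psexesvc.exe
ts=2018-03-01T09:20:00 src=10.10.7.41 dst=10.10.9.8 proto=http action=connect
ts=2018-03-01T09:20:30 src=10.10.7.55 dst=10.10.1.2 proto=kerberos action=login user=swiftadmin result=fail
ts=2018-03-01T09:21:00 src=10.10.7.55 dst=10.10.5.23 proto=http action=request path="/login?id=1' OR 1=1--"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str      # the host to isolate and investigate
    target: str   # phantom host name, or token:<account> when a breadcrumb was used
    tier: str     # recon | interaction | infection
    detail: str


def parse_line(line: str) -> dict:
    """Split key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(fields: dict):
    """Return an Alert if the event touches a decoy, otherwise None."""
    dst, user = fields.get("dst"), fields.get("user")
    action = fields.get("action", "")
    if dst not in PHANTOM_HOSTS and user not in HONEYTOKENS:
        return None  # real asset and real account: out of scope for the grid
    if action in ("upload", "download"):
        tier = "infection"       # a payload reached the trap
    elif action in ("login", "exec", "request") or user in HONEYTOKENS:
        tier = "interaction"     # the attacker is driving a session
    else:
        tier = "recon"           # scan or bare connection
    target = PHANTOM_HOSTS.get(dst, f"token:{user}")
    detail = fields.get("cmd") or fields.get("file") or fields.get("path") or action
    return Alert(fields["ts"], fields["src"], target, tier, detail)


def analyze(log_text: str) -> dict:
    """Binary verdict, per-tier counts and the worst tier seen per source host."""
    alerts = [a for a in map(classify, map(parse_line, log_text.splitlines())) if a]
    worst = {}
    for a in alerts:
        if SEVERITY[a.tier] > SEVERITY.get(worst.get(a.src), 0):
            worst[a.src] = a.tier
    return {
        "under_attack": bool(alerts),
        "alerts": alerts,
        "by_tier": dict(Counter(a.tier for a in alerts)),
        "sources": worst,  # what a NAC integration would quarantine
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("under attack:", report["under_attack"])
    for src, tier in sorted(report["sources"].items(), key=lambda s: -SEVERITY[s[1]]):
        print(f"{src}: {tier}")
    for a in report["alerts"]:
        print(f"{a.ts} {a.src} -> {a.target} [{a.tier}] {a.detail}")
```

Note the seventh sample line: a logon with the planted account swiftadmin against a real address (10.10.1.2) still fires, because the credential only exists as a breadcrumb, which is how tokens extend the grid to hosts that are not traps at all. The connection to 10.10.9.8 from 10.10.7.41 produces nothing, since no decoy is involved.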


All information about events is readable and presented, in my opinion, in a form that is easy to understand even for a user with only basic knowledge of information security.

Most of the recorded events are attempts to scan our hosts, or single connections.


Or attempts to brute-force RDP passwords


But there were also more interesting cases, especially when attackers "managed" to guess the RDP password and gain access to the local network.


An attacker attempts to execute code using psexec.


The attacker found a saved session, which led him into a trap in the form of a Linux server. Immediately after connecting, using a pre-prepared set of commands, he tried to destroy all log files and the corresponding system variables.


An attacker attempts SQL injection on a honeypot emulating SWIFT Web Access.

In addition to such "natural" attacks, we also ran a number of tests of our own. One of the most revealing was measuring the time to detect a network worm on the network. For this we used a tool from GuardiCore called Infection Monkey. It is a network worm that can hijack Windows and Linux hosts, but without any "payload".
We deployed a local command centre, launched the first instance of the worm on one of the machines, and received the first alert in the TrapX console in less than a minute and a half. A TTD of 90 seconds versus 106 days on average...

Thanks to the ability to integrate with other classes of solutions, we can move from merely detecting threats quickly to responding to them automatically.

For example, integration with NAC (Network Access Control) systems or with Carbon Black allows compromised PCs to be disconnected from the network automatically.


Integration with sandboxes allows files involved in an attack to be submitted for analysis automatically.

McAfee integration

The solution also has its own built-in event correlation system.


But we were not satisfied with its capabilities, so we integrated it with HP ArcSight.


The built-in ticketing system helps the whole team deal with detected threats.


Since the solution was designed "from the ground up" for the needs of government agencies and the large corporate segment, it naturally implements a role-based access model, integration with AD, a developed system of reports and triggers (event notifications), and orchestration for large holding structures or MSSP providers.

Instead of an epilogue

If you have a monitoring system like this, one that, figuratively speaking, covers your back, then a perimeter breach is only the beginning. Most importantly, you get a real chance to deal with information security incidents themselves, and not with their consequences.

Source: www.habr.com
