( thanks to Sergey G. Brester for the title idea )
Friends, the purpose of this article is to share the experience of a year-long pilot operation of a new class of IDS solutions based on Deception technology.

To keep the presentation logically consistent, I think it is appropriate to start with the premises. So, the problem:
- Targeted attacks are the most dangerous type of attack, even though their share in the total number of threats is small.
- No guaranteed effective method of perimeter protection (or set of such methods) has been invented yet.
- As a rule, targeted attacks proceed in several stages. Breaching the perimeter is only one of the initial stages, which (you may throw stones at me) does not cause significant damage to the "victim", unless, of course, it is a DEoS (Destruction of Service) attack (encryptors, etc.). The real "pain" begins later, when the captured assets start to be used for lateral movement and for developing the attack "in depth", and we have not noticed it.
- Since we begin to suffer real losses only when the attackers finally reach the attack targets (application servers, DBMS, data warehouses, repositories, critical infrastructure elements), it is logical that one of the tasks of the information security service is to interrupt attacks before this sad event. But to interrupt something, you first have to know about it. And the sooner, the better.
- Accordingly, for successful risk management (that is, reducing the damage from targeted attacks), it is critical to have tools that provide a minimal TTD (time to detect: the time from the moment of intrusion to the moment the attack is detected). Depending on the industry and region, this time averages 99 days in the US, 106 days in EMEA and 172 days in APAC (M-Trends 2017, A View From the Front Lines, Mandiant).
- What does the market offer?
- "Sandboxes". Another preventive control, and far from an ideal one. There are many effective techniques for detecting and evading sandboxes or whitelisting solutions. The guys from the "dark side" are still one step ahead here.
- UEBA (behavioural profiling and anomaly detection systems) can, in theory, be very effective. But, in my opinion, that is somewhere in the distant future. In practice, it is still very expensive, unreliable and requires a very mature and stable IT and IS infrastructure in which all the tools that generate data for behavioural analysis already exist.
- SIEM is a good tool for investigations, but it cannot see or show anything new and original in time, because correlation rules are the same signatures.
- As a result, there was a need for a tool that:
- works successfully in an already compromised environment,
- detects successful attacks in near real time regardless of the tools and vulnerabilities used,
- does not depend on signatures/rules/scripts/policies/profiles and other static things,
- does not require large volumes of data and data sources for analysis,
- would allow attacks to be defined not as some kind of risk score produced by "the best, patented and therefore closed mathematics in the world", which requires further investigation, but practically as a binary event: "Yes, we are being attacked" or "No, everything is fine",
- is universal, efficiently scalable and feasible to implement in any heterogeneous environment, regardless of the physical and logical network topology used.
The so-called Deception solutions are now claiming the role of such a tool. That is, solutions based on the good old concept of honeypots, but with a completely different level of implementation. This topic is definitely on the rise now.
According to the cited results, Deception strategies are among the TOP 3 strategies and tools recommended for use.
According to the report, Deception is one of the main directions in the development of IDS (Intrusion Detection Systems) solutions.
The entire last section of it, devoted to SCADA, is based on data from one of the leaders in this market, TrapX Security (Israel), whose solution has been running in our test zone for a year now.
TrapX Deception Grid allows you to build and operate a large distributed IDS centrally, without increasing the licence load and hardware resource requirements. In fact, TrapX is a constructor that lets you assemble one large-scale attack detection mechanism from elements of the existing IT infrastructure, a kind of distributed network "alarm".
Solution Structure
In our lab we constantly study and test various new products in the field of IT security. Currently, about 50 different virtual servers are deployed here, including the TrapX Deception Grid components.

So, from top to bottom:
- TSOC (TrapX Security Operation Console) is the brain of the system. This is the central management console, with the help of which the solution is configured, deployed and all day-to-day work is performed. Since it is a web service, it can be deployed anywhere: on the perimeter, in the cloud or at an MSSP provider.
- TrapX Appliance (TSA) is the actual server to which we connect, via a trunk port, the subnets we want to monitor. All our network sensors actually "live" here.
In our lab, one TSA (mwsapp1) is deployed, but in reality there can be many. This may be needed in large networks where there is no L2 connectivity between segments (a typical example is "holding company and subsidiaries" or "bank head office and branches") or when there are isolated segments in the network, for example an automated process control system. In each such branch/segment you can deploy your own TSA and connect it to a single TSOC, where all information is processed centrally. This architecture allows you to build distributed monitoring systems without the need for radical network restructuring or disruption of the existing segmentation.
We can also feed a copy of outbound traffic to the TSA via TAP/SPAN. If connections to known botnets, command servers or TOR nodes are detected, we will also get the result in the console. The Network Intelligence Sensor (NIS) is responsible for this. In our environment this functionality is implemented on the firewall, so we did not use it here.
- Application Traps (Full OS) are traditional honeypots based on Windows servers. Not many of them are needed, since the main purpose of these servers is to provide IT services to the next layer of sensors or to detect attacks on business applications that may be deployed in a Windows environment. We have one such server (FOS01) installed in our lab.

- Emulated Traps are the main element of the solution, allowing us to create a very dense "minefield" for attackers using a single virtual machine and to saturate the corporate network, including all of its VLANs, with our sensors. The attacker sees such a sensor, or phantom host, as a real Windows PC or server, Linux server or other device that we choose to show him.

For the benefit of the business and out of curiosity, we deployed "every creature in pairs": Windows PCs and servers of various versions, Linux servers, an ATM with embedded Windows, SWIFT Web Access, a network printer, a Cisco switch, an Axis IP camera, a MacBook, a PLC device, and even a smart light bulb. That makes 13 hosts in total. In general, the vendor recommends deploying such sensors in a quantity of at least 10% of the number of real hosts. The upper limit is the available address space. A very important point is that each such host is not a full-fledged virtual machine requiring resources and licences. It is a "dummy", an emulation, a single process on the TSA with a set of parameters and an IP address. Therefore, even with a single TSA, we can saturate the network with hundreds of such phantom hosts that work as sensors in an alarm system. It is this technology that makes the "honeypot" concept economically viable and scalable to the size of any large distributed enterprise.
From the attacker's point of view, these hosts are attractive because they contain vulnerabilities and appear to be easy targets. The attacker sees services on these hosts and can interact with them, attacking them using standard tools and protocols (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, etc.). But these hosts cannot be used to develop the attack further or to run your own code.
- The combination of these two technologies (FullOS and emulated honeypots) gives us a high probability that the attacker will sooner or later run into some element of our signalling network. But how do we bring this probability close to 100%?
This is where the so-called Deception tokens come into play. Thanks to them, we can include all existing PCs and servers of the enterprise in our distributed IDS. Tokens are placed on real user PCs. It is important to understand that tokens are not an agent that consumes resources and can cause conflicts. Tokens are passive information elements, a kind of "breadcrumbs" for the attacking side, which lead it into a trap. For example: mapped network drives, browser bookmarks to fake web admin panels with saved passwords for them, saved ssh/rdp/winscp sessions, our traps with comments in hosts files, passwords saved in memory, credentials of non-existent users, office files that trigger the system when opened, and much more. Thus we place the attacker in a distorted environment saturated with attack vectors that do not actually threaten us, but quite the opposite. And he has no way of telling where the information is true and where it is false. So we not only ensure rapid detection of an attack, but also significantly slow its progress.

An example of creating a network trap and setting up a token. A user-friendly interface and no manual editing of configs, scripts, etc.
In our environment, we configured and placed a number of such tokens on FOS01 running Windows Server 2012R2 and on a test PC running Windows 7. These machines run RDP, and periodically we "hang" them out in the DMZ, where a number of our sensors (emulated traps) are also exposed. In this way we get a constant stream of incidents, as you would expect.
So, here are some brief statistics for the year:
56 - incidents recorded,
2 - attack source hosts detected.
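The token idea in code, as an added example that is not part of the original article and not TrapX's own logic: a decoy inventory (constructed, hypothetical names) that no legitimate user ever touches, a line-by-line check of constructed authentication/share-access log lines, and the article's TTD measured from the first logged activity to the first decoy hit. The log format is an assumption made for the example.

```python
import re
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple
# Constructed decoy inventory (hypothetical names, not from the article or TrapX).
# Nothing legitimate ever uses these, so one hit is the binary "yes, we are being attacked".
DECOY_USERS = {"svc_backup_old", "admin_legacy"}   # credentials of non-existent users
DECOY_SHARES = {r"\\fs-archive\finance$"}          # mapped drive pointing at a trap
DECOY_HOSTS = {"10.10.20.55"}                      # phantom host from a saved RDP session

# Constructed log format: "<iso-ts> src=<ip> user=<name> action=<verb> target=<obj>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                    r"action=(?P<action>\S+) target=(?P<target>\S+)$")
Alert = Tuple[str, str, str]   # (timestamp, source host, reason)

def check_line(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None                          # unparsable lines are skipped, not alerted on
    f = m.groupdict()
    if f["user"].lower() in DECOY_USERS:
        return (f["ts"], f["src"], "decoy account " + f["user"])
    if f["target"].lower() in DECOY_SHARES:
        return (f["ts"], f["src"], "decoy share " + f["target"])
    if f["target"] in DECOY_HOSTS:
        return (f["ts"], f["src"], "decoy host " + f["target"])
    return None

def scan_log(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(check_line, lines) if a is not None]

def attack_sources(alerts: Iterable[Alert]) -> Set[str]:
    return {src for _, src, _ in alerts}

def time_to_detect_seconds(lines: List[str]) -> Optional[float]:
    """TTD as the article defines it: first logged activity (assumed intrusion) to first alert."""
    alerts = scan_log(lines)
    stamps = [m.group("ts") for m in map(LOG_RE.match, (l.strip() for l in lines)) if m]
    if not alerts or not stamps:
        return None
    return (datetime.fromisoformat(alerts[0][0]) - datetime.fromisoformat(stamps[0])).total_seconds()

# Constructed sample: normal activity by jdoe, then three decoy touches from two hosts.
SAMPLE_LOG = [
    "2023-03-01T10:00:01 src=10.10.5.12 user=jdoe action=logon target=ws-012",
    "2023-03-01T10:02:13 src=10.10.5.12 user=jdoe action=smb_open target=\\\\fs-prod\\docs",
    "2023-03-01T10:05:40 src=10.10.5.12 user=svc_backup_old action=logon target=ws-012",
    "2023-03-01T10:06:02 src=10.10.5.12 user=jdoe action=rdp_connect target=10.10.20.55",
    "2023-03-01T11:17:55 src=10.10.7.3 user=jdoe action=smb_open target=\\\\fs-archive\\finance$",
    "not a log line",
]
```

Running `scan_log(SAMPLE_LOG)` yields three alerts from two source hosts, with a TTD of 339 seconds from the first logon to the first decoy hit.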

Interactive, clickable attack map
At the same time, the solution does not generate some mega-log or event feed that takes a long time to process. Instead, the solution itself classifies events by type and allows the information security team to focus on the most dangerous ones: when the attacker tries to establish control sessions (interaction) or when binary payloads (infection) appear in our traffic.
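The triage described above, as an added example (not code from the article or from TrapX): constructed trap sessions are classified into the three classes the article names, scan (connect and leave), interaction (the attacker drives the fake service) and infection (a binary payload arrives), and ordered so the most dangerous ones come first. The event structure and the binary heuristic are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Severity order the article implies: scans are noise, control sessions and
# binary payloads are what the IS team should look at first.
SEVERITY = {"scan": 1, "interaction": 2, "infection": 3}

@dataclass(frozen=True)
class TrapEvent:
    src: str               # host that touched the phantom sensor
    dst_port: int          # emulated service that was touched
    payload: bytes = b""   # everything the source sent after connecting

def looks_binary(data: bytes) -> bool:
    """True for executable headers or payloads that are mostly non-printable bytes."""
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return len(data) > 0 and printable / len(data) < 0.7

def classify(ev: TrapEvent) -> str:
    if not ev.payload:
        return "scan"             # connect-and-leave: port scan or single touch
    if looks_binary(ev.payload):
        return "infection"        # executable dropped into the trap
    return "interaction"          # attacker driving the fake service (commands, SQLi, ...)

def triage(events: Iterable[TrapEvent]) -> List[Tuple[str, str, int]]:
    """Most dangerous first; ties keep their original (chronological) order."""
    ranked = sorted(events, key=lambda e: SEVERITY[classify(e)], reverse=True)
    return [(classify(e), e.src, e.dst_port) for e in ranked]

def summarize(events: Iterable[TrapEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts

# Constructed sample sessions against phantom hosts (not real captures).
SAMPLE_EVENTS = [
    TrapEvent("10.10.5.12", 445),
    TrapEvent("10.10.5.12", 3389),
    TrapEvent("10.10.7.3", 22, b"ls -la /var/log\n"),
    TrapEvent("10.10.7.3", 445, b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    TrapEvent("10.10.9.9", 80, b"GET /login?user=' OR 1=1-- HTTP/1.1\r\n\r\n"),
]
```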

All information about events is readable and presented, in my opinion, in a form that is easy to understand even for a user with only basic knowledge of information security.
Most of the recorded incidents are attempts to scan our hosts or single connections.

Or attempts to brute-force RDP passwords

But there were also more interesting cases, especially when attackers "managed" to pick up the RDP password and gain access to the local network.

The attacker tries to execute code using psexec.

The attacker found a saved session that led him into a trap in the form of a Linux server. Immediately after connecting, using a single prepared set of commands, he tried to destroy all log files and the corresponding system variables.

The attacker tries an SQL injection against a honeypot emulating SWIFT Web Access.
In addition to such "natural" attacks, we also ran a number of our own tests. One of the most revealing is measuring the time it takes to detect a network worm in the network. For this we used a tool from GuardiCore. It is a network worm capable of infecting Windows and Linux, but without a "useful" payload.
We deployed a local command centre, launched the first instance of the worm on one of the machines, and received the first notification in the TrapX console in less than a minute and a half. A TTD of 90 seconds versus 106 days on average…
Thanks to the ability to integrate with other classes of solutions, we can move from merely detecting a threat quickly to responding to it automatically.
For example, integration with NAC (Network Access Control) systems or with CarbonBlack allows compromised PCs to be automatically disconnected from the network.

Integration with sandboxes allows files involved in an attack to be automatically submitted for analysis.

McAfee integration
The solution also has its own built-in event correlation system.

But we were not satisfied with its capabilities, so we integrated it with HP ArcSight.

The built-in ticketing system helps handle detected threats "as a team".

Since the solution was designed "from the start" for the needs of government agencies and the large corporate segment, it naturally implements a role-based access model, integration with AD, a developed system of reports and triggers (event notifications), and orchestration for large holding structures or MSSP providers.
Instead of a summary
If there is such a monitoring system that, figuratively speaking, covers our back, then with a compromise of the perimeter everything is only just beginning. The most important thing is that there is a real opportunity to deal with information security incidents, rather than dealing with their consequences.
Source: www.habr.com