How traffic analysis systems detect hacker techniques from MITRE ATT&CK, using PT Network Attack Discovery as an example.

According to Verizon, the majority (87%) of information security incidents take place within minutes, while for 68% of companies it takes months to detect them. This is confirmed by Ponemon Institute research, according to which it takes most organizations an average of 206 days to detect an incident. Based on our incident investigation experience, criminals can control a company's infrastructure for years without being noticed. For instance, in one organization where our experts investigated an information security incident, it turned out that the attackers had full control over the organization's entire infrastructure and had been regularly stealing important information for eight years.

Let's say you already have a SIEM running that collects logs and analyzes events, and antivirus software installed on endpoints. Nevertheless, not everything can be detected with a SIEM, since it is impossible to deploy EDR solutions across the whole network, which means "blind" spots cannot be avoided. Network traffic analysis (NTA) systems help deal with them. These solutions detect attacker activity at the earliest stages of network penetration, as well as during attempts to gain a foothold and develop the attack inside the network.

There are two types of NTA: some work with NetFlow, others analyze raw traffic. The advantage of the second type is that such systems can store raw traffic recordings. Thanks to this, an information security specialist can verify whether an attack succeeded, localize the threat, understand how the attack happened and how to prevent a similar one in the future.

We will show how NTA can be used, with direct or indirect evidence, to detect all the known attack techniques described in the MITRE ATT&CK knowledge base. We will cover each of the twelve tactics, analyze the techniques that can be detected from traffic, and demonstrate their detection with our NTA system.

About the ATT&CK knowledge base

MITRE ATT&CK is a public knowledge base developed and maintained by MITRE Corporation, based on the analysis of real-world APTs. It is a structured set of tactics and techniques used by attackers. This lets information security specialists from all over the world speak the same language. The database is constantly expanding and being supplemented with new knowledge.

The database identifies 12 tactics, divided according to the stages of a cyber attack:

  • initial access;
  • execution;
  • persistence;
  • privilege escalation;
  • defense evasion;
  • credential access;
  • discovery;
  • lateral movement;
  • collection;
  • command and control;
  • exfiltration;
  • impact.

For each tactic, the ATT&CK knowledge base lists a number of techniques that help attackers achieve their goal at the current stage of the attack. Since the same technique can be used at different stages, it can belong to several tactics.

The description of each technique includes:

  • an identifier;
  • the list of tactics in which it is used;
  • examples of its use by APT groups;
  • measures to reduce the damage from its use;
  • recommendations for detection.

Information security specialists can use the knowledge base to structure information about current attack methods and, with that in mind, build an effective security system. Understanding how real APT groups operate can also serve as a source of hypotheses for proactive threat hunting.

About PT Network Attack Discovery

We will look at the use of techniques from the ATT&CK matrix using the PT Network Attack Discovery system, an NTA system from Positive Technologies designed to detect attacks on the perimeter and inside the network. PT NAD covers, to varying degrees, all 12 tactics of the MITRE ATT&CK matrix. It is strongest at detecting initial access, lateral movement, and command and control techniques. For those, PT NAD covers more than half of the known techniques, detecting their use by direct or indirect signs.

The system detects attacks that use ATT&CK techniques by means of detection rules written by the PT Expert Security Center (PT ESC) team, machine learning, indicators of compromise, deep analytics and retrospective analysis. Real-time traffic analysis combined with retrospective analysis makes it possible to identify current hidden malicious activity and trace the development vectors and chronology of attacks.

Here is the full mapping of PT NAD to the MITRE ATT&CK matrix. The picture is large, so we suggest viewing it in a separate window.

Initial access

Initial access tactics cover the techniques for penetrating a company's network. The attackers' goal at this stage is to deliver malicious code to the attacked system and ensure that it can be executed later.

Traffic analysis by PT NAD reveals seven initial access techniques:

1. T1189: drive-by compromise

A technique in which the victim opens a website that the attackers use to exploit the web browser and obtain application access tokens.

What PT NAD does: If web traffic is not encrypted, PT NAD inspects the contents of HTTP server responses. These responses contain exploits that allow attackers to execute arbitrary code inside the browser. PT NAD detects such exploits automatically using detection rules.

In addition, PT NAD detects the threat one step earlier. Rules and indicators of compromise are triggered when a user visits a site that redirects them to a site hosting an exploit kit.

2. T1190: exploit public-facing application

Exploitation of vulnerabilities in services reachable from the Internet.

What PT NAD does: Performs deep inspection of network packet contents, looking for signs of anomalous activity. In particular, there are rules for detecting attacks on major content management systems (CMS), on the web interfaces of network equipment, and on mail and FTP servers.

3. T1133: external remote services

Attackers use remote access services to connect to internal network resources from outside.

What PT NAD does: since the system identifies protocols not by port numbers but by packet contents, users can filter traffic to find all sessions of remote access protocols and check their legitimacy.

4. T1193: spearphishing attachment

This is the notorious sending of phishing attachments.

What PT NAD does: Automatically extracts files from traffic and checks them against indicators of compromise. Executable files in attachments are detected by rules that analyze the contents of mail traffic. In a corporate environment, such an attachment is considered anomalous.

5. T1192: spearphishing link

Use of phishing links. The technique involves attackers sending a phishing email with a link that, when clicked, downloads a malicious program. As a rule, the link is accompanied by text composed according to all the rules of social engineering.

What PT NAD does: Detects phishing links using indicators of compromise. For example, in the PT NAD interface we see a session in which an HTTP connection was made via a link included in the list of phishing addresses (phishing-urls).

Connection via a link from the phishing-urls indicator of compromise list

6. T1199: trusted relationship

Access to the victim's network through third parties with which the victim has a trusted relationship. Attackers can compromise a trusted organization and connect to the target network through it. To do this, they use VPN connections or domain trusts, which can be identified through traffic analysis.

What PT NAD does: parses application-layer protocols and stores the parsed fields in its database, so that an information security analyst can use filters to find all suspicious VPN connections or cross-domain connections in the database.

7. T1078: valid accounts

Use of standard, local or domain credentials for authorization on external and internal services.

What PT NAD does: Automatically extracts credentials from the HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP and Kerberos protocols. As a rule, these are the login, the password and an indication of successful authentication. If they were used, they are shown in the corresponding session card.
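The credential extraction described above, with the "indication of successful authentication" paired to each login attempt, can be illustrated on two of the listed cleartext protocols. The following is an added example written for this article, not PT NAD's own parser: it assumes each session has already been reassembled into a client-to-server and a server-to-client byte stream, pairs HTTP Basic credentials with the status code of the response at the same position (HTTP/1.x responses arrive in request order), and pairs FTP PASS commands with the server's 230/530 reply. The sessions, host names and account names are constructed for the example.

```python
"""Extract cleartext credentials and the authentication outcome from
reassembled HTTP and FTP sessions (T1078, valid accounts).

Added example, not PT NAD code. Sample streams below are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Credential:
    protocol: str
    login: str
    password: str
    success: Optional[bool]    # None when the server's verdict was not captured


REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", re.M)
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ", re.M)
BASIC_AUTH = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)


def http_credentials(client: bytes, server: bytes) -> List[Credential]:
    """Pair each request carrying HTTP Basic credentials with the status code
    of the response at the same position in the server stream."""
    starts = [m.start() for m in REQUEST_LINE.finditer(client)]
    statuses = STATUS_LINE.findall(server)
    found = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(client)
        headers = client[start:end].split(b"\r\n\r\n", 1)[0]
        m = BASIC_AUTH.search(headers)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue   # not valid base64, so not a credential
        login, _, password = decoded.partition(b":")
        status = statuses[i] if i < len(statuses) else None
        # 401/403 mean the credentials were rejected; anything else counts as accepted.
        success = None if status is None else status not in (b"401", b"403")
        found.append(Credential("http", login.decode(errors="replace"),
                                password.decode(errors="replace"), success))
    return found


def ftp_credentials(client: bytes, server: bytes) -> List[Credential]:
    """Pair USER/PASS command sequences with the server's final reply codes.
    Each client command gets one final reply ("ddd "); "ddd-" lines are
    continuations and the initial 220 greeting is unsolicited."""
    commands = [line for line in client.split(b"\r\n") if line]
    replies = re.findall(rb"^(\d{3}) ", server, re.M)
    if replies and replies[0] == b"220":
        replies = replies[1:]          # drop the greeting so replies align with commands
    found, user = [], None
    for i, cmd in enumerate(commands):
        verb, _, arg = cmd.partition(b" ")
        code = replies[i] if i < len(replies) else None
        if verb.upper() == b"USER":
            user = arg
        elif verb.upper() == b"PASS" and user is not None:
            # 230 = logged in; 530 (or anything else) = not logged in.
            success = None if code is None else code == b"230"
            found.append(Credential("ftp", user.decode(errors="replace"),
                                    arg.decode(errors="replace"), success))
            user = None
    return found


# Constructed sample sessions (placeholder host and account names).
HTTP_CLIENT = (
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"svc_backup:Winter2020") + b"\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"svc_backup:wrongpass") + b"\r\n\r\n"
)
HTTP_SERVER = (b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
               b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n")
FTP_CLIENT = b"USER anonymous\r\nPASS guest@\r\nUSER admin\r\nPASS admin\r\nQUIT\r\n"
FTP_SERVER = (b"220 FTP server ready\r\n331 Password required\r\n530 Login incorrect\r\n"
              b"331 Password required\r\n230 Logged on\r\n221 Goodbye\r\n")

if __name__ == "__main__":
    for cred in http_credentials(HTTP_CLIENT, HTTP_SERVER) + ftp_credentials(FTP_CLIENT, FTP_SERVER):
        print(cred)
```

Both functions deliberately report the outcome rather than just the presence of a login: a single accepted login on a valid account looks like normal activity, while a burst of rejected attempts followed by an accepted one is what an analyst filtering session cards would want to see.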

Execution

Execution tactics cover the techniques attackers use to run code on compromised systems. Running malicious code helps attackers establish a presence (the persistence tactic) and extend access to remote systems on the network by moving within the perimeter.

PT NAD makes it possible to detect the use of 14 techniques that attackers employ to execute malicious code.

1. T1191: CMSTP (Microsoft Connection Manager Profile Installer)

A technique in which attackers prepare a specially crafted malicious INF installation file for the built-in Windows utility CMSTP.exe (Connection Manager Profile Installer). CMSTP.exe takes the file as a parameter and installs the service profile for a remote connection. As a result, CMSTP.exe can be used to load and execute dynamic link libraries (*.dll) or scriptlets (*.sct) from remote servers.

What PT NAD does: Automatically detects the transfer of specific kinds of INF files in HTTP traffic. In addition, it detects HTTP transfers of malicious scriptlets and dynamic link libraries from a remote server.

2. T1059: command-line interface

Interaction with the command-line interface. The command-line interface can be used locally or remotely, for example through remote access utilities.

What PT NAD does: automatically detects the presence of shells based on the responses to commands that launch various command-line utilities, such as ping or ifconfig.

3. T1175: component object model and distributed COM

Use of COM or DCOM technologies to execute code on local or remote systems while moving through the network.

What PT NAD does: Detects suspicious DCOM calls that attackers commonly use to launch programs.

4. T1203: exploitation for client execution

Exploitation of vulnerabilities to execute arbitrary code on a workstation. The exploits most useful to attackers are those that allow code execution on a remote system, since they can give the attackers access to that system. The technique can be carried out in the following ways: a malicious mailing, a website with browser exploits, and remote exploitation of application vulnerabilities.

What PT NAD does: When parsing mail traffic, PT NAD checks it for executable files in attachments. It automatically extracts office documents that may contain exploits from emails. Attempts to exploit vulnerabilities are visible in traffic, and PT NAD detects them automatically.

5. T1170: mshta

Use of the mshta.exe utility, which runs Microsoft HTML applications (HTA) with the .hta extension. Because mshta processes files bypassing browser security settings, attackers can use mshta.exe to execute malicious HTA, JavaScript or VBScript files.

What PT NAD does: .hta files executed via mshta are also transmitted over the network, and this can be seen in traffic. PT NAD automatically detects the transfer of such malicious files. It captures the files, and information about them can be viewed in the session card.

6. T1086: PowerShell

Use of PowerShell to find information and execute malicious code.

What PT NAD does: When PowerShell is used by remote attackers, PT NAD detects this with rules. It detects PowerShell language keywords that are most often used in malicious scripts, as well as the transfer of PowerShell scripts over the SMB protocol.

7. T1053: scheduled task

Use of Windows Task Scheduler and other utilities to automatically run programs or scripts at specified times.

What PT NAD does: attackers create such tasks, usually remotely, which means such sessions are visible in traffic. PT NAD automatically detects task creation and modification operations that use the ATSVC and ITaskSchedulerService RPC interfaces.

8. T1064: scripting

Execution of scripts to automate various attacker actions.

What PT NAD does: detects the transfer of scripts over the network, that is, even before they are launched. It detects script content in raw traffic and detects the network transfer of files whose extensions correspond to known scripting languages.
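The two detections just described for T1086 and T1064, recognizing a script in transit by extension or by its content and scoring PowerShell for keywords typical of malicious scripts, can be sketched as follows. This is an added example, not PT NAD's rule set: the extension mapping, the content signatures, the keyword list with its weights and the alert threshold are this example's own choices, and the two sample files are constructed (the base64 string in the first one decodes to a harmless Write-Output call).

```python
"""Classify files seen in transit as scripts (T1064) and score PowerShell
content for keywords commonly reported in malicious scripts (T1086).

Added example, not PT NAD's rules; lists, weights and samples are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Extension -> language. The page does not enumerate its list; this one is the example's.
SCRIPT_EXTENSIONS = {
    ".ps1": "powershell", ".psm1": "powershell", ".vbs": "vbscript",
    ".js": "jscript", ".bat": "batch", ".cmd": "batch", ".hta": "hta",
}

# Content signatures catch scripts transferred under a misleading file name.
CONTENT_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("powershell", re.compile(rb"(?i)(\$\w+\s*=|\b(Get|Set|New|Invoke)-\w+)")),
    ("vbscript",   re.compile(rb"(?i)\b(Dim\s+\w+|CreateObject\(|WScript\.)")),
    ("batch",      re.compile(rb"(?im)^\s*@echo off")),
    ("hta",        re.compile(rb"(?i)<hta:application|<script\s+language=")),
]

# PowerShell keywords frequently seen in malicious scripts, with example weights.
SUSPICIOUS_PS: Dict[bytes, int] = {
    rb"invoke-expression": 3, rb"\biex\b": 3, rb"downloadstring": 3,
    rb"frombase64string": 2, rb"net\.webclient": 2, rb"-encodedcommand|-enc\b": 3,
    rb"-windowstyle\s+hidden|-w\s+hidden": 2, rb"-noprofile|-nop\b": 1, rb"\bbypass\b": 1,
}

ALERT_THRESHOLD = 4   # example value


def detect_language(filename: str, content: bytes) -> Optional[str]:
    """Return the script language by extension, falling back to content signatures."""
    lowered_name = filename.lower()
    for ext, lang in SCRIPT_EXTENSIONS.items():
        if lowered_name.endswith(ext):
            return lang
    head = content[:4096]
    for lang, pattern in CONTENT_SIGNATURES:
        if pattern.search(head):
            return lang
    return None


def score_powershell(content: bytes) -> Tuple[int, List[str]]:
    """Weighted count of suspicious PowerShell keywords, plus which ones matched."""
    lowered = content.lower()
    score, hits = 0, []
    for pattern, weight in SUSPICIOUS_PS.items():
        if re.search(pattern, lowered):
            score += weight
            hits.append(pattern.decode())
    return score, hits


def analyze_transfer(filename: str, content: bytes) -> Dict[str, object]:
    """Verdict for one file observed in transit, before it is executed anywhere."""
    lang = detect_language(filename, content)
    result: Dict[str, object] = {"file": filename, "language": lang, "score": 0, "hits": []}
    if lang == "powershell":
        result["score"], result["hits"] = score_powershell(content)
    result["suspicious"] = result["score"] >= ALERT_THRESHOLD
    return result


# Constructed samples: an encode-then-execute pattern under a misleading name,
# and an ordinary administrative script.
SAMPLE_ENCODED = (b"$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
                  b"'V3JpdGUtT3V0cHV0ICJoaSI='))\r\nInvoke-Expression $s\r\n")
SAMPLE_ADMIN = b"Get-Service | Where-Object { $_.Status -eq 'Running' }\r\n"

if __name__ == "__main__":
    print(analyze_transfer("update.txt", SAMPLE_ENCODED))
    print(analyze_transfer("audit.ps1", SAMPLE_ADMIN))
```

The first sample is flagged even though it travels as update.txt, because the content signature identifies it as PowerShell and the decode-then-Invoke-Expression pair crosses the threshold; the administrative script is identified as PowerShell by its extension but scores zero.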

9. T1035: service execution

Running an executable file, command-line instructions or a script by interacting with Windows services, such as the Service Control Manager (SCM).

What PT NAD does: inspects SMB traffic and detects access to the SCM, with rules for the creation, modification and starting of a service.

The service start technique can be carried out with the remote command execution utility PsExec. PT NAD analyzes the SMB protocol and detects the use of PsExec when it uses the PSEXESVC.exe file or the standard PSEXECSVC service name to execute code on a remote machine. The user should check the list of executed commands and the legitimacy of remote command execution from that host.

The attack card in PT NAD shows the tactics and techniques used, according to the ATT&CK matrix, so that the user understands what stage of the attack the attackers are at, what goals they are pursuing, and what compensating measures to take.
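Both the scheduled task detection (binds to the ATSVC and ITaskSchedulerService RPC interfaces, T1053) and the SCM access detection (T1035) above start from the same observation: before a client can create a task or a service remotely, it must send a DCE/RPC bind naming the interface. The following added example, written for this article and not PT NAD's parser, decodes the interface UUIDs from a bind PDU and maps them to the interfaces the text names. It assumes the DCE/RPC payload has already been extracted from the SMB write to the named pipe; the interface UUIDs are the published MS-TSCH and MS-SCMR values, and the bind PDUs used as input are built by the example itself. A PsExec session would additionally show the PSEXESVC service name inside the subsequent CreateService request, which this example does not parse.

```python
"""Decode the interfaces requested in DCE/RPC bind PDUs carried over SMB named
pipes and flag binds to task scheduling (T1053) and service control (T1035).

Added example, not PT NAD's rules. Sample PDUs are constructed by build_bind()."""
import struct
import uuid
from typing import Dict, List

# Abstract-syntax UUIDs of the RPC interfaces named in the text (MS-TSCH, MS-SCMR).
KNOWN_INTERFACES: Dict[str, str] = {
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc (AT scheduler, T1053)",
    "86d35949-83c9-4044-b424-db363231fd0c": "ITaskSchedulerService (T1053)",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (Service Control Manager, T1035)",
}

BIND = 11            # PDU type of a bind request
HEADER_LEN = 24      # common header (16) + max_xmit, max_recv, assoc_group (8)


def parse_bind_interfaces(pdu: bytes) -> List[str]:
    """Return the abstract-syntax UUIDs listed in the bind's presentation contexts."""
    if len(pdu) < HEADER_LEN + 4 or pdu[2] != BIND:
        return []
    # packed_drep[0]: high nibble 1 = little-endian integers, 0 = big-endian.
    little_endian = (pdu[4] >> 4) == 1
    n_ctx = pdu[HEADER_LEN]                  # p_cont_list_t.n_context_elem
    offset = HEADER_LEN + 4                  # skip n_context_elem + 3 reserved bytes
    found = []
    for _ in range(n_ctx):
        # p_cont_elem_t: ctx id (2), n_transfer_syn (1), reserved (1),
        # abstract syntax (16-byte UUID + 4-byte version), then transfer syntaxes (20 each).
        if offset + 24 > len(pdu):
            break
        n_transfer = pdu[offset + 2]
        raw = pdu[offset + 4: offset + 20]
        # The first three UUID fields follow the integer byte order of the PDU.
        guid = uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)
        found.append(str(guid))
        offset += 24 + 20 * n_transfer
    return found


def classify_bind(pdu: bytes) -> List[str]:
    """Names of the known interfaces this bind requests (empty if none)."""
    return [KNOWN_INTERFACES[u] for u in parse_bind_interfaces(pdu) if u in KNOWN_INTERFACES]


def build_bind(iface: str, version: int = 1) -> bytes:
    """Build a minimal little-endian bind PDU for one interface (test input only)."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax v2
    ctx = struct.pack("<HBB", 0, 1, 0)                           # ctx id 0, one transfer syntax
    ctx += uuid.UUID(iface).bytes_le + struct.pack("<I", version)
    ctx += ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<BBH", 1, 0, 0) + ctx                    # one context element
    frag_len = HEADER_LEN + len(body)
    header = struct.pack("<BBBB4sHHIHHI",
                         5, 0, BIND, 0x03,          # version 5.0, bind, first+last fragment
                         b"\x10\x00\x00\x00",       # little-endian, ASCII, IEEE float
                         frag_len, 0, 1,            # frag length, auth length, call id
                         4280, 4280, 0)             # max xmit, max recv, assoc group
    return header + body


if __name__ == "__main__":
    for name in KNOWN_INTERFACES:
        print(name, "->", classify_bind(build_bind(name)))
```

A bind alone is not proof of misuse: legitimate management tools bind to svcctl and the scheduler interfaces too, which is why the text tells the analyst to check the executed commands and whether remote execution from that host is expected.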

The rule for use of the PsExec utility has triggered, which may indicate an attempt to execute commands on a remote machine.

10. T1072: third-party software

A technique in which attackers gain access to remote administration software or a corporate software deployment system and use it to run malicious code. Examples of such software: SCCM, VNC, TeamViewer, HBSS, Altiris.
Incidentally, this technique is especially relevant given the massive shift to remote work and, as a consequence, the connection of many unprotected home devices over dubious remote access channels.

What PT NAD does: automatically detects the operation of such software on the network. For example, rules are triggered by connections over the VNC protocol and by the activity of the EvilVNC Trojan, which covertly installs a VNC server on the victim's host and starts it automatically. PT NAD also automatically detects the TeamViewer protocol, which lets the analyst use a filter to find all such sessions and check their legitimacy.
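Both the external remote services passage (T1133: protocols identified by packet contents rather than port numbers, so remote access sessions can be filtered out) and the third-party software passage above (T1072: VNC connections found by rule) rest on content-based protocol identification. The following added example, written for this article and not PT NAD's protocol engine, fingerprints RFB (VNC), SSH and RDP from the first bytes each side sends, ignores the TCP port entirely, and then lists remote-access sessions together with a flag for those on a non-standard port. The fingerprints are this example's own simplifications (TeamViewer is not covered), and the sessions with their addresses are constructed.

```python
"""Identify remote-access protocols by the first bytes of each side of a
session, independent of port (T1133 external remote services, T1072
third-party software such as VNC). Added example, not PT NAD's parsers."""
import re
from typing import Callable, List, NamedTuple, Optional, Tuple


class Session(NamedTuple):
    src: str
    dst: str
    dst_port: int
    client_first: bytes   # first bytes sent by the client
    server_first: bytes   # first bytes sent by the server


def is_rfb(s: Session) -> bool:
    # RFB (VNC): server greets with "RFB xxx.yyy\n", client answers with its version.
    return s.server_first.startswith(b"RFB ") and s.client_first.startswith(b"RFB ")


def is_ssh(s: Session) -> bool:
    return s.server_first.startswith(b"SSH-") and s.client_first.startswith(b"SSH-")


def is_rdp(s: Session) -> bool:
    # TPKT header (version 3, reserved 0, length) then X.224 Connection Request (code 0xE0).
    c = s.client_first
    return len(c) >= 6 and c[0] == 3 and c[1] == 0 and c[5] == 0xE0


HTTP_REQUEST = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def is_http(s: Session) -> bool:
    return HTTP_REQUEST.match(s.client_first) is not None


def is_tls(s: Session) -> bool:
    # TLS record: handshake (0x16), version 3.x, then a ClientHello (type 1).
    c = s.client_first
    return len(c) >= 6 and c[0] == 0x16 and c[1] == 3 and c[5] == 1


FINGERPRINTS: List[Tuple[str, Callable[[Session], bool]]] = [
    ("rfb/vnc", is_rfb), ("ssh", is_ssh), ("rdp", is_rdp), ("http", is_http), ("tls", is_tls),
]
REMOTE_ACCESS = {"rfb/vnc": 5900, "ssh": 22, "rdp": 3389}   # protocol -> usual port


def identify(s: Session) -> Optional[str]:
    """Protocol name from content only; the destination port is never consulted."""
    for name, check in FINGERPRINTS:
        if check(s):
            return name
    return None


def remote_access_sessions(sessions: List[Session]) -> List[Tuple[str, str, str, bool]]:
    """(src, dst, protocol, on_unusual_port) for every remote-access session."""
    flagged = []
    for s in sessions:
        proto = identify(s)
        if proto in REMOTE_ACCESS:
            flagged.append((s.src, s.dst, proto, s.dst_port != REMOTE_ACCESS[proto]))
    return flagged


# Constructed sessions; addresses are documentation/placeholder ranges.
SESSIONS = [
    Session("203.0.113.7", "10.0.0.5", 443, b"RFB 003.008\n", b"RFB 003.008\n"),   # VNC on 443
    Session("10.0.0.9", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.2\r\n", b"SSH-2.0-OpenSSH_8.2\r\n"),
    Session("10.0.0.9", "10.0.0.8", 3389, bytes.fromhex("0300002b26e00000000000"),
            bytes.fromhex("030000130ed0")),
    Session("10.0.0.9", "10.0.0.8", 443, bytes.fromhex("160301 00c8 0100 00c4".replace(" ", "")),
            b"\x16\x03\x03"),
    Session("10.0.0.9", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n",
            b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for entry in remote_access_sessions(SESSIONS):
        print(entry)
```

The first session is the case the text is about: a VNC handshake on port 443 is invisible to port-based filtering but is identified here from the RFB greeting, and the unusual-port flag makes it the first one an analyst would examine.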

11. T1204: user execution

A technique in which the user runs files that can lead to code execution. This can happen, for example, when they open an executable file or a Microsoft Office document containing a macro.

What PT NAD does: detects such files at the transfer stage, before they are launched. Information about them can be studied in the card of the session in which they were transferred.

12. T1047: Windows Management Instrumentation

Use of the WMI tool, which provides local and remote access to Windows system components. With WMI, attackers can interact with local and remote systems and perform various tasks, such as collecting information for discovery purposes and launching processes remotely during lateral movement.

What PT NAD does: Since interaction with remote systems via WMI is visible in traffic, PT NAD automatically detects network requests to establish WMI sessions and checks traffic for scripts that use WMI.

13. T1028: Windows Remote Management

Use of the Windows service and protocol that allows a user to interact with remote systems.

What PT NAD does: Detects network connections established using Windows Remote Management. Such sessions are detected automatically by rules.

14. T1220: XSL (Extensible Stylesheet Language) script processing

XSL is a stylesheet language used to describe the processing and rendering of data in XML files. To support complex operations, the XSL standard includes support for embedded scripts in various languages. These languages allow arbitrary code execution, which leads to bypassing whitelist-based security policies.

What PT NAD does: detects the transfer of such files over the network, that is, even before they are launched. It automatically detects XSL files being transferred over the network and files with anomalous XSL markup.

In the following articles we will look at how the PT Network Attack Discovery NTA system detects other attacker tactics and techniques according to MITRE ATT&CK. Stay tuned!
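For T1220, "anomalous XSL markup" in an XSL file seen in transit most concretely means a script element embedded in the stylesheet. The following added example, written for this article and not PT NAD's rule, recognizes an XSL document by its root element or namespace, parses it, and reports every embedded script element with its namespace and declared language. The msxsl namespace is Microsoft's published extension namespace for embedded script; the two stylesheets used as input are constructed (the scripted one carries a placeholder function, not a payload).

```python
"""Flag XSL stylesheets in transit that embed script (T1220).

Added example, not PT NAD's rules; sample documents are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # Microsoft extension namespace for <script>


def looks_like_xsl(data: bytes) -> bool:
    """Cheap check on the file head before spending a full XML parse."""
    head = data[:2048]
    return (b"<xsl:stylesheet" in head or b"<xsl:transform" in head
            or XSL_NS.encode() in head)


def find_embedded_scripts(data: bytes) -> List[Dict[str, str]]:
    """One record per element whose local name is 'script', in any namespace."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []   # not well-formed XML; a separate malformed-XSL rule would cover this
    hits = []
    for elem in root.iter():
        ns, _, local = elem.tag.rpartition("}")   # ElementTree tags look like "{ns}local"
        if local.lower() == "script":
            hits.append({
                "namespace": ns.lstrip("{"),
                "language": elem.get("language", "(unspecified)"),
                "implements_prefix": elem.get("implements-prefix", ""),
                "preview": (elem.text or "").strip()[:60],
                "microsoft_extension": str(ns.lstrip("{") == MSXSL_NS),
            })
    return hits


def analyze_xsl(data: bytes) -> Dict[str, object]:
    """Verdict for one file observed in transit."""
    result: Dict[str, object] = {"is_xsl": looks_like_xsl(data), "scripts": [], "suspicious": False}
    if result["is_xsl"]:
        scripts = find_embedded_scripts(data)
        result["scripts"] = scripts
        result["suspicious"] = bool(scripts)
    return result


# Constructed samples.
BENIGN_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="report/title"/></body></html></xsl:template>
</xsl:stylesheet>"""

SCRIPTED_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://placeholder.invalid/user">
  <msxsl:script language="JScript" implements-prefix="user">
    function greet() { return "constructed sample, no payload"; }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:greet()"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print(analyze_xsl(BENIGN_XSL))
    print(analyze_xsl(SCRIPTED_XSL))
```

Matching on the local name script in any namespace rather than only on msxsl:script is deliberate: the point of the detection is that the file can execute code at all, whichever processor's extension it targets.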

Authors:

  • Anton Kutepov, specialist at PT Expert Security Center, Positive Technologies
  • Natalia Kazankova, product marketer at Positive Technologies

Source: www.habr.com