Threat Hunting, or How to Protect Yourself from the 5% of Threats

95% of information security threats are known, and you can protect yourself from them with traditional tools such as antiviruses, firewalls, IDS and WAF. The remaining 5% of threats are unknown and the most dangerous. They account for 70% of a company's risk because they are very hard to detect, let alone defend against. Examples of such "black swans" are the WannaCry ransomware epidemic, NotPetya/ExPetr, cryptominers, the "cyber weapon" Stuxnet (which hit Iran's nuclear facilities) and many other attacks (does anyone still remember Kido/Conficker?) that classic security measures protect against poorly. We want to talk about how to counter these 5% of threats using Threat Hunting technology.

The continuous evolution of cyber attacks demands constant detection and countermeasures, which ultimately leads us to think of an endless arms race between attackers and defenders. Classic security systems can no longer provide an acceptable level of security, one at which the level of risk does not affect the company's key indicators (economic, political, reputational), without being adapted to a specific infrastructure, but in general they do cover part of the risk. Already during implementation and configuration, modern security systems find themselves playing catch-up and have to respond to the challenges of a new era.


Threat Hunting technology may be one of the answers to the challenges of our time for an information security specialist. The term Threat Hunting (hereinafter TH) appeared several years ago. The technology itself is very interesting, but it does not yet have generally accepted standards and rules. The matter is further complicated by the heterogeneity of information sources and the small number of Russian-language sources on the topic. For this reason, we at LANIT-Integration decided to write a review of this technology.

Relevance

TH technology is based on infrastructure monitoring processes. There are two main scenarios of internal monitoring: Alerting and Hunting. Alerting (similar to MSSP services) is the traditional way of searching for previously developed signatures and signs of attacks and responding to them. This scenario is successfully handled by traditional signature-based security tools. Hunting (an MDR-type service) is a monitoring method that answers the question "Where do the signatures and rules come from?" It is the process of creating correlation rules by analyzing hidden or previously unknown indicators and signs of an attack. Threat Hunting refers to this type of monitoring.

Only by combining both types of monitoring do we get protection that is close to ideal, but there is always some residual level of risk.

[Figure: Protection using two types of monitoring]

And here is why TH (and hunting in general!) will become ever more relevant:

[Figure: Threats, remedies, risks]

95% of all threats are already well studied. These include types such as spam, DDoS, viruses, rootkits and other classic malware. You can protect yourself from these threats with the same classic security measures.

In any project, 20% of the work takes 80% of the time, and the remaining 80% of the work takes the other 20%. Likewise, across the entire threat landscape, 80% of new threats will account for 5% of the risk to the company. In a company where information security processes are organized, we can manage 30% of the risk of known threats being realized in one way or another: by avoiding the risk (a ban on wireless networks in principle), accepting it (taking the necessary protective measures) or transferring it (for example, onto the shoulders of an integrator). Protecting yourself from zero-day vulnerabilities, APT attacks, phishing, supply chain attacks, cyber espionage and nation-state operations, as well as a large number of other attacks, is already much harder. The consequences of these 5% of threats will be far more serious (the average loss of a bank from the buhtrap group is 143 million) than the consequences of spam or viruses, which antivirus software protects against.

Almost everyone has to deal with the 5% of threats. We recently had to install an open-source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. An attempt to install this application via pear install failed because the website was unavailable (there is now a stub on it), and I had to install it from GitHub. And just recently it turned out that PEAR had been hit by a supply chain attack.


Still fresh in memory are the attack through CCleaner and the NotPetya ransomware epidemic delivered through the update module of the MEDoc tax reporting program. Threats are becoming more and more sophisticated, and a logical question arises: "How do we counter these 5% of threats?"

Definition of Threat Hunting

So, Threat Hunting is the process of proactively and iteratively searching for and detecting advanced threats that traditional security tools cannot detect. Advanced threats include, for example, attacks such as APTs, attacks on 0-day vulnerabilities, Living off the Land, and so on.

We can also rephrase this: TH is the process of testing hypotheses. It is a manual process with elements of automation, in which the analyst, relying on their knowledge and skills, sifts through large volumes of information in search of signs of compromise that match an initially formulated hypothesis about the presence of a certain threat. Its distinctive feature is the variety of information sources.

It should be noted that Threat Hunting is not some kind of software or hardware product. It is not a set of alerts that can be viewed in some solution. It is not a process of searching for IOCs (Indicators of Compromise). And it is not some passive activity that happens without the participation of information security analysts. Threat Hunting is first and foremost a process.

Components of Threat Hunting

The three main components of Threat Hunting: data, technology, people.

Data (what?), including Big Data. All kinds of traffic flows, information about past APTs, analytics, data on user activity, network data, information from employees, information from the darknet and much more.

Technologies (how?) for processing this data: every possible way of processing this data, including Machine Learning.

People (who?): those who have extensive experience in analyzing various attacks and have developed the intuition and the ability to spot an attack. Usually these are information security analysts who must be able to generate hypotheses and find evidence for them. They are the main link in the process.

The PARIS Model

Adam Bateman describes the PARIS model of an ideal TH process. The name alludes to a famous landmark in France. This model can be viewed in two directions: from the top and from the bottom.

As we work our way through the model from the bottom up, we encounter a great deal of evidence of malicious activity. Each piece of evidence has a measure called confidence, a characteristic that reflects the weight of that evidence. There is "ironclad", direct evidence of malicious activity, which lets us reach the top of the pyramid immediately and raise an actual alert about a precisely known infection. And there is indirect evidence, the sum of which can also lead us to the top of the pyramid. As always, there is far more indirect evidence than direct evidence, which means it has to be sorted and analyzed, additional research has to be carried out, and it is advisable to automate this.

[Figure: The PARIS model]

The upper part of the model (1 and 2) is built on automation technologies and various analytics, and the lower part (3 and 4) on people with certain qualifications who drive the process. You can also read the model from the top down: in the upper, blue part we have alerts from traditional security tools (antivirus, EDR, firewall, signatures) with a high degree of confidence and trust, and below them are indicators (IOC, URL, MD5 and others) that have a lower degree of certainty and require further study. The lowest and widest level (4) is hypothesis generation, the creation of new scenarios for the operation of traditional means of protection. This level is not limited to the listed sources of hypotheses. The lower the level, the higher the demands placed on the analyst's qualifications.

It is very important that analysts do not merely test a finite set of predefined hypotheses, but constantly work on generating new hypotheses and new ways of testing them.

TH Adoption Maturity Model

In an ideal world, TH is a continuous process. But since there is no ideal world, let us analyze the maturity model and the methods in terms of the people, processes and technologies used. Let us consider a model of an ideal, "spherical" TH. There are 5 levels of adoption of this technology. Let us walk through them using the example of the evolution of a single team of analysts.

| Maturity level | People | Process | Technology |
|---|---|---|---|
| Level 0: Traditional | SOC analysts, 24/7, no TH | Set of alerts, passive monitoring, working with alerts | Traditional tools: IDS, AV, sandboxing, signature analysis tools, Threat Intelligence data |
| Level 1: Experimental | SOC analysts, one-time TH, basic forensics knowledge, good knowledge of networks and applications | Experiments with TH, IOC search | EDR, partial coverage of data from network devices, partial use |
| Level 2: Periodic | Short-term work in sprints, average forensics knowledge, deep knowledge of networks and applications | Short-term TH, a week per month, regular TH | EDR, full use, full automation of EDR data usage, partial use of advanced EDR capabilities |
| Level 3: Preventive | Dedicated TH team, 24/7, limited ability to test TH hypotheses, expert forensics and malware knowledge, excellent knowledge of the attacking side | Preventive TH, special TH cases | Full use of advanced EDR capabilities, full coverage of data from network devices, configuration to suit your needs |
| Level 4: Leading | Dedicated TH team, 24/7, full ability to test TH hypotheses, expert forensics and malware knowledge, excellent knowledge of the attacking side, research capability | Leading TH; testing, automation and verification of TH hypotheses | Level 3 plus: tight integration of data sources; development to meet needs and non-standard use of APIs |

TH maturity levels by people, processes and technologies

Level 0: traditional, without using TH. Regular analysts work with a standard set of alerts in passive monitoring mode using standard tools and technologies: IDS, AV, sandbox, signature analysis tools.

Level 1: experimental, using TH. The same analysts, with basic forensics knowledge and good knowledge of networks and applications, can carry out one-time Threat Hunting by searching for indicators of compromise. EDRs are added to the toolset, with partial coverage of data from network devices. The tools are used only partially.

Level 2: periodic, short-term TH. The same analysts, who have already improved their knowledge of forensics, networks and applications, are required to engage in Threat Hunting regularly (in sprints), say, a week per month. The toolset adds full exploration of data from network devices, automated analysis of EDR data, and partial use of advanced EDR capabilities.

Level 3: preventive, frequent TH cases. Our analysts have organized themselves into a dedicated team and have begun to acquire expert knowledge of forensics and malware, as well as knowledge of the methods and techniques of the attacking side. The process now runs 24/7. The team is able to test a limited number of TH hypotheses while making full use of advanced EDR capabilities with full coverage of data from network devices. Analysts are also able to configure the tools to suit their needs.

Level 4: high-end, leading TH. The same team has acquired the ability to research, generate and automate the process of testing TH hypotheses. The toolset is now supplemented by tight integration of data sources, software development to meet the team's needs, and non-standard use of APIs.

Threat Hunting Techniques

[Figure: Basic Threat Hunting techniques]

The TH techniques, in order of increasing maturity of the technology used, are: basic search, statistical analysis, visualization techniques, simple aggregation, machine learning, and Bayesian methods.

The simplest method, basic search, is used to narrow the area of investigation with specific queries. Statistical analysis is used, for example, to describe typical user or network activity in the form of a statistical model. Visualization techniques are used to display data as graphs and charts and thereby simplify its analysis, which makes it much easier to spot patterns in the sample. Simple aggregation by key fields is used to make search and analysis more efficient. The more mature an organization's TH process, the more relevant machine learning algorithms become. They are also widely used for filtering spam, detecting malicious traffic and detecting fraudulent activity. A more advanced kind of machine learning algorithm is the family of Bayesian methods, which allow classification, sample size reduction, and topic modeling.
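As an added illustration (not code from the article), three of the techniques listed above, basic search, simple aggregation by a key field and a statistical baseline, run over constructed hourly logon counts; the records, field names and the z-score threshold are assumptions made for this example.

```python
"""Added example (not from the article): basic search, aggregation by a
key field and a statistical baseline over constructed logon counts.
Records, field names and the z-score threshold are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, hour_of_day, number_of_logons_in_that_hour).
# alice has one hour (03:00) far above her usual activity.
SAMPLE_LOGONS = [
    ("alice", 9, 3), ("alice", 10, 4), ("alice", 11, 3), ("alice", 14, 4),
    ("alice", 15, 3), ("alice", 16, 4), ("alice", 3, 40),
    ("bob", 9, 2), ("bob", 10, 2), ("bob", 11, 3), ("bob", 14, 2),
    ("bob", 15, 3), ("bob", 16, 2), ("bob", 17, 2),
]


def basic_search(records, user=None, min_hour=None, max_hour=None):
    """Basic search: narrow the data set with a specific query
    (filter by user and/or an hour-of-day window)."""
    hits = []
    for u, hour, count in records:
        if user is not None and u != user:
            continue
        if min_hour is not None and hour < min_hour:
            continue
        if max_hour is not None and hour > max_hour:
            continue
        hits.append((u, hour, count))
    return hits


def aggregate_by_user(records):
    """Simple aggregation by the key field `user`: one list of
    (hour, count) pairs per user, the unit the baseline is built on."""
    agg = defaultdict(list)
    for u, hour, count in records:
        agg[u].append((hour, count))
    return agg


def baseline_outliers(records, z_threshold=2.0, min_samples=3):
    """Statistical analysis: build each user's typical hourly logon
    count (mean and population std dev) and return the hours whose
    z-score exceeds the threshold as hunting leads."""
    leads = []
    for u, hours in aggregate_by_user(records).items():
        counts = [c for _, c in hours]
        if len(counts) < min_samples:
            continue  # too little history to call anything abnormal
        mu, sigma = mean(counts), pstdev(counts)
        if sigma == 0:
            continue  # perfectly regular user, nothing to flag
        for hour, c in hours:
            z = (c - mu) / sigma
            if z > z_threshold:
                leads.append({"user": u, "hour": hour, "count": c,
                              "z": round(z, 2)})
    return leads


if __name__ == "__main__":
    for lead in baseline_outliers(SAMPLE_LOGONS):
        print(lead)
```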

The Diamond Model and TH Strategies

Sergio Caltagirone, Andrew Pendergast and Christopher Betz, in their paper "The Diamond Model of Intrusion Analysis", showed the key components of any malicious activity and the relationships between them.

[Figure: The Diamond model of malicious activity]

According to this model, there are 4 Threat Hunting strategies, each based on the corresponding key component.

1. Victim-centric strategy. We assume that the victim has adversaries and that they deliver "opportunities" by email. We look for adversary data in the mail: links, attachments, and so on. We look for confirmation of this hypothesis over a certain period of time (a month, two weeks); if we do not find any, the hypothesis did not work out.

2. Infrastructure-centric strategy. There are several ways to apply this strategy. Depending on access and visibility, some are easier than others. For example, we monitor domain name servers known to host malicious domains. Or we monitor all domain name registrations for a known pattern used by an adversary.

3. Capability-centric strategy. Besides the victim-centric strategy used by most network defenders, there is a capability-centric strategy. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's ability to use legitimate tools such as psexec, powershell, certutil and others.

4. Adversary-centric strategy. The adversary-centric approach focuses on the adversary itself. This includes the use of information from publicly available sources (OSINT), the collection of data about the adversary, its techniques and methods (TTPs), the analysis of previous incidents, Threat Intelligence data, and so on.
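One way a capability-centric hunt can be put into code, as an added example that is not from the article: constructed Sysmon-style process-creation events are scanned for the legitimate tools named above (psexec, powershell, certutil) combined with argument patterns that are rare in routine administration, and each hit is scored for triage. The events, rules, scores and field names are assumptions made for this example.

```python
"""Added example (not from the article): capability-centric hunting over
constructed process-creation events. Events, rules, scores and field
names are assumptions made for this example."""
import re

# Constructed sample events: (host, parent_image, image, command_line).
# The "-enc" payload is the UTF-16LE base64 of the string "ABC", a dummy.
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("ws01", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ("ws02", "cmd.exe", "certutil.exe",
     "certutil.exe -urlcache -f http://files.example.invalid/a.txt a.txt"),
    ("srv01", "services.exe", "psexesvc.exe", "psexesvc.exe"),
    ("ws03", "cmd.exe", "powershell.exe", "powershell.exe Get-Service"),
    ("ws03", "cmd.exe", "certutil.exe", "certutil.exe -verify cert.cer"),
]

# (regex on image, regex on command line, score, finding label)
RULES = [
    (r"powershell\.exe$", r"(?i)-(enc|encodedcommand)\b", 4,
     "encoded PowerShell command"),
    (r"powershell\.exe$", r"(?i)-w(indowstyle)?\s+hidden", 2,
     "hidden PowerShell window"),
    (r"certutil\.exe$", r"(?i)-urlcache", 4, "certutil fetching a URL"),
    (r"certutil\.exe$", r"(?i)-decode", 3, "certutil decoding a file"),
    (r"psexesvc\.exe$", r".*", 3, "PsExec service binary running"),
]
# Parents that should rarely spawn these tools at all.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def score_event(event):
    """Return (score, findings) for one event; 0 means nothing matched."""
    _host, parent, image, cmd = event
    score, findings = 0, []
    for image_re, cmd_re, points, label in RULES:
        if re.search(image_re, image, re.I) and re.search(cmd_re, cmd):
            score += points
            findings.append(label)
    if findings and parent.lower() in OFFICE_PARENTS:
        score += 3  # context raises confidence, as in the PARIS model
        findings.append("spawned by an Office application")
    return score, findings


def hunt(events, min_score=3):
    """Score every event and return leads at or above min_score,
    highest score first, so the analyst triages the worst host first."""
    leads = []
    for ev in events:
        score, findings = score_event(ev)
        if score >= min_score:
            leads.append({"host": ev[0], "image": ev[2],
                          "score": score, "findings": findings})
    return sorted(leads, key=lambda lead: lead["score"], reverse=True)


if __name__ == "__main__":
    for lead in hunt(SAMPLE_EVENTS):
        print(lead)
```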

Information Sources and Hypotheses in TH

[Figure: Some sources of information for Threat Hunting]

There can be many sources of information. An ideal analyst should be able to extract information from everything around them. The typical sources in almost any infrastructure will be data from security tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR. Other typical sources are various indicators of compromise, Threat Intelligence services, CERT and OSINT data. In addition, you can use information from the darknet (for example, an order suddenly appears to hack the mailbox of the head of the organization, or a candidate for the position of network engineer has been exposed for his activity there), information received from HR (a reference on a candidate from a previous place of work), and information from the corporate security service (for example, the results of vetting a counterparty).

But before using all the available sources, you need to have at least one hypothesis.


To test hypotheses, they first have to be put forward. And to put forward many high-quality hypotheses, a systematic approach is needed. The process of generating hypotheses is described in more detail in the article; it is very convenient to take that scheme as the basis for your hypothesis generation process.

The main source of hypotheses will be the ATT&CK matrix (Adversarial Tactics, Techniques and Common Knowledge). It is, in essence, a knowledge base and a model for assessing the behavior of attackers who carry out their activity in the final stages of an attack, usually described with the Kill Chain concept, that is, in the stages after the attacker has penetrated the enterprise's internal network or a mobile device. The knowledge base originally included descriptions of 121 tactics and techniques used in attacks, each described in detail in Wiki format. Various Threat Intelligence analytics are also well suited as a source for generating hypotheses. Of particular note are the results of infrastructure analysis and penetration tests: this is the most valuable data, and it can give us ironclad hypotheses because they are based on a specific infrastructure with its specific shortcomings.

Hypothesis Testing Process

Sergei Soldatov came up with a good diagram with a detailed description of the process that illustrates how TH hypotheses are tested in a single system. I will show the main stages with a brief description.


Stage 1: TI Farm

At this stage it is necessary to single out objects (by analyzing them together with all the threat data) and label their characteristics. The objects are files, URLs, MD5 hashes, processes, utilities, events. When passing them through Threat Intelligence systems, tags must be attached: this site was seen as a CNC in such-and-such a year, this MD5 was associated with such-and-such malware, this MD5 was downloaded from a site that distributed malware.

Stage 2: Cases

At the second stage, we look at the interactions between these objects and identify the relationships between all of them. We obtain marked systems that are doing something bad.

Stage 3: Analyst

At the third stage, the case is handed to an experienced analyst with extensive analytical experience, who gives a verdict. He works out, down to the bytes, what this code does, where, how and why. This body was malware, this computer was infected. He reveals the connections between objects and checks the results of running the sample through the sandbox.

The results of the analyst's work are passed on. Digital Forensics examines disk images, Malware Analysis examines the "bodies" found, and the Incident Response team can go on site and investigate something already there. The outcome of the work is a confirmed hypothesis, an identified attack and ways to counter it.
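The three stages above, together with the PARIS distinction between direct and indirect evidence, as an added example that is not from the article: observed objects are tagged from a Threat Intelligence feed (stage 1), tagged objects seen on the same host are linked into a case (stage 2), and a case is handed to an analyst when one piece of direct evidence or enough accumulated indirect evidence crosses a threshold (stage 3). The feed, observations, confidence values and thresholds are constructed placeholders, not real indicators.

```python
"""Added example (not from the article): TI tagging, case building and
confidence-based triage. Feed entries, observations, confidence values
and thresholds are constructed placeholders, not real indicators."""
from collections import defaultdict

# Constructed TI feed: object value -> (tag, confidence 0..1, is_direct)
TI_FEED = {
    "MD5-PLACEHOLDER-1": ("sample of malware family X", 0.9, True),
    "http://c2.example.invalid/update": ("seen as CNC in 2018", 0.5, False),
    "certutil.exe": ("legitimate tool often abused for downloads", 0.2, False),
}

# Constructed observations from endpoints and proxies: (host, type, value)
OBSERVATIONS = [
    ("ws01", "md5", "MD5-PLACEHOLDER-1"),
    ("ws01", "url", "http://c2.example.invalid/update"),
    ("ws02", "url", "http://c2.example.invalid/update"),
    ("ws02", "process", "certutil.exe"),
    ("ws03", "process", "certutil.exe"),
    ("ws03", "process", "notepad.exe"),
]


def ti_farm(observations, feed=TI_FEED):
    """Stage 1: keep only objects the feed knows, attaching its tag,
    confidence and whether it counts as direct evidence."""
    tagged = []
    for host, otype, value in observations:
        if value in feed:
            tag, conf, direct = feed[value]
            tagged.append({"host": host, "type": otype, "value": value,
                           "tag": tag, "confidence": conf, "direct": direct})
    return tagged


def build_cases(tagged):
    """Stage 2: group tagged objects per host (a case) and record which
    hosts share an object, the relationship an analyst follows next."""
    cases = defaultdict(list)
    hosts_by_object = defaultdict(set)
    for obj in tagged:
        cases[obj["host"]].append(obj)
        hosts_by_object[obj["value"]].add(obj["host"])
    shared = {v: sorted(h) for v, h in hosts_by_object.items() if len(h) > 1}
    return dict(cases), shared


def triage(cases, direct_threshold=0.8, indirect_threshold=0.6):
    """Stage 3 hand-off: 'alert' on strong direct evidence, 'escalate'
    when indirect evidence adds up, otherwise keep the host on 'monitor'."""
    verdicts = {}
    for host, objs in cases.items():
        direct = max((o["confidence"] for o in objs if o["direct"]), default=0.0)
        indirect = sum(o["confidence"] for o in objs if not o["direct"])
        if direct >= direct_threshold:
            verdicts[host] = "alert"
        elif indirect >= indirect_threshold:
            verdicts[host] = "escalate"
        else:
            verdicts[host] = "monitor"
    return verdicts


if __name__ == "__main__":
    cases, shared = build_cases(ti_farm(OBSERVATIONS))
    print(triage(cases), shared)
```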


Conclusions

Threat Hunting is a fairly young technology that can effectively counter customized, new and non-standard threats, and it has great prospects given the growing number of such threats and the increasing complexity of corporate infrastructure. It requires three components: data, tools and analysts. The benefits of Threat Hunting are not limited to preventing threats from being realized. Do not forget that during the hunt we look deep into our own infrastructure and its weak points through the eyes of a security analyst, and can then strengthen those points further.

The first steps that, in our opinion, should be taken to start the TH process in your organization:

  1. Take care of endpoint and network protection. Ensure visibility (NetFlow) and control (firewall, IDS, IPS, DLP) over all processes on your network. Know your network from the edge router to the last host.
  2. Study MITRE ATT&CK.
  3. Conduct pentests of the most critical external resources, analyze their results, identify the main attack targets and close their vulnerabilities.
  4. Deploy an open-source Threat Intelligence system (for example, MISP, Yeti) and analyze logs together with it.
  5. Deploy an incident response platform (IRP): R-Vision IRP, The Hive, and a sandbox for analyzing suspicious files (FortiSandbox, Cuckoo).
  6. Automate routine processes. Log analysis, incident recording and notifying staff are a huge field for automation.
  7. Learn to interact effectively with engineers, developers and technical support to work together on incidents.
  8. Document the whole process, the key points and the results obtained, so that you can return to them later or share this data with colleagues.
  9. Be socially aware: know what is happening with your employees, whom you hire, and whom you give access to the organization's information resources.
  10. Keep up with trends in new threats and methods of protection, raise your level of technical literacy (including in the operation of IT services and subsystems), attend conferences and talk to colleagues.

We are ready to discuss how to organize the TH process in the comments.

Or come and work with us!

Sources and materials for further study

Source: www.habr.com
