Litaelo le maqheka a ho arabela liketsahalong tsa ts'ireletso ea tlhahisoleseding, mekhoa ea litlhaselo tsa morao-rao tsa cyber, mekhoa ea ho batlisisa ho lutla ha data lik'hamphaning, ho etsa lipatlisiso ka libatli le lisebelisoa tsa thelefono, ho hlahloba lifaele tse patiloeng, ho ntša lintlha tsa geolocation le litlhahlobo tsa lintlha tse ngata - tsena tsohle le lihlooho tse ling. e ka ithutoa lithutong tse ncha tse kopaneng tsa Group-IB le Belkasoft. Ka August re thupelo ea pele ea Belkasoft Digital Forensics, e qalang ka la 9 Loetse, 'me ha re se re fumane lipotso tse ngata, re ile ra etsa qeto ea ho bua ka ho qaqileng haholoanyane ka seo liithuti li tla ithuta sona, ke tsebo efe, bokhoni le libonase (!) fihla pheletsong. Lintho tsa pele pele.
Ba babeli Kaofela ho e le 'ngoe
Mohopolo oa ho tšoara lithupelo tse kopaneng o hlahile ka mor'a hore barupeluoa ba sehlopha sa IB ba qale ho botsa ka sesebelisoa se ka ba thusang ho batlisisa lits'ebetso tsa khomphutha le marang-rang a senyehileng, le ho kopanya ts'ebetso ea lits'ebeletso tse fapaneng tsa mahala tseo re khothaletsang ho li sebelisa nakong ea karabelo ea liketsahalo.
Ka maikutlo a rona, sesebelisoa se joalo e ka ba Setsi sa Bopaki sa Belkasoft (re se re buile ka sona Igor Mikhailov "Ntho ea bohlokoa ho qaleng: software e ntle ka ho fetisisa le lisebelisoa tsa forensics tsa khomphutha"). Ka hona, rona, hammoho le Belkasoft, re thehile lithuto tse peli tsa koetliso: Belkasoft Digital Forensics и Tlhahlobo ea Karabo ea Ketsahalo ea Belkasoft.
BOHLOKOA: lithupelo li latelana ebile li hokahane! Belkasoft Digital Forensics e nehetsoe lenaneong la Setsi sa Bopaki sa Belkasoft, 'me Tlhahlobo ea Karabelo ea Ketsahalo ea Belkasoft e ikemiselitse ho etsa lipatlisiso tsa liketsahalo tse sebelisang lihlahisoa tsa Belkasoft. Ka mantsoe a mang, pele re ithuta thupelo ea Tlhahlobo ea Karabelo ea Ketsahalo ea Belkasoft, re khothaletsa ka matla ho phethela thupelo ea Belkasoft Digital Forensics. Haeba u qala hang-hang ka thupelo ea lipatlisiso tsa liketsahalo, seithuti se ka 'na sa ba le likheo tse khopisang tsa ho sebelisa Setsi sa Bopaki sa Belkasoft, ho fumana le ho hlahloba lintho tsa khale tsa khale. Sena se ka lebisa tabeng ea hore nakong ea thupelo thupelong ea Belkasoft Incident Response Examination, seithuti se ka 'na sa se ke sa ba le nako ea ho tseba boitsebiso, kapa se tla fokotsa sehlopha sohle ho fumana tsebo e ncha, kaha nako ea koetliso e tla sebelisoa. ka mokoetlisi ea hlalosang lintho tse tsoang thupelong ea Belkasoft Digital Forensics.
Forensics ea khomphutha e nang le Setsi sa Bopaki sa Belkasoft
Morero oa thupelo Belkasoft Digital Forensics - tsebisa baithuti lenaneong la Belkasoft Evidence Center, ba rute ho sebelisa lenaneo lena ho bokella bopaki ho tsoa mehloling e fapaneng (polokelo ea leru, memori ea phihlello e sa reroang (RAM), lisebelisoa tsa mehala, media ea polokelo (li-hard drive, li-flash drive, jj.), master mekhoa le mekhoa ea motheo ea forensic, mekhoa ea tlhahlobo ea forensic ea Windows artifacts, mobile devices, RAM dumps.U tla boela u ithute ho khetholla le ho ngola litokomane tsa li-browser le mananeo a melaetsa ea hang-hang, ho etsa likopi tsa forensic tsa data ho tsoa mehloling e fapaneng, ho ntša data ea geolocation le ho batla. bakeng sa tatellano ea mongolo (patlo ea mantsoe a sehlooho), sebelisa li-hashes ha u etsa lipatlisiso, hlahloba registry ea Windows, tseba bokhoni ba ho hlahloba li-database tse sa tsejoeng tsa SQLite, metheo ea ho hlahloba lifaele tsa litšoantšo le tsa video, le mekhoa ea ho hlahloba e sebelisoang nakong ea lipatlisiso.
Thupelo ena e tla ba molemo ho litsebi tse nang le tsebo e khethehileng lefapheng la forensics ea tekheniki ea khomphutha (forensics ea khomphutha); litsebi tsa tekheniki tse khethollang mabaka a ho kenella ka katleho, ho sekaseka letoto la liketsahalo le litlamorao tsa litlhaselo tsa cyber; litsebi tsa tekheniki tse khethollang le ho ngola bosholu ba data (ho lutla) ke motho ea ka hare (motloli oa ka hare); litsebi tsa e-Discovery; Basebetsi ba SOC le CERT/CSIRT; basebetsi ba tshireletso ya tlhahisoleseding; ba chesehelang lipatlisiso tsa khomphutha.
Morero oa thupelo:
- Setsi sa Bopaki sa Belkasoft (BEC): mehato ea pele
- Pōpo le ts'ebetso ea linyeoe ho BEC
- Bokella bopaki ba dijithale bakeng sa lipatlisiso tsa forensic le BEC
- Ho sebelisa li-filters
- Ho hlahisa litlaleho
- Lipatlisiso ka Mananeo a Melaetsa ea Hang-hang
- Patlisiso ea Sebatli sa Marang-rang
- Patlisiso ea Sesebelisoa sa Mehala
- E ntša lintlha tsa geolocation
- Ho batla tatellano ea mongolo maemong
- Ho hula le ho sekaseka data ho tsoa ho polokelo ea leru
- Ho sebelisa li-bookmark ho totobatsa bopaki ba bohlokoa bo fumanoeng nakong ea lipatlisiso
- Tlhahlobo ea lifaele tsa sistimi ea Windows
- Windows Registry Analysis
- Tlhahlobo ea li-database tsa SQLite
- Mekhoa ea ho Fumana Boitsebiso
- Mekhoa ea ho hlahloba lithōle tsa RAM
- Ho sebelisa hash calculator le hash analysis ho lipatlisiso tsa forensic
- Tlhahlobo ea lifaele tse patiloeng
- Mekhoa ea ho ithuta lifaele tsa graphic le video
- Tšebeliso ea mekhoa ea ho hlahloba lipatlisiso tsa forensic
- Iketsetse liketso tse tloaelehileng u sebelisa puo ea mananeo a Belkascripts
- Lithuto tse sebetsang
Course: Tlhahlobo ea Karabelo ea Ketsahalo ea Belkasoft
Sepheo sa thupelo ke ho ithuta metheo ea lipatlisiso tsa forensic tsa litlhaselo tsa cyber le menyetla ea ho sebelisa Setsi sa Bopaki sa Belkasoft lipatlisisong. U tla ithuta ka li-vector tse ka sehloohong tsa litlhaselo tsa sejoale-joale ho marang-rang a likhomphutha, ithute ho hlophisa litlhaselo tsa likhomphutha tse ipapisitseng le MITER ATT&CK matrix, sebelisa li-algorithms tsa lipatlisiso tsa sistimi ho fumana 'nete ea ho sekisetsa le ho nchafatsa liketso tsa bahlaseli, ithute hore na lintho tsa khale li fumaneha hokae. bonts'a hore na ke lifaele life tse ileng tsa buloa ho qetela , moo tsamaiso ea ts'ebetso e bolokang tlhahisoleseding mabapi le hore na lifaele tse phethisoang li kopitsoe le ho bolaoa joang, hore na bahlaseli ba ile ba falla joang ho pholletsa le marang-rang, 'me ba ithuta ho hlahloba lintho tsena tse entsoeng ka matsoho ba sebelisa BEC. U tla boela u ithute hore na ke liketsahalo life tse ka har'a li-log tsa sistimi tse khahlang ho latela pono ea lipatlisiso tsa liketsahalo le ho fumana phihlello e hole, 'me u ithute ho li batlisisa u sebelisa BEC.
Thupelo ena e tla ba molemo ho litsebi tsa tekheniki tse khethollang mabaka a ho kenella ka katleho, ho sekaseka liketane tsa liketsahalo le litlamorao tsa tlhaselo ea cyber; batsamaisi ba tsamaiso; Basebetsi ba SOC le CERT/CSIRT; basebetsi ba tshireletso ya tlhahisoleseding.
Course Overview
Cyber Kill Chain e hlalosa mehato ea mantlha ea tlhaselo efe kapa efe ea tekheniki likhomphutha tsa motho ea hlasetsoeng (kapa marang-rang a khomphutha) ka tsela e latelang:
Liketso tsa basebetsi ba SOC (CERT, tšireletso ea tlhahisoleseding, joalo-joalo) li reretsoe ho thibela batho ba kenang ka har'a naha ho fumana mehloli ea tlhahisoleseding e sirelelitsoeng.
Haeba bahlaseli ba kenella lits'ebetsong tse sirelelitsoeng, batho ba kaholimo ba lokela ho leka ho fokotsa ts'enyehelo e tsoang mesebetsing ea bahlaseli, ba tsebe hore na tlhaselo e entsoe joang, ba hlophise liketsahalo le tatellano ea liketso tsa bahlaseli ka har'a sebopeho sa tlhaiso-leseling se senyehileng, 'me ba nke. mehato ea ho thibela mofuta ona oa tlhaselo nakong e tlang.
Mefuta e latelang ea mesaletsa e ka fumanoa litsing tsa tlhahisoleseling tse senyehileng, tse bonts'ang hore marang-rang (khomphutha) e senyehile:
Melato eohle e joalo e ka fumanoa ho sebelisoa lenaneo la Belkasoft Evidence Center.
BEC e na le module ea "Incident Investigation", moo, ha ho hlahlojoa mecha ea litaba ea polokelo, ho behoa tlhahisoleseding e mabapi le lintho tsa khale tse ka thusang mofuputsi ha a batlisisa liketsahalo.
BEC e ts'ehetsa tlhahlobo ea mefuta ea mantlha ea li-artifact tsa Windows tse bonts'ang ts'ebetso ea lifaele tse ka sebetsoang tsamaisong e ntseng e etsoa lipatlisiso, ho kenyeletsoa Amcache, Userassist, Prefetch, BAM/DAM, , tlhahlobo ea liketsahalo tsa tsamaiso.
Tlhahisoleseding e mabapi le mesaletsa e nang le tlhahisoleseling mabapi le liketso tsa basebelisi tsamaisong e senyehileng e ka hlahisoa ka mokhoa o latelang:
Tlhahisoleseding ena, har'a lintho tse ling, e kenyelletsa tlhahisoleseling mabapi le ho tsamaisa lifaele tse phethiloeng:
Lintlha tse mabapi le ho tsamaisa faele ea 'RDPWInst.exe'.
Lintlha tse mabapi le boteng ba bahlaseli lits'ebetsong tse senyehileng li ka fumanoa ho linotlolo tsa ho qala tsa Windows registry, lits'ebeletso, mesebetsi e reriloeng, mangolo a Logon, WMI, joalo-joalo. Mehlala ea ho lemoha tlhahisoleseling mabapi le bahlaseli ba khomaretsoeng tsamaisong e ka bonoa litšoantšong tse latelang:
Ho qobella bahlaseli ho sebelisa kemiso ea mosebetsi ka ho theha mosebetsi o tsamaisang mongolo oa PowerShell.
Ho kopanya bahlaseli ba sebelisang Windows Management Instrumentation (WMI).
Ho kopanya bahlaseli ka ho sebelisa mongolo oa Logon.
Ho tsamaea ha bahlaseli ho pholletsa le marang-rang a khomphuta e senyehileng ho ka fumanoa, ka mohlala, ka ho hlahloba lits'ebetso tsa tsamaiso ea Windows (haeba bahlaseli ba sebelisa tšebeletso ea RDP).
Lintlha mabapi le likhokahano tsa RDP tse fumanoeng.
Tlhahisoleseding e mabapi le motsamao oa bahlaseli ho pholletsa le marang-rang.
Ka hona, Setsi sa Bopaki sa Belkasoft se ka thusa bafuputsi ho tsebahatsa likhomphutha tse senyehileng marangrang a khomphutha e hlasetsoeng, ho fumana mesaletsa ea ho hlahisoa ha malware, mesaletsa ea ho lokisoa tsamaisong le ho sisinyeha ha marang-rang, le mesaletsa e meng ea ts'ebetso ea bahlaseli likhomphutha tse senyehileng.
Mokhoa oa ho etsa lipatlisiso tse joalo le ho lemoha lintho tsa khale tse hlalositsoeng ka holimo li hlalositsoe thupelong ea koetliso ea Tlhahlobo ea Karabelo ea Ketsahalo ea Belkasoft.
Morero oa thupelo:
- Mekhoa ea Cyberattack. Theknoloji, lisebelisoa, lipakane tsa bahlaseli
- Ho sebelisa mekhoa ea litšokelo ho utloisisa maqheka, mekhoa le mekhoa ea bahlaseli
- Cyber kill chain
- Algorithm ea karabelo ea ketsahalo: boitsebahatso, sebaka sa sebaka, tlhahiso ea matšoao, batla li-node tse ncha tse tšoaelitsoeng
- Tlhahlobo ea litsamaiso tsa Windows tse sebelisang BEC
- Ho sibolloa ha mekhoa ea ts'oaetso ea mantlha, phatlalatso ea marang-rang, ho kopanya, le ts'ebetso ea marang-rang ea malware e sebelisang BEC
- Hlalosa litsamaiso tse tšoaelitsoeng le ho khutlisetsa nalane ea ts'oaetso ka BEC
- Lithuto tse sebetsang
LBHLithuto li tšoareloa hokae?
Lithuto li tšoareloa ntlo-kholo ea Sehlopha-IB kapa sebakeng sa kantle (setsi sa koetliso). Hoa khoneha hore mokoetlisi a tsamaee libakeng tse nang le bareki ba mekhatlo.
Ke mang ea tsamaisang litlelase?
Bakoetlisi ho Group-IB ke litsebi tse nang le boiphihlelo ba lilemo tse ngata tsa ho etsa lipatlisiso tsa forensic, lipatlisiso tsa khoebo le ho arabela liketsahalong tsa ts'ireletso ea tlhahisoleseling.
Litšoaneleho tsa bakoetlisi li netefatsoa ke litifikeiti tse ngata tsa machaba: GCFA, MCFE, ACE, EnCE, joalo-joalo.
Bakoetlisi ba rona ba fumana puo e tloaelehileng habonolo le bamameli, ba hlalosa ka ho hlaka esita le lihlooho tse thata ka ho fetisisa. Baithuti ba tla ithuta lintlha tse ngata tse bohlokoa le tse khahlisang mabapi le ho batlisisa liketsahalo tsa khomphutha, mekhoa ea ho tseba le ho hanyetsa litlhaselo tsa likhomphutha, le ho fumana tsebo e sebetsang eo ba ka e sebelisang hang ka mor'a ho fumana mangolo.
Na lithupelo li tla fana ka litsebo tse sebetsang tse sa amaneng le lihlahisoa tsa Belkasoft, kapa na litsebo tsee li tla be li sa sebetse ntle le software ee?
Tsebo e fumanoeng nakong ea thupelo e tla ba molemo ntle le ho sebelisa lihlahisoa tsa Belkasoft.
Ke eng e kenyellelitsoeng tekong ea pele?
Teko ea mantlha ke teko ea tsebo ea metheo ea forensics ea khomphutha. Ha ho na merero ea ho leka tsebo ea lihlahisoa tsa Belkasoft le Group-IB.
Nka fumana lintlha kae mabapi le lithupelo tsa k'hamphani?
E le karolo ea lithuto tsa thuto, Group-IB e koetlisa litsebi mabapi le karabelo ea liketsahalo, lipatlisiso tsa malware, litsebi tsa cyber intelligence (Threat Intelligence), litsebi tse sebetsang Setsing sa Ts'ebetso ea Ts'ireletso (SOC), litsebi tsa ts'ebetso ea ho tsoma litšokelo (Threat Hunter), jj. . Lenane le felletseng la lithuto tsa thepa ho tsoa ho Sehlopha-IB le teng .
Ke libonase life tseo baithuti ba qetang lithuto tse kopaneng lipakeng tsa Group-IB le Belkasoft ba li fumanang?
Ba qetileng koetliso lithutong tse kopaneng lipakeng tsa Group-IB le Belkasoft ba tla fumana:
- setifikeiti sa ho qeta thupelo;
- peeletso ea mahala ea khoeli le khoeli ho Belkasoft Evidence Center;
- 10% theolelo ka theko ea Belkasoft Evidence Center.
Re u hopotsa hore thupelo ea pele e qala ka Mantaha, 9 september, - u se ke ua hloloheloa monyetla oa ho fumana tsebo e ikhethang tšimong ea ts'ireletso ea tlhahisoleseding, forensics ea k'homphieutha le karabo ea liketsahalo! Ngoliso bakeng sa thupelo .
MohloliHa re hlophisa sengoloa, re sebelisitse nehelano ea Oleg Skulkin "Ho sebelisa li-forensics tse thehiloeng ho baeti ho fumana matšoao a ho sekisetsa bakeng sa karabelo e atlehileng ea liketsahalo tse tsamaisoang ke bohlale."
Source: www.habr.com