Welcome to a new series of articles, this time on the topic of incident investigation, namely malware analysis using Check Point forensics. We have previously published
Why is incident-response forensics important? You seem to have caught the virus, which is already good, so why dig into it? As practice shows, it is advisable not only to block an attack but also to understand exactly how it works: what the entry point was, which vulnerability was exploited, which processes were involved, whether the registry and file system were touched, which malware family it belongs to, what the potential damage is, and so on. These and other useful details can be found in Check Point's extensive forensics reports (both text and graphical). Producing such a report by hand is very laborious. This data helps you take the right action and prevent similar attacks from succeeding in the future. Today we will look at the Check Point SandBlast Network forensics report.
SandBlast Network
Using sandboxes to strengthen network perimeter protection has already become common and is as mandatory a component as IPS. At Check Point, the Threat Emulation blade, part of the SandBlast technologies (there is also Threat Extraction), is responsible for the sandbox function. We have already published
- SandBlast Local Appliance: an additional SandBlast appliance installed in your network, to which files are sent for analysis.
- SandBlast Cloud: files are sent for analysis to the Check Point cloud.
The sandbox can be considered the last line of defense at the network perimeter. It comes into play only after analysis by the classic means, antivirus and IPS. And whereas traditional signature-based tools provide essentially no analysis, the sandbox "can tell" in detail why a file was blocked and what exactly it does. This forensics report is available with both the local and the cloud sandbox.
Viewing the Forensics Report
Suppose you, as an information security specialist, come to work and open the dashboard in SmartConsole. You immediately see the incidents of the last 24 hours, and your attention is drawn to the Threat Emulation events: the most dangerous attacks, which were not blocked by signature analysis.
You can "drill down" into these events and see all the logs of the Threat Emulation blade.
After that, you can additionally filter the logs by Severity and by Confidence Level (how reliable the verdict is):
After expanding the event we are interested in, we can review the general information (src, dst, severity, sender, etc.):
There you can also see the Forensics section with the available summary report. Clicking on it opens a detailed analysis of the malware in the form of an interactive HTML page:
(This is part of the page.
From the same report we can download the original malware (in a password-protected archive) or immediately contact the Check Point response team.
Just below you can see a nice animation showing, as a percentage, how much of our sample matches already known malicious code (both the code itself and the macros). This analysis is performed using machine learning in Check Point ThreatCloud.
Then you can see exactly which activities in the sandbox allowed us to conclude that this file is malicious. In this case we see the use of evasion techniques and an attempt to download ransomware:
Note that in this case emulation was performed on two operating systems (Win 7, Win XP) and with different software versions (Office, Adobe). Below is a video (slideshow) of the process of opening this file in the sandbox:
Video example:
Finally, we can see in detail how the attack started, either in tabular or in graphical form:
There we can also download this information in RAW format and as a pcap file for detailed analysis of the generated traffic in Wireshark:
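The pcap from the report is also the fastest way to turn the sandbox run into blockable indicators. The following is an added example (not Check Point's code and not part of the original article) that parses a classic pcap with only the Python standard library and collects the destination IPs, DNS query names and HTTP Host headers the sample contacted. The capture it analyses is constructed inline (a DNS lookup, an HTTP download and a raw TCP connection to port 4444) and assumes an Ethernet link type, which is the usual case for a sandbox capture; the `skip_ips` parameter is an assumption added so that the sandbox's own resolver does not end up on the blocklist.

```python
"""Extract network indicators from a sandbox pcap (added example, not Check Point code)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic, host byte order
LINKTYPE_ETHERNET = 1


def iter_packets(data: bytes):
    """Yield raw frames from a classic (non-pcapng) pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic read the other way round
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet frames")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # per-packet header is 16 bytes
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes):
    """Return (dst_ip, proto_name, dst_port, l4_payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:                      # TCP
        dport = struct.unpack_from("!H", l4, 2)[0]
        data_off = (l4[12] >> 4) * 4
        return dst_ip, "tcp", dport, l4[data_off:]
    if proto == 17 and len(l4) >= 8:                      # UDP
        dport = struct.unpack_from("!H", l4, 2)[0]
        return dst_ip, "udp", dport, l4[8:]
    return None


def dns_qname(payload: bytes):
    """Decode the first question name of a DNS query; responses are skipped."""
    if len(payload) < 12 or payload[2] & 0x80:
        return None
    labels, off = [], 12
    while off < len(payload) and payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) if labels else None


def http_host(payload: bytes):
    """Return the Host header of a plain HTTP request, if the payload is one."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None


def extract_indicators(pcap: bytes, skip_ips=frozenset()) -> dict:
    """Collect destination IPs, DNS names and HTTP hosts seen in the capture."""
    found = {"dst_ips": set(), "dns_names": set(), "http_hosts": set()}
    for frame in iter_packets(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_ip, proto, dport, payload = parsed
        if dst_ip not in skip_ips:                 # e.g. the sandbox's own resolver
            found["dst_ips"].add(dst_ip)
        if proto == "udp" and dport == 53:
            name = dns_qname(payload)
            if name:
                found["dns_names"].add(name)
        elif proto == "tcp" and dport in (80, 8080):
            host = http_host(payload)
            if host:
                found["http_hosts"].add(host)
    return {k: sorted(v) for k, v in found.items()}


# --- constructed sample capture (not real sandbox output) -------------------
def _frame(dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Minimal Ethernet/IPv4 frame; checksums left zero, the parser ignores them."""
    src, dst = bytes([10, 0, 0, 5]), bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def _udp(dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


def _tcp(dport: int, data: bytes) -> bytes:   # 20-byte header, PSH|ACK
    return struct.pack("!HHIIBBHHH", 40001, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def _dns_query(name: str) -> bytes:
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"


def build_sample_pcap() -> bytes:
    """Constructed capture: DNS lookup, HTTP payload download, raw TCP to port 4444."""
    frames = [
        _frame("10.0.0.53", 17, _udp(53, _dns_query("update.example.net"))),
        _frame("198.51.100.7", 6, _tcp(80, b"GET /payload.exe HTTP/1.1\r\nHost: update.example.net\r\n\r\n")),
        _frame("203.0.113.9", 6, _tcp(4444, b"")),
    ]
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(build_sample_pcap(), skip_ips={"10.0.0.53"}), indent=2))
```

Run it as a script to get a JSON summary of the indicators; on a real report pcap, replace `build_sample_pcap()` with the file contents and pass your lab resolver and gateway addresses in `skip_ips` before feeding the result into a block rule. The parser handles only classic pcap over Ethernet with IPv4; pcapng, VLAN-tagged or IPv6 captures need Wireshark or a fuller library.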
Conclusion
Using this information, you can significantly strengthen the protection of your network: block the hosts distributing the malware, close the exploited vulnerabilities, block possible callbacks to the C&C, and much more. This analysis should not be neglected.
In the following articles we will look in the same way at the reports of SandBlast Agent, SandBlast Mobile and CloudGuard SaaS. So stay tuned.
umthombo: www.habr.com