A trap as a security tool - 2, or how to catch an APT "on live bait"

(thanks to Sergey G. Brester, sebers, for the idea of the title)

Colleagues, the purpose of this article is to share the experience of a year-long trial of a new class of IDS solutions built on deception technologies.

To keep the presentation logically coherent, I consider it necessary to start with the premises. So, the problem:

  1. Targeted attacks are the most dangerous type of attack, even though their share of the total number of threats is small.
  2. No guaranteed effective means of protecting the perimeter (or set of such means) has yet been invented.
  3. As a rule, a targeted attack unfolds in several stages. Breaching the perimeter is only one of the initial stages, and (you may throw stones at me) it does not in itself cause much damage to the "victim", unless, of course, it is a DEoS (Destruction of Service) attack (encryptors, etc.). The real "pain" begins later, when the captured assets start to be used for pivoting and developing the attack "in depth", and we have not noticed this.
  4. Since we start to suffer real losses when attackers finally reach the targets of the attack (application servers, DBMS, data warehouses, repositories, critical infrastructure elements), it is logical that one of the tasks of the information security service is to interrupt the attack before this sad event. But to interrupt something, you first need to know about it. And the sooner, the better.
  5. Accordingly, for successful risk management (that is, reducing the damage from targeted attacks), it is critical to have tools that provide a minimal TTD (time to detect: the time from the moment of intrusion to the moment the attack is detected). Depending on the industry and region, this time averages 99 days in the US, 106 days in the EMEA region and 172 days in the APAC region (M-Trends 2017, A View From the Front Lines, Mandiant).
  6. What does the market offer?
    • "Sandboxes". Another preventive control, and far from ideal. There are many effective techniques for detecting and bypassing sandboxes or whitelisting solutions. The guys from the "dark side" are still one step ahead here.
    • UEBA (systems for profiling behaviour and detecting deviations) - in theory, it can be very effective. But, in my opinion, this is somewhere in the distant future. In practice, it is still very expensive and unreliable, and it requires a very mature and stable IT and information security infrastructure that already has all the tools that will generate the data for behavioural analysis.
    • SIEM is a good tool for investigations, but it cannot see and show something new and original in a timely manner, because correlation rules are essentially the same as signatures.

  7. As a result, there is a need for a tool that would:
    • work successfully under conditions of an already compromised perimeter,
    • detect successful attacks in near real time, regardless of the tools and vulnerabilities used,
    • not depend on signatures/rules/scripts/policies/profiles and other static things,
    • not require large volumes of data and data sources for analysis,
    • allow an attack to be classified not as some kind of risk score produced by "the best in the world, patented and therefore closed mathematics", which requires additional investigation, but practically as a binary event - "Yes, we are being attacked" or "No, everything is fine",
    • be universal, scale efficiently and be feasible to implement in any heterogeneous environment, regardless of the physical and logical network topology in use.

So-called deception solutions are now competing for the role of such a tool. That is, solutions based on the good old concept of honeypots, but with a completely different level of implementation. This topic is definitely on the rise now.

According to the results of the Gartner Security & Risk Management Summit 2017, deception solutions were included in the TOP 3 strategies and tools recommended for use.

According to the TAG Cybersecurity Annual 2017 report, deception is one of the main directions of development for IDS (Intrusion Detection Systems) solutions.

An entire section of the latest Cisco State of IT Security Report, dedicated to SCADA, is based on data from one of the leaders in this market, TrapX Security (Israel), whose solution has been running in our test zone for a year.

TrapX Deception Grid allows you to cost out and operate a massively distributed IDS centrally, without increasing the licence load and hardware resource requirements. In fact, TrapX is a construction kit that lets you assemble, from elements of the existing IT infrastructure, one large mechanism for detecting attacks on an enterprise-wide scale, a kind of distributed network "alarm system".

Solution architecture

In our laboratory we constantly study and test various new products in the field of IT security. Currently, about 50 different virtual servers are deployed here, including the TrapX Deception Grid components.

So, from top to bottom:

  1. TSOC (TrapX Security Operation Console) is the brain of the system. This is the central management console where configuration, deployment of the solution and all day-to-day operations are carried out. Since it is a web service, it can be deployed anywhere - on the perimeter, in the cloud or at an MSSP provider.
  2. TrapX Appliance (TSA) is a virtual server to which we connect, via a trunk port, the subnets we want to cover with monitoring. All our network sensors also actually "live" here.

    Our lab has one TSA deployed (mwsapp1), but in fact there can be many. This may be necessary in large networks where there is no L2 connectivity between segments (typical examples are "holding company and subsidiaries" or "bank head office and branches") or where the network has isolated segments, for example industrial control systems. In each such branch/segment you can deploy your own TSA and connect it to a single TSOC, where all the information is processed centrally. This architecture allows you to build distributed monitoring systems without radically restructuring the network or breaking the existing segmentation.

    We can also feed a copy of outgoing traffic to the TSA via TAP/SPAN. If connections to known botnets, command and control servers or TOR sessions are detected, we get the result in the console as well. The Network Intelligence Sensor (NIS) is responsible for this. In our environment this functionality is implemented on the firewall, so we did not use it here.

  3. Application Traps (Full OS) - traditional honeypots based on Windows servers. You do not need many of them, since the main purpose of these servers is to provide IT services to the next layer of sensors or to detect attacks on business applications that may be deployed in a Windows environment. We have one such server installed in our laboratory (FOS01).

  4. Emulated traps are the main component of the solution. Using a single virtual machine, they let us lay a very dense "minefield" for attackers and saturate the enterprise network, with all its VLANs, with our sensors. The attacker sees such a sensor, or phantom host, as a real Windows PC or server, a Linux server or any other device we decide to show him.

    For the good of the business, and out of curiosity, we deployed "a pair of every creature" - Windows PCs and servers of various versions, Linux servers, an ATM with embedded Windows, SWIFT Web Access, a network printer, a Cisco switch, an Axis IP camera, a MacBook, a PLC device and even a smart light bulb. There are 13 hosts in total. In general, the vendor recommends deploying such sensors in a quantity of at least 10% of the number of real hosts. The upper limit is the available address space.

    A very important point is that each such host is not a full-fledged virtual machine that requires resources and licences. It is a decoy, an emulation, a single process on the TSA with a set of parameters and an IP address. Therefore, with even one TSA we can saturate the network with hundreds of such phantom hosts, which act as the sensors of the alarm system. It is this technology that makes it possible to scale the honeypot concept cost-effectively to any large distributed enterprise.

    From the attacker's point of view, these hosts are attractive because they contain vulnerabilities and appear to be easy targets. The attacker sees services on these hosts and can interact with them and attack them using standard tools and protocols (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, etc.). But it is impossible to use these hosts to develop the attack further or to run your own code.

  5. The combination of these two technologies (FullOS and emulated traps) gives us a high probability that sooner or later an attacker will run into some element of our signalling network. But how can we make sure that this probability is close to 100%?

    This is where so-called deception tokens enter the battle. Thanks to them, we can include all the existing PCs and servers of the enterprise in our distributed IDS. Tokens are placed on users' real PCs. It is important to understand that tokens are not agents that consume resources and can cause conflicts. Tokens are passive information elements, a kind of "breadcrumbs" for the attacking side that lead it into a trap. For example: mapped network drives, browser bookmarks to fake web admin panels with saved passwords for them, saved ssh/rdp/winscp sessions, our traps with comments in hosts files, passwords saved in memory, credentials of non-existent users, office files whose opening triggers the system, and much more. Thus, we place the attacker in a distorted environment saturated with attack vectors that do not pose a threat to us, but quite the opposite. And he has no way of determining which information is true and which is false. In this way we not only ensure rapid detection of an attack, but also significantly slow its progress.
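    As an added illustration of how deception tokens turn detection into the binary event the article asks for (this is example code, not part of the original article or of the TrapX product), the script below watches an authentication log for any use of decoy account names of the "non-existent user" kind and measures the resulting TTD. The log format, account names, addresses and timestamps are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed decoy account names planted as deception tokens (saved sessions,
# credentials of non-existent users). No legitimate process ever uses them.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_swift", "dba_restore"}

# Constructed auth-log format; adapt the regex to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) "
    r"proto=(?P<proto>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(line):
    """Return the fields of one auth-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def honeytoken_alerts(lines, decoys=DECOY_ACCOUNTS):
    """One alert per auth event that uses a decoy account, whether or not it succeeded."""
    alerts = []
    for line in lines:
        ev = parse(line)
        # Failures against real accounts are ignored on purpose: they are noise
        # (typos, expired passwords) and belong to a threshold-based rule instead.
        if ev is None or ev["user"] not in decoys:
            continue
        alerts.append({
            "time": ev["ts"], "src": ev["src"], "account": ev["user"],
            "proto": ev["proto"],
            # A successful logon means the token is already being used as a pivot.
            "severity": "critical" if ev["result"] == "OK" else "high",
        })
    return alerts

def time_to_detect(intrusion_ts, alerts):
    """TTD in seconds: time of the first alert minus the known intrusion time."""
    if not alerts:
        return None
    first = min(datetime.fromisoformat(a["time"]) for a in alerts)
    return (first - datetime.fromisoformat(intrusion_ts)).total_seconds()

# Constructed sample: a real account logs on, then decoy accounts are tried.
SAMPLE_LOG = [
    "2017-06-01T10:00:05 AUTH user=jsmith src=10.0.5.17 proto=rdp result=FAIL",
    "2017-06-01T10:00:09 AUTH user=jsmith src=10.0.5.17 proto=rdp result=OK",
    "2017-06-01T10:01:30 AUTH user=svc_backup_old src=10.0.5.17 proto=smb result=FAIL",
    "2017-06-01T10:01:31 AUTH user=admin_swift src=10.0.5.17 proto=http result=OK",
]
```

    Running `honeytoken_alerts(SAMPLE_LOG)` yields two alerts from the same source, and `time_to_detect` against the real logon at 10:00:09 gives a TTD of 81 seconds, the kind of figure the article contrasts with the 106-day industry average.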

An example of creating a network trap and configuring tokens. A friendly interface, with no manual editing of configs, scripts, etc.

In our environment we configured and placed a number of such tokens on FOS01, running Windows Server 2012R2, and on a test PC running Windows 7. RDP is enabled on these machines and we periodically "hang" them in the DMZ, where a number of our sensors (emulated traps) are also exposed. So we get a constant stream of incidents, naturally occurring so to speak.

So, here are some quick statistics for the year:

56 - incidents recorded,
2 - attack sources identified.

Interactive, clickable attack map

At the same time, the solution does not generate some kind of mega-log or event feed that takes a long time to make sense of. Instead, the solution itself classifies events by type and lets the information security team focus primarily on the most dangerous ones - when an attacker tries to establish control sessions (interaction) or when binary payloads (infection) appear in our traffic.

All information about events is readable and presented, in my opinion, in a form that is easy to understand even for a user with only basic knowledge of information security.

Most of the recorded incidents are attempts to scan our hosts, or isolated connections.

Or attempts to brute-force RDP passwords

But there were also more interesting cases, especially when attackers "managed" to guess an RDP password and gain access to the local network.

The attacker tries to execute code using psexec.

The attacker found a saved session, which led him into a trap in the form of a Linux server. Immediately after connecting, with a single set of pre-prepared commands, he tried to destroy all the log files and the corresponding system variables.

The attacker attempts a SQL injection against a honeypot that looks like SWIFT Web Access.

In addition to these "natural" attacks, we also ran a number of tests of our own. One of the most revealing was measuring the time to detect a network worm on the network. For this we used a tool from GuardiCore called Infection Monkey. It is a network worm that can take over Windows and Linux hosts, but carries no "payload".
We deployed a local command centre, launched the first instance of the worm on one of the machines, and received the first alert in the TrapX console in less than a minute and a half. A TTD of 90 seconds versus 106 days on average...

Thanks to the ability to integrate with other classes of solutions, we can move from rapidly detecting threats to responding to them automatically.

For example, integration with NAC (Network Access Control) or with CarbonBlack will let you automatically disconnect compromised PCs from the network.

Integration with sandboxes allows files involved in an attack to be submitted automatically for analysis.

McAfee integration

The solution also has its own built-in event correlation system.

But we were not satisfied with its capabilities, so we integrated it with HP ArcSight.

The built-in ticketing system helps the whole team deal with detected threats together.

Since the solution was developed "from the ground up" for the needs of government agencies and the large corporate segment, it naturally implements a role-based access model, integration with AD, a well-developed system of reports and triggers (event alerts), and orchestration for large holding structures or MSSP providers.

Instead of a conclusion

If there is a monitoring system like this that, figuratively speaking, covers our back, then with a perimeter compromise everything is only just beginning. The most important thing is that there is a real opportunity to deal with information security incidents themselves, rather than with their consequences.

Source: www.habr.com