1. Malware analysis using Check Point forensics. SandBlast Network

Welcome to a new series of articles, this time on the topic of incident investigation, namely malware analysis using Check Point forensics. We previously published several video tutorials on working with Smart Event, but this time we will look at forensics reports on specific events in different Check Point products:

Why is forensics important for incident prevention? It might seem that once you have caught the malware, that is already good enough, so why dig into it? As practice shows, it is advisable not only to block an attack, but also to understand exactly how it works: what the entry point was, which vulnerability was exploited, which processes were involved, whether the registry and file system were affected, which malware family it belongs to, what the potential damage is, and so on. This and other useful information can be obtained from Check Point's comprehensive forensics reports (both textual and graphical). Producing such a report manually is very hard. This data can help you take the right action and prevent similar attacks from succeeding in the future. Today we will look at the Check Point SandBlast Network forensics report.

SandBlast Network

Using sandboxes to strengthen network perimeter protection has long been common practice and is as mandatory a component as IPS. At Check Point, the sandbox functionality is provided by the Threat Emulation blade, part of the SandBlast technologies (there is also Threat Extraction). We have previously published a short course on Check Point SandBlast, also for Gaia version 77.30 (I highly recommend watching it if you do not understand what we are talking about now). From an architectural point of view, nothing has changed since then. If you have a Check Point Gateway on your network perimeter, you have two options for integrating with the sandbox:

  1. SandBlast Local Appliance - an additional SandBlast appliance is installed in your network, and files are sent to it for analysis.
  2. SandBlast Cloud - files are sent for analysis to the Check Point cloud.

The sandbox can be considered the last line of defense on the network perimeter. It is engaged only after analysis by the classic means - antivirus and IPS. And while such traditional signature tools provide practically no analytics, the sandbox can "tell" in detail why the file was blocked and what exactly it does that is malicious. This forensics report can be obtained from both the local and the cloud sandbox.

Check Point Forensics Report

Suppose you, as an information security specialist, come to work and open the dashboard in SmartConsole. You immediately see the events of the last 24 hours, and your attention is drawn to the Threat Emulation events - the most dangerous attacks, the ones that signature analysis did not block.

You can "drill down" into these events and see all the logs of the Threat Emulation blade.

After that, you can additionally filter the logs by threat criticality (Severity) and by Confidence Level (how reliable the verdict is):

Having expanded the event we are interested in, we can review the general information (src, dst, severity, sender, etc.):

This is also where you will see the Forensics section with the available Summary report. Clicking on it opens a detailed malware analysis in the form of an interactive HTML page:

(This is only part of the page. The original can be viewed here.)

From the same report we can download the original malware (in a password-protected archive) or immediately contact the Check Point response team.

Just below is a nice animation showing, as a percentage, how much our sample has in common with already known malicious code (covering both the code itself and the macros). These analytics are produced with machine learning in the Check Point ThreatCloud.

Next you can see exactly which activities in the sandbox led to the conclusion that this file is malicious. In this case, we see the use of evasion techniques and an attempt to download ransomware:

It is worth noting that in this case the emulation was run on two systems (Win 7, Win XP) with different software versions (Office, Adobe). Below is a video (slideshow) of the process of opening this file in the sandbox:

Sample video:

Finally, we can see in detail how the attack began, either in tabular or in graphical form:

From there we can download this information in RAW format, as well as a pcap file for detailed analysis of the generated traffic in Wireshark:

Conclusion

Using this information, you can significantly strengthen your network protection: block the hosts distributing the malware, close the exploited vulnerabilities, block possible callbacks to the C&C, and much more. This analysis should not be neglected.
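The pcap exported from the report is what turns "block the distribution hosts and C&C callbacks" into a concrete list. As an added example (not from the article or from Check Point), the Python below parses a constructed pcap that stands in for the exported one and lists the remote host/port pairs the emulated sample reached out to; the sandbox address 10.0.0.5 and the remote addresses are constructed sample values.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond pcap; linktype 1 = Ethernet

def tcp_frame(src, dst, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"   # zero MACs, ethertype IPv4; checksums stay 0 for offline parsing
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # bare SYN
    return eth + ip + tcp

def build_pcap(frames):
    """Global header followed by (ts_sec, ts_usec, incl_len, orig_len) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed stand-in for the exported pcap: emulated host 10.0.0.5 contacts two remote hosts."""
    return build_pcap([
        (1, tcp_frame("10.0.0.5", "203.0.113.10", 49152, 80)),
        (1, tcp_frame("203.0.113.10", "10.0.0.5", 80, 49152)),   # reply, not an outbound contact
        (2, tcp_frame("10.0.0.5", "203.0.113.10", 49153, 80)),
        (3, tcp_frame("10.0.0.5", "198.51.100.7", 49154, 443)),
    ])

def extract_flows(data):
    """Count TCP/IPv4 packets per (src, dst, dport), honouring the file's byte order."""
    order = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    flows, off = Counter(), 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(order + "IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
        if len(frame) < 14 + ihl + 4:
            continue                                   # truncated before the TCP ports
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        dport = struct.unpack_from("!HH", frame, 14 + ihl)[1]
        flows[(src, dst, dport)] += 1
    return flows

def outbound_contacts(data, sandbox_ip):
    """Remote (host, port) pairs the sample itself connected to: the block-list candidates."""
    return sorted({(d, p) for (s, d, p) in extract_flows(data) if s == sandbox_ip})
```

Run against the real export, only connections initiated by the emulated host are listed, so replies from the remote side do not pollute the block list.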

In the following articles we will look in the same way at the reports of SandBlast Agent, SandBlast Mobile, and CloudGuard SaaS. So stay tuned (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com
