
Welcome to a new series of articles, this time on the topic of incident investigation, specifically malware analysis using Check Point forensics. We previously published on working with SmartEvent, but this time we will look at the forensic reports for specific events in the different Check Point products:
Why is the analysis of blocked incidents important? It may seem that you have already caught the virus, so why bother dealing with it further? Experience shows that it is important not only to block an attack but also to understand how it works: what the entry point was, which vulnerability was exploited, which processes were involved, whether the registry and file system were touched, which malware family it belonged to, how much damage it could have caused, and so on. This and other useful data can be found in Check Point's comprehensive forensic reports (both textual and graphical). Producing such a report by hand is very difficult. This data can help you take the right action and prevent similar attacks from succeeding in the future. Today we will look at the Check Point SandBlast Network forensic report.
SandBlast Network
Using sandboxes to strengthen network security has long been common practice and is as essential as an IPS. Check Point's sandbox functionality is handled by the Threat Emulation blade, which is part of its SandBlast technology (which also includes Threat Extraction). We published an article on this earlier, back on Gaia version 77.30 (I highly recommend reading it if you are not sure what we are talking about). From an architectural point of view, nothing has changed since then. If you have a Check Point Gateway deployed at your network perimeter, you have two options for sandbox integration:
- SandBlast Local Appliance: an additional SandBlast appliance is deployed on your network, and files are sent to it for analysis.
- SandBlast Cloud: files are sent to the Check Point cloud for analysis.

The sandbox can be considered the last line of defense at the network perimeter. It kicks in only after analysis by traditional tools such as antivirus and IPS. While traditional signature-based tools provide almost no analysis, the sandbox can provide detailed information about why a file was blocked and what malicious activity it performs. This forensic report is available from both the local sandbox and the cloud-based sandbox.
Check Point Forensics Report
Let's say that you, as an information security specialist, come to work and open the SmartConsole dashboard. You see the incidents of the last 24 hours, and your attention is drawn to the Threat Emulation events: the most dangerous attacks, which were not blocked by signature analysis.

You can drill down into these events and view all the logs of the Threat Emulation blade.

After that, you can further filter the logs by threat severity level (Severity) and by Confidence Level (how reliable the verdict is):

By expanding the event we are interested in, we can view the general information (src, dst, severity, sender, etc.):
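The triage steps above (keep only Threat Emulation events, filter by Severity and Confidence Level, then read off src and dst) as a small added script; this is example code written for this article, not Check Point's own tooling. The log records are constructed, and the field names (blade, severity, confidence_level, verdict) are an assumption about the export format rather than a documented schema.

```python
# Added triage example: rank Threat Emulation events by Severity and Confidence
# Level, the two filters applied in SmartConsole above, and collect the hosts
# that need review. Log records are constructed; field names are assumed.

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}

SAMPLE_LOGS = [  # constructed sample records, not real log output
    {"blade": "Threat Emulation", "src": "10.0.5.23", "dst": "203.0.113.7",
     "severity": "Critical", "confidence_level": "High", "verdict": "Malicious",
     "file_name": "invoice.docm"},
    {"blade": "Threat Emulation", "src": "10.0.5.41", "dst": "198.51.100.9",
     "severity": "Medium", "confidence_level": "Low", "verdict": "Malicious",
     "file_name": "setup.exe"},
    {"blade": "Anti-Virus", "src": "10.0.5.23", "dst": "203.0.113.7",
     "severity": "High", "confidence_level": "High", "verdict": "Malicious",
     "file_name": "invoice.docm"},
    {"blade": "Threat Emulation", "src": "10.0.7.2", "dst": "203.0.113.50",
     "severity": "High", "confidence_level": "High", "verdict": "Benign",
     "file_name": "report.pdf"},
]


def filter_te_events(logs, min_severity="High", min_confidence="High"):
    """Threat Emulation logs with a Malicious verdict at or above both thresholds,
    most severe first. Unknown severity/confidence values are treated as Low."""
    sev_floor = SEVERITY_RANK[min_severity]
    conf_floor = CONFIDENCE_RANK[min_confidence]
    selected = [
        rec for rec in logs
        if rec.get("blade") == "Threat Emulation"
        and rec.get("verdict") == "Malicious"
        and SEVERITY_RANK.get(rec.get("severity"), 0) >= sev_floor
        and CONFIDENCE_RANK.get(rec.get("confidence_level"), 0) >= conf_floor
    ]
    rank = lambda r: (SEVERITY_RANK.get(r["severity"], 0),
                      CONFIDENCE_RANK.get(r["confidence_level"], 0))
    return sorted(selected, key=rank, reverse=True)


def review_hosts(events):
    """Unique (src, dst) pairs: the internal host to inspect and the external
    host that the forensic report will help you decide whether to block."""
    return sorted({(e["src"], e["dst"]) for e in events})


if __name__ == "__main__":
    for e in filter_te_events(SAMPLE_LOGS):
        print(e["severity"], e["confidence_level"], e["src"], "->", e["dst"], e["file_name"])
    print(review_hosts(filter_te_events(SAMPLE_LOGS)))
```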

There you can also see the Forensics section with the readily accessible Summary report. Clicking on it opens a detailed analysis of the malware as an interactive HTML page:

(This is only part of the page.)
From this same report, we can download the original malware (in a password-protected archive) or contact the Check Point response team directly.

Below, you can see a nice animation showing the percentage of known malware that matches our sample (including the code itself and the macros). This analysis is provided using machine learning in the Check Point ThreatCloud.

You can then see which sandbox activity led to the conclusion that this file is malicious. In this case, we see the use of evasion techniques and an attempt to download ransomware:

You can see that in this case the emulation was performed on two systems (Win 7, Win XP) and with different software versions (Office, Adobe). Below is a video (slideshow) showing the process of opening this file in the sandbox:

Video example:

Finally, we can see the progression of the attack in detail, either as a table or in graphical form:

We can also download this information in RAW format, together with a pcap file, for detailed analysis of the generated traffic in Wireshark:

Conclusion
Using this information, you can significantly strengthen the security of your network. You can block malware distribution hosts, patch the exploited vulnerabilities, block possible call-backs to the C&C, and much more. This analysis should not be neglected.
In future articles, we will discuss the reports of SandBlast Agent, SandBlast Mobile, and CloudGuard SaaS in the same way. So stay tuned!
Source: www.habr.com
