5. Check Point SandBlast Agent Management Platform. Logs, Reports & Forensics. Threat Hunting

Welcome to the fifth article in the series about the Check Point SandBlast Agent Management Platform solution. The previous articles can be found by following the corresponding link: first, second, third, fourth. Today we will look at the monitoring capabilities of the Management Platform, namely working with logs, interactive dashboards (View) and reports. We will also touch on the topic of Threat Hunting for identifying current threats and anomalous events on user machines.

Logs

The main source of information for monitoring security events is the Logs section, which displays detailed information about each incident and lets you use convenient filters to refine your search. For example, when you right-click a parameter (Blade, Action, Severity, etc.) of the log you are interested in, that parameter can be applied as a filter (Filter: "Parameter"). Also, for the Source parameter, the IP Tools option can be selected, where you can ping the given IP address/name or run nslookup to resolve the source IP address by name.

In the Logs section there is a Statistics subsection for filtering events, which shows statistics for all parameters: a time graph with the number of logs and the percentage share of each parameter value. In this subsection you can easily filter logs without using the search bar and writing filter expressions: simply select the parameters of interest and a new list of logs is displayed immediately.

Detailed information on each log is available in the right-hand panel of the Logs section, but it is more convenient to open the log by double-clicking it to analyze its contents. Below is an example of a log (the image is clickable) showing detailed information about the Prevent action of the Threat Emulation blade on an infected ".docx" file. The log has several subsections showing the details of the security event: the configured policies and protections, threat intelligence details, information about the client and the traffic. The reports available from the log deserve special attention: the Threat Emulation Report and the Forensics Report. These reports can also be opened from the SandBlast Agent client.

Threat Emulation Report

When the Threat Emulation blade is used, after emulation has been performed in the Check Point cloud, a link to a detailed report on the emulation results (the Threat Emulation Report) appears in the corresponding log. The contents of such a report are described in detail in our article on malware analysis using Check Point SandBlast Network forensics. It is worth noting that this report is interactive and lets you "dive" into the details of each section. It is also possible to view a recording of the emulation process in the virtual machine, download the original malicious file or obtain its hash, and contact the Check Point Incident Response Team.

Forensics Report

For almost any security event, a Forensics report is generated, which contains detailed information about the malicious file: its characteristics, actions, entry point into the system and impact on the company's critical assets. We discussed the structure of the report in detail in the article on malware analysis using Check Point SandBlast Agent forensics. Such a report is an important source of information when investigating security incidents, and if necessary its contents can be sent immediately to the Check Point Incident Response Team.

SmartView

Check Point SmartView is a convenient tool for creating and viewing dynamic dashboards (View) and reports in PDF format. From SmartView you can also view user logs and administrator audit events. The figure below shows the most useful reports and dashboards for working with SandBlast Agent.

Reports in SmartView are documents with statistical information about events over a certain period of time. Downloading reports in PDF format to the machine on which SmartView is open is supported, as well as scheduled delivery in PDF/Excel to the administrator's e-mail. In addition, import/export of report templates, creation of your own reports, and the ability to hide user names in reports are supported. The figure below shows an example of the built-in Threat Prevention report.

Dashboards (View) in SmartView let the administrator get to the logs of the corresponding event: just double-click the object of interest, whether it is a chart column or the name of a malicious file. As with reports, you can create your own dashboards and hide user data. Dashboards also support import/export of templates, scheduled delivery in PDF/Excel to the administrator's e-mail, and automatic data refresh for monitoring security events in real time.

Additional monitoring sections

A description of the monitoring tools in the Management Platform would not be complete without mentioning the Overview, Computer Management, Endpoint Settings and Push Operations sections. These sections were described in detail in the second article; nevertheless, it is useful to consider their capabilities for monitoring tasks. Let's start with Overview, which consists of two subsections, Operational Overview and Security Overview, which are dashboards with information about the state of protected user machines and about security events. As with any other dashboard, double-clicking the parameter of interest in the Operational Overview and Security Overview subsections takes you to the Computer Management section with the selected filter (for example, "Desktops" or "Pre-boot Status: Enabled"), or to the Logs section for a specific event. The Security Overview subsection is the "Cyber Attack View – Endpoint" dashboard, which can be customized and set to refresh its data automatically.

From the Computer Management section you can monitor the agent status on user machines, the Anti-Malware database update status, disk encryption stages, and much more. All data is refreshed automatically, and for each filter the percentage of matching user machines is shown. Exporting computer data in CSV format is also supported.

An important part of monitoring workstation security is configuring notifications about critical events (Alerts) and exporting logs (Export Events) for storage on the company's log server. Both settings are made in the Endpoint Settings section. With Alerts it is possible to connect a mail server for sending event notifications to the administrator and to configure thresholds for triggering/disabling notifications depending on the percentage/number of devices that meet the event criteria. Export Events lets you configure forwarding of logs from the Management Platform to the company's log server for further processing. SYSLOG, CEF, LEEF and SPLUNK formats, TCP/UDP transport, any SIEM system with a working syslog agent, TLS/SSL encryption and syslog client authentication are supported.

For a deeper analysis of events on the agent, or when contacting technical support, you can quickly collect logs from the SandBlast Agent client using a forced task in the Push Operations section. You can configure forwarding of the generated log archive to Check Point servers or to corporate servers, and the archive with the logs is saved on the user's machine in the directory C:\Users\username\CPInfo. Starting the log collection at a specified time and letting the user postpone the operation are supported.

Threat Hunting

Threat Hunting is used to proactively search for malicious activity and anomalous behavior in the system in order to investigate a possible security event further. The Threat Hunting section in the Management Platform lets you search for events with specified parameters in the data collected from user machines.

The Threat Hunting tool has several predefined queries, for example: classifying malicious domains or files, or tracking unusual requests to certain IP addresses (relative to normal statistics). The query structure consists of three parameters: the indicator (network protocol, process identifier, file type, etc.), the operator ("exists", "does not exist", "contains", "one of", etc.) and the query body. Regular expressions can be used in the query body, and several filters can be applied at once in the search bar.

After selecting a filter and waiting for the query to finish processing, you get access to all matching events, with the ability to view detailed information about an event, quarantine the requested object, or generate a detailed Forensics report describing the event. Currently this tool is in beta, and in the future it is planned to extend its set of capabilities, for example by adding information about the event in the form of the MITRE ATT&CK matrix.
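To make the indicator/operator/body query structure described above concrete, here is an added illustration (not the product's own query engine or API): a hypothetical evaluator that applies such filters, including regex bodies and several filters combined, over a constructed set of endpoint events, plus a small "rare value" helper in the spirit of the predefined query that flags unusual requests relative to normal statistics.

```python
import re
from collections import Counter

# Constructed sample events (not real product data); keys play the role of indicators.
EVENTS = [
    {"id": 1, "process": "winword.exe", "protocol": "https",
     "domain": "updates.example.com", "file_type": "docx"},
    {"id": 2, "process": "powershell.exe", "protocol": "http",
     "domain": "cdn-203.example.net", "file_type": "ps1"},
    {"id": 3, "process": "chrome.exe", "protocol": "https",
     "domain": "mail.example.com"},
    {"id": 4, "process": "rundll32.exe", "protocol": "smb", "file_type": "dll"},
]


def match(event, indicator, operator, body=None):
    """Evaluate one hypothetical filter (indicator, operator, body) against an event."""
    value = event.get(indicator)
    if operator == "exists":
        return value is not None
    if operator == "does not exist":
        return value is None
    if operator == "contains":
        # The body is treated as a regular expression searched inside the value.
        return value is not None and re.search(body, str(value)) is not None
    if operator == "one of":
        # The body is a collection of accepted literal values.
        return value in body
    raise ValueError(f"unsupported operator: {operator}")


def hunt(events, filters):
    """Apply several filters at once: an event is returned only if every filter matches."""
    return [e["id"] for e in events if all(match(e, *f) for f in filters)]


def rare_values(events, indicator, max_count=1):
    """Values of an indicator seen at most max_count times: a crude 'unusual relative
    to normal statistics' baseline, useful as a starting point for a hunt."""
    counts = Counter(e[indicator] for e in events if indicator in e)
    return sorted(v for v, n in counts.items() if n <= max_count)


if __name__ == "__main__":
    print(hunt(EVENTS, [("protocol", "one of", {"http", "smb"}),
                        ("process", "contains", r"\.exe$")]))
    print(rare_values(EVENTS, "protocol"))
```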

Conclusion

To sum up: in this article we looked at the capabilities for monitoring security events in the SandBlast Agent Management Platform, and studied a new tool for proactively searching for malicious and anomalous actions on user machines: Threat Hunting. The next article will be the last in this series; in it we will look at frequently asked questions about the Management Platform solution and talk about the options for testing this product.

A large selection of materials on Check Point from TS Solution. To avoid missing the next publication on the SandBlast Agent Management Platform, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com