(sibonga u-Sergey G. Brester ngombono wesihloko )
Ozakwethu, inhloso yalesi sihloko ukwabelana ngesipiliyoni somsebenzi wokuhlola unyaka wonke wekilasi elisha lezixazululo ze-IDS ezisekelwe kubuchwepheshe beDeception.
Ukuze kugcinwe ukuhambisana okunengqondo kokwethulwa kokuqukethwe, ngibona kudingekile ukuqala ngezakhiwo. Ngakho, inkinga:
- Ukuhlasela okuhlosiwe kuwuhlobo lokuhlasela oluyingozi kakhulu, naphezu kweqiniso lokuthi ingxenye yabo enanini eliphelele lezinsongo lincane.
- Azikho izindlela ezisebenzayo eziqinisekisiwe zokuvikela i-perimeter (noma isethi yalezo zindlela) esezisunguliwe.
- Njengomthetho, ukuhlaselwa okuhlosiwe kwenzeka ngezigaba eziningana. Ukunqoba i-perimeter kungenye yezigaba zokuqala, okuthi (ungangijikijela ngamatshe) akubangeli umonakalo omkhulu "kumuntu oyisisulu", ngaphandle uma, kunjalo, ukuhlasela kwe-DEoS (Ukubhujiswa kwenkonzo) (encryptors, njll. .). "Ubuhlungu" bangempela buqala kamuva, lapho izimpahla ezithunjiwe ziqala ukusetshenziselwa ukuzulazula nokuthuthukisa ukuhlasela "okujulile", futhi asizange sikuqaphele lokhu.
- Njengoba siqala ukulahlekelwa kwangempela lapho abahlaseli ekugcineni befinyelela izinhloso zokuhlasela (amaseva wesicelo, i-DBMS, izindawo zokugcina idatha, izinqolobane, izakhi ezibalulekile zengqalasizinda), kunengqondo ukuthi omunye wemisebenzi yesevisi yezokuphepha kolwazi ukuphazamisa ukuhlasela ngaphambi kokuhlasela. lesi sigameko esibuhlungu. Kodwa ukuze uphazamise okuthile, kufanele uqale uthole ngakho. Futhi ngokushesha, kungcono.
- Ngakho-ke, ukuze kube yimpumelelo yokulawula ubungozi (okungukuthi, ukunciphisa umonakalo ovela ekuhlaselweni okuhlosiwe), kubalulekile ukuba namathuluzi azohlinzeka nge-TTD encane (isikhathi sokubona - isikhathi kusukela ngesikhathi sokungenwa kuze kube yilapho ukuhlaselwa kutholwa). Ngokuya ngemboni nesifunda, lesi sikhathi sifinyelela isilinganiso sezinsuku ezingama-99 e-US, izinsuku eziyi-106 esifundeni se-EMEA, izinsuku eziyi-172 esifundeni se-APAC (M-Trends 2017, A View From the Front Lines, Mandiant).
- Imakethe inikeza ini?
- "Amabhokisi esihlabathi". Okunye ukulawulwa kokuvimbela, okukude nokuhle. Kunamasu amaningi asebenzayo okuthola nokudlula ama-sandbox noma izixazululo zohlu olumhlophe. Abafana abavela "ohlangothini olumnyama" basahamba ngesinyathelo esisodwa lapha.
- I-UEBA (izinhlelo zokuziphatha kwephrofayela kanye nokuhlonza ukuchezuka) - ngokombono, zingasebenza kakhulu. Kodwa, ngokubona kwami, lokhu kusesikhathini esizayo esikude. Empeleni, lokhu kusabiza kakhulu, akuthembeki futhi kudinga ingqalasizinda yokuphepha ye-IT evuthiwe futhi ezinzile, esevele inawo wonke amathuluzi azokhiqiza idatha yokuhlaziywa kokuziphatha.
- I-SIEM iyithuluzi elihle lophenyo, kodwa ayikwazi ukubona nokubonisa into entsha neyokuqala ngesikhathi, ngoba imithetho yokuxhumanisa iyafana namasignesha.
- Ngenxa yalokho, kunesidingo sethuluzi elingase:
- isebenze ngempumelelo ngaphansi kwezimo zomjikelezo osuvele usengozini,
- ithole ukuhlasela okuyimpumelelo cishe ngesikhathi sangempela, kungakhathalekile amathuluzi nokuba sengozini okusetshenzisiwe,
- bekungancikile kumasiginesha/imithetho/imibhalo/izinqubomgomo/amaphrofayili nezinye izinto ezimile,
- ayidinganga inani elikhulu ledatha nemithombo yayo ukuze ihlaziywe,
- kungavumela ukuhlaselwa kungachazwa njengohlobo oluthile lokubeka amaphuzu engozini ngenxa yomsebenzi "wezibalo ezihamba phambili emhlabeni, ezinelungelo lobunikazi futhi ngenxa yalokho ezivaliwe", ezidinga uphenyo olwengeziwe, kodwa empeleni njengomcimbi kanambambili - "Yebo, siyahlaselwa” noma “Cha, konke kulungile”,
- ibisebenza emhlabeni wonke, scalable kahle futhi kungenzeka ukuthi isetshenziswe kunoma iyiphi indawo ehlukahlukene, ngaphandle kokubheka i-topology yenethiwekhi ebonakalayo nenengqondo esetshenzisiwe.
Lokho okuthiwa yizixazululo zokukhohlisa manje kubanga indima yethuluzi elinjalo. Okungukuthi, izixazululo ezisekelwe kumqondo omuhle omdala wezinyosi, kodwa ngezinga elihluke ngokuphelele lokuqaliswa. Lesi sihloko siyakhula impela manje.
Ngokwemiphumela Izixazululo zokukhohlisa zifakiwe kumasu namathuluzi angu-TOP 3 anconywa ukuthi asetshenziswe.
Ngokombiko Inkohliso ingenye yezinkomba eziphambili zokuthuthukiswa kwezixazululo ze-IDS Intrusion Detection Systems).
Ingxenye yonke yokugcina , ezinikezelwe ku-SCADA, isekelwe kudatha evela komunye wabaholi kule makethe, i-TrapX Security (Israel), isisombululo sayo esisebenza endaweni yethu yokuhlola unyaka.
I-TrapX Deception Grid ikuvumela ukuthi ubize futhi usebenzise i-IDS esabalaliswe kakhulu phakathi nendawo, ngaphandle kokukhulisa umthwalo welayisensi kanye nezidingo zezinsiza zehardware. Eqinisweni, i-TrapX iwumakhi okuvumela ukuthi udale kusukela kuzakhi zengqalasizinda ekhona ye-IT indlela eyodwa enkulu yokuthola ukuhlaselwa ngesilinganiso esibanzi sebhizinisi, uhlobo “lwe-alamu” yenethiwekhi esabalalisiwe.
Isakhiwo Sesixazululo
Elabhorethri yethu sihlala sifunda futhi sihlola imikhiqizo emisha ehlukahlukene emkhakheni wezokuphepha kwe-IT. Njengamanje, cishe amaseva angama-50 ahlukene asetshenziswa lapha, okuhlanganisa izingxenye ze-TrapX Deception Grid.
Ngakho, kusukela phezulu kuya phansi:
- I-TSOC (TrapX Security Operation Console) ingubuchopho bohlelo. Lena ikhonsoli yokuphatha emaphakathi lapho ukucushwa, ukuthunyelwa kwesixazululo kanye nakho konke ukusebenza kwansuku zonke kwenziwa. Njengoba lena kuyisevisi yewebhu, ingafakwa noma yikuphi - kumjikelezo, emafini noma kumhlinzeki we-MSSP.
- I-TrapX Appliance (TSA) iyisiphakeli esibonakalayo lapho sixhuma khona, sisebenzisa imbobo ye-trunk, lawo ma-subnets esifuna ukuwahlanganisa ngokuqapha. Futhi, zonke izinzwa zethu zenethiwekhi empeleni "zibukhoma" lapha.
Ilebhu yethu ine-TSA eyodwa esetshenzisiwe (mwsapp1), kodwa empeleni ingaba maningi. Lokhu kungase kudingeke kumanethiwekhi amakhulu lapho kungekho khona ukuxhumana kwe-L2 phakathi kwamasegimenti (isibonelo esivamile “Isibambiso nezinkampani ezingaphansi” noma “Ihhovisi elikhulu lasebhange namagatsha”) noma uma inethiwekhi inezigaba ezihlukanisiwe, isibonelo, amasistimu okulawula inqubo azenzakalelayo. Kulelo nalelo gatsha/ingxenye, ungakwazi ukusebenzisa i-TSA yakho futhi uyixhume ku-TSOC eyodwa, lapho lonke ulwazi luzocutshungulwa phakathi nendawo. Lesi sakhiwo sikuvumela ukuthi wakhe amasistimu okuqapha asabalalisiwe ngaphandle kwesidingo sokuhlela kabusha inethiwekhi noma ukuphazamisa ukuhlukaniswa okukhona.
Futhi, singathumela ikhophi yethrafikhi ephumayo e-TSA nge-TAP/SPAN. Uma sithola ukuxhumana nama-botnet aziwayo, amaseva womyalo nokulawula, noma izikhathi ze-TOR, sizothola umphumela kukhonsoli. I-Network Intelligence Sensor (NIS) inesibopho salokhu. Endaweni yethu, lokhu kusebenza kusetshenziswa ku-firewall, ngakho asizange sikusebenzise lapha.
- Izicupho Zohlelo (I-OS Egcwele) - izimbiza zoju zendabuko ezisekelwe kumaseva e-Windows. Awudingi eziningi zazo, njengoba inhloso enkulu yalezi ziphakeli ukuhlinzeka ngezinsizakalo ze-IT kungqimba olulandelayo lwezinzwa noma ukuthola ukuhlaselwa kwezinhlelo zokusebenza zebhizinisi ezingase zisetshenziswe endaweni ye-Windows. Sineseva eyodwa enjalo efakwe elabhorethri yethu (FOS01)
- Izicupho ezilingisiwe ziyingxenye eyinhloko yesisombululo, esisivumela, sisebenzisa umshini owodwa owodwa, ukudala "inkundla yemigodi" eminyene kakhulu yabahlaseli futhi sigcwalise inethiwekhi yebhizinisi, wonke ama-vlans ayo, ngezinzwa zethu. Umhlaseli ubona inzwa enjalo, noma i-phantom host, njenge-Windows PC yangempela noma iseva, iseva ye-Linux noma enye idivayisi esinquma ukumbonisa yona.
Ukuze kuzuzwe ibhizinisi futhi ngenjongo yokufuna ukwazi, sikhiphe “ipheya yesidalwa ngasinye” - Ama-Windows PC namaseva ezinguqulo ezihlukahlukene, amaseva e-Linux, i-ATM ene-Windows eshumekiwe, i-SWIFT Web Access, iphrinta yenethiwekhi, i-Cisco. switch, ikhamera ye-Axis IP, i-MacBook, i-PLC -device kanye nesibani esihlakaniphile. Kukhona ababungazi abangu-13 sebebonke. Ngokuvamile, umthengisi uncoma ukuthi kusetshenziswe izinzwa ezinjalo ngenani okungenani elingu-10% yenani labasingathi bangempela. Ibha ephezulu yindawo yamakheli etholakalayo.Iphuzu elibaluleke kakhulu ukuthi umsingathi ngamunye onjalo akawona umshini ophelele obonakalayo odinga izinsiza namalayisense. Lokhu ukukhohlisa, ukulingisa, inqubo eyodwa ku-TSA, enesethi yamapharamitha nekheli le-IP. Ngakho-ke, ngosizo lwe-TSA eyodwa, singakwazi ukugcwalisa inethiwekhi ngamakhulu alawo ma-phantom host, azosebenza njengezinzwa ohlelweni lwe-alamu. Yilobu buchwepheshe obenza kube nokwenzeka ukukala ngendlela engabizi kakhulu umqondo wembiza yezinyosi kunoma iyiphi inkampani enkulu esabalalisiwe.
Ngokombono womhlaseli, laba basingathi bayathandeka ngenxa yokuthi baqukethe ubungozi futhi babonakala beyizimpokophelo ezilula. Umhlaseli ubona amasevisi kulaba basingathi futhi angahlanganyela nabo futhi abahlasele esebenzisa amathuluzi avamile nezivumelwano (smb/wmi/ssh/telnet/web/dnp/bonjour/Modbus, njll.). Kodwa akwenzeki ukusebenzisa laba basokhaya ukuthuthukisa ukuhlasela noma ukusebenzisa ikhodi yakho.
- Inhlanganisela yalobu buchwepheshe obubili (i-FullOS nezicupho ezilingisiwe) isivumela ukuthi sifinyelele amathuba aphezulu ezibalo okuthi umhlaseli maduze noma kamuva ahlangabezane nengxenye ethile yenethiwekhi yethu yokusayina. Kodwa singaqinisekisa kanjani ukuthi leli thuba lisondele ku-100%?
Okubizwa ngokuthi amathokheni okukhohlisa angena empini. Siyabonga kubo, singafaka wonke ama-PC namaseva akhona ebhizinisi kuma-ID ethu asabalalisiwe. Amathokheni abekwe kuma-PC wangempela wabasebenzisi. Kubalulekile ukuqonda ukuthi amathokheni awawona ama-agent adla izinsiza futhi angabangela izingxabano. Amathokheni ayizici zolwazi lwe-passive, uhlobo "lwezimvuthu zesinkwa" zohlangothi oluhlaselayo oluholela ogibeni. Isibonelo, amadrayivu enethiwekhi afakwe kumephu, amabhukumaka kuya kubaphathi bewebhu mbumbulu esipheqululini futhi abagcinele amagama ayimfihlo, amaseshini agciniwe e-ssh/rdp/winscp, ama-trap ethu namazwana kumafayela abasingathi, amaphasiwedi alondolozwe kumemori, imininingwane yabasebenzisi abangekho, ihhovisi amafayela, ukuvula okuzocupha uhlelo, nokunye okuningi. Ngakho-ke, sibeka umhlaseli endaweni ehlanekezelwe, egcwele ama-vectors okuhlasela empeleni angabeki usongo kithi, kodwa kunalokho okuphambene. Futhi akanayo indlela yokunquma ukuthi ukwaziswa kuyiqiniso kuphi nokuthi kungamanga. Ngakho-ke, asiqinisekisi kuphela ukutholwa okusheshayo kokuhlasela, kodwa futhi sibambezela ngokuphawulekayo ukuqhubeka kwakho.
Isibonelo sokudala isicupho senethiwekhi nokusetha amathokheni. Isixhumi esibonakalayo esinobungane futhi akukho ukuhlela ngesandla kwe-configs, imibhalo, njll.
Endaweni yethu, silungiselele futhi sabeka inani lamathokheni anjalo ku-FOS01 esebenzisa i-Windows Server 2012R2 kanye ne-PC yokuhlola esebenza i-Windows 7. I-RDP iyasebenza kule mishini futhi ngezikhathi ezithile “siyayilenga” ku-DMZ, lapho inani lezinzwa zethu. (izicupho ezilingisiwe) nazo ziyaboniswa. Ngakho-ke sithola uchungechunge oluqhubekayo lwezigameko, ngokwemvelo ukusho kanjalo.
Ngakho-ke, nazi izibalo ezisheshayo zonyaka:
56 - izigameko ezirekhodiwe,
2 - kutholwe abasingathi bomthombo wokuhlasela.
Iyasebenzisana, imephu yokuhlasela echofozekayo
Ngesikhathi esifanayo, isixazululo asikhiqizi uhlobo oluthile lokuphakelayo kwe-mega-log noma umcimbi, okuthatha isikhathi eside ukuqondwa. Esikhundleni salokho, isisombululo ngokwaso sihlukanisa imicimbi ngezinhlobo zazo futhi sivumela ithimba lokuvikela ulwazi ukuthi ligxile ngokuyinhloko kweziyingozi kakhulu - lapho umhlaseli ezama ukukhulisa izikhathi zokulawula (ukusebenzelana) noma lapho ukulayishwa okukhokhelwayo okumbambili (ukutheleleka) kuvela kuthrafikhi yethu.
Yonke imininingwane mayelana nemicimbi iyafundeka futhi yethulwe, ngokubona kwami, ngendlela elula ukuyiqonda ngisho nakumsebenzisi onolwazi oluyisisekelo emkhakheni wokuphepha kolwazi.
Iningi lezehlakalo ezirekhodiwe imizamo yokuskena abasingathi bethu noma ukuxhumana okukodwa.
Noma izama ukuhlukumeza amagama ayimfihlo e-RDP
Kodwa kube nezimo ezithakaselayo kakhulu, ikakhulukazi lapho abahlaseli “bekwazile” ukuqagela igama-mfihlo le-RDP futhi bathole ukufinyelela kunethiwekhi yendawo.
Umhlaseli uzama ukwenza ikhodi esebenzisa i-psexec.
Umhlaseli uthole isikhathi esilondoloziwe, esimholele ogibeni ngendlela yeseva ye-Linux. Ngokushesha ngemva kokuxhuma, ngesethi eyodwa yemiyalo elungiselelwe kusengaphambili, izame ukucekela phansi wonke amafayela welogi nokuguquguquka kwesistimu okuhambisanayo.
Umhlaseli uzama ukwenza umjovo we-SQL ku-honeypot elingisa i-SWIFT Web Access.
Ngaphezu kokuhlaselwa okunjalo “okungokwemvelo,” siphinde sazihlola eziningana. Okunye okuveza kakhulu ukuhlola isikhathi sokutholwa kwesikelemu senethiwekhi kunethiwekhi. Ukwenza lokhu sisebenzise ithuluzi elivela ku-GuardiCore elibizwa . Lesi isikelemu senethiwekhi esingaduna i-Windows ne-Linux, kodwa ngaphandle “kokukhokha”.
Sabalalisa isikhungo sokuyala sendawo, sethula isibonelo sokuqala sesikelemu komunye wemishini, futhi sathola isexwayiso sokuqala kukhonsoli yeTrapX esikhathini esingaphansi komzuzu nesigamu. I-TTD imizuzwana engama-90 uma iqhathaniswa nezinsuku eziyi-106 ngokwesilinganiso...
Ngenxa yekhono lokuhlanganisa nezinye izigaba zezixazululo, singasuka ekutholeni izinsongo ngokushesha siye ekuphenduleni kuzo ngokuzenzakalelayo.
Isibonelo, ukuhlanganiswa nezinhlelo ze-NAC (Network Access Control) noma ne-CarbonBlack kuzokuvumela ukuthi unqamule ngokuzenzakalelayo ama-PC onakalisiwe kunethiwekhi.
Ukuhlanganiswa nama-sandbox kuvumela amafayela ahilelekile ekuhlaselweni ukuthi athunyelwe ngokuzenzakalela ukuze ahlaziywe.
Ukuhlanganiswa kwe-McAfee
Isixazululo siphinde sibe nesistimu yaso eyakhelwe ngaphakathi yokuhlanganisa umcimbi.
Kodwa asinelisekile ngamakhono ayo, ngakho-ke siyihlanganise ne-HP ArcSight.
Uhlelo olwakhelwe ngaphakathi lwamathikithi lusiza umhlaba wonke ukuthi ubhekane nezinsongo ezitholiwe.
Njengoba isixazululo sathuthukiswa “kusukela ekuqaleni” ngezidingo zama-ejensi kahulumeni kanye nengxenye enkulu yezinkampani, ngokwemvelo sisebenzisa imodeli yokufinyelela esekelwe indima, ukuhlanganiswa ne-AD, uhlelo oluthuthukisiwe lwemibiko kanye nezinto ezibangela (izixwayiso zomcimbi), i-orchestration ye izakhiwo ezinkulu zokubamba noma abahlinzeki be-MSSP.
Esikhundleni se-resume
Uma kukhona uhlelo olunjalo lokuqapha, okuthi, ngomqondo ongokomfanekiso, lumboze umhlane wethu, ngakho-ke ngokuyekethisa kwe-perimeter yonke into iqala nje. Okubaluleke kakhulu ukuthi kunethuba langempela lokubhekana nezigameko zokuphepha kolwazi, hhayi ukubhekana nemiphumela yazo.
Source: www.habr.com