Honeypot vs Deception: the Xello example


There have already been several articles on Habr about Honeypot and Deception technologies (article 1, article 2). However, we still see a lack of understanding of the difference between these two classes of protective tools. To address this, our colleagues from Xello Deception (the first Russian developer of a Deception platform) decided to describe in detail the differences, advantages and architectural features of these solutions.

First, let's define what "honeypots" and "deception" are:

"Deception technology" appeared on the information security market relatively recently. However, some experts still regard Security Deception as nothing more than advanced honeypots.

In this article we will try to highlight both the similarities and the fundamental differences between these two solutions. In the first part we will talk about honeypots: how this technology developed and what its advantages and disadvantages are. In the second part we will dwell in detail on the operating principles of platforms for building a distributed deception infrastructure (Distributed Deception Platform, DDP).

The basic principle behind honeypots is to create traps for attackers. The first Deception solutions were developed on the same principle. However, modern DDPs are far ahead of honeypots in both functionality and effectiveness. Deception platforms include: decoys (traps), lures (baits), applications, data, databases, Active Directory. Modern DDPs can provide powerful capabilities for threat detection, attack analysis and response automation.

Thus, Deception is a set of techniques for imitating an enterprise IT infrastructure and misleading attackers. As a result, such platforms make it possible to stop an attack before it causes significant damage to the company's assets. Honeypots, of course, have neither such a range of functionality nor such a level of automation, so using them requires higher qualifications from information security staff.

1. Honeypots, Honeynets and Sandboxing: what they are and how they are used

The term "honeypot" was first used in 1989 in Clifford Stoll's book "The Cuckoo's Egg", which describes how a hacker was tracked down at Lawrence Berkeley National Laboratory (USA). The idea was put into practice in 1999 by Lance Spitzner, an information security specialist at Sun Microsystems, who founded the Honeynet Project research project. The first honeypots were very resource-intensive and difficult to configure and maintain.

Let's look in more detail at what honeypots and honeynets are. Honeypots are separate hosts whose purpose is to attract attackers into the company's network and tempt them into trying to steal valuable data, as well as to extend the network's coverage. A honeypot (literally "a pot of honey") is a dedicated server with a set of various network services and protocols such as HTTP, FTP, etc. (see figure 1).

[Figure 1]
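To make the "dedicated server with a set of services" concrete, here is a minimal low-interaction honeypot as an added example; it is not code from the original article or from Xello Deception. It listens on a few ports, serves a plausible banner, records the first bytes each client sends and emits a structured event for the SIEM. The banners, port map and classification heuristics are assumptions chosen for illustration.

```python
"""Minimal low-interaction honeypot: fake service banners plus JSON event log.

Added example, not code from the original article or from Xello Deception.
The banners, the port map and the classification heuristics are assumptions.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Banner sent to every client on each listening port (assumed values).
BANNERS = {
    21: b"220 (vsFTPd 3.0.3)\r\n",
    22: b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    80: b"",  # an HTTP server speaks only after the client sends a request
}

SERVICE_NAMES = {21: "ftp", 22: "ssh", 80: "http"}


def classify_payload(port, payload):
    """Label the first bytes a client sent so the event is easier to triage.

    Heuristics only: a real honeypot would parse each protocol properly.
    """
    if not payload:
        return "empty-connect"  # port scan or plain banner grab
    head = payload[:64].upper()
    if port == 22 and head.startswith(b"SSH-"):
        return "ssh-client-hello"
    if port == 21 and head.startswith(b"USER "):
        return "ftp-login-attempt"
    if port == 80 and any(head.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ")):
        return "http-request"
    return "unknown"


def build_event(peer, port, payload, now=None):
    """Turn one connection into a structured event for the SIEM."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "service": SERVICE_NAMES.get(port, "unknown"),
        "label": classify_payload(port, payload),
        "payload_hex": payload[:256].hex(),
    }


def handle(conn, peer, port, sink):
    """Serve the banner, read at most one chunk, log the event, close.

    `sink` is any callable that accepts the event dict (print, a syslog
    forwarder, ...).  The event is also returned for convenience.
    """
    conn.settimeout(5)
    try:
        if BANNERS[port]:
            conn.sendall(BANNERS[port])
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
    finally:
        conn.close()
    event = build_event(peer, port, data)
    sink(event)
    return event


def serve(port, sink=lambda e: print(json.dumps(e))):
    """Accept connections forever on `port` (blocking; run it in a thread)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, port, sink), daemon=True).start()


if __name__ == "__main__":
    # Ports below 1024 need root.  In practice run this as an unprivileged
    # user on an isolated host or VM, never on a production server: a
    # compromised honeypot is itself a foothold (see limitation 4 below).
    for p in BANNERS:
        threading.Thread(target=serve, args=(p,), daemon=True).start()
    threading.Event().wait()
```

The value of even this toy is the `label` field: an `ftp-login-attempt` against a host that has no legitimate users is a stronger signal than a bare connection, which could be an inventory scanner. Everything else the article lists as honeypot limitations (no response automation, no integration, manual scaling) is visible here too: the script only logs.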

If you combine several honeypots in one network, you get a more effective system, a honeynet, which imitates the company's corporate network (web server, file server and other network components). This solution lets you understand the attackers' strategy and mislead them. A typical honeynet, as a rule, runs in parallel with the production network and is completely independent of it. Such a "network" can be published on the Internet over a separate channel, and a separate IP address range can also be allocated to it (see figure 2).

[Figure 2]

The point of using a honeynet is to show the hacker that he has supposedly penetrated the organization's corporate network, while in fact the attacker is "in an isolated environment" and under the close supervision of information security specialists (see figure 3).

[Figure 3]

Here it is also worth mentioning a tool such as the "sandbox", in which malware delivered by attackers can be installed and run in an isolated environment where IT specialists can monitor its activity, identify potential risks and take the necessary countermeasures. Currently, sandboxing is usually implemented on dedicated virtual machines on a virtualization host. However, it should be noted that sandboxing only shows how malicious and dangerous programs behave, whereas a honeynet helps a specialist analyze the behavior of the "dangerous players" themselves.

The obvious advantage of honeynets is that they mislead attackers and waste their energy, resources and time. As a result, instead of real targets they attack fake ones and may give up attacking the network without achieving anything. Most often, honeynet technology is used in government agencies, large corporations and financial organizations, since these are the targets of major cyberattacks. However, small and medium businesses (SMB) also need effective tools for preventing information security incidents, but honeynets in the SMB sector are not very practical because of the lack of staff qualified for such complex work.

Limitations of Honeypot and Honeynet solutions

Why are honeypots and honeynets not the best solutions available today for countering attacks? It should be noted that attacks are becoming larger, more technically complex and capable of causing serious damage to an organization's IT infrastructure, while cybercrime has reached a completely different level and is now a highly organized shadow business equipped with all the necessary resources. Add to this the "human factor" (errors in software and hardware configuration, insider actions, etc.), and technology alone is no longer enough to prevent attacks.

Below we list the main limitations and disadvantages of honeypots (honeynets):

  1. Honeypots were originally designed to identify threats outside the corporate network; they are intended mainly for analyzing attacker behavior and are not designed for rapid response to threats.

  2. Attackers, as a rule, have already learned to recognize emulated systems and avoid honeypots.

  3. Honeynets (honeypots) have an extremely low level of interaction and integration with other security systems. As a result, with honeypots it is difficult to obtain detailed information about attacks and attackers, and therefore to respond to information security incidents effectively and quickly. Moreover, information security specialists receive a large number of false threat alerts.

  4. In some cases, cybercriminals can use a compromised honeypot as a foothold for further attacks on the organization's network.

  5. There are often problems with the scalability, high operational load and configuration of honeypots (they require highly qualified specialists, lack a convenient management interface, etc.). Deploying honeypots in specialized environments such as IoT, POS, cloud systems, etc. is very difficult.

2. Deception technology: advantages and basic operating principles

Having examined all the advantages and disadvantages of honeypots, we conclude that a completely new approach to responding to information security incidents is needed in order to develop a fast and adequate response to attackers' actions. That solution is Cyber deception (Security deception) technology.

The terms "Cyber deception", "Security deception", "Deception technology" and "Distributed Deception Platform" (DDP) are new and appeared relatively recently. In essence, all of them mean the use of "deception technologies" or "techniques for imitating IT infrastructure and misinforming attackers". The simplest Deception solutions are a development of the honeypot idea, only at a more technologically advanced level that involves greater automation of detection and response. However, there are already serious DDP-class solutions on the market that offer easy deployment and scaling, as well as a serious arsenal of "traps" and "baits" for attackers. For example, Deception lets you imitate IT infrastructure objects such as databases, workstations, routers, switches, ATMs, servers and SCADA, medical devices and IoT.

How does a Distributed Deception Platform work? After a DDP is deployed, the organization's IT infrastructure effectively consists of two layers: the first layer is the company's real infrastructure, and the second is an "emulated" environment consisting of decoys (traps) and lures (baits), which are hosted on real physical network devices (see Figure 4).

[Figure 4]

For example, an attacker may discover fake databases with "confidential documents" or fake credentials of supposedly "privileged users". All of these are false targets that can interest intruders and thereby divert their attention from the company's real information assets (see Figure 5).

[Figure 5]

DDPs are a new phenomenon on the information security product market; these solutions are only a few years old, and so far only the enterprise sector can afford them. But soon SMBs will also be able to benefit from Deception by renting a DDP from specialized providers as a service. This option is even more convenient, since there is no need for highly qualified in-house staff.

The main advantages of Deception technology are shown below:

  • Authenticity. Deception technology is capable of reproducing a completely authentic IT environment of the company, imitating operating systems, IoT, POS, specialized systems (medical, industrial, etc.), services, applications, credentials and so on with high fidelity. Decoys are carefully mixed into the production environment, and an attacker will not be able to identify them as honeypots.

  • Implementation. DDPs use machine learning (ML) in their operation. ML provides simplicity, flexibility of configuration and efficiency of the Deception deployment. "Traps" and "baits" are updated very quickly, drawing the attacker into the company's "false" IT infrastructure, while advanced analytics systems based on artificial intelligence detect the attackers' active actions and block them (for example, an attempt to access Active Directory using fake accounts).

  • Ease of operation. A modern Distributed Deception Platform is easy to maintain and manage. As a rule, it is managed through a local or cloud console, and it can be integrated with the corporate SOC (Security Operations Center) via an API and with many existing security controls. Maintaining and operating a DDP does not require the services of highly qualified security experts.

  • Scalability. Security Deception can be deployed in physical, virtual and cloud environments. DDPs also work successfully with specialized environments such as IoT, ICS, POS, SWIFT, etc. Advanced Deception platforms can project "deception technologies" into remote offices and isolated environments without the need to deploy an additional full platform there.

  • Interaction. Using realistic and attractive decoys based on real operating systems and intelligently placed among the real IT infrastructure, the Deception platform collects extensive information about the attacker. The DDP then issues threat alerts, generates reports, and automated response to information security incidents takes place.

  • Attack starting point. In modern Deception, traps and baits are placed inside the network perimeter, not outside it (as is the case with honeypots). This distribution model prevents the attacker from using the traps as a foothold for attacking the company's real IT infrastructure. More advanced Deception-class solutions have traffic routing capabilities, so that all attacker traffic can be directed through a dedicated connection. This lets you analyze the intruders' activity without endangering valuable company assets.

  • Persuasiveness of "deception technologies". In the initial stage of an attack, attackers collect and analyze data about the IT infrastructure and then use it to move laterally through the corporate network. With "deception technologies", the attacker will inevitably fall into "traps" that lead him away from the organization's real assets. The DDP analyzes possible credential access paths in the corporate network and offers the attacker "false targets" instead of real credentials. Honeypot technology sorely lacks these capabilities (see figure 6).

[Figure 6]

Deception VS Honeypot

And finally we come to the most interesting point of our study. We will try to highlight the main differences between Deception technology and Honeypots. Despite some similarities, these two technologies are very different, from the basic concept to operational efficiency.

  1. Different basic concepts. As we wrote above, honeypots are installed as "bait" around the company's valuable assets (outside the corporate network), thereby trying to distract attackers. Although honeypot technology relies on an understanding of the organization's infrastructure, honeypots can become a starting point for an attack on the company's network. Deception technology is designed from the attacker's point of view and lets you identify an attack at an early stage; thus, information security specialists gain a significant advantage over attackers and buy time.

  2. "Attraction" VS "Confusion". When using honeypots, success depends on attracting the attackers' attention and further motivating them to move toward the target in the honeypot. This means the attacker still has to reach the honeypot before you can stop him. Thus, the intruders' presence in the network can last several months or more, which leads to data leaks and damage. A DDP faithfully imitates the company's real IT infrastructure; the purpose of deploying it is not just to attract the attacker's attention, but to confuse him so that he wastes time and resources without ever gaining access to the company's real assets.

  3. "Limited scalability" VS "automatic scalability". As noted earlier, honeypots and honeynets have scaling problems. It is difficult and expensive: to increase the number of honeypots in the corporate system, you have to add new machines and operating systems, buy licenses and allocate IP addresses. In addition, qualified staff are needed to manage these systems. Deception platforms deploy automatically as the infrastructure scales, without significant overhead.

  4. "Large number of false positives" VS "no false positives". The essence of the problem is that even an ordinary user may stumble upon a honeypot, so the "flip side" of this technology is a large number of false positives that distract information security specialists from their work. "Baits" and "traps" in a DDP are carefully hidden from the ordinary user and are designed only for the attacker, so every signal from such a system is a warning about a real threat, not a false positive.
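The mechanism behind the fake credentials described in the DDP section (Figure 5) and the "no false positives" claim in point 4 is the same: a lure is something no legitimate user is ever given, so any use of it is attacker activity by definition. The following added example (not code from the original article or from Xello Deception) shows the detection side of that idea over sshd-style authentication logs. The decoy account names, the places they are said to be planted, the log format and the sample lines are all constructed for illustration.

```python
"""Decoy-credential (lure) detection over authentication logs.

Added example, not code from the original article or from Xello Deception.
Decoy names, planting locations, log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Accounts that exist only as bait.  They are planted on real hosts (a saved
# script, a config file) and never issued to real users, so a normal user's
# typo cannot hit them: every use is attacker activity.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "planted in C:\\Scripts\\backup.ps1 on WS-0042",
    "sql_reporting": "planted in ~/.my.cnf on app-srv-07",
}

# sshd syslog lines (constructed).  A real deployment would also parse
# Windows 4624/4625/4768 events, VPN and database logs, etc.
SAMPLE_LOG = """\
Mar  3 09:14:02 app-srv-07 sshd[2231]: Accepted password for alice from 10.0.1.10 port 40212 ssh2
Mar  3 09:14:55 app-srv-07 sshd[2240]: Failed password for alice from 10.0.1.10 port 40220 ssh2
Mar  3 09:20:17 db-srv-02 sshd[3012]: Invalid user sql_reporting from 10.0.5.17 port 51240
Mar  3 09:20:17 db-srv-02 sshd[3012]: Failed password for invalid user sql_reporting from 10.0.5.17 port 51240 ssh2
Mar  3 09:21:03 bastion-01 sshd[4410]: Failed password for invalid user svc_backup_admin from 10.0.5.17 port 51251 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<user2>\S+))"
    r" from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str
    where_planted: str


def parse_auth_line(line: str) -> Optional[dict]:
    """Extract timestamp, host, username, source IP and outcome from one line."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "user": m.group("user") or m.group("user2"),
        "src": m.group("src"),
        "result": m.group("result") or "Invalid user",
    }


def detect_decoy_use(log_text: str) -> List[Alert]:
    """Return one Alert per distinct use of a decoy account.

    sshd writes an "Invalid user" line and a "Failed password" line for the
    same attempt, so attempts are deduplicated on (user, src, timestamp).
    Ordinary failed logins (alice mistyping her password) produce nothing.
    """
    alerts: List[Alert] = []
    seen = set()
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None or rec["user"] not in DECOY_ACCOUNTS:
            continue
        key = (rec["user"], rec["src"], rec["ts"])
        if key in seen:
            continue
        seen.add(key)
        alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"],
                            rec["result"], DECOY_ACCOUNTS[rec["user"]]))
    return alerts


def pivot_summary(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alerts by source IP: one source touching several decoys on
    several hosts is lateral movement, which is what the lures are for."""
    hosts: Dict[str, set] = {}
    for a in alerts:
        hosts.setdefault(a.src, set()).add(a.host)
    return {src: sorted(h) for src, h in hosts.items()}


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host}: decoy '{a.user}' used from {a.src} ({a.result}); {a.where_planted}")
    print("pivot summary:", pivot_summary(found))
```

The `where_planted` field is the piece honeypots cannot give you: because each lure is tied to the host it was planted on, an alert tells the analyst not only that 10.0.5.17 is hostile but which workstation the attacker already has a foothold on, before any real credential has been touched.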

Conclusion

In our opinion, Deception technology is a huge step forward compared to the older Honeypot technology. In essence, the DDP has become a comprehensive security platform that is easy to deploy and manage.

Modern platforms of this class play an important role in accurately detecting and effectively responding to network threats, and their integration with other components of the security stack raises the level of automation and increases the efficiency and effectiveness of incident response. Deception platforms are built on authenticity, scalability, ease of management and integration with other systems. All of this gives a significant advantage in the speed of response to information security incidents.

Also, based on observations of pentests at companies where the Xello Deception platform was deployed or tested, we can conclude that even experienced pentesters are usually unable to recognize the traps in the corporate network and fail, falling into them. This fact once again confirms the effectiveness of Deception and the good prospects that lie ahead for this technology.

Product testing

If you are interested in the Deception platform, we are ready to conduct joint testing.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com
