Threat Hunting, or How to Protect Yourself from the 5% of Threats

95% of information security threats are known, and you can protect yourself from them with traditional means such as antivirus, firewalls, IDS and WAF. The remaining 5% of threats are unknown and the most dangerous. They account for 70% of a company's risk because they are very difficult to detect, let alone defend against. Examples of such "black swans" are the WannaCry ransomware epidemic, NotPetya/ExPetr, cryptominers, the "cyber weapon" Stuxnet (which hit Iran's nuclear facilities) and many other attacks (does anyone else remember Kido/Conficker?) against which classic security measures offer little protection. We want to talk about how to counter these 5% of threats using Threat Hunting.

The continuous evolution of cyber attacks demands constant detection and countermeasures, which ultimately leads us to think of an endless arms race between attackers and defenders. Classic protection systems can no longer provide an acceptable level of security, one at which the residual risk does not affect the company's key indicators (economic, political, reputational), without being adapted to a specific infrastructure, although in general they do cover some of the risks. Already during implementation and configuration, modern security systems find themselves playing catch-up and have to respond to the challenges of a new era.


Threat Hunting can be one of the answers to the challenges our time poses to information security specialists. The term Threat Hunting (hereinafter TH) appeared a few years ago. The technology itself is very interesting, but it does not yet have generally accepted standards and rules. The matter is further complicated by the heterogeneity of information sources and the small number of Russian-language sources on the subject. For that reason we at LANIT-Integration decided to write a review of this technology.

Relevance

TH is based on infrastructure monitoring processes. There are two main scenarios for internal monitoring: Alerting and Hunting. Alerting (similar to MSSP services) is the traditional method of searching for previously developed signatures and signs of attacks and responding to them. This scenario is successfully covered by traditional signature-based protection tools. Hunting (an MDR-type service) is a monitoring method that answers the question "Where do the signatures and rules come from?" It is the process of creating correlation rules by analysing hidden or previously unknown indicators and signs of an attack. Threat Hunting refers to this type of monitoring.

Only by combining both types of monitoring do we get protection that is close to ideal, but there is always a certain level of residual risk.

[Figure: Protection using two types of monitoring]

And this is why TH (and hunting in full!) will become ever more relevant:

[Figure: Threats, countermeasures, risks]

95% of all threats have already been well studied. These include spam, DDoS, viruses, rootkits and other classic malware. You can protect yourself from these threats with the same classic security measures.

In any project, 80% of the work takes 20% of the time, and the remaining 20% of the work takes 80% of the time. Likewise, across the whole threat landscape, 5% of new threats will account for 70% of a company's risk. In a company where information security management processes are organised, we can manage the 30% of risk arising from known threats in one way or another by avoiding it (refusing wireless networks on principle), accepting it (implementing the necessary security measures) or transferring it (for example, onto the shoulders of an integrator). Protecting yourself against zero-day vulnerabilities, APT attacks, phishing, supply chain attacks, cyber espionage and nation-state operations, and a great many other attacks is already much more difficult. The consequences of these 5% of threats will be far more severe (the average bank loss from the buhtrap group is 143 million) than the consequences of spam or viruses, which antivirus software saves us from.

Almost everyone has to deal with the 5% of threats. Recently we needed to install an open source solution that uses an application from the PEAR (PHP Extension and Application Repository) repository. An attempt to install this application through the PEAR installer failed because the website was unavailable (there is now a stub on it), and I had to install it from GitHub. And just recently it turned out that PEAR had become the victim of a supply chain attack.


Do you remember the attack through CCleaner, or the NotPetya ransomware epidemic delivered through the update module of the MEDoc tax reporting software? Threats are becoming ever more sophisticated, and the logical question arises: "How can we counter these 5% of threats?"

Definition of Threat Hunting

So, Threat Hunting is the process of proactively and iteratively searching for and detecting advanced threats that cannot be detected by traditional protection tools. Advanced threats include, for example, APT-style attacks, attacks on 0-day vulnerabilities, Living off the Land, and so on.

We can also say that TH is the process of testing hypotheses. It is a predominantly manual process with elements of automation, in which the analyst, relying on their knowledge and skills, sifts through large volumes of information in search of signs of compromise that match an initially formulated hypothesis about the presence of a particular threat. Its distinctive feature is the variety of information sources.

It should be noted that Threat Hunting is not a particular kind of software or hardware product. It is not a set of alerts that can be seen in some solution. It is not an IOC (Indicators of Compromise) search process. And it is not some kind of passive activity that happens without the participation of information security analysts. Threat Hunting is first and foremost a process.

Components of Threat Hunting

The three main components of Threat Hunting: data, technology, people.

Data (what?), including Big Data. All kinds of traffic flows, information about previous APTs, analytics, user data, network data, information from employees, information from the darknet and much more.

Technology (how?) for processing this data: all possible ways of processing it, including Machine Learning.

People (who?): those with extensive experience in analysing various attacks, developed intuition and the ability to detect an attack. Usually these are information security analysts who must be able to generate hypotheses and find confirmation for them. They are the main link in the process.

The PARIS model

Adam Bateman describes the PARIS model of the ideal TH process. The name alludes to a famous landmark in France. The model can be viewed in two directions: from the top and from the bottom.

As we work our way from the bottom up, we encounter a great deal of evidence of malicious activity. Each piece of evidence has a measure called confidence, a characteristic reflecting the weight of that evidence. There is "iron", direct evidence of malicious activity, on the basis of which we can immediately reach the top of the pyramid and raise an actual alert about a precisely known infection. And there is indirect evidence, the sum of which can also lead us to the top of the pyramid. As a rule, there is far more indirect evidence than direct evidence, which means it has to be filtered and analysed, additional research has to be done, and it is advisable to do this automatically.

[Figure: The PARIS model]

The upper part of the model (1 and 2) rests on automation technologies and various analytics, while the lower part (3 and 4) rests on people with particular qualifications who run the process. You can also view the model from the top down: in the upper, blue part we have alerts from traditional security tools (antivirus, EDR, firewall, signatures) with a high degree of confidence and trust, and below them are indicators (IOC, URL, MD5 and others) with a lower degree of confidence that require further study. The lowest and widest level (4) is the generation of hypotheses, the creation of new scenarios for the operation of traditional protection tools. This level is not limited to the listed sources of hypotheses. The lower the level, the greater the demands placed on the analyst's qualifications.

It is very important that analysts do not just test a finite set of predefined hypotheses, but constantly work on generating new hypotheses and ways of testing them.
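The distinction the PARIS model draws between "iron" evidence and accumulated indirect evidence can be made concrete with a small scoring routine. The following is an added example written for this review; it is not code from the article or from Adam Bateman. The evidence kinds, their per-kind confidence weights, the noisy-OR combination and the alert threshold are all assumptions chosen for the illustration, and the observations are constructed.

```python
"""Evidence scoring in the spirit of the PARIS model: direct ("iron") evidence
alerts on its own; indirect indicators are aggregated per host and alert only
when their combined confidence crosses a threshold."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed (is_direct, confidence) per evidence kind; not from the article.
WEIGHTS = {
    "av_signature":       (True,  0.95),
    "edr_alert":          (True,  0.90),
    "ioc_hash":           (False, 0.40),
    "ioc_url":            (False, 0.35),
    "rare_parent_child":  (False, 0.30),
    "new_scheduled_task": (False, 0.20),
}
INDIRECT_THRESHOLD = 0.75  # assumed threshold for combined indirect evidence


@dataclass(frozen=True)
class Evidence:
    host: str
    kind: str
    direct: bool
    confidence: float


def make_evidence(host: str, kind: str) -> Evidence:
    direct, confidence = WEIGHTS[kind]
    return Evidence(host, kind, direct, confidence)


def combine(confidences) -> float:
    """Noisy-OR: probability that at least one observation is a true positive."""
    p_none = 1.0
    for c in confidences:
        p_none *= 1.0 - c
    return 1.0 - p_none


def triage(evidence):
    """Map host -> (verdict, score, evidence kinds).

    verdict is "alert" (direct evidence, or enough indirect evidence),
    "investigate" (several weak indicators below the threshold) or "noise".
    """
    per_host = defaultdict(list)
    for e in evidence:
        per_host[e.host].append(e)

    verdicts = {}
    for host, items in per_host.items():
        kinds = sorted(e.kind for e in items)
        direct = [e for e in items if e.direct]
        if direct:
            # "Iron" evidence: straight to the top of the pyramid.
            verdicts[host] = ("alert", max(e.confidence for e in direct), kinds)
            continue
        score = round(combine(e.confidence for e in items), 3)
        if score >= INDIRECT_THRESHOLD:
            verdicts[host] = ("alert", score, kinds)
        elif len(items) >= 2:
            verdicts[host] = ("investigate", score, kinds)
        else:
            verdicts[host] = ("noise", score, kinds)
    return verdicts


# Constructed sample observations (not real telemetry).
SAMPLE = [
    make_evidence("ws01", "av_signature"),
    make_evidence("ws02", "ioc_hash"),
    make_evidence("ws02", "ioc_url"),
    make_evidence("ws02", "rare_parent_child"),
    make_evidence("ws02", "new_scheduled_task"),
    make_evidence("ws03", "ioc_url"),
    make_evidence("ws04", "ioc_hash"),
    make_evidence("ws04", "rare_parent_child"),
]

if __name__ == "__main__":
    for host, (verdict, score, kinds) in sorted(triage(SAMPLE).items()):
        print(f"{host}: {verdict:<11} score={score:.3f} evidence={kinds}")
```

Running the block shows the three outcomes the model describes: ws01 alerts immediately on a signature hit, ws02 alerts because four weak indicators together exceed the threshold, ws04 lands in the "investigate" bucket that the article says should be worked through (ideally automatically), and a lone URL indicator on ws03 stays noise. The weights are the part a real team would tune against its own false-positive history.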

TH maturity model

In an ideal world, TH is a continuous process. But since there is no ideal world, let us look at the maturity model and the approaches in terms of the people, processes and technologies involved. Consider a model of ideal, "spherical" TH. There are five levels of use of this technology. Let us look at them using the example of the evolution of a single team of analysts.

Maturity level / People / Processes / Technology

Level 0: Traditional
People: SOC analysts, 24/7.
Processes: a fixed set of alerts; passive monitoring; no TH; working with alerts.
Technology: traditional tools: IDS, AV, sandboxing, signature analysis tools, Threat Intelligence data.

Level 1: Experimental
People: SOC analysts; basic forensics knowledge; good knowledge of networks and applications.
Processes: one-time TH; IOC search; experiments with TH.
Technology: EDR; partial coverage of data from network devices; partial use of the tools.

Level 2: Periodic
People: temporary team; standard forensics knowledge; very good knowledge of networks and applications.
Processes: sprints; a week per month; temporary TH; regular TH.
Technology: EDR, fully used; full automation of EDR data processing; partial use of advanced EDR capabilities.

Level 3: Preventive
People: dedicated TH team, 24/7; very good knowledge of forensics and malware; very good knowledge of the offensive side.
Processes: partial capability to test TH hypotheses; preventive TH; special TH cases.
Technology: full use of advanced EDR capabilities; full coverage of data from network devices; tools configured to the team's needs.

Level 4: Leading
People: dedicated TH team, 24/7; very good knowledge of forensics and malware; very good knowledge of the offensive side; research capability.
Processes: full capability to test TH hypotheses; preventive TH; TH in routine use; testing, automation and validation of TH hypotheses.
Technology: everything from Level 3, plus tight integration of data sources, custom development and non-standard use of APIs.

TH maturity levels by people, processes and technology

Level 0: traditional, without TH. Ordinary analysts work with a standard set of alerts in passive monitoring mode using standard tools and technologies: IDS, AV, sandbox, signature analysis tools.

Level 1: experimental, with TH. The same analysts, with basic forensics knowledge and good knowledge of networks and applications, can perform one-time Threat Hunting by searching for indicators of compromise. EDR is added to the toolset, with partial coverage of data from network devices. The tools are only partially used.

Level 2: periodic, temporary TH. The same analysts, having improved their knowledge of forensics, networks and the application layer, are required to engage in Threat Hunting regularly (in sprints), say one week per month. The tools gain full coverage of data from network devices, automated analysis of EDR data, and partial use of advanced EDR capabilities.

Level 3: preventive, regular TH cases. Our analysts have organised themselves into a dedicated team and now have very good knowledge of forensics and malware, as well as knowledge of the methods and tactics of the offensive side. The process is already run 24/7. The team is able to test some TH hypotheses while fully using the advanced capabilities of EDR with full coverage of data from network devices. The analysts are also able to configure the tools to their needs.

Level 4: leading, TH in routine use. The same team has acquired research capability and the ability to generate hypotheses and automate the process of testing them. The tools are now supplemented with tight integration of data sources, custom software development and non-standard use of APIs.

Threat Hunting techniques

[Figure: Basic Threat Hunting techniques]

The TH techniques, in order of the maturity of the technology involved, are: basic search, statistical analysis, visualisation techniques, simple aggregation, machine learning and Bayesian methods.

The simplest method, basic search, is used to narrow the area of investigation with specific queries. Statistical analysis is used, for example, to build a picture of typical user or network activity in the form of a statistical model. Visualisation techniques are used to display data as graphs and charts and simplify its analysis, which makes it much easier to spot patterns in a sample. Simple aggregation by key fields is used to make search and analysis more efficient. The more mature an organisation's TH process becomes, the more relevant machine learning algorithms become. They are also widely used in spam filtering, detecting malicious traffic and detecting fraudulent activity. A more advanced class of machine learning algorithms is Bayesian methods, which allow classification, sample size reduction and topic modelling.
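Three of the techniques just listed, basic search, statistical baselining and simple aggregation ("stacking"), are short enough to show together on one set of process events. This is an added example written for this review, not code from the article; the events are constructed, and the field names (host, user, proc, bytes) and the thresholds are assumptions made for the illustration.

```python
"""Basic search, stacking and per-user statistical baselining over
constructed process events."""
import statistics
from collections import Counter, defaultdict

# Constructed sample: one process event per row (not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "alice", "proc": "outlook.exe",  "bytes": 1200},
    {"host": "ws01", "user": "alice", "proc": "chrome.exe",   "bytes": 800},
    {"host": "ws01", "user": "alice", "proc": "outlook.exe",  "bytes": 1100},
    {"host": "ws01", "user": "alice", "proc": "svchost.exe",  "bytes": 300},
    {"host": "ws02", "user": "carol", "proc": "chrome.exe",   "bytes": 700},
    {"host": "ws02", "user": "carol", "proc": "svchost.exe",  "bytes": 310},
    {"host": "ws02", "user": "carol", "proc": "outlook.exe",  "bytes": 1000},
    {"host": "ws07", "user": "bob",   "proc": "svchost.exe",  "bytes": 500},
    {"host": "ws07", "user": "bob",   "proc": "outlook.exe",  "bytes": 520},
    {"host": "ws07", "user": "bob",   "proc": "chrome.exe",   "bytes": 480},
    {"host": "ws07", "user": "bob",   "proc": "svchost.exe",  "bytes": 510},
    {"host": "ws07", "user": "bob",   "proc": "outlook.exe",  "bytes": 490},
    {"host": "ws07", "user": "bob",   "proc": "svchost.exe",  "bytes": 505},
    {"host": "ws07", "user": "bob",   "proc": "chrome.exe",   "bytes": 515},
    {"host": "ws07", "user": "bob",   "proc": "outlook.exe",  "bytes": 495},
    {"host": "ws07", "user": "bob",   "proc": "svchost.exe",  "bytes": 500},
    {"host": "ws07", "user": "bob",   "proc": "certutil.exe", "bytes": 9000},
]


def basic_search(events, **criteria):
    """Narrow the area of investigation with exact-match criteria, e.g. user="bob"."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stack(events, field):
    """Simple aggregation ("stacking"): value counts, least common first."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def rare_values(events, field, max_count=1):
    """Values of `field` seen at most `max_count` times: the long tail worth a look."""
    return [value for value, count in stack(events, field) if count <= max_count]


def baseline_outliers(events, key_field, value_field, z=2.0, min_samples=5):
    """Per-key statistical baseline: flag values more than `z` standard
    deviations above that key's mean. Keys with too little history are skipped.
    A single large outlier inflates the standard deviation, so for noisy data a
    robust estimator (median/MAD) is the better choice; the mean is used here
    for clarity."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key_field]].append(e)

    flagged = []
    for key, items in groups.items():
        values = [e[value_field] for e in items]
        if len(values) < min_samples:
            continue
        mean = statistics.mean(values)
        stdev = statistics.stdev(values)
        if stdev == 0:
            continue
        for e in items:
            score = (e[value_field] - mean) / stdev
            if score > z:
                flagged.append({key_field: key, "event": e, "z": round(score, 2)})
    return flagged


if __name__ == "__main__":
    print("stack by process:", stack(EVENTS, "proc"))
    print("rare processes:", rare_values(EVENTS, "proc"))
    print("bob's certutil runs:", basic_search(EVENTS, user="bob", proc="certutil.exe"))
    print("baseline outliers:", baseline_outliers(EVENTS, "user", "bytes"))
```

Stacking surfaces the one process name that appears only once, the baseline flags the one event whose volume is far above that user's norm, and basic search then pulls the matching rows for closer inspection; on real data the three are usually chained in exactly that order.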

The Diamond model and TH strategies

Sergio Caltagirone, Andrew Pendergast and Christopher Betz, in their paper "The Diamond Model of Intrusion Analysis", showed the key components of any malicious activity and the basic connections between them.

[Figure: Diamond model of malicious activity]

According to this model, there are four Threat Hunting strategies, each based on one of the corresponding key components.

1. Victim-centric strategy. We assume the victim has adversaries and that they will deliver "opportunities" by email. We look for adversary data in the mail. We search for links, attachments, and so on. We look for confirmation of this hypothesis over a certain period (a month, two weeks); if we do not find it, the hypothesis did not pan out.

2. Infrastructure-centric strategy. There are several ways to apply this strategy. Depending on access and visibility, some are easier than others. For example, we monitor domain name servers known to host malicious domains. Or we monitor all new domain registrations for a known pattern used by the adversary.

3. Capability-centric strategy. Besides the victim-centric strategy used by most network defenders, there is the capability-centric strategy. It is the second most popular and focuses on detecting the adversary's capabilities, namely "malware" and the adversary's ability to use legitimate tools such as psexec, powershell, certutil and others.

4. Adversary-centric strategy. The adversary-centric approach focuses on the adversary itself. It includes the use of open information from publicly available sources (OSINT), collecting data about the adversary and its tactics, techniques and procedures (TTP), analysing previous incidents, Threat Intelligence data, and so on.
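The capability-centric strategy (3) is the one most easily turned into a testable hypothesis on endpoint telemetry: the legitimate tools the article names (psexec, powershell, certutil) run all day in any enterprise, so the hunt is about context rather than mere presence. The following added example, which is not code from the article, scores each execution of those tools by which parent launched it, whether the command line references a remote URL, and (for psexec) whether the account looks like a service account. The events, the list of user-facing parent applications and the "svc_" account-naming convention are assumptions made for the illustration.

```python
"""Capability-centric hunt: legitimate tools run in suspicious context."""
import re
from dataclasses import dataclass

LOLBINS = {"powershell.exe", "certutil.exe", "psexec.exe"}  # tools named in the article
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}  # assumption
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str    # executable name of the new process
    parent: str   # executable name of the parent process
    cmdline: str


def reasons(event: ProcessEvent):
    """Contextual signals supporting the hypothesis for this event.
    An empty list means the execution looks like ordinary use."""
    image = event.image.lower()
    if image not in LOLBINS:
        return []
    found = []
    if event.parent.lower() in USER_FACING_PARENTS:
        found.append("launched by a user-facing application")
    if URL_RE.search(event.cmdline):
        found.append("command line references a remote URL")
    if image == "psexec.exe" and not event.user.lower().startswith("svc_"):
        # Assumes deployment accounts are named svc_*; adjust to local convention.
        found.append("psexec run by a non-service account")
    return found


def hunt(events):
    """Events that support the hypothesis, paired with their reasons."""
    return [(e.host, e.image, reasons(e)) for e in events if reasons(e)]


# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcessEvent("ws01", "alice", "powershell.exe", "explorer.exe",
                 "powershell.exe -File backup.ps1"),
    ProcessEvent("ws02", "bob", "powershell.exe", "winword.exe",
                 "powershell.exe -Command Get-Process"),
    ProcessEvent("ws03", "carol", "certutil.exe", "cmd.exe",
                 "certutil.exe http://files.example.invalid/x.bin"),
    ProcessEvent("srv01", "svc_deploy", "psexec.exe", "deploy.exe",
                 "psexec.exe \\\\srv02 update.bat"),
    ProcessEvent("ws04", "dave", "psexec.exe", "explorer.exe",
                 "psexec.exe \\\\srv02 update.bat"),
    ProcessEvent("ws05", "erin", "notepad.exe", "explorer.exe",
                 "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, image, why in hunt(SAMPLE):
        print(f"{host} {image}: {'; '.join(why)}")
```

Only three of the six events come back: the administrator's scripted backup on ws01 and the deployment account's psexec on srv01 are left alone, which is the point of the strategy; the hunt is looking for the capability being used in a way the environment does not normally use it, not for the tool itself.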

Sources of information and hypotheses in TH

[Figure: Some sources of information for Threat Hunting]

There can be many sources of information. The ideal analyst should be able to extract information from everything around them. Typical sources in almost any infrastructure are data from protection tools: DLP, SIEM, IDS/IPS, WAF/FW, EDR. Other typical sources are various indicators of compromise, Threat Intelligence services, CERT data and OSINT. In addition, you can use information from the darknet (for example, an order suddenly appears to break into the mailbox of the head of the organisation, or a candidate for a network engineer position has been exposed for their activity there), information obtained from HR (references for a candidate from a previous place of work), and information from the security service (for example, the results of counterparty checks).

But before using all the available sources, you need to have at least one hypothesis.


To test hypotheses, they first have to be put forward. And to put forward many high-quality hypotheses, a systematic approach is needed. The process of generating hypotheses is described in more detail in the article; it is very convenient to take that scheme as the basis for the process of putting forward hypotheses.

The main source of hypotheses will be the ATT&CK matrix (Adversarial Tactics, Techniques and Common Knowledge). It is essentially a knowledge base and model for assessing the behaviour of attackers in the final stages of an attack, usually described using the Kill Chain concept: that is, the stages after the attacker has penetrated the enterprise's internal network or a mobile device. The knowledge base originally included descriptions of 121 tactics and techniques used in attacks, each described in detail in Wiki format. Various Threat Intelligence analytics are also well suited as a source for generating hypotheses. Of particular note are the results of infrastructure analysis and penetration testing; this is the most valuable data, since it can give us ironclad hypotheses grounded in a specific infrastructure with its specific shortcomings.

The hypothesis testing process

Sergei Soldatov produced a good diagram with a detailed description of the process, illustrating the testing of TH hypotheses in a single scheme. I will show the main stages with a brief description.


Stage 1: TI farm

At this stage, objects have to be singled out (by analysing them together with all the threat data) and labelled with their characteristics. These are files, URLs, MD5 hashes, processes, utilities, events. When passing them through Threat Intelligence systems, tags have to be attached: this site was seen as a C&C in such-and-such a year, this MD5 was associated with such-and-such malware, this MD5 was downloaded from a site distributing malware.

Stage 2: Cases

At the second stage, we look at the interactions between these objects and identify the relationships among all of them. We obtain labelled systems that are doing something bad.

Stage 3: Analyst

At the third stage, the case is handed to an experienced analyst with extensive analytical background, who makes the verdict. They dissect, down to the bytes, what this code does, where, how, why and for what purpose. This sample was malware; this computer was infected. They reveal the connections between the objects and check the results of running the sample in a sandbox.

The results of the analyst's work are passed on. Digital Forensics examines disk images, Malware Analysis examines the "bodies" that were found, and the Incident Response team can go on site and investigate what is already there. The outcome is a confirmed hypothesis, an identified attack and ways to counter it.
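The three stages above (tagging objects against threat intelligence, linking them into cases, handing the case to the analyst and the downstream teams) are easier to follow as a data pipeline than as prose. The following is an added example written for this review; it is not code from the article or from Sergei Soldatov's diagram. The threat-intelligence feed, the observed objects and the hash and domain values are all constructed for the illustration, and the routing rules in the hand-off step are an assumption.

```python
"""TI farm -> cases -> analyst hand-off, over constructed observations."""
from collections import defaultdict

# Stage 1 input: constructed TI labels keyed by (object type, value).
TI_FEED = {
    ("md5", "0123456789abcdef0123456789abcdef"): ["malware:family-x", "seen:2019"],
    ("url", "http://dl.example.invalid/pkg"): ["distributes:family-x"],
    ("domain", "c2.example.invalid"): ["c2:2019"],
}

# Constructed endpoint observations: (host, object type, value, relation).
OBSERVATIONS = [
    ("ws01", "url", "http://dl.example.invalid/pkg", "downloaded_from"),
    ("ws01", "md5", "0123456789abcdef0123456789abcdef", "executed"),
    ("ws01", "domain", "c2.example.invalid", "connected_to"),
    ("ws02", "md5", "0123456789abcdef0123456789abcdef", "written"),
    ("ws03", "url", "http://updates.example.invalid/ok", "downloaded_from"),
]


def stage1_tag(observations, feed):
    """TI farm: attach every known tag to each observed object."""
    return [
        {"host": host, "type": otype, "value": value, "relation": relation,
         "tags": list(feed.get((otype, value), []))}
        for host, otype, value, relation in observations
    ]


def stage2_cases(tagged):
    """Cases: hosts that share a tagged object are linked into one case.
    Untagged objects carry no weight and do not link hosts."""
    hosts_by_object = defaultdict(set)
    objects_by_host = defaultdict(set)
    tags_by_object = {}
    for t in tagged:
        if not t["tags"]:
            continue
        key = (t["type"], t["value"])
        hosts_by_object[key].add(t["host"])
        objects_by_host[t["host"]].add(key)
        tags_by_object[key] = set(t["tags"])

    cases, visited = [], set()
    for start in sorted(objects_by_host):
        if start in visited:
            continue
        hosts, objects, todo = set(), set(), [start]
        while todo:  # walk the host <-> object graph from this host
            host = todo.pop()
            if host in visited:
                continue
            visited.add(host)
            hosts.add(host)
            for obj in objects_by_host[host]:
                objects.add(obj)
                todo.extend(hosts_by_object[obj] - visited)
        tags = set().union(*(tags_by_object[o] for o in objects))
        cases.append({"hosts": hosts, "objects": objects, "tags": tags})
    return cases


def stage3_handoff(case):
    """Analyst hand-off: route artefacts to the teams named in the article
    (routing rules are an assumption for the example)."""
    return {
        "malware_analysis": sorted(v for t, v in case["objects"] if t == "md5"),
        "digital_forensics": sorted(case["hosts"]),
        "incident_response": sorted(v for t, v in case["objects"] if t in ("url", "domain")),
    }


if __name__ == "__main__":
    for case in stage2_cases(stage1_tag(OBSERVATIONS, TI_FEED)):
        print("case:", sorted(case["hosts"]), sorted(case["tags"]))
        print("hand-off:", stage3_handoff(case))
```

With this input, ws01 and ws02 collapse into one case because they share the tagged hash, while ws03, whose only object has no intelligence attached, never becomes a case at all; that is the filtering the "cases" stage is meant to do before a human analyst spends time on anything.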


Conclusions

Threat Hunting is a fairly new technology that can effectively counter custom, new and non-standard threats, and it has good prospects given the growing number of such threats and the increasing complexity of corporate infrastructure. It requires three components: data, tools and analysts. The benefits of Threat Hunting are not limited to preventing threats from materialising. Do not forget that during the hunt we look into our own infrastructure and its weak points through the eyes of a security analyst, and can go on to strengthen those points.

The first steps that, in our view, need to be taken to start the TH process in your organisation:

  1. Take care of protecting endpoints and the network infrastructure. Ensure visibility (NetFlow) and control (firewall, IDS, IPS, DLP) over all the processes on your network. Know your network from the edge router to the last host.
  2. Study MITRE ATT&CK.
  3. Conduct regular pentests of at least the key external resources, analyse their results, identify the main targets of attack and close their vulnerabilities.
  4. Deploy an open source Threat Intelligence system (for example, MISP or Yeti) and analyse logs in conjunction with it.
  5. Deploy an incident response platform (IRP): R-Vision IRP, The Hive, and a sandbox for analysing suspicious files (FortiSandbox, Cuckoo).
  6. Automate routine processes. Log analysis, incident recording and notifying staff are a huge field for automation.
  7. Learn to work effectively with engineers, developers and technical support so that incidents are handled together.
  8. Document the whole process, the key points and the results achieved, so that you can return to them later or share the data with colleagues.
  9. Be socially aware: know what is going on with your employees, whom you hire, and to whom you grant access to the organisation's information resources.
  10. Stay up to date with trends in new threats and defensive methods, raise your level of technical literacy (including in how IT services and subsystems operate), attend conferences and talk to colleagues.

We are ready to discuss the organisation of the TH process in the comments.

Or come and work with us!

Sources and learning resources

Source: www.habr.com
