Joint Group-IB and Belkasoft courses: what we will teach and who should attend

Algorithms and tactics for responding to information security incidents, current cyber-attack trends, methods for investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data: all these and other topics can be studied in the new joint Group-IB and Belkasoft courses. In August we announced the first Belkasoft Digital Forensics course, which starts on September 9, and after receiving many questions we decided to explain in detail what the students will study, and what knowledge, skills and bonuses (!) those who reach the end will receive. First things first.

Two in one

The idea of holding joint training courses arose after participants in Group-IB courses began asking about a tool that could help them investigate compromised computer systems and networks, and that would combine the functionality of the various free utilities we recommend using during incident response.

In our view, Belkasoft Evidence Center can be such a tool (we have already discussed it in Igor Mikhailov's article "Key to start: the best software and hardware for computer forensics"). So, together with Belkasoft, we developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interconnected! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination is devoted to investigating incidents using Belkasoft products. That is, before taking the Belkasoft Incident Response Examination course, we strongly recommend completing the Belkasoft Digital Forensics course. If you start straight away with the incident investigation course, you may have annoying gaps in knowledge about using Belkasoft Evidence Center and about finding and examining forensic artifacts. This may mean that during the Belkasoft Incident Response Examination course you do not have enough time to learn the material properly, or that you hold the whole group back from acquiring new knowledge, because training time will be spent by the trainer explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The aim of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and teach them how to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media such as hard drives and flash drives, etc.), along with basic forensic techniques and methods and the methods of forensic examination of Windows, mobile devices and memory dumps. You will also learn how to identify and document browser and instant messenger artifacts, create forensic copies of data from various sources, extract geolocation data and search for text sequences (keyword search), use hashes in examinations, analyze the Windows registry, examine unknown SQLite databases, the basics of examining image and video files, and the analytical techniques used during investigations.

This course will be useful to specialists with experience in computer forensics; technical specialists who determine the causes of a successful intrusion and analyze the chain of events and the consequences of cyber attacks; technical specialists who identify and document data theft (leaks) by an insider (internal offender); e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; and computer forensics enthusiasts.

Course program:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing cases in BEC
  • Collecting digital evidence for forensic investigation with BEC
  • Using filters
  • Reporting
  • Examining instant messaging programs
  • Web browser examination
  • Mobile device examination
  • Extracting geolocation data
  • Searching for text sequences in cases
  • Extracting and analyzing data from cloud storage
  • Using bookmarks to highlight important evidence found during examination
  • Examining Windows system files
  • Windows registry analysis
  • SQLite database analysis
  • Data recovery methods
  • Techniques for examining RAM dumps
  • Using the hash calculator and hash analysis in forensic examination
  • Analysis of encrypted files
  • Methods for examining image and video files
  • Using analytical techniques in forensic examination
  • Automating routine actions with the built-in Belkascripts scripting language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The aim of this course is to teach the basics of forensic investigation of cyber attacks and the ways Belkasoft Evidence Center can be used in such an investigation. You will learn about the main vectors of modern attacks on computer networks, learn to classify computer attacks using the MITRE ATT&CK matrix, apply operating system examination algorithms to establish the fact of compromise and reconstruct the attackers' actions, find out where the artifacts are located that show which files were last opened, where the operating system stores information about the loading and execution of executable files, and how attackers moved through the network, and learn how to examine these artifacts using BEC. You will also learn which system log events are of interest when investigating an incident and determining remote access, and how to investigate them using BEC.

The course will be useful to technical specialists who determine the causes of a successful intrusion and analyze the chain of events and the consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; and information security staff.

Course overview

The Cyber Kill Chain describes the main stages of any technical attack on a victim's computer (or computer network) as follows:

[image]

The actions of SOC staff (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information resources.

If attackers nevertheless penetrate the protected infrastructure, the staff listed above must try to minimize the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised information infrastructure, and take measures to prevent this type of attack in the future.

In a compromised information infrastructure, the following types of traces can be found that indicate compromise of the network (computer):

[image]

All such traces can be found using Belkasoft Evidence Center.

BEC has an "Incident Investigation" module in which, when storage media are analyzed, information about artifacts that can help the examiner investigate incidents is collected.

[image]

BEC supports examination of the main types of Windows artifacts that indicate the launch of executable files on the system under investigation, including Amcache, UserAssist, Prefetch, BAM/DAM, the Windows 10 Timeline, and system event analysis.

Information about traces of user actions on the compromised system can be presented in the following form:

[image]

This information includes, among other things, information about the launch of executable files:

[image: Information about the execution of the file 'RDPWInst.exe'.]

Information about attackers' persistence on compromised systems can be found in Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI, etc. Examples of finding information about attacker persistence on a system can be seen in the following screenshots:

[image: Attacker persistence via the Task Scheduler, by creating a task that runs a PowerShell script.]

[image: Attacker persistence via Windows Management Instrumentation (WMI).]

[image: Attacker persistence via a logon script.]

Attackers' movement through the compromised computer network can be detected, for example, by analyzing Windows system logs (if the attackers used the RDP service).

[image: Information about detected RDP connections.]

[image: Information about the attackers' movement through the network.]
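The RDP-based lateral movement described above can be reconstructed from the Security log without any particular tool. The following script is an added example for this article, not Belkasoft or Group-IB code: it assumes Security events exported in the XML layout Windows uses when an event is rendered as XML, picks out 4624 logons with LogonType 10 (RemoteInteractive, i.e. RDP), orders them into source-to-destination hops, and reports hosts that were first an RDP destination and later an RDP source, which is the pattern a pivot through the network leaves behind. The host names, user names, addresses and timestamps in the sample are constructed.

```python
"""Reconstruct RDP lateral-movement hops from Windows Security events.

Added example (not Belkasoft/Group-IB code). Assumes events in the XML
layout Windows produces when rendering an event as XML; sample data below
is constructed for the example.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample: four 4624 events on two hosts. Two are interactive or
# network logons (noise); two are RDP logons forming a chain through WS01.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-08-20T09:12:03Z"/><Computer>WS01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">j.doe</Data><Data Name="LogonType">2</Data>
    <Data Name="IpAddress">-</Data><Data Name="WorkstationName">WS01</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-08-20T10:41:55Z"/><Computer>WS01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">10</Data>
    <Data Name="IpAddress">203.0.113.7</Data><Data Name="WorkstationName">LAPTOP-7F3K</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-08-20T10:58:20Z"/><Computer>SRV-FILE01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.21</Data><Data Name="WorkstationName">WS01</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-08-20T11:03:10Z"/><Computer>SRV-FILE01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">j.doe</Data><Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.21</Data><Data Name="WorkstationName">WS01</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": system.findtext("e:EventID", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            **data,
        })
    return events


def find_rdp_logons(events):
    """Successful logons whose type is RemoteInteractive; other logon types are ignored."""
    return [e for e in events
            if e["event_id"] == "4624" and e.get("LogonType") == RDP_LOGON_TYPE]


def movement_hops(events):
    """(time, user, source, destination) per RDP logon, ordered by time.

    Source is the client workstation name if logged, otherwise the client IP;
    destination is the short host name of the machine that wrote the event.
    """
    hops = []
    for e in find_rdp_logons(events):
        source = e.get("WorkstationName") or e.get("IpAddress") or "?"
        destination = e["computer"].split(".")[0]
        hops.append((e["time"], e["TargetUserName"], source, destination))
    return sorted(hops)  # ISO-8601 UTC timestamps sort correctly as strings


def chained_hosts(hops):
    """Hosts reached over RDP and later used as the source of another RDP logon."""
    first_arrival = {}
    for t, _, _, dst in hops:
        first_arrival.setdefault(dst, t)
    return sorted({src for t, _, src, _ in hops
                   if src in first_arrival and first_arrival[src] <= t})


if __name__ == "__main__":
    hops = movement_hops(parse_events(SAMPLE_EVENTS))
    for t, user, src, dst in hops:
        print(f"{t}  {user:<12} {src:>12} -> {dst}")
    print("pivot hosts:", chained_hosts(hops))
```

On the constructed sample this yields two hops (an external client to WS01, then WS01 to SRV-FILE01 under the same account) and reports WS01 as the pivot. On real exports, the same 4624/LogonType 10 filter is what the "detected RDP connections" view boils down to; correlating the resulting hops by account and time is the manual equivalent of the network-movement picture shown above.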

Thus, Belkasoft Evidence Center can help examiners identify compromised computers in an attacked network, find traces of malware execution, traces of persistence on the system and of movement through the network, and other traces of attacker activity on compromised computers.

How to conduct such examinations and find the artifacts described above is explained in the Belkasoft Incident Response Examination training course.

Course program:

  • Trends in cyber attacks. Technologies, tools and goals of attackers
  • Using threat models to understand attackers' tactics, techniques and procedures
  • Cyber kill chain
  • Incident response algorithm: identification, containment, generation of indicators, search for newly infected hosts
  • Analyzing Windows systems with BEC
  • Identifying the main infection methods, network propagation, persistence and malware network activity using BEC
  • Identifying infected systems and reconstructing the infection history using BEC
  • Practical exercises

Frequently asked questions

Where are the courses held?
The courses are held at Group-IB headquarters or at an external site (training center). Trainer travel to corporate customers' sites is possible.

Who runs the classes?
Group-IB trainers are practitioners with many years of experience in forensic examination, corporate investigations and information security incident response.

The trainers' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, etc.

Our trainers easily find a common language with the audience and explain even complex topics in an accessible way. Students will learn a great deal of relevant and interesting material about investigating computer incidents and about methods of detecting and countering computer attacks, and gain real practical knowledge that they can apply immediately after completing the course.

Will the courses provide useful skills unrelated to Belkasoft products, or will these skills be useless without this software?
The skills acquired during the training will be useful even without Belkasoft products.

What is included in the initial test?

The initial test is a test of knowledge of the basics of computer forensics. Testing of knowledge of Belkasoft and Group-IB products is not planned.

Where can I find information about the company's educational courses?

Within its educational program, Group-IB trains incident response specialists, malware researchers, cyber intelligence (Threat Intelligence) specialists, Security Operations Center (SOC) specialists, threat hunting specialists (Threat Hunter), etc. A full list of Group-IB's own courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete the joint Group-IB and Belkasoft courses will receive:

  1. a certificate of course completion;
  2. a free monthly subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9: don't miss the opportunity to gain unique knowledge in information security, computer forensics and incident response! Register for the courses here.

Sources

In preparing this article, Oleg Skulkin's presentation "Using host-based forensics to find indicators of compromise for successful intelligence-driven incident response" was used.

Source: www.habr.com
