Dashboard overview
The Shadowserver Dashboard is a high-level statistics dashboard that presents the key datasets Shadowserver collects and shares in its daily activity across more than 100 daily reports. The datasets give an overview of existing attacks, vulnerabilities, misconfigurations and infections, with an emphasis on emerging threats. The data shared through the reports contains IP-level detail specific to a network or country. The Shadowserver Dashboard does not provide that level of granularity. Instead, it presents high-level statistics that reflect these activities. This allows emerging threats, vulnerabilities and infections to be understood for local communities while keeping the identity of the affected entities anonymous.
Sources and tags
The data presented is organised around sources and tags. A source is essentially a primary grouping of the data in some way. Key sources include honeypot, population, scan and sinkhole. Population and scan are both based on scan datasets, with population representing endpoints that are not necessarily vulnerable or insecure. A trailing 6 denotes IPv6 data (entries without the suffix are all IPv4 data).
Sources may have tags attached that provide additional information about the data being presented. For example, a scan tag names the actual scan type (i.e. the services/protocols being scanned, such as telnet, ftp and rdp). Sinkhole tags reflect the actual malware family being sinkholed (i.e. hosts infected with that malware family, such as adload, andromeda and necurs).
Tags allow us to give more insight into the data being presented.
Additionally, we introduce other source groupings to best present data on various vulnerable or compromised instances, for example http_vulnerable or compromised_website. These typically carry tags that reflect a specific CVE vulnerability, an affected vendor or product, or information about backdoors, webshells or implants that were found. Example http_vulnerable tags are citrix or cve-2023-3519.
Finally, as we add more detections to our datasets, we end up with many tags. This means it may not be obvious which source grouping to select. For example, snmp is a tag based on the source scan, but it is also presented as a source in its own right. This lets us present granular snmp scan results, so that specific snmp scan results for vulnerabilities such as cve-2017-6736 can be viewed.
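As an added illustration (not code from Shadowserver or the dashboard itself), the Python below collapses constructed IP-level report rows into the source/tag/country counts that the dashboard exposes, applying the trailing 6 for IPv6 entries and the per-population normalisation and most-common-tag-per-country options described under General statistics. The rows and population figures are constructed sample values.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed IP-level rows in the shape of a daily report entry:
# (source, tag, ip, country). Sample values, not real Shadowserver data.
ROWS = [
    ("scan", "telnet", "192.0.2.10", "NL"),
    ("scan", "telnet", "192.0.2.11", "NL"),
    ("scan", "telnet", "2001:db8::1", "NL"),
    ("scan", "rdp", "198.51.100.5", "DE"),
    ("sinkhole", "andromeda", "203.0.113.7", "DE"),
    ("http_vulnerable", "cve-2023-3519", "203.0.113.9", "NL"),
]

# Constructed populations used for normalisation (hypothetical numbers).
POPULATION = {"NL": 18_000_000, "DE": 84_000_000}


def source_key(source, ip):
    """Return the source name with the trailing 6 that marks IPv6 entries."""
    return source + "6" if ipaddress.ip_address(ip).version == 6 else source


def aggregate(rows):
    """Collapse IP-level rows into counts per (source, tag, country).

    Only the count survives; the IP addresses are dropped, which is the
    level of granularity the dashboard exposes."""
    counts = Counter()
    for source, tag, ip, country in rows:
        counts[(source_key(source, ip), tag, country)] += 1
    return counts


def per_million(counts, population, source, tag):
    """Normalise one source/tag's per-country counts by population."""
    rates = {}
    for (src, tg, country), n in counts.items():
        if src == source and tg == tag:
            rates[country] = round(n / population[country] * 1_000_000, 3)
    return rates


def top_tag_per_country(counts, source):
    """Most common tag of a source in each country (the world-map option)."""
    per_country = defaultdict(Counter)
    for (src, tag, country), n in counts.items():
        if src == source:
            per_country[country][tag] += n
    return {c: tags.most_common(1)[0][0] for c, tags in per_country.items()}
```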
Quick navigation through data categories: Left navigation bar
The datasets presented are collected through different large-scale methods, including sinkholing, scanning and honeypots. The datasets are broken out into these major categories on the left navigation bar, with each category represented by a unique icon.
The goal is to let you navigate the source groupings. For example:
- Sinkholes - provides datasets grouped as source sinkhole. You can then view specific sinkhole results by selecting a tag or group of tags.
- Scans - provides datasets grouped as source scan (this category contains scan results for services with an associated security issue; you can also view population scan results by selecting source population instead). You can then view specific scan results by selecting a tag or group of tags.
- Honeypots - provides datasets grouped as source honeypot. You can then view specific honeypot results by selecting a tag or group of tags.
- DDoS - provides datasets grouped as source honeypot_ddos_amp. These are amplification DDoS attacks seen against unique targets in a particular country/region. You can then view the specific amplification method used by selecting a tag or group of tags.
- ICS - provides datasets grouped as source ics (which are scan results from native Industrial Control Systems protocols). You can then view the native protocols used by selecting a tag or group of tags.
- Web CVEs - provides datasets grouped as http_vulnerable and exchange. These are vulnerable web applications found in our scans, usually identified by CVE. You can view CVEs or affected products by selecting a tag or group of tags.
You can also break the datasets down by country or country grouping, region and continent.
Each dataset is also described in the “About this data” section.
Please note that there are more datasets than those listed above. For example, source beacon lets you explore post-exploitation framework C2s found in our scans, and source compromised_website lets you explore web endpoints found in our scans.
Top navigation bar
The top navigation bar allows different visualisations to be selected for the data presented, as well as the device statistics and attack statistics views of the datasets.
General statistics
General statistics includes the ability to visualise any source and tag in your view by selection:
- World map - a world map displaying the selected source and tag. Additional features include: the ability to change the presentation to show the most common tag per country for each source, normalisation by population, GDP, connected users and more. Markers can also be selected on the map to show values per country.
- Region map - a country-level map that displays countries broken down by region and province.
- Comparison map - a comparison map of two countries.
- Time series - a chart that displays source and tag combinations over time. Note that this allows data groupings (not just per country).
- Visualisation - different ways to drill down into the datasets, including a breakdown of destinations over time. Allows data to be presented as tables, bar charts, bubble diagrams and more.
IoT device statistics (device statistics)
This dataset and its associated visualisations give a daily view of exposed endpoints, populated by the vendors and their products seen through our scans. The data is broken down by vendor, model and device type. These are identified through various methods, including web page content, SSL/TLS certificates, displayed banners and more. The datasets contain population data only, i.e. they make no judgement about any vulnerability associated with the exposed endpoint (if you want to see that, select a source such as http_vulnerable under “General statistics” instead).
Similar visualisation options exist as in “General statistics”, with the difference that instead of sources and tags you can view (and group by) vendors, models and device types.
Attacked devices: vulnerabilities
This dataset and its associated visualisations give a view of the attacks seen daily by our honeypot sensor network, focusing on the vulnerabilities exploited. This includes the ability to view what is most commonly attacked and how it is attacked (i.e. by exploited vulnerability, some of which correspond to a specific CVE being exploited). You can also view charts of attack sources and destinations over time.
Similar visualisation options exist as in “General statistics”, with the difference that instead of sources and tags you can view (and group by) vendor, vulnerability, and attack source and destination.
An additional visualisation section, Monitoring, is also included:
This is a new daily table showing the top exploited vulnerabilities, grouped by the unique source IPs seen attacking (or by attack attempts seen, if you select the connection-attempt statistic instead). The data comes from our honeypot sensor network and is grouped by exploited vulnerability. It also includes CISA Known Exploited Vulnerability mappings (including whether the vulnerability is known to be used by a ransomware group) and whether the attack targeted an IoT device rather than a server application.
By default, the presentation shows the most exploited vulnerabilities globally, but you can also filter by a specific country or group, or show the bottom of the table instead.
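As an added example (not Shadowserver code), this Python builds the Monitoring table from constructed honeypot events under both statistics the text describes, unique attacking source IPs and connection attempts, and attaches hypothetical CISA KEV annotations. It shows why the two rankings can disagree: a single noisy source inflates attempt counts but is counted once as a unique IP.

```python
from collections import defaultdict

# Constructed honeypot events: (source_ip, exploited_vulnerability_tag).
# Sample values only; not real sensor data. One IP hammers a single tag.
EVENTS = [
    ("192.0.2.1", "cve-2017-6736"),
    ("192.0.2.1", "cve-2017-6736"),
    ("192.0.2.1", "cve-2017-6736"),
    ("192.0.2.1", "cve-2017-6736"),
    ("192.0.2.2", "cve-2023-3519"),
    ("192.0.2.3", "cve-2023-3519"),
    ("192.0.2.4", "cve-2023-3519"),
]

# Hypothetical KEV annotations keyed by tag: (listed_in_kev, ransomware_use).
KEV = {"cve-2023-3519": (True, False)}


def monitoring_table(events, kev, statistic="unique_ips"):
    """Rank exploited vulnerabilities as the Monitoring table does.

    statistic is "unique_ips" (distinct attacking source IPs) or
    "attempts" (connection attempts). Rows carry the KEV flags."""
    ips = defaultdict(set)
    attempts = defaultdict(int)
    for ip, vuln in events:
        ips[vuln].add(ip)
        attempts[vuln] += 1
    rows = []
    for vuln in ips:
        value = len(ips[vuln]) if statistic == "unique_ips" else attempts[vuln]
        in_kev, ransomware = kev.get(vuln, (False, False))
        rows.append({"vuln": vuln, "value": value,
                     "kev": in_kev, "ransomware": ransomware})
    # Highest value first; tag name breaks ties deterministically.
    return sorted(rows, key=lambda r: (-r["value"], r["vuln"]))
```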
Attacked devices: devices
This dataset and its associated visualisations give a view of the devices attacking us, as seen daily by our honeypot sensor network. The devices are fingerprinted through our daily scans. The datasets allow specific attacks, device vendors or models to be identified, and can be filtered per country.
Charts similar to those under “General statistics” exist, with the difference that instead of sources and tags you can view (and group by) attack type, device vendor or model.
An additional visualisation section, Monitoring, is also included:
This is a new daily table showing the top attacking devices by the unique source IPs seen attacking (or by attack attempts seen, if you select the connection-attempt statistic instead). As with all datasets presented in this section, the data comes from our honeypot sensor network. It is grouped by the attack type observed, vendor and model (where available). We match the IPs we see against the results of our daily device scan fingerprinting to attribute the attacking device (see the “IoT device statistics” section).
By default, the view shows the top attacking devices (by source) seen attacking (this includes cases where we cannot identify a model or, for example, only the vendor). You can also choose to filter by a specific country or group, or show the bottom of the table instead.