Dashboard overview

The Shadowserver Dashboard provides high-level statistics representing the major datasets that Shadowserver collects and shares through its daily activities, in over 100 daily reports. The datasets give insight into attack surface exposure, vulnerabilities, misconfigurations, compromised networks and observed attacks. The data shared through the reports contains detailed IP-level information relevant to a particular network or constituency. The Shadowserver Dashboard does not provide that level of granularity. Instead it provides high-level statistics representative of these activities. This gives communities insight into emerging threats, vulnerabilities and incidents for situational awareness, while preserving the anonymity of any parties involved.

Sources and tags

The data presented is organised around sources and tags. A source is essentially a grouping of data presented in some manner. Key sources are honeypot, population, scan and sinkhole. population and scan are both scan-based datasets; population is a count of exposed endpoints without any vulnerability/security assessment, while scan covers services that have some security issue associated with them. A trailing 6 on a source name (for example scan6) marks IPv6 data; entries without the trailing 6 are IPv4 data.

Sources may have tags associated with them that provide additional information about the data being presented. For example, tags for scan cover the actual scan types being performed (i.e. the service/protocol scanned, such as telnet, ftp and rdp). Tags for sinkhole cover the actual malware families sinkholed (i.e. hosts infected with a malware family such as adload, andromeda and necurs).

Tags therefore provide additional insight into the data being presented.

Additionally, we introduce other source groupings to highlight the exposure of vulnerable or compromised hosts, for example http_vulnerable or compromised_website. These typically carry tags that signify specific CVE vulnerabilities, affected vendors or products, or detected backdoors, webshells or implants. Example tags for http_vulnerable would be citrix or cve-2023-3519.

Finally, as we add more detections to our datasets we end up with many tags. This means it sometimes makes sense to create additional source groupings. For example, although snmp is a tag on the source scan, it is also exposed as a source in its own right. This lets us provide granular snmp scan results, allowing the viewing of specific snmp scan results related to a vulnerability such as cve-2017-6736.

Quick navigation to different data groupings - left navigation bar

The datasets presented are collected through various large-scale collection methods, including sinkholing, scanning and honeypots. In the left navigation bar the datasets are grouped into the main categories below, each represented by a unique icon.

The goal is to allow quick navigation to specific source groupings. Examples:

  • Sinkholes - groups the datasets presented by source sinkhole. You can then view specific sinkhole results by selecting a tag or tag group.
  • Scans - groups the datasets presented by source scan (this category contains scan results for services that have some form of security issue associated with them; you can also view population scan results by selecting source population instead). You can then view specific scan results by selecting a tag or tag group.
  • Honeypots - groups the datasets presented by source honeypot. You can then view specific honeypot results by selecting a tag or tag group.
  • DDoS - groups the datasets presented by source honeypot_ddos_amp. These are amplification DDoS attacks observed against unique targets in a particular country/region. You can then view a specific amplification method used by selecting a tag or tag group.
  • ICS - groups the datasets presented by source ics (scan results for native Industrial Control Systems protocols). You can then view the native protocols in use by selecting a tag or tag group.
  • Web CVEs - groups the datasets presented by sources http_vulnerable and exchange. These are vulnerable web applications identified in our scans, typically by CVE. You can view CVEs or affected products by selecting a tag or tag group.

Datasets can also be filtered by country or country groupings, regions and continents.

Each dataset is also described under “data description”.

Please note that there are many datasets that are not highlighted in the navigation bar. For example, source beacon lets you explore post-exploitation framework C2s seen in our scans, and source compromised_website lets you explore compromised web endpoints seen in our scans.

Top navigation bar

The top navigation bar lets you generate various charts for the data presented, and also gives access to the dedicated device identification and attack datasets and their charts.

General statistics

General statistics includes the ability to visualise any source and tag combination of your choice as:

  • World map - a world map showing the selected source and tag. Additional features include the ability to change the display to show the most common tag per country for any source, and normalisation by population, GDP, connected users etc. You can also select markers on the map to display values per country.
  • Region map - a country-level map showing the country subdivided into regions and provinces.
  • Comparison map - a comparison map between two countries.
  • Time series - a chart showing a source and tag combination over time. Note that it allows grouping of data (not just per country).
  • Visualisation - different methods of drilling down into the datasets, including a breakdown by target over time. Allows data to be presented as tables, bar charts, bubble charts etc.
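As an added example (not Shadowserver's code), the following Python shows what the world map's “most common tag per country” and “normalisation by population” options compute over dashboard-style rows. The rows, the population figures and the column layout (date, source, tag, country, count) are all constructed for illustration; the trailing-6 IPv6 convention from the “Sources and tags” section is handled by split_source, so scan and scan6 stay separate sources.

```python
"""Added example (not Shadowserver's code): aggregate dashboard-style
(date, source, tag, country, count) rows the way the "General statistics"
world map does: total a source/tag per country, optionally normalise per
1M inhabitants, or pick the most common tag per country for a source.
All rows and population figures below are constructed for illustration."""
from collections import defaultdict

# Constructed sample rows: (date, source, tag, country, count). A trailing
# "6" on the source marks IPv6 data; "scan" and "scan6" are distinct sources.
ROWS = [
    ("2024-05-01", "scan",     "telnet",    "PL", 120),
    ("2024-05-01", "scan",     "rdp",       "PL", 340),
    ("2024-05-01", "scan",     "ftp",       "PL", 80),
    ("2024-05-01", "scan6",    "rdp",       "PL", 15),
    ("2024-05-01", "scan",     "rdp",       "DE", 600),
    ("2024-05-01", "scan",     "telnet",    "DE", 1100),
    ("2024-05-01", "sinkhole", "andromeda", "DE", 60),
    ("2024-05-01", "sinkhole", "necurs",    "PL", 25),
]

# Constructed population figures in millions (hypothetical, not real statistics).
POPULATION_M = {"PL": 38.0, "DE": 84.0}


def split_source(source):
    """Split a source name into (family, ip_version): 'scan6' -> ('scan', 6),
    'scan' -> ('scan', 4). Only the trailing '6' convention is recognised."""
    if len(source) > 1 and source.endswith("6"):
        return source[:-1], 6
    return source, 4


def totals_by_country(rows, source, tag, per_million=False):
    """Sum counts per country for one exact source/tag pair.
    With per_million=True the totals are divided by the country's population
    in millions, which is what the map's population normalisation does."""
    totals = defaultdict(int)
    for _date, src, tg, cc, n in rows:
        if src == source and tg == tag:
            totals[cc] += n
    if per_million:
        return {cc: round(n / POPULATION_M[cc], 2)
                for cc, n in totals.items() if cc in POPULATION_M}
    return dict(totals)


def most_common_tag_per_country(rows, source):
    """For each country, the tag with the largest total under the given source
    (the map's 'most common tag per country' display)."""
    per_country = defaultdict(lambda: defaultdict(int))
    for _date, src, tg, cc, n in rows:
        if src == source:
            per_country[cc][tg] += n
    return {cc: max(tags.items(), key=lambda kv: kv[1])[0]
            for cc, tags in per_country.items()}


if __name__ == "__main__":
    print(totals_by_country(ROWS, "scan", "rdp"))
    print(totals_by_country(ROWS, "scan", "rdp", per_million=True))
    print(most_common_tag_per_country(ROWS, "scan"))
```

Normalisation changes the ranking: in the constructed rows Germany has more exposed rdp endpoints than Poland in absolute terms but fewer per million inhabitants, which is the effect the normalisation toggle is there to surface. Note that totals_by_country matches the source name exactly, so an IPv6 view has to be requested as scan6 rather than being folded into scan.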

IoT device statistics (device identification statistics)

This dataset and its associated charts provide a daily view of exposed endpoints categorised by the vendors and products identified in our scans. The data is broken down by vendor, model and device type. These are identified through various methods, including web page content, SSL/TLS certificates and displayed banners. The datasets contain population data only, i.e. no assessment is made of any vulnerabilities associated with the exposed endpoint (if you want to see that, select a source such as http_vulnerable under “General statistics” instead).

Similar charting options exist as under “General statistics”, with the difference that instead of using source and tag you can view (and group by) vendors, models and device types instead.

Attacks: Vulnerabilities

This dataset and its associated charts provide daily views of attacks seen by our honeypot sensor network, focusing on the vulnerabilities exploited. This includes the ability to view the most commonly attacked targets and explore how they are attacked (i.e. by the vulnerability exploited, which may include a specific CVE). You can also view charts by attack source and destination.

Similar charting options exist as under “General statistics”, with the difference that instead of using source and tag you can view (and group by) vendor, vulnerability, and attack source and destination instead.

An additional visualisation group, monitoring, is also included:

This is a daily updated table showing the most common vulnerabilities exploited, grouped by the number of unique source IPs observed attacking (or by attack attempts observed, if you select the connection attempts counting method). The data comes from our honeypot sensor network and is grouped by the vulnerability exploited. It also includes CISA Known Exploited Vulnerabilities mappings (including whether the vulnerability is known to be used by a ransomware group) and whether the attacks target IoT devices rather than server applications.

By default the display shows the most common vulnerabilities exploited globally, but you can also filter by a specific country or group, or display an anomaly table instead.

Attacks: Devices

This dataset and its associated charts show the devices attacking us, as seen by our honeypot sensor network on a daily basis. The devices are fingerprinted through our daily scanning. The datasets allow attacks to be viewed by specific product, device vendor or model, and can be filtered by country.

Similar charts exist as under “General statistics”, with the difference that instead of using source and tag you can view (and group by) attacking device type, device vendor or model instead.

An additional visualisation group, monitoring, is also included:

This is a daily updated table showing the most common attacking devices seen, grouped by the number of unique source IPs observed attacking (or by attack attempts observed, if you select the connection attempts counting method). As with all datasets presented in this section, it comes from our honeypot sensor network. It is grouped by the attacking device type observed, vendor and model (where available). We associate the IPs we see attacking with the results of our daily device fingerprinting scans (see the “IoT device statistics” section).

By default the display shows the most common attacking devices (by source) seen attacking; this includes cases where we cannot identify a device at all, or can identify only the vendor, for example. You can also choose to filter by a specific country or group, or display an anomaly table instead.
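As an added example (not Shadowserver's code), the following Python reproduces the two counting methods behind both monitoring tables above (“Attacks: Vulnerabilities” and “Attacks: Devices”): ranking by unique attacking source IPs versus by raw connection attempts, with an optional target-country filter, a KEV/ransomware/IoT annotation for the vulnerability table, and the join of attacking IPs against device fingerprints for the device table. The honeypot events, the KEV subset, the IoT tag set and the fingerprint records are all constructed and hypothetical; the anomaly table is not reproduced.

```python
"""Added example, not Shadowserver's code: the two counting methods of the
"monitoring" tables (unique source IPs vs. connection attempts), with a
target-country filter, a KEV-style annotation and a device-fingerprint join.
Every record below is constructed for illustration."""
from collections import Counter, defaultdict

# Constructed honeypot events: (source_ip, target_country, vulnerability tag).
EVENTS = [
    ("203.0.113.10", "DE", "cve-2023-3519"),
    ("203.0.113.10", "DE", "cve-2023-3519"),
    ("203.0.113.10", "PL", "cve-2023-3519"),
    ("203.0.113.11", "DE", "cve-2017-6736"),
    ("203.0.113.12", "DE", "cve-2017-6736"),
    ("203.0.113.12", "DE", "cve-2017-6736"),
    ("203.0.113.13", "PL", "telnet-default-credentials"),
    ("203.0.113.13", "PL", "telnet-default-credentials"),
    ("203.0.113.14", "PL", "telnet-default-credentials"),
    ("203.0.113.15", "PL", "telnet-default-credentials"),
]
# Constructed KEV-style mapping (hypothetical, not CISA's catalogue):
# tag -> (listed in KEV, known ransomware use).
KEV = {"cve-2023-3519": (True, True), "cve-2017-6736": (True, False)}
# Constructed: tags treated as attacks on IoT devices rather than servers.
IOT_TAGS = {"telnet-default-credentials"}
# Constructed device fingerprints from daily scanning: ip -> (type, vendor, model).
FINGERPRINTS = {
    "203.0.113.13": ("router", "ExampleVendor", "RX-100"),
    "203.0.113.14": ("router", "ExampleVendor", None),  # vendor identified only
    "203.0.113.15": ("camera", "CamCo", "C1"),
}
UNKNOWN_DEVICE = ("unknown", None, None)  # no fingerprint match at all


def _count(events, key, method, country=None):
    """Count events per key(ip, tag) by unique source IPs or by attempts,
    restricted to one target country when given."""
    unique_ips = defaultdict(set)
    attempts = Counter()
    for ip, cc, tag in events:
        if country is not None and cc != country:
            continue
        k = key(ip, tag)
        unique_ips[k].add(ip)
        attempts[k] += 1
    if method == "unique_ips":
        return {k: len(ips) for k, ips in unique_ips.items()}
    if method == "attempts":
        return dict(attempts)
    raise ValueError("method must be 'unique_ips' or 'attempts'")


def rank_vulnerabilities(events, method="unique_ips", country=None):
    """Vulnerability monitoring table: most exploited tags first, annotated
    with the (constructed) KEV, ransomware and IoT flags."""
    counts = _count(events, lambda _ip, tag: tag, method, country)
    rows = []
    for tag, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        in_kev, ransomware = KEV.get(tag, (False, False))
        rows.append({"vulnerability": tag, "count": n, "kev": in_kev,
                     "ransomware": ransomware, "iot": tag in IOT_TAGS})
    return rows


def rank_devices(events, method="unique_ips", country=None, fingerprints=FINGERPRINTS):
    """Device monitoring table: attacking IPs joined to fingerprint results;
    IPs with no match are kept under an explicit 'unknown' group."""
    counts = _count(events, lambda ip, _tag: fingerprints.get(ip, UNKNOWN_DEVICE),
                    method, country)
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1], kv[0][0], kv[0][1] or "", kv[0][2] or ""))
    return [{"device_type": t, "vendor": v, "model": m, "count": n}
            for (t, v, m), n in ordered]


if __name__ == "__main__":
    for method in ("unique_ips", "attempts"):
        print(method, rank_vulnerabilities(EVENTS, method))
    print(rank_devices(EVENTS, "attempts", country="PL"))
```

The same events rank differently under the two methods: the single IP hitting cve-2023-3519 three times ties for second place by attempts but drops to last by unique IPs, which is why the counting method is worth checking before reading a ranking. Attacking IPs without a fingerprint match stay under an explicit unknown group rather than being dropped, matching the note above that the device table includes devices that could not be identified.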

Development of the Shadowserver Dashboard was supported by the UK FCDO. The IoT device fingerprinting statistics and honeypot attack statistics were co-financed by the Connecting Europe Facility of the European Union (EU CEF VARIOT project).

We would like to thank our partners for kindly contributing data used in the Shadowserver Dashboard, including (in alphabetical order) APNIC Community Feeds, Bitsight, CISPA, if-is.net, Kryptos Logic, SecurityScorecard, Yokohama National University and all those who chose to remain anonymous.
