Dashboard overview

The Shadowserver Dashboard provides high-level statistics reflecting the main datasets that Shadowserver collects and shares through its daily activities in more than 100 daily reports. The datasets allow identification of exposed attack surface, vulnerabilities, misconfigurations, network compromises and observed attacks. The data shared as reports contains detailed IP-level information about a particular network or region. The Shadowserver Dashboard does not expose that level of granularity. Instead, it provides high-level statistics reflecting the same activities. This gives insight into recent emerging threats, vulnerabilities and incidents, providing situational awareness to the wider community while preserving the anonymity of any entities involved.

Sources and Tags

Data presentation is organised roughly by sources and tags. A source is essentially a collection of data of one kind. The main sources are honeypot, population, scan and sinkhole. Both population and scan are scan-based datasets; population is a plain count of exposure, without any vulnerability or security assessment. A 6 suffix denotes IPv6 data (every entry without the suffix refers to IPv4 data).

Sources may have tags associated with them that give additional context about the data presented. For example, scan tags cover the individual scan types (i.e. the services/protocols scanned, such as telnet, ftp and rdp). sinkhole tags show the malware families connecting to the sinkhole (e.g. hosts infected with a malware family such as adload, andromeda or necurs).

Tags provide additional insight into the data presented.

In addition, we introduce extra source groups to better reflect the detection of vulnerable or compromised hosts, for example http_vulnerable or compromised_website. These typically carry tags that identify a specific CVE, the affected vendor or product, or details of backdoors, webshells or implants observed. Example http_vulnerable tags are citrix or cve-2023-3519.

Finally, as we add further detections to our datasets we end up with a large number of tags. As a result, new source categories may appear for selection. For example, although snmp is a tag within the scan source, it is also shown as a source in its own right. This lets us provide more detailed snmp scan results, so that specific snmp findings associated with vulnerabilities such as cve-2017-6736 can be viewed.
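The source/tag organisation described in this section, together with the per-country "most common tag" and population normalisation views mentioned under "General statistics" below, is easier to see in code. The following is an added example, not Shadowserver's own code or data format: it models dashboard-style rows as (source, tag, country, count) tuples, treats a trailing "6" on the source name as the IPv6 marker the page describes, and aggregates them. All rows, population figures and the row layout are constructed for this example.

```python
"""Added example (not Shadowserver code): model the source/tag organisation
of dashboard data and aggregate constructed dashboard-style counts."""
from collections import Counter, defaultdict

# Constructed sample rows in the shape (source, tag, country, count).
# Source names follow the convention described on the page: a trailing
# "6" marks IPv6 data, everything else is IPv4.
SAMPLE_ROWS = [
    ("scan", "telnet", "DE", 1200),
    ("scan", "rdp", "DE", 800),
    ("scan6", "telnet", "DE", 30),
    ("scan", "telnet", "NL", 300),
    ("scan", "ftp", "NL", 650),
    ("sinkhole", "andromeda", "DE", 90),
    ("sinkhole", "necurs", "NL", 40),
    ("http_vulnerable", "cve-2023-3519", "DE", 12),
    ("honeypot_ddos_amp", "ntp", "NL", 5),
]

# Constructed population figures (millions), used only for normalisation.
POPULATION_MILLIONS = {"DE": 84.0, "NL": 17.8}


def parse_source(name: str) -> tuple[str, int]:
    """Split a source name into (base source, IP version).

    Assumption: no base source name itself ends in the digit 6, so a
    trailing "6" can safely be read as the IPv6 marker.
    """
    if name.endswith("6"):
        return name[:-1], 6
    return name, 4


def aggregate(rows, ip_version=None):
    """Sum counts per (country, base source, tag).

    With ip_version=None, IPv4 and IPv6 rows of the same source are merged;
    pass 4 or 6 to keep only one address family.
    """
    totals = Counter()
    for source, tag, country, count in rows:
        base, version = parse_source(source)
        if ip_version is not None and version != ip_version:
            continue
        totals[(country, base, tag)] += count
    return totals


def most_common_tag_per_country(rows, source):
    """Return {country: tag} with the highest-count tag of one base source
    (the per-country 'most common tag' toggle of the world map view)."""
    per_country = defaultdict(Counter)
    for (country, base, tag), count in aggregate(rows).items():
        if base == source:
            per_country[country][tag] += count
    return {c: tags.most_common(1)[0][0] for c, tags in per_country.items()}


def normalise_per_million(rows, source, tag):
    """Counts of one source/tag per million inhabitants, per country.
    Countries without a population figure are omitted rather than guessed."""
    result = {}
    for (country, base, t), count in aggregate(rows).items():
        if base == source and t == tag and country in POPULATION_MILLIONS:
            result[country] = round(count / POPULATION_MILLIONS[country], 2)
    return result


if __name__ == "__main__":
    print(most_common_tag_per_country(SAMPLE_ROWS, "scan"))
    print(normalise_per_million(SAMPLE_ROWS, "scan", "telnet"))
```

Note that the IPv4 and IPv6 rows for the same source are merged unless an address family is requested explicitly, which mirrors the need to pick scan or scan6 deliberately when comparing exposure figures.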

Quick links to data categories: Left navigation bar

The data presented is collected through several large-scale collection methods, including sinkholing, scanning and honeypots. These main data categories are gathered in the left navigation bar, with each category type shown with its own icon.

The aim is to allow quick drill-down into source categories. For example:

  • Sinkholes - gives an overview of the datasets grouped under the sinkhole source. You can then view a specific sinkhole result by selecting a tag or group of tags.
  • Scans - gives an overview of the datasets grouped under the scan source (this category holds scan results for services that have some kind of security issue associated with them; to see plain population scan results, select the population source instead). You can then view a specific scan result by selecting a tag or group of tags.
  • Honeypots - gives an overview of the datasets grouped under the honeypot source. You can then view a specific honeypot result by selecting a tag or group of tags.
  • DDoS - gives an overview of the datasets grouped under the honeypot_ddos_amp source. These are amplification DDoS attacks observed against unique targets in a given country/region. You can then view a specific amplification method used by selecting a tag or group of tags.
  • ICS - gives an overview of the datasets grouped under the ics source (scan results for native Industrial Control Systems protocols). You can then view the native protocols in use by selecting a tag or group of tags.
  • Web CVEs - gives an overview of the datasets grouped under the http_vulnerable and exchange groups. These are vulnerable web applications identified in our scans, typically by CVE. You can view individual CVEs or affected products by selecting a tag or group of tags.

Datasets can be broken down by country or by country groupings, regions and continents.

Each dataset is also described under "About this data".

Please note that other datasets are available beyond those highlighted. For example, the beacon source lets you explore post-exploitation framework C2s we see in our scans, and the compromised_website source lets you explore compromised web endpoints observed in our scans.

Top navigation bar

The top navigation bar offers different options for viewing the data presentation, as well as views of device identification data and attack monitoring.

General statistics

General statistics include the ability to visualise a source and tag by selecting:

  • World map - a world map showing the selected sources and tags. Additional features include: the ability to toggle the display to show the most common tags per country for a source, and normalisation by population, GDP, connected users etc. You can also select markers on the map to show values per country.
  • Region map - a map at country level, with countries broken down by regions and provinces.
  • Comparison map - a map comparing two countries.
  • Time series - a chart showing source and tag aggregations over time. Note that it allows different kinds of data grouping (not just per country).
  • Visualisation - offers various options for drilling down into the datasets, including value averages over time. Data can be displayed as tables, bar charts, bubble plots and more.

IoT device statistics (device identification statistics)

This dataset and its associated views provide a daily snapshot of exposed components, grouped by the exposed vendors and their products identified through our scans. Data is broken down by vendor, model and device type. These are identified by various means, including web page content, SSL/TLS certificates, displayed banners etc. The datasets contain population data only, meaning no assessment is made of any vulnerabilities affecting the exposed endpoints (to find those, select sources such as http_vulnerable under "General statistics" instead).

The same view charts as in "General statistics" are available; the difference is that instead of working with sources and tags you can view (and group by) vendors, models and device types.

Attack statistics: Vulnerabilities

This dataset and its associated charts provide a daily snapshot of attacks observed by our honeypot sensor network, focused on the vulnerabilities used for exploitation. They include the ability to view the most attacked products and to examine how they are attacked (i.e. which vulnerability is exploited, which may include a specific CVE). You can also view charts by attack source and destination.

The same view charts as in "General statistics" are available; the difference is that instead of working with sources and tags you can view (and group by) vendor, vulnerability, and attack source and destination.

An additional view category has been added - Monitoring:

This is a daily updated table of the most common exploits, associated with the unique source IPs observed attacking (or with observed attack attempts, if you select the connection-attempt count option). The data comes from our honeypot sensor network and is grouped by exploited vulnerability. It also includes matching against the CISA Known Exploited Vulnerabilities catalog (including whether the vulnerability is known to be used by a ransomware group) and whether the attack targets an IoT device or a server application.

By default the display shows the most commonly exploited vulnerabilities worldwide, but you can also filter by a specific country or grouping, or show the anomaly table instead.

Attack statistics: Devices

This dataset and its associated charts provide a daily snapshot of the attacking device types observed by our honeypot sensor network. Fingerprinting of these devices is performed by our daily scans. The datasets allow tracking of specific attack types, device vendors or models, and can be filtered by country.

The same charts as in "General statistics" are available; the difference is that instead of working with sources and tags you can view (and group by) attack type, device vendor or model.

An additional view category has been added - Monitoring:

This is a daily updated table of the most common attacking devices, counted by the unique source IPs observed attacking (or by observed attack attempts, if you select the connection-attempt count option). As with all datasets in this category, the data comes from our honeypot sensor network. It is grouped by observed attack type, vendor and model (where available). We identify the attacking device by correlating the observed IPs with our daily device fingerprinting scan results (see the "IoT device statistics" section).

By default the display shows the most common attacking devices (by source) observed attacking (this includes cases where we cannot identify the device, or can identify only the vendor). You can choose to filter by a specific country or grouping, or show the anomaly table instead.
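The two Monitoring tables described above (exploits grouped by vulnerability with CISA KEV matching, and attacking devices grouped by correlating source IPs with fingerprint scan results) follow the same enrichment pattern. The following is an added example, not Shadowserver's own code or data: the honeypot observations, the fingerprint table and the target classification are constructed for this example, and the KEV entries only borrow the field names of the CISA KEV JSON feed (cveID, vendorProject, product, knownRansomwareCampaignUse) with illustrative values, not the real catalog entries. Switching between unique-IP and connection-attempt counting, and keeping IPs whose device could not be identified, are shown as the page describes them.

```python
"""Added example (not Shadowserver code): build Monitoring-style tables
from constructed honeypot observations, a KEV-shaped catalog and
constructed device fingerprints."""
from collections import Counter, defaultdict

# Constructed honeypot observations: one row per connection attempt.
# Field names are assumptions for this example, not Shadowserver's schema.
OBSERVATIONS = [
    {"src_ip": "198.51.100.7", "cve": "CVE-2023-3519", "attack_type": "rce", "src_country": "US"},
    {"src_ip": "198.51.100.7", "cve": "CVE-2023-3519", "attack_type": "rce", "src_country": "US"},
    {"src_ip": "203.0.113.9", "cve": "CVE-2023-3519", "attack_type": "rce", "src_country": "BR"},
    {"src_ip": "203.0.113.9", "cve": "CVE-2017-6736", "attack_type": "rce", "src_country": "BR"},
    {"src_ip": "192.0.2.44", "cve": None, "attack_type": "telnet_bruteforce", "src_country": "DE"},
    {"src_ip": "192.0.2.45", "cve": None, "attack_type": "telnet_bruteforce", "src_country": "DE"},
]

# Constructed subset using the field names of the CISA KEV JSON feed.
# The values are illustrative only, not the real catalog entries.
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix",
     "product": "NetScaler ADC and Gateway", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-6736", "vendorProject": "Cisco",
     "product": "IOS and IOS XE", "knownRansomwareCampaignUse": "Unknown"},
]}

# Assumed classification of what each vulnerability targets (IoT device
# versus server application), maintained by hand for this example.
TARGET_CLASS = {"CVE-2023-3519": "server application", "CVE-2017-6736": "device"}

# Constructed results of a daily device fingerprinting scan, keyed by IP.
FINGERPRINTS = {
    "198.51.100.7": {"vendor": "ExampleCam", "model": "IPC-100", "device_type": "ip camera"},
    "192.0.2.44": {"vendor": "ExampleRouter", "model": None, "device_type": "router"},
}


def kev_index(catalog):
    """Index a KEV-shaped catalog by CVE identifier."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def exploit_table(observations, kev, count_attempts=False):
    """Rows per exploited CVE, ranked by unique source IPs (default) or by
    connection attempts, with KEV and ransomware flags. Observations without
    a CVE are skipped: this table is grouped by exploited vulnerability."""
    ips = defaultdict(set)
    attempts = Counter()
    for obs in observations:
        if obs["cve"] is None:
            continue
        ips[obs["cve"]].add(obs["src_ip"])
        attempts[obs["cve"]] += 1
    rows = []
    for cve in ips:
        entry = kev.get(cve)
        rows.append({
            "cve": cve,
            "count": attempts[cve] if count_attempts else len(ips[cve]),
            "in_kev": entry is not None,
            "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
            "vendor": entry["vendorProject"] if entry else None,
            "target": TARGET_CLASS.get(cve, "unknown"),
        })
    rows.sort(key=lambda r: (-r["count"], r["cve"]))
    return rows


def device_table(observations, fingerprints, country=None):
    """Rows per (attack type, vendor, model) counted by unique source IP.
    Each attacking IP is correlated with the fingerprint scan; IPs with no
    fingerprint are kept under vendor None instead of being dropped."""
    seen = defaultdict(set)
    for obs in observations:
        if country and obs["src_country"] != country:
            continue
        fp = fingerprints.get(obs["src_ip"], {})
        seen[(obs["attack_type"], fp.get("vendor"), fp.get("model"))].add(obs["src_ip"])
    rows = [{"attack_type": k[0], "vendor": k[1], "model": k[2], "unique_ips": len(v)}
            for k, v in seen.items()]
    rows.sort(key=lambda r: (-r["unique_ips"], r["attack_type"], str(r["vendor"])))
    return rows


if __name__ == "__main__":
    kev = kev_index(KEV_CATALOG)
    for row in exploit_table(OBSERVATIONS, kev):
        print(row)
    for row in device_table(OBSERVATIONS, FINGERPRINTS, country="DE"):
        print(row)
```

The unique-IP count (2 for CVE-2023-3519 in the sample) and the attempt count (3) differ because one source repeats its attack; ranking by unique IPs is what keeps a single noisy host from dominating the table.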

Development of the Shadowserver Dashboard was funded by the UK FCDO. The IoT device fingerprinting statistics and honeypot attack statistics are funded by the European Union's Connecting Europe Facility (EU CEF VARIoT project).

We would like to thank all our generous partners who contribute data used in the Shadowserver Dashboard, including (in alphabetical order) APNIC Community Feeds, Bitsight, CISPA, if-is.net, Kryptos Logic, SecurityScorecard, Yokohama National University and all those who prefer to remain anonymous.
