{"id":5881,"date":"2019-04-22T11:00:55","date_gmt":"2019-04-22T08:00:55","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=5881"},"modified":"2019-11-15T14:30:00","modified_gmt":"2019-11-15T11:30:00","slug":"domain-fronting-rsa2019","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/domain-fronting-rsa2019\/5881\/",
"title":{"rendered":"RSAC 2019: Why attackers need domain fronting"},
"content":{"rendered":"<p>Domain fronting, a technique for hiding oneself behind a third-party domain, started attracting attention after <a href=\"https:\/\/www.wired.co.uk\/article\/telegram-in-russia-blocked-web-app-ban-facebook-twitter-google\" target=\"_blank\" rel=\"noopener nofollow\">Telegram<\/a> used it to evade blocking by Roskomnadzor, the Russian Internet regulator. This time, speakers from the SANS Institute took up the topic at the RSA 2019 conference. For attackers, this method is not a direct attack route such as seizing control of an infected computer or exfiltrating stolen data. Ed Skoudis, whose report <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/grand-theft-dns-rsa2019\/5853\/\" target=\"_blank\" rel=\"noopener\">we covered earlier<\/a>, describes it as the action plan of a typical cybercriminal looking for a way to \u201cget lost among the clouds.\u201d<\/p>\n<p>The most sophisticated APT attacks are detected during the exchange of data with the command-and-control server. Sudden exchanges between a computer on the corporate network and an unknown external machine are wake-up alarms and are bound to trigger a response from the IS team, which is exactly why cybercriminals work so hard to conceal these communications. Using various content delivery networks (CDNs) for this purpose is becoming increasingly common.<\/p>\n<p>The algorithm Skoudis describes looks like this:<\/p>\n<ol>\n<li>There is a malware-infected computer inside the corporate network.<\/li>\n<li>This machine sends a DNS query for a clean, trusted website hosted on a reputable CDN.<\/li>\n<li>The attacker, who is also a customer of the same CDN, hosts their own website there.<\/li>\n<li>The infected computer establishes an encrypted TLS connection with the trusted website.<\/li>\n<li>Inside this connection, the malware creates an HTTP 1.1 request addressed to the attacker\u2019s web server on the same CDN.<\/li>\n<li>The website forwards the request to the malware servers.<br>\nThe communication channel is established.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5883\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2019\/04\/18123548\/domain-fronting-scheme.png\" alt=\"\" width=\"1460\" height=\"960\"><\/p>\n<p>To the IS specialist responsible for the corporate network, all of this looks like communication over an encrypted channel with a trusted website on a well-known CDN, because the CDN the company is itself a customer of is treated as part of the trusted network. That is a big mistake.<\/p>\n<p>According to Skoudis, these are symptoms of an extremely dangerous trend. Domain fronting is unpleasant but manageable. The dangerous part is that criminals have already dared to move into cloud technologies. In theory, they can build a chain of CDNs and safely hide their activity behind cloud services, thereby \u201claundering their connections.\u201d The probability that one CDN will block another for security reasons is close to zero; the probability that doing so would hurt their business is almost one hundred percent.<\/p>\n<p>To cope with tricks of this kind, Skoudis recommends using TLS interception techniques. But the most important thing to recognize is that this can happen, and to take this cloud attack route into account when doing threat modeling.<\/p>\n<p>Kaspersky Lab experts also have experience with similar malicious tricks. Our <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/threat-management-defense-solution\" target=\"_blank\" rel=\"noopener\">Threat Management and Defence<\/a> solution can detect such communication channels and flag potentially malicious activity.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>A story from RSAC 2019 about how domain fronting is used to disguise communication between an infected machine and its command-and-control server.<\/p>\n","protected":false},
"author":700,"featured_media":5882,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1287,1194,1727],"tags":[1914,1876,1905,815,1666,1598],"class_list":{"0":"post-5881","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-business","9":"category-smb","10":"tag-cdn","11":"tag-rsa-konferansi","12":"tag-rsa2019","13":"tag-rsac","14":"tag-siber-saldirilar","15":"tag-tls"},
"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/domain-fronting-rsa2019\/5881\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/domain-fronting-rsa2019\/15577\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/domain-fronting-rsa2019\/13122\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/domain-fronting-rsa2019\/17498\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/domain-fronting-rsa2019\/15648\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/domain-fronting-rsa2019\/14337\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/domain-fronting-rsa2019\/18219\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/domain-fronting-rsa2019\/17152\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/domain-fronting-rsa2019\/22571\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/domain-fronting-rsa2019\/26352\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/domain-fronting-rsa2019\/11618\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/domain-fronting-rsa2019\/11686\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/domain-fronting-rsa2019\/18978\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/domain-fronting-rsa2019\/23020\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/domain-fronting-rsa2019\/18224\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/domain-fronting-rsa2019\/22430\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/domain-fronting-rsa2019\/22366\/"}],
"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/rsac\/","name":"RSAC"},
"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=5881"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5881\/revisions"}],"predecessor-version":[{"id":6802,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5881\/revisions\/6802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/5882"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=5881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=5881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=5881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}