In this section the question is not "how do we stop the attack?" but "how do we detect the attack early and limit its damage?".
What we will learn:
- Logs: /var/log, Windows Event Viewer, web-server logs
- The SIEM concept: log collection → normalization → alert
- IOC (Indicator of Compromise): suspicious IPs, domains, file hashes
- The incident process: detection → isolation → recovery
The fastest practical checks
- Windows: Task Manager / Startup / Event Viewer (Security log, event ID 4624 for successful and 4625 for failed logons), Defender protection history
- Linux: ss -tulpn, journalctl -xe, last, /var/log/auth.log
- Network: router logs, DNS history, unknown open ports, unusual traffic spikes
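The SIEM pipeline (collect → normalize → alert), the IOC idea and the auth.log / event ID 4624/4625 checks above fit in one small worked example. The script below is an added illustration written for this page, not code from any SIEM product: it normalizes constructed sshd lines from auth.log and constructed Windows Security events into one event shape, then runs three alert rules over them (IOC IP hit, brute-force threshold, failures followed by a successful logon from the same source). The hostnames, usernames, IOC list and IP addresses are invented for the demo (documentation ranges only).

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of /var/log/auth.log (sshd lines; hosts, users and IPs are hypothetical).
AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:14 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 10:01:15 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar  3 10:01:17 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Mar  3 10:01:19 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 10:02:00 web01 CRON[2250]: pam_unix(cron:session): session opened for user root
Mar  3 10:02:30 web01 sshd[2290]: Accepted password for deploy from 198.51.100.7 port 40010 ssh2
"""

# Constructed sample of Windows Security events, already parsed into fields (hypothetical values).
WIN_EVENTS = [
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},
    {"EventID": 4624, "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},
    {"EventID": 4672, "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},  # not a logon event
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
]

# Hypothetical IOC feed: known-bad source IPs.
IOC_IPS = {"203.0.113.45", "198.51.100.200"}

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

@dataclass(frozen=True)
class Event:
    """Normalized logon event: the same shape regardless of which log it came from."""
    source: str    # "linux-auth" or "windows-security"
    host: str
    user: str
    src_ip: str
    outcome: str   # "success" or "failure"

def normalize_auth_log(text, host="web01"):
    """Turn sshd password-auth lines into Events; other lines (cron, sudo...) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        events.append(Event("linux-auth", host, m["user"], m["ip"], outcome))
    return events

def normalize_windows(records, host="dc01"):
    """Map Security event IDs to outcomes: 4624 = successful logon, 4625 = failed logon."""
    events = []
    for r in records:
        if r["EventID"] == 4624:
            outcome = "success"
        elif r["EventID"] == 4625:
            outcome = "failure"
        else:
            continue  # other IDs (e.g. 4672 special privileges) are not logon attempts
        events.append(Event("windows-security", host, r["TargetUserName"], r["IpAddress"], outcome))
    return events

def detect(events, ioc_ips, threshold=5):
    """Run alert rules over time-ordered normalized events and return a list of alerts."""
    alerts = []
    # Rule 1: any activity from an IOC-listed IP is an alert on its own.
    for ip in sorted({e.src_ip for e in events} & set(ioc_ips)):
        alerts.append({"rule": "ioc-ip", "src_ip": ip})
    # Rule 2: brute force = at least `threshold` failures from one source IP.
    failures = Counter(e.src_ip for e in events if e.outcome == "failure")
    for ip, n in sorted(failures.items()):
        if n >= threshold:
            alerts.append({"rule": "bruteforce", "src_ip": ip, "failures": n})
    # Rule 3: failures followed by a success from the same IP = possible compromise,
    # the strongest signal here that the host needs isolation, not just an alert.
    seen_failures = defaultdict(int)
    for e in events:  # assumes the collector delivered events in time order
        if e.outcome == "failure":
            seen_failures[e.src_ip] += 1
        elif seen_failures[e.src_ip] > 0:
            alerts.append({"rule": "failure-then-success", "src_ip": e.src_ip,
                           "failures": seen_failures[e.src_ip], "user": e.user})
            seen_failures[e.src_ip] = 0  # alert once per burst
    return alerts

def analyze():
    """Collect -> normalize -> alert over the constructed samples."""
    events = normalize_auth_log(AUTH_LOG) + normalize_windows(WIN_EVENTS)
    return detect(events, IOC_IPS)

if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Run it with `python3 siem_demo.py` (any filename). The brute-force threshold and the IOC list are the two knobs a real deployment tunes; the point of the normalization step is that the three rules never have to know whether an event came from sshd or from the Windows Security log.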
Defense
- Password policy + 2FA
- Patch/Update: OS and browser, plugins
- Least privilege: do daily work from a non-admin account
- Backup: the 3-2-1 rule (three copies, on two kinds of media, one of them off-site)