实用威胁情报融合 Feed 概览
Mandiant Fusion 指标 Feed 是一组失陷指标 (IOC),包括哈希值、IP 地址、网域和网址,这些指标与已知的威胁行为者、恶意软件变种、正在进行的攻击活动和已完成的情报报告相关联。为确保最大价值,Feed 中还包含 Mandiant Intelligence 的 IOC 已通过开源 Feed 的仔细检查和验证,确保了高准确度。 Mandiant 的策展过程包括以下步骤。
一线突发事件响应:Mandiant 分析师在调查数据泄露时会第一手了解攻击者工具和技术。
威胁研究:专门的团队会跟踪威胁行为者、分析恶意软件,并发现新出现的攻击基础架构。
上下文:IOC 会映射到特定的威胁和活动,这有助于了解和确定事件的优先级。
数据泄露分析 Feed 基于 Fusion 构建,添加了与 Mandiant 正在积极调查的新数据泄露和新兴数据泄露相关的指标。它提供 实时了解最新攻击趋势。 YARA-L 规则可以利用应用式威胁情报融合 Feed 中的上下文信息来增强简单的指标匹配规则。其中包括 威胁组织、受损环境中的指示信号,或 Mandiant 的 自动计算恶意内容置信度。
使用 Fusion Feed 编写 YARA-L 规则
使用 Fusion Feed 编写 YARA-L 规则的过程与使用其他情境实体来源编写 YARA-L 规则类似。如需详细了解如何 这种类型的 YARA-L 规则,请参阅创建情境感知分析。
“事件与比赛”部分
如需编写规则,请过滤所选的上下文实体图。在本例中是 Fusion Feed。然后,按特定指标类型过滤。例如 FILE
。下面给出了一个示例。
events:
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
$context_graph.graph.metadata.entity_type = "FILE"
与不使用情境实体的 YARA-L 规则类似,您可以在 events
部分添加事件或情境实体的任何其他条件。您可以联接情境实体字段和 UDM 事件字段。在以下示例中,占位符变量 ioc
用于在情境实体和事件之间执行传递联接。然后,在 match
部分中使用此占位符变量,以确保在特定时间范围内进行匹配。
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
详细了解可以利用的上下文实体字段 请参阅 Fusion Feed 上下文实体字段部分。
结果部分
接着前面的示例,我们将针对情境实体中的文件哈希值设置基本指标匹配规则,具体位置为 graph.entity.file.md5
字段和 principal.process.file.md5
UDM 字段。此简单的匹配规则可以匹配大量事件。因此,
对具有特定特征的上下文实体进行优化,
需要的情报。
例如,这可能包括分配给指标的置信度分数
无论是在被破坏的环境中发现,还是被恶意软件家族发现,
与指标相关联这一切都可以在规则的 outcome
部分完成。
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
在 YARA-L 规则的 outcome
部分中,置信度分数为
使用封装在 max
函数中的 if statement
提取。多事件规则必须采用此方法。同样的技术也用于从 verdict_info
中提取 pwn
变量,该变量用于指明 Mandiant 是否在遭到入侵的环境中发现了指标。
这两个结果变量随后合并到另一个
matched_conditions
变量,允许使用链式逻辑
在 condition
部分。
“Conditions”(条件)部分
condition
部分可确保 e1
、context_graph
和 matched_conditions
存在且/或与指定的条件匹配。
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
完成 YARA-L 规则
此时,规则已准备就绪,可供使用,应如下所示:
rule fusion_feed_example_principal_process_file_md5 {
meta:
rule_name = "File Hash - Applied Threat Intelligence"
description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."
events:
// Filter graph
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.entity_type = "FILE"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
// Do join
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
}
融合 Feed 情境实体字段
您可以在规则中使用 Mandiant Fusion 指标 Feed 中的许多字段。这些字段均在统一数据模型字段列表中定义。以下字段与确定指标优先级相关:
实体字段 | 可能的值 |
---|---|
metadata.threat.associations.type |
MALWARE ,THREAT_ACTOR |
metadata.threat.associations.name |
威胁关联名称 |
metadata.threat.verdict_info.pwn |
TRUE ,FALSE |
metadata.threat.verdict_info.pwn_first_tagged_time.seconds |
时间戳(秒) |
某些字段包含键值对,需要组合使用它们才能访问 正确的值。以下是一个示例。
实体字段 1 | 值 | 实体字段 2 | 值 |
---|---|---|---|
metadata.threat.verdict_info.source_provider |
Mandiant Global Intel | metadata.threat.verdict_info.global_hits_count |
整数 |
metadata.threat.verdict_info.source_provider |
Mandiant 全球情报 | metadata.threat.verdict_info.global_customer_count |
整数 |
metadata.threat.verdict_info.source_provider |
Mandiant 分析师 Intel | metadata.threat.verdict_info.confidence_score |
整数 |
metadata.threat.verdict_info.source_provider |
Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score |
整数 |
在 YARA-L 规则的 outcome
部分,您可以访问指定
特定键指定具体的键:
$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))
通过在 Google Security Operations 中检查实体匹配项,您可以全面了解数据,并显示有助于评估指标提醒的优先级和上下文的其他字段。
以下示例将 Fusion Feed 情境实体用作初始参考点。
{
"metadata": {
"product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
"collected_timestamp": {
"seconds": "1695165683",
"nanos": 48000000
},
"vendor_name": "MANDIANT_FUSION_IOC",
"product_name": "MANDIANT_FUSION_IOC",
"product_version": "1710194393",
"entity_type": "FILE",
"creation_timestamp": {
"seconds": "1710201600"
},
"interval": {
"start_time": {
"seconds": "1"
},
"end_time": {
"seconds": "253402300799"
}
},
"threat": [
{
"category_details": [
"A phishing email message or the relevant headers from a phishing email."
],
"severity_details": "HIGH",
"confidence_details": "75",
"risk_score": 75,
"first_discovered_time": {
"seconds": "1683294326"
},
"associations": [
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"type": "THREAT_ACTOR",
"name": "UNC2633"
},
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"country_code": [
"unknown"
],
"type": "THREAT_ACTOR",
"name": "UNC2633",
"description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
"alias": [
{
"name": "TA570 (Proofpoint)"
}
],
"first_reference_time": {
"seconds": "1459085092"
},
"last_reference_time": {
"seconds": "1687392000"
},
"industries_affected": [
"Aerospace & Defense",
"Agriculture",
"Automotive",
"Chemicals & Materials",
"Civil Society & Non-Profits",
"Construction & Engineering",
"Education",
"Energy & Utilities",
"Financial Services",
"Governments",
"Healthcare",
"Hospitality",
"Insurance",
"Legal & Professional Services",
"Manufacturing",
"Media & Entertainment",
"Oil & Gas",
"Pharmaceuticals",
"Retail",
"Technology",
"Telecommunications",
"Transportation"
]
}
],
"campaigns": [
"CAMP.23.007"
],
"last_updated_time": {
"seconds": "1695165683",
"nanos": 48000000
},
"verdict_info": [
{
"source_provider": "Mandiant Automated Intel",
"confidence_score": 75
},
{
"verdict_type": "ANALYST_VERDICT",
"confidence_score": 75
},
{
"source_count": 91,
"response_count": 1,
"verdict_type": "PROVIDER_ML_VERDICT",
"malicious_count": 1,
"ioc_stats": [
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Knowledge Graph",
"quality": "HIGH_CONFIDENCE",
"malicious_count": 1,
"response_count": 1,
"source_count": 8
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Malware Analysis",
"source_count": 4
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Spam Monitoring",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"second_level_source": "Crowdsourced Threat Analysis",
"source_count": 71
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "MISP",
"second_level_source": "Trusted Software List",
"source_count": 3
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Digitalside It Hashes",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Tds Harvester",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Urlhaus",
"source_count": 1
}
]
},
{
"source_provider": "Mandiant Analyst Intel",
"confidence_score": 75,
"pwn": true,
"pwn_first_tagged_time": {
"seconds": "1683911695"
}
}
],
"last_discovered_time": {
"seconds": "1683909854"
}
}
],
"source_type": "GLOBAL_CONTEXT",
"source_labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
{
"key": "has_pwn",
"value": "2023-05-12T17:14:55.000+0000"
}
],
"event_metadata": {
"id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
"base_labels": {
"log_types": [
"MANDIANT_FUSION_IOC"
],
"allow_scoped_access": true
}
}
},
"entity": {
"file": {
"sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
"md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
"sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
},
"labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
]
}
}
复杂条件
如需在情境实体中一次使用多个字段,您可以将多个结果变量组合在一起,以创建更复杂的条件逻辑。若要组合多个字段,您可以创建中间结果变量。
然后,这些变量会组合成一个新的结果变量,可在 condition
部分中使用。
下面给出了一个示例。
// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))
// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1,0))
// Value will be the sum of the $is_attributed_malware $is_attributed_malware and $is_attributed_actor
$is_attributed = if($is_attributed_malware = 1, 1, 0)
+
if($is_attributed_actor = 1, 1, 0)
// If the value of $is_attributed is greater than 1, this indicates the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"
在本示例中,有两个中间结果变量 is_attributed_malware
和 is_attributed_actor
合并到一个结果变量中
is_attributed
。
在此示例中,中间结果值返回数值,
允许在新的结果变量中进行比较。
在此示例中,如果满足以下条件,则 is_attributed
将是 1 或更大的值
指示器至少有 1 个类型为 MALWARE
的威胁关联
或 THREAT_ACTOR
。
YARA-L 中的灵活联接
在 IOC 之间灵活联接允许联接多个 UDM 字段 上下文实体。这样一来,如果将多个 UDM 字段与情境实体联接,则可以减少所需的规则数量。
以下是针对多个 UDM 字段使用灵活联接的 event
部分示例。
events:
// Filter graph
$mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.entity_type = "FILE"
$mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"
$mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
$mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)