Applied Threat Intelligence Fusion Feed overview

The Mandiant Fusion indicator feed is a set of indicators of compromise (IOCs): hashes, IP addresses, domains, and URLs associated with known threat actors, malware variants, active campaigns, and finished intelligence reports. To maximize its value, the feed also includes IOCs from open-source feeds that Mandiant Intelligence has examined and validated for accuracy. Mandiant's curation process includes the following steps.

  • Frontline incident response: Mandiant analysts gain first-hand knowledge of attacker tools and techniques while investigating breaches.

  • Threat research: Dedicated teams track threat actors, analyze malware, and uncover emerging attack infrastructure.

  • Contextualization: IOCs are mapped to specific threats and campaigns, which helps you understand and prioritize incidents.

The Breach Analytics feed builds on Fusion by adding indicators associated with new intrusions and discoveries that Mandiant is actively investigating, giving real-time analysis of the latest attack trends. YARA-L rules can use the contextual information in the Applied Threat Intelligence Fusion Feed to enrich simple indicator-match rules. That context includes the associated threat group, whether the indicator has been seen in a breached environment, and Mandiant's automated confidence score of maliciousness.

Write YARA-L rules using the Fusion Feed

Writing a YARA-L rule that uses the Fusion Feed is similar to writing a YARA-L rule that uses any other context entity source. For details on writing such rules, see Create context-aware analytics.

Events and match sections

To write the rule, first filter on the selected context entity graph, in this case the Fusion Feed, and then filter on a specific indicator type, for example FILE. An example is shown below.

events:
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $context_graph.graph.metadata.entity_type = "FILE"

As with YARA-L rules that do not use context entities, you can add any other conditions on the event or on the context entity in the events section, and you can join fields from the context entity with UDM event fields. In the following example, the placeholder variable ioc performs a transitive join between the context entity and the event. The same placeholder is then used in the match section so that matches are grouped over a specific time window.

   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

match:
   $ioc over 1h

For details on the context entity fields you can use in YARA-L rules, see the Fusion Feed context entity fields section.

Outcome section

Continuing the previous example, the basic indicator-match rule is keyed on the file hash: the graph.entity.file.md5 field of the context entity and the principal.process.file.md5 UDM field. Such a simple match can fire on a large number of events, so it is recommended to refine the rule to match only context entities that carry specific, relevant intelligence. Examples include the confidence score Mandiant assigns to the indicator, whether the indicator has been observed in a breached environment, or the malware family associated with it. All of this can be done in the outcome section of the rule.

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

In the outcome section of the YARA-L rule, the confidence score is extracted with an if statement wrapped in the max function. This wrapping is required for multi-event rules. The pwn variable, extracted from verdict_info, indicates whether the indicator has been seen in an environment that Mandiant identified as breached.

The two outcome variables are then combined into a further variable, matched_conditions, which allows chained logic to be used in the condition section.

Condition section

The condition section ensures that $e1, $context_graph, and $matched_conditions exist and/or meet the specified conditions.

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1

Complete the YARA-L rule

At this point the rule is ready to use and should look like the following:

rule fusion_feed_example_principal_process_file_md5 {
 meta:
   rule_name = "File Hash - Applied Threat Intelligence"
   description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

 events:
   // Filter graph
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.entity_type = "FILE"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

   // Do join
   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

 match:
   $ioc over 1h

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1
}

Fusion Feed context entity fields

Many fields from the Mandiant Fusion indicator feed can be used in rules. All of them are defined in the Unified Data Model field list. The following fields are relevant for prioritizing indicators:

Entity field                                                 Possible values
metadata.threat.associations.type                            MALWARE, THREAT_ACTOR
metadata.threat.associations.name                            Name of the threat association
metadata.threat.verdict_info.pwn                             TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds   Timestamp (seconds)

Some fields come as key-value pairs and must be used in combination to reach the correct value: the same verdict_info field name is repeated once per source_provider, so the provider acts as the key that selects which value you read. An example follows.

Entity field 1                                 Value                      Entity field 2                                       Value
metadata.threat.verdict_info.source_provider   Mandiant Global Intel      metadata.threat.verdict_info.global_hits_count       Integer
metadata.threat.verdict_info.source_provider   Mandiant Global Intel      metadata.threat.verdict_info.global_customer_count   Integer
metadata.threat.verdict_info.source_provider   Mandiant Analyst Intel     metadata.threat.verdict_info.confidence_score        Integer
metadata.threat.verdict_info.source_provider   Mandiant Automated Intel   metadata.threat.verdict_info.confidence_score        Integer

In the outcome section of a YARA-L rule, the value selected by a particular key can be accessed as follows:

$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))

Inspecting entity matches in Google Security Operations gives you a full view of the data and can reveal additional fields that help prioritize and contextualize indicator alerts.

The following is an example Fusion Feed context entity, provided as an initial reference point.

{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
    ]
  }
}

Complex conditions

To use several fields of a context entity at once, you can combine multiple outcome variables to build more complex conditional logic. Create intermediate outcome variables for the individual fields, then combine those into a new outcome variable that can be used in the condition section.

An example is shown below.

// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))

// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1,0))

// Value will be the sum of $is_attributed_malware and $is_attributed_actor (0, 1 or 2)
$is_attributed = if($is_attributed_malware = 1, 1, 0)
                    +
                    if($is_attributed_actor = 1, 1, 0)

// If the value of $is_attributed is 1 or greater, the indicator has at least one association of type "MALWARE" or "THREAT_ACTOR"; a value of 2 means it has both

In this case, the two intermediate outcome variables is_attributed_malware and is_attributed_actor are combined into a single outcome variable, is_attributed.

Because the intermediate outcome values are numbers, they can be compared in the new outcome variable. Here, is_attributed is 1 or greater if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR.
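The outcome-section variables described on this page (confidence_score, breached, the hit_count lookup keyed on source_provider, and the is_attributed sum from this section) all reduce the repeated verdict_info and associations entries of one entity to a single number. The following Python reproduces that reduction so it can be run against an entity offline. It is an added example, not code from the Google Security Operations documentation or from YARA-L itself; the max_if helper is a hypothetical stand-in for the YARA-L max(if(...)) idiom, and the entity below is constructed for the example: it follows the shape of the sample entity on this page, but its confidence scores were chosen to differ per provider so that the effect of the source_provider filter is visible.

```python
# Added example (not code from the Google SecOps docs): reproduces in Python
# what the outcome variables on this page compute from one Fusion Feed entity.
from typing import Callable, Iterable

# Constructed sample entity, trimmed to the fields the outcome logic reads.
# Scores differ per provider on purpose (the page's sample has 75 for both).
SAMPLE_ENTITY = {
    "metadata": {
        "vendor_name": "MANDIANT_FUSION_IOC",
        "product_name": "MANDIANT_FUSION_IOC",
        "entity_type": "FILE",
        "source_type": "GLOBAL_CONTEXT",
        "threat": [
            {
                "associations": [
                    {"type": "THREAT_ACTOR", "name": "UNC2633"},
                ],
                "verdict_info": [
                    # Same field name, several providers: filtering on
                    # source_provider is what selects the right confidence_score.
                    {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
                    {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
                    {"source_provider": "Mandiant Global Intel",
                     "global_hits_count": 12, "global_customer_count": 3},
                    {"source_provider": "Mandiant Analyst Intel", "confidence_score": 90,
                     "pwn": True, "pwn_first_tagged_time": {"seconds": "1683911695"}},
                ],
            }
        ],
    },
    "entity": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}},
}

# Constructed entity with no threat block: every outcome must fall back to 0.
EMPTY_ENTITY = {"metadata": {"entity_type": "FILE"}, "entity": {"file": {"md5": "00" * 16}}}


def _verdicts(entity: dict) -> list:
    """All verdict_info entries across every threat entry of the entity."""
    return [v for t in entity["metadata"].get("threat", []) for v in t.get("verdict_info", [])]


def _associations(entity: dict) -> list:
    """All associations entries across every threat entry of the entity."""
    return [a for t in entity["metadata"].get("threat", []) for a in t.get("associations", [])]


def max_if(items: Iterable[dict], pred: Callable[[dict], bool], value: Callable[[dict], int]) -> int:
    """Hypothetical Python counterpart of the YARA-L max(if(pred, value, 0)) idiom.

    if() yields `value` for entries that satisfy pred and 0 otherwise; max()
    collapses the repeated entries to one number, and an entity with no
    matching entry yields 0 (the else branch) instead of an error.
    """
    return max((value(i) for i in items if pred(i)), default=0)


def confidence_score(entity: dict, provider: str = "Mandiant Automated Intel") -> int:
    """$confidence_score: confidence_score from the verdict of one named provider."""
    return max_if(_verdicts(entity),
                  lambda v: v.get("source_provider") == provider,
                  lambda v: v.get("confidence_score", 0))


def global_hit_count(entity: dict) -> int:
    """$hit_count: global_hits_count, carried only by the Mandiant Global Intel verdict."""
    return max_if(_verdicts(entity),
                  lambda v: v.get("source_provider") == "Mandiant Global Intel",
                  lambda v: v.get("global_hits_count", 0))


def breached(entity: dict) -> int:
    """$breached: 1 if any verdict tags the indicator as seen in a breached environment."""
    return max_if(_verdicts(entity), lambda v: v.get("pwn") is True, lambda v: 1)


def is_attributed(entity: dict) -> int:
    """$is_attributed from the complex-conditions example: 0, 1 or 2."""
    assoc = _associations(entity)
    is_malware = max_if(assoc, lambda a: a.get("type") == "MALWARE", lambda a: 1)
    is_actor = max_if(assoc, lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1)
    return is_malware + is_actor


def matched_conditions(entity: dict, min_confidence: int = 80) -> int:
    """$matched_conditions: 1 when the automated score clears the bar and pwn is set."""
    return 1 if confidence_score(entity) >= min_confidence and breached(entity) == 1 else 0


if __name__ == "__main__":
    for name, entity in (("sample", SAMPLE_ENTITY), ("empty", EMPTY_ENTITY)):
        print(name, {
            "md5": entity["entity"]["file"]["md5"],
            "automated_confidence": confidence_score(entity),
            "analyst_confidence": confidence_score(entity, "Mandiant Analyst Intel"),
            "global_hits": global_hit_count(entity),
            "breached": breached(entity),
            "is_attributed": is_attributed(entity),
            "matched_conditions": matched_conditions(entity),
        })
```

Two things the run makes visible that the rule text alone does not: reading confidence_score without the provider filter would return the analyst score (90) rather than the automated one (75), so a threshold of 80 would fire on the wrong signal; and the default of 0 in max_if is the analogue of the else branch of if(), which is why an entity with no verdict at all evaluates to matched_conditions = 0 rather than failing.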

Flexible joins in YARA-L

Flexible joins let you join several UDM fields against the same context entity in one rule. This reduces the number of rules you need when an indicator can appear in more than one UDM field.

The following is an example events section that uses a flexible join across multiple UDM fields.

  events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Join the entity hash against either the target or the principal process hash
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)