Applied Threat Intelligence Fusion Feed overview
The Applied Threat Intelligence (ATI) Fusion Feed is a set of indicators of compromise (IOCs), including hashes, IP addresses, domains and URLs, that are associated with known threat actors, malware families, ongoing campaigns and finished intelligence reports. The feed also includes IOCs from open-source feeds that Mandiant Intelligence has vetted and validated, so that it delivers high fidelity and maximum value.
Mandiant's curation process includes the following stages:
Frontline incident response: while investigating breaches, Mandiant analysts gain first-hand knowledge of attacker tools and techniques.
Threat research: dedicated teams track threat actors, analyze malware and identify emerging attack infrastructure.
Contextualization: mapping IOCs to specific threats and campaigns helps you understand and prioritize events.
The Breach Analytics feed builds on the ATI Fusion Feed by adding indicators from recent and ongoing Mandiant breach investigations, and provides real-time insight into the latest attack trends. To improve indicator matching, YARA-L rules can use the context carried by the ATI Fusion Feed, such as the associated threat groups, whether the indicator has been seen in a breached environment, or Mandiant's automated maliciousness score.
Writing YARA-L rules with the ATI Fusion Feed
Writing a YARA-L rule that uses the ATI Fusion Feed in Google Security Operations is similar to writing a YARA-L rule that uses any other context entity source. For details, see "Create context-aware analytics".
Events and match sections
To write the rule, filter on the context entity graph of interest, in this case the Fusion Feed, and then on the specific indicator type, for example FILE. For example:
events:
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
$context_graph.graph.metadata.entity_type = "FILE"
You can add any other conditions on events or context entities in the events section. Fields can come from both context entities and UDM event fields. In the following example, the placeholder variable ioc is used to perform a transitive join between the context entity and the event. This placeholder variable is then used in the match section to ensure that the matches fall within a specific time window.
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
For more information about the context entity fields that you can use in YARA-L rules, see the "ATI Fusion Feed context entity fields" section.
Outcome section
Continuing the previous example, the basic indicator-matching rule is built on the file hash of the context entity in the graph.entity.file.md5 field and the principal.process.file.md5 UDM field.
Because this rule can match a large volume of events, consider tuning it to match only context entities that carry specific intelligence. For example, you might want to match on the confidence score Mandiant assigned to the indicator, whether the indicator has been seen in a breached environment, or the malware family associated with the indicator. All of this can be done in the outcome section of the rule.
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
In the outcome section of the YARA-L rule, the confidence score is extracted with an if statement wrapped in the max function. This technique is required in multi-event rules. The same technique is used to extract the pwn variable from verdict_info, which indicates whether the indicator has been seen in a breached environment identified by Mandiant. These two outcome variables are then combined into a further matched_conditions variable so that the chained logic can be used in the condition section.
Condition section
The condition section ensures that e1, context_graph and matched_conditions exist and satisfy the specified conditions.
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
Complete YARA-L rule
At this point the rule is ready to use and should look like this:
rule fusion_feed_example_principal_process_file_md5 {
  meta:
    rule_name = "File Hash - Applied Threat Intelligence"
    description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."
  events:
    // Filter graph
    $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.entity_type = "FILE"
    $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
    // Do join
    $ioc = $context_graph.graph.entity.file.md5
    $ioc = $e1.principal.process.file.md5
  match:
    $ioc over 1h
  outcome:
    // Extract the Mandiant Automated Intel confidence score of maliciousness
    $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
    // Extract the status of the indicator as seen in a breached environment
    $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
    // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
    // Return 1 if conditions are met, otherwise return 0.
    $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
  condition:
    // Ensure $e1, $context_graph and $matched_conditions conditions are met.
    $e1 AND $context_graph AND $matched_conditions = 1
}
ATI Fusion Feed context entity fields
Many fields from the ATI Fusion Feed can be used in rules. All of them are defined in the Unified Data Model field list. The following fields are relevant to indicator prioritization:
| Entity field | Possible values |
|---|---|
| metadata.threat.associations.type | MALWARE, THREAT_ACTOR |
| metadata.threat.associations.name | Name of the threat association |
| metadata.threat.verdict_info.pwn | TRUE, FALSE |
| metadata.threat.verdict_info.pwn_first_tagged_time.seconds | Timestamp (seconds) |
Some fields come as key/value pairs that must be used together to access the correct value. For example:
| Entity field 1 | Value | Entity field 2 | Value |
|---|---|---|---|
| metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_hits_count | Integer |
| metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_customer_count | Integer |
| metadata.threat.verdict_info.source_provider | Mandiant Analyst Intel | metadata.threat.verdict_info.confidence_score | Integer |
| metadata.threat.verdict_info.source_provider | Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score | Integer |
In the outcome section of a YARA-L rule, you can access the value designated by a specific key as follows:
$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))
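The following is an added illustration (not Google SecOps code and not part of the original documentation) of how the complete rule above and the key/value pairing just described behave when evaluated: the source_provider value acts as the key that selects which verdict_info entry a value is read from, max() collapses the repeated field to one number, and the join on md5 decides which events reach the condition. The entity and event records are constructed to mirror the sample entity shape on this page, and the md5 values are made-up placeholders, not real indicators.

```python
"""Emulation of the outcome section above: resolve paired source_provider /
value fields from a Fusion Feed context entity and join to UDM events.
Added illustration only, not Google SecOps code; all records are constructed."""

# Constructed Fusion Feed context entities (only the fields the rule reads).
FUSION_ENTITIES = [
    {   # High-confidence indicator that Mandiant has seen in a breach
        "metadata": {
            "product_name": "MANDIANT_FUSION_IOC",
            "vendor_name": "MANDIANT_FUSION_IOC",
            "entity_type": "FILE",
            "source_type": "GLOBAL_CONTEXT",
            "threat": [{"verdict_info": [
                {"source_provider": "Mandiant Automated Intel", "confidence_score": 85},
                {"source_provider": "Mandiant Global Intel", "global_hits_count": 42},
                {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
                 "pwn": True},
            ]}],
        },
        "entity": {"file": {"md5": "11111111111111111111111111111111"}},  # placeholder
    },
    {   # Lower-confidence indicator, never seen in a breach
        "metadata": {
            "product_name": "MANDIANT_FUSION_IOC",
            "vendor_name": "MANDIANT_FUSION_IOC",
            "entity_type": "FILE",
            "source_type": "GLOBAL_CONTEXT",
            "threat": [{"verdict_info": [
                {"source_provider": "Mandiant Automated Intel", "confidence_score": 60},
                {"source_provider": "Mandiant Analyst Intel", "confidence_score": 60,
                 "pwn": False},
            ]}],
        },
        "entity": {"file": {"md5": "22222222222222222222222222222222"}},  # placeholder
    },
]

# Constructed UDM events; principal.process.file.md5 is the join key ($ioc).
UDM_EVENTS = [
    {"principal": {"process": {"file": {"md5": "11111111111111111111111111111111"}}}},
    {"principal": {"process": {"file": {"md5": "22222222222222222222222222222222"}}}},
    {"principal": {"process": {"file": {"md5": "33333333333333333333333333333333"}}}},
]


def is_fusion_file_entity(entity):
    """The events-section filter: metadata must identify a Fusion Feed FILE entity."""
    md = entity["metadata"]
    return (md.get("product_name") == "MANDIANT_FUSION_IOC"
            and md.get("vendor_name") == "MANDIANT_FUSION_IOC"
            and md.get("entity_type") == "FILE"
            and md.get("source_type") == "GLOBAL_CONTEXT")


def verdicts(entity):
    """All verdict_info entries across the entity's repeated threat field."""
    return [v for t in entity["metadata"].get("threat", []) for v in t.get("verdict_info", [])]


def max_if_provider(entity, provider, field):
    """max(if(source_provider = provider, field, 0)): the provider is the key that
    selects which verdict_info entry the value is read from; other entries give 0."""
    return max([v.get(field, 0) if v.get("source_provider") == provider else 0
                for v in verdicts(entity)] + [0])


def outcome(entity):
    """The outcome variables of the rule above, plus $hit_count from the field table."""
    confidence_score = max_if_provider(entity, "Mandiant Automated Intel", "confidence_score")
    # $breached = max(if(pwn = true, 1, 0)): pwn is read from whichever entry carries it
    breached = max([1 if v.get("pwn") is True else 0 for v in verdicts(entity)] + [0])
    hit_count = max_if_provider(entity, "Mandiant Global Intel", "global_hits_count")
    matched_conditions = 1 if confidence_score >= 80 and breached == 1 else 0
    return {"confidence_score": confidence_score, "breached": breached,
            "hit_count": hit_count, "matched_conditions": matched_conditions}


def run_rule(entities, events):
    """Join events to entities on md5 ($ioc) and keep those whose condition holds.
    Returns the matched md5 values in event order."""
    by_md5 = {e["entity"]["file"]["md5"]: e for e in entities if is_fusion_file_entity(e)}
    detections = []
    for ev in events:
        ioc = ev.get("principal", {}).get("process", {}).get("file", {}).get("md5")
        entity = by_md5.get(ioc)
        # condition: $e1 AND $context_graph AND $matched_conditions = 1
        if entity is not None and outcome(entity)["matched_conditions"] == 1:
            detections.append(ioc)
    return detections


if __name__ == "__main__":
    for ent in FUSION_ENTITIES:
        print(ent["entity"]["file"]["md5"], outcome(ent))
    print("detections:", run_rule(FUSION_ENTITIES, UDM_EVENTS))
```

Running it shows why the pairing matters: both sample entities carry a confidence_score of 75 or 60 under Analyst Intel, but the rule reads the Automated Intel entry, so only the first entity (85, pwn true) produces a detection, and the third event, whose hash has no Fusion Feed entity, never reaches the condition.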
Inspecting entity matches in Google Security Operations gives you a full view of the data and surfaces additional fields that help you assess the priority and context of an indicator alert.
The following example shows a Fusion Feed context entity as an initial reference point:
{
"metadata": {
"product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
"collected_timestamp": {
"seconds": "1695165683",
"nanos": 48000000
},
"vendor_name": "MANDIANT_FUSION_IOC",
"product_name": "MANDIANT_FUSION_IOC",
"product_version": "1710194393",
"entity_type": "FILE",
"creation_timestamp": {
"seconds": "1710201600"
},
"interval": {
"start_time": {
"seconds": "1"
},
"end_time": {
"seconds": "253402300799"
}
},
"threat": [
{
"category_details": [
"A phishing email message or the relevant headers from a phishing email."
],
"severity_details": "HIGH",
"confidence_details": "75",
"risk_score": 75,
"first_discovered_time": {
"seconds": "1683294326"
},
"associations": [
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"type": "THREAT_ACTOR",
"name": "UNC2633"
},
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"country_code": [
"unknown"
],
"type": "THREAT_ACTOR",
"name": "UNC2633",
"description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
"alias": [
{
"name": "TA570 (Proofpoint)"
}
],
"first_reference_time": {
"seconds": "1459085092"
},
"last_reference_time": {
"seconds": "1687392000"
},
"industries_affected": [
"Aerospace & Defense",
"Agriculture",
"Automotive",
"Chemicals & Materials",
"Civil Society & Non-Profits",
"Construction & Engineering",
"Education",
"Energy & Utilities",
"Financial Services",
"Governments",
"Healthcare",
"Hospitality",
"Insurance",
"Legal & Professional Services",
"Manufacturing",
"Media & Entertainment",
"Oil & Gas",
"Pharmaceuticals",
"Retail",
"Technology",
"Telecommunications",
"Transportation"
]
}
],
"campaigns": [
"CAMP.23.007"
],
"last_updated_time": {
"seconds": "1695165683",
"nanos": 48000000
},
"verdict_info": [
{
"source_provider": "Mandiant Automated Intel",
"confidence_score": 75
},
{
"verdict_type": "ANALYST_VERDICT",
"confidence_score": 75
},
{
"source_count": 91,
"response_count": 1,
"verdict_type": "PROVIDER_ML_VERDICT",
"malicious_count": 1,
"ioc_stats": [
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Knowledge Graph",
"quality": "HIGH_CONFIDENCE",
"malicious_count": 1,
"response_count": 1,
"source_count": 8
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Malware Analysis",
"source_count": 4
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Spam Monitoring",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"second_level_source": "Crowdsourced Threat Analysis",
"source_count": 71
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "MISP",
"second_level_source": "Trusted Software List",
"source_count": 3
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Digitalside It Hashes",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Tds Harvester",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Urlhaus",
"source_count": 1
}
]
},
{
"source_provider": "Mandiant Analyst Intel",
"confidence_score": 75,
"pwn": true,
"pwn_first_tagged_time": {
"seconds": "1683911695"
}
}
],
"last_discovered_time": {
"seconds": "1683909854"
}
}
],
"source_type": "GLOBAL_CONTEXT",
"source_labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
{
"key": "has_pwn",
"value": "2023-05-12T17:14:55.000+0000"
}
],
"event_metadata": {
"id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
"base_labels": {
"log_types": [
"MANDIANT_FUSION_IOC"
],
"allow_scoped_access": true
}
}
},
"entity": {
"file": {
"sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
"md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
"sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
},
"labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
]
}
}
Complex conditions
To use multiple fields from the context entity, you can combine several outcome variables to build more complex conditional logic. Intermediate outcome variables can be used to merge multiple fields, and these variables are then combined into a new outcome variable that can be used in the condition section. For example:
// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))
// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))
// Value will be the sum of $is_attributed_malware and $is_attributed_actor (0, 1 or 2)
$is_attributed = if($is_attributed_malware = 1, 1, 0) + if($is_attributed_actor = 1, 1, 0)
// If the value of $is_attributed is 1 or greater, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"
In this example, the two intermediate outcome variables is_attributed_malware and is_attributed_actor are combined into the outcome variable is_attributed. Because the intermediate outcome values are numeric, they can be compared numerically in the new outcome variable. If the indicator has at least one threat association of type MALWARE or THREAT_ACTOR, the value of is_attributed is 1 or greater.
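The following is an added illustration (not Google SecOps code and not part of the original documentation) of the attribution logic just described: one flag per association type, each collapsed with max() over the repeated associations field, then summed into is_attributed. The entities are constructed; the association names are taken from the sample entity on this page.

```python
"""Emulation of the $is_attributed_malware / $is_attributed_actor / $is_attributed
outcome variables above. Added illustration only, not Google SecOps code."""


def associations(entity):
    """All threat.associations entries across the entity's repeated threat field."""
    return [a for t in entity["metadata"].get("threat", []) for a in t.get("associations", [])]


def max_if_type(entity, assoc_type):
    """max(if(threat.associations.type = assoc_type, 1, 0)) over the repeated field."""
    return max([1 if a.get("type") == assoc_type else 0 for a in associations(entity)] + [0])


def attribution_outcome(entity):
    """The three outcome variables from the example above."""
    is_attributed_malware = max_if_type(entity, "MALWARE")
    is_attributed_actor = max_if_type(entity, "THREAT_ACTOR")
    # Sum of the two flags: 0 (unattributed), 1 (one type present) or 2 (both types)
    is_attributed = ((1 if is_attributed_malware == 1 else 0)
                     + (1 if is_attributed_actor == 1 else 0))
    return {"is_attributed_malware": is_attributed_malware,
            "is_attributed_actor": is_attributed_actor,
            "is_attributed": is_attributed}


def is_attributed(entity):
    """Condition form of "attributed at least once": $is_attributed >= 1.
    A test of > 1 would instead require both a MALWARE and a THREAT_ACTOR association."""
    return attribution_outcome(entity)["is_attributed"] >= 1


def make_entity(assocs):
    """Constructed context entity carrying only the associations field."""
    return {"metadata": {"threat": [{"associations": assocs}]}}


BOTH_TYPES = make_entity([{"type": "MALWARE", "name": "QAKBOT"},
                          {"type": "THREAT_ACTOR", "name": "UNC2633"}])
ACTOR_ONLY = make_entity([{"type": "THREAT_ACTOR", "name": "UNC2633"}])
UNATTRIBUTED = make_entity([])

if __name__ == "__main__":
    for label, ent in [("both", BOTH_TYPES), ("actor only", ACTOR_ONLY), ("none", UNATTRIBUTED)]:
        print(label, attribution_outcome(ent), is_attributed(ent))
```

The sum makes the variable usable both as a boolean (>= 1, attributed at all) and as a richer signal (= 2, attributed to both a malware family and a named actor), which is useful when the condition section should prioritize the better-attributed indicators.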
Flexible joins in YARA-L rules
To reduce the number of rules you need, you can use flexible joins between IOCs to link multiple UDM fields to a context entity. The following example shows how to use a flexible join across multiple UDM fields in the events section:
events:
// Filter graph
$mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.entity_type = "FILE"
$mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"
// Flexible join: compare the entity hash with the first populated hash field on each side of the event
$mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.file.md5) OR
$mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.file.md5)
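The following is an added illustration (not Google SecOps code and not part of the original documentation) of how the flexible join above evaluates: strings.coalesce yields the first non-empty hash field on each side of the event, and the OR lets either side equal the entity hash. The events are constructed and the md5 values are placeholders; the fallback fields target.file.md5 and principal.file.md5 are an assumption about which UDM fields the second coalesce argument is meant to be.

```python
"""Emulation of the flexible join in the events section above.
Added illustration only, not Google SecOps code; events and hashes are constructed."""

IOC_MD5 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"     # constructed entity hash, not a real IOC
OTHER_MD5 = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"   # constructed unrelated hash


def get_path(event, path):
    """Read a dotted UDM path; an absent field reads as "" like an unset string."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else ""


def coalesce(*values):
    """strings.coalesce: the first non-empty value, else an empty string."""
    for value in values:
        if value:
            return value
    return ""


def join_keys(event):
    """The two join keys the events section computes: target side, then principal side.
    The fallback fields (target.file.md5, principal.file.md5) are an assumption."""
    target = coalesce(get_path(event, "target.process.file.md5"),
                      get_path(event, "target.file.md5"))
    principal = coalesce(get_path(event, "principal.process.file.md5"),
                         get_path(event, "principal.file.md5"))
    return target, principal


def event_matches(entity_md5, event):
    """entity.md5 = coalesce(target ...) OR entity.md5 = coalesce(principal ...)."""
    return entity_md5 != "" and entity_md5 in join_keys(event)


# Constructed UDM events covering the cases the join distinguishes.
UDM_EVENTS = [
    # Only principal.process.file.md5 set: matches through the principal side
    {"principal": {"process": {"file": {"md5": IOC_MD5}}}},
    # Only target.file.md5 set: matches through the fallback field
    {"target": {"file": {"md5": IOC_MD5}}},
    # IOC only in the fallback field while the first field holds another hash:
    # coalesce already returned the first value, so this event does NOT match
    {"target": {"process": {"file": {"md5": OTHER_MD5}}, "file": {"md5": IOC_MD5}}},
    # No hash fields at all
    {"principal": {"hostname": "host-01"}},
]


def matching_events(entity_md5, events):
    """Indices of the events the flexible join would pair with the entity."""
    return [i for i, ev in enumerate(events) if event_matches(entity_md5, ev)]


if __name__ == "__main__":
    for i, ev in enumerate(UDM_EVENTS):
        print(i, join_keys(ev), event_matches(IOC_MD5, ev))
    print("matched:", matching_events(IOC_MD5, UDM_EVENTS))
```

The third event is the caveat worth remembering: coalesce is "first populated field", not "any field", so a hash that sits only in the fallback field is never compared when the first field is already set. If both fields must be checked independently, give each its own OR term instead of folding them into one coalesce.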