Applied Threat Intelligence Fusion Feed overview
The Applied Threat Intelligence (ATI) Fusion Feed is a set of indicators of compromise (IoCs): hashes, IP addresses, domains and URLs associated with known threat actors, malware families, active campaigns and finished intelligence reports. The feed also includes IoCs from open-source feeds, which are vetted and validated by Mandiant Intelligence to maximize value and provide high fidelity.
Mandiant's curation process includes the following stages:
Frontline incident response: while investigating breaches, Mandiant analysts gain first-hand knowledge of the tools and techniques attackers use.
Threat research: dedicated teams track threat actors, analyze malware and uncover emerging attack infrastructure.
Contextualization: IoCs are mapped to specific threats and campaigns, which helps with understanding and prioritizing incidents.
The Breach Analytics Feed builds on the ATI Fusion Feed and contains indicators from new and active Mandiant breach investigations. It provides real-time data analysis of the latest attack trends. To enrich indicator matching, YARA-L rules can use contextual information from the ATI Fusion Feed, such as the associated threat group, whether the indicator has been observed in a breached environment, or Mandiant's automated maliciousness score.
Writing YARA-L rules with the ATI Fusion Feed
Writing a YARA-L rule that uses the ATI Fusion Feed in Google Security Operations follows the same process as writing a YARA-L rule that uses any other context entity source. For details, see Create context-aware analytics.
Events section
To write the rule, first filter on the chosen context entity graph, in this case the Fusion Feed, and then filter on a specific indicator type, for example FILE. An example is given below.
```
events:
    $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $context_graph.graph.metadata.entity_type = "FILE"
```
You can add any other conditions on events or context entities in the events section, and you can join fields from the context entity with fields from the UDM event. In the following example, the placeholder variable ioc performs a transitive join between the context entity and the event. The placeholder variable is then used in the match section to ensure that a match exists within the specified time window.
```
    $ioc = $context_graph.graph.entity.file.md5
    $ioc = $e1.principal.process.file.md5

match:
    $ioc over 1h
```
For details on the context entity fields you can use in a YARA-L rule, see the ATI Fusion Feed context entity fields section.
Outcome section
Continuing the previous example, a basic indicator-matching rule is set up against the file hash in the context entity's graph.entity.file.md5 field and the principal.process.file.md5 UDM field.
Because this rule could match a large number of events, it is recommended that you refine it to match only context entities that carry specific intelligence. For example, you may want to match on the confidence Mandiant assigns to the indicator, on whether the indicator has been seen in a breached environment, or on the malware family associated with the indicator. All of this can be done in the rule's outcome section.
```
outcome:
    // Extract the Mandiant Automated Intel confidence score of maliciousness
    $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
    // Extract the status of the indicator as seen in a breached environment
    $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
    // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
    // Return 1 if conditions are met, otherwise return 0.
    $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
```
In the outcome section of the YARA-L rule, an if statement wrapped in the max function extracts the confidence score. Multi-event rules must use this technique, because verdict_info is a repeated field. The same technique extracts the pwn variable from verdict_info, which indicates whether the indicator was found in a breached environment identified by Mandiant.
The two outcome variables are then combined into another variable, matched_conditions, so that chained logic can be used in the condition section.
Condition section
The condition section ensures that e1, context_graph and matched_conditions exist and/or meet the specified conditions.
```
condition:
    // Ensure $e1, $context_graph and $matched_conditions conditions are met.
    $e1 AND $context_graph AND $matched_conditions = 1
```
Complete YARA-L rule
At this point the rule is ready to use and should look like the following:
```
rule fusion_feed_example_principal_process_file_md5 {
  meta:
    rule_name = "File Hash - Applied Threat Intelligence"
    description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

  events:
    // Filter graph
    $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $context_graph.graph.metadata.entity_type = "FILE"
    $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Do join
    $ioc = $context_graph.graph.entity.file.md5
    $ioc = $e1.principal.process.file.md5

  match:
    $ioc over 1h

  outcome:
    // Extract the Mandiant Automated Intel confidence score of maliciousness
    $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
    // Extract the status of the indicator as seen in a breached environment
    $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
    // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
    // Return 1 if conditions are met, otherwise return 0.
    $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

  condition:
    // Ensure $e1, $context_graph and $matched_conditions conditions are met.
    $e1 AND $context_graph AND $matched_conditions = 1
}
```
ATI Fusion Feed context entity fields
Many fields from the ATI Fusion Feed can be used in rules. These fields are all defined in the Unified Data Model field list. The following fields are relevant to prioritizing indicators:

Entity field | Possible values
---|---
metadata.threat.associations.type | MALWARE, THREAT_ACTOR
metadata.threat.associations.name | Name of the threat association
metadata.threat.verdict_info.pwn | TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds | Timestamp (in seconds)
Some fields come as key-value pairs that must be used in combination to reach the correct value: the source_provider key selects which verdict_info entry the value field is read from. For example:

Entity field 1 | Value | Entity field 2 | Value
---|---|---|---
metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_hits_count | Integer
metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_customer_count | Integer
metadata.threat.verdict_info.source_provider | Mandiant Analyst Intel | metadata.threat.verdict_info.confidence_score | Integer
metadata.threat.verdict_info.source_provider | Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score | Integer

In the outcome section of a YARA-L rule, you can access the value selected by a particular key as follows:
```
$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))
```
Inspecting entity matches in Google Security Operations helps you understand the data fully and discover additional fields that are useful for prioritizing and contextualizing indicator alerts.
The following example shows a Fusion Feed context entity as an initial reference point:
```json
{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
      ...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
      ...
    ]
  }
}
```
Complex conditions
To use multiple fields from the context entity, you can combine several outcome variables to build more complex conditional logic. Intermediate outcome variables can each capture one field; these variables are then combined into a new outcome variable that can be used in the condition section.
For example:
```
// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))
// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))
// Value will be the sum of $is_attributed_malware and $is_attributed_actor (0, 1 or 2)
$is_attributed = if($is_attributed_malware = 1, 1, 0) + if($is_attributed_actor = 1, 1, 0)
// If the value of $is_attributed is 1 or greater, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"
```
In this example, the two intermediate outcome variables is_attributed_malware and is_attributed_actor are combined into a single outcome variable, is_attributed.
Intermediate outcome values are numeric, which allows numeric comparison in the new outcome variable.
If the indicator has at least one threat association of type MALWARE or THREAT_ACTOR, the value of is_attributed will be 1 or greater.
Flexible joins in YARA-L rules
To reduce the number of rules required, you can use flexible joins between IoCs, connecting multiple UDM fields to the context entity. The following example shows how to use a flexible join over multiple UDM fields in the events section:
```
events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)
```
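The following is an added Python model, not Google SecOps or Mandiant code, of how the YARA-L expressions on this page evaluate over a context entity: the max(if(...)) extraction from the outcome section, the key-selected lookup of global_hits_count by source_provider, the is_attributed sum from the complex-conditions section, and the flexible join over target or principal file MD5. The entity, the events and the MD5 values are constructed (the entity mirrors the shape of the sample context entity above, with a Mandiant Global Intel verdict added), and the function names and the max_if helper are this example's own, not YARA-L API names. It is useful for checking what a rule would compute before deploying it; note that with the page's threshold of 80 and a sample score of 75, matched_conditions stays 0.

```python
"""Model of the YARA-L outcome and join expressions from the page.

Added example, not Google SecOps code.  max_if() models YARA-L's
max(if(cond, value, 0)) over a repeated field such as verdict_info.
"""
from typing import Callable, Iterable

# Constructed context entity mirroring the page's sample (placeholder MD5).
SAMPLE_ENTITY = {
    "metadata": {
        "product_name": "MANDIANT_FUSION_IOC",
        "vendor_name": "MANDIANT_FUSION_IOC",
        "entity_type": "FILE",
        "source_type": "GLOBAL_CONTEXT",
        "threat": [{
            "associations": [
                {"type": "THREAT_ACTOR", "name": "UNC2633"},
            ],
            "verdict_info": [
                {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
                {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
                {"source_provider": "Mandiant Global Intel", "global_hits_count": 12},
                {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
                 "pwn": True},
            ],
        }],
    },
    "entity": {"file": {"md5": "a" * 32}},
}

# Constructed UDM-like events; only the fields the join reads are present.
SAMPLE_EVENTS = [
    {"id": "ev1", "principal": {"process": {"file": {"md5": "a" * 32}}}},
    {"id": "ev2", "target": {"process": {"file": {"md5": "a" * 32}}}},
    {"id": "ev3", "principal": {"process": {"file": {"md5": "b" * 32}}}},
    {"id": "ev4"},
]


def verdicts(entity: dict) -> Iterable[dict]:
    """Every verdict_info entry across the repeated threat field."""
    for threat in entity["metadata"].get("threat", []):
        yield from threat.get("verdict_info", [])


def associations(entity: dict) -> Iterable[dict]:
    """Every threat.associations entry."""
    for threat in entity["metadata"].get("threat", []):
        yield from threat.get("associations", [])


def max_if(rows: Iterable[dict], cond: Callable[[dict], bool],
           value: Callable[[dict], int], default: int = 0) -> int:
    """Model of YARA-L max(if(cond, value, default)) over a repeated field."""
    return max((value(r) if cond(r) else default for r in rows), default=default)


def confidence_score(entity: dict, provider: str) -> int:
    """$confidence_score: confidence_score keyed by source_provider."""
    return max_if(verdicts(entity),
                  lambda v: v.get("source_provider") == provider,
                  lambda v: v.get("confidence_score", 0))


def breached(entity: dict) -> int:
    """$breached: 1 if any verdict_info entry has pwn = true."""
    return max_if(verdicts(entity), lambda v: v.get("pwn") is True, lambda v: 1)


def global_hits(entity: dict) -> int:
    """$hit_count: global_hits_count from the Mandiant Global Intel entry."""
    return max_if(verdicts(entity),
                  lambda v: v.get("source_provider") == "Mandiant Global Intel",
                  lambda v: v.get("global_hits_count", 0))


def matched_conditions(entity: dict, threshold: int = 80) -> int:
    """$matched_conditions: Automated Intel score >= threshold AND breached."""
    ok = (confidence_score(entity, "Mandiant Automated Intel") >= threshold
          and breached(entity) == 1)
    return 1 if ok else 0


def is_attributed(entity: dict) -> int:
    """$is_attributed from the complex-conditions section: 0, 1 or 2."""
    malware = max_if(associations(entity), lambda a: a.get("type") == "MALWARE", lambda a: 1)
    actor = max_if(associations(entity), lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1)
    return malware + actor


def file_md5(event: dict, noun: str):
    """Read <noun>.process.file.md5 from a UDM-like event, or None if absent."""
    return event.get(noun, {}).get("process", {}).get("file", {}).get("md5")


def join_on_md5(entity: dict, events: list) -> list:
    """Flexible join: entity MD5 equals target OR principal process file MD5."""
    ioc = entity["entity"]["file"]["md5"]
    return [e["id"] for e in events
            if ioc == file_md5(e, "target") or ioc == file_md5(e, "principal")]


if __name__ == "__main__":
    print("confidence:", confidence_score(SAMPLE_ENTITY, "Mandiant Automated Intel"))
    print("breached:", breached(SAMPLE_ENTITY))
    print("matched_conditions:", matched_conditions(SAMPLE_ENTITY))
    print("is_attributed:", is_attributed(SAMPLE_ENTITY))
    print("joined events:", join_on_md5(SAMPLE_ENTITY, SAMPLE_EVENTS))
```

Each verdict_info entry is checked independently, which is why the key and value fields in the table above must be read from the same entry: the ANALYST_VERDICT entry has a confidence_score but no source_provider, so it contributes 0 to the provider-keyed lookups.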