Applied Threat Intelligence Fusion Feed overview

The Mandiant Fusion Indicator Feed is a set of indicators of compromise (IOCs): hashes, IPs, domains, and URLs associated with known threat actors, malware variants, active campaigns, and finished intelligence reports. To maximize its value, the feed also includes IOCs from open source feeds that Mandiant Intelligence has examined and validated for high accuracy. Mandiant's curation process includes the following steps.

  • Frontline incident response: Mandiant analysts gain direct insight into attacker tools and techniques while investigating breaches.

  • Threat research: dedicated teams track threat actors, analyze malware, and discover emerging attack infrastructure.

  • Contextualization: IOCs are mapped to specific threats and campaigns, which helps you understand and prioritize events.

The Breach Analytics feed builds on Fusion and adds indicators related to emerging breaches that Mandiant is actively investigating, providing real-time analytics on the latest attack trends. YARA-L rules can use the contextual information in the Applied Threat Intelligence Fusion Feed to enhance simple indicator-matching rules. This includes associated threat groups, the indicator's presence in breached environments, and Mandiant's automated confidence score for maliciousness.

Writing YARA-L rules with the Fusion Feed

Writing a YARA-L rule that uses the Fusion Feed is similar to writing a YARA-L rule that uses any other source of context entities. For more information about writing such rules, see Create context-aware analytics.

Events section

To write the rule, filter on the selected context entity graph, in this case the Fusion Feed, and then filter on a specific indicator type, for example FILE. An example follows.

events:
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $context_graph.graph.metadata.entity_type = "FILE"

As with YARA-L rules that do not use context entities, you can add any other conditions on the events or the context entity in the events section, and you can join fields of the context entity with UDM event fields. In the following example, the placeholder variable ioc performs a transitive join between the context entity and the event. The placeholder is then used in the match section so that matching happens within a specific time window.

   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

match:
   $ioc over 1h

For more information about the context entity fields that you can use in YARA-L rules, see the Fusion Feed context entity fields section.

Outcome section

Continuing the previous example, the basic indicator-matching rule is built on the file hash held in the context entity's graph.entity.file.md5 field and the principal.process.file.md5 UDM field. Such a simple match can produce a large number of matching events, so it is recommended to refine the match using intelligence attached to the associated entity, for example the confidence score Mandiant assigned to the indicator, whether the indicator has been seen in a breached environment, or the malware family associated with it. All of this can be done in the outcome section of the rule.

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

In the outcome section of the YARA-L rule, the confidence score is extracted with an if statement wrapped in the max function; multi-event rules must use this approach. The same technique extracts the pwn variable from verdict_info, which indicates whether the indicator has been seen in a breached environment identified by Mandiant.

The two outcome variables are then combined into another variable, matched_conditions, so that chained logic can be used in the condition section.

Condition section

The condition section ensures that $e1, $context_graph, and $matched_conditions exist and/or meet the specified conditions.

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1

Complete YARA-L rule

At this point, the rule is ready to use and should look like the following:

rule fusion_feed_example_principal_process_file_md5 {
 meta:
   rule_name = "File Hash - Applied Threat Intelligence"
   description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

 events:
   // Filter graph
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.entity_type = "FILE"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

   // Do join
   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

 match:
   $ioc over 1h

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1
}

Fusion Feed context entity fields

Many fields from the Mandiant Fusion Indicator Feed can be used in your rules. They are all defined in the Unified Data Model field list. The following fields are relevant for prioritizing indicators:

Entity field                                               | Possible values
metadata.threat.associations.type                          | MALWARE, THREAT_ACTOR
metadata.threat.associations.name                          | Name of the threat association
metadata.threat.verdict_info.pwn                           | TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds | Timestamp in seconds

Some fields come as key-value pairs that must be used in combination to reach the correct value. An example follows.

Entity field 1                               | Value                    | Entity field 2                                 | Value
metadata.threat.verdict_info.source_provider | Mandiant Global Intel    | metadata.threat.verdict_info.global_hits_count     | Integer
metadata.threat.verdict_info.source_provider | Mandiant Global Intel    | metadata.threat.verdict_info.global_customer_count | Integer
metadata.threat.verdict_info.source_provider | Mandiant Analyst Intel   | metadata.threat.verdict_info.confidence_score      | Integer
metadata.threat.verdict_info.source_provider | Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score      | Integer

In the outcome section of a YARA-L rule, you can access the value designated by a specific key as follows:

$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))

Examining entity matches in Google Security Operations gives you a full view of the data and reveals additional fields that can help with prioritizing and contextualizing indicator alerts.

The following is an example of a Fusion Feed context entity, as an initial reference point.

{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
    ]
  }
}

Complex conditions

To use several fields of the context entity together, you can combine multiple outcome variables to create more complex condition logic. To combine several fields, create intermediary outcome variables, then combine those into a new outcome variable that can be used in the condition section.

An example follows.

// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))

// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))

// Value will be the sum of $is_attributed_malware and $is_attributed_actor (0, 1 or 2)
$is_attributed = if($is_attributed_malware = 1, 1, 0)
                    +
                    if($is_attributed_actor = 1, 1, 0)

// If the value of $is_attributed is 1 or greater, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"

In this case, the two intermediary outcome variables is_attributed_malware and is_attributed_actor are combined into the outcome variable is_attributed.

Because the intermediary outcome values are numeric, they can be compared numerically in the new outcome variable. In this example, is_attributed will be 1 or greater if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR.
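The outcome variables in the outcome section and in this section are computed per element of a repeated field (verdict_info, associations) and then collapsed with max(). The following Python model, added here as an illustration and not part of this article or of Google SecOps, re-implements that logic for the complete rule's outcome section (confidence_score, breached, matched_conditions), for the keyed hit_count lookup from the context entity fields section, and for the is_attributed sum from this section, and runs it against a trimmed copy of the sample Fusion Feed entity shown earlier. The helper names (max_if, outcome, attribution, condition_met) and the min_confidence parameter are this example's own.

```python
"""Python model of the YARA-L outcome logic in this article (added example).

It mirrors the max(if(...)) idiom so the outcome variables can be evaluated
for a given Fusion Feed entity before a rule is deployed. Only the
verdict_info and associations fields of the article's sample entity are kept.
"""

# Trimmed copy of the article's sample Fusion Feed entity (constructed here
# from the JSON above; fields not used by the outcome logic are dropped).
SAMPLE_ENTITY = {
    "metadata": {
        "threat": [
            {
                "associations": [
                    {"type": "THREAT_ACTOR", "name": "UNC2633"},
                    {"type": "THREAT_ACTOR", "name": "UNC2633"},
                ],
                "verdict_info": [
                    {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
                    {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
                    {"verdict_type": "PROVIDER_ML_VERDICT", "source_count": 91},
                    {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
                     "pwn": True, "pwn_first_tagged_time": {"seconds": "1683911695"}},
                ],
            }
        ]
    }
}


def max_if(rows, predicate, value, default=0):
    """Analogue of YARA-L max(if(cond, value, default)) over a repeated field.

    The if() is evaluated once per element; max() collapses those per-element
    results into one number, which is why multi-event rules need the wrapper.
    """
    return max((value(r) if predicate(r) else default for r in rows), default=default)


def verdicts(entity):
    return [v for t in entity["metadata"]["threat"] for v in t.get("verdict_info", [])]


def associations(entity):
    return [a for t in entity["metadata"]["threat"] for a in t.get("associations", [])]


def outcome(entity, min_confidence=80):
    """Mirror the outcome section of fusion_feed_example_principal_process_file_md5."""
    vs = verdicts(entity)
    confidence_score = max_if(
        vs, lambda v: v.get("source_provider") == "Mandiant Automated Intel",
        lambda v: v.get("confidence_score", 0))
    breached = max_if(vs, lambda v: v.get("pwn") is True, lambda v: 1)
    # Keyed lookup from the context entity fields section: global_hits_count is
    # only meaningful on the "Mandiant Global Intel" row; the sample has none -> 0.
    hit_count = max_if(
        vs, lambda v: v.get("source_provider") == "Mandiant Global Intel",
        lambda v: v.get("global_hits_count", 0))
    matched_conditions = 1 if confidence_score >= min_confidence and breached == 1 else 0
    return {"confidence_score": confidence_score, "breached": breached,
            "hit_count": hit_count, "matched_conditions": matched_conditions}


def attribution(entity):
    """Mirror the complex-conditions example: sum two intermediary outcomes."""
    assocs = associations(entity)
    is_attributed_malware = max_if(assocs, lambda a: a.get("type") == "MALWARE", lambda a: 1)
    is_attributed_actor = max_if(assocs, lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1)
    # Each term is 0 or 1, so the sum is 0, 1 or 2; "attributed" means >= 1.
    is_attributed = (1 if is_attributed_malware == 1 else 0) + (1 if is_attributed_actor == 1 else 0)
    return {"is_attributed_malware": is_attributed_malware,
            "is_attributed_actor": is_attributed_actor, "is_attributed": is_attributed}


def condition_met(entity, min_confidence=80):
    """The condition section: the entity exists and $matched_conditions = 1."""
    return outcome(entity, min_confidence)["matched_conditions"] == 1


if __name__ == "__main__":
    print(outcome(SAMPLE_ENTITY))       # confidence 75, breached 1 -> matched_conditions 0
    print(attribution(SAMPLE_ENTITY))   # actor 1, malware 0 -> is_attributed 1
    print(condition_met(SAMPLE_ENTITY), condition_met(SAMPLE_ENTITY, min_confidence=70))
```

Running this against the sample entity shows why a dry run is worth doing before tuning: the entity carries a Mandiant Automated Intel confidence of 75 and pwn = true, so under the rule's threshold of 80 matched_conditions is 0 and the rule would not fire on it, while a threshold of 70 does fire.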

Flexible joins in YARA-L

Flexible joins between IOCs allow multiple UDM fields to be joined with a context entity. Joining several UDM fields to a context entity reduces the number of rules required.

The following is an example of an events section that uses flexible joins across multiple UDM fields.

  events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"

    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)
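To see what the OR-ed coalesce joins buy over one rule per field, the following Python model, added here and not part of this article or of Google SecOps, evaluates the same join against constructed UDM events in which the hash sits in the target process, in the principal process, in neither, or is benign. The fallback paths target.file.md5 and principal.file.md5, the event shape, and the helper names (udm_get, coalesce, flexible_join) are this example's own assumptions; the IOC value is the md5 from the sample entity above.

```python
"""Python model of a flexible join across several UDM fields (added example).

A single rule matches a file hash whether it appears in the target or the
principal process, instead of needing one rule per field.
"""

# Constructed IOC set standing in for the Fusion Feed FILE entities
# (graph.entity.file.md5); the value is the md5 from the sample entity.
FUSION_FILE_MD5S = {"f0095b0a7480c826095d9ffc9d5d2d8f"}

# Constructed UDM events; only the fields consulted by the join are present.
SAMPLE_EVENTS = [
    # Hash only in the launched (target) process: needs the target join.
    {"id": "evt-1", "target": {"process": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}},
    # Hash only in the launching (principal) process: needs the principal join.
    {"id": "evt-2", "principal": {"process": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}},
    # Benign hash in both positions: must not match.
    {"id": "evt-3",
     "principal": {"process": {"file": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}}},
     "target": {"process": {"file": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}}}},
    # No hash anywhere: the join must tolerate the missing fields.
    {"id": "evt-4", "principal": {"hostname": "ws01"}},
]


def udm_get(event, path):
    """Read a dotted UDM path, returning None when any segment is absent."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def coalesce(*values):
    """Analogue of YARA-L strings.coalesce(): first non-empty value, else None."""
    for v in values:
        if v:
            return v
    return None


def flexible_join(events, iocs, field_groups):
    """Return (event id, hash) for events whose coalesced value in any group is a known IOC.

    field_groups mirrors the OR-ed join lines in the events section: each group
    is the argument list of one strings.coalesce() call.
    """
    hits = []
    for ev in events:
        for group in field_groups:
            value = coalesce(*(udm_get(ev, p) for p in group))
            if value in iocs:
                hits.append((ev["id"], value))
                break  # one rule, one detection per event
    return hits


# Join groups from the events section. The second path in each group is an
# assumed fallback field (not from the article) showing why coalesce is used
# instead of a plain equality on one field.
JOIN_GROUPS = [
    ("target.process.file.md5", "target.file.md5"),
    ("principal.process.file.md5", "principal.file.md5"),
]

if __name__ == "__main__":
    for hit in flexible_join(SAMPLE_EVENTS, FUSION_FILE_MD5S, JOIN_GROUPS):
        print(hit)
```

Both evt-1 and evt-2 are detected by the one join, and the benign and hash-less events are not; with a single-field join, the second of those two events would need its own rule.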
