Applied Threat Intelligence Fusion Feed overview
The Mandiant Fusion Indicator Feed is a set of indicators of compromise (IOCs), including hashes, IPs, domains and URLs, that are associated with known threat actors, malware families, active campaigns and finished intelligence reports. To maximize its value, the feed also includes IOCs from open-source feeds that Mandiant Intelligence has vetted and validated for accuracy. Mandiant's curation process consists of the following steps.
Frontline incident response: Mandiant analysts gain first-hand insight into attacker tools and techniques while investigating breaches.
Threat research: dedicated teams track threat actors, analyze malware, and identify emerging attack infrastructure.
Contextualization: mapping IOCs to specific threats and campaigns helps you understand and prioritize events.
The Breach Analytics feed builds on Fusion by adding indicators associated with emerging breaches that Mandiant is actively investigating, so you stay current with the latest attack trends. YARA-L rules can use the contextual information in the Applied Threat Intelligence Fusion Feed to enrich simple indicator-matching rules, for example with the associated threat group, whether the indicator has been seen in a breached environment, or Mandiant's automated confidence score of maliciousness.
Writing YARA-L rules with the Fusion feed
The process for writing YARA-L rules with the Fusion feed is similar to the process for writing YARA-L rules with any other context entity source. For more information on writing these YARA-L rules, see Create context-aware analytics.
Events and match sections
To write the rule, filter on the context entity graph of your choice, in this case the Fusion feed, and then on a specific indicator type, for example FILE. Example:
events:
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
$context_graph.graph.metadata.entity_type = "FILE"
As with YARA-L rules that don't use context entities, you can add any other conditions on events or context entities in the events section, and you can include fields from both the context entity and the UDM event. In the following example, the placeholder variable ioc is used to perform a transitive join between the context entity and the event. The same placeholder variable is then used in the match section to ensure that matches occur within a specified time window.
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
For more information on the context entity fields that can be used in YARA-L rules, see the Fusion Feed context entity fields section.
Outcome section
Continuing from the previous example, the basic indicator-matching rule is set up against the file hashes in the context entity's graph.entity.file.md5 field and the principal.process.file.md5 UDM field. This simple matching rule can match a large number of events, so it is recommended to tune the rule's matching on specific intelligence in the context entity, for example the confidence score Mandiant assigns to the indicator, whether the indicator has been seen in a breached environment, or the malware family associated with the indicator. All of this can be done in the rule's outcome section.
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
In the outcome section of the YARA-L rule, the confidence score is extracted with an if statement wrapped in the max function; this technique is required for multi-event rules. The same technique is used to extract the pwn variable from verdict_info, which indicates whether the indicator has been seen in a breached environment identified by Mandiant. These two outcome variables are then combined into another variable, matched_conditions, so that chained logic can be used in the condition section.
Condition section
The condition section ensures that e1, context_graph and matched_conditions exist and meet the specified conditions.
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
Complete YARA-L rule
At this point the rule is ready to use and should look like this:
rule fusion_feed_example_principal_process_file_md5 {
meta:
rule_name = "File Hash - Applied Threat Intelligence"
description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."
events:
// Filter graph
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.entity_type = "FILE"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
// Do join
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
}
Fusion Feed context entity fields
Many fields from the Mandiant Fusion Indicator Feed can be used in rules. All of them are defined in the Unified Data Model field list. The following fields are relevant to indicator prioritization:
Entity field | Possible values |
---|---|
metadata.threat.associations.type | MALWARE, THREAT_ACTOR |
metadata.threat.associations.name | Name of the threat association |
metadata.threat.verdict_info.pwn | TRUE, FALSE |
metadata.threat.verdict_info.pwn_first_tagged_time.seconds | Timestamp (seconds) |
Some fields come as key/value pairs that must be used together to access the correct value. Examples are shown below.
Entity field 1 | Value | Entity field 2 | Value |
---|---|---|---|
metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_hits_count | Integer |
metadata.threat.verdict_info.source_provider | Mandiant Global Intel | metadata.threat.verdict_info.global_customer_count | Integer |
metadata.threat.verdict_info.source_provider | Mandiant Analyst Intel | metadata.threat.verdict_info.confidence_score | Integer |
metadata.threat.verdict_info.source_provider | Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score | Integer |
In the outcome section of the YARA-L rule, you can access the value designated by a specific key with a statement such as the following:
$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))
Inspecting entity matches in Google Security Operations gives a complete view of the data and shows additional fields that can help you prioritize and contextualize indicator alerts.
The following example of a Fusion Feed context entity can serve as an initial reference point.
{
"metadata": {
"product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
"collected_timestamp": {
"seconds": "1695165683",
"nanos": 48000000
},
"vendor_name": "MANDIANT_FUSION_IOC",
"product_name": "MANDIANT_FUSION_IOC",
"product_version": "1710194393",
"entity_type": "FILE",
"creation_timestamp": {
"seconds": "1710201600"
},
"interval": {
"start_time": {
"seconds": "1"
},
"end_time": {
"seconds": "253402300799"
}
},
"threat": [
{
"category_details": [
"A phishing email message or the relevant headers from a phishing email."
],
"severity_details": "HIGH",
"confidence_details": "75",
"risk_score": 75,
"first_discovered_time": {
"seconds": "1683294326"
},
"associations": [
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"type": "THREAT_ACTOR",
"name": "UNC2633"
},
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"country_code": [
"unknown"
],
"type": "THREAT_ACTOR",
"name": "UNC2633",
"description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
"alias": [
{
"name": "TA570 (Proofpoint)"
}
],
"first_reference_time": {
"seconds": "1459085092"
},
"last_reference_time": {
"seconds": "1687392000"
},
"industries_affected": [
"Aerospace & Defense",
"Agriculture",
"Automotive",
"Chemicals & Materials",
"Civil Society & Non-Profits",
"Construction & Engineering",
"Education",
"Energy & Utilities",
"Financial Services",
"Governments",
"Healthcare",
"Hospitality",
"Insurance",
"Legal & Professional Services",
"Manufacturing",
"Media & Entertainment",
"Oil & Gas",
"Pharmaceuticals",
"Retail",
"Technology",
"Telecommunications",
"Transportation"
]
}
],
"campaigns": [
"CAMP.23.007"
],
"last_updated_time": {
"seconds": "1695165683",
"nanos": 48000000
},
"verdict_info": [
{
"source_provider": "Mandiant Automated Intel",
"confidence_score": 75
},
{
"verdict_type": "ANALYST_VERDICT",
"confidence_score": 75
},
{
"source_count": 91,
"response_count": 1,
"verdict_type": "PROVIDER_ML_VERDICT",
"malicious_count": 1,
"ioc_stats": [
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Knowledge Graph",
"quality": "HIGH_CONFIDENCE",
"malicious_count": 1,
"response_count": 1,
"source_count": 8
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Malware Analysis",
"source_count": 4
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Spam Monitoring",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"second_level_source": "Crowdsourced Threat Analysis",
"source_count": 71
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "MISP",
"second_level_source": "Trusted Software List",
"source_count": 3
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Digitalside It Hashes",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Tds Harvester",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Urlhaus",
"source_count": 1
}
]
},
{
"source_provider": "Mandiant Analyst Intel",
"confidence_score": 75,
"pwn": true,
"pwn_first_tagged_time": {
"seconds": "1683911695"
}
}
],
"last_discovered_time": {
"seconds": "1683909854"
}
}
],
"source_type": "GLOBAL_CONTEXT",
"source_labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
{
"key": "has_pwn",
"value": "2023-05-12T17:14:55.000+0000"
}
],
"event_metadata": {
"id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
"base_labels": {
"log_types": [
"MANDIANT_FUSION_IOC"
],
"allow_scoped_access": true
}
}
},
"entity": {
"file": {
"sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
"md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
"sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
},
"labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
]
}
}
Complex conditions
To use several fields from the context entity at once, you can combine multiple outcome variables to build more complex conditional logic. To combine several fields, create intermediary outcome variables, then combine them into a new outcome variable that can be used in the condition section.
Example:
// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))
// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))
// Value will be the sum of $is_attributed_malware and $is_attributed_actor
$is_attributed = if($is_attributed_malware = 1, 1, 0) + if($is_attributed_actor = 1, 1, 0)
// If the value of $is_attributed is greater than or equal to 1, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"
In this example, the two intermediary outcome variables (is_attributed_malware and is_attributed_actor) are combined into the outcome variable is_attributed.
Because the intermediary outcome values are numeric, numeric comparisons can be made in the new outcome variable: if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR, the value of is_attributed is greater than or equal to 1.
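The outcome logic on this page (the confidence score and pwn extraction in the Outcome section, the keyed source_provider lookup such as $hit_count, and the is_attributed sum in this Complex conditions section) all reduce the repeated verdict_info and associations rows of one matched entity with max(if(...)). The following Python model, an added example that is not Google SecOps or Mandiant code, reproduces that reduction over a reduced, constructed copy of the sample entity shown above (only the fields the rule reads are kept); the function names and the way rows are flattened are assumptions of the model, not the YARA-L engine's own implementation.

```python
"""Model of the max(if(...)) outcome reductions used by the Fusion Feed rule.
Added example; it models the rule's semantics, it is not the YARA-L engine."""

# Reduced, constructed copy of the page's sample Fusion Feed context entity:
# one threat with one THREAT_ACTOR association and four verdict_info rows.
SAMPLE_ENTITY = {
    "metadata": {
        "threat": [
            {
                "associations": [
                    {"type": "THREAT_ACTOR", "name": "UNC2633"},
                ],
                "verdict_info": [
                    {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
                    {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
                    {"verdict_type": "PROVIDER_ML_VERDICT", "malicious_count": 1},
                    {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
                     "pwn": True},
                ],
            }
        ]
    }
}


def verdict_rows(entity):
    """Flatten metadata.threat[].verdict_info[] into one row per entry."""
    return [v for t in entity["metadata"]["threat"] for v in t.get("verdict_info", [])]


def association_rows(entity):
    """Flatten metadata.threat[].associations[] into one row per entry."""
    return [a for t in entity["metadata"]["threat"] for a in t.get("associations", [])]


def max_if(rows, predicate, value):
    """YARA-L max(if(cond, value, 0)) over the repeated rows of one match group.
    An entity with no rows at all reduces to 0 rather than raising."""
    return max((value(r) if predicate(r) else 0 for r in rows), default=0)


def confidence_score(entity, provider="Mandiant Automated Intel"):
    """$confidence_score: score only from the row whose source_provider matches."""
    return max_if(verdict_rows(entity),
                  lambda r: r.get("source_provider") == provider,
                  lambda r: r.get("confidence_score", 0))


def breached(entity):
    """$breached: 1 if any verdict row carries pwn = true, regardless of provider."""
    return max_if(verdict_rows(entity), lambda r: r.get("pwn") is True, lambda r: 1)


def matched_conditions(entity, threshold=80):
    """$matched_conditions: 1 when the score meets the threshold AND pwn was seen."""
    return 1 if confidence_score(entity) >= threshold and breached(entity) == 1 else 0


def keyed_value(entity, provider, field):
    """Key/value access like $hit_count: read `field` only on the row keyed by
    `provider`; a missing key or provider yields 0."""
    return max_if(verdict_rows(entity),
                  lambda r: r.get("source_provider") == provider,
                  lambda r: r.get(field, 0))


def is_attributed(entity):
    """$is_attributed: 1 per association type present, so 0, 1 or 2."""
    rows = association_rows(entity)
    malware = max_if(rows, lambda a: a.get("type") == "MALWARE", lambda a: 1)
    actor = max_if(rows, lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1)
    return malware + actor


if __name__ == "__main__":
    print("confidence_score:", confidence_score(SAMPLE_ENTITY))   # 75
    print("breached:", breached(SAMPLE_ENTITY))                   # 1
    print("matched_conditions:", matched_conditions(SAMPLE_ENTITY))  # 0
    print("is_attributed:", is_attributed(SAMPLE_ENTITY))         # 1
```

Run against the sample entity, the confidence score (75) comes from the "Mandiant Automated Intel" row while the pwn flag comes from a different row ("Mandiant Analyst Intel"); the max wrapper makes each outcome variable independent of which row carries the value, which is why the two can be combined afterwards. The sample entity would not fire the complete rule above because 75 is below its threshold of 80, so when tuning the threshold it is worth checking the scores of known-good entities in Google Security Operations first.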
Flexible joins in YARA-L
Flexible joins between IOCs let multiple UDM fields be joined to a context entity. This reduces the number of rules needed when several UDM fields must be joined to the same context entity.
The following is an example events section that uses a flexible join over multiple UDM fields.
events:
// Filter graph
$mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.entity_type = "FILE"
$mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"
$mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
$mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)
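The events section above joins one FILE entity against either principal.process.file.md5 or target.process.file.md5 of a UDM event, with strings.coalesce over each side and OR between the two sides. The following Python model, an added example that is not Google SecOps or Mandiant code, shows which events such a join selects and why an event with no hash at all must never join; the event records are constructed for the example, the hash value is the md5 from the page's sample entity, and the field-walking and coalesce helpers are assumptions of the model rather than YARA-L functions.

```python
"""Model of the flexible join: an IOC md5 set joined against either the
principal or the target process file hash of UDM-shaped events.
Added example; constructed events, not real telemetry."""

# md5 from the page's sample Fusion Feed entity; the other hash is constructed.
IOC_MD5S = {"f0095b0a7480c826095d9ffc9d5d2d8f"}

EVENTS = [
    {"id": "e1", "principal": {"process": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}},
    {"id": "e2", "target": {"process": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}},
    {"id": "e3", "principal": {"process": {"file": {"md5": "00000000000000000000000000000000"}}}},
    {"id": "e4", "principal": {"process": {"file": {}}}},          # no hash set at all
    {"id": "e5", "principal": {"process": {"file": {"md5": "00000000000000000000000000000000"}}},
                 "target": {"process": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}},
]

# The two UDM fields joined by the events section above.
JOIN_FIELDS = ("principal.process.file.md5", "target.process.file.md5")


def field(event, path):
    """Walk a dotted UDM path; an unset field reads as "" like an empty UDM string."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict):
            return ""
        node = node.get(part, "")
    return node if isinstance(node, str) else ""


def coalesce(*values):
    """strings.coalesce semantics: the first non-empty value, else ""."""
    for v in values:
        if v:
            return v
    return ""


def matched_sides(event, iocs):
    """Return the join fields on which this event equals an IOC hash.
    An empty key never joins, even if an empty string sits in the IOC set."""
    sides = []
    for path in JOIN_FIELDS:
        key = coalesce(field(event, path))
        if key and key in iocs:
            sides.append(path)
    return sides


def matching_events(events, iocs):
    """Ids of events the OR-join selects: any side matching is enough."""
    return [e["id"] for e in events if matched_sides(e, iocs)]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], matched_sides(e, IOC_MD5S))
    print(matching_events(EVENTS, IOC_MD5S))   # ['e1', 'e2', 'e5']
```

One rule with the OR-join covers e1 (principal side), e2 (target side) and e5 (target side even though the principal hash differs); without the flexible join, each side would need its own rule. The empty-key guard matters because an event with no hash (e4) would otherwise join against any context entity whose md5 is empty.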