Applied Threat Intelligence Fusion Feed overview


The Mandiant Fusion Indicator Feed is a collection of indicators of compromise (IOCs), including hashes, IPs, domains, and URLs associated with known threat actors, malware families, active campaigns, and finished intelligence reports. To ensure maximum value, the feed also includes IOCs from Mandiant Intelligence that have been carefully checked and validated against open source feeds, which ensures a high degree of accuracy. Mandiant's curation process includes the following steps.

  • Frontline incident response: Mandiant analysts gain first-hand visibility into attacker tools and techniques through frontline incident response.

  • Threat research: dedicated teams track threat actors, analyze malware, and discover emerging attack infrastructure.

  • Contextualization: IOCs are mapped to specific threats and campaigns, which helps with understanding and prioritizing incidents.

The Breach Analytics Feed builds on Fusion by adding indicators related to new and novel breaches that Mandiant is actively investigating. It provides real-time visibility into the latest attack trends. YARA-L rules can use the contextual information in the Applied Threat Intelligence Fusion Feed to enrich simple indicator-matching rules. This context includes the threat group, whether the indicator was seen in a breached environment, or Mandiant's automatically computed confidence that the indicator is malicious.

Writing YARA-L rules with the Fusion Feed

The process of writing a YARA-L rule with the Fusion Feed is the same as writing a YARA-L rule that uses any other context entity source. For details on writing this type of YARA-L rule, see Create context-aware analytics.

Events and match sections

To write the rule, filter the selected context entity graph, in this case the Fusion Feed. Then filter by a specific indicator type, for example FILE. An example is shown below.

events:
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $context_graph.graph.metadata.entity_type = "FILE"

As with YARA-L rules that don't use context entities, you can add conditions on the events or on the context entities in the events section. You can join a field from the context entity with a UDM event field. In the following example, the placeholder variable ioc is used to create the join between the context entity and the event. This placeholder variable is then used in the match section to ensure that matching happens within a specific time window.

   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

match:
   $ioc over 1h

For details on the context entity fields you can use, see the Fusion Feed context entity fields section.

Outcome section

Continuing the previous example, a basic indicator-matching rule has been set up on the file hash at graph.entity.file.md5 in the context entity and the principal.process.file.md5 UDM field. This simple matching rule can match a large number of events. Therefore, refine it to context entities with specific characteristics, depending on the intelligence you need. For example, this could include the confidence score assigned to the indicator, whether it was seen in a breached environment, or the malware family associated with the indicator. All of this is done in the outcome section of the rule.

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

In the outcome section of the YARA-L rule, the confidence score is extracted using an if statement wrapped in a max function. This approach is required for multi-event rules. The same technique is used to extract the pwn variable from verdict_info, which indicates whether Mandiant observed the indicator in a breached environment.

These two outcome variables are then combined into another outcome variable, matched_conditions, which allows chained logic to be used in the condition section.

Condition section

The condition section ensures that e1, context_graph, and matched_conditions exist and/or meet the specified conditions.

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1

Complete the YARA-L rule

At this point the rule is ready to use and should look like the following:

rule fusion_feed_example_principal_process_file_md5 {
 meta:
   rule_name = "File Hash - Applied Threat Intelligence"
   description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

 events:
   // Filter graph
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.entity_type = "FILE"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

   // Do join
   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

 match:
   $ioc over 1h

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1
}

Fusion Feed context entity fields

You can use many of the fields in the Mandiant Fusion Indicator Feed in your rules. These fields are defined in the Unified Data Model field list. The following fields are relevant to prioritizing indicators:

Entity field                                                  Possible values
metadata.threat.associations.type                             MALWARE, THREAT_ACTOR
metadata.threat.associations.name                             Name of the threat association
metadata.threat.verdict_info.pwn                              TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds    Timestamp (seconds)

Some fields come as key-value pairs that must be combined to access the correct value: the key field selects the provider, and the value field in the same verdict_info entry holds the number. The following is an example.

Entity field 1                                  Value                       Entity field 2                                          Value
metadata.threat.verdict_info.source_provider    Mandiant Global Intel       metadata.threat.verdict_info.global_hits_count          Integer
metadata.threat.verdict_info.source_provider    Mandiant Global Intel       metadata.threat.verdict_info.global_customer_count      Integer
metadata.threat.verdict_info.source_provider    Mandiant Analyst Intel      metadata.threat.verdict_info.confidence_score           Integer
metadata.threat.verdict_info.source_provider    Mandiant Automated Intel    metadata.threat.verdict_info.confidence_score           Integer

In the outcome section of a YARA-L rule, you can access the value for a particular key by specifying that key:

$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))

By examining the entity matches in Google Security Operations, you get a complete view of the indicator, which reveals additional fields that can help you assess the priority and context of an indicator alert.

The following example uses a Fusion Feed context entity as the initial reference point.

{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
    ]
  }
}

Complex conditions

To use multiple fields from a context entity at once, you can combine multiple outcome variables to create more complex conditional logic. To combine multiple fields, create intermediate outcome variables. These variables are then combined into a new outcome variable, which is used in the condition section.

An example is shown below.

// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))

// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))

// Value will be the sum of $is_attributed_malware and $is_attributed_actor (0, 1 or 2)
$is_attributed = if($is_attributed_malware = 1, 1, 0) + if($is_attributed_actor = 1, 1, 0)

// If the value of $is_attributed is greater than or equal to 1, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"

In this example, two intermediate outcome variables, is_attributed_malware and is_attributed_actor, are combined into a single outcome variable, is_attributed.

In this example, the intermediate outcome values return numbers, which allows numeric comparison in the new outcome variable. Here, is_attributed will be 1 or greater if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR.
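The following Python script is an added illustration, not Google SecOps or Mandiant code. It emulates, over a trimmed copy of the Fusion Feed entity shown on this page, what the outcome sections above compute: the max(if(...)) extraction of a provider-scoped confidence score (assuming the key and value are read from the same verdict_info element, as the key-value table describes), the pwn flag, the matched_conditions combination, and the is_attributed sum from the complex-conditions example. The entity and the min_confidence parameter are constructed for this example.

```python
import json

# Constructed sample, trimmed from the Fusion Feed entity shown earlier on this
# page; only the metadata.threat fields the example rules read are kept.
SAMPLE_ENTITY = json.loads("""{
  "metadata": {
    "vendor_name": "MANDIANT_FUSION_IOC", "product_name": "MANDIANT_FUSION_IOC",
    "entity_type": "FILE", "source_type": "GLOBAL_CONTEXT",
    "threat": [{
      "associations": [{"type": "THREAT_ACTOR", "name": "UNC2633"}],
      "verdict_info": [
        {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
        {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
        {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
         "pwn": true, "pwn_first_tagged_time": {"seconds": "1683911695"}}
      ]}]},
  "entity": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}}}""")


def max_if(elements, cond, value):
    # Emulates max(if(cond, value, 0)) over a repeated field: condition and value
    # are taken from the same element, so a provider name only selects the score
    # stored in its own verdict_info entry (assumption stated in the lead-in).
    return max((value(e) if cond(e) else 0 for e in elements), default=0)


def outcome(entity, min_confidence=80):
    # Outcome variables of the example rule plus $is_attributed from the
    # "Complex conditions" section; min_confidence mirrors the >= 80 threshold.
    threats = entity["metadata"].get("threat", [])
    verdicts = [v for t in threats for v in t.get("verdict_info", [])]
    assocs = [a for t in threats for a in t.get("associations", [])]
    out = {}
    out["confidence_score"] = max_if(
        verdicts, lambda v: v.get("source_provider") == "Mandiant Automated Intel",
        lambda v: v.get("confidence_score", 0))
    out["breached"] = max_if(verdicts, lambda v: v.get("pwn") is True, lambda v: 1)
    out["hit_count"] = max_if(
        verdicts, lambda v: v.get("source_provider") == "Mandiant Global Intel",
        lambda v: v.get("global_hits_count", 0))
    out["matched_conditions"] = int(
        out["confidence_score"] >= min_confidence and out["breached"] == 1)
    out["is_attributed"] = (
        max_if(assocs, lambda a: a.get("type") == "MALWARE", lambda a: 1)
        + max_if(assocs, lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1))
    return out


def condition_met(entity, **kw):
    # The condition section: the rule fires only when $matched_conditions = 1.
    return outcome(entity, **kw)["matched_conditions"] == 1
```

For the sample entity the Automated Intel score is 75 and pwn is true, so the page's rule (threshold 80) does not fire even though the indicator was seen in a breached environment; lowering min_confidence to 70 makes it fire.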

Flexible joins in YARA-L

Flexible joins between IOCs allow multiple UDM fields to be joined with a context entity. This reduces the number of rules needed when several UDM fields must be joined with the same context entity.

The following is an example of the events section in which the join is made against multiple UDM fields.

  events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Join the entity hash against several UDM fields at once; coalesce returns the
    // first non-empty value. The second field of each pair is assumed here because the
    // original listed the same field twice.
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.file.md5)