Applied Threat Intelligence Fusion Feed overview

The Mandiant Fusion indicator feed is a series of indicators of compromise (IOCs) that includes hashes, IPs, domains, and URLs associated with known threat actors, malware strains, active campaigns, and finished intelligence reports. To ensure maximum value, the feed also includes IOCs that Mandiant Intelligence has vetted and validated from open-source feeds to ensure accuracy. Mandiant's curation process includes the following steps.

  • Frontline incident response: Mandiant analysts gain first-hand knowledge of attacker tools and techniques while investigating breaches.

  • Threat research: dedicated teams track threat actors, analyze malware, and identify emerging attack infrastructure.

  • Contextualization: mapping IOCs to specific threats and campaigns helps you understand and prioritize incidents.

The Breach Analytics feed builds on Fusion by adding indicators related to new and historical breaches that Mandiant is actively investigating. It provides real-time insight into the latest attack trends. YARA-L rules can use the context information in the Applied Threat Intelligence Fusion Feed to enhance simple indicator-matching rules, for example with the associated threat group, whether the indicator was seen in a breached environment, or Mandiant's automated confidence score for maliciousness.

Writing YARA-L rules with the Fusion feed

The process for writing YARA-L rules with the Fusion feed is similar to writing YARA-L rules with other context entity sources. For more information about writing these YARA-L rules, see "Create context-aware analytics".

Events and match sections

To write a rule, first filter on the selected context entity graph, which in this case is the Fusion feed. Then filter on a specific indicator type, for example FILE. The following is an example.

events:
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $context_graph.graph.metadata.entity_type = "FILE"

As with YARA-L rules that do not use context entities, you can add any other event or context entity conditions in the events section. You can join fields from context entities and UDM event fields. In the following example, the placeholder variable $ioc is used to create a transitive join between the context entity and the event. This placeholder variable is then used in the match section to ensure the conditions are met within a specified time window.

   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

match:
   $ioc over 1h

For more information about the context entity fields you can use in YARA-L rules, see the "Fusion feed context entity fields" section.

Outcome section

Continuing with the preceding example, we have a basic indicator-matching rule on the graph.entity.file.md5 field of the context entity and the principal.process.file.md5 UDM field. This simple matching rule can match a large number of events, so we recommend refining the rule to match only context entities that carry information of particular interest. For example, this might include the confidence score Mandiant assigns to the indicator, whether the indicator was seen in a breached environment, or the malware family associated with the indicator. You can do this in the outcome section of the rule.

outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

In the outcome section of the YARA-L rule, the confidence score is extracted using an if statement wrapped in the max function. This technique is required in multi-event rules. The same technique is used to extract the pwn variable from verdict_info, which indicates whether Mandiant has observed the indicator in a breached environment.

These two outcome variables are then combined in another variable, matched_conditions, which lets you use chained logic in the condition section.

Condition section

The condition section ensures that $e1, $context_graph and $matched_conditions exist or meet the specified conditions.

condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1

Complete YARA-L rule

At this point, the rule is ready to use and should look like the following:

rule fusion_feed_example_principal_process_file_md5 {
 meta:
   rule_name = "File Hash - Applied Threat Intelligence"
   description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

 events:
   // Filter graph
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.entity_type = "FILE"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

   // Do join
   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

 match:
   $ioc over 1h

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1
}

Fusion feed context entity fields

Many fields from the Mandiant Fusion indicator feed can be used in rules. These fields are all defined in the Unified Data Model field list. The following fields are relevant to prioritizing indicators:

Entity field                                                | Possible values
metadata.threat.associations.type                           | MALWARE, THREAT_ACTOR
metadata.threat.associations.name                           | Name of the threat association
metadata.threat.verdict_info.pwn                            | TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds  | Timestamp (seconds)

Some fields contain key/value pairs that must be used together to access the correct value. The following are examples.

Entity field 1                                | Value                     | Entity field 2                                     | Value
metadata.threat.verdict_info.source_provider  | Mandiant Global Intel     | metadata.threat.verdict_info.global_hits_count     | Integer
metadata.threat.verdict_info.source_provider  | Mandiant Global Intel     | metadata.threat.verdict_info.global_customer_count | Integer
metadata.threat.verdict_info.source_provider  | Mandiant Analyst Intel    | metadata.threat.verdict_info.confidence_score      | Integer
metadata.threat.verdict_info.source_provider  | Mandiant Automated Intel  | metadata.threat.verdict_info.confidence_score      | Integer

In the outcome section of a YARA-L rule, you can access the value selected by a specific key with the following statement:

$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))

Examining entity matches in Google Security Operations gives you full visibility into the data and shows additional fields that help you assess the priority and context of an indicator alert.

The following is an example that uses a Fusion feed context entity as the initial reference point.

{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
    ]
  }
}

Complex conditions

To use multiple fields from a context entity at once, you can combine several outcome variables to build more complex conditional logic. To combine multiple fields, you create intermediary outcome variables, which are then combined into a new outcome variable that can be used in the condition section.

The following is an example.

// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))

// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1, 0))

// Value will be the sum of $is_attributed_malware and $is_attributed_actor
$is_attributed = if($is_attributed_malware = 1, 1, 0)
                    +
                    if($is_attributed_actor = 1, 1, 0)

// If the value of $is_attributed is 1 or greater, the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"

In this example, the two intermediary outcome variables $is_attributed_malware and $is_attributed_actor are combined in the outcome variable $is_attributed.

In this example, the intermediary outcome values are numeric, which lets you perform numeric comparisons in the new outcome variable. The value of $is_attributed is 1 or greater if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR.
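To check what the outcome section and the complex-conditions example actually produce, here is an added Python model (not code from the page or from Google SecOps) of how max(if(...)) evaluates over the repeated verdict_info and associations fields of one Fusion context entity. The input is the page's sample entity trimmed to the fields the rule reads, with one constructed "Mandiant Global Intel" verdict added to exercise the keyed hit-count access; the helper names max_if and evaluate_outcome are assumptions.

```python
# Added example, not code from the page or from Google SecOps: a Python model of
# how the outcome section's max(if(...)) expressions evaluate over one Fusion
# feed context entity, so the effect of each filter can be checked offline.
# Constructed input: the page's sample entity trimmed to the fields the rule
# reads, plus one "Mandiant Global Intel" verdict added here to show keyed access.
SAMPLE_ENTITY = {
    "metadata": {"threat": [{
        "associations": [
            {"type": "THREAT_ACTOR", "name": "UNC2633"},
            {"type": "THREAT_ACTOR", "name": "UNC2633"},
        ],
        "verdict_info": [
            {"source_provider": "Mandiant Automated Intel", "confidence_score": 75},
            {"verdict_type": "ANALYST_VERDICT", "confidence_score": 75},
            {"verdict_type": "PROVIDER_ML_VERDICT", "source_count": 91},
            {"source_provider": "Mandiant Analyst Intel", "confidence_score": 75,
             "pwn": True},
            {"source_provider": "Mandiant Global Intel", "global_hits_count": 12},
        ],
    }]},
    "entity": {"file": {"md5": "f0095b0a7480c826095d9ffc9d5d2d8f"}},
}


def max_if(rows, cond, value, default=0):
    """Model of YARA-L max(if(cond, value, default)) over a repeated field."""
    return max((value(r) if cond(r) else default for r in rows), default=default)


def evaluate_outcome(entity, min_confidence=80):
    """Return the rule's outcome variables for one context entity."""
    threats = entity["metadata"]["threat"]
    verdicts = [v for t in threats for v in t.get("verdict_info", [])]
    assocs = [a for t in threats for a in t.get("associations", [])]
    # Key/value pairing: only the verdict from the named provider counts, so the
    # ANALYST_VERDICT row carrying the same score is ignored.
    confidence_score = max_if(
        verdicts, lambda v: v.get("source_provider") == "Mandiant Automated Intel",
        lambda v: v.get("confidence_score", 0))
    hit_count = max_if(
        verdicts, lambda v: v.get("source_provider") == "Mandiant Global Intel",
        lambda v: v.get("global_hits_count", 0))
    breached = max_if(verdicts, lambda v: v.get("pwn") is True, lambda v: 1)
    matched_conditions = int(confidence_score >= min_confidence and breached == 1)
    # Complex conditions: sum of two 0/1 intermediary values.
    is_attributed = (max_if(assocs, lambda a: a.get("type") == "MALWARE", lambda a: 1)
                     + max_if(assocs, lambda a: a.get("type") == "THREAT_ACTOR", lambda a: 1))
    return {"confidence_score": confidence_score, "hit_count": hit_count, "breached": breached,
            "matched_conditions": matched_conditions, "is_attributed": is_attributed}
```

On the page's own sample entity the Automated Intel confidence is 75, so with the rule's threshold of 80 matched_conditions is 0 even though pwn is true; lowering min_confidence to 75 is what makes it fire.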

Flexible joins in YARA-L

Flexible joins between IOCs let multiple UDM fields be joined with a context entity. This reduces the number of rules needed when several UDM fields are joined against the same context entity.

The following is an example of an events section that uses a flexible join across multiple UDM fields.

  events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Join the entity hash against the process file hash, falling back to the
    // Noun-level file hash (target.file.md5 / principal.file.md5) when the
    // process field is empty; the fallback field is an assumed choice
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.file.md5)
