Skip to content

Latest commit

 

History

History
249 lines (201 loc) · 12.5 KB

0021-threat-enrichment.md

File metadata and controls

249 lines (201 loc) · 12.5 KB
Raw

0021: Threat Enrichment

  • Stage: 3 (finished)
  • Date: 2021-10-20

As documented in the existing threat intel RFC, this proposal aims to solve the threat intel enrichment use case by reusing the threat.indicator fieldset under a new name and as an array of objects, where each object represents an indicator that matched the (now enriched) event, and the matched.* fields on each object provide context for that particular indicator match.

Moving this list of indicators to a new field allows us to:

  • reuse the existing threat.indicator fieldset
  • sidestep the documentation/mapping complexities around when threat.indicator is an object (indicator) vs. when it's an array of objects (enrichment)

Fields

As these fields represent the enrichment of an existing event with indicator information, they are comprised of two categories of data:

  1. The indicator's indicator fields, as defined in RFC 0018
  2. Fields representing the context of the enrichment itself

Proposed new fields

Field Type Example Description
threat.enrichments.matched.atomic keyword 2f5207f2add28b46267dc99bc5382480 The value that matched between the event and the indicator
threat.enrichments.matched.id keyword db8fb691ffdb4432a09ef171659c8993e6ddea1ea9b21381b93269d1bf2d0bc2 The _id of the indicator document that matched the event
threat.enrichments.matched.index keyword threat-index-000001 The _index of the indicator document that matched the event
threat.enrichments.matched.field keyword host.name Identifies the field on the enriched event that matched the indicator
threat.enrichments.matched.occurred date 2021-10-05T17:00:58.326Z Indicates when the match was generated
threat.enrichments.matched.type keyword indicator_match_rule Identifies the type of the atomic indicator that matched a local environment endpoint or network event.

Usage

Adding threat intelligence match/enrichment to another document

If it is determined that an event matches a given indicator, that event can be enriched with said indicator. Presently, Indicator Match Detection rules will perform that enrichment automatically, but ad hoc/manual enrichment is an expected feature that analysts will leverage in the future.

Example document

{
  "process": {
    "name": "svchost.exe",
    "pid": 1644,
    "entity_id": "MDgyOWFiYTYtMzRkYi1kZTM2LTFkNDItMzBlYWM3NDVlOTgwLTE2NDQtMTMyNDk3MTA2OTcuNDc1OTExNTAw",
    "executable": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "Endpoint file event",
  "@timestamp": "2020-11-17T19:07:46.0956672Z",
  "file": {
    "path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-AE7DB802.pf",
    "extension": "pf",
    "name": "SVCHOST.EXE-AE7DB802.pf",
    "hash": {
      "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
    }
  },
  "threat": {
    "enrichments": [
      {
        // Each enrichment is added as a nested object under `threat.enrichments.*`
        // Copy all the object indicators under `indicator.*`, providing full context
        "indicator": {
          "confidence": "High",
          "marking": {
            "tlp": "WHITE"
          },
          "first_seen": "2020-10-01",
          "file": {
            "hash": {
              "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
              "md5": "1eee2bf3f56d8abed72da2bc523e7431"
            },
            "size": 656896,
            "name": "invoice.doc"
          },
          "last_seen": "2020-11-01",
          "reference": "https://system.example.com/event/#0001234",
          "sightings": 4,
          "type": ["sha256", "md5", "file_name", "file_size"],
          "description": "file last associated with delivering Angler EK"
        },
        /* `matched` will provide context about which of the indicators above matched on this
              particular enrichment. If multiple matches for this indicator object, this could
              be a list */
        "matched": {
          "atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
          "field": "file.hash.sha256",
          "id": "abc123f03",
          "index": "threat-indicators-index-000001",
          "occurred": "2021-10-05T17:00:58.326Z",
          "type": "indicator_match_rule"
        }
      }
    ]
  },
  // Tag the enriched document to indicate the threat enrichment matched
  "tags": ["threat-match"],
  // This should already exist from the original ingest pipeline of the document
  "related": {
    "hash": ["0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"]
  }
}

Proposed enrichment pipeline mechanics pseudocode

  1. Original document completes its standard pipeline for the given source (i.e. filebeat module pipeline)
  2. Original document is sent to "threat lookup" pipeline
  3. For each indicator type, we perform the following (a file sha256 for example):
    • if exists "file.hash.sha256":
      • enrich processor: "policy_name": "file-sha256-policy", "field" : "file.hash.sha256", "target_field": "threat_match", "max_matches": "1"
      • policy file-sha256-policy: "match": { "indices": "threat-*", "match_field": "threat.indicator.file.hash.sha256", "enrich_fields": ["threat.indicator"] }
    • script: lang: "painless" inline: "ctx.threat_match.threat.matched.occurred = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").setTimeZone(TimeZone.getTimeZone("UTC")).format(new Date());"
    • set: field: "threat_match.threat.matched.type" value: "file-sha256-policy"
    • set: field: "threat_match.threat.matched.field" value: "file.hash.sha256"
    • set: field: "threat_match.threat.matched.atomic" value: "{{ file.hash.sha256 }}"
    • set: field: "threat.enrichments" value: [] override: false
    • append: field: "threat.enrichments" value: "{{ threat_match.threat }}"
    • remove: field: "threat_match"

NOTE: There may be some optimization on which enrichments we attempt based upon the event categorization fields. For instance, we know that data that presents the netflow model or "interface" doesn't contain a sha256 hash. Since those categorization fields are lists, if data presented as both netflow and file (for whatever reason), then we'd check both network-related lookups and file-related lookups

Source data

Source data are ECS indicator documents as specified RFC 0008. At present, the best source of these documents is the filebeat threatintel module.

Scope of impact

Concerns

I believe this format should actually simplify much of the enrichment logic originally proposed in RFC 0008, since a naive implementation would simply copy the fields directly from each indicator document into threat.enrichments, and add the appropriate matched fields.

While not a concern for ECS consumers at large, our existing experimental implementation within Kibana Security Solution will have to change significantly (for the better!), with accompanying data migration: elastic/kibana#100510

People

The following are the people that consulted on the contents of this RFC.

  • @rylnd | author
  • @devonakerr | sponsor

References

RFC Pull Requests