Виды, источники, практическое применение, инструменты
Threat Intelligence: виды, источники, практическое применение и инструменты киберразведки. Сбор разведданных, анализ угроз, proactive защита.
Threat Intelligence - Киберразведка
Что такое Threat Intelligence?
Threat Intelligence (TI) — это процесс сбора, анализа и использования информации о киберугрозах для принятия обоснованных решений по обеспечению безопасности. Это проактивный подход к кибербезопасности, основанный на понимании угроз и их источников.
Ключевые принципы
- Proactive Defense — проактивная защита
- Context-Aware — осведомленность о контексте
- Actionable Intelligence — применимая разведка
- Continuous Learning — непрерывное обучение
Виды Threat Intelligence
1. Strategic Threat Intelligence
Стратегическая разведка угроз
Характеристики:
- Высокоуровневый анализ угроз
- Долгосрочное планирование
- Бизнес-ориентированный подход
- Аудитория: руководство, CISO
Примеры:
- Тренды в киберпреступности
- Геополитические угрозы
- Регулятивные изменения
- Технологические тренды
Примеры реализации:
// Система стратегической разведки угроз
class StrategicThreatIntelligence {
constructor() {
this.threatLandscape = new Map();
this.trends = [];
this.regulatoryChanges = [];
this.geopoliticalThreats = [];
}
// Анализ ландшафта угроз
analyzeThreatLandscape(timeframe = "quarterly") {
const analysis = {
timeframe: timeframe,
threatActors: this.analyzeThreatActors(),
attackVectors: this.analyzeAttackVectors(),
industryTrends: this.analyzeIndustryTrends(),
regulatoryImpact: this.analyzeRegulatoryImpact(),
recommendations: this.generateStrategicRecommendations(),
};
return analysis;
}
// Анализ групп угроз
analyzeThreatActors() {
const threatActors = {
nationState: {
count: 0,
capabilities: [],
targets: [],
motivations: [],
},
cybercriminals: {
count: 0,
capabilities: [],
targets: [],
motivations: [],
},
hacktivists: {
count: 0,
capabilities: [],
targets: [],
motivations: [],
},
insiders: {
count: 0,
capabilities: [],
targets: [],
motivations: [],
},
};
// Анализ данных о группах угроз
for (const [actorId, actor] of this.threatLandscape) {
switch (actor.type) {
case "NATION_STATE":
threatActors.nationState.count++;
threatActors.nationState.capabilities.push(...actor.capabilities);
threatActors.nationState.targets.push(...actor.targets);
threatActors.nationState.motivations.push(...actor.motivations);
break;
case "CYBERCRIMINAL":
threatActors.cybercriminals.count++;
threatActors.cybercriminals.capabilities.push(...actor.capabilities);
threatActors.cybercriminals.targets.push(...actor.targets);
threatActors.cybercriminals.motivations.push(...actor.motivations);
break;
case "HACKTIVIST":
threatActors.hacktivists.count++;
threatActors.hacktivists.capabilities.push(...actor.capabilities);
threatActors.hacktivists.targets.push(...actor.targets);
threatActors.hacktivists.motivations.push(...actor.motivations);
break;
case "INSIDER":
threatActors.insiders.count++;
threatActors.insiders.capabilities.push(...actor.capabilities);
threatActors.insiders.targets.push(...actor.targets);
threatActors.insiders.motivations.push(...actor.motivations);
break;
}
}
return threatActors;
}
// Анализ векторов атак
analyzeAttackVectors() {
const vectors = {
phishing: {
frequency: 0,
sophistication: "LOW",
successRate: 0,
targets: [],
},
malware: {
frequency: 0,
sophistication: "MEDIUM",
successRate: 0,
targets: [],
},
ransomware: {
frequency: 0,
sophistication: "HIGH",
successRate: 0,
targets: [],
},
supplyChain: {
frequency: 0,
sophistication: "HIGH",
successRate: 0,
targets: [],
},
zeroDay: {
frequency: 0,
sophistication: "CRITICAL",
successRate: 0,
targets: [],
},
};
// Анализ данных о векторах атак
for (const trend of this.trends) {
if (trend.type === "ATTACK_VECTOR") {
const vector = trend.data;
if (vectors[vector.name]) {
vectors[vector.name].frequency += vector.frequency;
vectors[vector.name].sophistication = vector.sophistication;
vectors[vector.name].successRate = vector.successRate;
vectors[vector.name].targets.push(...vector.targets);
}
}
}
return vectors;
}
// Анализ отраслевых трендов
analyzeIndustryTrends() {
const trends = {
healthcare: {
threatLevel: "HIGH",
commonAttacks: ["ransomware", "data_breach"],
regulatoryImpact: "HIGH",
recommendations: [],
},
finance: {
threatLevel: "CRITICAL",
commonAttacks: ["fraud", "data_breach", "supply_chain"],
regulatoryImpact: "CRITICAL",
recommendations: [],
},
government: {
threatLevel: "CRITICAL",
commonAttacks: ["espionage", "supply_chain", "zero_day"],
regulatoryImpact: "HIGH",
recommendations: [],
},
technology: {
threatLevel: "HIGH",
commonAttacks: ["supply_chain", "zero_day", "data_breach"],
regulatoryImpact: "MEDIUM",
recommendations: [],
},
};
return trends;
}
// Анализ регулятивного воздействия
analyzeRegulatoryImpact() {
const impact = {
gdpr: {
level: "HIGH",
requirements: [
"data_protection",
"breach_notification",
"privacy_by_design",
],
penalties: "up_to_4%_of_revenue",
},
ccpa: {
level: "MEDIUM",
requirements: ["privacy_rights", "data_transparency", "opt_out"],
penalties: "up_to_7500_per_violation",
},
sox: {
level: "HIGH",
requirements: ["internal_controls", "audit_trails", "risk_management"],
penalties: "criminal_and_civil",
},
pci_dss: {
level: "HIGH",
requirements: ["data_encryption", "access_control", "monitoring"],
penalties: "up_to_100000_per_violation",
},
};
return impact;
}
// Генерация стратегических рекомендаций
generateStrategicRecommendations() {
const recommendations = [];
// Рекомендации по инвестициям
recommendations.push({
category: "INVESTMENT",
priority: "HIGH",
title: "Invest in Zero Trust Architecture",
description:
"Implement zero trust security model to protect against advanced threats",
timeline: "12-18 months",
budget: "High",
roi: "Medium to High",
});
// Рекомендации по обучению
recommendations.push({
category: "TRAINING",
priority: "HIGH",
title: "Enhance Security Awareness Training",
description:
"Implement advanced security awareness training for all employees",
timeline: "3-6 months",
budget: "Medium",
roi: "High",
});
// Рекомендации по технологиям
recommendations.push({
category: "TECHNOLOGY",
priority: "MEDIUM",
title: "Implement Threat Intelligence Platform",
description:
"Deploy comprehensive threat intelligence platform for proactive defense",
timeline: "6-12 months",
budget: "High",
roi: "Medium",
});
return recommendations;
}
}2. Tactical Threat Intelligence
Тактическая разведка угроз
Характеристики:
- Операционный уровень анализа
- Краткосрочное планирование
- Технически-ориентированный подход
- Аудитория: SOC, аналитики безопасности
Примеры:
- TTPs (Tactics, Techniques, Procedures)
- IOCs (Indicators of Compromise)
- Уязвимости и эксплойты
- Инструменты и методы атак
Примеры реализации:
// Система тактической разведки угроз
class TacticalThreatIntelligence {
constructor() {
this.iocs = new Map();
this.ttps = new Map();
this.vulnerabilities = new Map();
this.malware = new Map();
}
// Анализ IOCs
analyzeIOCs() {
const iocAnalysis = {
domains: this.analyzeDomainIOCs(),
ips: this.analyzeIPIOCs(),
hashes: this.analyzeHashIOCs(),
emails: this.analyzeEmailIOCs(),
urls: this.analyzeURLIOCs(),
};
return iocAnalysis;
}
// Анализ доменных IOCs
analyzeDomainIOCs() {
const domains = {
malicious: [],
suspicious: [],
benign: [],
unknown: [],
};
for (const [iocId, ioc] of this.iocs) {
if (ioc.type === "DOMAIN") {
const analysis = this.analyzeDomain(ioc.value);
switch (analysis.risk) {
case "HIGH":
domains.malicious.push({
domain: ioc.value,
confidence: analysis.confidence,
firstSeen: ioc.firstSeen,
lastSeen: ioc.lastSeen,
sources: ioc.sources,
});
break;
case "MEDIUM":
domains.suspicious.push({
domain: ioc.value,
confidence: analysis.confidence,
firstSeen: ioc.firstSeen,
lastSeen: ioc.lastSeen,
sources: ioc.sources,
});
break;
case "LOW":
domains.benign.push({
domain: ioc.value,
confidence: analysis.confidence,
firstSeen: ioc.firstSeen,
lastSeen: ioc.lastSeen,
sources: ioc.sources,
});
break;
default:
domains.unknown.push({
domain: ioc.value,
confidence: analysis.confidence,
firstSeen: ioc.firstSeen,
lastSeen: ioc.lastSeen,
sources: ioc.sources,
});
}
}
}
return domains;
}
// Анализ домена
analyzeDomain(domain) {
const analysis = {
risk: "UNKNOWN",
confidence: 0,
indicators: [],
};
// Проверка на известные вредоносные домены
if (this.isKnownMaliciousDomain(domain)) {
analysis.risk = "HIGH";
analysis.confidence = 0.9;
analysis.indicators.push("Known malicious domain");
}
// Проверка на подозрительные паттерны
if (this.hasSuspiciousPattern(domain)) {
analysis.risk = "MEDIUM";
analysis.confidence = 0.7;
analysis.indicators.push("Suspicious domain pattern");
}
// Проверка на репутацию
const reputation = this.checkDomainReputation(domain);
if (reputation.score < 0.3) {
analysis.risk = "HIGH";
analysis.confidence = 0.8;
analysis.indicators.push("Low reputation score");
}
return analysis;
}
// Анализ TTPs
analyzeTTPs() {
const ttpAnalysis = {
techniques: this.analyzeTechniques(),
tactics: this.analyzeTactics(),
procedures: this.analyzeProcedures(),
tools: this.analyzeTools(),
};
return ttpAnalysis;
}
// Анализ техник атак
analyzeTechniques() {
const techniques = {
initialAccess: [],
execution: [],
persistence: [],
privilegeEscalation: [],
defenseEvasion: [],
credentialAccess: [],
discovery: [],
lateralMovement: [],
collection: [],
commandAndControl: [],
exfiltration: [],
impact: [],
};
for (const [ttpId, ttp] of this.ttps) {
if (ttp.category === "TECHNIQUE") {
const technique = {
id: ttp.id,
name: ttp.name,
description: ttp.description,
mitreId: ttp.mitreId,
platforms: ttp.platforms,
permissions: ttp.permissions,
dataSources: ttp.dataSources,
detection: ttp.detection,
mitigation: ttp.mitigation,
};
if (techniques[ttp.tactic]) {
techniques[ttp.tactic].push(technique);
}
}
}
return techniques;
}
// Анализ уязвимостей
analyzeVulnerabilities() {
const vulnAnalysis = {
critical: [],
high: [],
medium: [],
low: [],
zeroDay: [],
exploited: [],
};
for (const [vulnId, vuln] of this.vulnerabilities) {
const analysis = {
id: vuln.id,
cve: vuln.cve,
cvss: vuln.cvss,
description: vuln.description,
affectedSystems: vuln.affectedSystems,
exploitAvailable: vuln.exploitAvailable,
patchAvailable: vuln.patchAvailable,
firstSeen: vuln.firstSeen,
lastSeen: vuln.lastSeen,
};
if (vuln.cvss >= 9.0) {
vulnAnalysis.critical.push(analysis);
} else if (vuln.cvss >= 7.0) {
vulnAnalysis.high.push(analysis);
} else if (vuln.cvss >= 4.0) {
vulnAnalysis.medium.push(analysis);
} else {
vulnAnalysis.low.push(analysis);
}
if (vuln.exploitAvailable) {
vulnAnalysis.exploited.push(analysis);
}
if (vuln.isZeroDay) {
vulnAnalysis.zeroDay.push(analysis);
}
}
return vulnAnalysis;
}
// Заглушки для анализа
isKnownMaliciousDomain(domain) {
return false;
}
hasSuspiciousPattern(domain) {
return false;
}
checkDomainReputation(domain) {
return { score: 0.5 };
}
}3. Operational Threat Intelligence
Операционная разведка угроз
Характеристики:
- Тактический уровень анализа
- Среднесрочное планирование
- Операционно-ориентированный подход
- Аудитория: инженеры безопасности, SOC
Примеры:
- Конкретные угрозы для организации
- Кампании атак
- Инциденты безопасности
- Контрмеры и рекомендации
Примеры реализации:
// Система операционной разведки угроз
class OperationalThreatIntelligence {
constructor() {
this.campaigns = new Map();
this.incidents = new Map();
this.threats = new Map();
this.countermeasures = new Map();
}
// Анализ кампаний атак
analyzeAttackCampaigns() {
const campaigns = {
active: [],
dormant: [],
completed: [],
emerging: [],
};
for (const [campaignId, campaign] of this.campaigns) {
const analysis = {
id: campaign.id,
name: campaign.name,
description: campaign.description,
threatActors: campaign.threatActors,
targets: campaign.targets,
techniques: campaign.techniques,
iocs: campaign.iocs,
timeline: campaign.timeline,
status: this.determineCampaignStatus(campaign),
risk: this.assessCampaignRisk(campaign),
};
switch (analysis.status) {
case "ACTIVE":
campaigns.active.push(analysis);
break;
case "DORMANT":
campaigns.dormant.push(analysis);
break;
case "COMPLETED":
campaigns.completed.push(analysis);
break;
case "EMERGING":
campaigns.emerging.push(analysis);
break;
}
}
return campaigns;
}
// Определение статуса кампании
determineCampaignStatus(campaign) {
const now = Date.now();
const lastActivity = new Date(campaign.lastActivity).getTime();
const daysSinceActivity = (now - lastActivity) / (1000 * 60 * 60 * 24);
if (daysSinceActivity < 7) {
return "ACTIVE";
} else if (daysSinceActivity < 30) {
return "DORMANT";
} else if (campaign.isCompleted) {
return "COMPLETED";
} else {
return "EMERGING";
}
}
// Оценка риска кампании
assessCampaignRisk(campaign) {
let riskScore = 0;
// Факторы риска
if (campaign.threatActors.some((actor) => actor.type === "NATION_STATE")) {
riskScore += 3;
}
if (campaign.techniques.some((tech) => tech.sophistication === "HIGH")) {
riskScore += 2;
}
if (campaign.targets.includes("CRITICAL_INFRASTRUCTURE")) {
riskScore += 2;
}
if (campaign.iocs.length > 10) {
riskScore += 1;
}
if (riskScore >= 6) {
return "CRITICAL";
} else if (riskScore >= 4) {
return "HIGH";
} else if (riskScore >= 2) {
return "MEDIUM";
} else {
return "LOW";
}
}
// Анализ инцидентов безопасности
analyzeSecurityIncidents() {
const incidents = {
bySeverity: {
critical: [],
high: [],
medium: [],
low: [],
},
byType: {
dataBreach: [],
malware: [],
phishing: [],
ddos: [],
insider: [],
},
byStatus: {
open: [],
investigating: [],
resolved: [],
closed: [],
},
trends: this.analyzeIncidentTrends(),
};
for (const [incidentId, incident] of this.incidents) {
// Классификация по серьезности
switch (incident.severity) {
case "CRITICAL":
incidents.bySeverity.critical.push(incident);
break;
case "HIGH":
incidents.bySeverity.high.push(incident);
break;
case "MEDIUM":
incidents.bySeverity.medium.push(incident);
break;
case "LOW":
incidents.bySeverity.low.push(incident);
break;
}
// Классификация по типу
if (incidents.byType[incident.type]) {
incidents.byType[incident.type].push(incident);
}
// Классификация по статусу
switch (incident.status) {
case "OPEN":
incidents.byStatus.open.push(incident);
break;
case "INVESTIGATING":
incidents.byStatus.investigating.push(incident);
break;
case "RESOLVED":
incidents.byStatus.resolved.push(incident);
break;
case "CLOSED":
incidents.byStatus.closed.push(incident);
break;
}
}
return incidents;
}
// Анализ трендов инцидентов
analyzeIncidentTrends() {
const trends = {
totalIncidents: this.incidents.size,
incidentsByMonth: this.calculateIncidentsByMonth(),
averageResolutionTime: this.calculateAverageResolutionTime(),
topThreatTypes: this.getTopThreatTypes(),
topAffectedSystems: this.getTopAffectedSystems(),
};
return trends;
}
// Расчет инцидентов по месяцам
calculateIncidentsByMonth() {
const monthlyData = {};
for (const [incidentId, incident] of this.incidents) {
const month = new Date(incident.createdAt).toISOString().substring(0, 7);
monthlyData[month] = (monthlyData[month] || 0) + 1;
}
return monthlyData;
}
// Расчет среднего времени разрешения
calculateAverageResolutionTime() {
let totalTime = 0;
let resolvedCount = 0;
for (const [incidentId, incident] of this.incidents) {
if (incident.status === "RESOLVED" || incident.status === "CLOSED") {
const created = new Date(incident.createdAt).getTime();
const resolved = new Date(incident.resolvedAt).getTime();
totalTime += (resolved - created) / (1000 * 60 * 60 * 24); // дни
resolvedCount++;
}
}
return resolvedCount > 0 ? totalTime / resolvedCount : 0;
}
// Получение топ типов угроз
getTopThreatTypes() {
const threatTypes = {};
for (const [incidentId, incident] of this.incidents) {
threatTypes[incident.type] = (threatTypes[incident.type] || 0) + 1;
}
return Object.entries(threatTypes)
.sort(([, a], [, b]) => b - a)
.slice(0, 5)
.map(([type, count]) => ({ type, count }));
}
// Получение топ затронутых систем
getTopAffectedSystems() {
const systems = {};
for (const [incidentId, incident] of this.incidents) {
for (const system of incident.affectedSystems) {
systems[system] = (systems[system] || 0) + 1;
}
}
return Object.entries(systems)
.sort(([, a], [, b]) => b - a)
.slice(0, 5)
.map(([system, count]) => ({ system, count }));
}
}Форматы и стандарты
1. STIX (Structured Threat Information eXpression)
Стандарт для обмена информацией об угрозах
Ключевые компоненты:
- STIX Objects — объекты STIX
- STIX Relationships — связи между объектами
- STIX Bundles — пакеты объектов
- STIX Domain Objects — доменные объекты
Примеры реализации:
// Генератор STIX объектов
class STIXGenerator {
constructor() {
this.stixVersion = "2.1";
this.objects = [];
}
// Создание STIX Bundle
createSTIXBundle() {
return {
type: "bundle",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
objects: this.objects,
};
}
// Создание Indicator объекта
createIndicator(indicator) {
const stixIndicator = {
type: "indicator",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
created: new Date().toISOString(),
modified: new Date().toISOString(),
name: indicator.name,
description: indicator.description,
indicator_types: indicator.types,
pattern: indicator.pattern,
pattern_type: indicator.patternType,
pattern_version: indicator.patternVersion,
valid_from: indicator.validFrom,
valid_until: indicator.validUntil,
kill_chain_phases: indicator.killChainPhases,
labels: indicator.labels,
confidence: indicator.confidence,
external_references: indicator.externalReferences,
};
this.objects.push(stixIndicator);
return stixIndicator;
}
// Создание Malware объекта
createMalware(malware) {
const stixMalware = {
type: "malware",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
created: new Date().toISOString(),
modified: new Date().toISOString(),
name: malware.name,
description: malware.description,
malware_types: malware.types,
is_family: malware.isFamily,
aliases: malware.aliases,
kill_chain_phases: malware.killChainPhases,
labels: malware.labels,
confidence: malware.confidence,
external_references: malware.externalReferences,
};
this.objects.push(stixMalware);
return stixMalware;
}
// Создание Threat Actor объекта
createThreatActor(threatActor) {
const stixThreatActor = {
type: "threat-actor",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
created: new Date().toISOString(),
modified: new Date().toISOString(),
name: threatActor.name,
description: threatActor.description,
threat_actor_types: threatActor.types,
aliases: threatActor.aliases,
first_seen: threatActor.firstSeen,
last_seen: threatActor.lastSeen,
roles: threatActor.roles,
goals: threatActor.goals,
sophistication: threatActor.sophistication,
resource_level: threatActor.resourceLevel,
primary_motivation: threatActor.primaryMotivation,
secondary_motivations: threatActor.secondaryMotivations,
personal_motivations: threatActor.personalMotivations,
labels: threatActor.labels,
confidence: threatActor.confidence,
external_references: threatActor.externalReferences,
};
this.objects.push(stixThreatActor);
return stixThreatActor;
}
// Создание Attack Pattern объекта
createAttackPattern(attackPattern) {
const stixAttackPattern = {
type: "attack-pattern",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
created: new Date().toISOString(),
modified: new Date().toISOString(),
name: attackPattern.name,
description: attackPattern.description,
kill_chain_phases: attackPattern.killChainPhases,
external_references: attackPattern.externalReferences,
labels: attackPattern.labels,
confidence: attackPattern.confidence,
};
this.objects.push(stixAttackPattern);
return stixAttackPattern;
}
// Создание Relationship объекта
createRelationship(relationship) {
const stixRelationship = {
type: "relationship",
id: this.generateSTIXId(),
spec_version: this.stixVersion,
created: new Date().toISOString(),
modified: new Date().toISOString(),
relationship_type: relationship.type,
source_ref: relationship.sourceRef,
target_ref: relationship.targetRef,
description: relationship.description,
labels: relationship.labels,
confidence: relationship.confidence,
};
this.objects.push(stixRelationship);
return stixRelationship;
}
// Генерация STIX ID
generateSTIXId() {
const prefix = "indicator";
const uuid = this.generateUUID();
return `${prefix}--${uuid}`;
}
// Генерация UUID
generateUUID() {
return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(
/[xy]/g,
function (c) {
const r = (Math.random() * 16) | 0;
const v = c === "x" ? r : (r & 0x3) | 0x8;
return v.toString(16);
}
);
}
}2. TAXII (Trusted Automated eXchange of Intelligence Information)
Протокол для обмена информацией об угрозах
Ключевые компоненты:
- TAXII Servers — серверы TAXII
- Collections — коллекции данных
- Discovery — обнаружение сервисов
- Polling — опрос данных
Примеры реализации:
// TAXII клиент
class TAXIIClient {
constructor(serverUrl, apiRoot) {
this.serverUrl = serverUrl;
this.apiRoot = apiRoot;
this.collections = new Map();
}
// Обнаружение серверов TAXII
async discoverServers() {
try {
const response = await fetch(`${this.serverUrl}/taxii2/`);
const discovery = await response.json();
return {
success: true,
servers: discovery,
};
} catch (error) {
return {
success: false,
error: error.message,
};
}
}
// Получение коллекций
async getCollections() {
try {
const response = await fetch(
`${this.serverUrl}${this.apiRoot}/collections/`
);
const collections = await response.json();
for (const collection of collections.collections) {
this.collections.set(collection.id, collection);
}
return {
success: true,
collections: collections.collections,
};
} catch (error) {
return {
success: false,
error: error.message,
};
}
}
// Получение объектов из коллекции
async getObjects(collectionId, limit = 100, offset = 0) {
try {
const url = `${this.serverUrl}${this.apiRoot}/collections/${collectionId}/objects/`;
const params = new URLSearchParams({
limit: limit.toString(),
offset: offset.toString(),
});
const response = await fetch(`${url}?${params}`);
const objects = await response.json();
return {
success: true,
objects: objects.objects,
more: objects.more,
next: objects.next,
};
} catch (error) {
return {
success: false,
error: error.message,
};
}
}
// Получение объектов по ID
async getObjectById(collectionId, objectId) {
try {
const url = `${this.serverUrl}${this.apiRoot}/collections/${collectionId}/objects/${objectId}/`;
const response = await fetch(url);
const object = await response.json();
return {
success: true,
object: object,
};
} catch (error) {
return {
success: false,
error: error.message,
};
}
}
// Получение манифеста коллекции
async getManifest(collectionId, limit = 100, offset = 0) {
try {
const url = `${this.serverUrl}${this.apiRoot}/collections/${collectionId}/manifest/`;
const params = new URLSearchParams({
limit: limit.toString(),
offset: offset.toString(),
});
const response = await fetch(`${url}?${params}`);
const manifest = await response.json();
return {
success: true,
manifest: manifest.objects,
more: manifest.more,
next: manifest.next,
};
} catch (error) {
return {
success: false,
error: error.message,
};
}
}
}Практическое применение
1. Threat Hunting
Проактивный поиск угроз
Примеры реализации:
// Система Threat Hunting
class ThreatHuntingSystem {
constructor() {
this.hunts = new Map();
this.techniques = new Map();
this.dataSources = new Map();
}
// Создание охоты за угрозами
createHunt(huntDefinition) {
const hunt = {
id: this.generateHuntId(),
name: huntDefinition.name,
description: huntDefinition.description,
hypothesis: huntDefinition.hypothesis,
techniques: huntDefinition.techniques,
dataSources: huntDefinition.dataSources,
queries: huntDefinition.queries,
status: "ACTIVE",
created: new Date(),
lastRun: null,
results: [],
};
this.hunts.set(hunt.id, hunt);
return {
success: true,
hunt: hunt,
};
}
// Выполнение охоты
async executeHunt(huntId) {
const hunt = this.hunts.get(huntId);
if (!hunt) {
return {
success: false,
error: "Hunt not found",
};
}
const results = [];
for (const query of hunt.queries) {
const result = await this.executeQuery(query, hunt.dataSources);
results.push(result);
}
hunt.results = results;
hunt.lastRun = new Date();
return {
success: true,
results: results,
};
}
// Выполнение запроса
async executeQuery(query, dataSources) {
const results = [];
for (const dataSource of dataSources) {
const data = await this.queryDataSource(dataSource, query);
results.push(...data);
}
return {
query: query,
results: results,
count: results.length,
};
}
// Запрос к источнику данных
async queryDataSource(dataSource, query) {
// Имитация запроса к источнику данных
return [];
}
// Генерация ID охоты
generateHuntId() {
return "hunt-" + Math.random().toString(36).substr(2, 9);
}
}2. IOC Management
Управление индикаторами компрометации
Примеры реализации:
// Система управления IOCs
class IOCManager {
constructor() {
this.iocs = new Map();
this.feedSources = new Map();
}
// Добавление IOC
addIOC(ioc) {
const iocId = this.generateIOCId();
const iocData = {
id: iocId,
type: ioc.type,
value: ioc.value,
confidence: ioc.confidence,
severity: ioc.severity,
sources: ioc.sources,
tags: ioc.tags,
created: new Date(),
lastSeen: new Date(),
status: "ACTIVE",
};
this.iocs.set(iocId, iocData);
return {
success: true,
ioc: iocData,
};
}
// Поиск IOC
searchIOCs(criteria) {
const results = [];
for (const [iocId, ioc] of this.iocs) {
if (this.matchesCriteria(ioc, criteria)) {
results.push(ioc);
}
}
return results;
}
// Проверка соответствия критериям
matchesCriteria(ioc, criteria) {
if (criteria.type && ioc.type !== criteria.type) {
return false;
}
if (criteria.value && !ioc.value.includes(criteria.value)) {
return false;
}
if (criteria.confidence && ioc.confidence < criteria.confidence) {
return false;
}
if (criteria.severity && ioc.severity !== criteria.severity) {
return false;
}
if (criteria.tags && !criteria.tags.some((tag) => ioc.tags.includes(tag))) {
return false;
}
return true;
}
// Генерация ID IOC
generateIOCId() {
return "ioc-" + Math.random().toString(36).substr(2, 9);
}
}Заключение
Threat Intelligence — это критически важный компонент современной кибербезопасности, который позволяет организациям:
- Проактивно защищаться от угроз
- Понимать контекст атак
- Принимать обоснованные решения
- Улучшать общую безопасность
Помните: Threat Intelligence — это не просто сбор данных, а процесс анализа, понимания и применения информации об угрозах. Успех зависит от правильной интеграции в процессы безопасности и постоянного совершенствования.
Совет: Начните с определения ваших потребностей в разведке угроз, затем выберите подходящие источники и форматы данных. Не забывайте о автоматизации процессов и интеграции с существующими системами безопасности!